Giving perspective on systemd’s “usernames that start with digit get root privileges”-bug

So in order to trigger this behaviour, someone with root-level privileges needs to edit a Unit file and enter an “invalid username”, in this case one that starts with a digit.

But you need root level privileges to edit the file in the first place and to reload systemd to make use of that Unit file.

Source: Giving perspective on systemd’s “usernames that start with digit get root privileges”-bug

It’s an obvious bug (at least on RHEL/CentOS 7), since a valid username does not get accepted by systemd so it triggers unexpected behaviour by launching services as root.

However, it isn’t as bad as it sounds and does not grant any username with a digit immediate root access.
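An audit check for the condition described above, as an added Python example that is not part of the original post or of systemd: it flags `User=` values in a unit file's `[Service]` section that start with a digit. The sample unit, the name `0svc` and the function names are constructed for illustration, and the check assumes an all-digit value is a numeric UID that systemd accepts.

```python
import re
from pathlib import Path

def find_digit_usernames(unit_text):
    """Return (line_no, value) for each [Service] User= that starts with a
    digit but is not a plain numeric UID."""
    findings, section = [], None
    for line_no, raw in enumerate(unit_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "User":
            continue
        value = value.strip()
        # Assumption: an all-digit value is a numeric UID, which systemd accepts.
        if re.fullmatch(r"[0-9]\S*", value) and not re.fullmatch(r"[0-9]+", value):
            findings.append((line_no, value))
    return findings

def scan_unit_dir(root):
    """Map each *.service file under root to its findings (clean files omitted)."""
    report = {}
    for path in sorted(Path(root).rglob("*.service")):
        hits = find_digit_usernames(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample unit file, not taken from a real system.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example service

[Service]
# User=0commented
User=0svc
ExecStart=/usr/bin/id
"""

if __name__ == "__main__":
    for line_no, value in find_digit_usernames(SAMPLE_UNIT):
        print(f"line {line_no}: User={value} starts with a digit")
```

Drop-in `.conf` files can also set `User=` and are not covered by the `*.service` glob used here.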

Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.

In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.

Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

OAUTH phishing against Google Docs – beware!

As you can see, it appears as Google Docs wants full access to my Gmail as well as my contacts. Of course, this is not real Google Docs – the attacker has simply named his “application” Google Docs – this can be verified by clicking on the Google Docs text where the real web site behind this and developer info is shown:

Source: InfoSec Handlers Diary Blog – OAUTH phishing against Google Docs – beware!

Finally, if you accidentally clicked on “Allow”, go to https://myaccount.google.com/u/0/permissions?pli=1 to revoke permissions.

About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals

According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVs, allows the sending of commands that tell smart TVs to access and load a website in the background.

Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV’s built-in browser would execute malicious code, gain root access, and effectively take over the device.

Source: About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals

Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files

An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands.

Cisco said that there are “no workarounds” to address the vulnerability, but it said that disabling Telnet would “eliminate” some risks.

Source: Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files | ZDNet

SMTP over XXE − how to send emails using Java’s XML parser

The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except <CR> and <LF>. Guess what the JRE implementers forgot? Exactly − to check for the presence of <CR> or <LF>. This means that if we put %0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.

Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die

So, if we send a USER command to a mail server instead of a FTP server, it will answer with an error code (since USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.
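The missing check described above, as an added Python example that is not the JRE's code or the original author's: it percent-decodes the user and password parts of an FTP URL, shows how an unchecked CR/LF splits one `USER` command into two, and rejects such values using the RFC 959 rule quoted in the excerpt. The URLs, the host name and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

def decoded_credentials(url):
    """Percent-decode the user and password parts of a URL, as an FTP client would."""
    parts = urlsplit(url)
    return tuple(unquote(p or "", encoding="latin-1")
                 for p in (parts.username, parts.password))

def commands_on_wire(verb, argument):
    """Commands the server sees when the argument is sent without any check."""
    return [c for c in f"{verb} {argument}\r\n".split("\r\n") if c]

def is_valid_ftp_argument(value):
    """RFC 959 rule from the text: any of the 128 ASCII characters except CR and LF."""
    return all(ord(ch) < 128 and ch not in "\r\n" for ch in value)

def safe_ftp_credentials(url):
    """Return (user, password), or raise ValueError before anything is sent."""
    user, password = decoded_credentials(url)
    for name, value in (("user", user), ("password", password)):
        if not is_valid_ftp_argument(value):
            raise ValueError(f"{name} part contains CR, LF or non-ASCII bytes")
    return user, password

# Constructed sample URLs; NOOP stands in for any second command.
GOOD_URL = "ftp://alice:s3cret@ftp.example.com/file.txt"
BAD_URL = "ftp://alice%0D%0ANOOP:s3cret@ftp.example.com/file.txt"

if __name__ == "__main__":
    print(commands_on_wire("USER", decoded_credentials(GOOD_URL)[0]))
    print(commands_on_wire("USER", decoded_credentials(BAD_URL)[0]))
    try:
        safe_ftp_credentials(BAD_URL)
    except ValueError as exc:
        print("rejected:", exc)
```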

0-days hitting Fedora and Ubuntu open desktops to a world of hurt

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don’t have the same unfettered system privileges granted to root, the ones they do have are plenty powerful.

Source: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt

Here’s a blurb from the researcher’s blog post about this:

Resolving all the above, I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities.

Source: Redux: compromising Linux using… SNES Ricoh 5A22 processor opcodes?!

“Most serious” Linux privilege-escalation bug ever is under active exploit

The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Source: “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Disable WPAD now or have your accounts and private data compromised

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Source: Disable WPAD now or have your accounts and private data compromised | CSO Online

The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”

From Slashdot comments:

To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:

Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer