0-days hitting Fedora and Ubuntu open desktops to a world of hurt

Posted on December 16, 2016 by mea

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don’t have the same unfettered system privileges granted to root, the ones they do have are plenty powerful.

Source: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt

Here’s a blurb from the researcher’s blog post about this:

Resolving all the above, I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities.

Source: Redux: compromising Linux using… SNES Ricoh 5A22 processor opcodes?!

“Most serious” Linux privilege-escalation bug ever is under active exploit

Posted on October 21, 2016 by mea

The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Source: “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

Disable WPAD now or have your accounts and private data compromised

Posted on August 13, 2016 by mea

WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.

The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).

Source: Disable WPAD now or have your accounts and private data compromised | CSO Online

The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”

From Slashdot comments:

To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Posted on August 2, 2016 by mea

Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday

How I Hacked Facebook, and Found Someone’s Backdoor Script

Posted on April 25, 2016 by mea

Here I’d like to explain some common security problems found in large corporations during pentesting by giving an example.

Source: How I Hacked Facebook, and Found Someone’s Backdoor Script | DEVCORE 戴夫寇爾

A brief summary, the hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while

Do you have the brains for cybersecurity?

Posted on March 24, 2016 by mea

In the modern day, the ability to work through a problem and decipher it is essential to anyone who works in cybersecurity, partly because a lot of what they do involves working out what is going on with less than perfect knowledge.

The puzzles below have been drawn up with the help of the team behind the UK’s Cyber Security Challenge, which uses similar tests to find people who are good at problem solving who could be of use for attacking and defending computer networks.

Source: Do you have the brains for cybersecurity? – BBC News

Reverse engineering an IP camera

Posted on February 4, 2016 by mea

During setup the app instructs the user to either plug in an Ethernet cable or press the ‘pair’ button on the camera which causes the camera to switch to host mode and offer up an open (aka insecure) wireless network. The app then scans for this network which is typically called CameraHD-(MAC address) and prompts the user to connect to it. This is an alarming feature for a camera designed for outdoor use particularly as the camera also offers a host of unfiltered network services, including the network video feed (RTSP), a bespoke internal messaging service for initiating alerts and two distinct web servers (nuvoton and busybox), one of which has an undocumented firmware upgrade page. Readers of our other blogs will know how much we like upgrading firmware…

Source: Push To Hack: Reverse engineering an IP camera

Trend Micro flaw could have allowed attacker to steal all passwords

Posted on January 12, 2016 by mea

Overall, Ormandy wrote that he found over 70 APIs exposed to the Internet, not all of which he had investigated for security issues. He suggested Trend should hire an external consultancy to audit the code.

Source: Trend Micro flaw could have allowed attacker to steal all passwords

Antivirus software could make your company more vulnerable

Posted on January 10, 2016 by mea

While these are mainly examples of using antivirus vulnerabilities to evade detection, there’s also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.

Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status “sold.”

Source: Antivirus software could make your company more vulnerable

On the Juniper backdoor

Posted on December 23, 2015 by mea

To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.

And all because Juniper had already paved the road.

Source: A Few Thoughts on Cryptographic Engineering: On the Juniper backdoor

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

Bucktown Bell

Cut to the chase.

Tag Archives: security research