So in order to trigger this behaviour, someone with root-level privileges needs to edit a Unit file and enter a “invalid username”, in this case one that starts with a digit.
But you need root level privileges to edit the file in the first place and to reload systemd to make use of that Unit file.
Source: Giving perspective on systemd’s “usernames that start with digit get root privileges”-bug
It’s an obvious bug (at least on RHEL/CentOS 7), since a valid username does not get accepted by systemd so it triggers unexpected behaviour by launching services as root.
However, it isn’t as bad as it sounds and does not grant any username with a digit immediate root access.
To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.
In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.
Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials
According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVS, allows the sending of commands that tell smart TVs to access and load a website in the background.
Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV’s built-in browser would execute malicious code, gain root access, and effectively take over the device.
Source: About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals
The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except
<LF>. Guess what the JRE implementers forgot? Exactly − to check for the presence of
<LF>. This means that if we put
%0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.
Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die
So, if we send a
USER command to a mail server instead of a FTP server, it will answer with an error code (since
USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.
The full story is admittedly lengthy, clocking in at over 8000 words, but worth the time to understand how botnet wranglers make money siccing their zombie device armies on unsuspecting targets. The sources that pointed Krebs to Anna Senpai’s identity were involved in using botnets on behalf of shadowy clients, unleashing them on security companies protecting lucrative Minecraft servers that host thousands of players. When their online gaming is obstructed — say, by repeated and annoying DDoS attacks — players leave, giving servers an incentive to jump ship to whichever security provider can ensure protection…in this case, providers that arranged for the botnet attacks in the first place.
Source: Krebs pinpoints the likely author of the Mirai botnet
The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don’t have the same unfettered system privileges granted to root, the ones they do have are plenty powerful.
Source: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt
Here’s a blurb from the researcher’s blog post about this:
Resolving all the above, I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities.
Source: Redux: compromising Linux using… SNES Ricoh 5A22 processor opcodes?!
The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.
Source: “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)
The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).
Source: Disable WPAD now or have your accounts and private data compromised | CSO Online
The researchers recommended computer users disable the protocol. “No seriously, turn off WPAD!” one of their presentation slides said. “If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file.”
From Slashdot comments:
To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:
Click the Start button, and in the search field, type in “regedit”, then select “regedit.exe” from the list of results
Navigate through the tree to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad”
Once you have the “Wpad” folder selected, right click in the right pane, and click on “New -> DWORD (32-Bit Value)”
Name this new value “WpadOverride”
Double click the new “WpadOverride” value to edit it
In the “Value data” field, replace the “0” with a “1”, then click “OK”
Reboot the computer
Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.
Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday
Here I’d like to explain some common security problems found in large corporations during pentesting by giving an example.
Source: How I Hacked Facebook, and Found Someone’s Backdoor Script | DEVCORE 戴夫寇爾
A brief summary, the hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under web directory for the hacker to use WGET every once in a while