Posts Tagged ‘vulnerability’

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, which subsequently executes KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.

Executing

In order to execute on the target host, the following files need to be in the same folder:

  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe.

Building

Open up KeeFarce.sln with Visual Studio (note: development was done on Visual Studio 2015) and hit ‘build’. The results will be written out to dist/$architecture. You’ll have to copy the KeeFarceDLL.dll and Microsoft.Diagnostic.Runtime.dll files into that folder before executing, as these are architecture independent.

Compatibility

KeeFarce has been tested on:
  • KeePass 2.28, 2.29 and 2.30, running on Windows 8.1, both 32 and 64 bit.

This should also work on older Windows machines (Windows 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment beforehand is recommended.

Download

Ghost in the Machine

Posted: 29/01/2015 in Uncategorized

A newly disclosed flaw opens up most Linux-based Web and mail servers to attack, researchers from Redwood Shores, California-based security firm Qualys disclosed today (Jan. 27).

The flaw, dubbed “GHOST” by its discoverers, “allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials,” (i.e. administrative passwords), Qualys staffer Amol Sarwate said in a company blog posting.

“As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines,” Qualys researchers posted on the Openwall security mailing list earlier today.

GHOST is of immediate and urgent concern to any IT professional administering a Linux-based server, but users of desktop Linux should also install patches, which have already been pushed out by Red Hat and Ubuntu, among others. (Red Hat Fedora 20 and later, and Ubuntu 13.10 and later, were already immune.)

Various flavors of Linux power at least a third of the world’s Web servers and mail servers, but it’s likely that administrators at top Web-based companies were tipped off ahead of today’s disclosure.

GHOST, designated CVE-2015-0235 per security-industry convention, is the fourth major vulnerability in open-source software found in the past 10 months. The stampede began with the discovery of the Heartbleed flaw in OpenSSL in April, then continued with the Shellshock hole in the Bash command-line shell in September, followed by the POODLE weakness in Web encryption in October.

Such technical talk may be gobbledygook to most computer users, but arcane open-source software runs the Internet and the Web that rides on top of it. Any major open-source flaw threatens not only the massive global Internet economy, but your ability to check your own Facebook page.

“To be clear, this is NOT the end of the Internet,” wrote Jen Ellis of Boston information-security firm Rapid7 in an official blog posting. “It’s also not another Heartbleed. But it is potentially nasty, and you should patch and reboot your affected systems immediately.”

GHOST vulnerability explained

The flaw exists in older versions of the GNU C library, or glibc, a repository of open-source software written in the C and C++ coding languages. Newer versions of glibc, beginning with glibc 2.18, released in August 2013, are not affected. But many builds of Linux may still be using older versions.
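As an added triage aid (not code from Qualys or from the original post), the script below parses the glibc version reported by `ldd --version` and flags anything older than the 2.18 release the text names as the first unaffected version. The two `ldd` output samples are constructed for the example. One caveat a practitioner needs: distributions backported the GHOST fix into older version numbers (the patched packages the text mentions still report 2.17 or earlier), so a version below 2.18 means "check the distribution's advisory and patch level", not "confirmed vulnerable".

```python
import re
import subprocess

# First release of upstream glibc that the article states is not affected.
FIXED_IN = (2, 18)

# Constructed samples of `ldd --version` output in the two common formats
# (plain GNU libc, and a distribution-branded build). Not real captures.
SAMPLE_OUTPUTS = {
    "old": "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation, Inc.\n",
    "new": "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19\nCopyright (C) 2014 Free Software Foundation, Inc.\n",
}


def parse_glibc_version(ldd_output: str):
    """Return (major, minor) from the first line of `ldd --version`, or None.

    The upstream version is the last dotted number on the first line, which
    also works for distribution-branded strings such as "ldd (Ubuntu EGLIBC
    2.19-0ubuntu6.6) 2.19".
    """
    lines = ldd_output.splitlines()
    if not lines:
        return None
    match = re.search(r"\b(\d+)\.(\d+)\s*$", lines[0].strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def version_may_be_affected(version) -> bool:
    """True when the upstream version predates the fixed release.

    This is a screening result only: distributions shipped backported fixes
    under older version numbers, so a True here needs a package-level check.
    """
    return version is not None and version < FIXED_IN


def local_glibc_version():
    """Run `ldd --version` on this host and parse it; None if ldd is absent."""
    try:
        result = subprocess.run(
            ["ldd", "--version"], capture_output=True, text=True, check=False
        )
    except OSError:
        return None
    return parse_glibc_version(result.stdout)


if __name__ == "__main__":
    version = local_glibc_version()
    if version is None:
        print("Could not determine the local glibc version.")
    elif version_may_be_affected(version):
        print("glibc %d.%d predates 2.18: verify the distribution's CVE-2015-0235 patch level." % version)
    else:
        print("glibc %d.%d is 2.18 or newer." % version)
```

Run it directly on a Linux host to see the screening result for that machine; the parsing and comparison functions can also be fed captured `ldd --version` output from an inventory.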

In addition to Exim, server software vulnerable to GHOST includes Apache, Sendmail, Nginx, MySQL, CUPS, Samba and many others, according to a post by Qualys researchers on the Full Disclosure mailing list. CORRECTION: The applications listed on the Full Disclosure page are NOT vulnerable to GHOST.

The risk to users of massively subscribed services such as Twitter, Facebook and all of Google’s online services should be low, presuming that administrators of those companies’ servers have already implemented or are currently implementing patches. (It’s possible that last night’s 40-minute Facebook outage was the result of this.)

But implementation of the patches will have to be manual, which means that millions of websites and mail servers that don’t get the same degree of administrative attention will continue to be vulnerable for an extended period of time.

Thanks to Qualys and Tom’s Guide

A 17-year-old German student contends PayPal has denied him a reward for finding a vulnerability in its website.

Robert Kugler said he notified PayPal of the vulnerability on May 19. He said he was informed by email that because he is under 18 years old, he did not qualify for its Bug Bounty Program. He will turn 18 next March.

PayPal, which is owned by auction site eBay, outlines the terms and conditions for its Bug Bounty Program on its website, but does not appear to have an age guideline. PayPal officials did not have an immediate comment.

Many companies such as Google and Facebook have reward programs. The programs are intended to create an incentive for researchers to privately report issues and allow vendors to release fixes before hackers take advantage of flaws.

Facebook pays a minimum of $500 for qualifying bugs, while Google pays from $100 up to $20,000 depending on the severity of the issue. Neither has an age restriction listed on their websites. Microsoft does not pay for security vulnerability information, but instead publicly acknowledges the work. PayPal does not list what it will pay a researcher for a bug.

Kugler is listed as a contributor in a Microsoft list from April of security researchers. He said he received rewards for finding vulnerabilities in the past. Mozilla paid him $1,500 for finding a problem in the Firefox browser last year and $3,000 earlier this year for another bug.

PayPal requires that those reporting bugs have a verified PayPal account. Kugler said he asked PayPal that any bounty be paid into his parents’ account.

At minimum, Kugler would like PayPal to acknowledge his finding and send him some documentation “that I can use in a job application,” he wrote via email. So far, he hasn’t received anything.

The details of the vulnerability, a cross-site scripting (XSS) flaw, are posted in the Full Disclosure section of Seclists.org, a forum for disclosing security vulnerabilities.

An XSS attack occurs when a script drawn from another Web site is allowed to run when it should not. This type of flaw can be used to steal information or potentially cause other malicious code to run.
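To make the mechanism concrete, here is an added illustration (not the reported PayPal flaw, and not code from the original post) of the defect class in its simplest form: a page renderer that places user-supplied text into HTML unchanged, next to the hardened version that escapes it first. The `PAGE_TEMPLATE`, the function names and the sample input are constructed for this example.

```python
from html import escape

# Constructed input containing HTML markup; it stands in for any value a user
# controls (a query parameter, a form field, a profile name).
SAMPLE_INPUT = '<script>alert("xss")</script>'

# Constructed page skeleton; the {name} slot sits in HTML body (text) context.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}!</p></body></html>"


def render_unsafe(name: str) -> str:
    """Vulnerable: the value is interpolated verbatim, so any markup in it
    becomes part of the page and the browser executes it."""
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened: the value is HTML-escaped for the body context before
    interpolation, so <, >, &, " and ' reach the browser as literal
    characters inside the paragraph rather than as markup."""
    return PAGE_TEMPLATE.format(name=escape(name, quote=True))


def markup_survived(rendered: str, user_input: str) -> bool:
    """Review helper: did the user's input reach the page with its angle
    brackets intact? True means the renderer is injectable for this input."""
    return "<" in user_input and user_input in rendered


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(SAMPLE_INPUT)
        print(f"{label}: markup survived = {markup_survived(page, SAMPLE_INPUT)}")
        print("  " + page)
```

Escaping with `html.escape` is correct for text placed between HTML tags, which is the context shown here; a value inserted into a URL, a JavaScript string or an unquoted attribute needs the encoding appropriate to that context, and modern template engines escape by default for exactly this reason.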

For Security Researchers – PayPal

Source: www.pcworld.com

This tutorial is for demonstration purposes only – Please use this knowledge responsibly

This video will show you how to create a reverse SSH connection to a server/workstation

This exploit takes advantage of the MS08-067 vulnerability using Metasploit on Kali.
This is a Kali VM attacking a Microsoft Windows Server 2008 machine (this will also work on any machine without the patch).

The moral of this is to update your system

http://www.kali.org

http://support.microsoft.com/kb/958644

Caintech.co.uk – Here comes Kali

Affected Software

Operating System:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

A critical vulnerability has been discovered in certain LaserJet Pro printers that could give remote attackers access to sensitive data. Homeland Security’s Computer Emergency Response Team recently issued a vulnerability note warning that HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

This flaw was discovered by a German security expert, Christoph von Wittich. He detected the vulnerability during a routine network scan of his company’s corporate network.

He said the vulnerability could also be used for a denial-of-service attack. “As long as the printer is not connected to the Internet, this vulnerability should not cause much trouble for the end user.”

Marked as CVE-2012-5215 (VU#782451, SSRT101078), the vulnerability affects 12 printer models, including HP LaserJet Pro P1102w, P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh Multifunction Printer, M1217nfw Multifunction Printer, M1218nfs MFP, M1219nf MFP, CP1025nw, and CP1025nw.

Users are advised to download updated firmware for printers impacted by the bug from the company’s Support Center site.

HP Support Center

HP SUPPORT COMMUNICATION – SECURITY BULLETIN

HP UPDATED FIRMWARE

A security flaw on the Galaxy Note II with Android 4.1.2 allows hackers to briefly bypass the phone’s lock screen without needing a password.

By hitting “emergency call”, then “emergency contacts”, then holding the home button, the main home screen becomes visible for around a second, just enough time to load an app, before reverting back to the lock screen.

Not all apps will open in this manner; a demo video shows that Google Play does not respond. Reportedly, Eden contacted Samsung roughly five days ago but has yet to hear back. He said that he has not tested any other Samsung devices to see if they are also affected.

Steps to follow:

  1. Lock the device with a “secure” pattern, PIN, or password.
  2. Activate the screen.
  3. Press “Emergency Call”.
  4. Press the “ICE” button on the bottom left.
  5. Hold down the physical home key for a few seconds and then release.
  6. The phone’s home screen will be displayed – briefly.
  7. While the home screen is displayed, click on an app or a widget.
  8. The app or widget will launch.
  9. If the widget is “direct dial” the phone will start ringing.

Using this method it could also be possible to load up email or SMS apps for long enough to get an overview of sensitive messages.

If you are a BlackBerry Enterprise Network user, here is something you need to be careful about. BlackBerry Enterprise Server (BES) users have been warned that an image-based exploit could allow hackers to access and execute code on the servers used to support corporate users of BlackBerry smartphones.

The flaw has been rated as high severity; the actual vulnerability in BlackBerry Enterprise Server results from how the server processes image files.

Scenario to Exploit Vulnerability: A malicious person writes special code and then embeds it in a TIFF image file. The person then convinces a BlackBerry smartphone user (whose phone is connected to a corporate BES) to view the TIFF file.

As soon as the image file loads on the phone, the code runs on the Blackberry Enterprise server and either opens up a back door in the network or causes the network to crash altogether as instructed in the basic code.

“RIM is not aware of any attacks on or specifically targeting BlackBerry Enterprise Server customers, and recommends that affected customers update to the latest available software version to be fully protected from these vulnerabilities,” BlackBerry said.

The exploit uses a TIFF image containing malicious code, and the dangerous image can either be linked to an email or attached directly to it. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

Only BlackBerry Enterprise Server Express version 5.0.4 and earlier for Microsoft Exchange and IBM Lotus Domino, and BlackBerry Enterprise Server version 5.0.4 and earlier for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise, are affected.

For the full RIM statement, issue and resolution visit: Knowledge Base Article BSRT-2013-003