November 14, 2016

pixel-safari-edgewindows-10-1

 

 

Google’s new Pixel smartphone was reportedly hacked by a Chinese team in just 60 seconds.

 

At PwnFest, a hacking competition in Seoul on Friday (11 November), a team of white-hat hackers called Qihoo 360 cracked Google’s new handset and won $120,000 (£95,670) in cash. The hackers took advantage of a vulnerability to gain remote code execution that is undisclosed.

 

The exploit launched the Google Play store before opening Chrome and displaying a web page reading “Pwned By 360 Alpha Team”.

 

Google said the Chrome bug that Keen Team found was patched within 24 hours of the event and the changes have already been released into the stable branch by the Chrome team.

 

It was the second time in as many weeks that the Pixel has been compromised.

 

Chinese hacking group, Keen Team of Tencent, a rival of Qihoo 360, discovered a zero-day vulnerability at the Mobile Pwn2Own event in Japan. The vulnerability is yet to be patched. Thankfully, these exploits have been found in hacking events, instead of being used in the wild by attackers.
While these exploits suggest Pixel phones are vulnerable to attackers, earlier this month Adrian Ludwig, the director of security at Android, told Motherboard that the Google Pixel and the iPhone are equal when it comes to security. Ludwig said Android would be soon better though. “In the long term, the open ecosystem of Android is going to put it in a much better place,” he said.

 

 
Apple’s updated Safari browser running on MacOS Sierra also fell. Respected Chinese hacker outfit Pangu Team renowned for releasing million-dollar persistent modern iOS jailbreaks for free, along with hacker JH, blasted Cupertino’s web browser with a root privilege escalation zero day that took 20 seconds to run, earning the team $80,000.
Qihoo 360 also breached Adobe Flash with a flick of the finger, digging up a combination decade-old, use-after-free zero day and a win32k kernel flaw to score $120,000.

 

It took four seconds for Flash to fall.

 

The hacks conclude the PwnFest whitewash, which saw Microsoft Edge hacked and the first-ever zero day exploits against VMWare Workstation on Thursday.

 

Qihoo 360 hackers walked away with $520,000 in prize money.

Share

move-over-shodan-meet-censys-1280x600

 

When John Matherly released SHODAN, search engine which could collect data on web servers like HTTP port 80, FTP etc. It was considered a success, in the hackers point of view. And now there’s censys.

 

Censys was created by a group of scientists from the University of Michigan as an instrument to make Internet more secure. In fact, both Shodan and Censys are meant for security researches, but as the duo gains more and more attention, there certainly can be a lot of people who would try to use it for more nefarious purposes.
Censys is just like shodan but, more user friendly and works in a better and broader way. Censys is like a time saving buddy for the system lovers or the so called hackers.

 

 

 

HOW CENSYS WORKS

 

Millions of devices like the home routers, ip cameras, mobile phones use same set of cryptographic keys for SSH secure shells or https. Which makes them vulnerable to hijacking. The vendors build and deploy their products. Typically, the vendors build their device’s firmware based on software development kits (SDKs) received from chip makers. They are too lazy to change the codes.

 

Censys conducts a daily scan on whole internet database almost everything. It scans all the IPv4 addresses which controls the majority internet traffic. It makes sure that it checks all the possible vulnerabilities. When researcher conducted the mass scan of 4 billion ip addresses the result was shocking.

 

“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan and inventor of ZMap. Censys uses mainly two tools.

 

 

TOOLS USED

 

ZMap
Zgrab

 
ZMap

 

The first step of collecting data is Zmap(20) it performs single packet host discovery and scans all the Ipv4 address space. Hosts found by ZMap seed pluggable application scanners, which perform a followup application layer handshake and produce structured JSON data describing a certain aspect of how a host is configured. Typically, application scanners only perform a single handshake and measure one aspect of how a service is configured. For example, they perform separate horizontal scans and use different pluggable scanners to measure how HTTPS hosts respond to a typical TLS handshake, whether hosts support SSLv3, and whether a host is vulnerable to the heart bleed attack. Since collecting all the data from a single scan may cause load on the host., it instead uses scheduled scans thereby aggregating the data collected from each scheduled scans.

 

 

Zgrab

 

It is a fast and more extensible application scanner. At this time, ZGrab supports application handshakes for HTTP, HTTP Proxy, HTTPS, SMTP(S), IMAP(S), POP3(S), FTP, CWMP, SSH, and Modbus, as well as StartTLS, Heartbleed, SSLv3, and specific cipher suite checks. On a dual-Xeon E5-2640 (6-cores at 2.5 GHz) system with an Intel X520 ethernet adapter, ZGrab can complete HTTPS handshakes with the full IPv4 address space in 6h20m, and a banner grab and StartTLS connection with all publicly accessible SMTP hosts in 3h9m, 1.86k and 1.32k hosts/second respectively. In simple words ZMap quickly identifies hosts and ZGrab produces structured data about each of those hosts. Zgrab can be used independently. It does on even on one host from simply reading and writing a data to initiating a handshake.

 
EXPOSING DATA

Censys exposes data back to the community, which ranges from researchers who need to quickly perform a simple query to those who want to perform in-depth analysis on raw data. In order to meet these disparate needs, they are exposing the data to researchers through several interfaces, which offer varying degrees of flexibility.

 

1) a web-based query and reporting interface,

2) a programmatic REST API,

3) Public Google BigQuery tables,

4) Raw downloadable scan results. They are planning to publish pre-defined dashboards that are accessible to users outside of the research community.

 
Neither Shodan nor Censys are likely to be used by some serious cyber criminals — the real big bad guys have had botnets for a while, which can serve the very same purpose yet yield more power. It took Shodan’s creator John Matherly only 5 hours to ping and map all the devices on the whole Internet, and a botnet utilising hundreds of computers would probably do that even faster.

 

But there are a lot of other people who already have tried to misuse Shodan and Censys to play bad tricks and pranks on other people. And while the problem with the IoT security is mostly for the manufacturers to solve, there are a few things that you can do about it to secure those connected things that actually belong to you.

 

 

Share
August 25, 2016

iOS 9.3.5 is now out. Update like you’ve never updated before. https://t.co/8mWfs6aril #Trident

Share
August 24, 2016

This translation toolset is a very neat asset to any penetration tester and especially useful for exploit development and Web Application Pen Testing.

https://paulschou.com/tools/xlate/

Share

Easy SMTP Mail Relay Test

Author: Martin Voelk,
August 23, 2016

This is a neat tool to test for open relays. Whilst most true open relays are not out there these days, internal relay is as dangerous? Why? Imagine Mr Tom Smith is the boss of Mr Jack Miller. Now Jack Miller sends an insulting email to Tom Smith which could terminate his work contract. Likewise a fake Smith to Miller mail could create serious disturbance. We come across those internal relay problems in many of our audits. Disable internal mail relaying!

https://www.wormly.com/test_smtp_server

Share

Dangerous FTP dork

Author: Martin Voelk,
August 22, 2016

The following Google dork reveals open FTP directories spidered and indexed by Google. Shocking! As always, use responsibly but test for your own web site by adding the site operator

inurl:ftp -inurl:(http|https)

site:yourdomain.com inure:ftp -inurl:(http|https)

Share

nsa_gchq-e1448883882585

 

An unknown hacker or a group of hackers just claimed to have hacked into “Equation Group” — a cyber-attack group allegedly associated with the United States intelligence organization NSA — and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.

 

In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.

 

Screenshot from 2016-08-17 10:08:23

 

 

In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits were obtained after members hacked Equation Group (the post has since been removed from Tumblr, but a cached version here was still available as this post was going live). Last year, Kaspersky Lab researchers described Equation Group as one of the world’s most advanced hacking groups, with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Broker post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn’t immediately possible for outsiders to prove the posted data—mostly batch scripts and poorly coded python scripts—belonged to Equation Group, there was little doubt the data have origins with some advanced hacking group.

 
The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet.

 

According to the leaked files, Chinese company ‘Topsec’ was also an Equation Group target.

 

The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like “BANANAGLEE” and “EPICBANANA.”

 

Screenshot from 2016-08-17 10:08:40 Screenshot from 2016-08-17 10:08:56 Screenshot from 2016-08-17 10:09:24

 

It is yet not confirmed whether the leaked documents are legitimate or not, but some security experts agree that it likely is. “I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.

 

While some are saying that the leak could be a very well-researched hoax, and the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.
At the same time, the Risk Based Security post cautioned that so-called false-flag operations—in which attackers manufacture evidence that falsely implicates others—is a regular occurrence in hacking campaigns, particularly those sponsored by nations. If the claims in the Shadow Brokers’ post are true, this may be one of the only publicly known times the NSA has been compromised. But even if the claims turn out to be exaggerated, the Shadow Brokers’ post is significant, if only for the amount of work and planning that went into the fabricating evidence to provoke one of the world’s most advanced hacking operations.

 

 

Share

Help an abused puppy

Author: Martin Voelk,
July 16, 2016

Squid proxy server

 
Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.

 
The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.

 
“The attack enables cache poisoning of ANY unencrypted HTTP website,”.

 

Cache Poisoning issue in HTTP Request handling

 

Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.

 

“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”

 
“For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:

 

GET http://victim.com/ HTTP/1.1 Host: attack.com
The cache module uses the host address from the request string (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the communication between the host and the IP address. This is what makes the attack possible.

 

 

Protection

 

The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.

 

C51 Security researchers recommend enabling the host_verify_strict option which is disabled by default, and considering the Suricata intrusion detection system rules to detect exploitation attempts.

 

 

https://drive.google.com/file/d/0ByM36MBckzBaQUFES0VYRlZydUE/view

Share

imagetragick_logo-100659291-primary.idge

 

 

Researchers have discovered several vulnerabilities in the popular image processing suite ImageMagick, including a serious remote code execution flaw that has been exploited in the wild.

 
ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library is used by many image-processing plugins, which means that the software is present in a large number of web applications.

 

The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

 

While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability (CVE-2016-3714) related to insuficient filtering of shell characters.

 
The vulnerability, dubbed “ImageTragick,” can be exploited by uploading a specially crafted file to a website that processes images using ImageMagick.

 

An attacker can create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type based on so-called “magic bytes,” the first few bytes of a file that are specific to each file type. Once it detects that it’s not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.

 

An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.

 
ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.

 
In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.

 

Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in ‘/etc/ImageMagick’.
Other vulnerabilities found in ImageMagick can be exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).

Share