So another vulnerability with a name and a logo – ImageTragick? At least this time it’s pretty dangerous: a bunch of ImageMagick zero-day vulnerabilities have been announced, including one that can leave you susceptible to remote code execution.
It’s pretty widely used software too and very public: if you use an app online that lets you upload images and they get cropped/resized, then it’s probably using ImageMagick or something similar on the back-end (PHP often uses GD).
I know some organisations that use it in their Ruby apps to deal with user avatar uploads, and they will be very open to this channel of ownage. Of course if you’re already smart and using a third party service to do it like Cloudinary or ImgIX – you are safe.
A wildly popular software tool used by websites to process people’s photos can be exploited to execute malicious code on servers and leak server-side files.
Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in the latest source code – but are incomplete and have not been officially released, we’re told.
Whenever you upload a profile photo, a gallery of snaps, or a silly meme to a website, there’s an extremely high chance that the site is using ImageMagick, an open-source collection of image processing tools, to resize, crop and tweak the pictures.
By feeding booby-trapped data – such as a poisoned selfie – to web services using ImageMagick, it may be possible to execute malicious code on the website’s server. From there hackers can start infiltrating the system to steal secrets, snoop on people’s accounts, and so on.
Source: The Register
The exploit is in use in the wild as it’s fairly trivial and the current patches are incomplete. It seems like the details leaked out before proper patches could be developed, tested and rolled out – they are expected this weekend though.
The flaw itself somehow seems to be related to these insecure delegates used by ImageMagick.
How to Protect against it
1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)
2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The policy.xml example below disables the coders EPHEMERAL, URL, HTTPS, MVG, and MSL.
An example policy.xml:
```xml
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
```
Do note, this is not a complete protection and you need to apply the patches as soon as they are released.
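The magic-byte check from step 1, as an added example in Python (not code from the original post): the upload handler sniffs the leading bytes against the raster formats it actually supports and refuses everything else before the data reaches ImageMagick, which picks its coder from content rather than from the file extension. The supported-format set and the sample inputs are constructed assumptions.

```python
# Added example: refuse uploads whose leading bytes do not match a format the
# service supports, before they are handed to ImageMagick. ImageMagick selects
# its coder from the file content, so a text file that begins with an MVG or
# MSL directive would otherwise be routed to those coders regardless of its name.
from typing import Optional

# Signatures for the formats this (hypothetical) upload endpoint accepts.
MAGIC_BYTES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, else None."""
    for fmt, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_for_imagemagick(data: bytes, allowed=frozenset(MAGIC_BYTES)) -> bool:
    """True only if the upload carries a whitelisted raster signature.

    The decision is made on the bytes, not the name: a file uploaded as
    photo.jpg whose content is MVG text ("push graphic-context ...") has no
    known signature and is rejected. Use this together with the policy.xml
    restrictions; it is a first filter, not a substitute for the patches.
    """
    fmt = sniff_image_type(data)
    return fmt is not None and fmt in allowed


if __name__ == "__main__":
    # Constructed sample inputs (not real files): a PNG header, a JPEG header
    # and a harmless MVG drawing script posing as an image upload.
    samples = {
        "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "mvg": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    }
    for name, blob in samples.items():
        verdict = "accepted" if is_safe_for_imagemagick(blob) else "rejected"
        print(f"{name}: {verdict}")
```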
This has been assigned CVE-2016-3714 and if you want to read a more technical look at the issues, read this thread – Re: ImageMagick Is On Fire — CVE-2016-3714 and this – Remote code execution vulnerability in ImageMagick.
MISP, Malware Information Sharing Platform and Threat Sharing, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat information from cyber security incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals and malware reversers to support their day-to-day operations in sharing structured information efficiently.
The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionality to support the exchange of information but also its consumption by Network Intrusion Detection Systems (NIDS), LIDS, log analysis tools and SIEMs.
- An efficient IOC and indicators database for storing technical and non-technical information about malware samples, incidents, attackers and intelligence.
- Automatic correlation, finding relationships between attributes and indicators from malware, attack campaigns or analysis.
- Built-in sharing functionality to ease data sharing using different distribution models. MISP can automatically synchronize events and attributes among different MISP instances. Advanced filtering functionality can be used to meet each organization’s sharing policy, including a flexible sharing group capability and an attribute-level distribution mechanism.
- An intuitive user interface for end users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. Advanced filtering functionality and warning lists to help analysts contribute events and attributes.
- Storing data in a structured format (allowing automated use of the database for various purposes) with extensive support for cyber security indicators alongside fraud indicators such as those used in the financial sector.
- Export: generating IDS, OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools).
- Import: bulk import, batch import, import from OpenIOC, GFI sandbox, ThreatConnect CSV.
- A flexible free-text import tool to ease the integration of unstructured reports into MISP.
- A gentle system for collaborating on events and attributes, allowing MISP users to propose changes or updates to attributes/indicators.
- Data sharing: automatic exchange and synchronization with other parties and trust groups using MISP.
- Delegation of sharing: a simple pseudo-anonymous mechanism to delegate publication of events/indicators to another organization.
- A flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP, a flexible Python library to fetch, add or update event attributes, handle malware samples or search for attributes.
- An adjustable taxonomy to classify and tag events following your own classification schemes or existing classifications. The taxonomy can be local to your MISP instance but also shareable among MISP instances.
- Expansion modules in Python to extend MISP with your own services or activate already available misp-modules.
- Sighting support to gather observations from organizations concerning shared indicators and attributes. Sightings can be contributed via the MISP user interface, via the API as MISP documents, or as STIX sighting documents.
- STIX support: export data in the STIX format (XML and JSON).
- Integrated encryption and signing of notifications via PGP and/or S/MIME, depending on the user’s preferences.
Exchanging information results in faster detection of targeted attacks and improves the detection ratio while reducing false positives. It also avoids reversing similar malware, since teams quickly learn which other teams or organizations have already analyzed a specific sample.
You can download MISP here:
Or read more here.
Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
It has a LOT of modules (90+) and is currently in the midst of implementing a RESTful API which will be great.
Currently Empire has the following categories for modules:
- Code Execution – Ways to run more code
- Collection – Post exploitation data collection
- Credentials – Collect and use creds
- Exfiltration – Identify egress channels
- Lateral Movement – Move around the network
- Management – Host management and auxiliary
- Persistence – Survive reboots
- Privesc – Privilege escalation capabilities
- Recon – Test further entry points (HTTP Basic Auth etc)
- Situational Awareness – Network awareness
- Trollsploit – For the lulz
PowerShell offers a multitude of offensive advantages, including:
- Full .NET access
- Application whitelisting
- Direct access to the Win32 API
- Ability to assemble malicious binaries in memory
- Default installation on Windows 7+.
Offensive PowerShell had a watershed year in 2014, but despite the multitude of useful projects, many pen-testers still struggle to integrate PowerShell into their engagements in a secure manner.
How it works
Empire has a few components which you can chain together, similar to something like Metasploit.
Listeners – Think of this like a Metasploit handler; this will catch your session.
Stagers – This is your payload; this is what you will execute on your target system.
Agents – This is how you interact with the target system; you can gather stats & info or run shell commands.
It also has fairly robust logging built in.
You can download Empire here:
Or read more here.
So another data breach, and no surprise here, but another dating site. This time the BeautifulPeople.com leak has exposed 1.1 million customer records, including 15 million private messages sent between users.
Not so private now is it.
And no surprise either: the entry point for this leak was the not-so-excellent NoSQL database MongoDB, which has amazing passwordless defaults and listens on ALL network interfaces rather than binding to localhost.
Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web.
But the information – which now appears to be real user data despite being hosted on a non-production server – was taken by one or more less-than-scrupulous individuals before the lockdown, making it out into the dirty world of data trading this year. That’s according to Troy Hunt, an Australian security expert who runs the website HaveIBeenPwned.com, where people can check if their own information has been leaked in some of the biggest breaches in recent memory, from Adobe to Ashley Madison.
It seems like the records are for sale on the shadier parts of the web and actively being traded by those who trade these kind of things. Fortunately payment details weren’t leaked, and passwords were encrypted.
So it’s a privacy issue more than a financial loss or threat, but as always this kind of info is a goldmine for social engineering, blackmail and identity theft.
Two BeautifulPeople.com users confirmed their information was in the leaked database, which also contained encrypted passwords. They shared their entries as found in the database, which showed an entry for descriptions of themselves, revealing more private details about their personal lives. One confirmed the latitude and longitude details were correct, pointing to Cambridge, UK, where they’d signed up.
BeautifulPeople.com, which brags about being “the largest network of attractive people in the world”, has courted controversy in the past by removing thousands of users from the service for not being attractive enough. In 2009, it boasted 1.8 million “ugly people” had been denied access to the site. In 2010, 5,000 were culled after gaining too much weight over a festive break. Last year, weight gain and ageing led to another 3,000 being thrown out.
Today, the company re-sent its original statement on the breach, first received by FORBES in December. “We can confirm we were notified of a breach on December 24th of 2015 of one of our MongoDB test servers. This was a staging server and not part of our production data base. The staging server was immediately shut down.” The company claimed all affected members were informed of “the vulnerability” in December, whilst noting passwords were encrypted and no financial data was exposed.
The user data is apparently only for users that signed up and were active before July 2015; anyone who joined after that shouldn’t be affected.
And yah, be careful with your staging servers – don’t have production data on them unless you absolutely have to (which honestly you don’t). You can mock whatever data structures you need to develop on it.
And don’t use MongoDB.
GRR Rapid Response is an incident response framework focused on remote live forensics. It is based on a client-server architecture, so there’s an agent which is installed on target systems and a Python server infrastructure that can manage and communicate with the agents. There are agents for Windows, Linux and Mac OS X environments. Overview To […]
SamParser is a Python script used to parse SAM registry hives for both users and groups; its only dependency is python-registry. This would be a great little script to write into another toolset or larger attack pattern, especially if you’re already using a Python kit or framework.
Dependencies
```shell
pip install python-registry
```
```shell
python samparse.py <hive>
```
```text
----- Administrator -----
Comment : Built-in account for administering the computer/domain
Account Type : Default Admin User
RID : 500
Account Created Date : 13 May 2008 - 22:20:14
Last Login Date : 21 July 2008 - 01:22:18
Password Reset Date : 13 May 2008 - 22:23:39
Password Fail Date : Never
Account Flags : Password does not expire | Normal user account |
Failed Login Count : 0
Login Count : 24
----- Guest -----
Comment : Built-in account for guest access to the computer/domain
Account Type : Default Guest Acct
RID : 501
Account Created Date : 13 May 2008 - 22:20:14
Last Login Date : Never
Password Reset Date : Never
Password Fail Date : Never
Account Flags : Password does not expire | Account Disabled | Password not required | Normal user account |
Failed Login Count : 0
Login Count : 0
----- Administrators -----
Group Description : Administrators have complete and unrestricted access to the computer/domain
Last Write : 2008-05-14 05:35:35.281248
User Count : 7
Memebers : S-1-5-21-484763869-796845957-839522115-500
----- Users -----
Group Description : Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
Last Write : 2008-05-14 05:35:35.265625
User Count : 8
Memebers : S-1-5-4
```
Much like Adobe Flash, QuickTime from Apple is a bit of a relic, and some pretty serious remote-code-execution-type Windows QuickTime vulnerabilities were recently discovered by Trend Micro. Apple has officially stated that they won’t be fixing them, and the official line on this is to uninstall QuickTime. I guess a lot of people […]
Recon-ng is a full-featured Web Reconnaissance Framework written in Python. Complete with independent modules, database interaction, interactive help, and command completion – Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feel and even command flow similar to the Metasploit Framework, reducing […]
IPGeoLocation is a Python based tool designed to retrieve IP geolocation information from the ip-api service, useful for building into your security tools. Do be aware that as this tool is leveraging a 3rd party API, you will be limited to 150 requests a minute. Whilst that is quite a lot, just be wary of […]
So there’s been hype about this big exploit coming, for over a month, before anything was released. It had a name, a website and a logo – and it was called Badlock. And now it’s out, and it’s more like Sadlock – really a local network DoS against DCE/RPC services on Windows and Linux with […]