Archive | October, 2010

Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat

Your website & network are Hackable


Well this seems to be a frequently recurring theme, yes there is yet another critical 0day vulnerability in Adobe products – pretty much across the board this time.

It was that long ago that a critical flaw in Flash put Android phones at risk. The core vulnerability exists in Flash but it’s being actively exploited in Adobe Reader via the usual pdf route.

The vulnerability exists across all OS versions (including Android), but as usual the active exploitation seems to be taking place on the Windows platform.

Adobe has confirmed reports that yet another unpatched vulnerability in the latest versions of its ubiquitous software is being actively exploited to infect end users with data-stealing malware.

The vulnerability exists in Adobe’s Reader document viewer and Flash Media Player for Windows, OS X and Unix operating systems, Adobe warned on Thursday. According to independent researchers, it is being exploited in the wild against Reader for Windows to install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.

The vulnerability itself resides in Adobe’s Flash Player, which is available as stand alone software and is also embedded into Reader. According to researcher Mila Parkour of the Contagio Malware Dump blog, poisoned PDF documents are circulating that drop two malicious binaries onto Windows machines that open the document files.

A screenshot identified the two files as nsunday.exe and nsunday.dll. A Virus Total scan showed just 15 of 42 antivirus programs were detecting the malicious EXE. She didn’t say whether the attacks succeed against more recent versions of the OS, which Microsoft has designed to withstand many of the most common types of exploits.

This vector comes to pass as Flash player is also embedded into Adobe Reader, so by using a malicious PDF file with the AuthPlay exploit – they can trigger the Flash player flaw and drop malware into the OS.

There is information on how to disable the AuthPlay functionality at the bottom of the Adobe advisory:

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Basically you need to go to the Adobe Reader directory and delete the AuthPlayLib.bundle (Windows/Mac OSX) or libauthplay.so.0.0.0. (linux) file.


Adobe said it planned to patch the vulnerability in Flash during the week of November 9 and in Reader during the week of November 15. The schedule is puzzling, since Reader has been confirmed to be under attack and Flash has not been confirmed.

In the meantime, users can protect themselves by using an alternate document viewer, such as Foxit. For those who must use Reader, Adobe said they can mitigate attacks by removing functionality known as AuthPlay, by following the instructions near the bottom of this advisory. Adobe provided no temporary measures Flash users can follow.

It’s been a bad couple of years for Adobe’s security team, which has gotten repeatedly hammered by critical vulnerabilities that are exploited by criminals to install malware on users’ machines. Three weeks ago, the company issued a fix for a security flaw in Reader that was also under attack by a highly sophisticated exploit. Last month, Adobe fixed a critical vulnerability in Flash that was also being used to compromise end user computers.

Adobe is also in the process of developing a patch for a code-execution bug in its Shockwave Player. By many researchers’ reckoning, Reader is among the world’s most exploited applications, in close competition with Oracle’s Java framework and, of course, various Microsoft programs.

From recent attacks it seems Adobe Reader and Flash are amongst the most exploited applications, especially when it comes to serious vulnerabilities that allow code-execution.

The new generation Adobe Reader with Sandbox Feature can’t come soon enough.

There’s also more here:

Hackers exploit newest Flash zero-day bug

Source: The Register


Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking

Tags: , , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Mirai DDoS Malware Source Code Leaked
- mimikittenz – Extract Plain-Text Passwords From Memory
- Massive Yahoo Hack – 500 Million Accounts Compromised

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 236,502 views
- AJAX: Is your application secure enough? - 120,376 views
- eEye Launches 0-Day Exploit Tracker - 85,869 views


Recent in Hacking Tools:
- PyExfil – Python Data Exfiltration Tools
- Netdiscover – Network Address Discovery Tool
- Kautilya – Human Interface Device Hacking Toolkit

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 2,000,913 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,511,671 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 692,085 views


Hackers Exploit Unpatched Firefox 0day Using Nobel Peace Prize Website

Your website & network are Hackable


It’s been a while since Firefox has been in the news, but this is a fairly high profile case involving the Nobel Peace Prize website. It seems there is a race condition vulnerability in the latest versions of Firefox (including 3.6.11) that allows remote exploitation.

In this case it was used via an iFrame on nobelpeaceprize.org which then downloaded malware to the visitors machine using a multi-exploit back-end which amongst others also leveraged this 0day Firefox exploit.

Malicious hackers have exploited an unpatched vulnerability in the latest version of Firefox to attack people visiting the Nobel Peace Prize website, a Norway-based security firm said on Tuesday.

Mozilla representatives confirmed a “critical vulnerability” in versions 3.5 and 3.6 of the open-source browser. It came several hours after the organization members were said to have made the same admission on this password-protected Bugzilla page. According to Einar Oftedal, a detection executive at Norman ASA in Oslo, the official website for the Nobel Peace prize, nobelpeaceprize.org, was compromised so that it contained an iframe link to a malicious server.

“This iframe has a multi exploit backend and serves exploits for Firefox, including a working remote exploit for Firefox 3.6.11,” he said in an instant message to The Register. “We didn’t see any 0day for IE,” he added, referring to Microsoft’s browser.

Mozilla claims they will address this issue soon and past history dictates that a patch will come out within a few days, so look forwards to Firefox 3.6.12 by the end of the week. It seems to be a fairly advanced and targeted attack.

Of course the conspiracy theorists will say that the attack was carried out by the Chinese Government as their way of complaining that the most recent Nobel Peace Prize was given to a Chinese dissident named Liu Xiaobo.


He said the attack exploited a race condition vulnerability in Firefox to force end users to install malware his firm has dubbed Belmoo. The Windows executable was created on Sunday and attempts to connect to several internet addresses, according to his analysis.

If the addresses resolve, “the malware attaches a command shell to the opened socket, giving an attacker access on the local computer with the same rights as the logged on user.” If not, the malware will exit.

If Norman’s report proves accurate, it’s the first time in recent memory attackers have exploited an unpatched vulnerability in Firefox. Most so-called zero-day attacks are perpetrated against Adobe Reader or Flash Player, Microsoft software and to a lesser extent Oracle’s Java. The report is also unusual because the attack didn’t appear to target other applications, as is typical with exploit packages.

Hours after the reports surfaced, Mozilla said it would issue a fix as soon as possible. In the meantime, users can protect themselves by disabling JavaScript altogether or installing the NoScript extension that allows users to control which websites are permitted to run JavaScript.

As per usual you can protect yourself against this flaw by using NoScript or disabling JavaScript functionality in your browser.

It’s been a while since there’s been a serious bug in Firefox, most of the recent ones have not been exploitable or have involved passive activities like data leakage and clickjacking.

Source: The Register


Posted in: Exploits/Vulnerabilities, Malware, Web Hacking

Tags: , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Malware, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Mirai DDoS Malware Source Code Leaked
- mimikittenz – Extract Plain-Text Passwords From Memory
- Massive Yahoo Hack – 500 Million Accounts Compromised

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 236,502 views
- AJAX: Is your application secure enough? - 120,376 views
- eEye Launches 0-Day Exploit Tracker - 85,869 views


The Social-Engineer Toolkit (SET) – Computer Based Social Engineering Tools

Find your website's Achilles' Heel


The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

SET is a menu driven based attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target. Let’s dive into the menu and do a brief walkthrough of each attack vector.


This is an extremely complete and advanced toolkit, which also harnessed the power of Metasploit and Ettercap and it provides following attack vectors:

  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector

You can find some tutorials and videos on how to get up and running and use SET here:

Social Engineering Resources

You can download SET using SVN.

Or read more here.


Posted in: Hacking Tools, Social Engineering

Tags: , , , , , , , , , , , , , ,

Posted in: Hacking Tools, Social Engineering | Add a Comment
Recent in Hacking Tools:
- PyExfil – Python Data Exfiltration Tools
- Netdiscover – Network Address Discovery Tool
- Kautilya – Human Interface Device Hacking Toolkit

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 2,000,913 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,511,671 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 692,085 views


Malware Pushers Abuse Firefox Warning Page

Find your website's Achilles' Heel


This is a pretty neat attack from the malware pushes leveraging on the ignorance of the average user – which in all honestly is a safe bet most of the time! You could consider it a Social Engineering attack as it’s taking something that’s familiar and changing it to deliver malware.

I’m sure all the Firefox users reading have at some point or another been faced with the warning screen that tells you a site is not safe to visit, the red page which states in big white letters “Reported Attack Page!”.

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.

Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.

If Windows users apply these updates they will be falsely warned that their system is infected and continuously nagged into buying worthless scareware packages that serve only to line the pockets of cyber-scammers.

The rogue application will automatically attempt to install itself on the machines of prospective marks in cases where scripts are enabled, net security firm F-Secure warns.

Personally I’d say this attack would be pretty effective, my only question would be – how would the user land on that site in the first place? I guess through the normal channels (e-mail spam, facebook wall worms and so on).

After landing the user would realize they’ve been spammed/scammed and see the Firefox warning…then download the ‘security update’ and install it – unknowingly pwning themselves in the process.


Firefox’s genuine attack warning technology is all server-side and never requests that users download updates. The attack relies, in part, on the ignorance of the majority of potential victims on this point.

The attack is a rare but not unprecedented attempt by malware slingers to use Firefox features to push their wares. Previous attacks by the same gang have involved tricking users into downloading scareware in the guise of a supposed Firefox/Flash update.

The malware is offered from a page designed to trick Firefox users into thinking their browser software has just been updated but that they still need to apply a Flash Player patch, which is actually a rogue anti-virus installation utility. The sneaky tactic, first spotted back in July, is explained in more detail in a blog post by F-Secure.

It just goes to show the bad guys are pretty creative when it comes to new ways to trick people into installing their malware, I wonder what we’ll see next?

The full entry by F-Secure can be seen here:

Reported Attack Site! – Security Tool’s Latest Trick

Source: The Register


Posted in: Malware, Social Engineering, Spammers & Scammers

Tags: , , , , , , ,

Posted in: Malware, Social Engineering, Spammers & Scammers | Add a Comment
Recent in Malware:
- Androguard – Reverse Engineering & Malware Analysis For Android
- Android Devices Phoning Home To China
- Linux kernel.org Hacker Arrested After Traffic Stop

Related Posts:

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,576 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,704 views
- US considers banning DRM rootkits – Sony BMG - 45,005 views


NSDECODER – Automated Website Malware Detection Tool

Find your website's Achilles' Heel


NSDECODER is a automated website malware detection tool. It can be used to decode and analyze an URL to see if it host to malware. Also, NSDECODER will analyze which vulnerability has been exploited and the original source address of malware.

Functions

  • Automated analysis and detection of website malware.
  • Detection for plenty of vulnerabilities.
  • Log export supports HTML and TXT format.
  • Ability to deeply analyze JavaScript.

You can download NSDECODER here:

nsdecoder_gui_v1.0.zip

Or you can read more here.


Posted in: Countermeasures, Malware, Web Hacking

Tags: , , , , , , , , ,

Posted in: Countermeasures, Malware, Web Hacking | Add a Comment
Recent in Countermeasures:
- Pulled Pork – Suricata & Snort Rule Management
- Signal Messaging App Formal Audit Results Are Good
- Snort – Free Network Intrusion Detection & Prevention System

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,376 views
- Password Hasher Firefox Extension - 117,979 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,778 views


Facebook Apps Leaking Personal Data To Third Parties

Find your website's Achilles' Heel


Less than a week after our story about Facebook Introducing OTP (One-time Password) Functionality to make the site more secure, their dubious privacy standards have hit the news again.

Facebook privacy has been in the news numerous times and it’s a subject we’ve also covered many times, with the sheer mass of users on the site the amount of data (especially personal data) is phenomenal.

The latest buzz is that many of the most popular 3rd party apps (mostly games like Farmville and Texas HoldEm Poker) are leaking the unique Facebook ID that enables tracking of an individual Facebook user.

A number of Facebook apps have been providing advertisers with information that make social networking users easily identifiable, according to an investigation by the Wall Street Journal.

All 10 of Facebook’s most popular apps, including Farmville and Texas HoldEm Poker, are among those leaking the unique ‘Facebook ID’ number to outside firms. Every Facebook number is individual and assigned to every profile. Searching for the number will provide access to the Facebook user’s profile and anyone can view the information a user has chosen to share with ‘everyone’. This can include their name, date of birth and even photos.

Farmville, which has 59 million users, also passes this information about a user’s friends. The WSJ said at least 25 firms were being sent the Facebook IDs, which they were using to build profiles of web users, and in some cases, even track their web browsing. It’s not known if the developers knew their apps were leaking data.

It’s become a big issue because WSJ reported on it – Facebook in Privacy Breach, it seems that with the data that the apps leak + some good old data mining advertising and marketing companies can build fairly comprehensive databases about individuals on the Internet.

Not that this is a new problem for anyone who has followed the issues Facebook has been dealing with and in part making worse themselves with lax default privacy settings. It’s a contradiction really because for a service like Facebook the more data they can collect the more valuable they are and on the flip-side everyone and his dog is so worried about privacy…but they still use Facebook.


Millions of Facebook users have been affected, even those that use the social network’s strongest privacy settings. It also breaks Facebook’s rules concerning privacy, which state app developers can not pass on users’ data to outside firms, even if the user has given permission.

Facebook admitted a user’s ID “may be inadvertently shared by a user’s internet browser or by an application” but it “does not permit access to anyone’s private information on Facebook”.

Third-party developers are usually responsible for developing the apps. Facebook stopped users accessing several apps thought to have been leaking personal data.

“We have taken immediate action to disable all applications that violate our terms,” Facebook said. The WSJ named RapLeaf as one of the developers using the Facebook IDs in its own database as well as passing them onto to several other firms.

Facebook claims that somehow they are going to address these issues (by introducing new technology), perhaps another use for a OTP or some kind of token access for the application which allows you to use the application without revealing ANY personal info – including the Facebook ID.

But then I’m not sure how games like Farmville would track your progress and link to your account if they can’t use your Facebook ID.

Source: Network World


Posted in: Legal Issues, Privacy

Tags: , , , , , , ,

Posted in: Legal Issues, Privacy | Add a Comment
Recent in Legal Issues:
- UK Teen Earned More Than US$385,000 From DDoS Service
- Massive Yahoo Hack – 500 Million Accounts Compromised
- Two Israeli Men Arrested For Running VDoS-s.com DDoS Service

Related Posts:

Most Read in Legal Issues:
- Class President Hacks School Grades - 80,756 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,704 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,642 views


USBsploit 0.3b – Generate Reverse TCP Backdoors & Malicious .LNK Files

Your website & network are Hackable


PoC to generate Reverse TCP backdoors (x86, x64, all ports), running Autorun or LNK USB infections, but also dumping all USB files remotely on multiple targets at the same time. USBsploit works through Meterpreter sessions with a light (27MB) modified version of Metasploit. The interface is a mod of SET (The Social Engineering Toolkit). The Meterpreter script usbsploit.rb of the USBsploit Framework can otherwise be used with the original Metasploit Framework.

You can download USBsploit here:

usbsploit-0.3-BETA-linux-i686.tar.gz

Or read more here.


Posted in: Exploits/Vulnerabilities, Hardware Hacking, Windows Hacking

Tags: , , , , , ,

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Mirai DDoS Malware Source Code Leaked
- mimikittenz – Extract Plain-Text Passwords From Memory
- Massive Yahoo Hack – 500 Million Accounts Compromised

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 236,502 views
- AJAX: Is your application secure enough? - 120,376 views
- eEye Launches 0-Day Exploit Tracker - 85,869 views


Half Of Home Wi-Fi Networks In The UK Vulnerable to Hacking/WiFi-Jacking

Your website & network are Hackable


Once again WiFi security is in the news, this time a new report in the UK shows that almost half of UK home WiFi networks could be compromised within 5 seconds.

While that sounds a little dramatic it wouldn’t surprise me if a lot still have no WEP key at all. And even if they have a WEP key with the tools available for WEP cracking now – it wouldn’t take that long to hammer it down – especially on a high traffic network.

From the study it seems that about 25% of networks are totally password free, I’m not sure how far they went though in terms of trying to connect. Perhaps a lot are public wifi spots that employ proxy services and require you to ‘login’, perhaps some are using MAC address white-listing.

Nearly half of all home Wi-Fi networks in the UK could be hacked within five seconds, according to CPP. The life assistance company employed the services of ethical hacker Jason Hart to roam six major cities across the UK and use specially developed software to identify home networks that were at risk of ‘Wi-Fi jacking’.

Wi-Fi jacking see hackers piggybacking on a net connection and allows them to illegally download files, purchase illegal goods or pornography or even sell on stolen goods, without being traced. It also allows them to view the private transactions made over the net, providing them with access to passwords and usernames that can subsequently be used to commit identity fraud. CPP’s research, which has been conducted ahead of National Identity Fraud Prevention Week, revealed 40,000 home Wi-Fi networks were at risk.

CPP also said that despite the fact 82 percent of web users believe their Wi-Fi connection is secure, nearly a quarter of private wireless networks are not password protected

It’s also interesting the amount of web users that use public or wifi-jacked networks without using encrypted connections. Grabbing login and password combos at a rate of 350 per hour is a LOT of passwords.

If they also recorded the associated services that could be a massive stash of credentials. It just goes to show if you do a little war-driving, what kind of goodies you can go home with.


Furthermore, nearly one in five (16 percent) of web users say they regularly use public networks. During his research, Hart was able to ‘harvest’ usernames and passwords from user of the public Wi-Fi networks at a rate of more than 350 an hour.

He also revealed more than 200 web users unsuspectingly logged onto a fake Wi-Di network over the course of an hour, during the experiment, putting themselves at risk from fraudsters who could harvest their personal and financial information.

“This report is a real eye-opener in highlighting how many of us have a cavalier attitude to Wi-Fi use, despite the very real dangers posed by unauthorised use,” said CPP’s identity fraud expert Michael Lynch.

“We urge all Wi-Fi users to remember that any information they volunteer through public networks can easily be visible to hackers. It’s vital they remain vigilant, ensure their networks are secure and regularly monitor their credit reports and bank statements for unsolicited activity.”

Hart warned both businesses and individuals to “think very carefully about network security and what information they provide when going online”.

As with most things this is not a technical issue, there are plenty of security options for home Wi-Fi setups, they are well documented and all new modems/routers come with filtering, white-listing and WEP/WPA encryption built in.

With a combination of these factors anyone can set up a secure WAP at home.

Oh well, it looks like things are going to change for a while.

Source: Network World


Posted in: Network Hacking, Privacy, Wireless Hacking

Tags: , , , , , , ,

Posted in: Network Hacking, Privacy, Wireless Hacking | Add a Comment
Recent in Network Hacking:
- PyExfil – Python Data Exfiltration Tools
- Netdiscover – Network Address Discovery Tool
- Censys – Public Host & Network Search Engine

Related Posts:

Most Read in Network Hacking:
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,511,671 views
- Wep0ff – Wireless WEP Key Cracker Tool - 514,763 views
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool - 329,132 views


Windows Credentials Editor v1.0 – List, Add & Edit Logon Sessions

Your website & network are Hackable


Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks.

Supported Platforms

Supports Windows XP, 2003, Vista, 7 and 2008 (Vista was not actually tested yet, but it should work).

Options

Windows Credentials Editor provides the following options:

You can download Windows Credentials Editor v1.0 here:

wce_v1.0.tgz


Posted in: Hacking Tools, Password Cracking, Windows Hacking

Tags: , , , , , , , , ,

Posted in: Hacking Tools, Password Cracking, Windows Hacking | Add a Comment
Recent in Hacking Tools:
- PyExfil – Python Data Exfiltration Tools
- Netdiscover – Network Address Discovery Tool
- Kautilya – Human Interface Device Hacking Toolkit

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 2,000,913 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,511,671 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 692,085 views