Archive | May, 2011

VUPEN Whitehats Claim To Have Broken Chrome Sandbox

The New Acunetix V12 Engine


The big news recently is that someone has finally managed to pop the formidable Chrome browser, as we know from following Pwn2Own – it’s been safe for 3 years in a row.

It has a sandbox, ASLR and DEP and that’s a pretty heavy combination to keep users safe from malicious software coming in via the web browser. VUPEN (a French infosec consultancy) claims to have broken ALL of these defenses allowing them to execute code using the browser on the latest version of Chrome.

Do bear in mind however as of now this is just a claim, there’s a video of the exploit in action – but that doesn’t prove anything either.

Researchers say they’ve developed attack code that pierces key defenses built into Google’s Chrome browser, allowing them to reliably execute malware on end user machines.

The attack contains two separate exploits so it can bypass the security counter measures, which include address space layout randomization (or ASLR), data execution prevention (or DEP), and a “sandbox” designed to isolate browser functions from core operating-system operations. So far, there have been relatively few reported exploits that can penetrate the sandbox, and that’s one of the reasons the browser has managed to emerge unscathed during the annual Pwn2Own hacker competition for three years in a row.

“While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP,” researchers from France-based Vupen Security wrote in a blog post published on Monday.

The interesting part, and the thing that is causing a lot of debate (as per usual) is the disclosure policy by VUPEN. These guys are not going to tell Google, they say they will tell their clients for attack and defense purposes – but honestly? What good would a working exploit like this be in terms of defense? Unless you can perhaps add it into your IPS/IDS.

The only power/value I can see it having is in attack circumstances and from their attitude it seems like they will sell/rent this exploit out to the highest bidders. Scruples aside I have to say the bounty offered by Google definitely wouldn’t cut it in this case.


The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security.” Neither Google nor the public will be privy to the specifics.

“We’re unable to verify VUPEN’s claims at this time as we have not received any details from them,” a Google spokesman said. “Should any modifications become necessary, users will be automatically updated to the latest version of Chrome.”

Google to date has awarded more than $150,000 under its bug bounty program, which pays as much as $3133.7 for reports of serious security bugs.

As is typical with attacks that bypass security sandboxes, the Vupen proof-of-concept actually contains two separate exploits, said Chaouki Bekrar, the company’s CEO.

It’s an interesting attack vector if it does really work and if as is claimed – it’s reliable and repeatable. I’d like to see it verified somehow though, but unless Google gets their hands on the code – that’s extremely unlikely.

And well if it is real these two exploits combined into a deadly package would certainly be worth a LOT on the black market. Either way, it’s certainly providing a lot of PR coverage for VUPEN.

Source: The Register

Posted in: Exploits/Vulnerabilities, Hacking News

Topic: Exploits/Vulnerabilities, Hacking News


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


ArpON v2.2 Released – Tool To Detect & Block ARP Spoofing

Use Netsparker


ArpON (ARP handler inspection) is a portable handler daemon that make ARP secure in order to avoid the Man In The Middle (MITM) through ARP Spoofing/Poisoning attacks. It detects and blocks also derived attacks by it for more complex attacks, as: DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

This is possible using three kinds of anti ARP Poisoning techniques: the first is based on SARPI or “Static ARP Inspection” in statically configured networks without DHCP; the second on DARPI or “Dynamic ARP Inspection” in dynamically configured networks having DHCP; the third on HARPI or “Hybrid ARP Inspection” in “hybrid” networks, that is in statically and dynamically (DHCP) configured networks together.

SARPI, DARPI and HARPI protects both unidirectional, bidirectional and distributed attacks: into “Unidirectional protection” is required that ArpON is installed and running on one node of the connection attacked; into “Bidirectional protection” is required that ArpON is installed and running on two nodes of the connection attacked; into “Distributed protection” is required that ArpON is installed and running on all nodes of the connections attacked. All other nodes without ArpON will not be protected from attack.

ArpON is therefore a host-based solution that doesn’t modify ARP’s standard base protocol, but rather sets precise policies by using SARPI for static networks, DARPI for dynamic networks and HARPI for hybrid networks thus making today’s standardized protocol working and secure from any foreign intrusion.


Features

  • It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in statically, dynamically (DHCP), hybrid configured networks
  • It detects and blocks derived attacks: DHCP Spoofing, DNS Spoofing WEB Spoofing, Session Hijacking, SSL/TLS Hijacking & co
  • It detects and blocks unidirectional, bidirectional and distributed attacks
  • Doesn’t affect the communication efficiency of ARP protocol
  • Doesn’t affect the race response time from attacks
  • Multi-threading on all OS supported
  • It manages the network interface into unplug, boot, hibernation and suspension OS features
  • It works in userspace for OS portability reasons
  • Easily configurable via command line switches, provided that you have root permissions
  • Tested against Ettercap, Cain & Abel, dsniff and other tools

You can download ArpON v2.2 here:

ArpON-2.2.tar.gz

Or read more here.

Posted in: Countermeasures, Networking Hacking

Topic: Countermeasures, Networking Hacking


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

The New Acunetix V12 Engine


I actually misread this news at first and thought it was an additional leak from the Sony PlayStation Network (PSN) Hack that has been flooding the news, but sadly for Sony this is an entirely different hack carried out at the same time.

It turns out around the same time PSN got hacked SOE (Sony Entertainment Online) also got hacked and critically an ‘old’ payment details table was stolen that contained credit card details.

It looks like Sony has been hacked REAL hard this time, perhaps some splinter cell of Anonymous really is laying the smackdown on them.

Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.

The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn’t address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.

Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don’t believe was accessed.

The warning came a day after Sony closed the SOE’s Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”

As mentioned in the previous post comments, Sony also warned that the PSN hack could have exposed 10 million credit card details.

The latest news is that SOE was hacked resulting in 25 million customer accounts being exposed and the possibility of 12,000 sets of payment details being exposed is there too.

If you add up the numbers – in one week Sony has managed to expose over 100 million user accounts, that’s quite a feat.


Combined with a previously reported hack on the company’s PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn’t supplied the same crucial details.

For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday’s press release from Sony said.

The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn’t said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.

The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn’t disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony’s network.

It seems like they are considering ways of compensating their users for the downtime, the same can’t be said for PSN as it’s a free service. I wonder if any more news is going to come out about this, if the main Sony database was breached that would be tragic.

I can see them getting in some hot legal waters over all this data-loss. There are rumours that the main credit card database was compromised, but so far Sony has denied this and stated there is no evidence pointing to that.

Either way it’s an interesting case and I’m just waiting to see where else it’s going to go.

Source: The Register

Posted in: Legal Issues, Privacy

Topic: Legal Issues, Privacy


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


sslsnoop v0.6 – Dump Live Session Keys From SSH & Decrypt Traffic On The Fly

The New Acunetix V12 Engine


sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.

  1. Works if scapy doesn’t drop packets. using pcap instead of SOCK_RAW helps a lot now.
  2. Works better on interactive traffic with no traffic at the time of the ptrace. It follows the flow, after that.
  3. Dumps one file by fd in outputs/
  4. Attaching a process is quickier with –addr 0xb788aa98 as provided by haystack INFO:abouchet:found instance @ 0xb788aa98
  5. how to get a pickled session_state file : $ sudo haystack –pid pgrep ssh sslsnoop.ctypes_openssh.session_state search > ss.pickled

Not all ciphers are implemented.

Workings ciphers: aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc
Partially workings ciphers (INBOUND only ?!): aes128-cbc, aes192-cbc, aes256-cbc
Non workings ciphers: 3des-cbc, 3des, ssh1-blowfish, arcfour, arcfour1280

It can also dump DSA and RSA keys from ssh-agent or sshd ( or others ).

You can download sslsnoop here:

trolldbois-sslsnoop.zip

Or read more here.

Posted in: Cryptography, Exploits/Vulnerabilities, Networking Hacking

Topic: Cryptography, Exploits/Vulnerabilities, Networking Hacking


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.