Intel CPUs Vulnerable To New Spectre-Like Attack, BranchScope

3/28/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-G0c3cAW9Rhk/WrtChDJaI4I/AAAAAAAAAsY/uOzMF-QlgXUh7J44cyTjIxxo8QPdVhdCACLcBGAs/s1600/BranchScope.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Intel CPUs Are Now Vulnerable to BranchScope Attacks.After Meltdown and Spectre" border="0" data-original-height="455" data-original-width="1250" height="232" src="https://3.bp.blogspot.com/-G0c3cAW9Rhk/WrtChDJaI4I/AAAAAAAAAsY/uOzMF-QlgXUh7J44cyTjIxxo8QPdVhdCACLcBGAs/s640/BranchScope.png" title="Intel CPUs Are Now Vulnerable to BranchScope Attacks.After Meltdown and Spectre" width="640" /></a></div>
<br />
<br />
Security researchers have discovered a new wave of attacks called <b>BranchScope</b>. Yet we're not done with the Meltdown and Spectre security flaws that put billions of devices at risk of attacks.<br />
<br />
<b>BranchScope :  </b>It's a <b>new side-channel attack </b>discovered by four security researchers<b> </b>from College of William and Mary, Carnegie Mellon University in Qatar, University of California Riverside, and Binghamton University, which could affect devices powered by Intel processors and which may be immune to the <a href="http://www.hackerschronicle.com/search/label/meltdown">Meltdown </a>and Spectre mitigations.<br />
<br />
According to their <a href="http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf">paper</a>, even if they are a bit more sophisticated, the BranchScope attacks can do the same damage as the <a href="http://www.hackerschronicle.com/search/label/spectre">Spectre </a>and Meltdown flaws, in the way that an<b> attacker can exploit the security vulnerability to retrieve sensitive data from the unpatched system, including passwords and encryption keys,</b> by manipulating the shared directional branch predictor.<br />
<br />
"<b>The success of the attack largely depends on the ability to perform branch manipulations with precise timing,</b>" reads the paper. "The attacker controlled OS can easily manipulate victim execution timings. For example, the attacker can configure the Advanced Programmable Interrupt Controller (APIC) in such a way that enclave code is interrupted after several instructions are executed."<br />
<br />
Sandy Bridge, Haswell, and Skylake processors affected The researchers have demonstrated the BranchScope attack on three recent Intel Core i5 and Core i7 x86_64 (64-bit) processor families,  including Sandy Bridge, Haswell, and Skylake. The worst part of these attacks is that BranchScope can be extended, offering attackers additional tools to perform more advanced and flexible attacks that target even applications running inside Intel SGX (Software Guard Extensions) enclaves.<br />
<br />
In their paper, which is a must read if you want to learn everything there is to know about the BranchScope vulnerability, the security<b> researchers have proposed software- and hardware-based mitigations for the BranchScope attacks</b>. Therefore, we expect Intel to release new microcode updates for its processors that also fully patch the <a href="http://www.hackerschronicle.com/search/label/branchscope">BranchScope </a>vulnerability, so make sure you always keep your systems up-to-date.<br />
<br />
“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”<br />
<br />
<br /></div>

Security researchers have discovered a new wave of attacks called BranchScope . Yet we're not done with the Meltdown and Spectre se...

18.5 Million Websites Infected With Malware

3/22/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-go0VTR5wZag/WrNXQUKL4NI/AAAAAAAAEBg/z8ui1V6BOOIU5vEq1lsr_iri24GmW_uGACLcBGAs/s1600/website-malware-attack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="website-malware-attack" border="0" data-original-height="438" data-original-width="1339" height="208" src="https://3.bp.blogspot.com/-go0VTR5wZag/WrNXQUKL4NI/AAAAAAAAEBg/z8ui1V6BOOIU5vEq1lsr_iri24GmW_uGACLcBGAs/s640/website-malware-attack.PNG" title="website-malware-attack" width="640" /></a></div>On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day.<br />
<br />
Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). <b>The WAF provides insight into <a href="http://www.hackerschronicle.com/search/label/DDoS">DDoS </a>attacks against websites,</b> while the scanners provide insight into the state of malware in websites.<br />
<br />
The analysis shows an increase of <b>around 20% in the number of infected websites over Q3 2017</b>. <b>"We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek</b>. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-SHEhKwl-y8U/WrNWztfFzGI/AAAAAAAAEBc/g-BWAJQ7-TU0GQPZPVx1oN26YxItMM2hgCLcBGAs/s1600/website-attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="800" height="160" src="https://4.bp.blogspot.com/-SHEhKwl-y8U/WrNWztfFzGI/AAAAAAAAEBc/g-BWAJQ7-TU0GQPZPVx1oN26YxItMM2hgCLcBGAs/s640/website-attack.png" width="640" /></a></div><br />
Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."<br />
<br />
The majority of Sitelock's customers are typically small businesses and blogs. "<b>Many website owners remain unaware that website security is their responsibility and rely too heavily </b>on popular search engines and other <b>third parties to notify them when they've been compromised</b>," <b>said Ortega.</b> This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.<br />
<br />
Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of <a href="http://www.hackerschronicle.com/search/label/Wordpress">WordPress</a> sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.<br />
<br />
It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, <b>Sitelock cleaned an average of 672,655 <a href="http://www.hackerschronicle.com/search/label/Malwares">malici<span id="goog_234162612"></span><span id="goog_234162613"></span>ous </a>files every week. </b>It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.<br />
<br />
<b>Jessica Ortega, a research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files.</b> Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.<br />
<br />
One of the problems is that the average website is very easy to compromise. <b>Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS)</b> vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.<br />
<br />
<blockquote class="tr_bq">Even CSM security updates can be used against the website if they are not immediately installed. <b>"Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerabilities</a>.</b> They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."</blockquote><br />
Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," e<b>xplains Ortega</b>. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.<br />
<br />
"Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and <b>obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal.</b> Or they're just trying to further spread their malware to visitors via exploit kits."<br />
<br />
Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited, but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.<br />
<br />
<b>Sixteen percent of infected sites were subsequently defaced,</b> often with a political or religious message, often <b>by script skiddies</b>.<br />
For a list of best Android Mobile Hacking Apps: <a href="https://joyofandroid.com/best-hacking-apps-for-android/">Refer Here</a><br />
</div>

DDoS Hacking News Malwares sitelock Vulnerability 18.5 Million Websites Infected With Malware

On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at ...

Millions of email servers affected with Remote Code Execution

3/07/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-xx3VMuTTRf0/Wp-OLCiUdgI/AAAAAAAAAhU/GUC4AC5x-KIv8pt6YX-x8xDmT1FFQw9XwCLcBGAs/s1600/remote-code-vulnerability-in-exim.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Vulnerability Affects millions of the Email Servers" border="0" data-original-height="570" data-original-width="1344" height="268" src="https://1.bp.blogspot.com/-xx3VMuTTRf0/Wp-OLCiUdgI/AAAAAAAAAhU/GUC4AC5x-KIv8pt6YX-x8xDmT1FFQw9XwCLcBGAs/s640/remote-code-vulnerability-in-exim.PNG" title="Vulnerability Affects millions of the Email Servers" width="640" /></a></div>
<br />
<br />
A critical vulnerability affects millions of email servers. A fix has been released but this flaw affects more than half of the Internet's <a href="http://www.hackerschronicle.com/search/label/Email">email servers</a>, and patching the issue will take a couple of days.<br />
<br />
The vulnerability in <a href="http://www.hackerschronicle.com/search/label/Exim">Exim, a mail transfer agent</a> (MTA) —software that runs on email servers and which relays emails from senders to recipients.According to a survey conducted in March 2018, 56% of all of the Internet's email servers run Exim, with over <b>63,36,687</b> available online at the time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-BNYs78WrJtc/Wp-PdcMDJ4I/AAAAAAAAD-A/JR5rsebtkeA-Jzs1aq6kkc2EFjxHhJNMACEwYBhgL/s1600/vulnerable-exim-servers.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Vulnerability Affects millions of the Email Servers" border="0" data-original-height="413" data-original-width="1328" height="198" src="https://2.bp.blogspot.com/-BNYs78WrJtc/Wp-PdcMDJ4I/AAAAAAAAD-A/JR5rsebtkeA-Jzs1aq6kkc2EFjxHhJNMACEwYBhgL/s640/vulnerable-exim-servers.PNG" title="Vulnerability Affects millions of the Email Servers" width="640" /></a></div>
<br />
A Taiwanese security researcher named Meh Chang discovered the bug, which he <a href="https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/">reported</a> to the Exim crew on February 2. The Exim team released Exim distribution 4.90.1 on February 10 that fixes the RCE issue.<br />
<br />
The bug —tracked as <b>CVE-2018-6789</b> is categorized as a "pre-auth <a href="http://www.hackerschronicle.com/search/label/Remote%20Code%20Execution">remote code execution</a>," meaning an attacker could trick the Exim email server into running malicious commands before the attacker would need to authenticate on the server.<br />
<br />
The actual bug is a <b>one-byte buffer overflow</b> in the base64 decode function of Exim and affects all Exim versions ever released. Chang described the bug in a blog post released earlier today, detailing basic steps for exploiting Exim's SMTP daemon.<br />
<br />
In a security advisory, the Exim team publicly acknowledged the issue. "Currently we're unsure about the severity, we believe, an exploit is difficult. A mitigation isn't known," the <a href="https://exim.org/static/doc/security/CVE-2018-6789.txt">Exim team said</a>.<br />
<br />
Since Exim 4.90.1's release, updated Exim versions have trickled down to Linux distros used primarily in data centers, but the question remains about the number of unpatched systems that remain online. Taking into account that Exim is by far the most popular mail agent, CVE-2018-6789 opens a large attack surface, and Exim server owners should look into deploying the Exim 4.90.1 update as soon as possible.<br />
<br />
At the time of writing, there is no public exploit code for taking advantage of vulnerable Exim servers, but this will likely change in the days following Chang's blog post.<br />
<br /></div>

CVE-2018-6789 Email Exim News Remote Code Execution Vulnerability Millions of email servers affected with Remote Code Execution

A critical vulnerability affects millions of email servers. A fix has been released but this flaw affects more than half of the Interne...

Hotspot Shield VPN is NO more Secure, Leaking Users Location

2/28/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-bZ3-3oqqLhs/WpZIbCT_a6I/AAAAAAAAAcs/YyT2BSn1p0U4G5CTR0lSKivm2UiQ4RUswCLcBGAs/s1600/Hotspot-Shield-Information-Disclosure.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Hotspot Shield can expose VPN users locations" border="0" data-original-height="400" data-original-width="1200" height="211" src="https://4.bp.blogspot.com/-bZ3-3oqqLhs/WpZIbCT_a6I/AAAAAAAAAcs/YyT2BSn1p0U4G5CTR0lSKivm2UiQ4RUswCLcBGAs/s640/Hotspot-Shield-Information-Disclosure.jpg" title="Hotspot Shield can expose VPN users locations" width="640" /></a></div>
<br />
A security researcher has found that one of the world’s largest <a href="http://www.hackerschronicle.com/search/label/VPN" target="_blank">Virtual Private Network (VPN)</a> providers is leaking users private information. Hotspot Shield, which has been downloaded over half a billion times and has been in operation for over a decade, has a bug which can reveal what country a user is located in, as well as leak the name of the WiFi network they are using. The <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">vulnerability </a>in Hotspot Shield’s VPN service was discovered by Paulos Yibelo. Yibelo reported his findings to Beyond Security’s SecuriTeam Secure Disclosure program.<br />
<br />
“By <a href="http://www.hackerschronicle.com/search/label/Information%20Disclosure" target="_blank">disclosing information</a> such as WiFi name, an attacker can easily narrow down or pinpoint where the victim is located,” Paulos Yibelo told. When an attacker knows what country a Hotspot Shield VPN user is from, they “can narrow down a list of places” their victim is from, Yibelo said. The vulnerability in Hotspot Shield’s VPN service was tested using a proof-of-concept code that Yibelo wrote. Using Yibelo’s code they were able to identify users WiFi networks, and the vulnerability kept working when tried from different computers and different network.<br />
<br />
Yibelo was able to write his proof-of-concept code very quickly, and it is only a few lines long. The code exploits a vulnerability in the local web server installed by Hotspot Shield. Private information and configuration data are returned when the exploit calls a JavaScript file being hosted on the web server. The private information of Hotspot Shield VPN users could be captured and stored from an infected website. According to Yibelo, he was able to successfully obtain Hotspot Shield VPN users IP addresses, though he was only having mixed results and was not always able to successfully capture real IP addresses. <br />
<br />
The developer of <b>Hotspot Shield VPN</b>, AnchorFree, Inc., is strongly denying that any user’s real IP addresses are being leaked through the vulnerability discovered by Paulos Yibelo. “We have reviewed and tested the researcher’s report. We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information,” AnchorFree’s Tim Tsoriev said in a statement.<br />
<br />
After Yibelo discovered the vulnerability in Hotspot Shield VPN, he reported it to AnchorFree in December of last year but never received a response from the company. Yibelo then submitted the vulnerability to Beyond Security through their bug bounty program. Beyond Security also did not receive a response from AnchorFree. However, in February, AnchorFree finally addressed the issue with a new version of Hotspot Shield VPN which was recently released. The new version of Hotspot Shield VPN patches the vulnerability discovered by Yibelo.<br />
<br />
Last year Hotspot Shield VPN was accused by the Center for Democracy & Technology of selling their customers private information. A formal complaint was filed with the United States Federal Trade Commission (FTC) in which they allege that Hotspot Shield was guilty of employing unfair and deceptive trade practices. AnchorFree claimed that they did not collect any personal information about Hotspot Shield VPN users. Hotspot Shield VPN comes in both a free version, as well as a paid “Elite Version” subscription. The Center for Democracy & Technology discovered that Hotspot Shield VPN was sharing information after analyzing the VPN using Carnegie Mellon University’s Mobile App Privacy Compliance automated system on the free version of the Hotspot Shield VPN service.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-yiMbNLpeA8U/WpZPnHbue6I/AAAAAAAAAdI/1f4DMravZvwie_jbFEoCc5CW4LYMvIMSwCLcBGAs/s1600/HotSpot-Vulnerability-POC.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Hotspot Shield Information Disclosure POC" border="0" data-original-height="253" data-original-width="645" height="249" src="https://3.bp.blogspot.com/-yiMbNLpeA8U/WpZPnHbue6I/AAAAAAAAAdI/1f4DMravZvwie_jbFEoCc5CW4LYMvIMSwCLcBGAs/s640/HotSpot-Vulnerability-POC.PNG" title="Hotspot Shield Information Disclosure POC" width="640" /></a></div>
<br /></div>

CVE-2018-6460 Information Disclosure News VPN Vulnerability Hotspot Shield VPN is NO more Secure, Leaking Users Location

A security researcher has found that one of the world’s largest Virtual Private Network (VPN) providers is leaking users private inform...

Tinder Can be Hacked With Just A Phone Number

2/24/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-oLRxat5H_Kc/WpFBzlIpvFI/AAAAAAAAAak/9XJshkej6X0wfkui7QvVBmb_5nwYv98dwCLcBGAs/s1600/Tinder-Hacked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Tinder vulnerability let hackers take over accounts with just a phone number" border="0" data-original-height="640" data-original-width="960" height="425" src="https://4.bp.blogspot.com/-oLRxat5H_Kc/WpFBzlIpvFI/AAAAAAAAAak/9XJshkej6X0wfkui7QvVBmb_5nwYv98dwCLcBGAs/s640/Tinder-Hacked.png" title="Tinder vulnerability let hackers take over accounts with just a phone number" width="640" /></a></div>
<br />
An easy-to-exploit bug has left Tinder accounts and private chats exposed to hackers, revealed a researcher this week.<br />
<br />
<a href="http://www.hackerschronicle.com/search/label/Indian%20Hackers" target="_blank">Indian engineer</a> Anand Prakash, a serial bug hunter, said on Wednesday, 20 February, that a flaw in a <a href="http://www.hackerschronicle.com/search/label/Facebook" target="_blank">Facebook</a>-linked program called Account Kit let attackers access profiles armed with just a phone number. Account Kit has been implemented on Tinder and it has been used by developers to let users log on to a range of apps using mobile details or email addresses without a password.<br />
<br />
That should not have been enough for an account takeover by itself, but <a href="http://www.hackerschronicle.com/search/label/Tinder" target="_blank">Tinder</a>’s implementation of Account Kit had its own vulnerability. Tinder’s login system wasn’t verifying access tokens against their associated client ID, which meant anyone with a valid access token could take over an entire account. Chained together, the two <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">vulnerabilities </a>let researchers completely take over a Tinder account — with full access to the user’s profile and chats — starting from only a phone number.<br />
<br />
According to Prakash, an ethical hacker known for finding bugs in popular websites, until recently, there was a crack in this process that could let hackers compromise "access tokens" from users' cookies. The attacker could then exploit a bug in Tinder to use the token, which stores security details, and log in to the dating account with little fuss.<br />
<br />
Earlier this year, on 23 January, a different set of “disturbing” vulnerabilities were found in Tinder's <a href="http://www.hackerschronicle.com/search/label/Android" target="_blank">Android </a>and iOS apps by Checkmarx Security Research Team.<br />
<br />
Experts said hackers could use them to take control of profile pictures and swap them for “inappropriate content, rogue advertising or other type of malicious content.” The firm claimed that nefarious attackers could “monitor the user's every move” on the application.<br />
<br />
A bug within Tinder is problematic as the app boasts an estimated 50 million users worldwide with roughly 40 percent of them based in North America, and a million dates facilitated a week according to the website, along with 1.6 billion swipes a day.<br />
<br />
Tinder declined to comment on the specifics of the report. “Security is a top priority at Tinder,” a representative said, “However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”</div>

Hacking News Indian Hackers News Tinder Vulnerability Tinder Can be Hacked With Just A Phone Number

An easy-to-exploit bug has left Tinder accounts and private chats exposed to hackers, revealed a researcher this week. Indian engine...

Multiple Zero-Day Vulnerabilities found in GitLab

2/22/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-XMN5vkUplBM/Wo5xszzHFgI/AAAAAAAAAYY/PzFs8ZPxO8oE5mjbDdS2sgjQeL69zBGEACLcBGAs/s1600/Zero-Day-in-GitLab.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Domain Hijacking Vulnerability found in GitLab" border="0" data-original-height="545" data-original-width="770" height="449" src="https://4.bp.blogspot.com/-XMN5vkUplBM/Wo5xszzHFgI/AAAAAAAAAYY/PzFs8ZPxO8oE5mjbDdS2sgjQeL69zBGEACLcBGAs/s640/Zero-Day-in-GitLab.jpg" title="Domain Hijacking Vulnerability found in GitLab" width="640" /></a></div>
<br />
A security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles domain verification -- a security issue that the company has now fixed.<br />
<br />
<a href="http://www.hackerschronicle.com/search/label/GitLab" target="_blank">GitLab</a>, a web-based git repository manager that lets developers track and collaborate on source code and project development, also allows users to host their own content and projects with a custom domain name.<br />
<br />
But the company said in a security notification on February 5 that no validation was being performed when a user added a custom domain to their GitLab accounts. In the little time that a custom domain points to a recently deleted or unclaimed GitLab repo that will be added later, the domain can be hijacked.<br />
<br />
Edwin Foudil, known as EdOverflow, and founder of security consulting firm Penultimate, drew inspiration from a bug report submitted on February 1, which contained proof-of-concept code that listed vulnerable custom domains that were pointing to GitLab. GitLab marked the initial report as informative, which according to documentation means it contains "useful information but did not warrant an immediate action or a fix".<br />
<br />
Because GitLab allows pointing an unlimited number of domains for a single repository, Foudil was able to write a short script weaponizing that initial code, allowing him to mass hijack a limitless number of domains. "This resulted in <b>700 hijacked domains and subdomains in under one minute</b>," he told ina interview. Not only that, any hijacked domain is prevented from creating a GitLab repository with that domain.<br />
<br />
That was enough to catch GitLab's attention, with the company confirming that Foudil's "valuable report" was what "triggered our response" in releasing the security notification less than a day later. "I managed to escalate the issue to the point where the issue was in fact caused by GitLab," said Foudil. "GitLab allowed mass monitoring of domains prior to them even pointing to GitLab's IP address."<br />
<br />
<span class="highlight">Foudil's report was publicly released late Wednesday after the company fixed the bug. </span><br />
<br />
Foudil also said the attack isn't just limited to domains that his script could detect. Hijacking domains was as easy as scraping the domain names of thousands of high-ranking sites. Once a domain is taken over, the attacker can serve any content they want on that domain.<br />
<br />
"The <a href="http://www.hackerschronicle.com/search/label/Exploit" target="_blank">exploits </a>are endless," Foudil said. He gave several examples where an attacker can hijack a subdomain to read and set cookies on other basenames. "I can even mine <a href="http://www.hackerschronicle.com/search/label/Cryptocurrency" target="_blank">cryptocurrency</a>," he said.<br />
<br />
Kathy Wang, director of security at GitLab, said in a phone call this week that the company took responsibility for the security issue. She added that the lack of domain verification is "a widespread problem across the industry". "Implementing domain verification is an exception not a rule -- so a lot of vendors have not yet done it," she said.<br />
<br />
GitLab switched off the feature to add custom domains until a fix was made available. The company said it estimates the fix rollout will complete by the end of the month.</div>

DevOps GitLab Hacking News News Vulnerability Zero-Day Multiple Zero-Day Vulnerabilities found in GitLab

A security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles doma...

Zero-day vulnerability found in Telegram

2/13/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-CmHDja6XqWk/WoLS129-roI/AAAAAAAAATw/0l0zquSsJNQ8XiE9v8Nq4reUQnlVSp28wCLcBGAs/s1600/telegram-zeroday-vulnerability.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="732" height="404" src="https://1.bp.blogspot.com/-CmHDja6XqWk/WoLS129-roI/AAAAAAAAATw/0l0zquSsJNQ8XiE9v8Nq4reUQnlVSp28wCLcBGAs/s640/telegram-zeroday-vulnerability.png" width="640" /></a></div>
<br />
Research conducted by Kaspersky showed that the zero-day flaw was based on the <a href="https://www.fileformat.info/info/unicode/char/202e/index.htm" target="_blank">RLO </a>(right-to-left override) Unicode method, which is generally used for coding languages written from right to left, such as Arabic and Hebrew. However, it can also be used by hackers to dupe unknowing recipients into downloading malware, for example disguised as images.<br />
<br />
Kaspersky analysts identified “several scenarios of <a href="http://www.hackerschronicle.com/search/label/Zero-Day" target="_blank">zero-day</a> exploitation in the wild by threat actors.” The threats identified were two-fold. First, the exploit was used to deliver mining software, allowing hackers to use the victim’s machine to mine <a href="http://www.hackerschronicle.com/search/label/CryptoCurrency" target="_blank">cryptocurrency </a>including “Monero, Zcash, Fantomcoin and others.”<br />
<br />
Second, a backdoor was installed allowing <a href="http://www.hackerschronicle.com/search/label/Cyber%20Crime" target="_blank">cybercriminals </a>to gain remote access to the victim’s computer after which it started to “operate in a silent mode,” allowing “the threat actor to remain unnoticed in the network and execute different commands, including the further installation of spyware tools.”<br />
<br />
Kaspersky says its analysis suggests the cybercriminals are of <a href="http://www.hackerschronicle.com/search/label/Russian%20Hackers" target="_blank">Russian </a>origin, and the company has offered some tips to protect your PC against attack.  These include not downloading and opening unknown files from untrusted sources, avoiding sharing sensitive personal information in messenger apps and making sure to have reliable antivirus software installed on your machine.<br />
<br />
It appears that only Russian cybercriminals were aware of this <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">vulnerability</a>, with all the exploitation cases that we detected occurring in Russia. Also, while conducting a detailed research of these attacks we discovered a lot of artifacts that pointed to involvement by Russian cybercriminals.</div>

Hacking News Malwares News Russian Hackers Telegram Vulnerability Zero-Day Zero-day vulnerability found in Telegram

Research conducted by Kaspersky showed that the zero-day flaw was based on the RLO (right-to-left override) Unicode method, which is gen...

New AndroRAT found, exploiting Rooting Vulnerability

2/13/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-IE_i4iZC3EE/WoLMVvJKBOI/AAAAAAAAD7U/9LeH60k--EUn0CvKQGTiV5SjdmQycNVWQCEwYBhgL/s1600/AndroRAT_malware.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="468" data-original-width="888" height="336" src="https://4.bp.blogspot.com/-IE_i4iZC3EE/WoLMVvJKBOI/AAAAAAAAD7U/9LeH60k--EUn0CvKQGTiV5SjdmQycNVWQCEwYBhgL/s640/AndroRAT_malware.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">New AndroRAT found, exploiting Rooting Vulnerability</td></tr>
</tbody></table>
<br />
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture. This AndroRAT targets <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>, a publicly disclosed vulnerability in 2016 that allows attackers to penetrate a number of older Android devices to perform its privilege escalation.</div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
RATs have long been a common Windows threat, so <b>it shouldn't be a surprise that it has come to Android</b>. A RAT has to gain root access — usually by exploiting a <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability </a>— in order to have control over a system.<b> Discovered in 2012, </b>the original authors intended AndroRAT — <a href="https://forum.xda-developers.com/android/apps-games/androrat-remote-administration-tool-t2734932">initially a university project </a>— as an open-source client/server application that can provide remote control of an <a href="http://www.hackerschronicle.com/search/label/Android">Android </a>system, which naturally attracted cybercriminals.</div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
This new variant of AndroRAT disguises itself as a malicious utility app called TrashCleaner, which is presumably downloaded from a malicious URL. The first time TrashCleaner runs, it prompts the Android device to install a Chinese-labeled calculator app that resembles a pre-installed system calculator. Simultaneously, the TrashCleaner icon will disappear from the device’s UI and the RAT is activated in the background.</div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-GKlT54ZiTtA/WoLMTtvX0HI/AAAAAAAAD7Q/4iH8yrdYDcALPPts1MwxM7jCRomVNDPngCLcBGAs/s1600/TrachCleaner.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="139" data-original-width="129" src="https://2.bp.blogspot.com/-GKlT54ZiTtA/WoLMTtvX0HI/AAAAAAAAD7Q/4iH8yrdYDcALPPts1MwxM7jCRomVNDPngCLcBGAs/s1600/TrachCleaner.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Icon of the malicious TrashCleaner</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-OHyYug2THrE/WoLMVh5vYEI/AAAAAAAAD7Y/ks74-QasRHsyrQ31H7n900s18edL0qRdACLcBGAs/s1600/AndroRAT_Calculator.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="147" data-original-width="111" src="https://2.bp.blogspot.com/-OHyYug2THrE/WoLMVh5vYEI/AAAAAAAAD7Y/ks74-QasRHsyrQ31H7n900s18edL0qRdACLcBGAs/s1600/AndroRAT_Calculator.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Icon of the Chinese-labeled calculator app</td></tr>
</tbody></table>
</div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:</div>
<ul style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px 0px 0px 30px; outline: 0px; padding: 0px; vertical-align: baseline;">
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Record audio</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Take photos using the device camera</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of system information such as phone model, number, IMEI, etc.</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of WiFi names connected to the device</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of call logs including incoming and outgoing calls</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of mobile network cell location</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of GPS location</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of contacts list</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of files on the device</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of list of running apps</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of SMS from device inbox</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Monitor incoming and outgoing SMS</li>
</ul>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
Apart from the original features of the <a href="http://www.hackerschronicle.com/search/label/AndroRAT">AndroRAT</a>, it also performs new privileged actions:</div>
<ul style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px 0px 0px 30px; outline: 0px; padding: 0px; vertical-align: baseline;">
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of mobile network information, storage capacity, rooted or not</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of list of installed applications</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of web browsing history from pre-installed browsers</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of calendar events</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Record calls</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Upload files to victim device</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Use front camera to capture high resolution photos</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Delete and send forged SMS</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Screen capture</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Shell command execution</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Theft of WiFi passwords</li>
<li style="background: transparent; border: 0px; list-style: disc; margin: 0px; outline: 0px; padding: 0px 0px 5px; vertical-align: baseline;">Enabling accessibility services for a key logger silently</li>
</ul>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
<b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><i style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Targeting CVE-2015-1805</i></b></div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
Google already <a href="https://source.android.com/security/advisory/2016-03-18">patched </a>CVE-2015-1805 in March 2016,<b> but devices that no longer receive patches or those with a long rollout period are at risk of being compromised by this new AndroRAT variant. </b> Older versions of Android, which are still being used by a significant number of mobile users, may still be vulnerable.</div>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
<b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><i style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Indicators of Compromise (IoCs)</i></b></div>
<table style="background: rgb(255, 255, 255); border-collapse: collapse; border-spacing: 0px; border: 1px solid rgb(228, 228, 228); color: #777777; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline; width: 619px;"><tbody style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<tr style="background: rgb(241, 241, 241); border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">SHA256</b></td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">App Label</b></td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187"><b style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Package Name</b></td></tr>
<tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr>
<tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr>
<tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr>
<tr style="background: transparent; border: 0px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="295">909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="108">TrashCleaner</td><td style="background: transparent; border: 1px dotted rgb(228, 228, 228); margin: 0px; outline: 0px; padding: 8px; text-align: center; vertical-align: baseline; word-break: break-word !important;" width="187">com.cleaner.trashcleaner</td></tr>
</tbody></table>
<div style="background: rgb(255, 255, 255); border: 0px; color: #666666; font-family: Arial, sans-serif; font-size: 14px; line-height: 21px; margin-bottom: 10px !important; outline: 0px; padding: 0px; vertical-align: baseline;">
<br /></div>
</div>

Android AndroRAT Hacking News Malwares News rat Rooting Trojan Vulnerability New AndroRAT found, exploiting Rooting Vulnerability

New AndroRAT found, exploiting Rooting Vulnerability Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (ide...

Millions of Netgear Routers Vulnerable

2/11/2018 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-kNqNMATMjnA/WoA4_77uaYI/AAAAAAAAAQo/L0HPIDySVn8u4ODJIuKlYK1s2sEfPNe4wCLcBGAs/s1600/router_back_label.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" data-original-height="192" data-original-width="750" src="https://3.bp.blogspot.com/-kNqNMATMjnA/WoA4_77uaYI/AAAAAAAAAQo/L0HPIDySVn8u4ODJIuKlYK1s2sEfPNe4wCLcBGAs/s1600/router_back_label.png" title="Netgear Routers wonderable to be Hacked" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Netgear Routers wonderable to be Hacked</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://4.bp.blogspot.com/-6EPLnk4LlRo/WoA4sSswF0I/AAAAAAAAAQs/O3o_GAxjJcY7HosVH27RuZ2nXdHEwfQhACEwYBhgL/s1600/netgear_password_bypass.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="400" data-original-width="680" height="188" src="https://4.bp.blogspot.com/-6EPLnk4LlRo/WoA4sSswF0I/AAAAAAAAAQs/O3o_GAxjJcY7HosVH27RuZ2nXdHEwfQhACEwYBhgL/s320/netgear_password_bypass.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Netgear Routers</td></tr>
</tbody></table>
<br />
<strong><span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.</span></span></strong><br />
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).</span></span></div>
<br />
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">According to Trustwave, the web server shipped with these and other Netgear routers has a resource that can be abused to access files in the device’s root directory and other locations if the path is known. The exposed files can store administrator usernames and passwords, which can be leveraged to gain complete control of the device.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">An unauthenticated attacker can exploit the flaw remotely if the remote management feature is enabled on the targeted device. Improperly implemented cross-site request forgery (CSRF) protections may also allow remote attacks.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";"><b>Another high severity flaw affecting 17 Netgear routers, including the aforementioned best-sellers, can be exploited by an attacker to bypass authentication using a specially crafted reques</b>t. Trustwave said the vulnerability can be easily exploited.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">A flaw that can be exploited to execute arbitrary OS commands with root privileges without authentication has also been classified as high severity. Trustwave said command injection is possible through a chained attack that involves a CSRF token recovery vulnerability and other weaknesses.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">Two other command injection vulnerabilities have been found by Trustwave researchers, but they have been rated medium severity and they only affect six Netgear router models.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">One of the flaws requires authentication, but experts pointed out that an attacker can execute arbitrary commands after bypassing authentication using the aforementioned authentication bypass vulnerability.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">The other medium severity command injection is related to the Wi-Fi Protected Setup (WPS). When a user presses the WPS button on a Netgear router, a bug causes WPS clients to be allowed to execute arbitrary code on the device with root privileges during the setup process.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">“In other words, <b>if an attacker can press the WPS button on the router, the router is completely compromised</b>,” Trustwave said in an advisory.</span></span></div>
<div style="background-color: white; color: #333333; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , "geneva";">Netgear has put a lot of effort into securing its products, especially since the launch of its bug bounty program one year ago. In 2017, the company published more than 180 security advisories describing vulnerabilities in its routers, gateways, extenders, access points, managed switches, and network-attached storage (NAS) products.</span></span></div>
</div>

Hacking News Netgear Routers News Vulnerability Millions of Netgear Routers Vulnerable

Netgear Routers wonderable to be Hacked Netgear Routers Security firm Trustwave has disclosed the details of several vulnerabilit...

RCE, Information Disclosure and XSS Flaws Found in PayPal

4/15/2014 cyb3r.gladiat0r 4

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1K9IcMEXFoo/U0zt5SMKjvI/AAAAAAAABJM/LjG2WmX79aw/s1600/RCE-Information-Disclosure-and-XSS-Flaws-Found-in-PayPal-Partner-Program-Video.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="RCE, Information Disclosure and XSS Flaws Found in PayPal " border="0" src="http://4.bp.blogspot.com/-1K9IcMEXFoo/U0zt5SMKjvI/AAAAAAAABJM/LjG2WmX79aw/s1600/RCE-Information-Disclosure-and-XSS-Flaws-Found-in-PayPal-Partner-Program-Video.jpg" height="218" title="RCE, Information Disclosure and XSS Flaws Found in PayPal " width="400" /></a></div>
<br />
A security expert has managed to identify three <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerabilities</a> on <a href="http://paypal-marketing.com/">paypal-marketing.com</a>, the website used by the payment processor for the <a href="http://www.hackerschronicle.com/search/label/PayPal">PayPal</a> Partner Program.<br />
<br />
Behrouz Sadeghipour has found and reported a <a href="http://www.hackerschronicle.com/search/label/XSS">cross-site scripting (XSS)</a> issue, a <a href="http://www.hackerschronicle.com/search/label/Remote%20Code%20Execution">remote code execution</a> flaw and an <a href="http://www.hackerschronicle.com/search/label/Information%20Disclosure">information disclosure vulnerability</a>.<br />
<br />
Initially, the researcher found the XSS flaw, which he reported to PayPal’s security team on March 19. The XSS was addressed on April 9.<br />
<br />
One day after the XSS was fixed, Sadeghipour identified an information disclosure issue, which he later leveraged for remote code execution. The expert said he was looking for an SQL Injection bug, but he found an RCE instead.<br />
<br />
To demonstrate the existence of the RCE to PayPal, he sent the company’s security team three links showing that he could retrieve the Process ID (PID), the script owner’s Group ID (GID) and the script owner’s User ID (UID) by replacing a parameter in the request with <a href="http://www.hackerschronicle.com/search/label/PHP">PHP</a> commands.<br />
<br />
By April 11, PayPal had addressed the vulnerability. The company has promised to reward the researcher in the next payment cycle.<br />
<br />
Sadeghipour highlights that the RCE he has found is a remote code execution, not a remote command execution bug. This vulnerability allows an attacker to run PHP functions. The flaw produces the same sort of results, but by leveraging PHP.<br />
<br />
Check out the proof-of-concept video for the PayPal Partner Program vulnerabilities. Additional technical details are available on <a href="http://nahamsec.com/2014/04/paypal-marketing-remote-code-execution/">Behrouz Sadeghipour's blog</a>.<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/BB3rSd_muBc" width="560"></iframe><br />
Source: <a href="http://softpedia.com/">Softpedia</a></div>

RCE, Information Disclosure and XSS Flaws Found in PayPal

Hacking News Information Disclosure News PayPal Remote Code Execution Vulnerability XSS RCE, Information Disclosure and XSS Flaws Found in PayPal

A security expert has managed to identify three vulnerabilities on paypal-marketing.com , the website used by the payment processor for...

How to patch your server against The Heartbleed Bug

4/09/2014 cyb3r.gladiat0r 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<h3>
 <div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-jQUXBjsyTLo/U0UXSCZs21I/AAAAAAAAALk/AIVkGhzFkIU/s1600/How+to+patch+your+server+against+The+Heartbleed+Bug.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="How to patch your server against The Heartbleed Bug" border="0" src="http://2.bp.blogspot.com/-jQUXBjsyTLo/U0UXSCZs21I/AAAAAAAAALk/AIVkGhzFkIU/s1600/How+to+patch+your+server+against+The+Heartbleed+Bug.jpg" height="400" title="How to patch your server against The Heartbleed Bug" width="318" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
</h3>
<h3>
What is the Heartbleed Bug?</h3>
<br />
The Heartbleed Bug is a serious <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a> in the popular <a href="http://www.hackerschronicle.com/search/label/OpenSSL">OpenSSL</a> cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).<br />
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. <br />
<br />
<h3>
Before you start</h3>
Check if your OpenSSL version is vulnerable to the <a href="http://www.hackerschronicle.com/search/label/Exploit">exploit</a>. You can check it by typing in your terminal: <span class="highlight pulse">openssl version</span><br />
The result should look something like this:<br />
<div class="command wobble-horizontal">
# openssl version<br />
OpenSSL 1.0.1g 7 Apr 2014  </div>
<br />
<br />
Since we at <a href="http://www.hackerschronicle.com/">Hackers Chronicle</a> already patched our systems at the time of writing this guide, your result will probably be different.<br />
<h3>
What versions are vulnerable?</h3>
Status of different versions:<br />
<ul>
<li>OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable</li>
<li>OpenSSL 1.0.1g is NOT vulnerable</li>
<li>OpenSSL 1.0.0 branch is NOT vulnerable</li>
<li><a href="http://www.hackerschronicle.com/search/label/OpenSSL">OpenSSL</a> 0.9.8 branch is NOT vulnerable</li>
</ul>
<br />
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.<br />
<br />
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:<br />
<ul>
<li>Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4</li>
<li><a href="http://www.hackerschronicle.com/search/label/Ubuntu">Ubuntu</a> 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11</li>
<li><a href="http://www.hackerschronicle.com/search/label/CentOS">CentOS</a> 6.5, OpenSSL 1.0.1e-15</li>
<li>Fedora 18, OpenSSL 1.0.1e-4</li>
<li>OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)</li>
<li>FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)</li>
<li>NetBSD 5.0.2 (OpenSSL 1.0.1e)</li>
<li>OpenSUSE 12.2 (OpenSSL 1.0.1c)</li>
</ul>
Operating system distribution with versions that are not vulnerable:<br />
<ul>
<li>Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14</li>
<li>SUSE Linux Enterprise Server</li>
</ul>
<h3>
Ubuntu</h3>
open your terminal and type in the following:<br />
<span class="command wobble-horizontal">#sudo apt-get update<br />
#sudo apt-get install -y libssl1.0.0 openssl<br />
#openssl version -a <br />
//confirm the "built on" date is >= 2014-04-07<br />
sudo lsof -n | grep ssl | grep DEL <br />
//restart all listed services. Repeat this until no results are returned</span><br />
<br />
<h3>
<a href="http://www.hackerschronicle.com/search/label/Debian">Debian</a></h3>
Open terminal and copy or type the following:<br />
<span class="command wobble-horizontal">#wget http://security.debian.org/pool/updates/main/o/openssl/libssl1.0.0-dbg_1.0.1e-2+deb7u5_amd64.deb<br />
#wget http://security.debian.org/pool/updates/main/o/openssl/openssl_1.0.1e-2+deb7u5_amd64.deb<br />
#wget http://security.debian.org/pool/updates/main/o/openssl/libssl1.0.0_1.0.1e-2+deb7u5_amd64.deb<br />
#wget http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_1.0.1e-2+deb7u5_amd64.deb<br />
<br />
#dpkg -i openssl_1.0.1e-2+deb7u5_amd64.deb<br />
#dpkg -i libssl1.0.0_1.0.1e-2+deb7u5_amd64.deb<br />
#dpkg -i libssl1.0.0-dbg_1.0.1e-2+deb7u5_amd64.deb<br />
#dpkg -i libssl-dev_1.0.1e-2+deb7u5_amd64.deb<br />
<br />
#/etc/init.d/apache2 restart<br />
#/etc/init.d/ssh restart</span><br />
<br />
<h3>
CentOS</h3>
Open terminal and copy or type the following:<br />
<span class="command wobble-horizontal">#yum clean all && yum update "openssl*"</span><br />
<br />
Take note and ensure that it’s specifically <span class="system push highlight">openssl-1.0.1e-16.el6_5.7 (or later)</span> being installed. As this update has just been released, your yum mirror may not have this package yet. If your yum mirror/repository does not yet have this update, you can download and install the RPMs manually from another CentOS yum repository.<br />
<br />
After updating the packages, run the following command to see what processes still have the old, deleted OpenSSL libraries open:<br />
<span class="command wobble-horizontal">#lsof -n | grep ssl | grep DEL</span><br />
<br />
You must restart each process that still has the old libraries open.<br />
<br />
Examples of processes that may still have the old libraries open:<br />
<ul>
<li>mysql</li>
<li>postfix</li>
<li>webmin</li>
<li>openvpn</li>
<li>osad</li>
<li>nrpe</li>
</ul>
<h3>
<a href="http://www.hackerschronicle.com/search/label/Red%20Hat">Fedora/Red Hat</a></h3>
Open terminal and copy or type the following:<br />
<span class="command wobble-horizontal">$ yum update openssl</span><br />
<br />
Restart services that rely on OpenSSL<br />
<span class="command wobble-horizontal">$ lsof | grep libssl | awk '{print $1}' | sort | uniq</span><br />
<br />
<h3>
Test your website against Heartbleed Bug</h3>
<a href="http://possible.lv/tools/hb">Heartbleed Test - provided by possible.lv</a><br />
<a href="http://filippo.io/Heartbleed/">Heartbleed Test - provided by filippo.io </a><br />
<br />
Source: <a href="http://scanarch.com/" target="_blank">Scan Arch</a> </div>

How to patch your server against The Heartbleed Bug

Bug Centos CVE-2014-0160 Debian Heartbleed Bug Linux Tutorials OS Patch Red Hat Ubuntu Vulnerability How to patch your server against The Heartbleed Bug

What is the Heartbleed Bug? The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software librar...

SQL Injection vulnerability in Yahoo

4/08/2014 The Hackers Chronicle 0

Hacking News News SQL Injection Vulnerability Yahoo SQL Injection vulnerability in Yahoo

Security researcher Behrouz Sadeghipour has identified several SQL Injection vulnerabilities in a Hong Kong subdomain of Yahoo . He...

New Exploits for Old PHP Vulnerability

3/21/2014 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-5TQYeQ2y3PU/Uyvbhzqt4GI/AAAAAAAAAJs/k6QTNY7qM3U/s1600/new+php+exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="New Exploits for Old PHP Vulnerability" border="0" src="http://2.bp.blogspot.com/-5TQYeQ2y3PU/Uyvbhzqt4GI/AAAAAAAAAJs/k6QTNY7qM3U/s1600/new+php+exploit.png" height="238" title="New Exploits for Old PHP Vulnerability" width="400" /></a></div>
Close to two years ago, a serious vulnerability in <a href="http://www.hackerschronicle.com/search/label/PHP">PHP</a> was accidentally disclosed after it was discovered months prior during a hacking contest. A patch was released in relatively short order, and one would assume that given PHP’s prevalence as a web development framework, the fix would have been applied just as quickly.<br />
<br />
But given the discovery last October of a new set of exploits for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823" target="_blank">CVE-2012-1823</a>, that assumption may not be correct.<br />
<br />
Researchers at <a href="http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html" target="_blank">Imperva</a> have been watching since Oct. 29 attacks exploiting the PHP bug. Attackers were using the new <a href="http://www.hackerschronicle.com/search/label/Exploit">exploit</a> to deliver arbitrary code to websites running <span class="higlight">PHP 5.4.x, 5.3.x before 5.4.2 or 5.3.12</span>; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research <span class="higlight">Barry Shteiman</span>.<br />
<br />
The new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in <a href="http://www.hackerschronicle.com/search/label/Botnets">botnets</a> and crimeware kits to inject <a href="http://www.hackerschronicle.com/search/label/Malwares">malware</a>, steal credentials or system data from the server, or move laterally within the data center.<br />
<br />
“Not only are we seeing a vulnerability used after it was released so long ago, but what we’re seeing is attackers and professional hackers understanding what vendors understand—people just don’t patch,” Shteiman said. “They can’t or won’t or are not minded to fix these problems.”<br />
<br />
PHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.<br />
<br />
“With the new exploit, it’s the same relative technique, but what we’ve seen is a lot of automation,” Shteiman said. “The tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We’ve seen attackers trying different paths to see which backend contains the [PHP] executable.”<br />
<br />
The big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.<br />
<br />
“PHP is installed as an interpreter,” Shteiman said. “Replacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don’t patch or go a different route. They might use a new framework instead.”<br />
<br />
Original reports on the vulnerability triggered advisories from a number of organizations, including <span class="highlight">US-CERT</span>. The bug is a relatively simple one; researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the <span class="highlight">-s</span> as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.<br />
<br />
“You’d think these bugs would be long forgotten, but it isn’t so; they’re like the undead. Vulnerabilities never die,” Shteiman said. “They don’t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won’t fix them and attackers don’t have to work too hard.”
</div>

Exploit PHP Programming Vulnerability Web Development New Exploits for Old PHP Vulnerability

Close to two years ago, a serious vulnerability in PHP was accidentally disclosed after it was discovered months prior during a hacking ...

One Billion Android Devices Vulnerable to Privilege Escalation

3/20/2014 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-NUV30jvOWtk/UystkRg0yCI/AAAAAAAAAJc/F_XIL4qEATE/s1600/android+vulnerability.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="One Billion Android Devices Vulnerable to Privilege Escalation" border="0" src="http://2.bp.blogspot.com/-NUV30jvOWtk/UystkRg0yCI/AAAAAAAAAJc/F_XIL4qEATE/s1600/android+vulnerability.png" height="235" title="One Billion Android Devices Vulnerable to Privilege Escalation" width="400" /></a></div>
<br />
The first deep look into the security of the <a href="http://www.hackerschronicle.com/search/label/Android">Android</a> patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for <a href="http://www.hackerschronicle.com/search/label/Privilege%20Escalation">privilege escalation attacks</a>.<br />
<br />
 Researchers from Indiana University and <a href="http://www.hackerschronicle.com/search/label/Microsoft">Microsoft</a> published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects <a href="http://www.hackerschronicle.com/search/label/Malwares">malicious</a> apps already on a device lying in wait for elevated privileges.<br />
<br />
 The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.<br />
<br />
 The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android <a href="http://www.hackerschronicle.com/search/label/Open%20Source">Open Source</a> Project versions and more than <span class="highlight pop">3,500</span> customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said.<br />
<br />
 An attacker could use a malicious application to <a href="http://www.hackerschronicle.com/search/label/Exploit">exploit</a> this situation to access data on the device such as user credentials, activity logs, SMS data. The researchers also said a successful attack could also give a hacker control of new signature and system permission, leading to a deeper level of trouble.<br />
<br />
 The paper, “<a href="http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf" target="_blank">Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating</a>,” was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft. The frequency of Android updates—estimated to be on average of every 3½ months— and the fragmentation of the Android market make it close to impossible to adequately secure devices, the researchers said.  “Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.”<br />
<br />
 Pileup flaws, short for privilege escalation through updating, ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user. “Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version,” the researchers wrote.<br />
<br />
 The paper said customized versions of Android, such as those developed by device makers and carriers, are especially vulnerable to Pileup attacks. The researchers said manufacturers are purposely conservative with regard to updates so as not to interfere with the user experience. Users who have apps currently installed, for example, expect them to work seamlessly after OS updates and upgrades; that means data and features must transfer. An attacker can get a seemingly benign app on a device that requests privileges not present on the lower OS version. Generally, the Package Management Service must compare the privileges present between updates and will generally grandfather in existing permission requests so as not to interfere with functionality.<br />
<br />
 “A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset,” the paper said. “Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious.”<br />
<br />
 Upon an <a href="http://www.hackerschronicle.com/search/label/OS">OS</a> upgrade, the PMS will install new and existing system apps, including third-party apps, and will register the permissions they declare. That means for a malicious app, the PMS recognizes all the permissions it requests and those are silently granted because it supposes that permissions with an existing app have already been approved by the user.<br />
<br />
 All of the issues have been reported to <a href="http://www.hackerschronicle.com/search/label/Google">Google</a>, the researchers said; Google has already patched one of the six vulnerabilities.<br />
<br />
 As for the team’s SecUP scanner, it inspects Android APKs already installed on a device, identifying those that are likely to cause privilege escalations during an update, the paper said. SecUP is made up of a number of components, including a vulnerability detector, exploit opportunity analyzer and a risk database, in addition to the scanner app, the paper said.<br />
<br />
 “The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers wrote. “A Pileup flaw is detected once any of those constraints are breached.”<br />
<br />
 The analyzer then kicks in and searches Android factory images for places where privilege escalation could happen; that information is stored in the risk database. The scanner app uses that database to check third-party apps and alerts the user to any potential risks. </div>

Android Mobile Privilege Escalation Vulnerability One Billion Android Devices Vulnerable to Privilege Escalation

The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), h...

Remote Code Execution vulnerability in Yahoo

3/19/2014 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-IweyMCAMqYs/Uym_9zmNygI/AAAAAAAAAIw/zL-rgx65FqU/s1600/rce+in+yahoo.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-IweyMCAMqYs/Uym_9zmNygI/AAAAAAAAAIw/zL-rgx65FqU/s320/rce+in+yahoo.PNG" height="210" width="400" /></a></div>
<br />
Security researcher Behrouz Sadeghipour has identified a number of <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">vulnerabilities</a> on a Hong Kong subdomain of Yahoo (<a href="http://hk.yahoo.net/" target="_blank">hk.yahoo.net</a>). Fortunately, Yahoo has rushed to address the security holes reported by the expert.<br />
According to Sadeghipour, he came across the vulnerabilities while analyzing a <a href="https://www.blogger.com/www.hackerschronicle.com/search/label/XSS" target="_blank">cross-site scripting</a> (XSS) issue. While looking at the HTTP headers, he came across an administrator login page for the hk.yahoo.net domain.<br />
He simply tried to log in with the “<span class="highlight pop">admin</span>” username and “<span class="highlight pop">admin</span>” password and it worked. Once he gained access to the administrator panel, he found a page where he could upload images. <br />
There was an upload restriction, but the expert managed to bypass it by naming his file <span class="highlight pop">shell.php.jpg</span>. Once the file was uploaded, he simply renamed it to <span class="highlight pop">shell.php</span>.<br />
“I had read/write/execute permissions in /home which contains few more subdomains and website. Also, Linux kernel is VERY old and is a rootable. Not to mention I was able to read most DIRs and Files but NOT including /etc/shadow),” the researcher explained in a blog post.<br />
The vulnerability was reported to Yahoo on February 20 and it was patched the next day. However, so far, the company hasn’t rewarded <span class="highlight pop">Sadeghipour</span> for his findings.<br />
For additional details on these Yahoo vulnerabilities, check out the video proof-of-concept and the expert’s blog.
</div>
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/ymG00fiKU6o" width="560"></iframe></div>

Remote Code Execution Vulnerability XSS Yahoo Remote Code Execution vulnerability in Yahoo

Security researcher Behrouz Sadeghipour has identified a number of vulnerabilities on a Hong Kong subdomain of Yahoo ( hk.yahoo.net )....

New Vulnerability found in WhatsApp, read private chats

3/13/2014 The Hackers Chronicle 1

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-2b6vUpGE8Os/UyDed-aGxFI/AAAAAAAAAGo/VWytX9DuWpA/s1600/new-vulnerability+in+whatsapp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="New Vulnerability found in WhatsApp" border="0" src="http://3.bp.blogspot.com/-2b6vUpGE8Os/UyDed-aGxFI/AAAAAAAAAGo/VWytX9DuWpA/s1600/new-vulnerability+in+whatsapp.jpg" height="167" title="New Vulnerability found in WhatsApp" width="320" /></a></div>
<br />
A security consultant has uncovered a <a href="http://www.hackerschronicle.com/search/label/Vulnerability" target="_blank">security hole</a> in <a href="http://www.hackerschronicle.com/search/label/WhatsApp" target="_blank">WhatsApp</a>, the instant messaging platform recently acquired by <a href="http://www.hackerschronicle.com/search/label/Facebook" target="_blank">Facebook</a>. The flaw can be leveraged to gain access to the private chats of Android device owners.<br />
Many people are concerned with the <a href="http://www.hackerschronicle.com/search/label/Privacy" target="_blank">privacy</a> implications that come with Facebook’s acquisition of WhatsApp. However, as Bas Bosschert, the man who identified the vulnerability, highlights, Facebook didn’t need to buy the company if all it wanted to do was read users’ chats.<br />
The expert has found that any Android app that’s allowed access to the SD card installed on the device can easily access private conversations. <br />
All chats are saved in a database file (msgstore.db) that’s stored on the SD card. Bosschert has developed a <a href="http://bas.bosschert.nl/steal-whatsapp-database/#more-1" target="_blank">proof-of-concept</a> which demonstrates that any app that’s granted permission to access the card can easily retrieve the database and upload it to a remote server.<br />
According to Bosschert, in newer versions of <a href="http://www.whatsapp.com/%E2%80%8E" target="_blank">WhatsApp</a>, the database file is encrypted. However, this doesn’t mean that users’ private chats are secure. It simply means that an attacker would have to decrypt the database file to gain access to its contents.<br />
The decryption key can be found in WhatsApp Xtract, an app that allows users to create backups of WhatsApp conversations.<br />
The POC developed by the expert is designed so that when the database is retrieved, the victim only sees a simple loading screen. Cybercriminals could combine the data-stealing code with a popular application to harvest a large number of databases. <br />
In February, security researchers from Praetorian revealed finding a number of SSL-related vulnerabilities in WhatsApp. Most of them were fixed almost immediately by the company.
<br />
Source: <a href="http://www.softpedia.com/" rel="nofollow" target="_blank">Softpedia</a></div>

Mobile Vulnerability WhatsApp New Vulnerability found in WhatsApp, read private chats

A security consultant has uncovered a security hole in WhatsApp , the instant messaging platform recently acquired by Facebook . The fl...

Vulnerability in Android Jelly Bean and Kitkat

3/04/2014 The Hackers Chronicle 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-P8JzTo2nBdg/UxVxhy73GsI/AAAAAAAAAB8/R56oHfujsEk/s1600/android-kitkat-vulnerability.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Vulnerability in Android Jelly Bean and Kitkat" border="0" src="http://3.bp.blogspot.com/-P8JzTo2nBdg/UxVxhy73GsI/AAAAAAAAAB8/R56oHfujsEk/s1600/android-kitkat-vulnerability.png" height="200" title="Vulnerability in Android Jelly Bean and Kitkat" width="320" /></a></div>
<br />
The researchers at <a href="http://en.wikipedia.org/wiki/Indian_Computer_Emergency_Response_Team" target="_blank">CERT-IN</a>, the Indian governments agency that monitors cyber threats, issued the advisory about the <a href="http://en.wikipedia.org/wiki/Vpn" target="_blank">VPN</a> flaw a few days ago.<br />
A critical flaw has been detected in the virtual private network offered by <a href="http://www.hackerschronicle.com/search/label/Android">Android</a> operating systems in the Indian cyberspace leading to hijack of personal data of users.<br />
Internet security sleuths have alerted consumers of this web-based service to guard against the spread of this <a href="http://www.hackerschronicle.com/search/label/Malwares" target="_blank">virus</a> which affects computer systems and mobile phones using the Android system.<br />
The suspicious activity has been noticed in two Android versions: 4.3 known as '<a href="http://en.wikipedia.org/wiki/Android_Jelly_Bean#Android_4.1_Jelly_Bean_.28API_level_16.29" target="_blank">Jelly Bean</a>' and the latest version 4.4 called '<a href="http://en.wikipedia.org/wiki/Android_Jelly_Bean#Android_4.4_KitKat_.28API_level_19.29" target="_blank">KitKat</a>'.<br />
"A critical flaw has been reported in Android's (<a href="http://www.hackerschronicle.com/search/label/VPN" target="_blank">virtual private network</a>) VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications", said CERT-In in a latest advisory to users of this network.<br />
VPN technology is used to create an encrypted tunnel into a private network over public Internet. Organisations and group of people use such connections to enable employees or acquaintances to securely connect to enterprise networks from remote locations through multiple kinds of devices like laptops, desktops, mobiles and tablets.<br />
The agency said the current malicious application is capable of diverting the VPN traffic "to a different network address" and successful exploitation of this issue "could allow attackers to capture entire communication originating from affected device".<br />
"It is noted that not all applications are encrypting their network communication. Still there is a possibility that attacker could possibly capture sensitive information from the affected device in plain text like email addresses, IMEI number, SMSes, installed applications", the advisory said.<br />
Cyber experts said that this anomaly could only lead to capture and viewing the data which is in plain text and Android applications directly connecting to the server using SSL will not be affected. Websites which use 'https' in their URL will also be safe. The cyber agency has also suggested some counter measures to beat this threat.<br />
"Apply appropriate updates from original equipment manufacturer, do not download and install application from untrusted sources, maintain updated mobile security solution or <a href="http://www.hackerschronicle.com/search/label/Mobile">mobile</a> <a href="http://www.hackerschronicle.com/search/label/Anti%20Virus" target="_blank">anti-virus</a> solutions on the device, exercise caution while visiting trusted or untrusted URLs and do not click on the URLs received via SMS or email unexpectedly from trusted or received from untrusted users", are some of the combat techniques which have been suggested by the agency.</div>

Android Malwares Mobile VPN Vulnerability Vulnerability in Android Jelly Bean and Kitkat

The researchers at CERT-IN , the Indian governments agency that monitors cyber threats, issued the advisory about the VPN flaw a few da...

Cross-Site Request Forgery(CSRF) Vulnerability in HP Service Manager

2/26/2014 cyb3r.gladiat0r 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-df3N6b_3n48/Uw2wRtdaiEI/AAAAAAAABGA/CaOTumUZul0/s1600/hp+csrf.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Cross-Site Request Forgery(CSRF)  in HP (Hewlett-Packard)" border="0" src="http://2.bp.blogspot.com/-df3N6b_3n48/Uw2wRtdaiEI/AAAAAAAABGA/CaOTumUZul0/s1600/hp+csrf.jpg" height="190" title="Cross-Site Request Forgery(CSRF)  in HP (Hewlett-Packard)" width="400" /></a></div>
<br />
Potential security vulnerabilities have been identified with <a href="http://www.hp.com/" rel="nofollow" target="_blank">HP</a> Service Manager. The vulnerabilities could be remotely exploited resulting in Cross-Site Scripting (<a href="http://www.hackerschronicle.com/search/label/XSS" target="_blank">XSS</a>), Cross-Site Request Forgery (<a href="http://www.hackerschronicle.com/search/label/CSRF" target="_blank">CSRF</a>), Denial of Service (<a href="http://www.hackerschronicle.com/search/label/DoS" target="_blank">DoS</a>), execution of arbitrary code, unauthorized access, disclosure of Information, and authentication issues.<br />
<br />
<h3>
Effected Software Versions</h3>
HP Service Manager<br />
<ul>
<li>v9.30</li>
<li>v9.31</li>
<li>v9.32</li>
<li>v9.33</li>
</ul>
<h3>
Solution</h3>
HP has made the following software updates available to resolve the vulnerabilities.<br />
<ul>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00507" target="_blank">AIX Server 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00508">HP Itanium Server 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00509">Linux Server 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00510">Solaris Server 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00511" target="_blank">Windows Server 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00512" target="_blank">Web Tier 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00513" target="_blank">Windows Client 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00514" target="_blank">Windows Client Configuration 9.33.0035</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00515" target="_blank">Mobility 9.33.0006</a></li>
<li><a href="http://support.openview.hp.com/selfsolve/document/LID/HPSM_00516" target="_blank">Applications 9.33.0035</a></li>
</ul>
<h3>
Technical Details</h3>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493" target="_blank">CVE-2013-1493</a> - Oracle Java JRE 1.7 Remote Execution of Arbitrary Code and Denial of Service (DoS)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067" target="_blank">CVE-2013-2067</a> - Apache Tomcat Authentication Issues</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6202" target="_blank">CVE-2013-6202</a> - Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Remote Execution of Arbitrary Code, Unauthorized Access, Disclosure of Information</li>
</ul>
Source: <a href="http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c04117626&ac.admitted=1393402317326.876444892.492883150" target="_blank">HP</a></div>

CSRF HP Vulnerability Cross-Site Request Forgery(CSRF) Vulnerability in HP Service Manager

Potential security vulnerabilities have been identified with HP Service Manager. The vulnerabilities could be remotely exploited result...

Remote Code Execution Vulnerability in Adobe Flash Player

2/24/2014 cyb3r.gladiat0r 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-JNfbIzopTIw/UwpRjLR4VWI/AAAAAAAABFs/pugPhjdE1vk/s1600/adobe-flash-remote-code-execution.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Remote Code Execution Vulnerability in Adobe Flash Player" border="0" src="http://1.bp.blogspot.com/-JNfbIzopTIw/UwpRjLR4VWI/AAAAAAAABFs/pugPhjdE1vk/s1600/adobe-flash-remote-code-execution.png" height="175" title="Remote Code Execution Vulnerability in Adobe Flash Player" width="400" /></a></div>
<br />
A <a href="http://www.hackerschronicle.com/search/label/Remote%10Code%20Execution">remote code execution</a> <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a> has been reported in Adobe Flash Player. The vulnerability is due to a double-free condition when handling specially crafted SWF files. Successful <a href="http://www.hackerschronicle.com/search/label/Exploit">exploitation</a> would allow an attacker to take complete control of the affected system.<br />
<strong>CVE number:</strong> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0498">CVE-2014-0498</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0499">CVE-2014-0499</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0502">CVE-2014-0502</a><br />
<br />
<h3>
Vulnerable Versions</h3>
Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh <br />
Flash Player 11.2.202.336 and earlier for Linux <br />
Flash Player 12.0.0.44 and earlier for Chrome (Windows, Macintosh and Linux) <br />
Flash Player 12.0.0.44 and earlier in Internet Explorer 10 for Windows 8.0 <br />
Flash Player 12.0.0.44 and earlier in Internet Explorer 11 for Windows 8.1 <br />
AIR 4.0.0.1390 and earlier for Android <br />
AIR 4.0.0.1390 SDK & Compiler <br />
AIR 4.0.0.1390 SDK<br />
<br />
<h3>
Solution</h3>
Adobe recommends users update their software installations by following the instructions below:<br />
<ul>
<li>Adobe recommends users of Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh update to the newest version 12.0.0.70 by downloading it from the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.</li>
<li>Adobe recommends users of Adobe Flash Player 11.2.202.336 and earlier versions for Linux update to Adobe Flash Player 11.2.202.341 by downloading it from the Adobe Flash Player Download Center.</li>
<li>For users of Flash Player 11.7.700.261 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 12.0.0.44, Adobe has made available the update Flash Player 11.7.700.269, which can be downloaded here.</li>
<li>Adobe Flash Player 12.0.0.44 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.70 for Windows, Macintosh and Linux.</li>
<li>Adobe Flash Player 12.0.0.44 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.70 for Windows 8.0.</li>
<li>Adobe Flash Player 12.0.0.44 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.70 for Windows 8.1.</li>
<li>Users of the Adobe AIR 4.0.0.1390 SDK should update to the Adobe AIR 4.0.0.1628 SDK.</li>
<li>Users of the Adobe AIR 4.0.0.1390 SDK & Compiler and earlier versions should update to the Adobe AIR 4.0.0.1680 SDK & Compiler.</li>
<li>Users of the Adobe AIR 4.0.0.1390 and earlier versions for Android should update to Adobe AIR 4.0.0.1628 by browsing to Google play on an Android device.</li>
</ul>
</div>

Adobe Hacking Remote Code Execution Vulnerability Remote Code Execution Vulnerability in Adobe Flash Player

A remote code execution vulnerability has been reported in Adobe Flash Player. The vulnerability is due to a double-free condition whe...

Ubuntu 13.10 Kernel Exploit

2/21/2014 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-MebNxWu-j-0/UwbqZOtqQ7I/AAAAAAAAAIs/aNzYjmVjAYc/s1600/ubuntu+kernel+exploit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Ubuntu 13.10 Kernel Exploit" border="0" src="http://1.bp.blogspot.com/-MebNxWu-j-0/UwbqZOtqQ7I/AAAAAAAAAIs/aNzYjmVjAYc/s1600/ubuntu+kernel+exploit.jpg" height="187" title="Ubuntu 13.10 Kernel Exploit" width="400" /></a></div>
<br />
A security issue affects Ubuntu 13.10 releases of Ubuntu and its derivatives<br />
<b>Saran Neti</b> reported a flaw in the ipv6 UDP Fragmentation Offload (UFI) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic). (<div class="highlight pop">CVE-2013-4563</div>)<br />
<b>Mathy Vanhoef</b> discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing attack.  (<div class="highlight pop">CVE-2013-4579</div>
)<br />
<b>Andrew Honig</b> reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (<div class="highlight pop">CVE-2013-4587</div>) Various other issues were also addressed.<br />
Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (<div class="highlight pop">CVE-2013-6367</div>)<br />
Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash).<br />
Source:<a href="http://www.ubuntu.com/usn/usn-2117-1/" target="_blank">Ubuntu</a> </div>

Exploit Hacking Kernel Linux News OS Ubuntu Vulnerability Ubuntu 13.10 Kernel Exploit

A security issue affects Ubuntu 13.10 releases of Ubuntu and its derivatives Saran Neti reported a flaw in the ipv6 UDP Fragmentation ...