Posts tagged: Exploits

Dec 15 2013

EBay Remote Code Execution Vulnerability Demonstrated

A German security researcher has demonstrated a critical vulnerability in the eBay website.

He found a controller that was prone to remote code execution due to a type-cast issue in combination with PHP's complex curly syntax.

In a demo video he exploited this RCE flaw on the eBay website and displayed the output of the phpinfo() PHP function on the page, simply by modifying the URL and injecting code into it.

According to an explanation on his blog, he noticed a legitimate URL on eBay:

https://sea.ebay.com/search/?q=david&catidd=1

and modified the URL so that the q parameter is passed as an array whose values include a payload:

https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1
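As an added example (not eBay's code or the researcher's), a small request-log check for the two ingredients of this bug: a scalar parameter arriving as a PHP array, and PHP's complex curly syntax inside a parameter value. The SCALAR_PARAMS set and the log-line format are assumptions; the two URLs are the ones quoted above and the third is a URL-encoded variant.

```python
"""Flag query strings carrying PHP array-parameter or complex-curly-syntax
markers. Added example, not eBay's or the researcher's code; the log lines
and the SCALAR_PARAMS set are constructed assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters the application is assumed to expect as single scalar strings.
SCALAR_PARAMS = {"q", "catidd"}

# PHP evaluates "{${expr}}" and "${expr}" inside double-quoted strings, so
# these tokens have no legitimate place in a search term.
CURLY_SYNTAX = re.compile(r"\{\$|\$\{")


def check_url(url):
    """Return a list of (rule, parameter) findings for one URL; [] if clean."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0]
        # q[0]=... turns a scalar parameter into a PHP array; this is the
        # type-cast trigger, regardless of the value it carries.
        if "[" in name and base in SCALAR_PARAMS:
            findings.append(("array_param", name))
        # parse_qsl already percent-decodes once; unquote again so a
        # double-encoded payload does not slip past the pattern.
        if CURLY_SYNTAX.search(unquote(value)):
            findings.append(("php_curly_syntax", name))
    return findings


def scan_log(lines):
    """Yield (url, findings) for every log line that trips at least one rule."""
    for line in lines:
        url = line.split()[1]  # constructed format: "<method> <url> <status>"
        findings = check_url(url)
        if findings:
            yield url, findings


# Constructed access-log lines; the first two URLs are quoted in the post.
SAMPLE_LOG = [
    "GET https://sea.ebay.com/search/?q=david&catidd=1 200",
    "GET https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1 200",
    "GET https://sea.ebay.com/search/?q=%7B%24%7Bphpinfo%28%29%7D%7D&catidd=1 200",
]

if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_LOG):
        print(url, findings)
```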

David has already reported the flaw responsibly to the eBay security team, which patched it early this week.

Source: eBay : Remote Code Execution

Aug 14 2013

Android Malware Exploiting Google Cloud Messaging Service

Researchers have discovered a number of malicious Android apps that use Google’s Cloud Messaging (GCM) service, leveraging it as a command and control (C&C) server to carry out attacks.

A post on Securelist today by Kaspersky Lab’s Roman Unuchek breaks down five Trojans that have been spotted checking in with GCM after launching:

  • Trojan-SMS.AndroidOS.FakeInst.a
  • Trojan-SMS.AndroidOS.Agent.ao
  • Trojan-SMS.AndroidOS.OpFake.a
  • Backdoor.AndroidOS.Maxit.a
  • Trojan-SMS.AndroidOS.Agent.az

These Trojans have a relatively wide range of functions:

— Sending premium-rate text messages to a specified number
— Sending text messages to a specified number on the contact list
— Performing self-updates
— Stealing text messages
— Deleting incoming text messages that meet criteria set by the C&C
— Stealing contacts
— Replacing the C&C or GCM numbers
— Stopping or restarting its operations
— Generating shortcuts to malicious sites
— Initiating phone calls
— Collecting information about the phone and the SIM card and uploading it to the server

Kaspersky Lab detected millions of installers in over 130 countries, and Kaspersky Mobile Security (KMS) blocked attempted installations of these Trojans.

No doubt GCM is a useful service for legitimate software developers, but virus writers are using Google Cloud Messaging as an additional C&C channel for their Trojans. Furthermore, the delivery of commands received from GCM is handled by the GCM system itself, so it is impossible to block them directly on an infected device.

The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.

Jan 10 2013

New Java 0-Day Exploit Spotted in the Wild

A new Java 0-day vulnerability has been discovered and is already being exploited in the wild. Currently, disabling the Java browser plugin is the only way to protect your computer.

Description:
The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681.

Impact:
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

CVE Standard Vulnerability Entry: CVE-2013-0422

The vulnerability was later confirmed by security firm AlienVault Labs. With Kafeine’s help, the company reproduced the exploit on a new, fully patched installation of Java and used a malicious Java applet to remotely launch the Calculator application on Windows XP, as shown in the screenshot below:

Java 7 update 10 0-day exploit demo

Nov 28 2012

Yahoo Account Exploit Selling on Black Market

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo Mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell”, also posted a video on YouTube providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of the XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that foils the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. In this type of attack the injected code is stored persistently on the targeted server until it is found and removed, and is served to the victim’s browser whenever the affected page is legitimately requested.

A standard phishing attempt is used to obtain the user’s cookies, with which the attacker can read the person’s email or take full control of the account.

As of Tuesday morning, Yahoo was still trying to identify the affected URL. Once it is identified, the malicious portion of the code will be removed.

Dec 21 2011

Windows-7 Memory Corruption Vulnerability

A vulnerability has been discovered in Microsoft Windows which can be exploited by malicious people to potentially compromise a user’s system.

The vulnerability is caused by an error in win32k.sys and can be exploited to corrupt memory, for example via a specially crafted web page containing an IFRAME with an overly large “height” attribute when viewed in the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit.
Other versions may also be affected.

Solution:
No effective solution is currently available.

Discovered By:
webDEViL

Original Advisory:
https://twitter.com/#!/w3bd3vil/status/148454992989261824

<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!