Kategorie

A platform that allows online applications for copies of birth certificates did not store its data properly.

The hard disks that fail abruptly at 32,768 hours of use - why simply 'adding 1' can send you into oblivion.

Since 2007, the two allegedly operated a cybercrime ring called "Bayrob Group."

Využít zájmu lidí o nejrůznější slevy a soutěže, které kolují běžně internetem, se rozhodli počítačoví piráti. V podvodné nabídce pod hlavičkou operátora T-Mobile nabízí lidem špičkový telefon v ceně více než 20 000 Kč za cenu poštovného, ve skutečnosti je ale chtějí jen připravit o důvěrné informace a peníze.

A phishing attack is masquerading as messages from the game's developers.

Does turning location access off for all your apps mean that location access is off altogether?

A PR and marketing provider exposed sensitive data for a raft of big-name companies.

The platform has linked documents posted on its site to a vote-manipulation campaign already observed on Facebook earlier this year.

Today we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Swagshop. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple […]

The post Hack the Box (HTB) machines walkthrough series — Swagshop appeared first on Infosec Resources.

Hack the Box (HTB) machines walkthrough series — Swagshop was first posted on December 9, 2019 at 8:05 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

V lednu příštího roku končí oficiální prodloužená podpora Windows 7 a po tomto datu již systém nedostane žádné aktualizace. Pokud tedy Microsoftu nezaplatíte. Nyní ale komunita přišla na způsob, jak toto omezení obejít. Firemní zákazníci, kteří si předplatí Windows 7 Extended Security Updates ...

Introduction Social engineering is a common infosecurity threat. I once tried to track down a missing friend by calling up hospitals in our city and telling them that my brother was missing. Four out of five told me he wasn’t there, thus revealing information without confirming my identity in any way. The fifth one said […]

The post How smoking led to social engineers gaining physical access to a network appeared first on Infosec Resources.

How smoking led to social engineers gaining physical access to a network was first posted on December 9, 2019 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction When it comes to ethical hacking, one of the critical skills you need to succeed is the usage of various tools to start your penetration testing process. While browser extensions may not be the most popular, they can actually help you achieve a variety of objectives, ranging from crawling an entire website to hijacking […]

The post Ethical hacking: Top 10 browser extensions for hacking appeared first on Infosec Resources.

Ethical hacking: Top 10 browser extensions for hacking was first posted on December 9, 2019 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer 

#!/bin/sh
cat /home/user/foo

What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used?

Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec. For a vulnerability to be present, part of the path has to be user controlled and the program that executes the syscall has to be run at a higher privilege level. In a potential exploit, the attacker can substitute the path for a symlink and create, remove, or execute a file. In many cases, it's possible for an attacker to create the symlink before the syscall is executed.

At Google, we have been working on a solution to find these potentially problematic issues at scale: PathAuditor. In this blog post we'll outline the problem and explain how you can avoid it in your code with PathAuditor.

Let’s take a look at a real world example. The tmpreaper utility contained the following code to check if a directory is a mount point:
if ((dst = malloc(strlen(ent->d_name) + 3)) == NULL)
       message (LOG_FATAL, "malloc failed.\n");
strcpy(dst, ent->d_name);
strcat(dst, "/X");
rename(ent->d_name, dst);
if (errno == EXDEV) {
[...]

This code will call rename("/tmp/user/controlled", "/tmp/user/controlled/X"). Under the hood, the kernel will resolve the path twice, once for the first argument and once for the second, then perform some checks if the rename is valid and finally try to move the file from one directory to the other.

However, the problem is that the user can race the kernel code and replace the “/tmp/user/controlled” with a symlink just between the two path resolutions.

A successful attack would look roughly like this:

• Make “/tmp/user/controlled” a file with controlled content.
• The kernel resolves that path for the first argument to rename() and sees the file.
• Replace “/tmp/user/controlled” with a symlink to /etc/cron.
• The kernel resolves the path again for the second argument and ends up in /etc/cron.
• If both the tmp and cron directories are on the filesystem, the kernel will move the attacker controlled file to /etc/cron, leading to code execution as root.

Can we find such bugs via automated analysis? Well, yes and no. As shown in the tmpreaper example, exploiting these bugs can require some creativity and it depends on the context if they’re vulnerabilities in the first place. Automated analysis can uncover instances of this access pattern and will gather as much information as it can to help with further investigation. However, it will also naturally produce false positives.

We can’t tell if a call to open(/user/controlled, O_RDONLY) is a vulnerability without looking at the context. It depends on whether the contents are returned to the user or are used in some security sensitive way. A call to chmod(/user/controlled, mode) depending on the mode can be either a DoS or a privilege escalation. Accessing files in sticky directories (like /tmp) can become vulnerabilities if the attacker found an additional bug to delete arbitrary files.

How Pathauditor works

To find issues like this at scale we wrote PathAuditor, a tool that monitors file accesses and logs potential vulnerabilities. PathAuditor is a shared library that can be loaded into processes using LD_PRELOAD. It then hooks all filesystem related libc functions and checks if the access is safe. For that, we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable. If we detect such a pattern, we log it to syslog for manual analysis.

Here's how you can use it to find vulnerabilities in your code:

• LD_PRELOAD the library to your binary and then analyse its findings in syslog. You can also add the library to /etc/ld.so.preload, which will preload it in all binaries running on the system.
• It will then gather the PID and the command line of the calling process, arguments of the vulnerable function, and a stack trace -- this provides a starting point for further investigation. At this point, you can use the stack trace to find the code path that triggered the violation and manually analyse what would happen if you would point the path to an arbitrary file or directory.
• For example, if the code is opening a file and returning the content to the user then you could use it to read arbitrary files. If you control the path of chmod or chown, you might be able to change the permissions of chosen files and so on.

PathAuditor has proved successful at Google and we're excited to share it with the community. The project is still in the early stages and we are actively working on it. We look forward to hearing about any vulnerabilities you discover with the tool, and hope to see pull requests with further improvements.
Try out the PathAuditor tool here.

Marta Rożek was a Google Summer intern in 2019 and contributed to this blog and the PathAuditor tool

EFF and a coalition of privacy advocates have filed comments with the California Attorney General seeking strong regulations to protect consumer data privacy. The draft regulations are a good step forward, but the final regulations should go further. What are your thoughts on the draft regulations that were published in October? Learn more:

Researchers have discovered a security flaw in macOS, Linux, and several other operating systems that could let attackers hijack a wide range of virtual private network (VPN) connections. Learn more about this networking attack:

Researchers have discovered a flaw in macOS, Linux, and several other operating systems that could let attackers hijack VPN connections.

In an embarrassing twist, bug bounty platform HackerOne has paid a $20,000 reward to a researcher who reported a security flaw inadvertently caused by one of its staff during… a bug submission.

Facebook says the company used celeb bait links to infect victims with malware and hijacked their ad accounts to sell diet pills.

Know where Maksim “Aqua” Yakubets is? Can you pry him out of Russia and his Lamborghinis? The biggest ever cybercrook reward awaits!

Get up to date with the hot security stories from the past week - from fake Android apps to malware targeting Mac users.