Sunday

C|Net Download.Com is now bundling Nmap with malware!

Hi Folks.  I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.

The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer.  They even
provide the correct file size for our official installer.  But users
actually get a Cnet-created trojan installer.  That program does the
dirty work before downloading and executing Nmap's real installer.

Of course the problem is that users often just click through installer
screens, trusting that download.com gave them the real installer and
knowing that the Nmap project wouldn't put malicious code in our
installer.  Then the next time the user opens their browser, they
find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the
software performs!  The worst thing is that users will think we (Nmap
Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer
in action.  Note how they use our registered "Nmap" trademark in big
letters right above the malware "special offer" as if we somehow
endorsed or allowed this.  Of course they also violated our trademark
by claiming this download is an Nmap installer when we have nothing to
do with the proprietary trojan installer.

In addition to the deception and trademark violation, and potential
violation of the Computer Fraud and Abuse Act, this clearly violates
Nmap's copyright.  This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a
clause forbidding software which "integrates/includes/aggregates Nmap
into a proprietary executable installer" unless that software itself
conforms to various GPL requirements (this proprietary C|Net
download.com software and the toolbar don't).  We've long known that
malicious parties might try to distribute a trojan Nmap installer, but
we never thought it would be C|Net's Download.com, which is owned by
CBS!  And we never thought Microsoft would be sponsoring this
activity!

It is worth noting that C|Net's exact schemes vary.  Here is a story
about their shenanigans:

http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations

It is interesting to compare the trojaned VLC screenshot in that
article with the Nmap one I've attached.  In that case, the user just
clicks "Next step" to have their machine infected.  And they wrote
"SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.  It is
telling that they decided to remove that statement in their newer
trojan installer.  In fact, if we UPX-unpack the Trojan CNet
executable and send it to VirusTotal.com, it is detected as malware by
Panda, McAfee, F-Secure, etc:

http://bit.ly/cnet-nmap-vt

According to Download.com's own stats, hundreds of people download the
trojan Nmap installer every week!  So the first order of business is
to notify the community so that nobody else falls for this scheme.
Please help spread the word.

Of course the next step is to go after C|Net until they stop doing
this for ALL of the software they distribute.  So far, the most they
have offered is:

  "If you would like to opt out of the Download.com Installer you can
   submit a request to cnet-installer () cbsinteractive com.  All opt-out
   requests are carefully reviewed on a case-by-case basis."

In other words, "we'll violate your trademarks and copyright and
squander your goodwill until you tell us to stop, and then we'll
consider your request 'on a case-by-case basis' depending on how much
money we make from infecting your users and how scary your legal
threat is."

F*ck them!  If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Also, shame on Microsoft for paying C|Net to trojan open source
software!

Cheers,
Fyodor



Adobe Flash Player Unspecified Code Execution Vulnerability

A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. No further information is currently available.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 11.1.102.55. Other versions may also be affected.

Solution
Do not browse untrusted sites or disable the player.
Provided and/or discovered by
Reportedly a module for VulnDisco Pack by Evgeny Legerov, Intevydis

Original Advisory
http://archives.neohapsis.com/archives/dailydave/2011-q4/0081.html

Full Path Disclosure (FPD)

Many people, including developers, vendors and security professionals, believe that Full Path Disclosure (FPD) is mainly a Security Misconfiguration problem rather than an Input Sanitization or Error Handling problem. I'm not saying that they are wrong, but I hope to convince them that it is more of a coding bug than a configuration bug. I want to make the case for why I think FPD is a bug in source code and not in configuration.
What is Full Path Disclosure (FPD)?
According to OWASP:
“Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.”
https://www.owasp.org/index.php/Full_Path_Disclosure
For me this is a very vague description of what FPD really is. FPD occurs when a web application encounters an error that is displayed to the user; the error includes the full path to the file the error occurred in, possibly along with other debugging information.
Why is it a problem?
It’s just the path of the file from the root directory, what’s all the fuss about?

Let’s look at a WordPress FPD:
Fatal error: Call to undefined function is_multisite() in /home/bob/public_html/wp/wp-includes/wp-db.php on line 505
From the above error a username is disclosed which can later be used in a brute force attack:
/bob/
From the above error we know the web root folder name and location, this can be useful when combined with a Local File Inclusion (LFI) if the web root is not in the default location:
/home/bob/public_html/
In reality it's not a massive deal: we can glean some server-side information, but it's not as serious as SQL Injection or Cross-Site Scripting (XSS). But when there is no SQL Injection or XSS, bob's weak password may be our only way in, or that LFI vulnerability we found earlier is now more useful.
Security Misconfiguration or Sloppy Coding?
Many people believe that FPD is a Security Misconfiguration, and I can see why they think that. By simply turning 'display_errors' to 'Off' in your php.ini file the problem goes away. The same applies to most other web server technologies. (Note: FPD is widely known to affect PHP more than any other technology, but it does affect most if not all web server technologies.)
If we do the above the FPDs are gone, right? No. They are still there; all you have done is hide them. If, for example, a developer turns 'display_errors' on by accident, the bug returns. We can say the same about a WAF in an extreme example. Just because the WAF stops the SQL Injection from happening, it does not mean that it is not there, and one day that WAF may be turned off. *cough* barracuda *cough*
I think it is mostly down to sloppy coding practices, judging by the following triggers of FPD (taking some of OWASP's examples):
Empty array: (input sanitization)
Original: http://site.com/index.php?page=about
Crafted: http://site.com/index.php?page[]=about
Fix: Ensure the parameter is a string not an array.
Null Session Cookie: (input sanitization)
Original: Cookie: PHPSESSID=ef7f786sd78f6ds78f6;
Crafted: Cookie: PHPSESSID=;
Fix: Deal with unexpected cookie values.
Direct Object Reference: (error handling)
http://localhost/wp/wp-includes/wp-db.php
Fix: Deal with errors gracefully when a file is not located in the location it should be.
Invalid File Names: (configuration)
Original: http://www.host.com/default.aspx
Crafted: http://www.host.com/default~.aspx
Fix: Now this one, I think, the only fix is configuration. You could argue that this could be fixed by the ASP developers, but in reality, that’s not going to happen.
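To show why the first two triggers are coding bugs rather than php.ini settings, here is an added example (not code from this post or from WordPress): a vulnerable handler for the Empty array case beside a hardened one that also rejects the null session cookie and keeps any error it did not anticipate out of the response. The /home/bob/public_html path, the page whitelist and the function names are assumptions.

```php
<?php
// Added example (not the post's or WordPress's code); the path below is constructed.
// VULNERABLE: index.php?page[]=about makes $_GET['page'] an array, so htmlspecialchars()
// warns "expects parameter 1 to be string, array given in /home/bob/public_html/index.php"
// (a TypeError under PHP 8), and display_errors=On sends that path to the client.
function render_vulnerable(array $get): string
{
    return 'Page: ' . htmlspecialchars($get['page']);
}

// HARDENED: fix the bug in code, so it stays fixed no matter what php.ini says.
function string_param(array $source, string $name): ?string
{
    // Arrays (page[]=...) and missing keys never reach a string function.
    return (isset($source[$name]) && is_string($source[$name])) ? $source[$name] : null;
}

function valid_session_id(?string $sid): bool
{
    // PHP session ids contain only 0-9, a-z, A-Z, "," and "-" (session.sid_bits_per_character),
    // so the "Null Session Cookie" trigger (PHPSESSID=) is rejected before session_start().
    return $sid !== null && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1;
}

function render_hardened(array $get, array $cookie): array
{
    // Returns [status, body]; every branch is a fixed string, so no path can leak through it.
    $page = string_param($get, 'page') ?? 'home';
    if (!in_array($page, ['home', 'about', 'contact'], true)) {
        return [404, 'Not found'];
    }
    if (isset($cookie['PHPSESSID']) && !valid_session_id(string_param($cookie, 'PHPSESSID'))) {
        return [400, 'Bad session cookie'];
    }
    return [200, 'Page: ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8')];
}

// Defence in depth for bugs not yet found: file and line go to the server log only, the
// client gets a generic message (warnings via set_error_handler, uncaught exceptions such
// as PHP 8 TypeErrors via set_exception_handler).
set_error_handler(function ($no, $str, $file, $line) {
    error_log("PHP[$no] $str in $file:$line");
    http_response_code(500); exit('Internal error');
});
set_exception_handler(function (Throwable $e) {
    error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500); exit('Internal error');
});

[$status, $body] = render_hardened($_GET, $_COOKIE); http_response_code($status); echo $body;
```

Requesting index.php?page[]=about against the hardened handler returns the fixed 'home' page, and an empty PHPSESSID cookie gets a 400 with no file path in either response.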
The bigger problem
The bigger problem for me is not the information disclosure through FPD itself but rather the reluctance of vendors and developers to fix FPD. It’s too easy for them to put the blame back onto the user, “not our problem, hide the bug with configuration”.
The biggest culprit for me is WordPress. This is from their own Security FAQ:
“Why are there path disclosures when directly loading certain files?
This is considered a server configuration problem. Never enable display_errors on a production site.”
The earliest version of WordPress I could get installed (0.71-gold) had 44 FPDs; the newest release at the time of writing (3.2.1) has 155. Most of these are due to "directly loading certain files", but not all of them. One example: http://wordpress-3.2.1/index.php?s[]=FPD
It is not only WordPress either; the YEHG have kindly been collecting logs of vulnerable applications:
http://code.google.com/p/inspathx/source/browse/#svn%2Ftrunk%2Fpaths_vuln
My job is to reduce software [security] bugs, and I think this bug is underestimated and deserves more attention. All FPD bugs found in WordPress will soon be implemented in my tool WPScan.
To check your web applications for FPD vulnerabilities I recommend using the YEHG's awesome inspathx tool, which checks for all of the triggers outlined above and more.

Hack a webcam and a film camera into a USB microscope
Have you ever wanted to inspect or photograph something up close, but could not find a magnifying glass or did not have enough light on your subject? Well read on, because this project, called "My Inspector Gadget", will do the job for you at little or no cost.

Most of you probably have a webcam sitting around somewhere, and after all the high voltage projects you’ve done using disposable cameras, we bet you have some camera lenses too. In a contest entry Butch shows how to make your very own computer enabled microscope out of stuff that many of you will have lying around your house. What is basically involved is tearing apart a web cam, adding additional lighting and a lens assembly from an old film camera.

In his project he shows how to harvest the lens from the film camera and mount it, as well as where he added the LED. As you can see in the picture above, his results are pretty good.

WPScan 1.1 released

I am pleased to announce, after 5 months of work, that WPScan version 1.1 has been released!
With 780 more lines of code the most notable changes are:
Detection for 750 more plugins.
Detection for 107 new plugin vulnerabilities.
Detection for 447 possible timthumb file locations.
Advanced version fingerprinting implemented.
Full Path Disclosure (FPD) checks.
Auto updates.
Progress indicators.
Improved custom 404 checking.
Improved plugin detection.
Improved error_log checking.
Lots of bugs fixed.
Lots of small tweaks.
A full list of changes can be found here:
http://code.google.com/p/wpscan/source/browse/trunk/CHANGELOG

We have done away with file downloads and are instead using Subversion (SVN) to distribute WPScan. You can check out WPScan 1.1 by issuing the following command:
svn checkout http://wpscan.googlecode.com/svn/trunk/ ./wpscan-1.1
WPScan can also be found pre-installed in Backtrack5 R1 in the ‘/pentest/web/wpscan’ directory and will soon be available in SamuraiWTF.
Thanks to everyone who reported bugs or requested features. A special thanks to Alip, @gbrindisi and michee08.
If you find any pesky bugs or want to request a feature in version 1.1, please do so here:
http://code.google.com/p/wpscan/

(IN) Magazine - Dec. 2011

(December 2011)
  • 7 questions you always wanted to ask a professional vulnerability researcher
  • Insights on drive-by browser history stealing
  • Review: Kingston DataTraveler 6000
  • RSA Conference Europe 2011
  • PacketFence: Because NAC doesn't have to be hard!
  • Information security and the threat landscape with Raj Samani
  • Security is a dirty word
  • Smartphone apps are not that smart: Insecure development practices
  • Virus Bulletin 2011
  • Infosec professionals: Accomplishing your day job without breaking the law
  • WPScan: WordPress Security Scanner
  • Securing the enterprise: Is your IT department under siege?

XSS Vulnerability On Twitter Found by 15 Year Old Expert


A 15-year-old XSS expert, "Belmin Vehabovic (~!White!~)", discovered an XSS vulnerability on Twitter and reported it to us. The vulnerable link is here. He also discovered an XSS vulnerability in Facebook, as he tweeted yesterday, and Facebook is offering him $700 as a bounty.