TrackSomebody.com

october27thgroup.com pentesting, pci, red team

illmob.org

Vbootkit 2.0

April 25th, 2009 by Dev Team in News, Privilege Escalation

Like Kon-boot we talked about in our last post VBootkit 2.0 is an updated code from 2007 that hasnt hit the internet yet , but is pretty much the same idea, modify the bootmgr and you essentially can modify the security checks on the fly to let you do anything you wanted on the system as any user without knowing the password. Read more from there authors site ::HERE::

VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.

The latest version of VBootkit includes the ability to remotely control the victim’s computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also able remove a user’s password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.

WPA Wi-Fi encryption is cracked

November 6th, 2008 by admin in News, Wireless

Security researchers say they’ve developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.
(more…)

Change Your Yahoo Email

October 30th, 2008 by admin in News, Privilege Escalation, Yahoo

The month’s victim comes courtesy of Yahoo, or should I say Yahoo’s HotJobs.com. On October 28th, popular internet research and analysis company Netcraft discovered a vulnerability on the Yahoo site that was being exploited to steal user authentication cookies. These cookies contain user login credentials that can be used to access any of Yahoo’s services, including e-mail. These cookies were being sent remotely to a site in the United States under the control of the attacker.

Yahoo has since corrected the flaw and released the following statement to netcraft:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

How it happened:

The attacker managed to find a flaw at hotjobs.yahoo.com that allows visitors to inject obfuscated JavaScript into the page. The script can be configured to steal authentication cookies. The authentication cookie can then be used to allow the attacker to pose as the user.  This type of attack, and loyal netleets readers already know, is called cross-site scripting. Earlier in the year netcraft found a similar flaw at ychat.help.yahoo.com.

This attack was probably executed using the CookieMonster tool that has recently affected netflix.com and bankofamerica. CookieMonster is a cookie stealing toolkit that works with both http and https sites. It siphons authentication cookies from vulnerable sites. These cookies can be used to hijack a users account.

Theregister.co.uk best describes CookieMonster as follows:

The vulnerability stems from website developers’ failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that’s exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and – voila! – the browser sends the authentication cookie.

A CookieMonster blog listed several popular sites that were allegedly vulnerable back in September. Those sites include southwest.com, expedia.com, usairways.com, register.com, newegg.com, ebay.com, any many many more.

What can be done:

In addition to the steps outlined in this XSS tutorial, sites that contain cookies for authentication must not allow cookie values to be translated on the client side. In the early days of cookie based authentication, many sites simply stored authentication information in the cookie, which can be read in any text editor. Today, cookies merely act as a reference point for server side authentication, however if the cookie can be used from any client, it defeats the purpose of even hiding the true value.

Perhaps the easiest thing that could have been done on Yahoo’s part would have been to configure their site to use http-only or https-only cookies. If only http is allowed, malicious javascript cannot be injected.

Via: netleets.com

New Windows RPC Exploit

October 26th, 2008 by admin in windows

If you haven’t been auto-updated yet make sure you do. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

DriveCrypt Security Model bypass

September 25th, 2008 by admin in News, Password Info
Synopsis

The password checking routine of DriveCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords.

(more…)

McAfee SafeBoot Device Encryption Plain Text Password Disclosure

September 25th, 2008 by admin in News, Password Info

The password checking routine of SafeBoot Device Encryption fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
(more…)

Microworld Mailscan 5.6.a Password Reveal

September 12th, 2008 by Dev Team in Password Info, windows

From MicroWorld’s website: “MailScan 5.6 is the world’s most
advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers.
The software safeguards organizations against Virus, Worm, Trojan and
many other malware breeds with futuristic and proactive technologies.
Employing an array of intelligent filters, MailScan offers powerful
protection against Spam and Phishing mails along with comprehensive
Content Security.”

http://www.microworld.de
http://www.mwti.net

(more…)

Physical Access is Total Access

July 12th, 2008 by Dev Team in News

by LysergicBliss
A cardinal rule of computer security is that once an attacker has
acquired physical access to a machine, it is generally trivial for
that attacker to fully compromise the system. As technology
improves, this is becoming less the case, but for now, if an attacker
has physical access to a machine, the attacker can generally breach
its security.
(more…)