
Full Disclosure mailing list archives

TheBigIndexer – Index services and leaks over the ipv4 internet


From: Gregory Boddin <gregory () siwhine net>
Date: Fri, 12 Jun 2020 23:50:05 +0200


Hi,

I'd like to share my new current project with you all: https://leaks.nobody.run

It's a search engine indexing open hosts on the internet. It focuses on listing the databases and table names and keeps history of every successful connection. New database software support is added on a regular basis.

It currently includes:
- mysql
- redis
- mongodb
- elasticsearch
- cassandra
- kafka
- couchdb
- mssql

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/ 


Open-Xchange Security Advisory 2020-06-12


From: Open-Xchange GmbH via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 12 Jun 2020 10:07:37 +0200


Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 68441, 68453, 68454 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend, office documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2019-11-29
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2019-18846, CVE-2020-8544
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
Our blacklisting restrictions for various APIs have flaws that allow attackers to bypass certain checks by using "smart" endpoints. In detail, the check whether a URL is blacklisted was triggered independently from accessing the actual resource. Malicious endpoints with knowledge about application state could abuse this to bypass blacklisted resources. The same vulnerability affects multiple components.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a RSS feed
2. Specify a resource where the endpoint responds differently based on the request count
3. Return a valid result on the blacklist request but HTTP redirect when actually accessing the resource

Solution:
We improved the blacklisting check to make sure the actual resource is being checked when retrieving.

---

Internal reference: 68478 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev62, 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2019-12-02
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Self-XSS was possible when pasting malicious HTML content to the mail signature editor. This could be used as part of a social engineering scheme.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Ask a user to edit a mail signature and use the "Code" feature
2. Make the user paste malicious HTML Code, for example SVG with embedded JS
3. Example: </p><style><a id="</style><img src=1 onerror=alert(ox.session)>"> sodales molestie velit

Solution:
We improved frontend sanitization of user-provided content.

---

Internal reference: OXUIB-39 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev28, 7.10.2-rev20, 7.10.3-rev6
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: zee_shan
CVE reference: CVE-2020-8542
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code within an HTML E-Mail was executed under certain circumstances, like agreeing to load external images.

Risk:
Users can trigger API calls that invoke local URLs; if a host can be accessed, a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a malicious mail with external images
2. Make the user load external content within the mail
3. Example: <a class=xss style='font:"xss{color:color><img src onerror=alert(doc...

Solution:
The sanitizer has been improved to consider "getUnmodified" function calls.

---

Internal reference: MWB-34 (Bug ID)
Vulnerability type: Improper Parameter Validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev68, 7.10.1-rev28, 7.10.2-rev22, 7.10.3-rev7
Vendor notification: 2020-01-27
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher Credits: Johannes Moritz
CVE reference: CVE-2020-8543
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
Resource exhaustion can be triggered by using pre-authenticated API requests with excessive parameter length.

Risk:
Degradation of availability and response times due to excessive resource usage while processing request parameters.

Steps to reproduce:
1. Use the /api/defer endpoint and use huge request parameters repeatedly.

Solution:
We now limit and filter request parameter size to avoid denial of service vectors.

---

Internal reference: DOCS-1658 (Bug ID)
Vulnerability type: Improper Restriction of XML External Entity (CWE-611)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev6, 7.10.2-rev5, 7.10.3-rev5
Vendor notification: 2020-01-22
Solution date: 2020-03-06
Public disclosure: 2020-06-12
Researcher credits: Hasan Ali
CVE reference: CVE-2020-8541
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Details:
XML Entity Expansion can be used to trigger HTTP requests to remote servers and include local files.

Risk:
Internal network topology and local files might get exposed; server-side requests can be triggered by unauthorized users.

Steps to reproduce:
1. Create and upload a malicious OpenXML document
2. Edit or open the document

Solution:
We now use the correct XML stream reader with additional hardening when unmarshalling this kind of file.
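The XXE entry above (DOCS-1658) describes a document converter that parsed the XML parts of an OpenXML package with a reader that honoured entity declarations. The following is an added example, not Open-Xchange code, of the check a converter can run before handing an uploaded package to any XML library: every XML part inside the zip is parsed with expat and rejected as soon as a DOCTYPE or entity declaration appears, which is where both external entities (file and HTTP fetches) and recursive expansion bombs have to be declared. The package layout, part names and XML content are constructed for the example and are not taken from a real document.

```python
"""Added example (not Open-Xchange code): refuse OOXML parts that carry a DTD."""
import io
import zipfile
from xml.parsers import expat


class UnsafeXml(Exception):
    """Raised when an XML part declares a DOCTYPE or an entity."""


def check_xml_part(data: bytes) -> None:
    """Parse `data` with expat and refuse any DOCTYPE or entity declaration.

    External entities (SYSTEM "file:///..." or "http://...") and recursive
    internal entities can only be declared inside a DTD, so rejecting the DTD
    outright closes CWE-611 and entity-expansion denial of service together.
    An exception raised inside a handler stops the parser and propagates.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} (system id {system_id!r}) not allowed")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXml(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


# OOXML packages keep their markup in .xml parts and .rels relationship files.
XML_SUFFIXES = (".xml", ".rels")


def scan_ooxml(archive: bytes) -> list:
    """Return [(part_name, reason)] for every XML part inside the zip that
    fails check_xml_part; an empty list means the package is clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            try:
                check_xml_part(zf.read(info))
            except UnsafeXml as exc:
                findings.append((info.filename, str(exc)))
            except expat.ExpatError as exc:
                findings.append((info.filename, f"malformed XML: {exc}"))
    return findings


# Constructed sample parts (hypothetical namespaces, not a real document).
CLEAN_DOC = (
    b'<?xml version="1.0"?>'
    b'<w:document xmlns:w="urn:example:w"><w:body><w:p>hello</w:p></w:body></w:document>'
)
# Same part, but with an external entity declared in a DTD; the target path
# is a placeholder, not a real file.
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w:document [<!ENTITY ext SYSTEM "file:///local-file-placeholder">]>'
    b'<w:document xmlns:w="urn:example:w"><w:body><w:p>&ext;</w:p></w:body></w:document>'
)


def build_sample(with_dtd: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="urn:example:ct"/>')
        zf.writestr("word/document.xml", DTD_DOC if with_dtd else CLEAN_DOC)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean package:", scan_ooxml(build_sample(False)))
    print("package with DTD:", scan_ooxml(build_sample(True)))
```

Rejecting the DTD before any other parser sees the part is the simplest hardening because it does not depend on which features a given XML library enables by default; if the application must parse the package with another library afterwards, the defusedxml package wraps the standard-library parsers with the same policy.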
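The first entry in this advisory (68441, 68453, 68454) describes a blacklist check that ran as its own request, separate from the request that actually retrieved the resource, so an endpoint that counts requests could answer the check with a harmless response and the real retrieval with a redirect to an internal host. The following is an added example, not Open-Xchange code, that models both fetchers against a constructed in-memory network: the vulnerable one probes first and retrieves second, the hardened one validates the destination of every hop immediately before that hop's request is sent. The host names, addresses and the stateful endpoint are constructed for the example.

```python
"""Added example (not Open-Xchange code): validate a user-supplied URL at
retrieval time and on every redirect hop, not in a separate pre-flight check."""
import ipaddress
from urllib.parse import urljoin, urlparse


class BlockedDestination(Exception):
    """Raised when a hop would reach a non-public address."""


class SmartEndpoint:
    """Constructed 'smart' endpoint: the first request gets a harmless 200,
    every later request is redirected to an internal address."""

    def __init__(self, redirect_to):
        self.calls = 0
        self.redirect_to = redirect_to

    def __call__(self):
        self.calls += 1
        if self.calls == 1:
            return 200, {}, b"<rss/>"
        return 302, {"Location": self.redirect_to}, b""


# Constructed DNS table (hypothetical names): 93.184.216.34 stands in for a
# globally routable address, 10.0.0.5 for an RFC 1918 host on the intranet.
FAKE_DNS = {"feeds.example.com": "93.184.216.34", "intranet.example": "10.0.0.5"}


def make_fake_web():
    """Constructed network: URL -> callable returning (status, headers, body)."""
    return {
        "http://feeds.example.com/rss": SmartEndpoint("http://intranet.example/admin"),
        "http://feeds.example.com/static": lambda: (200, {}, b"<rss/>"),
        "http://intranet.example/admin": lambda: (200, {}, b"internal admin page"),
    }


def http_get(web, url):
    """Simulated GET against the constructed network."""
    if url not in web:
        return 404, {}, b""
    return web[url]()


def resolve(host):
    """Simulated DNS lookup; IP literals resolve to themselves."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host in FAKE_DNS:
        return ipaddress.ip_address(FAKE_DNS[host])
    return None


def destination_blocked(url):
    """True unless the URL is http(s) to a resolvable, globally routable host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    ip = resolve(parts.hostname)
    return ip is None or not ip.is_global or ip.is_multicast


def follow(web, url, check, max_hops=5):
    """Fetch url, following redirects manually; with check=True every hop is
    validated immediately before the request for that hop is sent."""
    for _ in range(max_hops):
        if check and destination_blocked(url):
            raise BlockedDestination(url)
        status, headers, body = http_get(web, url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise BlockedDestination("too many redirects")


def vulnerable_fetch(web, url):
    """Mirrors the flaw in the advisory: the blacklist check is a request of
    its own, and the real retrieval afterwards is never re-checked."""
    follow(web, url, check=True)          # pre-flight probe (request #1)
    return follow(web, url, check=False)  # actual retrieval (request #2)


def hardened_fetch(web, url):
    """Check the destination of the request that is actually being made."""
    return follow(web, url, check=True)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_fetch(make_fake_web(), "http://feeds.example.com/rss"))
    web = make_fake_web()
    print("hardened, first call:", hardened_fetch(web, "http://feeds.example.com/rss"))
    try:
        hardened_fetch(web, "http://feeds.example.com/rss")
    except BlockedDestination as exc:
        print("hardened, second call blocked:", exc)
```

In a real client the same shape applies: turn the library's automatic redirect handling off (for example `allow_redirects=False` in requests) so each Location header passes through the check, and connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the connect reopens the gap.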

Attachment: signature.asc
Description: Message signed with OpenPGP



New Release: UFONet v1.5 – [MLV] “MuLTi.V3rSe!”…


From: psy <epsylon () riseup net>
Date: Fri, 12 Jun 2020 04:46:04 +0200


Hi Community,

I am glad to present a new release of this tool:

- https://ufonet.03c8.net

"UFONet is a free software, P2P and cryptographic -disruptive toolkit- that allows to perform DoS and DDoS attacks; on the Layer 7 (APP/HTTP) through the exploitation of Open Redirect vectors on third-party websites to act as a botnet and on the Layer3 (Network) abusing the protocol."

See these links for more info:

- UFONet schema (WebAbuse Single DDoS attack) [1]
- UFONet (v1.2 "HackRon") slides [2]

---------

Main options are:

* DDoS (botnet) + DoS
* Auto-update
* Clean code
* Documentation with examples
* Web/GUI Interface
* Proxy to connect to 'zombies' (ex: tor)
* Change HTTP Headers (User-Agent, Referer, Host...)
* Configure requests (Timeout, Retries, Delay, Threads...)
* Search for 'zombies' on different search engines
* Test vulnerabilities on 'zombies'
* Download/Upload 'zombies' from/to others
* Inspect a target (HTML objects sizes)
* Set a place to 'bite' on a target (ex: big file)
* Control number of rounds to attack
* Apply cache evasion techniques
* Advanced queries (ex: Verb tunneling exploitation)
* Supports GET/POST
* Multithreading
* Order 'zombies' to attack you for benchmarking
* Geomapping / Visual data
* Sharing content space
* [...]

This release (v1.5) called "MuLTi.V3rSe!" has added these new features:

* Added: GUI Links
* Added: GUI Streams
* Added: GUI Games
* Added: GUI Browser
* Added: GUI Global.NET
* Fixed deprecated services
* Modified/Updated WebGUI
* Updated Requirements
* Updated FAQ (online)
* Updated Website
* [...]

---------

FAQ:

- https://ufonet.03c8.net/FAQ.html

---------

Packages:

* [source]: - https://code.03c8.net/epsylon/ufonet
* [mirror]: - https://github.com/epsylon/ufonet
* [.zip]: - https://ufonet.03c8.net/ufonet/ufonet-v1.5.zip
* [.tar.gz]: - https://ufonet.03c8.net/ufonet/ufonet-v1.5.tar.gz

-------------------------

[1] - https://ufonet.03c8.net/ufonet/ufonet-schema.png
[2] - https://ufonet.03c8.net/ufonet/UFONet-v1.2-slides.pdf

Attachment: signature.asc
Description: OpenPGP digital signature


The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Embarrassingly for the council workers, they were first warned that hackers had infiltrated a Windows 10 PC connected to their IT systems in late May by security blogger Brian Krebs.

Krebs says that he alerted “numerous officials” that criminals specialising in deploying ransomware had compromised their network and – if not stopped – might launch a more widespread attack.

It appears, however, that the Florence city council failed to successfully expel the hackers, who activated their DoppelPaymer ransomware on the city’s IT systems on June 5th.

At the time, Florence Mayor Steve Holt told the media that the city’s email system had been shut down, but that no ransom had been demanded, and officials did not believe that any information had been lost.

Less than a week later the City of Florence realises that things are more serious. As Mayor Steve Holt told journalists, money from the city’s insurance fund will be used to pay the hackers’ ransom demands:

“We began taking every precaution we could possibly take, and then on June 5 it actually hit us. It appears they may have been in our system since early May – over a month going through our system.”

“It’s a roll of the dice for us to say ‘nope we’re not doing that,’ and if they actually have our information in their possession they can send it publicly. This unfortunately is a response on our part to pay to make sure they delete it.”

Quite how the council will be able to 100% confirm that the hackers have permanently erased any data they have stolen is unclear, but the gang behind the DoppelPaymer ransomware is reputed to keep its word and not release data after a ransom has been paid.

The same DoppelPaymer ransomware has recently struck NASA contractor Digital Management Inc (DMI) and previously hit the city of Torrance, in the South Bay region of Los Angeles.

Unfortunately Florence is not the only US city to find itself dealing with the aftermath of a ransomware infection this week.

The city of Knoxville, Tennessee, shut down its computer systems after ransomware encrypted its systems in the early hours of Thursday.

In social media posts, the public were advised that court sessions were cancelled as a result of the computer network being offline.

A post on the city’s official website, meanwhile, warns the city’s 180,000 residents that “City online services are currently unavailable.”

A spokesperson said that the FBI had been informed of the attack, which was first spotted by employees of the fire department at approximately 4:30am on June 11th.

Knoxville officials have declined to make public the size of the ransom demand they have received, and no information has been shared about the type of ransomware that was involved.

Cities and government departments are on the horns of a dilemma when it comes to ransomware attacks.

The risk when you give in to an extortionist’s ransomware demand is that you are encouraging other criminals to launch similar attacks. A strong message is sent out to other attackers that organisations are prepared to pay a ransom if hit by ransomware. And that, inevitably, means more ransomware attacks for all of us to fend against.

But at the same time, attacked councils may feel that there is less of a financial hit paying their ransomware attacker than trying to recover from an infection. And if the ransomware attack has also stolen data from an organisation – which the most pernicious strains of ransomware do today – then you may feel that you are protecting your citizens better by at least trying to stop their possibly sensitive data from being leaked to the outside world.

In July last year, a resolution was passed by the United States Conference of Mayors (USCM) agreeing to “stand united against paying ransoms in the event of an IT security breach.”

Judging by the decision made unanimously this week by the emergency meeting of the City of Florence, Alabama, that is a resolution which some cities are choosing to ignore.


Suspicious wife fails to get good password advice from The Guardian


From the relationship advice column of yesterday’s edition of The Guardian newspaper:

‘My husband’s password is his ex-girlfriend’s name. I am devastated. What made him change it?’

My husband’s password is his ex-girlfriend’s name for almost every account, and I am devastated. After a few months of our marriage, I came to know about his past relationship. In the first two years of our marriage we had a lot of fights about his ex, but things eventually settled down when she got married. Good riddance, I thought.

We’ve been married for almost six years and recently I came to know his password is her name. It was a shock. When I confronted him, he threatened to abandon me and take some other woman. I retreated. But I am heartbroken and burning from inside. What made him change his passwords to her name when initially they were different?

Obviously the best advice is for the woman to leave the idiot.

Not because he is clearly still obsessed with his ex-girlfriend (hey, maybe his former girlfriend’s name is seventeen characters long, and full of weird symbols) but because he’s using the same darn password for every account!


Never ever re-use passwords on different services. Use a password manager to generate complex, hard-to-crack, unique passwords and store them securely.

As for the man’s threat to abandon the woman and find another wife over this password kerfuffle, surely he’s going to find it hard to find a new partner called Hunter2?

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.
