Blog

ImageTragick PoC

ImageMagick Is On Fire — CVE-2016-3714

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user-submitted images. The exploit for this vulnerability is being used in the wild. A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick. For more information about this vulnerability visit: https://imagetragick.com/ or [...]


Phorum – Full Disclosure

Reporter: VoidSec Security Team
Advisory: VoidSec-16-002
Date of contact: 03-03-16
2nd date of contact: 16-03-16
3rd date of contact: 04-04-16
Vendor last reply: 03-03-16
Date of public disclosure: 21-04-16
Product: Phorum Open Source PHP Forum Software
Version: 5.2.20

Download the Report [EN]

Introduction

The purpose of the present project is to assess the security posture of some important aspects of Phorum Forum Software. Phorum is open source forum software with a penchant for speed. Phorum’s very flexible hook and module system can satisfy every web master’s needs. During the web application security assessment for Phorum, VoidSec assessed the following systems [...]


LinkedIn – CSV Excel formula injection

We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its “CSV Export” function. Following our Vulnerability Disclosure Policy Agreement, the LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC. LinkedIn’s users can export all their connections into a CSV file that, due to some missing filters (escaping output), could allow an attacker to execute a command on the user’s machine. An attacker can create a LinkedIn profile embedding [...]


Avactis – Full Disclosure

Advisory: VoidSec-16-001
Date of contact: 19-01-16
2nd date of contact: 23-01-16
Vendor reply: N/A
Date of public disclosure: 12-04-16
Product: Avactis PHP Shopping Cart
Version: 4.7.9.Next.47900
Vendor: Avactis

Download the Report [EN]

Introduction

Avactis is an open source ecommerce Shopping Cart software. The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach.

Vulnerabilities: Spreading of Files with Malicious Extensions on Upload New Design and Execution in some circumstances Non-Admin PHP Shell Upload [...]


Simulation of a Penetration Test

Professional hacker: simulation of a Penetration Test. JEToP – Junior Enterprise Torino Politecnico. Wednesday, April 13, 2016, from 09:00 to 19:00 (CEST). What will we do? During the 8 hours of the course, participants will attend a brief introduction to the world of Information Security, focusing in particular on Penetration Testing. A Penetration Test is an activity whose purpose is to identify and exploit the vulnerabilities of a system, retracing the typical steps of a malicious attacker (Cracker). The substantial difference between a Cracker [...]


Backdoored OS

Recap On February 21 the Linux Mint distribution was attacked and, following the intrusion, the attacker was able to modify the ISO of version 17.3 Cinnamon Edition, inserting a backdoor into it. “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” Clement Lefebvre – head of Linux Mint project Leaving aside how the WordPress attack was carried out, the subsequent compromise of the website and of the forum (password [...]


Backdoored OS

Recap On February 21 Linux Mint was attacked and, as a result of the intrusion, the attacker was able to backdoor the ISO (Cinnamon Edition v17.3). “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” Clement Lefebvre – head of Linux Mint project Aside from the WordPress attack, the subsequent forum dump (database password: “upMint.”, seriously?) and the analysis of the malware (Tsunami/Kaiten), this incident made me think about a [...]


Keybase

Recently, a malware known as KeyBase has been “triggering” some of my sensors. KeyBase was distributed in February 2015 and sold for about $50 (in its first version). It remained active until May and then disappeared from the internet. In November it came back up with thousands of infections (v1.5). Keybase is a malware with limited capabilities belonging to the families of keyloggers and info-stealers. Malware Overview Keybase is written in C# and among its features we can find: Keylogging, HotLogging (keylogging of specific windows, e.g. PayPal, bank [...]


KeyBase

For some time now, a malware known as KeyBase has reappeared in the logs of some of the sensors I monitor. Distributed during February 2015 as version 1.0 and available for purchase for about $50, it remained active until May and then disappeared from the net. Since November it has been active again (v1.5) with thousands of infections. Keybase is a malware with limited capabilities belonging to the keylogger and info-stealer family. You can read this article in English. Malware Overview Keybase is written [...]


Aethra Botnet

What do an old log file, WordPress, “some” routers and some Italian ISPs have in common? Apparently nothing, but let me explain from the beginning and you will notice how interesting elements can be discovered, starting from an insignificant event. Friday, February 13, 2015: I was performing ordinary maintenance on my personal website and, while I was analyzing the statistics and logs, I noticed a “strange” recurring pattern: Anyone who has ever run a WordPress can recognize in this extract of [...]
