Google Just Gave Millions Of Users A Reason To Quit Chrome, Windows 10

Google is always improving Chrome and it recently issued a brilliant (if long overdue) upgrade. That said, there have also been some recent controversial changes, security problems and data concerns and now Google has detailed a serious new problem in Chrome which cannot be fixed. The result is users may find themselves forced to choose between Windows 10 and Chrome.

💡Edit: James Forshaw has clarified that Firefox is impacted the same way because it uses the Chromium sandbox which Mozilla confirms. The result is Forshaw's research exposes a vulnerability for the sandbox of all major browsers to updates in Windows 10. I have followed this up with Firefox, Opera, Brave and Microsoft and will update when I have more information.

In a fascinating post titled ‘You Won't Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform.

https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html

👉🏼 Read more:
https://www.forbes.com/sites/gordonkelly/2020/04/23/google-chrome-critical-security-exploit-windows-10-upgrade-warning-update-chrome-browser/

#exploit #windows #chrome #firefox #browser #sandbox
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
F5 Big-IP RCE writeup + full exploit

When TEAMARES began research into the vulnerability identified in the F5 TMUI RCE vulnerability advisory released last month, we initially started by reading the advisory and mitigation steps, which contained minimal details but included key pieces of information needed to kick off our research. The advisory states that the vulnerability impacts a variety of capabilities when exploited, including the ability to execute arbitrary Java code, which stood out to us.

👀 👉🏼 https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/

👀 👉🏼 https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902

#f5 #ip #remote #code #execution #exploit #teamares #poc #writeup
Exploitation of LAN vulnerability found in Firefox for Android (PoC)

I tested this PoC exploit on 3 devices on the same wifi; it worked pretty well.

I was able to open a custom URL on every smartphone using vulnerable Firefox (68.11.0 and below).

👀 👉🏼 https://twitter.com/LukasStefanko/status/1307013106615418883

👀 👉🏼 Firefox for Android LAN-Based Intent Triggering:
https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/firefox-android-2020

#android #security #exploit #firefox #LAN #vulnerability #poc
The FBI Team Sent to ‘Exploit’ Protesters’ Phones in Portland

https://www.nybooks.com/daily/2020/10/08/the-fbi-team-sent-to-exploit-protesters-phones-in-portland

The FBI’s Washington, D.C., headquarters sent agents from its “Fly Team,” an elite counterterrorism unit, to Portland this summer during the second weekend in July. Their task was to interview arrested protesters and carry out the “initial exploitation of phones, or other communication devices,” according to FBI emails obtained through a public records request. It is unclear whether the Fly Team operation extended either past that weekend or beyond Portland, but the emails suggest that the FBI has been using counterterrorism tools and powers to map left-wing protest networks just months before an election whose result is likely to be delayed, if not challenged.


#usa #phone #exploit #protesters #cops #fbi
The Great iPwn Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit

This summer, iPhones belonging to as many as 36 Al Jazeera journalists were silently infected with malware, according to research released Sunday. They were subjected to silent attacks that appeared to exploit a vulnerability in Apple’s iOS and installed malware on the iOS devices, leaving reporters’ phones open to snooping, the researchers claimed.

In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked.

The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11.

Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.

The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.

https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

https://www.forbes.com/sites/thomasbrewster/2020/12/20/apple-security-warning-zero-click-iphone-hacks-hit-36-al-jazeera-journalists/

#ipwn #iphone #apple #journalists #hacked #nso #imessage #exploit #zeroclick #kismet #jazeera
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit

Back in college, I was very interested in Java bytecode. When I got an internship at Google in 2013, I was skeptical of the security of the Java version of Google App Engine and got permission to spend the last week of my internship doing a mini red team exercise, trying to break into App Engine. This is the story of how I found a vulnerability and developed an exploit to break out of the App Engine sandbox and get arbitrary code execution on a Google server.

Background

One of the reasons I was skeptical was Java’s poor security track record. Java is unusual among programming languages in attempting to do in-process sandboxing with its Applet model, where trusted and untrusted code run within the same language runtime.

Back in the dark ages before Javascript and Webassembly took over the world, website authors that wanted to include nontrivial interactivity had to rely on browser plugins. Sun’s entry into the fray was Java Applets, a system that allowed website authors to include precompiled Java classfiles on their site. When the user views the embedding page, the browser sends that code to the Java Virtual Machine (JVM) installed on the user’s computer for execution.

In order to keep things secure, Java used a permission system to control what running code could and couldn’t do. Desktop applications were executed with all permissions by default, while Java applets ran with a very restrictive policy that prevented stuff like accessing the user’s local files.

Unfortunately, applets were still plagued with security vulnerabilities. One issue is that most of the Java runtime library is itself implemented in Java. Trusted and untrusted code run side by side in the same VM, with the only thing separating them being the permission system and visibility modifiers (public, protected, private, etc.)

This means that a bug anywhere in the JVM or standard libraries is liable to become a security vulnerability. Additionally, the attack surface is huge. The Java 7 runtime included over 17,000 classes, a lot of places for bugs to creep in.

https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html

#google #app #engine #hacked #java #bytecode #exploit
Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks - Black Hat CitizenLab / 2020

This briefing will take an in-depth look at the technical capabilities of mobile attacks that are being leveraged against real targets for the purpose of espionage. We will focus on Pegasus, a lawful intercept product, and the features and exploit chain it used. We will describe how we discovered and tracked the developer’s infrastructure prior to the attack, and how we later caught a sample of the elusive malcode being used against a prominent human rights defender.

#Pegasus #NSO #Spyware #CitizenLab #BlackHat #espionage #israel #exploit
A technical analysis of Pegasus for Android – Part 1 – https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1/

A technical analysis of Pegasus for Android – Part 2 – https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/

A technical analysis of Pegasus for Android – Part 3 – https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/

#Pegasus #NSO #israel #Spyware #espionage #exploit
Testing a new encrypted messaging app's extraordinary claims – https://crnkovic.dev/testing-converso/

How I accidentally breached a nonexistent database and found every private key in a 'state-of-the-art' encrypted messenger called Converso

#exploit #encryptedMessenger #Converso #hacking #SoftwareBreach
itnewsbot@schleuss.online - WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April

A newly discovered zeroday in t... - https://arstechnica.com/?p=1962625 #vulnerability #security #zipfiles #exploit #zeroday #biz #winrar
Physical Attacks Against Smartphones

Android devices are constantly improving their security to protect against attackers with physical access, with new protection techniques being added year-by-year. This talk aims to demonstrate vulnerabilities in modern Android smartphones that are still viable, despite the mitigations in place.

In the first phase of this talk, we will discuss the analysis and exploitation of vendor-customized versions of Android's Recovery mode, demonstrating weaknesses that allow for privilege escalation to root, and traversal from Recovery to Android, without Bootloader access....

By: Christopher Wade

Full Abstract and Presentation Materials: https://www.blackhat.com/us-23/briefings/schedule/#physical-attacks-against-smartphones-32485

#Android #Vulnerabilities #RecoveryMode #Exploit #PrivilegeEscalation #Root
The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

Modern video encoding standards such as H.264 are a marvel of hidden complexity. But with hidden complexity comes hidden #security risk. #Decoding video today involves interacting with dedicated #hardware accelerators and the #proprietary, privileged software components used to drive (#driver) them. The video #decoder ecosystem is obscure, opaque, diverse, highly privileged, largely untested, and highly exposed -- a dangerous combination.

We introduce H26Forge, a framework that carefully crafts #video files to expose edge cases in H.264 decoders....

By: Stephen Checkoway, Hovav Shacham, Willy Vasquez

Full Abstract and Presentation Materials

#VideoEncoding #Vulnerabilities #Security #Codec #H264 #Exploit