proof of concept - Online Cyber Security News

Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday

Friday, April 13, 2018 Swati Khandelwal

hacking-drupal-remote-code-execution-exploit-code

Hackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of working exploit code.

Two weeks ago, Drupal security team discovered a highly critical remote code execution vulnerability, dubbed Drupalgeddon2, in its content management system software that could allow attackers to completely take over vulnerable websites.

To address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue.

Two days ago, security researchers at Check Point and Dofinity published complete technical details about this vulnerability (CVE-2018-7600), using which, a Russian security researcher published a proof-of-concept (PoC) exploit code for Drupalgeddon2 on GitHub.

The Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations.

According to checkpoint's disclosure, the vulnerability exists due to the insufficient sanitation of inputs passed via Form API (FAPI) AJAX requests.

"As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication," Check Point researchers said.

"By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer."

However, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at Sucuri, Imperva, and the SANS Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none have yet to see any reports of websites being hacked.

Sites administrators still running vulnerable versions of Drupal are highly recommended to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible to avoid exploits.

The vulnerability also affects Drupal 6, which is no longer supported by the company since February 2016, but a patch for the version has still been created.

iPhone Instagram users vulnerable to hackers

Monday, December 03, 2012 Mohit Kumar

Instagram - Facebook’s popular photo sharing app for iOS, is currently has a vulnerability that could make your account susceptible to hackers. A security researcher Carlos Reventlov published on Friday another attack on Facebook's Instagram photo-sharing service that could allow a hacker to seize control of a victim's account.

"The Instagram app communicates with the Instagram API via HTTP and HTTPs connections. Highly sensitive activities, such as login and editing profile data, are sent through a secure channel. However, some other request are sent through plain HTTP without a signature, those request could be exploited by an attacker connected to the same LAN of the victim’s iPhone."

Vulnerability Details -- The vulnerability is in the 3.1.2 version of Instagram's application, which is susceptible to “eavesdropping and man in the middle attacks that could lead an evil user to delete photos and download private media without the victim’s consent.

An attacker on the same LAN of the victim could launch a simple arpspoofing attack to trick the iPhones into passing port 80 traffic through the attackers machine. When the victim starts the Instagram app a plain text cookie is sent to the Instagram server, once the attacker gets the cookie he is able to craft special HTTP requests for getting data and deleting photos.

The Secunia verified the attack and issued an advisory Here. The compromise uses a method called ARP (Address Resolution Protocol) spoofing, where the web traffic of the victim's mobile device is channeled through the attacker's computer. Reventlov wrote that it is then possible to intercept the plain-text cookie.

“I’ve found that many iPhone apps are vulnerable to such things but not too many are high-profile apps like Instagram,” Reventlov added. He says that the fix for Instagram is rather easy. For API calls that utilize sensitive information, simply use HTTPS, or Hypertext Transfer Protocol Secure. Find Proof of concept on Reventlov blog.

Online IT Security Courses – CISA, CISM, CISSP Certifications

Friday, April 20, 2018 Exclusive Deals

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Remote 0day Exploit for Tectia SSH Server released

Sunday, December 02, 2012 Mohit Kumar

Hacker @kingcope discovered critical vulnerability in Tectia SSH Server. Exploit working on SSH-2.0-6.1.9.95 SSH Tectia Server (Latest available version from www.tectia.com) that allow attacker to bypass Authentication remotely.

Description : An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can login without a password. The bug is in the “SSH USERAUTH CHANGE REQUEST” routines which are there to allow a user to change their password. A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.

Download Exploit Code : Click Here

A default installation on Linux (version 6.1.9.95 of Tectia) is vulnerable to the attack. Eric Romang posted a Demo video on Youtube, hope you will like it :)