Aggregator

尽管企业服务数据库公司Crunchbase的数据显示，2024年第三季度，网络安全初创公司的风险投资下降了51 […]

新闻速览 •国家网络安全通报中心风险提示：重点防范境外恶意网址和恶意IP •国家数据局就《可信数据空间发展行动 […]

A vulnerability was found in Juniper Junos 8.5/9.0 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2009-3485. The attack may be initiated remotely. Furthermore, there is an exploit available.

1. 基本介绍1.1 概要

通用即插即用（英语：Universal Plug and Play，简称UPnP）是由“通用即插即用论坛”（UPnP™ Forum）推广的一套网络协议。该协议的目标是使家庭网络（数据共享、通信和娱乐）和公司网络中的各种设备能够相互无缝连接，并简化相关网络的实现。UPnP通过定义和发布基于开放、因特网通讯网协议标准的UPnP设备控制协议来实现这一目标。

1.2 结构组成

• 设备 - UPNP规范中的最基本单元。代表一个物理设备或包含多个物理设备的逻辑设备。
• 服务 - UPNP规范中的最小控制单元。代表设备提供的服务及调用API接口。
• 控制点 - UPNP所在网络的其他网络中UPNP设备。

1.3 协议过程

• 发现 - 简单发现服务
• 描述 - 通过远程访问URL，XML文件格式显示服务相关信息
• 控制 - 控制信息使用SOAP协议，XML文件格式显示。

2. 安全风险

UPnP由于设计上的缺陷而产生的漏洞，这些其中大多数漏洞是由于服务配置错误或实施不当造成的。

• 路由器设备作为代理，对内网进行渗透测试
• 开启端口映射，访问内部计算机

3. 威胁分析3.1 获得服务控制协议文档(SCPD)(1) 部分开启服务 - 1

(2) 部分开启服务 - 2

开启服务汇总

<serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1serviceType>
<serviceId>urn:upnp-org:serviceId:L3Forwarding1serviceId>
<SCPDURL>/L3F.xmlSCPDURL>
<controlURL>/ctl/L3FcontrolURL>
<eventSubURL>/evt/L3FeventSubURL>

<serviceType>urn:schemas-upnp-org:service:DeviceProtection:1serviceType>
<serviceId>urn:upnp-org:serviceId:DeviceProtection1serviceId>
<SCPDURL>/DP.xmlSCPDURL>
<controlURL>/ctl/DPcontrolURL>
<eventSubURL>/evt/DPeventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1serviceType>
<serviceId>urn:upnp-org:serviceId:WANCommonIFC1serviceId>
<SCPDURL>/WANCfg.xmlSCPDURL>
<controlURL>/ctl/CmnIfCfgcontrolURL>
<eventSubURL>/evt/CmnIfCfgeventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANIPConnection:2serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1serviceId>
<SCPDURL>/WANIPCn.xmlSCPDURL>
<controlURL>/ctl/IPConncontrolURL>
<eventSubURL>/evt/IPConneventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANIPv6FirewallControl:1serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPv6Firewall1serviceId>
<SCPDURL>/WANIP6FC.xmlSCPDURL>
<controlURL>/ctl/IP6FCtlcontrolURL>
<eventSubURL>/evt/IP6FCtleventSubURL

ControlURL是与特定服务进行通信的SOAP端点（实质上，该URL的GET / POST将触发操作）。

3.2 服务操作(SOAP)

假若路由器设备SOAP API暴露，我们就可以对设备进行操作，从而绕过防护。

(1) 直接访问控制

查看具体服务参数及对应接口

(2) 端口映射操作

Miranda是Kali提供的一款基于Python语言的UPNP客户端工具。它可以用来发现、查询和操作UPNP设备，尤其是网关设置。当路由器开启UPNP功能，存在相应的漏洞，就可以通过Miranda进行渗透和控制。https://github.com/kimocoder/miranda

优势 - 无需认证

• 将路由器80端口映射在外网端口8443

$ upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping

• 获取设备端口映射列表

• 查看后端端口映射是否添加成功

• 查看映射是否成功

4. 安全风险

①代理跳板：黑客可以利用路由器的某些服务接管路由器的设备权限。②内网渗透：边界设备开启UPNP没有做好鉴权处理，会导致攻击者通过该服务队内部网络进行内部渗透。

5. UPNP攻击面

• 通过SCPD获取服务控制协议文档，查看可利用服务。
• 通过SOAP进行可利用服务操作，获取设备相关敏感信息及相应权限。

总结

UPNP协议通过端口转发和映射等功能，简化网络设备的安全配置，提供更方便的用户体验的同时，也带来不小的安全威胁。这就需要管理者花时间去研究如何调整UPnP的设置，而不是通过部署或优化其他安全组件，来提高其所处网络的整体安全态势。

A vulnerability, which was classified as critical, has been found in David Paleino WICD. This issue affects the function SetWiredProperty. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2012-2095. An attack has to be approached locally. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in WP Shortcodes Plugin up to 7.2.2 on WordPress. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-8500. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in Transients Manager Plugin up to 2.0.6 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2024-10045. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as critical has been found in ProfilePress Plugin up to 4.11.1 on WordPress. This affects an unknown part. The manipulation leads to improper authentication. This vulnerability is uniquely identified as CVE-2024-9947. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in RSS Aggregator Plugin up to 4.23.12 on WordPress. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to missing authorization. This vulnerability is handled as CVE-2024-9583. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Qi Addons for Elementor Plugin up to 1.8.0 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to information disclosure. This vulnerability is known as CVE-2024-9530. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in IBM DB2 and DB2 Connect Server 10.5/11.1/11.5. It has been classified as problematic. Affected is an unknown function of the component SQL Statement Handler. The manipulation leads to allocation of resources. This vulnerability is traded as CVE-2024-31880. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Adobe Acrobat Reader up to 11.0.15/15.006 and classified as critical. This issue affects some unknown processing. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2016-4091. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Gator 3.0.6.1 and classified as critical. Affected by this issue is some unknown functionality in the library IEGator.dll of the component Installer. The manipulation of the argument src leads to improper privilege management. This vulnerability is handled as CVE-2002-0317. The attack may be launched remotely. There is no exploit available.

Home About Tools Now Then Chang

A vulnerability has been found in Adobe Acrobat Reader up to 11.0.15/15.006 and classified as critical. This vulnerability affects unknown code. The manipulation leads to memory corruption. This vulnerability was named CVE-2016-4090. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

In this Help Net Security interview, Detective Superintendent Ian Kirby, CEO of the National Cyber Resilience Centre Group (NCRCG), discusses the emerging cyber threats and strategies organizations can use to increase cyber resilience. He emphasizes basic cyber hygiene, security awareness training, multi-factor authentication, and stakeholder involvement at all levels in building a resilient organizational culture. What are the most significant emerging cyber threats organizations should prioritize when developing resilience strategies? There are a myriad of … More →

The post Effective strategies for measuring and testing cyber resilience appeared first on Help Net Security.

1. 基本介绍

ZigBee是一种低复杂度、低功耗、低速率、低成本的近距离无线通信技术。它基于IEEE 802.15.4标准，主要用于短距离数据传输和监控应用。

ZigBee网络由协调器、路由器和终端设备组成，支持星型、树型和网状等多种拓扑结构。该技术广泛应用于智能家居、工业自动化、医疗监护等领域，通过低功耗和自组织网络特性，实现高效、可靠的无线数据传输。ZigBee的传输速率在10KB/秒到250KB/秒之间，支持大量设备连接，具有强大的网络容量和灵活的节点配置能力。

2. 协议概述2.1 栈结构

ZigBee协议组成主要涵盖了四个层次，这些层次共同构成了ZigBee网络协议栈的基础，确保了数据的可靠传输和网络的有效管理。以下是ZigBee协议组成的详细概述：

• 物理层
• 处理无线电硬件之间的实际通信
• 基于IEEE 802.15.4标准的无线通信技术
• 传输层
• 管理无线链路，包括处理帧的发送、接收、超时重传、收发确认等
• 提供了安全和管理机制，如加密、身份认证和底层设备管理
• 网络层
• 负责多跳网络的支持，主要包括路由选择、拓扑结构和组网等功能(星型、树型和网状拓扑结构)
• 协调器、路由器和终端设备
• 负责定义不同应用的数据格式和通信规则
• 节点之间的路由和寻址机制，确保数据传输的可靠性和安全性
• 不同设备之间的互相通信，允许节点在网络中相互切换

2.2 数据帧2.2.1 具体分布

• 物理层
• SHR - 前导序列
• PHR -  PSDU长度信息
• PSDU - MAC层协议数据单元
• 传输层
• MHR - 控制信息、序列号、寻址信息等
• MSDU - 网络层和应用层数据
• MFR - 帧校验序列
• 网络层
• 网络层帧头和有效载荷
• 应用层
• 数据和服务

2.2.2 帧结构

  信标帧

帧控制域序列号地址域附加安全头部超帧描述GTS分配释放信息转发数据目标地址信息帧负载FCS

  数据帧

帧控制域序列号地址域附加安全头部数据帧负载FCS校验

确认帧

帧控制域序列号FCS2.3 安全机制

ZigBee主要提供三个级别的安全模式:

• 非安全模式
• 不采取任务安全措施 - 可重发、中间人攻击
• 访问控制模式
• 只允许接入的硬件设备MAC地址存在列表中，限制无合法节点访问获取相关数据
• 安全模式
• 支持128位AES加密算法进行数据通信加密

Wireshark里面提供的安全级别可支持预设密钥用于解析数据包

2.4 密钥类型

• 主密钥
• 配合ZigBee对称密钥的建立(SKKE)过程来派生其它密钥，在建立网络时生成或配置的，用于后续生成网络密钥和链接密钥。
• 网络密钥
• 保护广播和组数据的机密性和完整性，同时也为网络认证提供保护
• 链接密钥
• 保护两个设备之间单播数据的机密性和完整性
• 其他密钥
• 除了上述主要密钥外，ZigBee协议还可能定义其他类型的密钥，如应用主密钥、应用链接密钥等，用于特定场景下的安全通信

3. 安全风险3.1 中间人攻击

ZigBee采用非安全模式，对数据传输内容没有加密，可能被窃取敏感数据内容。

3.2 密钥攻击

在密钥传输过程中，密钥内容会以明文形式传输，因此可能被获取密钥信息，通过密钥对数据信息进行解密或者伪造合法接入设备。

4. 总结

当前，针对ZigBee协议的攻击策略主要聚焦于其密钥安全性的薄弱环节，其密钥安全是整个Zigbee协议中最重要一环。

Argus is an open-source toolkit that simplifies information gathering and reconnaissance. It features a user-friendly interface and a collection of powerful modules, enabling the exploration of networks, web applications, and security configurations. Argus offers a collection of tools categorized into three main areas: Network and infrastructure tools These tools help you gather data about a network, uncovering vital details about servers, IP addresses, DNS records, and more: Associated Hosts: Discover domains associated with the target. … More →

The post Argus: Open-source information gathering toolkit appeared first on Help Net Security.

error code: 1106