Opening malicious PDF in Android version of Adobe reader allows attacker to access files


The android version of Adobe PDF Reader contains a security bug that could allow an attacker to compromise documents stored in reader and other files stored on the android's SD card.

Security researcher says the problem is there because the Adobe reader exposes few insecure javascript interfaces.  These javascript interfaces allows an attacker to run malicious javascript code inside Adobe reader.

"An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file" security researcher Yorick Koster from Security said.

Researcher has successfully verified the existence of vulnerability in the version 11.1.3 of the adobe reader for Android. The bug has been fixed in the latest version 11.2.0.

He also have released a poc code that will create '.txt' file, when an user open the specially crafted .pdf on vulnerable version of reader.

How researchers hack Google using XXE vulnerability !

What is most secure website? NOTHING.  Even Google is vulnerable to all sort of attacks!

Security researchers and Co-Founders of Detectify have discovered a critical security vulnerability in Google that allowed them to access Internal servers.

The vulnerability exists in the Google Toolbar button gallery.  The page allows users to customize their toolbar with buttons. It also allows users to create their own buttons by uploading XML file containing various meta data.

Researchers identified this function is vulnerable to XML External Entity vulnerability.

By sending a crafted XML file, researchers are able to gain access to internal files stored in one of Google's product server.  They have managed to read the 'etc/passwd' and 'etc/hosts' files of the server. 

By exploiting this vulnerability, researchers could have accessed any files on the Google's server, also they could have done SSRF Exploitation to access internal systems.

Google has rewarded the researchers with $10,000 for finding and reporting this vulnerability. 

31 Security bugs fixed in Google Chrome 34

Google has announced the stable release of Chrome 34, an update brining number of fixes, functionality improvements and security updates.

In total, 31 security vulnerabilities have been patched in this latest version 34.0.1847.116 which includes medium to high severity bugs.

The list of high severity bugs are UXSS in V8, OOB access in V8, Integer overflow in compositor, Use-after-free in web workers, Use-after-free in DOM, Memory corruption in V8, Use-after-free in rendering, Url confusion with RTL characters and Use-after-free in speech.

The medium severity bugs include Use-after-free in speech, OOB read with window property and Use-after-free in forms.

A total of $29,500 has been awarded to researchers who reported the above security vulnerabilities.

OpenSSL vulnerability allows hackers to read 64k of memory on target server


HeartBleed: A potentially critical security vulnerability in OpenSSL has been discovered that allows an attacker to read up to 64kilobytes of memory from the server running a vulnerable OpenSSL version.

As a normal user, you may not aware what is OpenSSL.  It is cryptographic library which is used for encrypting communication between web server and users - used by plenty of websites including Google, Yahoo, Twitter.

The bug( CVE-2014-0160), dubbed as 'HeartBleed', was independently discovered by Neel Mehta from Google Security team and Codenomicon.  The bug appropriately named HeartBleed because vulnerability is located in HeartBeat extension and it leads to memory leak.

The attacker can read only up to 64k of memory during one iteration of the attack.  However, according to Heardbleed.com, an attacker can "keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed".

An attacker can retrieve the private key used for encrypting the communication that will allow to read all information passed to server and user like it wasn't encrypted at all.

How to fix it?
If your server is using OpenSSL 1.0.1 and 1.0.1f, then better upgrade to 1.0.1g. If you are using 1.0.0 and 0.9.8, you are not vulnerable to this bug.  As a temporary fix, users can remove HeartBeat extension by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS

Check whether Your server is vulnerable or not:
"http://filippo.io/Heartbleed/" allows to find whether your server is vulnerable to this bug or not.

Details about the Bug:
TLS Heartbeat extension is to ping from one end to another end - a specific message with size of it is being sent from client to server and server responds with the same message.

But, if an attacker send a small size of data(Let's say 1 kilo byte) and claims it's large size(64k), then the server(running vulnerable OpenSSL) will respond with 1 kilo byte of attacker's data + 63 kilobytes of data read from memory of the server.

Technical details of this bug can be found here .(read only if you are good in 'C' program).

Here is POC script written in Python: https://gist.github.com/ixs/10116537

*Update:
Metasploit Module :
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb

Nessus Plugin:
http://www.tenable.com/plugins/index.php?view=single&id=73404

Nmap Script(NSE):
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

One should always be careful, when using pointers in C programming ;)

Opening an email containing RTF in Outlook hands your computer to hackers

How many of you are using Microsoft Outlook in your office? Previewing or opening an email containing .RTF file in Microsoft Outlook will open a backdoor for remote hackers to access your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code in the vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word" Security advisory reads. "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft word 2003, 2007,2010,2013, word viewer and Microsoft Office for Mac 2011.  Advisory states that the exploits it has seen so far have targeted Microsoft word 2010 users.

Microsoft is in the process of creating patch for this security flaw.  In the meantime, they have released a temporary Fix it solution which prevents opening of RTF files in Microsoft word.

Other suggestion to prevent yourself from being victim are 'configuring the outlook to read email messages in plain text format', 'using Enhanced Mitigation Experience Toolkit(EMET)'.

Yahoo using 'admin' as username and password, leads to RCE


Behrouz Sadeghipour, a bug bounty hunter, has found a critical vulnerability in one of the subdomain of Yahoo(hk.yahoo.net) that allowed him to access admin panel.

It is funny to know that the hk.yahoo.net is using 'admin' as username and password for its panel.

After gaining access to the admin panel, he managed to upload his backdoor shell to the server.  Using the shell, he was able to delete or create any file or run any commands on the server.

He was also able to control few other subdomains of Yahoo.  After getting notification from the researcher, Yahoo has patched the security hole.  Researcher is still waiting for his bounty. 

In addition to this bug, he also found another vulnerability 'Directory Traveral attack' on health.yahoo.com that allowed him to read the contents of '/etc/passwd' files on the server.