Hacks and Incidents

Safari FILE: scheme security hole

Safari FILE: scheme security hole: It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a result, any HTML file on the local file system that is opened in Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here’s a little proof-of-concept. Copy and paste this into a local HTML file and open it in Safari. It will display the contents of /etc/passwd.

<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
$.ajax({url: ‘/etc/passwd’}).done(function (s) {
$(‘body’).html(‘<pre>’ + s + ‘</pre>’);

Tested on Safari 7.1.4. FF and Chrome do not appear to have this problem.

UPDATE: Turns out this is a known problem:



Buco nel sito Trenitalia: carte dei clienti clonate

Avevano appena rifatto il sito.. Ma c’è un ma.

Buco nel sito Trenitalia: carte dei clienti clonate: Tutto comincia con una telefonata: «Siamo la sua banca lei per caso ha effettuato queste spese?».

All’inizio si resta un po’interdetti, si, no, forse fino a quando appare chiaro che siamo di fronte a una carta clonata. «Ma come avete fatto a scoprirlo?» si balbetta per capire almeno quando «tutto ebbe inizio». «L’allarme è stato lanciato da Trenitalia». Già, il sito delle Ferrovie nazionali, violato dai soliti hacker, pare napoletani, che stanno facendo festa dopo aver spazzolato i dati delle carte di credito. «Ma non si preoccupi, le sarà tutto rimborsato».

Brutto colpo scoprire che un segmento cruciale dell’economia e della sicurezza nazionale si è dimostrato così vulnerabile da diventare un pozzo di san Patrizio per i soliti noti. La polizia postale conferma, l’indagine è in corso, si sospetta una banda di truffatori napoletani. Nel frattempo Trenitalia, scoperto l’accesso fraudolento, avverte le banche dei vari clienti che, dopo aver acquistato un biglietto online, si ritrovano con la carta esposta a tutte le intemperie.

Ottima sicurezza applicativa FS!


Security Techniques

Noose around Internet’s TLS system tightens with 2 new decryption attacks

Noose around Internet’s TLS system tightens with 2 new decryption attacks: The noose around the neck of the Internet’s most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols.

Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today’s TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn’t until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (234) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice.

Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (226) encryptions, a two-order of magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail.

Hacks and Incidents


stealth/troubleshooter: Abstract: This paper demonstrates vulnerabilities within the SELinux framework as well as shortcomings in the type enforcement setup. I will show how to deconstruct a SELinux setup with some simple 80’s style exploit techniques. While reading this paper, I recommend listening to this music from the year of morrisworm.

When in 2012 the SELinux developers analyzed the behaivior of an exploit that was not designed to run on a SELinux system at page 32 of these slides – it triggered a review-selector for SELinux and I put it to the list of my audit targets. Not surprisingly, GingerBreak lost that “competition”, just because it was not made for it. Using my QUANTUM AUDIT techniques I was now able to have a deeper look into SELinux itself to see whether the claims that were made really hold.

Security Techniques


Pcap2XML/Sqlite: This tool converts 802.11 packet traces (PCAP format) into an XML and SQLITE equivalent so you can now run XPATH/XQUERY/SQL queries on the packets.

Why do we need this?

Wireshark is great when it comes to capturing and filtering packet traces. However, it has no facility for macro level tasks. Here are some answers which Wireshark cannot give you out of the box:

  • Give me all device MAC addresses in the PCAP
  • Give me a unique list of all Access Point/Ad-Hoc networks in the PCAP
  • Of course, this is by design. Wireshark is a packet capture tool and not a data analysis platform.

This is where Pcap2XMl/Sqlite comes in! We map every header field in an 802.11 packet to an XML and SQLITE Equivalent. Once we convert every packet into these formats, it is extremely easy to run analysis tools on them as you shall see in latter part of this post.

Where can this tool be used?

This tool can be used anywhere there is a need to analyze individual packets. However, we had the following purposes in mind:

  • Teaching Wi-Fi security using Packet Analysis
  • Deriving Macro-Stats on a PCAP file as discussed in the previous section
  • Writing a simple Wi-Fi IDS :)
Security Techniques

TextSecure, RedPhone, and Signal threat modeling

TextSecure, RedPhone, and Signal threat modeling: TextSecure, RedPhone, and Signal threat modeling

In this blog post I will explore what telecommunication companies (telcos) are able to observe in terms of metadata and content when using or not using Open Whisper Systems’ TextSecure, Signal, and RedPhone. This blog post is independently licensed as “CC0″, because I hope that it might influence EFF’s Surveillance Self Defense guide. Special thanks to John Brooks for content editing.


Telecos, globally, for over a hundred years, have had various data retention policies that include metadata and content collection and storage (information seizure). In the United States, the Communications Assistance for Law Enforcement Act (CALEA) was enacted specifically to enhance electronic surveillance. Anything the telecos can see and store, intelligence agencies and law enforcement have the ability to obtain too, often in real-time (information search). Intelligence agencies store this information for much longer than telcos because of the monetary costs to store your private information. Within the Snowden revelations, top secret documents make clear that as much information as possible is collected depending on company/agency capacity and technical capability.

The mobile devices that you use contain a huge swath of information about you. They also contain a huge swath of information about the people that you communicate with. In each of the scenarios that I explore below, I’ll be breaking down my exploration into two high-level categories; device vulnerabilities, which can alternatively be thought of as “data at rest”. The second high-level category is infrastructure threats, which can alternatively be thought of as “data in motion”.

Hacks and Incidents

This String of 13 Characters Can Crash your Chrome on a Mac

This String of 13 Characters Can Crash your Chrome on a Mac: If you’re currently on a Mac computer and using a Chrome browser then a weird little Apple’s OS X quirk, just a special thirteen-characters string could cause your tab in Chrome to crash instantly.
A string of 13 characters (appear to be in Assyrian), shown below in an image, is all needed to crash any tab in Chrome for OS X, however, this text has no impact on Windows, Android, or iOS operating systems.

This Chrome crash vulnerability has already been reported by an open-source project Chromium project, which means that Google is likely aware of this troublesome issue.

Hacks and Incidents

The old is new, again: CVE-2011-2461

Nibble Security: The old is new, again. CVE-2011-2461: As part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a known vulnerability (CVE-2011-2461), already patched by Adobe in apsb11-25.

Old vulnerability, bad luck, let’s move on. Not this time.

The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin.

As soon as we understood the potential risk, we conducted a large-scale analysis by locating SWFs hosted on popular websites and analyzing those files with a custom tool capable of detecting vulnerable code patterns. This research has led to the identification of numerous websites vulnerable to CVE-2011-2461, including 3 sites out of the Alexa Top 10.

Security Techniques


ikkisoft/ParrotNG: ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461

ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461

ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461. For more details, please refer to the slides of our Troopers 2015 talk.


  • Written in Java, based on swfdump
  • One JAR, two flavors: command line utility and Burp Pro Passive Scanner plugin
  • Detection of SWF files compiled with either a vulnerable Flex SDK version, patched by Adobe’s tool or not affected

How To Use – Command Line

  • Download the latest ParrotNG from the release page
  • Simply use the following command:
  • $ java -jar parrotng_v0.2.jar
  • The tool accepts a single SWF file or an entire directory.

How To Use – Burp Pro Passive Scanner Plugin

  • Download the latest ParrotNG from the release page
  • Load Burp Suite Professional
  • From the Extender tab in Burp Suite, add parrotng_v0.2.jar as a standard Java-based Burp Extension
  • Enable Burp Scanner Passive Scanning
  • Browse your target web application. All SWF files passing through Burp Suite are automatically analyzed