Another Door to Windows | Hot Potato exploit

Microsoft Windows versions 7, 8, 10, Server 2008 and Server 2012 are vulnerable to the Hot Potato exploit, which gives attackers total control of a PC or laptop

Security researchers from Foxglove Security have discovered that almost all recent versions of Microsoft’s Windows operating system are vulnerable to a privilege escalation exploit. By chaining together a series of known Windows security flaws, the Foxglove researchers found a way to break into PCs, systems and laptops running Windows 7/8/8.1/10 and Windows Server 2008/2010.

The Foxglove researchers named the exploit Hot Potato. It relies on three different attacks, some of which were discovered back at the start of the new millennium, in 2000. By chaining them together, hackers can remotely gain complete access to PCs and laptops running the above versions of Windows.

Surprisingly, some of the exploits were found way back in 2000 but have still not been patched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

Hot Potato

Hot Potato combines three different security issues in the Windows operating system: a local NBNS (NetBIOS Name Service) spoofing technique that is 100% effective, which attackers can use to set up a fake WPAD (Web Proxy Auto-Discovery Protocol) proxy server, and an attack against the Windows NTLM (NT LAN Manager) authentication protocol.

Exploiting these flaws in a chained manner allows hackers to gain control of the PC or laptop by elevating an application’s permissions from the lowest rank to system-level privileges, the Windows analog of a Linux/Android root user’s permissions.

Foxglove researchers created their exploit on top of a proof-of-concept code released by Google’s Project Zero team in 2014 and have presented their findings at the ShmooCon security conference over the past weekend.

They have also posted proof-of-concept videos on YouTube in which the researchers break Windows versions such as 7, 8, 10, Server 2008 and Server 2012.

You can also access the proof of concept on Foxglove’s GitHub page here.


The researchers said that enabling SMB (Server Message Block) signing may theoretically block the attack. Another way to stop the NTLM relay attack is to enable “Extended Protection for Authentication” in Windows.



Credit:  Vijay Prabhu, techworm

Firefox Under Fire: Anatomy of latest 0-day attack

On August 6th, the Mozilla Foundation released a security update for the Firefox web browser that fixes the CVE-2015-4495 vulnerability in Firefox’s embedded PDF viewer, PDF.js. This vulnerability allows attackers to bypass the same-origin policy and execute JavaScript remotely that will be interpreted in the local file context. This, in turn, allows attackers to read and write files on the local machine as well as upload them to a remote server. The exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.

In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.

According to ESET’s LiveGrid® telemetry, the server at the IP address hosting the malicious script has been up since July 27, 2015. We can also find corroboration on one of the compromised forums:


Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

According to our monitoring of the threat, the server became inactive on August 8, 2015.


The script

The script used is not obfuscated and easy to analyze. Nevertheless, the code shows that the attackers had good knowledge of Firefox internals.

The malicious script creates an IFRAME with an empty PDF blob. When Firefox is about to open the PDF blob with the internal PDF viewer (PDF.js), new code is injected into the IFRAME (Figure 2). When this code executes, a new sandboxContext property is created within wrappedJSObject, and a JavaScript function is written to that property. This function is later invoked by subsequent code. Together, these steps lead to the successful bypass of the same-origin policy.

Code that creates sandboxContext property

The exploit is very reliable and works smoothly. However, it may display a warning which can catch the attention of tech-savvy users.

The warning message shown on a compromised site

After successful exploitation of the bug, execution passes to the exfiltration part of the code. The script supports both the Linux and Windows platforms. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla, SmartFTP and others), an SVN client, instant messaging clients (Psi+ and Pidgin), and the Amazon S3 client.

The list of collected files on Windows at the first stage of attack

These configuration files may contain saved login and password details.

On Linux systems, the script sends the following files to the remote server:

  • /etc/passwd
  • /etc/hosts
  • /etc/hostname
  • /etc/issue

It also parses the /etc/passwd file in order to get the home directories (homedir) of users on the system. The script then searches for files by mask in the home directories collected, and it avoids searching in the home directories of standard system users (such as daemon, bin, sys, sync and so forth).

The list of collected files on Linux at stage 1 of attack

It collects and uploads such files as:

  • history (bash, MySQL, PostgreSQL)
  • SSH related configuration files and authorization keys
  • Configuration files for remote access software – Remmina
  • FileZilla configuration files
  • PSI+ configuration
  • text files with possible credentials and shell scripts

As is evident here, the purpose of the first version of the malicious script was to gather data used mostly by webmasters and site administrators. This allowed attackers to move on to compromising more websites.


The second version

The day after Mozilla released the patch for Firefox, the attackers decided to go “all-in”: they registered two new domains and improved their script.

The two new malicious domains were maxcdnn[.]com ( and acintcdn[.]net ( The second IP address is the same one as used in the first version. Attackers selected these names because the domains look as if they belong to a content delivery network (CDN).

The improved script on the Windows platform not only collects configuration files for applications; it also collects text files containing almost all combinations of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):

List of files collected on Windows during the second attack stage

The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:

List of files collected on Macs during the second stage of an attack

Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.


A copycat attack

Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, different attackers have started to use it. We have seen that various groups quickly adopted the exploit and started to serve it, mostly on adult sites from google-user-cache[.]com (

This malicious script does all the same things as the original script, but it collects different files:

The list of collected files used in the copycat attack



The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware-writers had a deep knowledge of Firefox internals. It is also an interesting one, since in most cases, exploits are used as an infection vector for other data-stealing trojans. In this instance, however, that was not necessary, because the malicious script alone was able to steal sensitive files from victims’ systems.

Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.

ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The internal Firefox PDF reader can also be disabled by changing the pdfjs.disabled setting to true.
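As an added check for the pdfjs.disabled mitigation described above (example code written for this page, not ESET's), the following Python script parses a Firefox profile's prefs.js, where Firefox stores user preferences one `user_pref("name", value);` line at a time, and reports whether the built-in PDF viewer is disabled. The sample file contents embedded in it are constructed; the profile directory is whatever path you pass to `audit_profile`.

```python
"""Audit a Firefox profile's prefs.js for the pdfjs.disabled mitigation.

Added example, not ESET's code. prefs.js is the real preference file format
Firefox writes into a profile directory, one line per preference:
    user_pref("name", value);
The pref name pdfjs.disabled is the one the article names; the sample file
contents below are constructed for the demonstration.
"""
import re
from pathlib import Path

# One prefs.js line: the value is a bare literal (true/false/number) or a "string".
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def pdf_viewer_disabled(text):
    """True only if pdfjs.disabled is explicitly true.

    When the pref is absent Firefox uses its default, which is PDF.js enabled,
    so an absent pref must be reported as *not* mitigated.
    """
    return parse_prefs(text).get("pdfjs.disabled") == "true"


def audit_profile(profile_dir):
    """Read <profile>/prefs.js and report whether the mitigation is in place."""
    path = Path(profile_dir) / "prefs.js"
    if not path.exists():
        return {"prefs_found": False, "pdfjs_disabled": False}
    text = path.read_text(encoding="utf-8", errors="replace")
    return {"prefs_found": True, "pdfjs_disabled": pdf_viewer_disabled(text)}


# Constructed sample prefs.js contents (not taken from a real profile).
SAMPLE_UNPATCHED = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("pdfjs.migrationVersion", 2);
'''
# The pref is set twice; the last line is the one Firefox honours.
SAMPLE_MITIGATED = '''
user_pref("pdfjs.migrationVersion", 2);
user_pref("pdfjs.disabled", false);
user_pref("pdfjs.disabled", true);
'''

if __name__ == "__main__":
    for label, text in (("unpatched", SAMPLE_UNPATCHED), ("mitigated", SAMPLE_MITIGATED)):
        print(label, "pdfjs.disabled =", pdf_viewer_disabled(text))
    # audit_profile("/path/to/firefox/profile")  # run against a real profile directory
```

Disabling PDF.js is a stop-gap; the patched browser version is the real fix, so an audit that finds `pdfjs_disabled` true should still be paired with a version check.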


Indicators of Compromise

A partial list of compromised servers:








Servers used in attack:

maxcdnn[.]com (

acintcdn[.]net (

google-user-cache[.]com (

Hashes (MD5):






Credit:  Anton Cherepanov

DynamoRIO | Runtime Code Manipulation System

About DynamoRIO

DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.

DynamoRIO’s powerful API abstracts away the details of the underlying infrastructure and allows the tool builder to concentrate on analyzing or modifying the application’s runtime code stream. API documentation is included in the release package and can also be browsed online.



Downloading DynamoRIO

DynamoRIO is available free of charge as a binary package for both Windows and Linux. DynamoRIO’s source code is available under a BSD license.



DynamoRIO Website:




Critical vulnerability in NetUSB driver exposes millions of routers to hacking


Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them.

The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more.

NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients.

Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service.

Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices with the highest possible privilege, the Sec Consult researchers said in a blog post Tuesday.

Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port.

Sec Consult has confirmed the vulnerability in the TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500 routers. However, after scanning firmware images from different manufacturers for the presence of the NetUSB.ko driver, they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable.

The researchers also found references to 26 vendors in the NetUSB.inf client driver for Windows, so they believe many other vendors might also have vulnerable products. They’ve alerted the CERT Coordination Center (CERT/CC), the German CERT-Bund and Austrian CERT, who are working to notify the vendors.

On some devices it’s possible for users to disable the feature from the Web-based administration interface or to block access to the port using the firewall feature. However, on some devices, like those made by Netgear, this is not possible, the researchers said.



Many devices likely expose the NetUSB service to the local area network only, but there might be implementations that expose it to the Internet as well. Even when restricted to the local network only, the vulnerability still poses a high risk, because attackers can potentially exploit it if they compromise any computer from the local network or if they gain access to the network in some other way—for example, due to weak or no wireless password.
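Since the article says the only workable mitigations on many devices are disabling the feature or blocking the port, a practitioner will want to confirm whether the NetUSB port is actually reachable. The following Python snippet is an added example (not SEC Consult's code): it only tests TCP reachability of port 20005 and does not speak the NetUSB protocol; the addresses in the usage line are placeholders for your own devices.

```python
"""Check whether devices answer on the NetUSB service port (TCP 20005).

Added example, not SEC Consult's code. It tests only reachability of the
port named in the article; a refused or filtered connection means the
service is not exposed to this network position, an accepted one means it is.
"""
import socket

NETUSB_PORT = 20005  # port the NetUSB driver listens on, per the article


def port_reachable(host, port=NETUSB_PORT, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def netusb_exposure(hosts, port=NETUSB_PORT, timeout=1.0):
    """Map each host to whether the NetUSB port accepted a connection."""
    return {host: port_reachable(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 documentation range): replace with your
    # own router and any other LAN devices you administer.
    results = netusb_exposure(["192.0.2.1", "192.0.2.254"], timeout=0.5)
    for host, exposed in results.items():
        state = "NetUSB port OPEN - disable the USB-sharing feature or block the port" if exposed else "closed/filtered"
        print(f"{host}: {state}")
```

Run it from inside the LAN and, separately, from outside (for example from a mobile connection against the router's public address) to learn which of the two exposure cases the article describes applies to a given device.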

As far as the Sec Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products.

TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment.

This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years.

“It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level,” said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year.

The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. “For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle].”



Credit: Lucian Constantin

Critical SSL Vulnerability Leaves 25,000 iOS Apps Vulnerable to Hackers

A critical vulnerability residing in AFNetworking could allow an attacker to cripple the HTTPS protection of 25,000 iOS apps available in Apple’s App Store via man-in-the-middle (MITM) attacks.
AFNetworking is a popular open-source code library that lets developers drop networking capabilities into their iOS and OS X products. But it fails to check the domain name for which the SSL certificate has been issued.
Any Apple iOS application that uses an AFNetworking version prior to the latest version, 2.5.3, may be vulnerable to the flaw, which could allow hackers to steal or tamper with data even if the app is protected by the SSL (secure sockets layer) protocol.


Use any SSL Certificate to decrypt users’ sensitive data:
An attacker could use any valid SSL certificate for any domain name in order to exploit the vulnerability, as long as the certificate was issued by a trusted certificate authority (CA), something you can buy for $50.

“This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet,” reports SourceDNA, a startup company that provides code analysis services.

Like, for example, I can pretend to be ‘‘ just by presenting a valid SSL certificate for ‘
The vulnerability, which is estimated to affect more than 25,000 iOS apps, was discovered and reported by Ivan Leichtling from Yelp.
AFNetworking fixed the issue in its latest release, 2.5.3; the previous release, 2.5.2, had addressed a separate SSL-related vulnerability but not this one.


Version 2.5.2 Failed to Patch the issue:
Previously it was believed that the release of AFNetworking 2.5.2 had eliminated the lack of SSL certificate validation, an issue that allowed hackers with self-signed certificates to intercept the encrypted traffic from vulnerable iOS apps and view the sensitive data sent to the server.
However, even after that vulnerability was patched, SourceDNA scanned iOS apps for vulnerable code and found a number of them still vulnerable to the flaw.


Therefore, anyone with a man-in-the-middle position, such as a hacker on an unsecured Wi-Fi network, a rogue employee inside a virtual private network, or a state-sponsored hacker, presenting their own CA-issued certificate can monitor or modify the protected communications.
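To make the missing check concrete, here is an added Python example (not AFNetworking's or SourceDNA's code) that models the two checks a TLS client must make: is the certificate chain trusted, and was the certificate issued for the host the app meant to talk to. It uses the certificate dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed certificates for a hypothetical bank API and an attacker-controlled domain; the `trusted` flag stands in for a chain that verified against the system CA store, and no CA validation is actually performed here.

```python
"""Why hostname validation matters: a trusted-CA check alone is not enough.

Added example, not AFNetworking's or SourceDNA's code. The certificates below
are constructed dictionaries in the shape ssl.getpeercert() returns; the
'trusted' argument represents a chain that already verified against the
CA store, which is the only check the flawed policy performed.
"""


def _label_matches(pattern, label):
    # A wildcard is honoured only as the entire left-most label (RFC 6125 style):
    # "*.bank.example" matches "login.bank.example" but not "bank.example"
    # or "a.b.bank.example".
    return pattern == "*" or pattern == label


def hostname_matches(expected_host, cert_name):
    """Case-insensitive DNS-name match allowing one left-most wildcard label."""
    host_labels = expected_host.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False
    if "*" in cert_labels[1:] or any("*" in lab and lab != "*" for lab in cert_labels):
        return False  # partial ("w*") or non-leading wildcards are rejected
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def cert_dns_names(cert):
    """Names the certificate was issued for: SAN DNS entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def accept_peer_no_domain_check(expected_host, cert, trusted):
    """The flawed policy: any certificate from a trusted CA is accepted,
    regardless of which domain it was issued for."""
    return trusted


def accept_peer(expected_host, cert, trusted):
    """Correct policy: trusted chain AND a name on the certificate matches the host."""
    return trusted and any(hostname_matches(expected_host, n) for n in cert_dns_names(cert))


# Constructed certificates (hypothetical domains, ssl.getpeercert() layout).
BANK_CERT = {
    "subject": ((("commonName", "api.bank.example"),),),
    "subjectAltName": (("DNS", "api.bank.example"), ("DNS", "*.bank.example")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "cdn.attacker.example"),),),
    "subjectAltName": (("DNS", "cdn.attacker.example"),),
}

if __name__ == "__main__":
    target = "api.bank.example"
    for label, cert in (("bank cert", BANK_CERT), ("attacker's CA-issued cert", ATTACKER_CERT)):
        print(f"{label}: flawed policy accepts={accept_peer_no_domain_check(target, cert, True)}"
              f", correct policy accepts={accept_peer(target, cert, True)}")
```

The attacker's certificate is perfectly valid and trusted; the flawed policy accepts it for the bank's API host, while the hostname check rejects it. That is exactly the gap a $50 certificate for an unrelated domain exploits.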


Apps from Big Developers found to be vulnerable. SERIOUSLY?
In a quick check for iOS products with domain name validation turned off, the security company found apps from major developers, including Bank of America, Wells Fargo, and JPMorgan Chase, likely to be affected.
SourceDNA also said that the iOS apps from top developers such as Yahoo and Microsoft, meanwhile, remained vulnerable to the HTTPS-crippling bug.
Prevention against the flaw:
To prevent hackers from exploiting the vulnerability, SourceDNA has not disclosed the list of vulnerable iOS apps.
However, the company advised developers to integrate the latest AFNetworking build (2.5.3) into their products in order to enable domain name validation by default.
SourceDNA is also offering a free check tool that could help developers and end users check their apps for the vulnerability.


Meanwhile, iOS users are advised to immediately check the status of the apps they use, especially those that handle bank account details or other sensitive information.
Until the developers of vulnerable apps release an update, users should avoid using any vulnerable version of those apps.


Russian hacking group CozyDuke responsible for attack on White House

A group of Russian hackers known as CozyDuke has been identified as being responsible for a sustained cyber attack against the White House.

Researchers at Russian-based Kaspersky Lab have published their latest findings about the advanced persistent threat (APT) actor known as CozyDuke, and while the security firm has stopped short of explicitly attributing blame to any one country, corroborating evidence indicates that the Russian government is behind attacks on the White House and the Department of State – something US officials had previously claimed.

When initially reported in October US officials said no sensitive information had been accessed, but in April, sources at the White House said the hackers had gained access to President Obama’s schedule which, while not classified, is seen as highly prized by foreign intelligence agencies.

The group, also known as CozyBear, CozyCar or “Office Monkeys”, has been linked by Kaspersky Lab to other APT groups – OnionDuke, MiniDuke and CosmicDuke – which have previously been linked to the Russian government.

In July 2014, CosmicDuke was revealed as a state-sponsored malware campaign targeting users in Ukraine as part of Russia’s on-going cyber-espionage campaign. The command-and-control communication methods used by CozyDuke are similar to those used in the CosmicDuke attacks, according to Kaspersky Lab.

The researchers add that parts of the CozyDuke malware have been built on the same platform as OnionDuke and MiniDuke, both of which are believed to be groups of Russian hackers operating at the behest of the Russian government.



Office Monkeys LOL

Last year it was reported that hackers had shut down the email system of the Executive Office of the President, with White House officials claiming the attack was state-sponsored; three months later the attackers were still present on the non-classified network.


Kaspersky says the group goes after “blatantly sensitive high profile victims and targets” utilizing “evolving crypto and anti-detection capabilities”.

The main attack vector was spear phishing campaigns some of which contain links to high profile, legitimate websites such as “” which hosted a Zip archive.

Once downloaded the extracted Zip archive contains a file which installs the malware as well as a decoy file showing an empty PDF.

Another “highly successful” attack saw the hackers send a phony Flash video attached to the phishing emails, one of which was a video called “Office Monkeys LOL”. When the victim clicks on the link the video plays, but in the background the malware is installed on the system.


Kaspersky Lab has published reports on alleged electronic espionage by the U.S., Israel, and the U.K.—but hasn’t looked as aggressively at Russia

Kaspersky Lab sells security software, including antivirus programs recommended by big-box stores and other U.S. PC retailers. The Moscow-based company ranks sixth in revenue among security-software makers, taking in $667 million in 2013, and is a favorite among Best Buy’s Geek Squad technicians and reviewers on Founder and Chief Executive Officer Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence, and in 2007, one of the company’s Japanese ad campaigns used the slogan “A Specialist in Cryptography from KGB.” The sales tactic, a local partner’s idea, was “quickly removed by headquarters,” according to Kaspersky Lab, as the company recruited senior managers in the U.S. and Europe to expand its business and readied an initial public offering with a U.S. investment firm.



In 2012, however, Kaspersky Lab abruptly changed course. Since then, high-level managers have left or been fired, their jobs often filled by people with closer ties to Russia’s military or intelligence services. Some of these people actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software, say six current and former employees who declined to discuss the matter publicly because they feared reprisals.
This closeness starts at the top: Unless Kaspersky is traveling, he rarely misses a weekly banya (sauna) night with a group of about 5 to 10 that usually includes Russian intelligence officials.


Kaspersky says in an interview that the group saunas are purely social: “When I go to banya, they’re friends.” Kaspersky says government officials can’t associate his company’s data with individual customers and that he hasn’t had to worry about increased pressure to demonstrate loyalty to Vladimir Putin. “I’m not the right person to talk about Russian realities, because I live in cyberspace,” he says.


Nonetheless, while Kaspersky Lab has published a series of reports that examined alleged electronic espionage by the U.S., Israel, and the U.K., the company hasn’t pursued alleged Russian operations with the same vigor. In February, Kaspersky Lab researchers released a remarkably detailed report about the tactics of a hacker collective known as the Equation Group, which has targeted Russia, Iran, and Pakistan, and which cybersecurity analysts believe to be a cover for the U.S. National Security Agency.


Kaspersky Lab hasn’t issued a similar report about Russia’s links to sophisticated spyware known as Sofacy, which has attacked NATO and foreign ministries in Eastern Europe. Sofacy was reported on last fall by U.S. cybersecurity company FireEye. While Kaspersky Lab is the most prominent cybersecurity business with close ties to the Russian government, that affinity with the country’s spooks reflects a yearslong shift by security companies toward choosing sides.


Most major security-software makers work with the U.S. in some capacity. Any government relationships can make a company’s products harder to sell in a paranoid global marketplace, says Rick Holland, principal analyst of security and risk management for Forrester Research. “It’s a challenge for any security company out there,” Holland says. “What are your ties to government?” Kaspersky Lab’s ties dramatically increased after two waves of executive departures, say four of the former insiders.


The first came in 2012, after Kaspersky scotched an IPO partnership with Greenwich (Conn.) investment firm General Atlantic. Afterward, Chief Business Officer Garry Kondakov circulated an internal e-mail saying that from then on, the company’s highest positions would be held only by Russians, say two people who saw the e-mail. Board meetings, once conducted in English, were now in Russian.


The company denies that the e-mail was ever sent. In 2014, after a handful of senior managers, including Chief Technology Officer Nikolay Grebennikov and North American President Steve Orenberg, asked Kaspersky to consider appointing a new CEO and retaining only the chairmanship of the company, he fired them.


Chief Legal Officer Igor Chekunov, who regularly joins Kaspersky’s banya nights, is the point man for the company’s work with the Russian government, three of the insiders say. Since 2013 he has managed a team of 10 specialists who study data from customers who have been hacked and provide technical support to the FSB and other Russian agencies. The team can access data directly from any of the company’s systems.


While Kaspersky Lab’s managing director for North America, Christopher Doggett, says its data are anonymous, two people familiar with the technology say it can be altered to gather identifying information from individual computers and has been used to aid the FSB in investigations. Chekunov had no biography on the company website prior to a query from Bloomberg Businessweek.


Spokeswoman Sarah Kitsos says he served as a policeman after working in the KGB’s border patrol. FireEye shows how these relationships work in the U.S. The company was guided early on by the CIA, which uses its technology and for years maintained a stake in the company through the agency’s investment arm, In-Q-Tel. FireEye has revealed Chinese and Russian hacking but has yet to do a major report calling out spying by the U.S. Although FireEye CEO David DeWalt praised Kaspersky Lab’s Equation Group report, he wouldn’t say whether his company is researching the group. “Is it any mystery what origins they have and who probably fed them these information sources?” he says. “You look at all of that, and you just go, ‘Hey, this is the reality we’re in now.’ ”


In head-to-head tests, Kaspersky Lab’s software still performs well against competitors. “The techies love us,” Doggett says. But the ruble’s slide will likely dent the company’s 2014 earnings, which it posts in dollars online. More important, Kaspersky has struggled to win federal U.S. contracts. “There’s a cyber isolationism that’s definitely emerging,” says Holland, the Forrester analyst. “They have to overcome any perceived or actual alliances.”


The bottom line: Popular security-software maker Kaspersky Lab has close ties to Russian military and intelligence officials. (Updated first paragraph to clarify that Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence.)




Credit: David Gilbert, Carol Matlack, Michael A Riley and Jordan Robertson

MongoDB phpMoAdmin GUI Tool Zero-day Vulnerability Puts Websites at Risk


About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again, users of the MongoDB database are at risk because of a critical zero-day vulnerability making the rounds on the underground market.

MongoDB, one of the leading NoSQL databases, is an open-source database used by companies of all sizes, across all industries for a wide variety of applications. By leveraging in-memory computing, MongoDB provides high performance for both reads and writes.


A hacker known by the online moniker “sp1nlock” has found a zero-day vulnerability in ‘phpMoAdmin’, a free, open-source, PHP-based, AJAX-driven MongoDB GUI (graphical user interface) administration tool that lets you easily manage the noSQL database MongoDB.
According to multiple posts on underground exploit-selling forums, phpMoAdmin is vulnerable to a zero-day remote code execution flaw that allows an unauthorized remote user to hijack websites running the phpMoAdmin tool.

At the time of writing, we do not know whether the phpMoAdmin developers are aware of this zero-day vulnerability, but the exploit is already for sale on underground exploit forums and has already been verified by the market administrators that — It Works!
It is possible that a number of buyers and hackers already have access to the phpMoAdmin zero-day exploit and, unfortunately, there is no patch yet available for thousands of vulnerable websites.



In order to protect yourself, users of the MongoDB database are recommended to avoid using phpMoAdmin until the developer team releases a patch for the zero-day remote code execution vulnerability.
As an alternative to phpMoAdmin, you can make use of other free MongoDB GUI tools, as follows:
  • RockMongo – A Powerful MongoDB GUI Tool
  • MongoVUE – A Desktop based MongoDB GUI Tool
  • Mongo-Express – A well featured MongoDB GUI Tool
  • UMongo – A Decent MongoDB GUI Tool
  • Genghis – A lightweight MongoDB GUI Tool
However, if you don’t want to replace your phpMoAdmin file, then the simplest approach would be to restrict unauthorized access with an .htaccess password, i.e. create ‘.htpasswd’ authentication for the folder containing the “moadmin.php” file.


Credit: thn


Hackers Can Remotely Install Malware Apps to Your Android Device


Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices.

Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that an X-Frame-Options (XFO) vulnerability – when combined with a recent Android WebView (Jelly Bean) flaw – creates a way for hackers to quietly install any arbitrary app from the Play store onto a victim’s device, even without the user’s consent.

The vulnerability affects users running Android version 4.3 Jelly Bean and earlier versions of Android that no longer receive official security updates from the Android security team for WebView, a core component used to render web pages on an Android device. Users who have installed third-party browsers are also affected.
According to the researcher, the web browser in Android 4.3 and prior is vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.


In UXSS attacks, client-side vulnerabilities are exploited in a web browser or browser extensions to generate an XSS condition, which allows the malicious code to be executed, bypassing or disabling the security protection mechanisms in the web browser.

“Users of these platforms may also have installed vulnerable aftermarket browsers,” Beardsley explains in a blog post on Tuesday. “Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable.”

At the beginning of this month, a Universal Cross Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that allows malicious hackers to inject malicious code into users’ websites and steal cookies, session and login credentials.
The security researcher demonstrated, with JavaScript and Ruby code, that a response from the domain can be generated without the appropriate XFO header.


A Metasploit module has been created and made public on GitHub to help enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, remote code execution is achieved by leveraging two vulnerabilities on affected Android devices:
  • First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser), as well as some other browsers, prior to 4.4 (KitKat).
  • Second, the Google Play store’s web interface fails to enforce an X-Frame-Options: DENY header on some error pages and can therefore be targeted for script injection. This leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.

Users can mitigate the vulnerability in two ways:
  • Use a web browser that is not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox or Dolphin. This could help mitigate the lack of universal X-Frame-Options (XFO) for the domain.
  • Another effective way is simply to log out of the Google Play store account, although this practice is unlikely to be adopted by most users.
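The server-side gap here is a response, on some error pages, without an X-Frame-Options: DENY header. The following Python audit is an added example (not Rapid7's module): it classifies captured HTTP response headers by the frame protection they carry, covering the X-Frame-Options header the article names and the Content-Security-Policy frame-ancestors directive that modern browsers honour in its place. The sample responses, including an error page missing the header, are constructed, not captured from any real site.

```python
"""Audit HTTP responses for clickjacking / framing protection.

Added example, not Rapid7's module. The header names are real; the sample
responses below are constructed to mirror the gap the article describes:
a protected main page next to an error page that forgot the header.
"""


def framing_policy(headers):
    """Classify one response's frame protection from its headers.

    Header names are matched case-insensitively. Returns one of:
    'denied', 'sameorigin', 'restricted' (CSP allows specific origins),
    or 'allowed' (no protection at all, i.e. any site can frame it).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = lower.get("content-security-policy", "")
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options
    # in browsers that support it, so it is evaluated first.
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "sameorigin"
            return "restricted"
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "allowed"


def frameable_responses(responses):
    """Return the paths whose responses a third-party page could embed in a frame.

    `responses` maps a request path to (status_code, headers_dict).
    """
    return [path for path, (_status, headers) in responses.items()
            if framing_policy(headers) == "allowed"]


# Constructed sample: a protected listing page, an error page that lacks the
# header (the pattern the article describes), and a CSP-protected account page.
SAMPLE_RESPONSES = {
    "/app/listing": (200, {"X-Frame-Options": "DENY", "Content-Type": "text/html"}),
    "/app/listing?id=does-not-exist": (404, {"Content-Type": "text/html"}),
    "/account": (200, {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
}

if __name__ == "__main__":
    for path in frameable_responses(SAMPLE_RESPONSES):
        status = SAMPLE_RESPONSES[path][0]
        print(f"frameable (status {status}): {path}")
```

Because error pages are generated by a different code path, an audit that only fetches a site's normal pages will miss exactly the responses that mattered here; feed the function responses for malformed requests too.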



Credit: thehackernews

Exploit Pack – Open Source Security Project for Penetration Testing and Exploit Development


Exploit Pack is an open source GPLv3 security tool, which means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well, but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc.


Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks against real corporate clients.


Video demonstration of the latest Exploit Pack release:


More than 300+ exploits
Military grade professional security tool
Exploit Pack comes into the scene when you need to execute a pentest in a real environment; it will provide you with all the tools needed to gain access and persist through the use of remote reverse agents.


Remote Persistent Agents
Reverse a shell and escalate privileges
Exploit Pack will provide you with a complete set of features to create your own custom agents; you can include exploits or deploy your own personalized shellcodes directly into the agent.


Write your own Exploits
Use Exploit Pack as a learning platform
Quick exploit development: extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python Editor, modded to fulfil the needs of an exploit writer.