
Evil Colon Attacks: A Quick Guide


The high-tech era has made new cyber attacks appear more often than social media trends. One such rapidly evolving threat is the Evil-Colon attack, which shares similarities with Poison-NULL-Byte attacks. Although Poison-NULL-Byte attacks no longer work, it has been suggested that, if handled inappropriately, they could have led to new forms of hacking and malware on your systems.

In one of his articles, Leon Juranic, a security researcher at Mend, detailed his encounter with the Evil-Colon attack. He mentioned that while auditing source code he discovered a case where an Evil-Colon could be used to evade the path sanitization process. Using this novel strategy, threat actors were able to exploit vulnerabilities in applications running on Windows operating systems. The analysis concluded that, as Evil-Colon is an issue specific to Windows-based services, it is most likely to affect Windows servers.

When applications or servers perform path-based operations, such as forming a file path from user input, the information stored in that file can be modified by external code flows, which can cause severe security issues such as arbitrary data injection. Leon illustrated how Evil-Colon works using the source code of an example Java application, WriterFile.jsp.

He explained that Evil-Colon works by creating a file in a directory where the sanitization step appends .txt to new file names. By passing a colon character at the end of the user's input, the file gets created as an Alternate Data Stream with an arbitrary file extension.

The file is later created in the directory again, but because a colon character was added at the end of the filename, the rest of the filename string was stripped off into an Alternate Data Stream, and the file is recreated with the .jsp extension.

He further described how being able to alter files created earlier in the application workflow can lead to serious security threats. When malicious actors can edit existing files later in the code, they can also modify the .jsp file's content into anything they want. Searching the modified file in depth, you will find a string named EVIL-CONTENT.

Leon concluded his example by warning that, in real-world scenarios, JSP webshell scripts can allow threat actors to remotely execute code on vulnerable servers or applications.

To protect your files and data from Evil-Colon attacks, remove colon characters from any possible path operation. Colon characters can be eliminated using filters, string check operations, and similar measures.
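The following Java class is an added example written for this guide; it is not Leon Juranic's WriterFile.jsp nor code from Mend. It contrasts the weak pattern the article describes (trust the user-supplied name, append .txt) with a hardened version that allow-lists the characters a file name may contain, so a colon can never reach the file system and never turn the appended extension into an Alternate Data Stream. The class name, the upload directory under java.io.tmpdir and the sample inputs are all assumptions made for the demo.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Added example: file-name handling for a Windows-hosted web app (not the article's WriterFile.jsp). */
public final class SafeFileName {

    // Assumed upload directory for the demo; any directory the application owns would do.
    private static final Path BASE_DIR =
            Paths.get(System.getProperty("java.io.tmpdir"), "uploads").toAbsolutePath().normalize();

    // Allow-list: letters, digits, underscore and hyphen only, 1 to 64 characters.
    // A colon cannot pass this check, so no name can become an Alternate Data Stream
    // (on NTFS a name such as "page.jsp:.txt" refers to the stream ".txt" of the file "page.jsp").
    // Dots are excluded too: the application, not the user, decides the extension.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Reconstruction of the weak pattern the article describes: trust the input, append ".txt". */
    public static String weakName(String userInput) {
        return userInput + ".txt";
    }

    /** Hardened version: reject anything outside the allow-list, then append ".txt". */
    public static String safeName(String userInput) {
        if (userInput == null || !ALLOWED.matcher(userInput).matches()) {
            throw new IllegalArgumentException("file name rejected: " + userInput);
        }
        return userInput + ".txt";
    }

    /** Second layer: resolve under BASE_DIR and confirm the normalized path still lies inside it. */
    public static Path resolveUnderBase(String userInput) throws IOException {
        Path target = BASE_DIR.resolve(safeName(userInput)).normalize();
        if (!target.startsWith(BASE_DIR)) {
            throw new IOException("resolved path escapes base directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, the trailing-colon case the article describes,
        // a traversal attempt, and a name carrying its own extension.
        String[] samples = { "report", "page.jsp:", "..\\..\\webroot\\x", "notes.txt" };
        for (String s : samples) {
            System.out.println("input     : " + s);
            System.out.println("  weak    : " + weakName(s));
            try {
                System.out.println("  safe    : " + resolveUnderBase(s));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("  safe    : REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `javac SafeFileName.java && java SafeFileName`. Only "report" survives the hardened path; the other three are rejected before any file is touched. An allow-list is preferred over merely stripping colons because it also excludes the path separators, dots and other characters that Windows path handling treats specially, whereas a deny-list has to enumerate every such case correctly. The base-directory check is a second, independent layer: even if the allow-list were later relaxed, a name that normalizes outside BASE_DIR is still refused.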

First Anniversary of Null Chennai Chapter


Hello EHN Readers, this month the Null Chennai Chapter completes one year. So let us celebrate at this month's meeting. We need maximum attendance to celebrate it.


Null Chennai Monthly Meet is Scheduled on 25th August 2012.

Notice : Venue Changed


Topics :
1) NullCon HackIM – How we didn’t win By Ajith & Dev
2) Burp Suite By Sukesh Reddy
3) News Bytes – Punit Gupta

Date : 22nd September,2012
Time : 3.00pm to 5.00 pm

Venue :
ThoughtWorks Technologies (India) Pvt Ltd.
Ascendas International Tech Park
Zenith – 9th Floor
Tharamani Road
Tharamani
Chennai – 600 113, India
For any issues regarding Venue or Meet Contact :niteshbetala [ at ] gmail [ dot] com or Call @ 9941576747

Don't miss the fun..!

14th July 2012 null Bangalore Monthly Meetup

null meetup on Saturday 14th July 2012 starting at 09:30 AM. No registrations, no fees, just come with an open mind :)

The Bangalore meet, as usual, is divided into 2 parts, the monthly
talks and the Training on Reverse Engineering. The Reverse Engineering
training will start at 12:30 PM by the SecurityXploded/Garage4Hackers
team.

The schedule for this months meet is as outlined below:

  • 09:30 - 10:10: Hands on Web Application Security: Mutillidae - Vulnerable Web App - Satish
  • 10:10 - 10:25: Introductions
  • 10:25 - 11:05: Burpsuite for Beginners - Saran
  • 11:05 - 11:20: Networking
  • 11:20 - 12:00: Basics of IDS/IPS - Pravin
  • 12:00 - 12:20: Feedback & Topic discussion for next monthly meet
  • 12:20 - 12:30: Break
  • 12:30 - 01:50: Advanced Malware Analysis - Monnappa

VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.
Map Location: http://g.co/maps/dahhv
Parking is available in the building. See you there.

16th June 2012 null Bangalore Monthly meetup

Hi All,

We will have this month's null/OWASP/Garage4hackers/SecurityXploded
Bangalore meetup on Saturday 16th June 2012 starting at 10:00 AM. No
registrations, no fees, just come with an open mind :)

The Bangalore meet, as usual, is divided into 2 parts, the monthly
talks and the Training on Reverse Engineering. The Reverse Engineering
training will start at 12:45 PM by the SecurityXploded/
Garage4Hackers team.

Also, as discussed in the last month's meet, we will have a basic 30
minute primer on SQL Injection by Satish at 9:30 AM, before the main
talks begin at 10:00 AM. All those who would be interested to learn,
understand the basics of SQL Injection and to watch some cool demos
are requested to be present at 9:30 AM.

TALKS
1. News Bytes - Sumeer
2. JavaScript Obfuscation - Prasanna
3. SSL VPNs - Rajesh

12:45 PM onwards:
4. Practical Reversing: Part3 - Memory Forensics - Monnappa


VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.

Map Location: http://g.co/maps/dahhv

Parking is available in the building. See you there.

Null Chennai Chapter monthly meet on 19th May ,2012

Hey Guys ,

We have scheduled our null+g4h Chennai Chapter Monthly Meet on 19th May,2012.

Topics:
1) Exploits - Ahmed
2) IronWASP - Lava Kumar
3) News Byte & Symbolic Linking - Santhosh Kumar


Date :
19th May,2012 (Saturday).

Time :
4:00 - 7:00 p.m

Venue:
OrangeScape,
No.305, D-Block, North Wing,
Tidel Park, Dr.Rajiv Gandhi Salai,
Taramani, Chennai- 600113
044 3068 6500

For any issues regarding Venue or Meet Contact :niteshbetala [ at ] gmail [ dot] com or Call @ 9941576747

Null Mumbai Chapter meet on 26th April,2012

Null, the Open Security Community, has scheduled the Mumbai chapter meet on 26th April, 2012.

The agenda for the meet would be as follows:

1) Rootkit Internals by Omkar Pardeshi

-Types of malware - Introduction to the types of malware. Basics of viruses, worms and Trojans.

-Tools used to analyze malware

-Introduction to Rootkits - Where rootkits stand in the current scenario.

-Working of Rootkits - Details of how rootkits work.

-Protection against Rootkits - Ways of protection available against rootkit attacks.

-Effectiveness of current AV software - How AV software can prevent rootkit attacks.

Omkar has about 1.4 years of experience working as a Malware Analyst and Driver Developer. He also maintains the following security blogs:

http://hackerslabrotary.blogspot.com

http://indiancybercell.blogspot.com

http://vxanalyst.blogspot.com

2) Leveraging OSINT in Penetration Testing by Ashish Mistry

As a Penetration Tester or Security Auditor it is necessary to identify as much attack surface as possible. We can obtain this result by leveraging publicly exposed information. OSINT helps a penetration tester identify larger attack surfaces. We shall also look into ways to fix this. We shall see demonstrations of information gathering which an attacker may use against real world targets.

Ashish is an independent information security researcher and trainer. He is the founder and owner of www.Hcon.in, an infosec resources and tools portal, and the author of HconSTF, an open source penetration testing framework.

Max. session duration:

45 mins.

Venue:

M/s Institute of Information Security,

201, Ecospace Building, Off Old Nagardas Road,

Mogra-Pada,

Near Andheri Subway/Station,

Andheri (East)

(Google Map Link: http://g.co/maps/e4jzr)

Time:

6:30 PM onwards

Contact No:
+91-9819643034 (Wasim Halani)



Null Bangalore Meet Scheduled on 21st April 2012


Hi All,

We will have this month's null/OWASP/Garage4hackers/SecurityXploded Bangalore meetup on Saturday 21st April 2012 starting at 10.00 AM. No registrations, no fees, just come with an open mind :)

The Bangalore meet, as usual, is divided into 2 parts, the monthly talks and Training on Reverse Engineering. The Reverse Engineering training will start at 12:45 PM by the SecurityXploded/ Garage4Hackers team. The RE training for this month is completely hands-on and everyone is required to get their laptops fully charged for the exercises.

Also, we have a guest speaker from the US, Mr. Arshad Noor, who is also a speaker at the ongoing OWASP AppSec AsiaPac 2012, Sydney - Australia, who will be talking about RC3 - Regulatory Compliant Cloud Computing.

TALKS
1. Believe it or not SSL Attacks - Akash Mahajan
2. News Bytes - Satyendra
3. RC3 - Regulatory Compliant Cloud Computing - Arshad Noor

4. Practical Reversing & Unpacking Part 1 - Harsimran & Nagershwar


VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.

Map Location: http://g.co/maps/dahhv

Parking is available in the building.

NB: As discussed in the last month's meet, we will have a basic 30 minute primer on Cross Site Request Forgery by Satish at 9:30 AM, before the main talks begin at 10:00 AM. All those who would be interested to learn, understand the basics of CSRF and to watch some cool demos are requested to be present at 9:30 AM.

Regards,
karniv0re

Null Pune meet scheduled on 21st April 2012



Null Team has scheduled the next Pune monthly meet on 21st April, 2012. As usual, there is no registration.

Here is the Agenda for the meet :

  •  Explaining DDoS: by Rohit Verma
  •  Recovering PDF Encryption Key: by Akib Sayyed

Venue :
Room No. 704, 7th Floor,
Atur Center, SICSR,
Gokhale Cross Road, Model Colony,
Pune.


Timings :
1700 Hrs to 1900 Hrs

For any more queries or if anyone is interested in giving a talk drop us a mail at
ppush_at_null_dot_co_dot_in /// corrupt_at_null_dot_co_dot_in /// void_at_null_dot_co_dot_in

regards
push - Moderator, null Pune Chapter

Null-Chennai Chapter rescheduled on 31st march,2012


We have rescheduled the Null-Chennai monthly meet to 31st March, 2012. Sorry for not holding it on the date discussed: due to the unavailability of both the speaker and the venue, we were not able to make it on 24th March.

Speaker :
1) The Art of UI-Redressing - Ahmed Nafeez.
2) News Byte - Sukesh Reddy.
3) IronWASP - Lava Kumar.

Venue:
OrangeScape
No.305, D-Block, North Wing, Tidel Park, Dr.Rajiv Gandhi Salai, Taramani, Chennai- 600113
044 3068 6500
Time : 4.00 pm - 6.00pm
If you have any queries, feel free to contact Nitesh Betala.
Mail id: niteshbetala[at]gmail[dot]com or null[at]null[dot]co[dot]in
Nitesh Betala, Ph: +9941576747

NULL Mumbai Chapter meet on 29th March, 2012


NULL, Open security community, has scheduled the Next NULL Mumbai chapter meet on 29th March, 2012, Thursday. As usual, there are NO FEES to attend the meet.

The agenda for the meet:

1) Know Your Activities - IT ACT, 2000 perspective by Vicky Shah:
-Introduction
-Terminology as per IT ACT
-Approach to Info Security
-Due Diligence
-43A - Reasonable Security Practices
-Approach to Due Diligence

Vicky Shah is the Founder and Principal Consultant of The Eagle Eye. He has 7+ years of experience in the Information Security domain specializing in Cyber Security, Cyber Crime Investigations, Cyber Law and Cyber Forensics.
Vicky is an ACE(Accessdata Certified Examiner) and ISMS-ISO27001 Lead Auditor.

2) XML Interfaces to the Popular Nessus Scanner by Rajesh Deo:
The modern Nessus scanner comes with an XML-RPC interface
to control the built-in scanner engine. We review available command-line
tools and programming libraries to automate scanning of large networks.
We will demonstrate some tools we have developed for this purpose.

Rajesh Deo is a Security Analyst with NII Consulting.
He has recently completed his CISSP certification. He is interested
in programming, automation of VA/PT scans and web services.


Venue:
1st Floor, Directiplex, Old Nagardas Road, Next to Andheri Subway, Andheri East
(Google Map Link: http://g.co/maps/5gt23)

Time:
6:30 PM onwards

If you have any queries about the meet, you can contact Wasim Halani(+91-9819643034)

Call For Paper : Null Delhi Chapter March 2012


 
Null Delhi Chapter March meet is approaching. The Call For Paper (CFP) is open for speakers interested in sharing their presentation/white paper with community members.

Topics from all security disciplines are welcome but we encourage you to present talks about the following topics/concepts:
  • Malware Research
  • Reverse Engineering
  • Mobile computing and communications
  • Privilege Escalation & Exploitation Techniques
Send your papers to this mail address "ishan.inbox@gmail.com" for nominations.

Null Bangalore meeting scheduled on 10th March 2012


Null, The Open Security Community, has scheduled the next Bangalore meeting on 10th March 2012 starting at 10.00 AM. As usual, there is no registration and no fees.

The meeting is divided into two parts: the first is the monthly talks and the second is Training on Reverse Engineering. The Reverse Engineering training will start at 12:45 PM by the SecurityXploded/Garage4Hackers team.

The monthly talks cover News Bytes (Riyaz), Hack IM CTF part 2 (Himanshu), Computer image acquisition (Nithin), Believe it or not SSL attacks (Akash), and Reversing tools guide (Swapnil).


VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.

Map Location: http://g.co/maps/dahhv

Parking is available in the building.

Null+G4H Chennai Meet on 25th Feb,2012


The next Null Chennai Meet is scheduled on 25th Feb, 2012. null is an open security community for ethical hackers, security professionals and security enthusiasts. It was founded by Aseem Jakhar in Jan 2008.


Topics:
1) PDF Exploits – Tamaghna Basu
2) Metasploit 101 – Dayal
3) News Byte – Ajith

Date :
25th Feb,2012 (Saturday).

Time :
4:00 – 6:00 p.m

Venue:
OrangeScape,
No.305, D-Block, North Wing,
Tidel Park, Dr.Rajiv Gandhi Salai,
Taramani, Chennai- 600113
044 3068 6500

For any issues regarding Venue or Meet Contact :niteshbetala [ at ] gmail [ dot] com or Call @ 9941576747
NULL.co.in

Null Bangalore meeting on 4th Feb 2012, Reverse Engineering from securityxploded

null/OWASP/Garage4hackers/securityxploded Bangalore meetup on Saturday 4th Feb 2012 starting at 10.00 AM. No registrations, no fees, just come with an open mind :)

Meet is divided into 2 parts,
  • The monthly talks
  • Training on Reverse Engineering. 
The Reverse Engineering training will start at 12:45 PM by the SecurityXploded/Garage4Hackers team.

TALKS
1. News Bytes:- Ajan
2. Null HackIM CTF Walkthrough - Part 1 by Himanshu
3. FTK basics:- Abhishek basu
4. Assembly Basics- Amit Malik and Swapnil

VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.

Map Location: http://g.co/maps/dahhv

Parking is available in the building.