▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Termux-Webpentest... tool
> txtool is made to help you for easly pentesting in termux,
t.me/UndercOdeTesting

1) git clone https://github.com/kuburan/txtool.git

2) cd txtool

3) apt install python2

4) ./install.py

5) Mtxtool

@UndercOdeTesting

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁


🦑2020 all Android Cve - VULNERABILITIES TO GAIN ACCESS ON ANY ANDROID :
twitter.com/UndercOdeTC

> CVE References Type Severity Updated AOSP versions

1) CVE-2020-0014 A-128674520 EoP High 8.0, 8.1, 9, 10

2) CVE-2020-0015 A-139017101 EoP High 8.0, 8.1, 9, 10

3) CVE-2019-2200 A-67319274 EoP High 10

4) CVE-2020-0017 A-123232892 [2] ID High 8.0, 8.1, 9, 10

5) CVE-2020-0018 A-139945049 ID High 8.0, 8.1, 9, 10

6) CVE-2020-0020 A-143118731 ID High 10

7) CVE-2020-0021 A-141413692 [2] [3] DoS High 10

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Let s Start with First Android Vulnerabilitie :
instagram.com/UndercOdeTestingCompany

🦑 CVE-2020-0014 A-128674520 EoP High 8.0, 8.1, 9, 10 :

1) RESTRICT AUTOMERGE
Make toasts non-clickable

2) Since enforcement was only on client-side, in Toast class, an app could

3) use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

🦑This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagerDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
log click events. Then:

1) Observe click events are logged without this CL.

2) Observer click events are not logged with this CL.

Bug: 128674520

Change-Id: Ic36585bc4f186e0224f5b687c49c0b3d9266838c
(cherry picked from commit b81f269ae2afb446b9d4a909fc2bcf038af00c41)

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 CVE-2020-0015 A-139017101 EoP High 8.0, 8.1, 9, 10
Android bug details :
instagram.com/UndercOdeTestingCompany

1) KeyChain: Do not allow hiding Cert Install dialog

2) Do not allow apps to float a window on top of the certificate
installation / naming dialog.

3) This obscures the CA certificate installation dialog and could be used
to trick a user into installing a CA certificate.

4) This is fixed by adding the HIDE_NON_SYSTEM_OVERLAY_WINDOWS system
flag when the activity is created (onCreate), so that another activity
starting in the foreground would not be able to obscure the dialog.

Bug: 139017101
Test: Manual, with an app that floats a window.
Change-Id: Iff8e678743c3883cf1f7f64390097a768ca00856
(cherry picked from commit afdacb2ec4c5cdc2fb2a9943fa5b48100f4725c8)


@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 CVE-2020-0015 A-139017101 EoP High 8.0, 8.1, 9, 10
ANDROID BUG DETAIL :

🦑 Revoke granted permission when the permission defining app is removed.☠️

> Bug: 67319274

> Test: atest android.permission.cts.RemovePermissionTest

> Change-Id: I22df546f5cd19e10045131d36dc3f5033f727baa

> Merged-In: I20c4c975a1dd41a0a6c3e068988fe60be51dd1b4
(cherry picked from commit bde381848d0d07780710ce36e0c974646ba8f995)

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑NOW ANDROID SYSTEM BUGS SUCH BLUETOOTH-SOFTWARE BUGS ANDROID 7-8-9
twitter.com/UndercOdeTC



🦑 CVE References Type Severity Updated AOSP versions


1) CVE-2020-0022 A-143894715 DoS Moderate 10

> GAP: Correct the continuous pkt length in l2cap

L2cap continuous pkt length wrongly calculated in
reassembly logic when remote sends more data
than expected.

Wrong pkt length leading to memory corruption

Hence the Correct the continuous pkt length in
l2cap reassembly logic.

Bug: 135239489
Bug: 143894715
CRs-Fixed: 2434229
Test: make and internal testing
Change-Id: I758d9e31465b99e436b9b1841320000f08186c97
Merged-In: I758d9e31465b99e436b9b1841320000f08186c97
(cherry picked from commit 337bd4579453bd6bf98ff519de3ac1019cd30d28)
(cherry picked from commit 602f4b44fe30ec8b225e1cee5f96817607d93e5a)


2) RCE Critical 8.0, 8.1, 9
CVE-2020-0023 A-145130871 ID Critical 10
>Enforce BLUETOOTH_PRIVILEGED in setPhonebookAccessPermission

Bug: 145130871
Test: POC
Merged-In: Ib4985e18de9f6695acc371da78deb240d42671f1
Change-Id: I3b8897166e223179fcbcf8c7a64e0c4d4ca974ef
(cherry picked from commit 8d1e8979f56acfe477bd3b84994a716a8391a8eb)


3) CVE-2020-0005 A-141552859 EOP High 8.0, 8.1, 9, 10

4) CVE-2020-0026 A-140419401 EoP High 8.0, 8.1, 9, 10

5) CVE-2020-0027 A-144040966 EoP High 8.0, 8.1, 9, 10

6) CVE-2020-0028 A-122652057 [2] ID High 9

🦑hope after all those and more bugs coming for android, may you figured out the meaning of: ''NOTHING SAFE''

🦑For any doubt feel free to ask us

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑some Hack-News by UndercOde from our tweets : MIT: Blockchain voting system Voatz is vulnerable and vulnerable
16-2-2020
Twitter.com/UndercOdeTC

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> A recent study by the MIT team of engineers found a series of shocking vulnerabilities in a blockchain voting system called Voatz. After reverse engineering Voatz's Android app, researchers concluded that by invading voters' phones, attackers could observe, suppress and change votes almost at will. The paper states that a cyber attack could also reveal where a given user is voting and may suppress voting in the process.

>The researchers said that the most disturbing thing is that an attacker who broke the server that manages the Voatz API can even change the ballot when the vote comes, which should theoretically prevent the threat of distributed ledger.

>The researchers concluded: "Given the gravity of the failure discussed in this article, the lack of transparency, the risks of voter privacy, and the trivial nature of the attack, we recommend that any recent plans to use this application for high-risk elections be abandoned."

>Voatz's blockchain-based voting project is designed to replace absentee ballots, and security researchers are skeptical, but many in the tech community have expressed strong interest and it has received more than $ 9 million in venture capital. Under Voatz, users will vote remotely through the app and verify their identity through the phone's facial recognition system.

>Voatz has been used in some minor elections in the United States, collecting more than 150 votes early West Virginia elections.

> Voatz challenged MIT's findings in a blog post, saying the research methodology was "wrong." The company's main complaint is that researchers are testing outdated versions of the Voatz client software and have not tried to connect to the Voatz server itself.

> "This flawed approach invalidates any claims about its ability to disrupt the entire system," the blog post wrote.Voatz also highlighted measures that allow voters and election officials to verify ballots after the fact. "Each ballot filed with Voatz will generate a paper ballot, and every voter who uses Voatz will receive a ballot," said Hilary Braseth, the company's product owner.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Google removes more than 500 malicious extensions few days ago
instagram.com/UndercOdeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) After more than two months of in-depth investigation by Cisco Duo Security team and security researcher Jamila Kaya, Google recently announced the removal of more than 500 malicious Chrome extensions from the official online store. These extensions are known to inject malicious advertisements into user browsing sessions.

2) The malicious code injected by these extensions activates under certain conditions and redirects users to specific pages. In some cases, the redirect address may be a member link on a legitimate website such as Macys, DELL, or BestBuy; in other cases, it may be a malicious site, such as a download site for malware or a phishing page.

4) According to a report shared by the Duo Security team and Jamila Kaya, these malicious extensions have been online for at least two years. These malicious extensions were originally discovered by Kaya, who discovered them during a routine threat scan to access malicious websites through a universal URL pattern.

5) Using CRXcavator (a service for analyzing Chrome extensions), Kaya discovered the original cluster of extensions, which ran on almost the same code base, but used a variety of common names, and few related to their true use information.

6) Kaya said that we then returned the findings to Google. Later, Google found more extensions that met this pattern after self-examination, and then deleted more than 500 extensions. It is unclear how many users have more than 500 malicious extensions installed, but the number may exceed millions.

WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 CVE-2020-7053 LINUX DEBIAN TRACKER- AGAINST KALI-PARROT-(DEBIAN FORKS)
pinterest.com/UndercOdeOfficial

🦑 DESCRIPTION :

1) In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c.

> This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.

2)
Release Version Status
linux (PTS) jessie 3.16.56-1+deb8u1 fixed
jessie (security) 3.16.81-1 fixed
stretch 4.9.210-1 fixed
stretch (security) 4.9.189-3+deb9u2 fixed
buster 4.19.98-1 vulnerable
buster (security) 4.19.67-2+deb10u2 vulnerable
bullseye 5.4.13-1 fixed
sid 5.4.19-1 fixed


3) [stretch] - linux <not-affected> (Vulnerable code introduced later)
[jessie] - linux <not-affected> (Vulnerable code introduced later)


4) MORE DETAILS :

Base Score 7.8 5.3
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Access Vector Local Local
Access Complexity Low Low
Privileges Required Low Low
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact High Low
Integrity Impact High Low
Availability Impact High Low
CVSSv3 Version 3.1 3.1


Powered by Wiki
WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

We recently Posted Carding Tutorial 2020 from deep web to UndercOde wa Grps, will forward Then to here later

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Carding Tutorial: How to Buy Any Product Online for Free : FOR PROTECTING YOUR SITE- PRODUCT NOT USE FOR HACK :
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Welcome dear visitors, I hope you are all right, today I posted a post about Carding, with this tip, you can buy any product online for free. Here today, I posted a complete combing tutorial method. What is grooming?

2) Carding is a term describing online trafficking of credit cards, bank accounts and other personal information, and related fraud services. The term "comb" is often associated with credit card fraud. At this point every shopping site or other purchase on the site using a credit card will attract hackers' attention, they notice this and start using it for profit.

3) Grooming is completely fraudulent and illegal in Australia and other countries. But most cases in chinia and the US are for online shopping.

4) Grooming is insecure and a complete scam for all users. There are many tricks and secrets to sorting out, which makes every country illegal and fraudulent.

5) Primarily, Carders used fake credit cards for online shopping or used credit cards for cracking. Today I will share all the secret and hidden tips of Carding.

6) I think you have to see some recently posts in the UndercOde facebook or whatsapp groups, according to them learn free carding.

7) Carding exactly is example :

>One person cracks someone's credit card and their details and buys a small amount of product online and tries to deliver it in a fake place. This is Cardel. But 99% of cadres are fake and will deceive you with your money. So don't try to contact any truck. Grooming or not grooming is a type of cybercrime.

8) Carding is used to obtain online products through fake payment methods. Carders uses information and data from others. This is a big deal for anyone and their money. If someone finds it in this case, there are hard rules for punishing them. Cyber ​​police departments handle these cases and they are not affected by anything from any government in any country.

🦑 First, Before Starts Require :

1) computer
(windows 7 recommended not 10)

2) MacBook

2) laptop

3) Android phone

4) (One of them.) VPN: But Trusted providers :
A virtual private network VPN is a network built using a public line (usually the Internet) to connect to a private network, such as a company's internal network. There are many systems that allow you to create a network using the Internet as a medium for transmitting data. VPNs use encryption and other security mechanisms to protect private networks to ensure that only authorized users can access the network, and data cannot access the network.


5) Remote Desktop Protocol RDP is a proprietary protocol developed by Microsoft that provides users with a graphical interface to connect to another computer through a network connection. The user uses the RDP client software for this purpose, and another computer must run the RDP server software. Most versions of Microsoft Windows (including Windows Mobile Linux, Unix OS X iOS Android, and other operating systems) exist client RDP servers built into the Windows operating system; there are also RDP servers for Unix and OS X. By default, the server listens on TCP port 3389 and UDP port 3389. Microsoft currently refers to its official RDP client software as Remote Desktop Connection (formerly known as "Terminal Services Client"). This protocol is an extension of the ITU-T T.128 application sharing protocol.

6) Socks 5 SOCKet Secure (SOCKS) is an Internet protocol that routes network packets between clients and servers through a proxy server. SOCKS5 also provides authentication, so only authorized users can access the server. In fact, the SOCKS server proxies TCP connections to arbitrary IP addresses and provides methods for forwarding UDP packets.

7) Don t Forget to run MacOS in Virtual box Not VMWARE

8) Crdit card combing

9) You need a reliable credit card. You need to buy a Bitcoin-based credit card. Buy any credit card from any website and you will get all your credit card information.

Example :

Tamar

Middle Name Jamsin

Last name Mozes

Billing address 9006 peppertree circle

Wichita

State KS

Zip Code 67226

Country america

Phone3166342050

Card type credit card

Credit card number 5102 4129 0001 1332

import and export. Date 6 / June 2020

Name card Tamar Mozes

Cvv2 474

Social Security Number 515 16 4160

Birthday 18

Birth Month 02

Born in 1999

Account Information example ID tmrmzes@exmaplecom

Password: ProtectionTest1ByUTC


WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Crading Part 2 :

On Android :

1) First download Zenmate apk to your Android phone to hide your IP address.

2) After downloading Shadowsocks Apk use Socks on Android.

3) Now connect Zenmate & Shadowsocks to the same address on your credit card. Must be the same as the victim's address: COUNTRY, STATE, CITY

4) When all is done, create a Gmail with the same name as the credit card holder, but don't confirm with your phone number. Fill in the same address, the same city, and everything. Or better if you have email access.

5) Now go to the website store where you want the card. Search for your product.

6) Adding your products to the card is now logged out of your Amazon account. Log in to your Amazon account again after 2-4 hours. Don't click on process checkout now.

7) Create an account on Amazon with your credit card username now! Then fill in the credit card details.

8) Fill in all checkout information after

9) Then add the shipping address (the location of your order).

10) Now click on the order and I'm sure 100% of them will confirm your order via email or you will track your order on the website after you press the order.

11) (Please note that some websites require phone verification, but you can always buy a phone number on the internet or in real life, confirm your order, and destroy it after delivery)

12) Confirm your order now and wait for the order to reach your shipping address. When they call you, then say the different address you want to pick up the order ..

13) Those are the ones you have already done. Enjoy your grooming products now. Try it for myself I am not responsible for any kind of harm. As I mentioned above, this is illegal in India because they use a VPN to hide location and identity, so there is no risk of carders. Only you will be caught by your shipping address. If anything happens, only you are responsible in the police case.


WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 DEEP WEB CARDING TUTORIAL