[FD] Cisco AsyncOS Cross-Site Scripting Vulnerability CVE-2014-3289

2014-06-09 Thread William Costa
I. VULNERABILITY
-

Reflected XSS Attacks vulnerabilities in Cisco Ironport Email Security
Virtual Appliance Version: 8.0.0-671

II. BACKGROUND
-
Cisco Systems, Inc. is an American multinational corporation headquartered
in San Jose, California, that designs, manufactures, and sells networking
equipment.

III. DESCRIPTION
-
A Reflected XSS vulnerability has been detected in Cisco Ironport Email
Security Virtual Appliance.
The code injection is done through the parameter "date_range" in the page
"/monitor/reports/overview?printable=False&date_range".

IV. PROOF OF CONCEPT
-
The application does not validate the parameter “date_range” correctly.

https://ip_cisco_web_security/monitor/reports/overview?printable=False&date_range=alert(2)

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, allowing arbitrary HTML/script code to be executed in the
context of the victim user's browser.

VI. SYSTEMS AFFECTED
-
Reflected XSS Attacks vulnerabilities in Cisco Ironport Email Security
Virtual Appliance Version: 8.0.0-671.

VII. SOLUTION
-
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289

By William Costa

william.co...@gmail.com

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
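A defender-side illustration of the flaw described in this advisory, added here and not part of William Costa's post: a handler that echoes date_range raw (the defect), its hardened form (allowlist on input, HTML-encode on output), and a scan over access-log lines that flags off-allowlist date_range values sent to the report page. The allowlist values, the hidden-input markup and the log lines are constructed assumptions; the advisory does not give the appliance's real values.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of values a date_range selector would legitimately carry.
# The advisory does not list the appliance's real values, so these are placeholders.
ALLOWED_DATE_RANGES = {"current_day", "current_week", "current_month"}
DEFAULT_DATE_RANGE = "current_day"
REPORT_PATH = "/monitor/reports/overview"  # the page named in the advisory

def date_range_from(query: str) -> str:
    """Pull the raw date_range value out of a query string ("" if absent)."""
    return parse_qs(query, keep_blank_values=True).get("date_range", [""])[0]

def render_vulnerable(query: str) -> str:
    """Echoes date_range straight into the HTML: the defect the advisory describes."""
    return f'<input type="hidden" name="date_range" value="{date_range_from(query)}">'

def render_hardened(query: str) -> str:
    """Allowlist the value on input, then HTML-encode it on output (defence in depth)."""
    value = date_range_from(query)
    if value not in ALLOWED_DATE_RANGES:
        value = DEFAULT_DATE_RANGE  # never reflect an unexpected value back to the browser
    return f'<input type="hidden" name="date_range" value="{html.escape(value, quote=True)}">'

# Constructed access-log lines (common log format): one benign request and one
# carrying URL-encoded markup in date_range. Sample data, not real appliance logs.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2014:10:00:01 +0000] "GET /monitor/reports/overview?printable=False&date_range=current_day HTTP/1.1" 200 5120
10.0.0.9 - - [09/Jun/2014:10:00:07 +0000] "GET /monitor/reports/overview?printable=False&date_range=%22%3E%3Cscript%3Ealert(2)%3C/script%3E HTTP/1.1" 200 5311
"""
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')

def flag_reflected_xss_attempts(log_text: str) -> list:
    """Return (client_ip, decoded date_range) for report requests whose value is off-allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != REPORT_PATH:
            continue
        value = date_range_from(url.query)  # parse_qs also percent-decodes the value
        if value and value not in ALLOWED_DATE_RANGES:
            hits.append((line.split()[0], value))
    return hits
```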

Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread Eric Rand

This sounds like modified prisoners' dilemma to me:

Prisoner 1 (the researcher):
Cooperate: give information to the company
Not-cooperate: deny information, release publicly

Prisoner 2 (the company):
Cooperate: don't sue the researcher
Not-cooperate: sue the researcher

With the result table of:

[cooperate][cooperate] - Company gets vuln info; researcher doesn't
get sued.
[cooperate][no-cooperate] - company gets vuln info; researcher gets sued
[not-cooperate][cooperate] - researcher discloses vuln publicly;
company sues
[not-cooperate][not-cooperate] - researcher discloses vuln publicly;
company sues

With [nc][c] being a case where the researcher doesn't bother making
themselves known to the company, for this to hold true.

As I recall, the optimal strategy for that situation is to cooperate
until the other party doesn't, and then no longer cooperate at all.

I think that in a situation where the researching community -as a
whole- acted as the 'researcher' in this situation, i.e. if a company
sues a researcher, then no researcher discloses vulns about that
company's products to the company before public release, that would
most closely model the win/loss strategy and make it very easy for all
parties to understand the situation.

And since, despite the fact that humans are not rational, we keep on
trying to assume people act in a rational and informed manner,
rational actors would behave according to the optimal strategy--to
cooperate until they get betrayed.

That's my two cents on the matter, anyway.

--ER/@munin

On 06/08/2014 11:23 AM, Paul Vixie wrote:
> 
> 
> codeinject.org wrote:
>> any lawyer will dismiss this in court stating it was signed under
>> duress.
> 
> in my proposed model, the only recourse a researcher has against
> vendor nonperformance is future silence. in your scenario above the
> lawyer in question would be trying to argue that future silence was
> in some way inappropriate.
> 
>> Also it sounds an awful lot like blackmail.
> 
> "i wish to enter into a no-fee relationship with you wherein you
> will receive certain valuable information at no monetary cost. the
> only requirement you would have to meet in order to receive this
> and future potentially valuable information is absolute fidelity to
> this nondisclosure agreement."
> 
> doesn't sound like blackmail to me, not even a little bit. and i've
> been sued by experts. and it's what i wish i'd tried instead of
> doing the BIND Forum (criticized as a form of "pay for play"), back
> when CMU-CERT's lossy predisclosure chain screwed me for what i
> swore would be the last fscking time.
> 
>> 
>> I think you should either make the gamble, or let a ZDI, Exodus,
>> VUPEN etc do the disclosure on your behalf.
>> 
>> or just go full disclosure on them =)
> 
> those are all lose-lose propositions. i say shoot for a win-win and
> let lose-lose be the recourse ("fallback position").
> 
> vixie
> 



Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread coderman
On Sun, Jun 8, 2014 at 4:03 AM, Paul Vixie  wrote:
>...
> i am not a lawyer either. i started MAPS, the first anti-spam company,
> in 1997 or so, and became the most-sued person i know. i may be the
> most-sued person you'll ever know.

you have had interesting experiences!

how many of these lawsuits have been dropped before heading to trial?
(numbers or percentages?)

how many legal motions went back and forth before trial in various
motions or other tactics?

how many plaintiffs were multiple offenders, or behind multiple legal
filings against you in multiple venues?

how many of these lawsuits encountered procedural or judicial
complications by nature of being technical in nature?

(and if you've answered these elsewhere please forgive and point in
the right direction :)


best regards,



Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread Daniel Wood
Should also point out that getting E&O insurance is a good idea. 

Daniel

> On Jun 8, 2014, at 1:34 PM, Dave Warren  wrote:
> 
>> On 2014-06-08 04:03, Paul Vixie wrote:
>> this is concerning, for two reasons.
>> 
>> first, for enforceability, a contract requires exchange of
>> consideration. what's yours? i can see that the vendor is receiving
>> something of value (the disclosure) but it's not clear what you're
>> getting in return beyond the opportunity to have your good deeds go
>> unpunished. absence of a negative does not amount to a positive in the
>> eyes of the law.
> 
> Indemnity is definitely consideration. I'm not sure that "1- You will not 
> attempt to threaten or prosecute the researcher in any jurisdiction." is 
> sufficient though, but something similar in appropriate legalese would 
> possibly do the trick.
> 
> There also needs to be an enforcement or penalty clause that is mutually 
> agreeable (and this is probably where most companies will start to wonder if 
> agreeing is worthwhile). A contract without an enforcement clause is mostly 
> useless since a violation will, at most, allow the opposing party to 
> disregard the contract. This works great in a "I will mow your lawn as needed 
> for $80/week" contract, in which case in the event of a breach, the other 
> party would stop complying with their terms.
> 
> In this case, the vendor has an ongoing obligation to not sue, whereas the 
> researcher has completed their portion as soon as they reveal the information 
> to the company (or as soon as they complete a defined responsible disclosure 
> period). If the company chooses to pursue legal action against the 
> researcher, the researcher has no remedy in the contract.
> 
> At a minimum, agreeing to limit damages in the event of any and all legal 
> actions resulting from researching and disclosing the vulnerability would be 
> a start.
> 
> Still, I like the idea, especially if it's something that a reasonable number 
> of researchers use.
> 
> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
> 



[FD] [Tool] Responder v2.0.9

2014-06-09 Thread laurent gaffie
Responder is an Active Directory/Windows environment takeover tool suite
that can stealthily take over any default active directory environment
(including Windows 2012) in minutes or hours. Most of the attacks in this
tool are hard to detect and are highly successful.

Responder attacks 5 Windows core protocols:
- LLMNR Poisoning (Windows >= Vista).
- Netbios Name Service Poisoning (NBT-NS poisoning, any by default).
- WPAD (Any by default).
- ICMP Redirect (Windows <= 2003/XP).
- DHCP INFORM (Windows <= 2003/XP) and ability to perform normal DHCP
attacks (Linux, OSX, Windows) [unicast answer].

An extra protocol has been added, for OSX and Linux distributions using
avahi: MDNS (Linux, Apple, any .local)

When exploiting these protocol flaws, Responder has its own rogue servers
listening:
- SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security
NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC,
Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM
hashing downgrade when the --lm option is set. This functionality is
enabled by default when the tool is launched.

- MSSQL Auth server. In order to redirect SQL Authentication to this tool,
you will need to set the option -r (NBT-NS queries for SQL Server lookup
are using the Workstation Service name suffix) for systems older than
Windows Vista (LLMNR will be used for Vista and higher). This server
supports NTLMv1, LMv2 hashes. This functionality was successfully tested on
Windows SQL Server 2005 & 2008.

- HTTP Auth server. In order to redirect HTTP Authentication to this tool,
you will need to set the option -r for Windows versions older than Vista
(NBT-NS queries for HTTP server lookup are sent using the Workstation
Service name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was
successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This
module also works for WebDav NTLM authentication issued from Windows WebDav
clients (WebClient). You can also send your custom files to a victim.

- HTTPS Auth server. In order to redirect HTTPS Authentication to this
tool, you will need to set the -r option for Windows versions older than
Vista (NBT-NS queries for HTTP server lookups are sent using the
Workstation Service name suffix). For Vista and higher, LLMNR will be
used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This
server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and
Safari. The folder Cert/ was added. It contains 2 default keys, including a
dummy private key. This is intentional. The purpose is to have Responder
working out of the box. A script was added in case you need to generate
your own self-signed key pair.

- LDAP Auth server. In order to redirect LDAP Authentication to this tool,
you will need to set the option -r for Windows versions older than Vista
(NBT-NS queries for HTTP server lookup are sent using the Workstation
Service name suffix). For Vista and higher, LLMNR will be used. This server
supports NTLMSSP hashes and Simple Authentication (clear text
authentication). This server was successfully tested on Windows Support
tool "ldp" and LdapAdmin.

- FTP Auth server. This module will collect FTP clear text credentials.

- Kerberos v5 pre-auth server.

- Small DNS server. This server will answer type A queries. This is really
handy when it's combined with ARP spoofing, ICMP Redirect, DHCP INFORM.

- WPAD rogue transparent proxy server. This module will capture all HTTP
requests from anyone launching Internet Explorer on the network. This
module is highly effective. You can send your custom PAC script to a victim
and inject HTML into the server's responses. See Responder.conf.

- Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR
requests between systems without poisoning any requests. You can also map
domains, MSSQL servers, workstations passively and also see if ICMP
Redirect attacks are plausible on your subnet. No port scans.

- POP3 auth server. This module will collect POP3 plaintext credentials.

- SMTP auth server. This module will collect PLAIN/LOGIN clear text
credentials.

- IMAP auth server.

Responder also:
- Logs all its activity to a file: Responder-Session.log.
- All hashes are printed to stdout and dumped in a unique hashcat-compliant
file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or
clear-text)-Client_IP.txt. The file will be located in the current folder.
- When the option -f is set, Responder will fingerprint every host that
issued an LLMNR/NBT-NS query. All capture modules still work while in
fingerprint mode.


Responder also lets you:

- Customize your penetration test via Responder.conf.
- Respond to specific in-scope Netbios/LLMNR names.
- Respond to specific in-scope IP addresses.
- Inject SMB share pictures into WPAD responses.
- Replace requested .exe files with your own, but shown as the orig