[ MDVSA-2010:255 ] php-intl

2010-12-15 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:255
 http://www.mandriva.com/security/
 ___

 Package : php-intl
 Date: December 15, 2010
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in php-intl:
 
 Integer overflow in the NumberFormatter::getSymbol (aka
 numfmt_get_symbol) function in PHP 5.3.3 and earlier allows
 context-dependent attackers to cause a denial of service (application
 crash) via an invalid argument (CVE-2010-4409).
 
 The updated packages have been upgraded to php-intl-1.1.2 and patched
 to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4409
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 e4150c29c342b12bf02f802692c3e9af  
mes5/i586/php-intl-1.1.2-0.1mdvmes5.1.i586.rpm 
 cf1acac56b390efc3b731307a8d5b139  
mes5/SRPMS/php-intl-1.1.2-0.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 0c5c740e3a0596ba5223de67e4219f58  
mes5/x86_64/php-intl-1.1.2-0.1mdvmes5.1.x86_64.rpm 
 cf1acac56b390efc3b731307a8d5b139  
mes5/SRPMS/php-intl-1.1.2-0.1mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
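
Added example, not Mandriva's own tooling: a small Python checker that does by hand what the paragraph above says MandrivaUpdate and urpmi do automatically for the md5 part. It parses the hash/path pairs from the "Updated Packages" block as the list archive renders it (hash and path on consecutive lines, or on one line) and compares each hash with the digest of a downloaded file. The excerpt built inside demo() reuses this advisory's own paths and hashes, except that the i586 entry carries the hash of a constructed stand-in file so one entry verifies; the directory layout, function names and stand-in contents are assumptions.

```python
import hashlib
import os
import re
import tempfile

# A Mandriva entry on a single line: "<md5>  <relative path>".
MDV_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+)\s*$", re.IGNORECASE)
MD5_ONLY = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_mandriva_packages(text):
    """Return {relative_path: md5} for the package list of a Mandriva advisory.

    The archive rendering often wraps an entry onto two lines (hash, then path),
    so a bare hash line is remembered and attached to the next ".rpm" line.
    """
    entries = {}
    pending_hash = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MDV_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
            pending_hash = None
        elif MD5_ONLY.match(line):
            pending_hash = line.lower()
        elif pending_hash and line.endswith(".rpm"):
            entries[line] = pending_hash
            pending_hash = None
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large rpms do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(entries, download_dir):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'} for files found by
    basename under download_dir (assumed flat layout)."""
    results = {}
    for rel_path, expected in entries.items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.exists(local):
            results[rel_path] = "missing"
        elif md5_of_file(local) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo():
    """Constructed run: one file matches its advisory hash, one was altered,
    one was never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "php-intl-1.1.2-0.1mdvmes5.1.i586.rpm")
        altered = os.path.join(d, "php-intl-1.1.2-0.1mdvmes5.1.src.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed payload standing in for an rpm\n")
        with open(altered, "wb") as f:
            f.write(b"constructed payload that was altered in transit\n")
        advisory = (
            " Updated Packages:\n\n Mandriva Enterprise Server 5:\n"
            f" {md5_of_file(good)}  \nmes5/i586/php-intl-1.1.2-0.1mdvmes5.1.i586.rpm \n"
            " cf1acac56b390efc3b731307a8d5b139  \nmes5/SRPMS/php-intl-1.1.2-0.1mdvmes5.1.src.rpm\n"
            " 0c5c740e3a0596ba5223de67e4219f58  \nmes5/x86_64/php-intl-1.1.2-0.1mdvmes5.1.x86_64.rpm \n"
        )
        return verify_downloads(parse_mandriva_packages(advisory), d)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

The MD5 comparison only tells you the download matches what the advisory lists; it is not what establishes trust, since MD5 collisions are practical and the advisory text itself could be altered. The trust anchor is the GPG signature on the packages and on the advisory, which this script deliberately leaves to urpmi and gpg.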

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNCLRJmqjQ0CJFipgRAlM9AKCZel2zsKCm/8uDytkhQLB6l9xRegCdH3i7
t6AZrhZgu20J+8l2wggMT6Y=
=aPyA
-----END PGP SIGNATURE-----



[security bulletin] HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on Linux and Windows, Remote Cross Site Scripting (XSS)

2010-12-15 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02652463
Version: 1

HPSBMA02615 SSRT100228 rev.1 - HP Insight Diagnostics Online Edition Running on 
Linux and Windows, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight 
Diagnostics Online Edition running on Linux and Windows. The vulnerability 
could be exploited remotely resulting in cross site scripting (XSS).

References: CVE-2010-4111

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Diagnostics Online Edition prior to v8.5.1.3712

Note: HP Insight Diagnostics Online Edition is provided in the Proliant Support 
Pack (PSP).

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                    Base Score
  CVE-2010-4111  (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks ProCheckUp Ltd. for reporting this 
vulnerability to security-al...@hp.com.

RESOLUTION

HP has provided HP Insight Diagnostics Online Edition v8.5.1.3712 or subsequent 
to resolve this vulnerability.

The vulnerability in HP Insight Diagnostics Online Edition can be resolved by 
installing HP Insight Diagnostics Online Edition v8.5.1.3712 from the HP 
ProLiant Support Pack 8.6.

Note: The ProLiant Support Pack is available from www.hp.com by selecting 
'Support & Drivers', select 'Download drivers and software (and firmware)' and 
then enter 'Proliant Support Pack' for the product.

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial Release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particul

[security bulletin] HPSBMA02616 SSRT100231 rev.1 - HP Insight Management Agents Running on Linux and Windows, Remote Full Path Disclosure

2010-12-15 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02653973
Version: 1

HPSBMA02616 SSRT100231 rev.1 - HP Insight Management Agents Running on Linux 
and Windows, Remote Full Path Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Remote full path disclosure

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight 
Management Agents running on Linux and Windows. The vulnerability could be 
exploited remotely resulting in full path disclosure.

References: CVE-2010-4112

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Management Agents prior to v8.6

Note: The HP Insight Management Agents product is provided in the Proliant 
Support Pack (PSP).

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                    Base Score
  CVE-2010-4112  (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks ProCheckUp Ltd. for reporting this 
vulnerability to security-al...@hp.com.

RESOLUTION

HP has provided HP Insight Management Agents v8.6 or subsequent to resolve this 
vulnerability.

The vulnerability in HP Insight Management Agents can be resolved by installing 
HP Insight Management Agents v8.6 from the HP ProLiant Support Pack 8.6.

Note: The ProLiant Support Pack is available from www.hp.com by selecting 
'Support & Drivers', select 'Download drivers and software (and firmware)' and 
then enter 'Proliant Support Pack' for the product.

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial Release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement."

Copyright 2009 Hewlett-Packard Development Compa

Re: OpenBSD Paradox

2010-12-15 Thread Theo de Raadt
> We has OpenBSD tell us:
> 
> "We have never allowed US citizens or foreign citizens working in the
> US to hack on crypto code"
> http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

That statement remains true.

IPSEC isn't 100% crypto; it is a complex layered subsystem with many
other elements to it.  In particular our IPSEC stack also supports the
IPCOMP sub-protocol -- the same management framework moves compressed
ip packets through the framework.  This means that there are parts of
the IPSEC stack that are 'dual use'.  There are also many other parts
of IPSEC which are related to non-encrypted encapsulations.

Our project permitted American developers to work on any part of the
tree which was not specifically cryptography; in this particular
instance that includes the parts of IPSEC which are 'dual use' or 'not
related to cryptography'.  We did not permit them to work on the
crypto-specific parts.

> And is yes on the same thread, we have the presumed innocent until
> proven is guilty party conflict with team OpenBSD:
> 
> "I will state clearly that I did not add backdoors to the OpenBSD
> operating system or the OpenBSD crypto framework (OCF)."
> "The timeline for my involvement with IPSec can be clearly
> demonstrated by looking at the revision history of:
>   src/sys/dev/pci/hifn7751.c (Dec 15, 1999)

This is a driver for a crypto chip, but the driver itself does not do
any cryptography.  The driver moves things around so that the hardware
can do the cryptography.

>   src/sys/crypto/cryptosoft.c (March 2000)

revision 1.38
date: 2003/02/21 20:33:35;  author: jason;  state: Exp;  lines: +1 -6
There's no cleaning necessary for deflate compression, so remove it from
the switch.

Note, the commit message talks about compression.

> What is this time to stop the press!
> 
> OpenBSD - "We is never allow Americans to work on crypto move is along"
> Perp - "Is when I worked on OpenBSD crypto..."
> 
> Is we here see Paradox? For to this we create the BSD Paradox:
> 
> Paradox - A paradox is a true statement or group of statements that
> leads to a contradiction or a situation which defies intuition.
> 
> OpenBSD Paradox - There is no backdoor - that we knowingly admit to is
> know of. Is

That is a simplistic viewpoint held by your simplistic mind.


OpenBSD Paradox

2010-12-15 Thread musnt live
Use your brain! Is we think with our brain and ask: "how is
team OpenBSD lying to is public" well then is the proof is in the
porridge!


We has OpenBSD tell us:

"We have never allowed US citizens or foreign citizens working in the
US to hack on crypto code"
http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

And is yes on the same thread, we have the presumed innocent until
proven is guilty party conflict with team OpenBSD:

"I will state clearly that I did not add backdoors to the OpenBSD
operating system or the OpenBSD crypto framework (OCF)."
"The timeline for my involvement with IPSec can be clearly
demonstrated by looking at the revision history of:
src/sys/dev/pci/hifn7751.c (Dec 15, 1999)
src/sys/crypto/cryptosoft.c (March 2000)

http://marc.info/?a=9036790799&r=1&w=2

What is this time to stop the press!

OpenBSD - "We is never allow Americans to work on crypto move is along"
Perp - "Is when I worked on OpenBSD crypto..."

Is we here see Paradox? For to this we create the BSD Paradox:

Paradox - A paradox is a true statement or group of statements that
leads to a contradiction or a situation which defies intuition.

OpenBSD Paradox - There is no backdoor - that we knowingly admit to is
know of. Is


Re: OpenBSD's IPSEC is Backdoored

2010-12-15 Thread Michael Scheidell

On 12/14/10 8:35 PM, musnt live wrote:

> Original e-mail is from Theo DeRaadt
>
> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2


Then also read Jason Wright's response and clear denial:
http://marc.info/?l=openbsd-tech&m=129244045916861&w=2

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security,2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008



[ MDVSA-2010:254 ] php

2010-12-15 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:254
 http://www.mandriva.com/security/
 ___

 Package : php
 Date: December 15, 2010
 Affected: 2010.0, 2010.1
 ___

 Problem Description:

 This is a maintenance and security update that upgrades php to 5.3.4
 for 2010.0/2010.1.
 
 Security Enhancements and Fixes in PHP 5.3.4:
 
 * Paths with NULL in them (foo\0bar.txt) are now considered as invalid
 (CVE-2006-7243).
 * Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus values)
 (CVE-2010-4409)
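
Added example, not part of the Mandriva advisory or of PHP's own code: a small Python model of why a path containing a NUL byte is rejected outright in PHP 5.3.4 rather than passed on. A C-string filesystem layer stops reading at the first NUL, so a check applied to the whole string and the name actually opened can disagree. The ALLOWED_EXTENSIONS policy, the function names and as_seen_by_c() (which only simulates the C-string truncation) are assumptions made for the illustration.

```python
import os

# Assumed upload policy for the illustration.
ALLOWED_EXTENSIONS = (".txt", ".png")


def as_seen_by_c(path: str) -> str:
    """Simulate what a C-string API sees: nothing past the first NUL byte."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def extension_check_only(path: str) -> bool:
    """The naive check: it inspects the whole Python/PHP string, including any
    bytes that the filesystem layer would never see."""
    return path.lower().endswith(ALLOWED_EXTENSIONS)


def validated_filename(path: str) -> str:
    """Hardened check: refuse NUL bytes up front (the PHP 5.3.4 behaviour), keep
    only bare file names, and apply the extension policy to that name."""
    if "\0" in path:
        raise ValueError("path contains a NUL byte")
    name = os.path.basename(path)
    if name != path or name in ("", ".", ".."):
        raise ValueError("path must be a bare file name")
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        raise ValueError("extension not allowed")
    return name


def compare(path: str):
    """Return (naive verdict, name a C layer would open, hardened verdict)."""
    try:
        validated_filename(path)
        hardened = "accepted"
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return extension_check_only(path), as_seen_by_c(path), hardened


if __name__ == "__main__":
    for candidate in ("report.txt", "foo\0bar.txt", "../report.txt", "script.php"):
        print(repr(candidate), compare(candidate))
```

The second candidate is the advisory's own foo\0bar.txt shape: the naive check accepts it because the string ends in ".txt", while the name the C layer would open is just "foo". Rejecting the NUL byte before any other check removes that disagreement.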
 
 Please note that CVE-2010-4150, CVE-2010-3870, CVE-2010-3436,
 CVE-2010-3709, CVE-2010-3710 were fixed in previous advisories.
 
 Key Bug Fixes in PHP 5.3.4 include:
 
  * Added stat support for zip stream.
  * Added follow_location (enabled by default) option for the http
  stream support.
  * Added a 3rd parameter to get_html_translation_table. It now takes
  a charset hint, like htmlentities et al.
  * Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect
  zend multibyte at runtime.
  * Multiple improvements to the FPM SAPI.
  * Over 100 other bug fixes.
 
 Additional post 5.3.4 fixes:
 
  * Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres
  is down).
  * Fixed bug #53541 (format string bug in ext/phar).
 
 Additionally some of the PECL extensions have been upgraded and/or
 rebuilt for the new php version.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7243
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4409
 http://bugs.php.net/bug.php?id=53517
 http://bugs.php.net/bug.php?id=53541
 http://www.php.net/ChangeLog-5.php#5.3.4
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 51c55ecb17d2210accdf613c976f59a4  
2010.0/i586/apache-mod_php-5.3.4-0.1mdv2010.0.i586.rpm
 97f7b521655ab6116cb6a234e6f80764  
2010.0/i586/libphp5_common5-5.3.4-0.1mdv2010.0.i586.rpm
 3774b11ee026427f852f70fa81d6bc36  
2010.0/i586/php-apc-3.1.6-0.1mdv2010.0.i586.rpm
 414a6e9803d674cab2c1bdd30192c2d4  
2010.0/i586/php-apc-admin-3.1.6-0.1mdv2010.0.i586.rpm
 9a9e5109e74403a5f27b201a485dd0f8  
2010.0/i586/php-bcmath-5.3.4-0.1mdv2010.0.i586.rpm
 82792da2e73d05fb1ac96dd01e7df327  
2010.0/i586/php-bz2-5.3.4-0.1mdv2010.0.i586.rpm
 4b1f8a025bc06bc77606972a120b624a  
2010.0/i586/php-calendar-5.3.4-0.1mdv2010.0.i586.rpm
 2a7742b6b850dc9c24c144819499796a  
2010.0/i586/php-cgi-5.3.4-0.1mdv2010.0.i586.rpm
 d9921529289da226d002b0b54a163b43  
2010.0/i586/php-cli-5.3.4-0.1mdv2010.0.i586.rpm
 3cb0d17749a1eb0ec10fdd7198e42661  
2010.0/i586/php-ctype-5.3.4-0.1mdv2010.0.i586.rpm
 8b1d13671549660a8c26cd9c566cd311  
2010.0/i586/php-curl-5.3.4-0.1mdv2010.0.i586.rpm
 cafdb1d2ad8557c824ab2ff5c5015942  
2010.0/i586/php-dba-5.3.4-0.1mdv2010.0.i586.rpm
 fa714ef1db314bdb4b71904a408d83a2  
2010.0/i586/php-devel-5.3.4-0.1mdv2010.0.i586.rpm
 be2c1c9f5a9ef55f2695215e28901e65  
2010.0/i586/php-dio-0.0.2-6.3mdv2010.0.i586.rpm
 f00e6724d44f55fa7d4385fede50d8a4  
2010.0/i586/php-doc-5.3.4-0.1mdv2010.0.i586.rpm
 fbbb222bfed3e3d14d7ef621439f32fe  
2010.0/i586/php-dom-5.3.4-0.1mdv2010.0.i586.rpm
 f8bf3f1cfad6fc2491164d38249329e6  
2010.0/i586/php-eaccelerator-0.9.6.1-0.3mdv2010.0.i586.rpm
 89fddd11bb1a1b869350ed62640c4069  
2010.0/i586/php-eaccelerator-admin-0.9.6.1-0.3mdv2010.0.i586.rpm
 8291b82d95940b8dd55c2480edb0fc57  
2010.0/i586/php-enchant-5.3.4-0.1mdv2010.0.i586.rpm
 819bb39a1a77cff003a876e41d61565f  
2010.0/i586/php-exif-5.3.4-0.1mdv2010.0.i586.rpm
 3cdd26e27e3a903b582a36f9b53136cb  
2010.0/i586/php-fam-5.0.1-10.3mdv2010.0.i586.rpm
 8407e79c069e6c144c7707169e2040dc  
2010.0/i586/php-fileinfo-5.3.4-0.1mdv2010.0.i586.rpm
 a3ef81335333a23a8569ed3d458651d5  
2010.0/i586/php-filepro-5.1.6-20.3mdv2010.0.i586.rpm
 9364cbed8fdc4a1baac2a669b6143f5c  
2010.0/i586/php-filter-5.3.4-0.1mdv2010.0.i586.rpm
 baaf423a7512ae2b28e6792ef3b62ad7  
2010.0/i586/php-fpm-5.3.4-0.1mdv2010.0.i586.rpm
 cb4df0245abd7cd9f24f63309a77d177  
2010.0/i586/php-ftp-5.3.4-0.1mdv2010.0.i586.rpm
 56cfaeef1babf985d74f9d17fc899e7d  
2010.0/i586/php-gd-5.3.4-0.1mdv2010.0.i586.rpm
 945e781f42c5b7a52876766de3cf68ea  
2010.0/i586/php-gettext-5.3.4-0.1mdv2010.0.i586.rpm
 ab0c640ec4d5e6cfc23323a6ef549322  
2010.0/i586/php-gmp-5.3.4-0.1mdv2010.0.i586.rpm
 52ebab66ee7a55e0cf7ebe5124cf51e2  
2010.0/i586/php-hash-5.3.4-0.1mdv2010.0.i586.rpm
 880bc08442537c1d0260c927b631f96f  
2010.0/i586/php-iconv-5.3.4-0.1mdv2010.0.i586.rpm
 44e8cc3284a558be2ec51d9ba4f76e48  
2010.0/i586/php-idn-1.2b-18.3mdv2010.0.i586.rpm
 70c31ab8a9872c846b28987cf3890f46  
2010.0/i586/php-imap-5.3.4-0.1mdv2010.0.i586.rpm
 5f8e2ca2ca52c783bd5d5274b489f43f  
2010.0/i586/ph

Re: hidden admin user on every HP MSA2000 G3

2010-12-15 Thread Pavel Kankovsky
On Mon, 13 Dec 2010 hpdisclos...@anonmail.de wrote:

> i just found out that there is a hidden user on every HP MSA2000 G3 
> SAN out there:
> 
> username: admin
> password: !admin

Confirmed on P2000 G3 (fw L100R013). (Please, HP, is it really
necessary to give us *so many* different reasons to hate you?!)

> this user doesnt show up in the user manager, and the password 
> cannot be changed - looks like the perfect backdoor for everybody.

The user was invisible but I was able to change its password in CLI with
"set password admin password ..." (the change was effective, the old
password was not valid any longer).

-- 
Pavel Kankovsky aka Peak  / Jeremiah 9:21\
"For death is come up into our MS Windows(tm)..." \ 21st century edition /




www.eVuln.com : BBCode CSS XSS in slickMsg

2010-12-15 Thread bt
www.eVuln.com advisory:
BBCode CSS XSS in slickMsg
Summary: http://evuln.com/vulns/162/summary.html 
Details: http://evuln.com/vulns/162/description.html 

---Summary---
eVuln ID: EV0162
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
Description
It is possible to inject XSS code (expression) into CSS style of size and color 
bbcodes.
"size" and "color" values are not properly sanitized before being used in CSS 
code.
Note: works in MS IE
PoC/Exploit
PoC code is available at:
http://evuln.com/vulns/162/exploit.html 
---Solution---
Not available
---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/xss/bbcode.html - recent bbcode xss advisories


www.eVuln.com : "post" - Non-persistent XSS in slickMsg

2010-12-15 Thread bt
www.eVuln.com advisory:
"post" - Non-persistent XSS in slickMsg
Summary: http://evuln.com/vulns/161/summary.html 
Details: http://evuln.com/vulns/161/description.html 

---Summary---
eVuln ID: EV0161
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
Description
It is possible to inject xss code into "post" parameter in
"views/Post/edit/form.php" script.
Parameter "post" is not properly sanitized before being used in HTML
code.
Condition: register_globals: on
PoC/Exploit
PoC code is available at:
http://evuln.com/vulns/161/exploit.html 
-Solution--
Not available
--Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/auth-bypass/ - recent Authentication Bypass vulns
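
Added example covering both slickMsg advisories above (EV0162, unsanitized size/color values landing in CSS, and EV0161, the "post" parameter landing in HTML); it is not slickMsg's code and the whitelist policy, tag syntax and function names are assumptions. The two contexts need different treatment: the HTML body context is handled by escaping, but escaping does nothing for a value placed inside a style attribute, where only a strict whitelist of what the value may look like keeps CSS-level constructs out.

```python
import html
import re

# Assumed policy for the two bbcode values the advisory singles out:
# a colour is one of a few names or a #rrggbb triple; a size is a small integer.
NAMED_COLOURS = {"red", "green", "blue", "black", "white", "gray"}
HEX_COLOUR = re.compile(r"^#[0-9a-fA-F]{6}$")
SIZE_MIN, SIZE_MAX = 6, 48

# [color=...]...[/color] and [size=...]...[/size]; the value may not contain ']'.
TAG = re.compile(r"\[(color|size)=([^\]]*)\](.*?)\[/\1\]", re.DOTALL)


def safe_colour(value: str):
    """Return a canonical colour value or None if it is not on the whitelist."""
    v = value.strip().lower()
    if v in NAMED_COLOURS or HEX_COLOUR.match(v):
        return v
    return None


def safe_size(value: str):
    """Return 'Npx' for an integer in range, otherwise None."""
    if re.fullmatch(r"\d{1,2}", value.strip()):
        n = int(value)
        if SIZE_MIN <= n <= SIZE_MAX:
            return f"{n}px"
    return None


def render_bbcode(text: str) -> str:
    """Escape the whole post for the HTML body context first (the EV0161 fix),
    then expand the two tags into spans whose style values can only be
    whitelisted strings (the EV0162 fix). A tag whose value is rejected is left
    as literal, already-escaped text rather than rendered."""
    escaped = html.escape(text, quote=True)

    def repl(m):
        kind, value, inner = m.group(1), m.group(2), m.group(3)
        css = safe_colour(value) if kind == "color" else safe_size(value)
        if css is None:
            return m.group(0)
        prop = "color" if kind == "color" else "font-size"
        return f'<span style="{prop}:{css}">{inner}</span>'

    return TAG.sub(repl, escaped)


if __name__ == "__main__":
    # Constructed sample posts.
    for post in ("[color=red]hi[/color]", "[size=14]big[/size]",
                 "[color=rgb(1,2,3)]y[/color]", "[size=500]x[/size]", "<b>x</b>"):
        print(repr(post), "->", render_bbcode(post))
```

Escaping before tag expansion is what keeps the two steps from undoing each other: the span markup is generated by the renderer from whitelisted pieces only, and every byte that came from the user has already passed through html.escape.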


OpenBSD's IPSEC is Backdoored

2010-12-15 Thread musnt live
Original e-mail is from Theo DeRaadt

http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

I have received a mail regarding the early development of the OpenBSD
IPSEC stack.  It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack.  Around 2000-2001.

Since we had the first IPSEC stack available for free, large parts of
the code are now found in many other projects/products.  Over 10
years, the IPSEC code has gone through many changes and fixes, so it
is unclear what the true impact of these allegations are.

The mail came in privately from a person I have not talked to for
nearly 10 years.  I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this.  Therefore I am
making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.

Of course I don't like it when my private mail is forwarded.  However
the "little ethic" of a private mail being forwarded is much smaller
than the "big ethic" of government paying companies to pay open source
developers (a member of a community-of-friends) to insert
privacy-invading holes in software.



From: Gregory Perry 
To: "dera...@openbsd.org" 
Subject: OpenBSD Crypto Framework
Thread-Topic: OpenBSD Crypto Framework
Thread-Index: AcuZjuF6cT4gcSmqQv+Fo3/+2m80eg==
Date: Sat, 11 Dec 2010 23:55:25 +
Message-ID: <8d3222f9eb68474da381831a120b1023019ac...@mbx021-e2-nj-5.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Status: RO

Hello Theo,

Long time no talk.  If you will recall, a while back I was the CTO at
NETSEC and arranged funding and donations for the OpenBSD Crypto
Framework.  At that same time I also did some consulting for the FBI,
for their GSA Technical Support Center, which was a cryptologic
reverse engineering project aimed at backdooring and implementing key
escrow mechanisms for smart card and other hardware-based computing
technologies.

My NDA with the FBI has recently expired, and I wanted to make you
aware of the fact that the FBI implemented a number of backdoors and
side channel key leaking mechanisms into the OCF, for the express
purpose of monitoring the site to site VPN encryption system
implemented by EOUSA, the parent organization to the FBI.  Jason
Wright and several other developers were responsible for those
backdoors, and you would be well advised to review any and all code
commits by Wright as well as the other developers he worked with
originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they
more than likely caught wind of the fact that those backdoors were
present and didn't want to create any derivative products based upon
the same.

This is also why several inside FBI folks have been recently
advocating the use of OpenBSD for VPN and firewalling implementations
in virtualized environments, for example Scott Lowe is a well
respected author in virtualization circles who also happens to be on
the FBI payroll, and who has also recently published several tutorials
for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

Merry Christmas...

Gregory Perry
Chief Executive Officer
GoVirtual Education

"VMware Training Products & Services"

540-645-6955 x111 (local)
866-354-7369 x111 (toll free)
540-931-9099 (mobile)
877-648-0555 (fax)

http://www.facebook.com/GregoryVPerry
http://www.facebook.com/GoVirtual


[USN-1024-2] OpenJDK regression

2010-12-15 Thread Kees Cook
===
Ubuntu Security Notice USN-1024-2 December 13, 2010
openjdk-6 regression
https://launchpad.net/bugs/688522
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.10:
  openjdk-6-jdk   6b20-1.9.2-0ubuntu2

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

USN-1024-1 fixed vulnerabilities in OpenJDK. Some of the additional
backported improvements could interfere with the compilation of certain
Java software. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that certain system property information was being
 leaked, which could allow an attacker to obtain sensitive information.


Updated packages for Ubuntu 10.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2-0ubuntu2.diff.gz
  Size/MD5:   144304 adc24f6354df2a2a1ae1d024069f9cf7

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2-0ubuntu2.dsc
  Size/MD5: 3004 b5b17735587556b44e8f661f56e2c912

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.2.orig.tar.gz
  Size/MD5: 73145170 16097f5b8d699fb72a7e9f4f40f7bc0a

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.2-0ubuntu2_all.deb
  Size/MD5: 19975574 e86e54e0edcb1ee7572a2cb8310c1a21

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.2-0ubuntu2_all.deb
  Size/MD5:  6155244 1e592facd826f092e948eca45d199616

http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.2-0ubuntu2_all.deb
  Size/MD5: 26839560 46684345135ee2f3444a4c08e204bafd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.2-0ubuntu2_amd64.deb
  Size/MD5:   430828 ab0dd71c758c1c606c547566484fc7ab


iDefense Security Advisory 12.14.10: Microsoft Internet Explorer HTML Object Memory Corruption Vulnerability

2010-12-15 Thread labs-no-reply
iDefense Security Advisory 12.14.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 14, 2010

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft
Corp. that has been included with Microsoft Windows since 1995. For
more information about Internet Explorer, please visit the following
website:

http://www.microsoft.com/ie/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user. During the
instantiation of multiple ActiveX Controls, a particular object is
created along with multiple references that point to the object. The
object can be destroyed and its associated references removed. However,
a reference can incorrectly remain pointing to the object. The invalid
object resides in uninitialized memory, which the attacker may control
to gain arbitrary execution control.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. To exploit
this vulnerability, a targeted user must load a malicious webpage
created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into a compromised, trusted
site.

IV. DETECTION

Microsoft Internet Explorer 6, 7 and 8 are vulnerable.

V. WORKAROUND

Microsoft suggested workarounds can be found in Microsoft Security
Bulletin MS10-090.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.

http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3340 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/24/2010  Initial Vendor Notification
03/24/2010  Initial Vendor Reply
12/14/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Aniway.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Re: [Full-disclosure] minor browser UI nitpicking

2010-12-15 Thread Michal Zalewski
> 1) Yup, pretty unconvincing. Though one could separate window shadows,

I'm guessing you have your window manager configured to render window
shadows. In this case, this is less plausible, yup, unless you do the
inverted gradient trick.

> 2) Where is "here"? :)

I tried to dig something up, but couldn't. But we definitely had these
around 2001-2003, culminating in browsers removing the ability to do
location=no in window.open().

/mz


[security bulletin] HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of Service (DoS), Gain Privileged Access

2010-12-15 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02656471
Version: 1

HPSBOV02618 SSRT100354 rev.1 - HP OpenVMS Integrity Servers, Local Denial of 
Service (DoS), Gain Privileged Access

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2010-12-14
Last Updated: 2010-12-14

Potential Security Impact: Local Denial of Service (DoS), gain privileged access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenVMS 
Integrity Servers. The vulnerability could be locally exploited to create a 
Denial of Service (DoS) or to gain privileged access to system resources.

References: CVE-2010-4110

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenVMS Itanium v 8.3, v 8.3-1H1, v 8.4.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference        Base Vector                    Base Score
  CVE-2010-4110    (AV:L/AC:L/Au:S/C:P/I:P/A:C)   5.7
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following patch kits available to resolve the vulnerability.

Mandatory Update Patch (MUP) for OpenVMS Integrity customers is provided in 
kits to be downloaded from the ITRC.
Patch kit information and installation instructions are provided with each kit.

To download the MUP from the ITRC:

- Go to http://itrc.hp.com/service/patch/mainPage.do
- Login using ID/e-mail and password
- Search from the below OpenVMS patches for the Patch Kit Image name

HP OpenVMS Version    Platform    Patch kit Image

v 8.3                 Itanium     VMS83I_SYS_MUP-V1600
v 8.3-1H1             Itanium     VMS831H1I_SYS_MUP-V1300
v 8.4                 Itanium     VMS84I_MUP-V0200

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 14 December 2010 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.

To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either

ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book

2010-12-15 Thread ACROS Security Lists
=[BEGIN-ACROS-REPORT]=

PUBLIC

=
ACROS Security Problem Report #2010-12-14-1
-
ASPR #2010-12-14-1: Remote Binary Planting in Windows Address Book
=

Document ID: ASPR #2010-12-14-1-PUB
Vendor:  Microsoft Corp. (http://www.microsoft.com)
Target:  Windows Address Book & Windows Contacts 
Impact:  Remote execution of arbitrary code
Severity:Very high
Status:  Official patch available, workarounds available
Discovered by:   Simon Raner of ACROS Security

CVSS score:  9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID:  CVE-2010-3147
CWE ID:  CWE-426: Untrusted Search Path

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2010-12-14-1-PUB.txt


Summary
===

A "binary planting" [1] vulnerability in Windows Address Book and Windows 
Contacts allows local or remote (even Internet-based) attackers to deploy 
and execute malicious code on Windows machines in the context of logged-on 
users.


Product Coverage


- Windows Server 2003
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2


Analysis 


As a result of an incorrect dynamic link library loading in Windows 
Address Book and Windows Contacts (wab.exe), an attacker can cause her 
malicious DLL to be loaded and executed from local drives, remote Windows 
shares, and even shares located on Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name (wab32res.dll) on a network share and get the user to open any .WAB, 
.VCF or .CONTACT file from this network location - which should require 
minimal social engineering. Once the user opens the file, wab.exe makes an 
unsafe call to LoadLibrary("wab32res.dll"). As this DLL is not present on 
the system, its malicious version gets loaded from the current working 
directory.

Windows systems by default have the Web Client service running - which 
makes remote network shares accessible via WebDAV -, thus the malicious 
DLL can also be deployed from an Internet-based network share as long as 
the intermediate firewalls allow outbound HTTP traffic to the Internet. 

A systematic attack could deploy malicious code to a large number of 
Windows workstations in a short period of time, possibly as an Internet 
worm.

Visit http://www.binaryplanting.com/ for more information on binary 
planting vulnerabilities and attacks.


Mitigating Factors 
==

- A firewall blocking outbound WebDAV traffic (in addition to blocking all 
  Windows Networking protocols) could stop an Internet-based attack.

- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based 
  exploitation of this vulnerability.


Solution 


Microsoft has issued a security bulletin [3] and published an update for
Windows Address Book and Windows Contacts that fixes this issue.


Workaround 
==

- Stopping the Web Client service could stop Internet-based attacks as 
  long as the network firewall stops outbound Microsoft Networking 
  protocols. This would not, however, stop remote LAN-based attacks where 
  the attacker is able to place a malicious DLL on a network share inside 
  the target (e.g., corporate) network.
  
- General recommendations for limiting or stopping binary planting attacks 
  are available at 
  http://www.binaryplanting.com/guidelinesAdministrators.htm
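An added host audit for the two workarounds named above (the CWDIllegalInDllSearch hotfix setting and the Web Client service state); this is example code, not ACROS's or Microsoft's, and it assumes the registry value the hotfix documents (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, DWORD CWDIllegalInDllSearch) and that the WebDAV redirector is the "WebClient" service.

```powershell
# Added example, not code from the ACROS report or from Microsoft.
# Assumptions: the hotfix setting lives at the registry value Microsoft's
# CWDIllegalInDllSearch hotfix documents (HKLM\SYSTEM\CurrentControlSet\
# Control\Session Manager, DWORD CWDIllegalInDllSearch) and the WebDAV
# redirector is the "WebClient" service. Run from an elevated prompt.

function Test-BinaryPlantingWorkarounds {
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $valueName  = 'CWDIllegalInDllSearch'

    # Read the hotfix setting if it exists. A registry DWORD above
    # 0x7FFFFFFF comes back as a negative Int32, so 0xFFFFFFFF reads as -1.
    $props = Get-ItemProperty -Path $sessionMgr -Name $valueName -ErrorAction SilentlyContinue
    $cwdSetting = if ($null -ne $props) { [int64]($props.$valueName) } else { $null }
    if ($cwdSetting -eq -1) { $cwdSetting = 4294967295 }

    if ($null -eq $cwdSetting) {
        $dllAssessment = 'NOT SET: the current working directory is still on the DLL search path'
    } elseif ($cwdSetting -eq 0) {
        $dllAssessment = 'DEFAULT (0): the current working directory is still on the DLL search path'
    } elseif ($cwdSetting -eq 1) {
        $dllAssessment = 'PARTIAL (1): DLL loads from a WebDAV working directory are blocked'
    } elseif ($cwdSetting -eq 2) {
        $dllAssessment = 'GOOD (2): DLL loads from WebDAV and remote UNC working directories are blocked'
    } elseif ($cwdSetting -eq 4294967295) {
        $dllAssessment = 'BEST (0xFFFFFFFF): the working directory is removed from the DLL search order'
    } else {
        $dllAssessment = "UNKNOWN value $cwdSetting"
    }

    # The Web Client service is what makes Internet-hosted WebDAV shares look
    # like ordinary network paths; with it stopped, an Internet share cannot
    # become the working directory of wab.exe. LAN shares over SMB are a
    # separate path that only the firewall rules in the report address.
    $webClient = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
    if ($null -eq $webClient) {
        $serviceState     = 'not installed'
        $webDavAssessment = 'WebDAV redirector absent: Internet-hosted shares are not reachable'
    } elseif ($webClient.Status -eq 'Running') {
        $serviceState     = 'Running'
        $webDavAssessment = 'WebClient RUNNING: a .WAB/.VCF/.CONTACT file opened from an Internet WebDAV share lets wab.exe search that share for wab32res.dll'
    } else {
        $serviceState     = $webClient.Status.ToString()
        $webDavAssessment = 'WebClient stopped: Internet WebDAV path closed; LAN shares still reachable over SMB'
    }

    [pscustomobject]@{
        CWDIllegalInDllSearch = $cwdSetting
        DllSearchAssessment   = $dllAssessment
        WebClientService      = $serviceState
        WebDavAssessment      = $webDavAssessment
    }
}

Test-BinaryPlantingWorkarounds | Format-List
```

Neither check replaces the vendor update; the hotfix and the service state only narrow where the DLL can be loaded from.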


Related Services


ACROS is offering professional consulting on this issue to interested 
corporate and government customers. Typical questions we can help you 
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside 
   your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there circumstances in your environment that might prevent the 
   effectiveness of this fix?

5) Are there other workarounds that you could implement to fix this issue 
   more efficiently and/or inexpensively?

6) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at 
secur...@acrossecurity.com.


Background
==

ACROS Security has performed an extensive Binary Planting research 
project, focused on various types of vulnerabilities where an attacker 
with low privileges can place (i.e., "plant") a malicious executable file 
(i.e., "binary") to some possibly remote location and get it launched by 
some vulnerable application running on user's computer. 

The research found that binary planting vulnerabilities are affecting a 
large percentage of Windows applications and often allowing for trivial 
exploitation: it identified ~520 remotel

minor browser UI nitpicking

2010-12-15 Thread Michal Zalewski
Hi folks,

Two minor things that do not deserve a lengthy discussion, but are
probably mildly interesting and worth mentioning for the record:

1) Chrome browser is an interesting example of the perils of using
minimalistic window chrome, allowing multiple windows to be spliced
seamlessly to confuse the user as to the origin of the displayed
content. An unconvincing Windows-specific proof-of-concept:
http://lcamtuf.coredump.cx/chsplice/

2) I reported this to the vendor long time ago, and could not get them
to commit to a specific fix: Safari allows windows without the address
bar and other essential chrome, akin to the behavior of other browsers
circa 10 years ago. This essentially makes all other address spoofing
vulnerabilities redundant, as the attacker has the ability to decorate
windows arbitrarily (you can look up ancient proof-of-concept exploits
for Netscape or MSIE here).

/mz


iDefense Security Advisory 12.14.10: Microsoft Internet Explorer CSS Style Table Layout Uninitialized Memory Vulnerability

2010-12-15 Thread labs-no-reply
iDefense Security Advisory 12.14.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 14, 2010

I. BACKGROUND

Internet Explorer is a graphical web browser developed by Microsoft
Corp. that has been included with Microsoft Windows since 1995. For
more information about Internet Explorer, please visit the following
website:

http://www.microsoft.com/ie/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.

The vulnerability exists due to an uninitialized variable in the
"CLayout::EnsureDispNode" method. This method is called to recalculate
the location of various HTML elements within the page. This function
passes a "CDispNodeInfo" object to another function,
"CLayout::GetDispNodeInfo," which is supposed to initialize the object
passed in; however, the function fails to properly initialize a flag's
value that is used later to determine how many "extra" bytes to
allocate for a heap buffer. This eventually leads to an undersized
buffer being allocated to hold a "CDispClipNode" object in the
"CLayout::EnsureDispNodeCore" function. The vulnerability manifests
itself when the "CDispNode::SetUserClip" function attempts to use the
invalid "extra size" to calculate an offset into the object and
manipulate a bit at this location. This corrupts the object's VTABLE by
setting the second bit to 1, which can lead to the execution of
arbitrary code when this pointer is accessed later.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the Web page. To exploit
this vulnerability, a targeted user must load a malicious Web page. An
attacker typically accomplishes this via social engineering or
injecting content into compromised, trusted sites. After the user
visits the malicious Web page, no further user interaction is needed.

IV. DETECTION

Microsoft Internet Explorer 6, 7 and 8 are vulnerable.

V. WORKAROUND

Microsoft suggested workarounds can be found in Microsoft Security
Bulletin MS10-090.

VI. VENDOR RESPONSE

Microsoft Corp. has released patches which address this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.

http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3962 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/11/2010  Initial Vendor Notification
08/11/2010  Initial Vendor Reply
12/14/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by José Antonio Vázquez
González.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


OSSTMM 3 Now Available!

2010-12-15 Thread Pete Herzog

Hi,

The OSSTMM has been released today at www.osstmm.org.

It's a big document so you may want to check out some of the 
reviews and commentary on it first. InfoSec Island is having an OSSTMM 
week to spread the word:


https://www.infosecisland.com/osstmm.html

Some of the articles available:

* Security Benefit and Operational Impact or the "Illusion of Infinite 
Resources"

https://www.infosecisland.com/blogview/10251-Security-Benefit-and-Operational-Impact-or-the-Illusion-of-Infinite-Resources.html

* OSSTMM v3 From A Client's Perspective
https://www.infosecisland.com/blogview/10214-OSSTMM-v3-From-A-Clients-Perspective.html

* OSSTMM 2.2 to 3 - a long trail!
https://www.infosecisland.com/blogview/10216-OSSTMM-22-to-3-a-long-trail.html

* Tiempos de Cambio: OSSTMM 3 - Una Introducción
https://www.infosecisland.com/blogview/10215-Tiempos-de-Cambio-OSSTMM-3-Una-Introduccin-.html

* Security, Trust and How We Are Broken - SecTor 2010
https://www.infosecisland.com/security-videos-view/10197-Security-Trust-and-How-We-Are-Broken-SecTor-2010.html

* Methodologies: Cleaning the Mental Gutters
https://www.infosecisland.com/blogview/9138-Methodologies-Cleaning-the-Mental-Gutters.html

* Implementing OSSTMM Strategies Creates Value
https://www.infosecisland.com/blogview/8340-Implementing-OSSTMM-Strategies-Creates-Value.html

* Better Security Through Sacrificing Maidens
https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html

And many more! Check it out!

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org



www.eVuln.com : "post" - Non-persistent XSS in slickMsg

2010-12-15 Thread www.eVuln.com Advisories
www.eVuln.com advisory:
"post" - Non-persistent XSS in slickMsg
Summary: http://evuln.com/vulns/161/summary.html 
Details: http://evuln.com/vulns/161/description.html 

---Summary---
eVuln ID: EV0161
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripting
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )
Description
It is possible to inject xss code into "post" parameter in
"views/Post/edit/form.php" script.
Parameter "post" is not properly sanitized before being used in HTML
code.
Condition: register_globals: on
PoC/Exploit
PoC code is available at:
http://evuln.com/vulns/161/exploit.html 
-Solution--
Not available
--Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/auth-bypass/ - recent Authentication Bypass vulns




Re: [Full-disclosure] Linux kernel exploit

2010-12-15 Thread Ariel Biener
But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
default.

--Ariel

fireb...@backtrack.com.br wrote:
> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost~]#nano full-nelson.c
> [r...@localhost~]#gcc-o full-nelson.c full-nelson
> [r...@localhost~]#./full-nelson
> [*] Failed to open file descriptors.
> [r...@localhost~]# uname-a
> Linux localhost.localdomain 2.6.18-194.26.1.el5 # 1 SMP Thu Nov 9 12:54:40 
> EST 2010 i686 i686 i386 GNU/Linux
> [r...@localhost~]#
>
> My 10 cents:)
>
> @firebitsbr
>
>   

-- 
 --
 Ariel Biener
 e-mail: ar...@post.tau.ac.il
 PGP: http://www.tau.ac.il/~ariel/pgp.html



Re: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Marsh Ray

On 12/13/2010 11:19 AM, Michael Bauer wrote:

> An administrator is very different there are many levels of
> administrative control in windows to say an admin is an admin is
> absurd.


I disagree. There's only one level of pwned.


> There is a big difference between a local admin and a domain
> admin.


Yes, local vs. network is sometimes a useful distinction.

But joining a machine to the domain gives it a bit more power to attack 
other stuff on the domain. And how many domain-joined systems do not 
also include Domain Admins as Local Admins?



> There are many types of admin in windows and all of them have
> different levels of permission.


I disagree.


> I would be very scared to have anyone
> taking care of any of my systems windows or NIX who thought an admin
> was an admin and root is root.


You ought to be scared anyway.
There's a new local exploit here every few days or weeks.


> Here is a reference showing the
> different SIDs for some common windows accounts.
> Http://support.microsoft.com/kb/24333
>
> If you take time to read it you will see there are numerous types of
> windows administrator all with different permissions.


I know MS set out to define all these different capabilities and so on. 
My impression is that much of that was suggested by Orange Book. But 
they supposedly obtained this Orange Book certification yet still 
installed notepad.exe as world-writable by default.


In practice, those distinctions rarely hold up under scrutiny. Remember 
"Guest User" vs "User" vs "Power User"? MS has greatly de-emphasized the 
utility of boundaries between privileges in the OS over time, 
preferring instead to invent new ones that were more relevant to the 
times. Witnesseth the recent discussions about the elevation token and 
IE protected mode.


The best you can hope for is to maintain an effective boundary between 
normal users and root/admin. But usually as soon as you install a few 
off-the-shelf Windows or shareware apps, it's gone. Try this: install 
your favorite "productivity" app in a non-default directory, e.g. C:\, 
then look at the filesystem permissions on its executable folder (and 
everywhere it might load DLLs from). Then note that (just a wild guess) 
it probably runs some dll-preloader and system tray icon processes for 
everyone who logs in - even Admins.


Even on a pristine OS install, the next local escalation bug is just a 
matter of time, and that's just the published ones. The bad guys likely 
have plenty already.


If you're lucky, you might be able to maintain an effective security 
boundary between a local computer and the network. Don't waste your time 
trying to protect machines from users who have unsupervised physical 
access anyway.


- Marsh


Re: [Full-disclosure] Linux kernel exploit

2010-12-15 Thread Ryan Sears
Hey Dan,

Freaking THANK YOU first and foremost. I've been waiting for someone to say 
that for days now, and was just about to myself. 

Just because everyone and their brother want's to show off that they can 
compile & run some software (herp a derp, good job) DOESN'T mean they should 
immediately post it here. I tested it against an OLDER KERNEL on purpose 
because I actually read the headers and the exploit worked as expected. I knew 
that this was responsibly disclosed, so it was already patched on any system 
that I updated. If you don't have the proper symbols, then the exploit doesn't 
have the proper offsets, and the exploit will fail. Plain and simple. *THEN* 
there's people who don't even bother to read that "Red Hat does not support 
Econet by default". DOES NOT. As in the exploit WON'T WORK!

It's pathetic that the original exploit dev has to waste his time saying the 
same thing 5 times.



Ryan Sears

- Original Message -
From: "dan j rosenberg" 
To: "Cal Leeming [Simplicity Media Ltd]" 
, 
full-disclosure-boun...@lists.grok.org.uk, "Ariel Biener" 
Cc: "leandro lista" , fireb...@backtrack.com.br, 
bugtraq@securityfocus.com, full-disclos...@lists.grok.org.uk
Sent: Monday, December 13, 2010 4:08:05 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Linux kernel exploit

Please don't inundate me with e-mail because none of you bothered to read the 
exploit header.

The exploit so far has a 100% success rate on the systems it was designed to 
work on.

I don't think this is rocket science.  If your distribution does not compile 
Econet, then the exploit obviously won't be able to open an Econet socket.  
This includes Arch Linux, Gentoo, Fedora, Red Hat, CentOS, Slackware, and more. 
 This doesn't mean you're not vulnerable, it just means this particular exploit 
won't work.

If your distro doesn't export the relevant symbols (Debian), ditto above.

If your distro has patched the Econet vulnerabilities I used to trigger this 
(Ubuntu), ditto above.

This was done on purpose, to avoid giving a weaponized exploit to people who 
shouldn't have one.

-Dan


Sent from my Verizon Wireless BlackBerry

-Original Message-
From: "Cal Leeming [Simplicity Media Ltd]"

Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Mon, 13 Dec 2010 20:40:45 
To: Ariel Biener
Cc: ; ; 
; 
Subject: Re: [Full-disclosure] Linux kernel exploit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


RE: [Full-disclosure] Flaw in Microsoft Domain Account CachingAllows Local Workstation Admins to Temporarily EscalatePrivileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Thor (Hammer of God)
>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?

Exactly.  More importantly, even if you must make users local admins, there is 
never *any* reason why the domain administrator should interactively log onto a 
workstation as the domain administrator anyway.  Service personnel log on with 
support accounts, not the domain admin accounts.  If they do, well, then you've 
got other problems.  But in this case even if a domain admin logs in 
interactively (or via RDP), it's not an issue.  Cached credentials can't be 
used for anything other than to log on to the local machine if there is no DC 
available.  After a domain account logs on to a local system, after AD 
authenticates the request, then *another* hash is made of the hashed password 
with *a different salt* each time, for each user cached. 

As far as the academic interest, cached account behavior is a documented 
process which has been around for years, local admin overwrite capabilities 
included.  

t
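An added audit for the two things this sub-thread turns on (how many domain logons a workstation keeps cached, and whether a domain-level admin group sits in the local Administrators group); this is example code, not part of anyone's post, and it assumes the Winlogon CachedLogonsCount value (default 10 when absent) and the default "Domain Admins" group name.

```powershell
# Added example, not code from the thread. Assumptions: the number of
# cached domain logons is the Winlogon value CachedLogonsCount (a REG_SZ,
# default 10 when absent) and the domain's administrative group is named
# "Domain Admins". Run on a domain-joined workstation.

function Get-CachedLogonExposure {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedLogons = if ($null -eq $raw) { 10 } else { [int]$raw }

    if ($cachedLogons -eq 0) {
        $cacheAssessment = 'no domain credentials are cached on this host'
    } elseif ($cachedLogons -eq 1) {
        $cacheAssessment = 'only the most recent domain logon is cached'
    } else {
        $cacheAssessment = "verifiers for up to $cachedLogons domain users are cached and readable by a local admin"
    }

    # Enumerate local Administrators through ADSI, which works on every
    # Windows version discussed in the thread (no Get-LocalGroupMember needed).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })

    # Domain principals appear as DOMAIN/Name; the host's own accounts as COMPUTERNAME/Name.
    $domainAdminGroups = @($members | Where-Object { $_ -like '*/Domain Admins' })
    $domainPrincipals  = @($members | Where-Object { $_ -notlike "$env:COMPUTERNAME/*" })

    [pscustomobject]@{
        CachedLogonsCount          = $cachedLogons
        CachedLogonsAssessment     = $cacheAssessment
        LocalAdministrators        = $members
        DomainAdminsAreLocalAdmins = ($domainAdminGroups.Count -gt 0)
        DomainPrincipalsInLocalAdmins = $domainPrincipals
    }
}

Get-CachedLogonExposure | Format-List
```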


Re: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread StenoPlasma @ www.ExploitDevelopment.com
Everyone.

Please read my original post.  I never claimed to gain access to
networked resources using the masqueraded account.  My method merely
shows that you can modify the SAM and SECURITY hives without using DLL
injection or any other advanced technique that security Admins are
currently looking for when it comes to advanced persistent threats.


On Dec 13, 2010 11:54 AM, "Kurt Dillard"  wrote:
> So far I agree with Thor. Did I miss something? Has anyone demonstrated
> using the locally cached credentials to access resources across the network?
> So far I haven't seen anything new or interesting in this thread:
>
> 1. StenoPlasma claims that a local admin can access and reuse the cached
> credentials of other users.
> 2. Stefan, Thor, et al yawn.
> 3. Joyce, Andrea, and perhaps others seem to be conflating local access
> (what StenoPlasma was talking about) with gaining domain admin privileges on
> domain controllers and other resources on separate machines (which nobody
> appears to have shown is possible using locally cached credentials).
>
> If I've missed something obvious please educate me.
>
> Regards,
>
> Kurt Dillard
>
>
>
>
> -Original Message-
> From: katt...@gmail.com [mailto:katt...@gmail.com] On Behalf Of Andrea Lee
> Sent: Monday, December 13, 2010 2:12 PM
> To: Thor (Hammer of God)
> Cc: George Carlson; bugtraq@securityfocus.com;
> full-disclos...@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
> Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
> as Cached Domain Admin Accounts (2010-M$-002)
>
> I hope I'm not just feeding the troll...
>
> A local admin is an admin on one system. The domain admin is an admin on all
> systems in the domain, including mission critical Windows servers. With
> temporary domain admin privs, the local admin could log into the AD and
> change permissions / passwords for another user or another user, thus
> getting full admin rights on all systems for a long period of time. Plus
> whatever havoc might be caused by having the ability to change rights on
> fileshares to allow the new domain admin to see confidential files..
>
> I would expect that the intent is to use another flaw for a normal user to
> become a local admin, and then jump to domain admin via this.
>
> So yes. In an enterprise environment, the "domain administrator" is
> "bigger".
>
> Cheers,
>
> On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God) 
> wrote:
>> Wow.  I guess you didn't read the post either.  I'm a bit surprised that a
> Sr. Network Engineer thinks that Group Policies "differentiate between local
> and Domain administrators."  You're making it sound like you think Group
> Policy application has some "magic permissions" or something, or that a
> "domain administrator" is a "bigger" administrator than the local
> administrator.
>>
>> Group Policy loads from the client via the Group Policy Client service.
> If I'm a local admin, I can just set my local system to not process group
> policy via the GPExtensions hive.  Done.  If I take the domain admin out of
> my local administrators, they can't do anything.  Done.
>>
>> How exactly do you think this is problematic for "shops that differentiate
> between desktop support and AD support"?  (whatever that means).
>>
>> t
>>
>>>-Original Message-
>>>From: full-disclosure-boun...@lists.grok.org.uk
>>>[mailto:full-disclosure- boun...@lists.grok.org.uk] On Behalf Of
>>>George Carlson
>>>Sent: Friday, December 10, 2010 10:12 AM
>>>To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk
>>>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account
>>>Caching Allows Local Workstation Admins to Temporarily Escalate
>>>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>>>
>>>Your objections are mostly true in a normal sense.  However, it is not
>>>true when Group Policy is taken into account.  Group Policies
>>>differentiate between local and Domain administrators and so this
>>>vulnerability is problematic for shops that differentiate between
>>>desktop support and AD support.
>>>
>>>
>>>George Carlson
>>>Sr. Network Engineer
>>>(804) 423-7430
>>>
>>>
>>>-Original Message-
>>>From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>>>Sent: Friday, December 10, 2010 11:30 AM
>>>To: bugtraq@securityfocus.com; full-disclos...@lists.grok.org.uk
>>>Cc: stenopla...@exploitdevelopment.com
>>>Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local
>>>Workstation Admins to Temporarily Escalate Privileges and Login as
>>>Cached Domain Admin Accounts (2010-M$-002)
>>>
>>>"StenoPlasma @ www.ExploitDevelopment.com" wrote:
>>>
>>>Much ado about nothing!
>>>
 TITLE:
 Flaw in Microsoft Domain Account Caching Allows Local Workstation
 Admins to Temporarily Escalate Privileges and Login as Cached Domain
 Admin Accounts
>>>
>>>There is NO privilege escalation. A local administrator is an
>>>admistrator is an administ

Re: hidden admin user on every HP MSA2000 G3

2010-12-15 Thread nightfighter
Can anyone confirm this vulnerability?
I don't have an MSA for testing at the moment.

> Hi,
>
> i just found out that there is a hidden user on every HP MSA2000 G3 
> SAN out there:
>
> username: admin
> password: !admin
>
> this user doesn't show up in the user manager, and the password 
> cannot be changed - looks like the perfect backdoor for everybody.
>
>
>



Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Michael Bauer
Maybe what some of us need to learn from this is that we should never think in 
absolutes such as local VS domain users. There are numerous account types and 
the overrides to take into account with any OS, and they change.

This is more of a wakeup call to brush up on our understanding of permissions.

I know this is not a vulnerability but it was a great posting to wake some of 
us up and remind us that things are never absolute when it comes to 
permissions. We learn about things in such a manner that we forget to think 
outside the box. Even if controls are designed to work a specific way that 
doesn't mean they will. 

This is not directed at anyone; rather, it is an observation that might help others with 
similar thoughts on the subject.

Mike

Sent from my iPhone

On Dec 13, 2010, at 1:15 PM, "David Gillett"  wrote:

>> If I take the domain admin out of my local administrators, they can't do
> anything.  Done.
> 
>  Back when I did AD/domain support, all domain user accounts got a profile
> that included a trivial script to re-add Domain Admins to the Local Admins
> group.  So this kind of local removal shenanigans lasted only until the user
> next logged into the domain.
> 
> David Gillett
> 


Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Stefan Kanthak
"Andrea Lee"  wrote:

> I hope I'm not just feeding the troll...

No. You just made a complete fool of yourself. :-P
Read the initial post again.
CAREFULLY.
Especially that part about unplugging from the network.

> A local admin is an admin on one system. The domain admin is an admin
> on all systems in the domain, including mission critical Windows
> servers.

Correct so far.

> With temporary domain admin privs,

What are "temporary domain admin privs"?
If you meant to say "cached credentials", just use "cached credentials".

> the local admin could log into the AD

A local admin (or better: a local user account) CAN'T log into the AD.
Only domain user accounts can.

Cached credentials are stored for domain accounts only, and are only
used when the AD is NOT available during login. They are NEVER used to
login to another computer!

> and change permissions / passwords for another user or
> another user, thus getting full admin rights on all systems for a long
> period of time. Plus whatever havoc might be caused by having the
> ability to change rights on fileshares to allow the new domain admin
> to see confidential files..
>
> I would expect that the intent is to use another flaw for a normal
> user to become a local admin, and then jump to domain admin via this.

You got wrong expectations. And: there is no "jump"!

> So yes. In an enterprise environment, the "domain administrator" is "bigger".

GIGO!

Stefan

[ braindead fullquote removed ]



Re: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Stefan Kanthak
"StenoPlasma @ ExploitDevelopment"  wrote:

Your MUA is defective, it strips the "References:" header! 

> Stefan,
> 
> For your information:
> 
> Cached domain accounts on a local system are not stored in the SAM.  They 
> are stored in the SECURITY registry hive.  When a cached domain user logs 
> in to the system, they do not authenticate against the SAM (As you can see 
> in my article, I am not editing the SAM).  

OUCH!
Obviously you have NOT understood a single word!

It is COMPLETELY irrelevant where cached credentials are stored on the
local computer, and I haven't written anything about that.

Logins with local user accounts are authenticated against the resp. SAM,
whereas logins with domain user accounts are authenticated against the
resp. AD. Only if the latter is not available are cached credentials used.

Stefan

[ another braindead fullquote removed]
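Two settings the thread turns on, the number of domain logons Winlogon caches for use when no DC is reachable (Stefan's point) and whether Domain Admins is still in the local Administrators group (David Gillett's re-add script), can be audited from the defender's side. This is an added example, not code from any poster; it assumes a domain-joined Windows host with PowerShell 5.1 or later, run elevated, and uses CONTOSO as a placeholder domain name.

```powershell
# Added example (not from the thread). Placeholder: replace CONTOSO with your NetBIOS domain.
$Domain = 'CONTOSO'

# 1. How many domain logons Winlogon keeps cached for offline logon.
#    The value lives as REG_SZ under Winlogon; absent means the default of 10,
#    0 disables caching entirely (laptops then cannot log on without a DC).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
Write-Output "CachedLogonsCount = $cached (policy: 'Interactive logon: Number of previous logons to cache')"

# 2. Has a local admin removed Domain Admins from the local Administrators group?
#    Gillett's counter-measure was a logon script that re-adds it; this does the
#    same check on demand and re-adds the group only when it is missing.
$da = "$Domain\Domain Admins"
$members = Get-LocalGroupMember -Group 'Administrators' |
           Select-Object -ExpandProperty Name
if ($members -contains $da) {
    Write-Output "OK: $da is a member of local Administrators"
} else {
    Write-Warning "$da is missing from local Administrators; re-adding"
    Add-LocalGroupMember -Group 'Administrators' -Member $da
}
```

As the thread itself notes, a local admin can undo the membership change again, so the check is a detection and repair step, not a boundary.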