[security bulletin] HPSBMU02797 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.1x Running JDK for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Information Disclosure, Modification,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03358587

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03358587
Version: 1

HPSBMU02797 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.1x Running JDK for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Information Disclosure, Modification, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-07-16
Last Updated: 2012-07-16

Potential Security Impact: Remote unauthorized information disclosure, modification, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) running JDK for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in unauthorized information disclosure, modification, or Denial of Service (DoS).
References: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475, CVE-2010-4476, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0508

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager i (NNMi) v9.1x for HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-4422    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2010-4447    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2010-4448    (AV:N/AC:H/Au:N/C:N/I:P/A:N)       2.6
CVE-2010-4450    (AV:L/AC:H/Au:N/C:P/I:P/A:P)       3.7
CVE-2010-4451    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2010-4452    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4454    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4462    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4463    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4465    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4466    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2010-4467    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4468    (AV:N/AC:H/Au:N/C:P/I:P/A:N)       4.0
CVE-2010-4469    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4470    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2010-4471    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2010-4472    (AV:N/AC:H/Au:N/C:N/I:N/A:P)       2.6
CVE-2010-4473    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2010-4474    (AV:L/AC:L/Au:N/C:P/I:N/A:N)       2.1
CVE-2010-4475    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2010-4476    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2011-0786    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2011-0788    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2011-0802    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0814    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0815    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0817    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0862    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0863    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0864    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0865    (AV:N/AC:H/Au:N/C:N/I:P/A:N)       2.6
CVE-2011-0866    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2011-0867    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-0868    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-0869    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-0871    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-0872    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2011-0873    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-3389    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2011-3516    (AV:N/AC:H/Au:N/C:C/I:C/A:C)       7.6
CVE-2011-3521    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-3544    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-3545    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2011-3546    (AV:N/AC:M/Au:N/C:P/I
[security bulletin] HPSBMU02799 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.0x Running JDK for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Information Disclosure, Modification,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03405642

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03405642
Version: 1

HPSBMU02799 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.0x Running JDK for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Information Disclosure, Modification, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-07-16
Last Updated: 2012-07-16

Potential Security Impact: Remote unauthorized information disclosure, modification, Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) running JDK for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in unauthorized information disclosure, modification, or Denial of Service (DoS).
References: CVE-2009-3555, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, CVE-2010-0886, CVE-2010-0887, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475, CVE-2010-4476, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0508

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Network Node Manager i (NNMi) v9.0x for HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-3555    (AV:N/AC:M/Au:N/C:N/I:P/A:P)       5.8
CVE-2009-3865    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3866    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3867    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3868    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3869    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3871    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3872    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3873    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3874    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
CVE-2009-3875    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
CVE-2009-3876    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2010-0082    (AV:N/AC:H/Au:N/C:P/I:P/A:P)       5.1
CVE-2010-0084    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2010-0085    (AV:N/AC:H/Au:N/C:P/I:P/A:P)       5.1
CVE-2010-0087    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2010-0088    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2010-0089    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2010-0090    (AV:N/AC:M/Au:N/C:N/I:P/A:P)       5.8
CVE-2010-0091    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2010-0092    (AV:N/AC:H/Au:N/C:P/I:P/A:P)       5.1
CVE-2010-0093    (AV:N/AC:H/Au:N/C:P/I:P/A:P)       5.1
CVE-2010-0094    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2010-0095    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2010-0837    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2010-0838    (AV:N/AC:L/Au:N/C:P/I:P/A:P
[PT-2012-23] SQL Injection in Dr.Web Anti-virus
Positive Technologies Security Advisory (PT-2012-23)

SQL Injection in Dr.Web Anti-virus

---[ Vulnerable software ]

Dr.Web Anti-virus
Version: 7.00.0 and earlier
Application link: https://play.google.com/store/apps/details?id=com.drweb.pro

---[ Severity level ]

Severity level: Medium
Impact: SQL Injection
Access Vector: Local

CVSS v2:
  Base Score: 6.6
  Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:C)

CVE: not assigned

---[ Software description ]

Dr.Web Anti-virus is antivirus software for the Android platform.

---[ Vulnerability description ]

Specialists of the Positive Research center have detected an SQL injection vulnerability in the Dr.Web Anti-virus application for Android, in the com.drweb.activities.antispam.CursorActivity class. Through it, a third-party application installed on the same device can obtain the call history or SMS messages held by Dr.Web.

---[ How to fix ]

Update to the latest version.

---[ Advisory status ]

11.07.2012 - Vendor is notified
11.07.2012 - Vendor gets vulnerability details
13.07.2012 - Vendor releases fixed version and details
17.07.2012 - Public disclosure

---[ Credits ]

The vulnerability was discovered by Artem Chaykin, Positive Research Center (Positive Technologies Company)

---[ References ]

http://en.securitylab.ru/lab/PT-2012-23
http://news.drweb.com/show/?c=5&i=2573&lng=en

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

---[ About Positive Technologies ]

Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia. The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal.
Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA. Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.
Secunia Research: Cisco Linksys PlayerPT ActiveX Control "SetSource()" Buffer Overflow
======================================================================
Secunia Research 17/07/2012

Cisco Linksys PlayerPT ActiveX Control "SetSource()" Buffer Overflow
======================================================================

Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

======================================================================
1) Affected Software

* Cisco Linksys PlayerPT ActiveX Control 1.0.0.15

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where: Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Cisco Linksys PlayerPT ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Cisco Linksys PlayerPT ActiveX control is bundled with the Cisco WVC200 Wireless-G PTZ Internet Video Camera and is used by client systems to view footage via Internet Explorer. The ActiveX control is marked safe-for-scripting, and one of the provided methods is "SetSource()", which is used to set the source of the footage to view. The method accepts five string arguments, where the first ("sURL") is the URL to the footage.

When a web page instantiates the ActiveX control and invokes the "SetSource()" method, the function in PlayerPT.ocx responsible for handling this method is called. The function performs various checks on the supplied arguments, including a check to determine if the "sFrameType" string (2nd argument) is set to "mpeg". If so, the function searches for and strips "img/video.asf" from the provided URL in the "sURL" argument; if not, "img/mjpeg.cgi" is used. The URL is stored in a CString object and URLs to various resources are crafted from the base URL, including a URL to the "img/query.cgi" resource. Later, this URL is copied into a 256 byte stack buffer via a call to sprintf() without performing any size checks.

This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted URL.

Successful exploitation allows execution of arbitrary code.
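The pattern section 3 describes, an unbounded sprintf() of a derived URL into a 256-byte stack buffer, next to the bounded version a fixed handler would use. This is an added example written for this page, not code from PlayerPT.ocx or from Secunia; the function names, the "mpeg"/"img/video.asf" stripping logic and the sample camera URL are assumptions based only on the advisory text above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 256 bytes, matching the stack buffer size the advisory gives. */
#define QUERY_URL_BUF 256

/*
 * Derive the base URL the way the advisory says the control does it:
 * with sFrameType "mpeg" the control strips "img/video.asf" from sURL,
 * otherwise "img/mjpeg.cgi". Unlike the control, this copy is bounded
 * and reports failure when the base does not fit.
 */
bool derive_base_url(const char *surl, const char *frame_type,
                     char *base, size_t base_size)
{
    const char *tail = (strcmp(frame_type, "mpeg") == 0) ? "img/video.asf"
                                                         : "img/mjpeg.cgi";
    size_t len = strlen(surl);
    const char *hit = strstr(surl, tail);
    if (hit != NULL)
        len = (size_t)(hit - surl);          /* keep everything before the tail */
    if (len >= base_size)
        return false;
    memcpy(base, surl, len);
    base[len] = '\0';
    return true;
}

/*
 * VULNERABLE pattern, as described: sprintf() into a fixed 256-byte stack
 * buffer with no size check. A base URL longer than 256 - 13 - 1 bytes
 * writes past the end of `out`. Kept only for contrast; never call it
 * with attacker-controlled input.
 */
void build_query_url_unsafe(const char *base, char out[QUERY_URL_BUF])
{
    sprintf(out, "%simg/query.cgi", base);
}

/*
 * Hardened: snprintf() bounded by the destination, and the return value is
 * checked so that truncation is an error rather than a silently wrong URL.
 */
bool build_query_url_safe(const char *base, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%simg/query.cgi", base);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';
        return false;                        /* would have overflowed */
    }
    return true;
}

/* What a safe SetSource() handler should do: reject unless every step fits. */
bool set_source_checked(const char *surl, const char *frame_type,
                        char *query_url, size_t query_url_size)
{
    char base[QUERY_URL_BUF];
    if (!derive_base_url(surl, frame_type, base, sizeof base))
        return false;
    return build_query_url_safe(base, query_url, query_url_size);
}

/* Helper: is a sURL of `len` 'A' bytes (no tail) rejected by the checked path? */
bool oversized_url_rejected(size_t len)
{
    char out[QUERY_URL_BUF];
    char *surl = malloc(len + 1);
    if (surl == NULL)
        return true;
    memset(surl, 'A', len);
    surl[len] = '\0';
    bool accepted = set_source_checked(surl, "mjpeg", out, sizeof out);
    free(surl);
    return !accepted;
}

int main(void)
{
    char out[QUERY_URL_BUF];
    /* Constructed sample: the URL shape a camera page would hand the control. */
    const char *surl = "http://192.0.2.10/img/video.asf";
    if (set_source_checked(surl, "mpeg", out, sizeof out))
        printf("%s -> %s\n", surl, out);
    printf("242-byte base accepted: %d\n", !oversized_url_rejected(242));
    printf("243-byte base rejected: %d\n", oversized_url_rejected(243));
    printf("600-byte base rejected: %d\n", oversized_url_rejected(600));
    return 0;
}
```

The boundary is 242 bytes of base URL: 242 + strlen("img/query.cgi") + the terminator is exactly 256, one more overflows. The checked path refuses anything at or past that point instead of trusting the caller, which is the only defence that works for a control that is marked safe-for-scripting and therefore callable from any web page.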
======================================================================
4) Solution

According to the vendor, the ActiveX control is bundled only with products considered EOL and is therefore itself considered EOL. The vendor is currently working on getting the kill-bit set.

As a workaround, set the kill-bit for the following CLSID:

* {9E065E4A-BD9D-4547-8F90-985DC62A5591}

======================================================================
5) Time Table

23/03/2012 - Vulnerability discovered while analysing public report of similar vulnerability (SA48543#1).
23/03/2012 - Vendor notified.
02/04/2012 - Vendor response (WVC200 product bundling the ActiveX control has become EOL).
03/04/2012 - Vendor informed that ActiveX control should have kill-bit set if considered EOL and asked to confirm that no currently supported products bundle it.
13/04/2012 - Status update requested.
15/04/2012 - Vendor response (currently checking which products bundle the ActiveX control and looking into setting kill-bit).
21/06/2012 - Status update requested.
13/07/2012 - Status update requested.
13/07/2012 - Vendor response (determined that no supported products bundle the vulnerable ActiveX control and looking into setting kill-bit).
17/07/2012 - Public disclosure.

======================================================================
6) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2012-0284 for the vulnerability.

======================================================================
8) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
DomsHttpd 1.0 <= Remote Denial Of Service
# DomsHttpd 1.0 <= Remote Denial Of Service
# Discovered by: Jean Pascal Pereira

About DomsHttpd: "A very simple HTTP protocol program base on asynchronous socket model."

Vendor URI: http://domshttpd.codeplex.com/

# A remote attacker can crash the application by sending a malformed Referer header inside the HTTP request.

- Exploit / Proof Of Concept: http://dl.packetstormsecurity.net/1207-exploits/domshttpd-dos.txt
- Solution: Do some input validation.
KeePass Password Safe v1.22 - Software Filter Vulnerability
Title:
KeePass Password Safe v1.22 - Software Filter Vulnerability

Date:
2012-06-26

References:
http://www.vulnerability-lab.com/get_content.php?id=615

VL-ID:
615

Common Vulnerability Scoring System:
3

Introduction:
KeePass is a very famous & free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

(Copy of the Vendor Homepage: http://keepass.info )

Abstract:
The Vulnerability Laboratory Research Team discovered a software filter & validation vulnerability in KeePass Password Safe v1.22 & older versions.

Report-Timeline:
2012-06-13: Researcher Notification & Coordination
2012-06-14: Vendor Notification
2012-06-20: Vendor Response/Feedback
2012-06-26: Public or Non-Public Disclosure
2012-07-01: Vendor Fix/Patch

Status:
Published

Affected Products:
Dominik Reichl
Product: KeePass Password Safe v1.22 & older versions

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A software filter & validation vulnerability was found in KeePass Password Safe v1.22 & older versions. It allows a (local) attacker to inject script code that runs when a manipulated KeePass database is exported. The vulnerability is located in the HTML/XML export module and the URL (domain) field of an entry that the export lists: entry URLs are embedded in the exported HTML file without encoding XML special characters, so when the URL field of an entry contains script code, that code is executed when the exported HTML file is opened in a browser.
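The fix for the export bug described above is output encoding: every entry field has to be escaped before it is placed into an HTML attribute or element. The same defect, user-supplied text reaching an HTML listing unencoded, is what the persistent XSS entries in the AVAVoIP advisory later on this page describe, so one example serves both. This is an added example for this page, not KeePass or AVAVoIP code; the `<td><a href=...>` cell shape, the function names and the payload string are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape the five characters that are special in HTML/XML attribute and
 * element content. Returns the number of bytes written (excluding the NUL)
 * or -1 if `out` is too small.
 */
int html_escape(const char *in, char *out, size_t out_size)
{
    size_t used = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= out_size)        /* keep one byte for the terminator */
            return -1;
        if (rep)
            memcpy(out + used, rep, n);
        else
            out[used] = *p;
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* VULNERABLE: the entry's URL goes into the attribute and link text unescaped. */
int render_url_cell_unsafe(const char *url, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "<td><a href=\"%s\">%s</a></td>", url, url);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* FIXED: escape first, then format; an over-long value is rejected, not truncated. */
int render_url_cell_safe(const char *url, char *out, size_t out_size)
{
    char esc[2048];
    if (html_escape(url, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, out_size, "<td><a href=\"%s\">%s</a></td>", esc, esc);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Count occurrences of c in s. */
size_t count_char(const char *s, char c)
{
    size_t k = 0;
    for (; *s != '\0'; s++)
        k += (*s == c);
    return k;
}

/*
 * True when the rendered cell contains only the template's own markup:
 * exactly four '<' (<td>, <a, </a>, </td>) and two '"' (around the href).
 * Any extra tag or quote came from the entry value.
 */
bool cell_has_only_template_tags(const char *cell)
{
    return count_char(cell, '<') == 4 && count_char(cell, '"') == 2;
}

int main(void)
{
    /* Constructed payload standing in for "[PERSISTENT SCRIPT CODE]" in the advisory. */
    const char *url = "\"><script>alert(1)</script>";
    char cell[512];

    render_url_cell_unsafe(url, cell, sizeof cell);
    printf("unsafe: %s\n  template-only markup: %d\n", cell, cell_has_only_template_tags(cell));
    render_url_cell_safe(url, cell, sizeof cell);
    printf("safe:   %s\n  template-only markup: %d\n", cell, cell_has_only_template_tags(cell));
    return 0;
}
```

The check at the end is the test a reviewer can apply to any generated export: if a cell built from a hostile value has more tags or quotes than the template itself, the value was not encoded. Escaping is done once, on the value, before it is used in either the attribute or the element body; escaping the finished cell instead would destroy the template's own markup.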
Exploiting the vulnerability requires a manipulated URL carrying script code, an attacker-controlled server that receives the exfiltrated data (the advisory describes it as a "logging server with chmod 777"), a listing file (random), and a KeePass v1.22 user. The injection happens locally and affects the local validation of the HTML/XML export; the exfiltration step is the remote transfer of the exported password list. The malicious URL/domain value reaches the database either through an import (victim) or by manual entry (to reproduce). Successful exploitation leads to stable (persistent) context manipulation, persistent phishing, execution of malware, or theft of plaintext password lists. Medium user interaction is required to exploit the vulnerability.

Normally KeePass exports the HTML backup from a clean template. The table markup was lost in extraction; its columns are:

Password Groups | Group Tree | Title | User Name | URL | Password | Notes | UUID | Icon | Creation Time | Last Access | Last Modification | Expires | Attachment Description | Attachment

with a sample row such as group "mypass category", title "my keypass test", user name "asdfasasd".

The local attacker manipulates the database with malicious strings (script code) in the entry's input fields. KeePass still generates the clean HTML template, but once script code has been stored in the URL/domain field of an entry, that code is executed directly from the exported HTML file.

User account name: ``><[PERSISTENT SCRIPT CODE]`) <<=`` b=``>

Vulnerable Section(s):
  [+] Export

Vulnerable Module(s):
  [+] HTML - XML

Vulnerable Parameter(s):
  [+] URL (Domain)

Proof of Concept:
The persistent script code injection & execution can only be exploited by local attackers. For demonstration or to reproduce ...

Exploitation Scenario:
The attacker sends the victim a manipulated login page with script code in the URL parameters. The script code is a simple HTML or JS snippet that reports to a URL on another (world-writable) server when a local request is processed. The victim saves the URL in KeePass or imports it via a module (backup, XML, etc.). After some time the victim exports the database as a plain HTML file using the KeePass template. The script code in the URL is executed and transfers the contents of the listed plain file directly to the attacker's listening website script.

PoC: HTML (table markup lost in extraction; the column headers and the injected row are what survives)

Columns: Password Groups | Group Tree | Title | User Name | URL | Password | Notes | UUID | Icon | Creation Time | Last Access | Last Modification | Expires | Attachment Description | Attachment

Row: group "mypass category"; title "my keypass test"; user name "asdfasasd"; URL field containing the injected string
  <[PERSISTENT SCRIPT CODE]")' <"=""> ">http://vuln-lab.com onload=alert("VL")
UUID bdd4c872495537e65493cd08d1a2489b; Creation Time 2012-06-13 22:17:28; Last Access 2012-06-13 22:22:12; Last Modification 2012-06-13 22:17:28; Expires 2999-12-28 23:59:59

PoC: XML for imports ...
mypass category
AVAVoIP v1.5.12 - Multiple Web Vulnerabilities
Title:
AVAVoIP v1.5.12 - Multiple Web Vulnerabilities

Date:
2012-06-28

References:
http://www.vulnerability-lab.com/get_content.php?id=437

VL-ID:
611

Common Vulnerability Scoring System:
6.5

Introduction:
Designed from the ground up to empower VoIP and to meet the needs of the changing business environment, the AVA VoIP platform provides best in class features and carrier performance at competitive cost so you can spend more time on strategic initiatives and less time on technical issues and downtime. Powerful CDR Mediation, Pricing, Rating, Billing, Reporting and Routing engines enable providers to meet the challenges they face every day. The AVA VoIP package supports all the traditional telecom business models such as: prepaid and postpaid wholesale VoIP, prepaid and postpaid retail VoIP, calling cards, callback, call shop, Internet café, hotels, etc. In addition our team of experienced engineers can address and custom tailor updates or platform add-ons as requested by our clients.

Avangard Solutions, Inc. provides cost-effective, customized IT solutions to large and mid-sized organizations worldwide. With experience in the latest, state of the art technology trends, our expertise spans a wide variety of subject matters in the areas of Pricing and Rating, Billing, BSS, OSS, CRM, ERP, SRM and e-commerce solutions. We offer our strategic expertise backed with years of experience in communications protocols, VoIP, Triple Play and converged solutions.

(Copy of the Vendor Homepage: http://avavoip.com/ )

Abstract:
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the AVAVoIP Communication Application v1.5.12.

Report-Timeline:
2012-06-09: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
An arbitrary file upload vulnerability was found in AVA's AVAVoIP Communication Application v1.5.12.
An attacker can upload a PHP file to the web server and then request it to take control of the entire site. The vulnerability can only be exploited with a privileged application user account. The bug is located in the FX rates > upload FX rates function, in the fx_rates_upload.php file.

Vulnerable Section(s):
  [+] FX rates > upload FX rates

Vulnerable File(s):
  [+] fx_rates_upload.php

1.2
Multiple persistent input validation vulnerabilities were found in AVA's AVAVoIP Communication Application v1.5.12. They allow remote attackers to inject malicious script code on the application side (persistent). Successful exploitation can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged user account.

The persistent vulnerabilities are located in several files, in the parameters named below and the output listings bound to them.

Vulnerable File(s):
  [+] accountadd.php (First Name)
  [+] agent_set.php
  [+] batchadd.php
  [+] carrier_list.php
  [+] routeset_set.php
  [+] tariff_add.php
  [+] taxadd.php

Vulnerable Module(s):
  [+] Accounts > Add > First Name
  [+] Agents > Add Agents > Business Phone
  [+] Rating & Billing > Update Batch > Batch Name
  [+] Rating & Billing > Taxes & Localities > Taxes > Tax Name
  [+] Routing > Carriers > Carrier ID > Add & Listing
  [+] Routing > Route Sets > Add & Update > Route Set Name
  [+] Routing > Tariffs > Update Name

Vulnerable Parameter(s):
  [+] mtext, firstname & text
  [+] agent_business_phone
  [+] batch_name
  [+] carrier_id
  [+] route_set_name
  [+] tariff_name
  [+] taxname

1.3
Multiple non-persistent cross site scripting vulnerabilities were found in AVA's AVAVoIP Communication Application v1.5.12. They allow remote attackers to hijack customer, moderator and admin sessions, with medium/high user interaction required or a local low-privileged user account. Successful exploitation results in account theft, phishing and client-side context/request manipulation.

Vulnerable File(s):
  [+] agent_accounts_report.php
  [+] tariff_add.php
  [+] routeset_set.php

Vulnerable Parameter(s):
DC4420 - London DEFCON - July meet - Tuesday July 17th 2012
OK, this is the last one before the big one! Whether you're coming to Vegas or not, you need to be here for this:

Title: "Hacking iOS Applications"

Synopsis: "iOS applications are leet and cool. Let's have some fun with them!"

Pentester Bio: Zsombor Kovacs, "Zsombor is a security geek interested in hacking iOS applications, working for an early adopter of enterprise iPad applications."

Heh. Maybe he can help me unfsck my iphone... Speaking of which, what do you do when you get the dreaded 'error -1' when updating to the latest ios (5.1.1) and the apple support nazis say 'you must have tried to hack it, tough luck!'? No, really, I didn't try to hack it. Honest. No, honest, really. Look, I *know* who I am, but, honest, honest, honest, guvner, pretty please I didn't. Your stoopid update broicked it! Dammit!

Anyways, moving on

Venue is here:

The Phoenix
37 Cavendish Square
London W1G 0PP
http://www.phoenixcavendishsquare.co.uk/

2 minutes walk from Oxford Circus tube.

Talks start at 19:30, kicking out at kicking out time.

See you there!

cheers,
MM

--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...
Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
Right - if you've compromised the server to the point you can alter directory structures/names, then you've already bypassed the ACLs required in order to "exploit" the vulnerability that allows you to bypass the ACLs. I don't get it.

t

On 7/16/12 10:47 AM, "Григорий Братислава" wrote:

>On Mon, Jul 16, 2012 at 1:24 PM, king cope wrote:
>> Hi Lists,
>>
>> it seems Microsoft doesn't want to patch the vulnerabilities I posted
>> back in June,
>> at least not in the July update.
>>
>
>Hello Full Disclosure!! !! !!
>
>Is like to introduce you to Schrödinger's Cat and Wigner's Friend in
>is Computer Security. 'The Wigner's Friend thought experiment posits a
>friend of Wigner who performs the Schrödinger's cat experiment after
>Wigner leaves the laboratory. Only when he returns does Wigner learn
>the result of the experiment from his friend, that is, whether the cat
>is alive or dead. The question is raised: was the state of the system
>a superposition of "dead cat/sad friend" and "live cat/happy friend,"
>only determined when Wigner learned the result of the experiment, or
>was it determined at some previous point?'
>
>http://en.wikipedia.org/wiki/Wigner's_friend
>http://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_cat
>
>IIS is neither vulnerable or not vulnerable. Is until you is exploit
>it and verify!
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
Hi Lists,

it seems Microsoft doesn't want to patch the vulnerabilities I posted back in June, at least not in the July update. The posting included some important bugs in the Internet Information Services, one of their flagship products:

http://seclists.org/fulldisclosure/2012/Jun/189

The July Security Bulletin doesn't mention any bug.

http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

I wonder if Microsoft will silently patch the vulnerabilities or just bluntly ignore them. I understand that Microsoft doesn't want to make a big deal about the impact and exposure like in the past, yet I believe that admins should be informed about the threats by their very side. You have to remember that I put much effort into finding these vulnerabilities and you get them for free. With resolving the bugs Microsoft proves that they care about security even if these vulnerabilities were disclosed uncoordinated yet free to patch.

/Kingcope
CORE-2011-1123 - Windows Kernel ReadLayoutFile Heap Overflow
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Windows Kernel ReadLayoutFile Heap Overflow

1. *Advisory Information*

Title: Windows Kernel ReadLayoutFile Heap Overflow
Advisory ID: CORE-2011-1123
Advisory URL: http://www.coresecurity.com/content/windows-kernel-readlayoutfile
Date published: 2012-05-08
Date of last update: 2012-07-11
Vendors contacted: Microsoft
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2012-1890

3. *Vulnerability Description*

There is a bug in the ReadLayoutFile Windows Kernel function that can be leveraged into a local privilege escalation exploit, potentially usable in a client-side attack scenario or after a remote intrusion by other means. This bug is similar to another bug used by a client-side exploit in Stuxnet.

4. *Vulnerable packages*

. Windows XP SP3.
. Windows Vista SP2.
. Windows 7
. Windows 7 SP1.
. Windows Server 2003 SP2.
. Windows Server 2008 SP2.
. Other Windows versions might be vulnerable but were not tested.

5. *Vendor Information, Solutions and Workarounds*

Apply security patch MS12-047 [4]

6. *Credits*

This vulnerability was discovered and researched by Nicolás Economou from Core Security Technologies. The publication of this advisory was coordinated by Fernando Russ.

7. *Technical Description / Proof of Concept Code*

There is a bug in the 'ReadLayoutFile' Windows Kernel ('win32k.sys') function that can be leveraged into a local privilege escalation exploit, potentially usable in a client-side attack scenario, or after a remote intrusion by other means.

Custom keyboard layouts are implemented using a .dll file exporting the 'KbdLayerDescriptor' function which, in theory, returns a pointer to a structure of type 'KBDTABLES' that is stored in the '.DATA' section of the PE file.
'NtUserLoadKeyboardLayoutEx' is a private function used by 'LoadKeyboardLayout' [2] to load a custom keyboard layout; among its arguments it takes an open file handle pointing to a keyboard layout library. When 'NtUserLoadKeyboardLayoutEx' is called correctly, the PE file referenced by its arguments is mapped in kernel space.

The bug is a memory corruption: a double word can be overwritten at a position relative to the base of the memory allocated in kernel space. The following constraints apply to exploiting this vulnerability:

. There is no bound check for the value used to index the '.DATA' section of the keyboard layout .dll where the actual layout descriptor table is stored (so a spurious memory address can be referenced).
. The file handle used to load the keyboard layout must refer to a file located in \Windows\System32.
. The value used to index the '.DATA' section of the keyboard layout is incorrectly bound checked.

We can confirm reliable exploitation for the following Microsoft Windows versions:

. Windows XP SP3,
. Windows Vista,
. Windows Server 2003 SP2,
. Windows Server 2008 SP2.

8. *Report Timeline*

. 2011-11-23: Core Security Technologies notifies MSRC of the vulnerability, including technical details and a PoC that crashes Windows XP SP3.
. 2011-11-23: Vendor acknowledges the receipt of the information. Vendor warns Core Security Technologies that it may take longer than normal for a technical review of the bug because of the Thanksgiving holiday.
. 2011-11-24: Core acknowledges the aforementioned possible delay and wishes MSRC a happy Thanksgiving.
. 2011-11-25: MSRC opens case number "MSRC 12000gd" for report tracking.
. 2011-11-28: MSRC mentions over an unencrypted communication channel that they are currently investigating the issue, and that they'll let Core Security Technologies know of their findings when the investigation is complete.
. 2011-11-29: Core Security Technologies acknowledges the previous e-mail.
. 2011-12-08: MSRC contacts Core Security Technologies for a quick update, informing that they were able to reproduce the crash and that it is indeed very similar to the bug publicly exploited at [1]. MSRC informs that they are currently discussing the next steps they will take with the Windows Product Team.
. 2012-01-09: Ivan Arce, current CTO and founder of the Core Advisories Team, leaves Core after 15 years. Thanks Wari!
. 2012-01-17: MSRC notifies that the release of a fix was scheduled for March 2012.
. 2012-01-18: Core acknowledges the previous update and notifies that Nicolas Economou has further analyzed the crash (publicly available in exploit-db) and concluded it is indeed a different issue. Core offers to compile Nicolas' findings into a private technical report.
. 2012-01-18: MSRC validates Nicolas' findings stating the two issues are separate, even though they share a same code area.
. 2012-03-09: Core asks if the March publication dat
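Section 7 of the Core advisory above comes down to one missing (or wrong) check: an index into the '.DATA' section of the mapped layout file is used to write a double word without confirming that the target lies inside that section. As an added example for this page, not Core's PoC and not a reproduction of win32k code, here is the check a loader should make before touching a section-relative element, next to the unchecked pattern for contrast. The `section_t` and `image_t` structures, the 4 KiB demo image and the section at RVA 0x800 are hypothetical stand-ins; real PE headers are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-ins for a kernel-mapped image and one section header.
 * Only the two fields this check needs are modelled; the real headers
 * (IMAGE_SECTION_HEADER etc.) are not reproduced here.
 */
typedef struct {
    uint32_t virtual_address;   /* RVA of the section in the mapped image */
    uint32_t virtual_size;      /* number of valid bytes in the section  */
} section_t;

typedef struct {
    uint8_t *base;              /* first byte of the mapped image */
    size_t   size;              /* mapped size in bytes           */
} image_t;

/*
 * UNCHECKED pattern: trusts a file-supplied index and a header-supplied
 * section. In 32-bit arithmetic index * 4 wraps, so even a naive
 * "offset < size" test would pass for a huge index. Shown for contrast only.
 */
uint32_t *section_dword_unchecked(const image_t *img, const section_t *sec, uint32_t index)
{
    return (uint32_t *)(img->base + sec->virtual_address + index * 4u);
}

/*
 * CHECKED: element `index` of `elem_size` bytes inside `sec`, or NULL if
 * any byte of it would fall outside the section or the mapped image.
 * Arithmetic is 64-bit, so a large index cannot wrap back into range.
 */
uint8_t *section_elem_checked(const image_t *img, const section_t *sec,
                              uint32_t index, size_t elem_size)
{
    uint64_t sec_start = sec->virtual_address;
    uint64_t sec_end   = sec_start + sec->virtual_size;   /* exclusive */
    if (elem_size == 0 || elem_size > sec->virtual_size)
        return NULL;
    if (sec_end > img->size)                   /* header claims bytes the mapping lacks */
        return NULL;
    uint64_t off = (uint64_t)index * elem_size;
    if (off + elem_size > sec->virtual_size)   /* element would cross the section end */
        return NULL;
    return img->base + sec_start + off;
}

/* Write a dword at a checked position; returns false instead of corrupting memory. */
bool write_dword_checked(const image_t *img, const section_t *sec, uint32_t index, uint32_t value)
{
    uint8_t *p = section_elem_checked(img, sec, index, sizeof value);
    if (p == NULL)
        return false;
    memcpy(p, &value, sizeof value);
    return true;
}

/* Read a dword back with the same checks. */
bool read_dword_checked(const image_t *img, const section_t *sec, uint32_t index, uint32_t *value)
{
    const uint8_t *p = section_elem_checked(img, sec, index, sizeof *value);
    if (p == NULL)
        return false;
    memcpy(value, p, sizeof *value);
    return true;
}

/* Constructed 4 KiB "image" with a 256-byte .data-like section at RVA 0x800. */
static uint8_t demo_image_bytes[4096];

image_t demo_image(void)
{
    image_t img = { demo_image_bytes, sizeof demo_image_bytes };
    return img;
}

section_t demo_data_section(void)
{
    section_t sec = { 0x800, 0x100 };
    return sec;
}

int main(void)
{
    image_t img = demo_image();
    section_t sec = demo_data_section();
    uint32_t v = 0;
    printf("index 0:          %d\n", write_dword_checked(&img, &sec, 0, 0x41414141u));
    printf("index 63:         %d (last dword inside the section)\n", write_dword_checked(&img, &sec, 63, 1));
    printf("index 64:         %d (one past the section)\n", write_dword_checked(&img, &sec, 64, 1));
    printf("index 0x40000000: %d (index*4 wraps to 0 in 32-bit math)\n", write_dword_checked(&img, &sec, 0x40000000u, 1));
    printf("read 0:           %d -> 0x%08x\n", read_dword_checked(&img, &sec, 0, &v), v);
    return 0;
}
```

Two of the rejected cases matter most for the class of bug the advisory describes: an index one past the end of the section, which a check on the index alone but not on index plus element size lets through, and an index whose product with the element size wraps in 32-bit arithmetic, which is why the multiplication is done in 64 bits and compared against the section size, not the image size.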