Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]
Hi,

I found and notified this vulnerability to Microsoft on: Tue, 10 Apr 2007 15:40:13 +0200

You read exactly, April 2007, 1 year and 6 months ago. :(

The Microsoft Security Response Center opened the case ID MSRC 7368br.

The bug has not been patched in 1 year and 6 months. I asked from time to time for updates but they always answered me that the bug had to be patched with the next Service Pack and they did not have any ETA. This SP has still to be released.

They told me that if I released the vulnerability prior to the official patch, I could not be officially credited for that. I thought it was not a critical vuln, and so I waited. Too much (?).

I am a bit sorry for Microsoft, I think they lost another chance since now I feel a bit tricked. I am not sure if the next time I will wait so much and I am not sure if I will suggest to anyone to wait for the patch.

I just hope Microsoft will credit me in the official patch. :(

Below you can find the first mail I wrote to MS regarding the issue.

Best regards,
Davide Del Vecchio.

From: "Davide Del Vecchio" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
Date: Tue, 10 Apr 2007 15:40:13 +0200

Hello,

I found a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks.

The weakness is caused by a design error in the way OWA uses an unverified user-supplied argument to redirect a user after successful authentication. This can e.g. be exploited by tricking a user into following a link from an HTML document to the trusted login page with a malicious "url" parameter. After successful authentication, the user will be redirected to the untrusted (fake) site.

The affected product is: Microsoft Outlook Web Access (OWA) Windows 2003

Examples:

https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com

this will take the user to http://www.example.com when the login box is pressed.

https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe

prompts the user to download an executable or other file.

The attacker can then have a page to capture the user / password and redirect back to the original login page or some other form of phishing attack.

Note that this vulnerability is very similar to the one affecting "owalogin.asp" described here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420

Best regards,
Davide Del Vecchio.

Martin Suess wrote:
> ...
> Timeline:
> - Vendor Status: MSRC tracking case closed
> Vendor Notified: March 31st 2008
> Vendor Response: May 6th 2008
> Advisory Release: October 15th 2008
> Patch available: - (vulnerability not high priority)
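The fix for a weakness of this kind is to validate the redirect target on the server before honouring it. The following check is an added example, not OWA's or Microsoft's code; it assumes a hypothetical application origin OWA_ORIGIN and a fallback landing page DEFAULT_LANDING, and accepts only absolute paths on that origin, so the "?URL=http://www.example.com" links above fall back to the mailbox.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed application origin (the real OWA host is not on the page) and the
# page users land on when the supplied target is refused.
OWA_ORIGIN = "https://owa.example.org"
DEFAULT_LANDING = "/exchange/"


def safe_redirect_target(url_param: Optional[str]) -> str:
    """Return a post-login redirect that stays on OWA_ORIGIN.

    Anything that names another scheme, host or port (including the
    "?URL=http://www.example.com" form from the advisory) is replaced by
    DEFAULT_LANDING; only absolute paths on our own host pass through.
    """
    if not url_param:
        return DEFAULT_LANDING
    # Some browsers treat backslashes as slashes, so normalise before parsing.
    candidate = url_param.strip().replace("\\", "/")
    # Control characters have no place in a Location target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    # Reject "http://host", "javascript:", "data:" (scheme present),
    # "//host" (netloc present) and bare relative names such as "inbox".
    if parts.scheme or parts.netloc or not candidate.startswith("/"):
        return DEFAULT_LANDING
    # Resolve dot segments against our origin and confirm we are still on it.
    resolved = urlsplit(urljoin(OWA_ORIGIN + "/", candidate))
    if resolved.netloc != urlsplit(OWA_ORIGIN).netloc:
        return DEFAULT_LANDING
    # Collapse any leading slashes so the result can never read as "//host".
    path = "/" + resolved.path.lstrip("/")
    return path + ("?" + resolved.query if resolved.query else "")
```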
Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)
3APA3A wrote:
> Dear Davide Del Vecchio,
>
> It's also possible to recover deleted photos from almost any flash card
> in almost any device (camera, mobile, etc) - it's a way general purpose
> file systems work. Requirement to delete information securely is
> enforced in devices certified to e.g. process US military secrets. In
> this case, device must follow DoD 5220-22-M recommendations and you can
> expect secure erase. In general purpose operating systems and devices,
> to delete information securely (wipe it) some additional
> actions/utilities are usually required.
>
> --Tuesday, May 15, 2007, 9:09:19 PM, you wrote to [EMAIL PROTECTED]:
>
> DDV> Hello list,
>
> DDV> During some research, I found an interesting "feature"
> DDV> on my Nokia mobile phone; I was able to retrieve any
> DDV> apparently deleted sms/mms.

I completely agree with you. In fact the news is how EASY it is to recover deleted sms/mms without using any recovery tool (just using the PC Nokia Suite), and the aim of my post was to increase the perception of the privacy risk on mobile devices.

I hope that after this post, Nokia people will think about introducing more security features. Those are in fact often reduced to just a 4-digit number (the PIN).

I think the question is crucial and, I hope, finally clear.

d.

-- 
http://www.alighieri.org
Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)
Hello list,

During some research, I found an interesting "feature" on my Nokia mobile phone; I was able to retrieve any apparently deleted sms/mms.

Leaving aside some paranoid thoughts about WHY these sms are not deleted, I think that, while this represents a high risk for our privacy, this discovery could give some hints in the mobile phone forensics and anti-forensics field.

First, I would like to tell you that I tested this on my Nokia N-Gage and on a Nokia 6600, but I am quite sure that this procedure works on every Nokia Symbian S60 (maybe other vendors). So I strongly encourage you to test it on your mobile phone and share the results.

Tested products:
Nokia N-Gage, firmware version: V 4.03 26-11-2003 NEM-4
Nokia 6600
Maybe the whole S60 series.

Procedure:

Download the Nokia PC Suite for your mobile phone and make a backup on your local hd. I used PC Suite for Nokia N-Gage Version 1.0.0
http://www.nokia.com/pcsuite

It will create a huge number of ".dat" files in a specified directory.

Download, install and start Cygwin. This is not required but suggested; you could use a hexadecimal editor and a bit of patience, but using Cygwin is surely faster.
http://www.cygwin.com

Move into the backup directory.

$ ls -al | less
total 6016
drwx--+ 2 Administrator Nessuno 0 Feb 6 01:35 .
drwx--+ 7 Administrator Nessuno 0 Feb 5 23:00 ..
-rwx--+ 1 Administrator Nessuno 2972 Nov 27 2003 1.dat
-rwx--+ 1 Administrator Nessuno 22913 Nov 27 2003 10.dat
-rwx--+ 1 Administrator Nessuno 1062 Feb 16 2005 100.dat
-rwx--+ 1 Administrator Nessuno 3912 Aug 9 2005 1000.dat
-rwx--+ 1 Administrator Nessuno 2750 Aug 25 2005 1001.dat
-rwx--+ 1 Administrator Nessuno 8741 Dec 15 2005 1002.dat
-rwx--+ 1 Administrator Nessuno 9926 Dec 20 2005 1003.dat
-rwx--+ 1 Administrator Nessuno 63 Dec 30 2005 1004.dat
-rwx--+ 1 Administrator Nessuno 23988 Jan 13 2006 1005.dat
-rwx--+ 1 Administrator Nessuno 18 Jan 23 2006 1006.dat
...
... etc etc (files created by the Nokia PC Suite).

Choose a file to examine.

$ ls -al 3102.dat
-rwx--+ 1 Administrator Nessuno 666569 Feb 5 23:59 3102.dat

Use the command "strings" to find printable characters.

$ strings 3102.dat | less
Ciao! Auguro a te ed alla tua
[EMAIL PROTECTED]
Farlonesi
...
... etc etc

This is part of an sms I deleted and that I don't see on my phone. So, just grep every file in the directory to find the complete sms:

$ grep -i "Auguro a te ed alla" *
Binary file 1770.dat matches
Binary file 3102.dat matches

The sms has been found in the 1770.dat file, let's see what's inside it:

$ strings 1770.dat
Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
4+393915253350
4+393922378986

Got it! The complete sms, with the phone number of the sender (phone numbers have been changed).

In earlier versions of Nokia PC Suite it just creates a ".nbu" file and you can just edit it with a hexadecimal editor.

I mailed Nokia support and they told me they didn't know about this bug and would like to know more information about impacted models, but they don't have any intention to release some kind of patch. I contacted Symbian too; they told me that Symbian sources are distributed to mobile phone vendors and so they cannot release any end-user patch.

This description is also available here:
http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG)
http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA)

Regards,
Davide Del Vecchio.

-- 
http://www.alighieri.org
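The "strings" and "grep -i" steps of the procedure above, as an added example that is not part of the original post and does not use the Nokia tools: it scans a set of backup blobs for printable runs, reports which files contain the search phrase, and pulls out the phone-number tokens stored beside the message text. The three backup files are constructed in the script (the phone numbers are made up), and the "4" in front of each number is assumed here to be a stray length byte that happened to be printable in the original dump.

```python
import re
from typing import Dict, List


def strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, as strings(1) reports them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def grep_backup(files: Dict[str, bytes], phrase: str) -> List[str]:
    """Names of the files whose strings contain phrase (case-insensitive), like grep -i."""
    needle = phrase.lower()
    return sorted(name for name, blob in files.items()
                  if any(needle in run.lower() for run in strings(blob)))


_PHONE = re.compile(r"\+\d{8,15}")  # "+393915253350"-style tokens


def carve_message(blob: bytes, phrase: str) -> dict:
    """Return the first run holding phrase plus every phone token found in the blob."""
    runs = strings(blob)
    text = next((run for run in runs if phrase.lower() in run.lower()), None)
    numbers = sorted({n for run in runs for n in _PHONE.findall(run)})
    return {"text": text, "numbers": numbers}


# Constructed stand-in for three PC Suite backup files: binary bytes surround
# the text, as the strings output in the post suggests. The numbers are made
# up; the leading "4" is assumed to be a length byte that is also printable.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "1770.dat": (b"\x00\x01\x10"
                 b"Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E."
                 b"\x00\x00" b"4+393900000001" b"\xff" b"4+393900000002" b"\x00"),
    "3102.dat": b"\x05\x00" b"Ciao! Auguro a te ed alla tua" b"\x00\x00" b"Farlonesi" b"\x00",
    "1004.dat": b"\x00" * 63,
}

if __name__ == "__main__":
    # Same workflow as the post: find the files that match, then carve the hit.
    for name in grep_backup(SAMPLE_BACKUP, "Auguro a te ed alla"):
        print(name, carve_message(SAMPLE_BACKUP[name], "Auguro"))
```

On a real backup directory, replace SAMPLE_BACKUP with a dict built by reading each *.dat file as bytes.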
Re: Remedy Action Request System 5.01.02 - User Enumeration
Lee Rumble writes:
> This has always been the case with the Remedy system which I use day in
> and day out. This is also present in older versions too and I have
> spoken with them about this, but they do not deem this to be a security
> flaw.

Hello Lee,

whether or not they think it is a security flaw, well, it's their opinion. I think that the possibility to enumerate users is a security flaw, and you?

> Gaining access to the system itself has no real advantages either.

It depends on what the system is used for. There are a lot of companies that usually attach important documents to the Remedy tickets or use Remedy to trace every activity. According to you, is it important to access the repository in which every activity has been traced?

Best regards,
d.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri"
[EMAIL PROTECTED]
http://www.alighieri.org
http://legaest.blogspot.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Remedy Action Request System 5.01.02 - User Enumeration
=== Remedy Action Request System User Enumeration ===

Davide Del Vecchio Adv#11

Discovered in: 08/01/2007

Version affected: Remedy Action Request System 5.01.02 Patch 1267.
The same vulnerable code could be present in other versions.

Reference: http://www.alighieri.org/advisories/advisory-remedy50102.txt

Software description:

From BMC Software website: "Remedy Action Request System 5.01.02 provides a consolidated Service Process Management platform for automating and managing Service Management business processes."

The problem:

During the user login phase, it is possible to enumerate existing users by examining the error messages provided by the software.

Supplying a non-existing user, the error message is:

ARERR [612]
No such user is registered with this server
user: test, server: 10.10.10.11
Unable to successfully log in to any server.

Supplying an existing user, the error message is:

ARERR [329]
Invalid password for an existing user
user: user, server: 10.10.10.11
Unable to successfully log in to any server.

Solution:

Vendor has been contacted 3 times with no answer.

Credits:

Davide Del Vecchio would like to thank his family and all the people supporting him and his research. Support the rosewitch project.

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
http://www.alighieri.org ~ http://legaest.blogspot.com
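The two ARERR messages above differ depending on whether the user name exists, which is what makes enumeration possible. The following is an added example, not Remedy's code: a login check that reproduces the distinguishable messages beside a hardened variant that returns one generic message and does the same password-hashing work on both paths, so neither the text nor the response time reveals whether the name is registered. The user table, password and server address are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the demo


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute the digest and compare it in constant time."""
    salt, digest = record
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS), digest)


# Constructed user table: only "user" exists, matching the advisory's examples.
USERS: Dict[str, Tuple[bytes, bytes]] = {"user": make_record("s3cret")}
# Throw-away record with a random password, used when the name is unknown so
# a missing user still costs exactly one PBKDF2 computation.
_DUMMY = make_record(os.urandom(16).hex())
SERVER = "10.10.10.11"
GENERIC_FAILURE = "Unable to successfully log in to any server."


def login_vulnerable(user: str, password: str) -> str:
    """Reproduces the two distinguishable ARERR messages from the advisory."""
    if user not in USERS:
        return (f"ARERR [612] No such user is registered with this server "
                f"user: {user}, server: {SERVER}")
    if not check(password, USERS[user]):
        return (f"ARERR [329] Invalid password for an existing user "
                f"user: {user}, server: {SERVER}")
    return "OK"


def login_hardened(user: str, password: str) -> str:
    """Same message, and same hashing work, whether or not the user exists."""
    record = USERS.get(user, _DUMMY)
    password_ok = check(password, record)  # always runs, even for unknown names
    if password_ok and user in USERS:
        return "OK"
    return GENERIC_FAILURE
```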
HPUX disable buffer overflow vulnerability
=== HPUX disable buffer overflow vulnerability ===

Davide Del Vecchio Adv#4

Date: 13/02/2003

Tested on HP-UX B.11.00

Description:

The enable command activates the named printers, enabling them to print requests taken by lp. The "-r" option associates a reason with the deactivation of the printer. The "-c" option cancels any requests that are currently printing on any of the designated printers.

$ ls -al `which disable`
-r-sr-xr-x 1 lp bin 28672 Jun 15 1998 /usr/bin/disable

Using disable with or without '-r', '-c' with a long option string:

$ disable -r `perl -e 'printf "A" x 9777'`
Memory fault

Solution:

HP has been contacted, hope it will release a patch soon. I sent an e-mail to [EMAIL PROTECTED] because the url http://thenew.hp.com/country/us/eng/sftware_security.html won't work.

Credits:

Davide Del Vecchio would like to thank in primis his love Mara, his coworkers of the security and monitoring staff @ Banca Mediolanum.

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
Davide Del Vecchio, Dante Alighieri - [EMAIL PROTECTED] / [EMAIL PROTECTED]
www.alighieri.org
Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability
Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability

Discussion:

Ericsson HM220dp is a small office environment ADSL modem, distributed by many carriers such as Telecom Italia to thousands of users. It may be administered remotely through a number of mechanisms, including a web based interface. Unfortunately, the web interface does not require authentication and does not give the possibility to require it. Unauthorized users accessing the web pages may perform a variety of malicious actions.

By the way, Ericsson forced the modem into "Bridged" mode with a modified firmware, so the web administration page cannot be accessed from the Internet but "just" from any user of the LAN.

It is possible that other products of the same series share this vulnerability.

Solution:

Ericsson was contacted months ago but is still not providing an updated firmware version that could prevent the problem, ignoring it.

Credits:

Davide Del Vecchio would like to thank in primis his love Mara, his coworkers of the security and monitoring staff @ Banca Mediolanum.

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
Davide Del Vecchio - [EMAIL PROTECTED] / [EMAIL PROTECTED]
www.alighieri.org