[Full-disclosure] [SECURITY] [DSA 761-1] New heartbeat packages fix insecure temporary files
Debian Security Advisory DSA 761-1
[EMAIL PROTECTED] http://www.debian.org/security/
Martin Schulze, July 19th, 2005
http://www.debian.org/security/faq

Package: heartbeat
Vulnerability: insecure temporary files
Problem-Type: local
Debian-specific: no
CVE ID: CAN-2005-2231

Eric Romang discovered several insecure temporary file creations in heartbeat, the subsystem for High-Availability Linux.

For the old stable distribution (woody) these problems have been fixed in version 0.4.9.0l-7.3.
For the stable distribution (sarge) these problems have been fixed in version 1.2.3-9sarge2.
For the unstable distribution (sid) these problems have been fixed in version 1.2.3-12.

We recommend that you upgrade your heartbeat package.

Upgrade Instructions

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
[Full-disclosure] [SECURITY] [DSA 762-1] New affix packages fix arbitrary command and code execution
Debian Security Advisory DSA 762-1
[EMAIL PROTECTED] http://www.debian.org/security/
Martin Schulze, July 19th, 2005
http://www.debian.org/security/faq

Package: affix
Vulnerability: several
Problem-Type: remote
Debian-specific: no
CVE ID: CAN-2005-2250 CAN-2005-2277
BugTraq ID: 14230
Debian Bug: 318327 318328

Kevin Finisterre discovered two problems in the Bluetooth FTP client from affix, user space utilities for the Affix Bluetooth protocol stack. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2005-2250
A buffer overflow allows remote attackers to execute arbitrary code via a long filename in an OBEX file share.

CAN-2005-2277
Missing input sanitising before executing shell commands allows an attacker to execute arbitrary commands as root.

The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in version 2.1.1-2.
For the unstable distribution (sid) these problems have been fixed in version 2.1.2-2.

We recommend that you upgrade your affix package.

Upgrade Instructions

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database
apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Re: [Full-disclosure] NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
Dear Amit Klein (AKsecurity),

NTLM authentication is insecure by design for external authentication, because of the "single signon" ideology. NTLM authentication can be used for an NTLM proxy attack. For example, an attacker who can hijack or spoof a server connection with NTLM authentication can use this connection to access a different Web server, mail server or file server with the client's privileges. This has been known for many years and was discussed many times.

Internet Explorer uses NTLM authentication by default only for the local network zone. The local network zone (by default) consists of hosts with NetBIOS names (for example WEBSRV); these hosts are excluded from the proxy by default, and the exclusion list for the proxy is also part of the local network. So, in the default configuration, NTLM will never be used through a proxy server.

--Monday, July 18, 2005, 9:43:02 PM, you wrote to full-disclosure@lists.grok.org.uk:

> NTLM HTTP Authentication
> (and possibly other connection-oriented
> HTTP authentication and authorization protocols)
> is insecure by design
> Or
> NTLM Authentication and HTTP proxies
> don't mix
> Amit Klein, July 2005
>
> Introduction
> ============
>
> In "Meanwhile on the other side of the webserver" (http://www.securityfocus.com/archive/1/401866) I surveyed some possible attacks against a scenario wherein a proxy server is positioned in front of a web server, and that proxy server shares a single TCP connection to the server among several clients. In that write-up, I mentioned several problems related to HTTP Request Smuggling (http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf) and HTTP Response Splitting (http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf). These are attacks that make use of non-RFC HTTP requests (HTTP Request Smuggling) or inject unexpected data (CRLF) through the application into the HTTP response stream (HTTP Response Splitting).
>
> In contrast, this write-up discusses a completely different problem, one which is inherent to the situation of a connection-oriented authentication/authorization protocol (e.g. NTLM authentication) used with a proxy server that shares TCP connections among several clients. Exploiting this vulnerability can be performed with 100% RFC compliant HTTP requests, and without attacking the application (i.e. without sending malicious data to the application).
>
> Theory
> ======
>
> In connection oriented security, the authentication is associated with the TCP connection, rather than with the individual HTTP requests it transports. As a result, a proxy server that shares a TCP connection to the server among 2 clients may jeopardize the security of the web application by sending a first request (or a set of requests) with authentication/authorization credentials from the first client, followed by a request with no credentials from the second client, and have the web server associate the privileges of the first request with the second request.
>
> NTLM authentication is an example of such a connection-oriented security scheme. From http://curl.haxx.se/rfc/ntlm.html#ntlmHttpAuthentication (lacking an official Microsoft specification, this resource is one of the most comprehensive descriptions of NTLM authentication):
>
>     This [HTTP NTLM authentication] scheme differs from most normal HTTP authentication mechanisms, in that subsequent requests over the authenticated connection are not themselves authenticated; NTLM is connection-oriented, rather than request-oriented. So a second request for /index.html would not carry any authentication information, and the server would request none.
>
> This attack is possible because:
>
> 1. Proxy servers share the same TCP connection to the server, among several clients. This enables several attacks (on top of the one described here), as discussed in "Meanwhile, on the other side of the web server".
>
> 2. Connection-oriented security is an insecure concept because there's no guarantee in the HTTP RFC that a single connection will be used by a single entity. As can be seen, this simply doesn't hold. Note that SSL is not connection-oriented security since each request is encrypted with a secret, shared key, making this protocol implicitly request-oriented.
>
> Results
> =======
>
> I tested this security issue with Microsoft IIS/6.0 (as the web server that requires NTLM authentication, "Integrated Windows Authentication" in Microsoft's IIS GUI terminology) and Sun Microsystems' Sun Java System Web Proxy 4 (as the proxy server that shares TCP connections to the same server).
>
> There are some tricky points
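As an added illustration of the mechanism Amit Klein describes in the quoted write-up (example code, not from his paper or from this reply): a toy model of a proxy that pools one upstream TCP connection for two clients, run against a server that authenticates the connection (NTLM-style) and against one that authenticates every request. The client names, the path and the "alice" identity are constructed for the example.

```python
"""Constructed model of the NTLM/shared-connection problem in the write-up
above (added example, not the original post's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    client: str                        # which downstream client sent it
    path: str
    credentials: Optional[str] = None  # identity proven by a completed handshake, or None


@dataclass
class Response:
    status: int
    served_as: Optional[str] = None    # identity the server attributed to the request


class UpstreamServer:
    """Protected web server. connection_oriented=True models NTLM: once a
    handshake succeeds on a TCP connection, later requests on that connection
    carry no credentials and the server asks for none."""

    def __init__(self, connection_oriented: bool):
        self.connection_oriented = connection_oriented
        self._conn_user: Dict[int, str] = {}   # conn_id -> authenticated identity
        self._next_conn = 0

    def accept(self) -> int:
        """Open a new TCP connection to the server; return its id."""
        self._next_conn += 1
        return self._next_conn

    def handle(self, conn_id: int, req: Request) -> Response:
        if req.credentials is not None:
            if self.connection_oriented:
                # The *connection* is now authenticated, not just this request.
                self._conn_user[conn_id] = req.credentials
            return Response(200, served_as=req.credentials)
        if self.connection_oriented and conn_id in self._conn_user:
            # The server trusts the connection, whoever is behind the proxy now.
            return Response(200, served_as=self._conn_user[conn_id])
        return Response(401)           # request-oriented scheme: no credentials, no access


class Proxy:
    """Proxy between clients and the server. share_connection=True pools a
    single upstream connection across all downstream clients."""

    def __init__(self, server: UpstreamServer, share_connection: bool):
        self.server = server
        self.share_connection = share_connection
        self._shared_conn: Optional[int] = None
        self._per_client: Dict[str, int] = {}

    def _upstream_conn(self, client: str) -> int:
        if self.share_connection:
            if self._shared_conn is None:
                self._shared_conn = self.server.accept()
            return self._shared_conn
        # Proxy-side mitigation: one upstream connection per downstream client.
        if client not in self._per_client:
            self._per_client[client] = self.server.accept()
        return self._per_client[client]

    def forward(self, req: Request) -> Response:
        return self.server.handle(self._upstream_conn(req.client), req)


def run_scenario(connection_oriented: bool, share_connection: bool) -> Response:
    """Client A completes authentication as 'alice' (constructed identity), then
    client B sends a request with no credentials through the same proxy.
    Returns the server's response to client B."""
    proxy = Proxy(UpstreamServer(connection_oriented), share_connection)
    proxy.forward(Request("client-A", "/protected/", credentials="alice"))
    return proxy.forward(Request("client-B", "/protected/"))


if __name__ == "__main__":
    for co, share in [(True, True), (True, False), (False, True)]:
        r = run_scenario(co, share)
        print(f"connection_oriented={str(co):<5} share_connection={str(share):<5} "
              f"-> client B gets {r.status}, served as {r.served_as}")
```

Only the combination of a connection-authenticating server and a connection-sharing proxy lets client B's unauthenticated request come back as alice; either a request-oriented scheme or a per-client upstream connection closes the gap.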
[Full-disclosure] Anonymous Web Attacks via Dedicated Mobile Services
Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Date: 2005 July 16
Security Researcher: Petko Petkov
Contact Information: [EMAIL PROTECTED]
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis

Various Mobile Services provide malicious users with an intermediate point to anonymously browse Web Resources and execute attacks against them.

Affected Applications

* Google's WMLProxy
* IYHY

Background

WAP stands for Wireless Application Protocol, a communication standard primarily designed for Information Exchange on various Wireless Terminals such as mobile telephones. WAP devices work with WML (Wireless Markup Language), a markup language similar to HTML but stricter because of its XML nature. WML and HTML are totally different in semantics. As such, there are applications located on the Internet that are able to transcode from HTML/XHTML to WML.

Description

An attacker can take advantage of Google's WMLProxy Service by sending an HTTP GET request with a carefully modified URL of a malicious nature. Such a request hides the attacker's IP address and may slow down future investigations of a successful break-in, since Google's Services are often over-trusted.

The following URL should reveal the current IP address: http://ipchicken.com

However, a similar request proxied through WMLProxy: http://wmlproxy.google.com/wmltrans/u=ipchicken.com results in: 64.233.166.136, which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it is primarily designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate point for launching anonymous attacks. For example, the following URL reveals IYHY's IP address: http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their IP address further. For example, the following URL goes through WMLProxy and IYHY before getting to http://ipchicken.com: http://wmlproxy.google.com/wmltrans/[EMAIL PROTECTED]

Impact

Misuse of Services like Google's WMLProxy and IYHY must be considered a high risk in situations where they are over-trusted. Google's entries are often filtered out from the logs, making all possible attacks undetectable. Moreover, attackers can make use of mobile devices to request dangerous URLs in order to compromise vulnerable Web Applications. If such requests are not monitored by the particular mobile network, there is no way to detect where the attack is launched from.

Workaround

Mobile Services can offer clever parameter filtering features to prevent the execution of dangerous requests. However, it is important to understand that simple input validation techniques can be easily circumvented. The tinyurl service can be used to obscure the dangerous URLs, bypassing the input validation checks that an application may have. It is also worth mentioning that modifying the requests, in order to stop certain XSS and SQL Injection attacks, may completely break the logic of the proxied Web Site, leaving the users with unsatisfactory results.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Re: Full-Disclosure Digest, Vol 5, Issue 43
Hi,

This is interesting. We are using a proxy server but it asks for NTLM authorization. With any other software I try to use apart from Microsoft products the error comes up; for example, if I use the HTTRACK software it says:

16:18:32 Warning: Cache: damaged cache, trying to repair
16:18:32 Warning: Cache: 0 bytes successfully recovered in 0 entries
16:18:32 Error: "Proxy Authentication Required" (407) at link www.yahoo.com/ (from primary/primary)
16:18:32 Info: No data seems to have been transfered during this session! : restoring previous one!

They say this is due to an NTLM authorization problem. Even if I supply the user name and password to the software it is still not working. The proxy is 172.16.0.1 with port 8080. I also tried to tunnel through HTTP but to no avail. Before they invoked NTLM authorization, HTTRACK was working fine.

Any ideas?

Warm regards,
Tanvir.

[EMAIL PROTECTED] wrote:
> Today's Topics:
> 1. Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein (3APA3A)
> 2. Re: Advice RE Site Exploit (Mike Hoye)
>
> From: 3APA3A [EMAIL PROTECTED]
> CC: full-disclosure@lists.grok.org.uk
> To: "Amit Klein (AKsecurity)" [EMAIL PROTECTED]
> Date: Tue, 19 Jul 2005 13:13:03 +0400
> Subject: Re: [Full-disclosure] NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
[Full-disclosure] [ISR] - Novell Groupwise WebAccess Cross-Site Scripting
[ISR] Infobyte Security Research
www.infobyte.com.ar
07.19.2005

.:: SUMMARY

Novell Groupwise WebAccess Cross-Site Scripting
Version: GroupWise 6.5 SP4. It is suspected that all previous versions of Groupwise WebAccess are vulnerable.

.:: BACKGROUND

GroupWise WebAccess is Novell's premier Intranet/Internet GroupWare solution for the Web.
More info: http://www.novell.com

.:: DESCRIPTION

Remote exploitation of Cross-Site Scripting due to failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.

To reproduce this, send an e-mail with the following HTML code:

<IMG SRC=j&#X41vascript:alert(document.cookie)>

This shows a simple example code to execute script in the browser of an unsuspecting user. This issue may allow for the theft of authentication credentials.

.:: VENDOR RESPONSE

Vendor advisory: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm
Vendor patch: http://support.novell.com/filefinder/16963/beta.html
The filename is fwa655d.exe

.:: CVE INFORMATION

Id: CAN-2005-2276
Web: http://cve.mitre.org

.:: DISCLOSURE TIMELINE

06/14/2005 Initial vendor notification
06/14/2005 Initial vendor response
07/19/2005 Coordinated public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Infobyte Security Research Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from infobyte com ar.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
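An added example, not part of the Infobyte advisory or Novell's code: why a filter that looks for the literal string "javascript:" misses the test vector above, and a check that decodes HTML character references the way a browser does (including "&#X41" with no trailing ";") before inspecting the URL scheme. The IMG_SRC regex, the scheme allow-list and the two benign sample fragments are assumptions made for this example.

```python
"""Added example (not from the advisory): entity-aware scheme check for IMG
SRC values in webmail HTML, applied to the advisory's test vector."""
import html
import re
from urllib.parse import urlsplit

# Constructed samples: the advisory's vector plus two benign image references.
SAMPLES = {
    "advisory_vector": "<IMG SRC=j&#X41vascript:alert(document.cookie)>",
    "benign_absolute": '<img src="https://mail.example.test/logo.png">',
    "benign_relative": '<img src="/images/spacer.gif">',
}

# Assumed: extract the SRC value of an IMG tag, double-quoted, single-quoted or bare.
IMG_SRC = re.compile(
    r"<img\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)

# Assumed allow-list; "" is the scheme urlsplit reports for relative URLs.
ALLOWED_SCHEMES = {"http", "https", "cid", ""}


def naive_filter_blocks(fragment: str) -> bool:
    """A literal-string filter: the kind of check the vector above slips past,
    because 'j&#X41vascript:' does not contain 'javascript:'."""
    return "javascript:" in fragment.lower()


def normalise_url(raw: str) -> str:
    """Decode HTML character references as a browser does (html.unescape accepts
    '&#X41' without a trailing ';'), then drop control characters and whitespace,
    which browsers ignore while parsing a URL scheme, and lower-case the result."""
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ord(ch) > 0x20).lower()


def src_is_safe(raw_src: str) -> bool:
    """True if the normalised SRC has an allowed scheme."""
    return urlsplit(normalise_url(raw_src)).scheme in ALLOWED_SCHEMES


def extract_src(fragment: str) -> str:
    """Return the raw SRC attribute value of the first IMG tag, or ''."""
    m = IMG_SRC.search(fragment)
    if not m:
        return ""
    return next(g for g in m.groups() if g is not None)


def check_fragment(fragment: str) -> dict:
    """Compare the two approaches on one HTML fragment."""
    src = extract_src(fragment)
    return {
        "src": src,
        "naive_blocks": naive_filter_blocks(fragment),
        "normalised_blocks": not src_is_safe(src),
    }


if __name__ == "__main__":
    for name, frag in SAMPLES.items():
        print(f"{name:<16} {check_fragment(frag)}")
```

Decoding before deciding is the point: the sanitizer must see the same URL the victim's browser will, and then allow only a short list of schemes rather than deny a list of bad strings.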
[Full-disclosure] Oracle Advisory: Run any OS Command via unauthorized Oracle Reports
Hello,

3 months ago (15-april-2005) I informed the Oracle Security Team ([EMAIL PROTECTED]) that I will publish bug details if the bugs are not fixed with the next critical patch update (CPU July 2005). I know that Oracle products are complex and good patch quality needs some time. That's why I offered Oracle additional time if 3 months were not sufficient for fixing the bugs. Oracle never asked for more time.

Oracle's behaviour of not fixing critical security bugs for a long time (over 650 days) is not acceptable for their customers. Oracle put their customers in danger. At least one critical vulnerability can be abused by any attacker via the internet. I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories.

Kind Regards
Alexander Kornbrust
www.red-database-security.com

##
Red-Database-Security GmbH - Oracle Security Advisory
Run any OS Command via unauthorized Oracle Reports

Name: Run any OS Command via unauthorized Oracle Reports
Systems Affected: Oracle Reports 6.0, 6i, 9i, 10g
Severity: High Risk
Category: OS command execution
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 19 July 2005 (V 1.00)
Advisory: AKSEC2003-014
Initial bug report: 663 days ago
Advisory-URL: http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html

Details
###

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as the reporting tool for their enterprise applications.

Oracle Reports starts reports executables (*.rep or *.rdf) from any directory and any user on the application server. These reports are executed as user Oracle or System (Windows). An attacker who is able to upload a specially crafted reports executable to the application server is able to run any OS command or read and write text files on the application server (e.g. wdbsvr.app containing Oracle passwords). He can take over the application server. The upload could be done via Webdav (part of the Oracle Application Server), Webutil, SMB, SAMBA, NFS, FTP, ...

By using the report parameter with an absolute path it is possible to execute reports executables from ANY directory and ANY user.

Testcase

1. Create or modify a simple report and add an ORA_FFI call to run OS commands or a TEXT_IO call to create or read text files on the application server. Details on how to call an OS program/command from Reports (Metalink ID: 181086.1) or read and write text files using TEXT_IO (Metalink: 33247.1) are available on Oracle Metalink.
2. Generate the reports executable (e.g. hacker.rdf or hacker.rep) for the destination platform (e.g. Linux, Solaris, Windows, ...).
3. Copy the reports executable hacker.rdf to a directory on the Oracle Application Server (e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, ...).
4. Run the report hacker.rdf as user Oracle and specify an absolute path for the reports executable:
   http://myserver.com:7779/reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF
5. The host command is executed (ORA_FFI) or a file could be read/written (TEXT_IO) as user Oracle (Unix) or user SYSTEM (Windows).

Workarounds
###

Available at http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html

Patch Information
#

This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED in fixing this issue and providing patches.

History
###

25-sep-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH - last update 19-july-2005
[Full-disclosure] Oracle Advisory: Overwrite any file via desname in Oracle Reports
Red-Database-Security GmbH - Oracle Security Advisory
Overwrite any file via desname in Oracle Reports

Name: Overwrite any file via desname in Oracle Reports
Systems Affected: Oracle Reports 6.0, 6i, 9i, 10g
Severity: High Risk
Category: File overwrite
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 19 July 2005 (V 1.00)
Advisory: AKSEC2003-005
Initial bug report: 706 days ago
Advisory-URL: http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html

Details

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

By specifying a special value for the parameter desname Oracle Reports can overwrite any file on the application server. On Windows systems an attacker can overwrite any files (e.g. boot.ini) on the application server. On UNIX systems an attacker can overwrite all files (e.g. opmn.xml) which belong to the Oracle Application Server user. This attack can be done with a simple URL.

TestURL

Will be provided if a patch is available.

Workaround

Available at http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html

Affected systems

All versions of Oracle Reports are affected. All applications using Oracle Reports (e.g. E-Business-Suite, ...)

Patch Information

This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue. If you believe you need a patch to protect your Oracle Application Server you should contact Oracle.

History

12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH - last update 19-july-2005
[Full-disclosure] Oracle Advisory: Read parts of any XML-file via customize parameter in Oracle Reports
Red-Database-Security GmbH - Oracle Security Advisory
Read parts of any XML-file via customize parameter in Oracle Reports

Name: Read parts of any XML-file via customize parameter in Oracle Reports
Systems Affected: All versions of Oracle Reports
Severity: Medium Risk
Category: Information disclosure
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 19 July 2005 (V 1.00)
Advisory: AKSEC2003-007
Initial bug report: 693 days ago
Advisory-URL: http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html

Details

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter customize can read any file by using an absolute or relative file name. Parts of the file content are displayed in the Reports error message (see test case).

Testcase

http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=scott/[EMAIL PROTECTED]/opt/ORACLE/ias/oracle/product/9.0.2/webcache/webcache.xml

***Reports Output
REP--866648059: Error in the XML report definition at line 3 in ' Element 'CALYPSO' used but not declared.'.
***Reports Output

Workarounds

Available at http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html

Affected systems

All versions of Oracle Reports are affected.

Patch Information

This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue. If you think you need a patch to protect your Oracle Application Server you should contact Oracle.

History

26-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH - last update 19-july-2005
[Full-disclosure] Oracle Advisory: Run any OS Command via unauthorized Oracle Forms
Red-Database-Security GmbH - Oracle Security Advisory
Run any OS Command via unauthorized Oracle Forms

Name: Run any OS Command via unauthorized Oracle Forms
Systems Affected: Oracle (Web) Forms 4.5, 5.0, 6.0, 6i, 9i, 10g
Severity: High Risk
Category: OS command execution
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 19 July 2005 (V 1.00)
Advisory: AKSEC2003-013
Initial bug report: 664 days ago
Advisory-URL: http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html

Details

Oracle Forms Services, a component of the Oracle Application Server, is Oracle's long-established technology to design and build enterprise applications. Oracle itself is using Oracle Forms for the E-Business Suite. Many large customers are using Oracle Forms for their enterprise applications.

Oracle Forms Services starts forms executables (*.fmx) from any directory and any user on the application server. These forms are executed as user Oracle or System (Windows). An attacker who is able to upload a specially crafted forms executable to the application server is able to run any OS command and can take over the application server. The upload could be done via Webdav (part of the Oracle Application Server), SMB, Webutil, SAMBA, NFS, FTP, ...

By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user.

Testcase

1. Create or modify a simple forms module and add the following command to the WHEN_NEW_FORM_INSTANCE-Trigger:
   Host('ls forms_is_unsecure.txt' , NO_SCREEN);
2. Generate the forms executable (e.g. hacker.fmx) for the destination platform (e.g. Linux, Solaris, Windows, ...)
3. Copy the forms executable hacker.fmx to a directory on the Oracle Application Server (e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, ...)
4. Run the form hacker.fmx as user Oracle and specify an absolute path for the forms executable:
   http://myserver.com:7779/forms90/f90servlet?form=/public/johndoe/hacker.fmx
   or
   http://myserver.com:7779/forms90/f90servlet?module=/tmp/hacker.fmx
5. The host command is executed as user Oracle (Unix) or user SYSTEM (Windows).

Workarounds

Available at http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html

Patch Information

This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue. They recommend migrating to Oracle Forms 10g because 9i and 10g are binary compatible.

History

24-sep-2003 Oracle secalert was informed
25-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
18-apr-2005 Oracle Forms Product Management contacted.
20-apr-2005 Email from Product Management that customers should migrate to Forms 10g. No patches for Forms 6i or 9i.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH - last update 19-july-2005
[Full-disclosure] Oracle Advisory: Read parts of any file via desformat in Oracle Reports
Red-Database-Security GmbH - Oracle Security Advisory
Read parts of any file via desformat in Oracle Reports

Name: Read parts of any file via desformat in Oracle Reports
Systems Affected: All versions of Oracle Reports
Severity: Medium Risk
Category: Information disclosure
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 19 July 2005 (V 1.00)
Advisory: AKSEC2003-007
Initial bug report: 692 days ago
Advisory-URL: http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html

Details

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter desformat can read any file by using an absolute or relative file name. Parts of the file content are displayed in the Reports error message (see test case).

The DESFORMAT parameter specifies the format for the job output. In bit-mapped environments, use DESFORMAT to specify the printer driver to be used when DESTYPE is FILE. In character-mode environments, use it to specify the characteristics of the printer named in DESNAME.

Testcase

http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=scott/[EMAIL PROTECTED]/etc/passwd

***Reports Output
REP-3002: Error in column 5 of line 1 of printer definition file /etc/passwd: Unknown keyword root.
REP-3002: Error initializing printer. Please make sure a printer is installed.
***Reports Output

Workaround

Available at http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html

Affected systems

All versions of Oracle Reports are affected.

Patch Information

This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue. If you think you need a patch to protect your Oracle Application Server you should contact Oracle.

History

27-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory

(c) 2005 by Red-Database-Security GmbH - last update 19-july-2005
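A defender-side check for the request shapes the five Red-Database-Security advisories above describe, added here as an example that is not part of any of the posts or of the advisory author's material. The advisories say the dangerous requests all share one feature: a file-naming servlet parameter (report, customize, desformat and desname for rwservlet; form and module for f90servlet) that carries an absolute path or a relative path leading out of the server's own directories. The script below parses Apache combined-format access log lines and flags exactly those requests, so an operator who cannot patch can at least see the attempts. The servlet names, parameter names and the '+'-separated Reports URL layout come from the advisories; the log lines, client addresses and the decision rules (absolute path, '..' traversal, any separator in desformat or customize) are constructed assumptions.

```python
"""Flag Oracle Reports / Forms servlet requests whose file parameters point
outside the server's own directories.

Added example, not code from the advisories. The servlet and parameter names
(rwservlet: report, customize, desformat, desname; f90servlet: form, module)
and the URL layout come from the advisories; the log lines, addresses and
decision rules are constructed here.
"""
import re
from urllib.parse import unquote, urlsplit

# Parameters through which each servlet opens (or writes) a file.
PATH_PARAMS = {
    "rwservlet": {"report", "customize", "desformat", "desname"},
    "f90servlet": {"form", "module"},
}
# Reports treats desformat as a bare format or printer name (PDF, HTML, ...)
# and customize as a file under its own directories, so any separator is odd.
SEPARATOR_IS_SUSPICIOUS = {"desformat", "customize"}

ABS_PATH = re.compile(r"^(?:[\\/]|[A-Za-z]:[\\/])")      # /tmp/x.rdf, C:\x.rdf
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")     # ../ or \..\
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def parse_servlet_params(url):
    """Return (servlet name, {param: value}) for a request URL.

    Reports URLs join parameters with '+' (server=x+report=y), Forms URLs
    with '&'; both separators are accepted and values are percent-decoded.
    """
    parts = urlsplit(url)
    servlet = parts.path.rsplit("/", 1)[-1].lower()
    params = {}
    for chunk in re.split(r"[&+]", parts.query):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            params[key.lower()] = unquote(value)
    return servlet, params


def suspicious_params(servlet, params):
    """Return [(name, value)] for file parameters that escape the servlet's
    configured directories. A desname with an absolute path can be legitimate
    when destype=file, so such hits are reported for review, not as proof."""
    watched = PATH_PARAMS.get(servlet)
    if not watched:
        return []
    hits = []
    for name in sorted(watched & set(params)):
        value = params[name]
        if ABS_PATH.search(value) or TRAVERSAL.search(value):
            hits.append((name, value))
        elif name in SEPARATOR_IS_SUSPICIOUS and re.search(r"[\\/]", value):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Parse combined-format access log lines and return one finding per
    request that carries at least one suspicious file parameter."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue                      # not a request line we understand
        servlet, params = parse_servlet_params(match.group("url"))
        hits = suspicious_params(servlet, params)
        if hits:
            findings.append({
                "ip": match.group("ip"),
                "servlet": servlet,
                "status": int(match.group("status")),
                "hits": hits,
            })
    return findings


# Constructed sample log (Apache combined format); hosts and addresses are fictitious.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2005:10:00:01 +0200] "GET /reports/rwservlet?server=repserv+report=sales.rdf+destype=cache+desformat=PDF HTTP/1.1" 200 51234',
    '192.0.2.77 - - [19/Jul/2005:10:00:05 +0200] "GET /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF HTTP/1.1" 200 812',
    '192.0.2.77 - - [19/Jul/2005:10:00:09 +0200] "GET /reports/rwservlet?server=repserv+report=test.rdf+desformat=/etc/passwd HTTP/1.1" 500 2210',
    '192.0.2.77 - - [19/Jul/2005:10:00:12 +0200] "GET /reports/rwservlet?server=repserv+report=test.rdf+customize=..%2F..%2Fwebcache%2Fwebcache.xml HTTP/1.1" 500 2310',
    '192.0.2.88 - - [19/Jul/2005:10:00:20 +0200] "GET /forms90/f90servlet?module=/tmp/hacker.fmx HTTP/1.1" 200 4096',
    '192.0.2.10 - - [19/Jul/2005:10:00:25 +0200] "GET /forms90/f90servlet?form=orders.fmx HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['servlet']} status={finding['status']} -> {finding['hits']}")
```

Run against the constructed log, four of the six lines are flagged: the absolute report path, the desformat pointing at /etc/passwd, the percent-encoded traversal in customize, and the absolute Forms module path; the two ordinary requests pass. Note that a 500 status does not mean the attempt failed: in the desformat and customize cases the advisories show that the error page itself is what leaks the file contents.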
[Full-disclosure] Re: SiteMinder Multiple Vulnerabilities
> List: full-disclosure
> Subject: [Full-disclosure] SiteMinder Multiple Vulnerabilities
> From: c0ntexb () gmail ! com
> Date: 2005-07-08 14:08:53
> Message-ID: df8ba96d050708070869551019 () mail ! gmail ! com
>
> $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
>
> [...]
>
> I have contacted Netegrity via ca.com multiple times but received no response, as such, users should use a filtering technology like modsecurity to detect the above described attacks until a fix has been released.

Note that vulnerabilities can be reported to CA by a) sending email to [EMAIL PROTECTED], or b) submitting via a web form at http://www3.ca.com/securityadvisor/vulninfo/submit.aspx . The form can be found by clicking on the Submit a Vulnerability link at http://www3.ca.com/securityadvisor/ . This information is documented in the Vendor Dictionary at OSVDB.

Regards,
kw

Ken Williams ; Vulnerability Research
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
Re: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices
google's language translation also does this..

http://ipchicken.com
http://translate.google.com/translate?u=http://ipchicken.com

m.w

----- Original Message -----
From: Petko Petkov [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tuesday, July 19, 2005 4:05 AM
Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Notice: Anonymous Web Attacks via Dedicated Mobile Services

Security Risk: UNKNOWN
Publish Date: 2005 July 16
Security Researcher: Petko Petkov
Contact Information: [EMAIL PROTECTED]
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis

Various Mobile Services provide malicious users with an intermediate point to anonymously browse Web Resources and execute attacks against them.

Affected Applications

* Google's WMLProxy
* IYHY

Background

WAP stands for Wireless Application Protocol, a communication standard primarily designed for Information Exchange on various Wireless Terminals such as mobile telephones. WAP devices work with WML (Wireless Markup Language), a markup language similar to HTML but more strict because of its XML nature. WML and HTML are totally different in semantics. As such, there are applications located on The Internet that are able to transcode from HTML/XHTML to WML.

Description

An attacker can take advantage of Google's WMLProxy Service by sending an HTTP GET request with a carefully modified URL of a malicious nature. Such a request hides the attacker's IP address and may slow down future investigations of a successful break-in, since Google's Services are often over-trusted.

The following URL should reveal the current IP address:

http://ipchicken.com

However, a similar request proxied through WMLProxy:

http://wmlproxy.google.com/wmltrans/u=ipchicken.com

results in: 64.233.166.136 which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it is primarily designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate point for launching anonymous attacks. For example the following URL reveals IYHY's IP address:

http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their IP address further. For example, the following URL goes through WMLProxy and IYHY before getting to http://ipchicken.com:

http://wmlproxy.google.com/wmltrans/[EMAIL PROTECTED]

Impact

Misuse of Services like Google's WMLProxy and IYHY must be considered a high risk in situations where they are over-trusted. Google's entries are often filtered out from the logs, making all possible attacks undetectable. Moreover, attackers can make use of mobile devices to request dangerous URLs in order to compromise vulnerable Web Applications. If such requests are not monitored by the particular mobile network, there is no way to detect where the attack is launched from.

Workaround

Mobile Services can offer clever parameter filtering features to prevent the execution of dangerous requests. However, it is important to understand that simple input validation techniques can be easily circumvented. The tinyurl service can be used to obscure the dangerous URLs, bypassing the input validation checks that an application may have. It is also worth mentioning that modifying the requests, in order to stop certain XSS and SQL Injection attacks, may completely break the logic of the proxied Web Site, leaving the users with unsatisfactory results.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
SDmdYsnJsSRSMlgCEl6cMX4=
=J9z1
-----END PGP SIGNATURE-----
[Full-disclosure] Re: SiteMinder Multiple Vulnerabilities (solution)
> List: full-disclosure
> Subject: SiteMinder Multiple Vulnerabilities
> From: c0ntex c0ntexb () gmail ! com
> Date: 2005-07-08 14:08:53
>
> $ An open security advisory #10 - Siteminder v5.5 Vulnerabilities
>
> [...]

This issue is NOT present in out-of-the-box installations of SiteMinder. All supported versions of SiteMinder have an agent configuration parameter called CSSChecking that is, by default, set to YES. A SiteMinder administrator would have to intentionally set this parameter to NO to become vulnerable to this issue.

The CSSChecking configuration parameter has been very well documented in SiteMinder product documentation since 2001. This issue is also documented and addressed in a security advisory posted in October 2002 at this URL: (URL may wrap)

https://support.netegrity.com/ocp/custom/productdownload/productdownload.asp?isNodeGroup=null&ProductNumber=735&ParentId=493&groupType=249

Note that SiteMinder customers should continue to go to support.netegrity.com for product support.

Regards,
kw

Ken Williams ; Vulnerability Research
Computer Associates ; 0xE2941985
A9F9 44A6 B421 FF7D 4000 E6A9 7925 91DF E294 1985
[Full-disclosure] Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
Dear 3APA3A,

On 19 Jul 2005 at 13:35, 3APA3A wrote:

> Dear Amit Klein (AKsecurity),
>
> --Monday, July 18, 2005, 9:40:32 PM, you wrote to bugtraq@securityfocus.com:
>
> AKA> NTLM HTTP Authentication
> AKA> (and possibly other connection-oriented
> AKA> HTTP authentication and authorization protocols)
> AKA> is insecure by design
>
> NTLM authentication is insecure by design for external authentication, because of the single sign-on ideology. NTLM authentication can be used for an NTLM proxy attack. For example, an attacker who can hijack or spoof a server connection with NTLM authentication can use this connection to access a different Web server, mail server or file server with the client's credentials. This has been known for many years and has been discussed many times.

While not downplaying this remark, I'd say that:

1. By this argument, any non-cryptographically strong protocol should be considered insecure by design. I don't think that's what people have in mind. I think that per each protocol, there's a set of expectations. For example, no-one expects NTLM auth to protect data in transit. But people do expect NTLM not to be bypassed by silly methods.

2. I see a big difference between spoofing and hijacking attacks, which require a non-trivial skill set, and the attack I described, which, given the right preconditions, is so easy to mount that it can be done accidentally.

> A few years ago Internet Explorer was patched to use NTLM authentication only for the local network zone. The local network consists of hosts with a NetBIOS name (for example WEBSRV, excluded by default from proxy) and the list of proxy exclusions.

Uh, I don't think so. From my experiments with IE 6.0, it happily engages in NTLM authentication on non-local network sites. In fact, there are many sites on the Internet which require NTLM authentication. For example, OWA 2000/2003...

> So, under default configuration, NTLM will not be used through a proxy server, at least in Internet Explorer.

As a result of my former comment, I have to disagree. There ARE websites that require NTLM authentication, IE DOES perform it, so there's no theoretic reason why there shouldn't be proxy servers in between.

Thanks,
-Amit