[Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Security Advisory NSOADV-2010-002

Title:                  Google Wave Design Bugs
Severity:               Low
Advisory ID:            NSOADV-2010-002
Found Date:             16.11.2009
Date Reported:          18.11.2009
Release Date:           19.01.2010
Author:                 Nikolas Sotiriu (lofi)
Mail:                   nso-research at sotiriu.de
URL:                    http://sotiriu.de/adv/NSOADV-2010-002.txt
Vendor:                 Google (http://www.google.com/)
Affected Products:      Google Wave Preview (Date: <= 14.01.2010)
Not Affected Component: Google Wave Preview (Date: > 14.01.2010)
Remote Exploitable:     Yes
Local Exploitable:      No
Patch Status:           partially patched
Discovered by:          Nikolas Sotiriu
Disclosure Policy:      http://sotiriu.de/policy.html
Thanks to:              Thierry Zoller: For the permission to use his Policy

Background:
===========

Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more.

(Product description from Google Website)

Description:
============

All these possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff which is possible with the Wave.

1. Gadget phishing attack:
--------------------------

The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts and hopefully get the login credentials from a user. This behavior is normal. The problem is that this bug makes it easier to steal logins.

2. Virus spreading attack:
--------------------------

Uploaded files are not scanned for malicious code. An attacker could upload his malware to a wave and share it with his Google Wave contacts.

Proof of Concept:
=================

A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml

Solution:
=========

1. No changes made here. Workaround: Don't trust Waves.
2. Google builds in AV scanning.

Disclosure Timeline (/MM/DD):
=============================

2009.11.16: Vulnerability found
2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is 2009.12.03.
2009.12.03: Google Security Team asks for 2 more weeks to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is 2009.12.17.
            => No Response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me that there are no changes made before 2010.01.03.
2010.01.14: Google Security Team informs me that uploaded files will now be scanned for malware. Google Gadgets will not be updated.
2010.01.19: Release of this Advisory

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] iiscan results - a closer look
Hm, wondering if I should allow a China based company to scan any of my servers

just my 2 cents...

--
just because you're paranoid, doesn't mean they're not after you...

gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
Re: [Full-disclosure] iiscan results - a closer look
What's your problem? All the cool kids are doing it!

On Tue, Jan 19, 2010 at 7:00 AM, Gregor Schneider rc4...@googlemail.com wrote:
> Hm, wondering if I should allow a China based company to scan any of my servers
>
> just my 2 cents...
>
> --
> just because you're paranoid, doesn't mean they're not after you...
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
This is the stupidest advisory I have read on this list in at least two months.

2010/1/19 NSO Research nso-resea...@sotiriu.de
> [Security Advisory NSOADV-2010-002 quoted in full; snipped]
Re: [Full-disclosure] All China, All The Time
Jokes aside, has anyone seen this?

http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js

On Mon, Jan 18, 2010 at 1:44 PM, Christian Sciberras uuf6...@gmail.com wrote:
> Bipin,
>
> I'm not wise either, at least not when it comes to security, I'm just still discovering this world.
> Other than that, I didn't understand a thing of what you said.
>
> Regards,
> Christian Sciberras.
>
> On Mon, Jan 18, 2010 at 8:42 PM, Bipin Gautam bipin.gau...@gmail.com wrote:
>> Christian!
>>
>> I may not be as wise as you all but I left FD long back --- still I happen to stumble into security bugs every now and then. No, I didn't sit on a chair to look for it! It JUST followed me like a shadow. I hate it...
>>
>> At one point in time I got so sick of it all, I stopped counting my number of advisories.. but that doesn't help either.
>>
>> BOTTOM LINE: IT'S A PROBLEM BY ARCHITECTURE! A direction where infinite things can go wrong because your teeth are stronger if your roots are stronger?
>>
>> With due respect, I don't want to waste a life working on something like that for my whole life. Nothing meaningful @ end! Just business and politics that is fueling this ecosystem and we are like the soldiers fighting for virtue? f*** it
>>
>> THINK ABOUT IT.
[Full-disclosure] [ MDVSA-2010:015 ] roundcubemail
Mandriva Linux Security Advisory                         MDVSA-2010:015
http://www.mandriva.com/security/

Package : roundcubemail
Date    : January 19, 2010
Affected: Enterprise Server 5.0

Problem Description:

Multiple vulnerabilities have been found and corrected in transmission:

A number of dependency problems were discovered and have been corrected with this release (#56006).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077 (CVE-2009-4076).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076 (CVE-2009-4077).

The updated packages have been patched to correct these issues. Additionally roundcubemail has been upgraded to 0.2.2, which also fixes a number of upstream bugs.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
https://qa.mandriva.com/56006

Updated Packages:

Mandriva Enterprise Server 5:
a1f0123588ceb9641dcf271095c32a0c  mes5/i586/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm
9957258d449a99eea2065481183cb412  mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
bb7c6fb4c4d6c26fd352ef148e7dc099  mes5/x86_64/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm
9957258d449a99eea2065481183cb412  mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
[Full-disclosure] [ MDVSA-2010:017 ] ruby
Mandriva Linux Security Advisory                         MDVSA-2010:017
http://www.mandriva.com/security/

Package : ruby
Date    : January 19, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0

Problem Description:

A vulnerability has been found and corrected in ruby:

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator (CVE-2009-4492).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4492

Updated Packages:

[md5sum/package list for Mandriva Linux 2008.0, 2009.0, 2009.1 and 2010.0 omitted]
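CVE-2009-4492 above is a log injection problem: request bytes that contain terminal escape sequences are written to the access log verbatim and are interpreted when an administrator views the file in a terminal. The following added C example, which is not Mandriva's or the Ruby/WEBrick project's code, shows the mitigation (escape every control byte before it reaches the log) beside a detection check for lines already sitting in a log file; the function names and the sample request line are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A byte is unsafe in a log line if a terminal would act on it rather than
 * display it: C0 controls (0x00-0x1F, which includes ESC 0x1B and BEL 0x07)
 * and DEL (0x7F). Backslash is escaped as well so that a literal "\x1B" in a
 * request cannot masquerade as an already-escaped control byte. */
static bool needs_escape(unsigned char c)
{
    return c < 0x20 || c == 0x7F || c == '\\';
}

/* Copy `in` to `out` (capacity `outlen`), replacing each unsafe byte by its
 * \xHH form. Returns the number of bytes written excluding the NUL, or
 * (size_t)-1 when `out` is too small; on that path `out` is still
 * NUL-terminated and holds a truncated but safe prefix. */
size_t escape_log_field(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (needs_escape(*p)) {
            if (o + 4 >= outlen) { out[o] = '\0'; return (size_t)-1; }
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[*p >> 4]; out[o++] = hex[*p & 0x0F];
        } else {
            if (o + 1 >= outlen) { out[o] = '\0'; return (size_t)-1; }
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return o;
}

/* Detection side: true if a line already present in a log file contains no
 * raw control byte. An ESC, BEL or CR inside an access log entry is a sign
 * that an unsanitized request reached the file. A trailing newline is fine. */
bool log_field_is_clean(const char *line)
{
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == '\n' && p[1] == '\0')
            break;
        if (*p < 0x20 || *p == 0x7F)
            return false;
    }
    return true;
}

/* Constructed sample: a request line carrying an OSC "set window title"
 * sequence (ESC ] 0 ; ... BEL), the kind of payload the CVE text refers to. */
const char *sample_request(void)
{
    return "GET /\x1b]0;title-changed\x07 HTTP/1.1";
}

int main(void)
{
    char buf[128];
    const char *req = sample_request();
    if (escape_log_field(req, buf, sizeof buf) == (size_t)-1)
        return 1;
    printf("raw line clean?     %d\n", log_field_is_clean(req));
    printf("escaped line:       %s\n", buf);
    printf("escaped line clean? %d\n", log_field_is_clean(buf));
    return 0;
}
```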
[Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack - CVE-2010-0232

In order to support BIOS service routines in legacy 16bit applications, the Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode monitor code. These are implemented in two stages, the kernel transitions to the second stage when the #GP trap handler (nt!KiTrap0D) detects that the faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and call stack (which had been previously saved) from the faulting trap frame once authenticity has been verified. This verification relies on the following incorrect assumptions:

- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009).

Working out the details of the attack is left as an exercise for the reader. Just kidding, that was an homage to Derek Soeder :-)

- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.

Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order to access the authenticated system service, NtVdmControl(). VdmAllowed can only be set using NtSetInformationProcess(), which verifies the caller has SeTcbPrivilege. If this is true, the caller is very privileged and can certainly be trusted.

This restriction can be subverted by requesting the NTVDM subsystem, and then using CreateRemoteThread() to execute in the context of the subsystem process, which will already have this flag set.

- Assumption 1: ring3 code cannot install arbitrary code segment selectors.

Cpl is usually equal to the two least significant bits of cs and ss, and is a simple way to calculate the privilege of a task. However, there is an exception, Virtual-8086 mode.

Real mode uses a segmented addressing scheme in order to allow 16-bit addresses to access the 20-bit address space. This is achieved by forming physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The same calculation is used to map the segmented real address space onto the protected linear address space in Virtual-8086 mode.

Therefore, I must be permitted to set cs to any value, and checks for disallowed or privileged selectors can be bypassed (PsSetLdtEntries will reject any selector where any of the three lower bits are unset, as is the case with the required cs pair).

- Assumption 2: ring3 code cannot forge a trap frame.

Returning to usermode with iret is a complicated operation, the pseudocode for the iret instruction alone spans several pages of Intel's Software Developers Manual. The operation occurs in two stages, a pre-commit stage and a post-commit stage. Using the VdmContext installed using NtVdmControl(), an invalid context can be created that causes iret to fail pre-commit, thus forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS call handler. The address is static in Windows 2003, XP and earlier operating systems, however, Microsoft introduced kernel base randomisation in Windows Vista. Unfortunately, this potentially useful exploit mitigation is trivial to defeat locally as unprivileged users can simply query the loaded module list via NtQuerySystemInformation().

Affected Software
-----------------

All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to be affected, including but not limited to the following actively supported versions:

- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7

Consequences
------------

Upon successful exploitation, the kernel stack is switched to an attacker specified address. An attacker would trigger the vulnerability by setting up a specially formed VDM_TIB in their TEB, using a code sequence like this:

    /* ... */
    // Magic CS required for exploitation
    Tib.VdmContext.SegCs = 0x0B;
    // Pointer to fake kernel stack
    Tib.VdmContext.Esi = KernelStack;
    // Magic IP required for exploitation
    Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;
    NtCurrentTeb()->Reserved4[0] = &Tib;
    /* ... */

Followed by

    /* ... */
    NtVdmControl(VdmStartExecution, NULL);
    /* ... */

Which will reach the following code sequence via the #GP trap handler, nt!KiTrap0D. Please note how the stack pointer is restored from the saved (untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition described above.

    /* ... */
    .text:0043C3CE Ki386BiosCallReturnAddress proc near
    .text:0043C3CE     mov     eax, large fs:KPCR.SelfPcr
    .text:0043C3D4     mov     edi, [ebp+KTRAP_FRAME.Esi]
    .text:0043C3D7     mov     edi, [edi]
    .text:0043C3D9     mov
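The design flaw described above is that a magic cs:eip match is treated as proof of authenticity, after which the rest of a user-controllable trap frame (KTRAP_FRAME.Esi) is trusted as the new kernel stack. The following is an added C model written for this page, not Microsoft's code and not from the advisory: it reproduces that flawed stage-two decision beside a hardened one that keys the transition off kernel-owned state and never reads the stack pointer from the frame. `trap_frame_t`, `bios_call_record_t` and the 2 GB user/kernel split are assumptions of the model; the magic values are the ones quoted in the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the advisory: the cs:eip pair KiTrap0D matches. */
#define MAGIC_CS   0x0000000Bu
#define MAGIC_EIP  0x0043C3CEu   /* Ki386BiosCallReturnAddress in the listing */

/* Assumption: 32-bit Windows default split, kernel space starts at 2 GB. */
#define KERNEL_SPACE_START 0x80000000u

/* Minimal model of the #GP trap frame. Per the advisory every field here is
 * attacker-controllable (V86 mode lets ring3 pick cs, a pre-commit iret
 * failure lets it forge the rest), so nothing in it is evidence of anything. */
typedef struct {
    uint32_t esi;
    uint32_t eip;
    uint32_t cs;
    uint32_t eflags;   /* carried for completeness; deliberately never consulted */
} trap_frame_t;

/* Assumption (model, not the real kernel): state the kernel itself records
 * in stage one, in kernel memory the caller cannot write. */
typedef struct {
    bool     bios_call_pending;  /* set only by the kernel's stage-one path */
    uint32_t saved_kernel_stack; /* stack pointer the kernel saved itself */
} bios_call_record_t;

/* Flawed decision, modelled on the behaviour the advisory describes: the
 * magic match is taken as proof of authenticity and the new kernel stack
 * pointer is read from the frame. Returns the stack pointer the kernel would
 * switch to, or 0 when no switch happens. */
uint32_t flawed_stage2_stack(const trap_frame_t *f)
{
    if (f->cs == MAGIC_CS && f->eip == MAGIC_EIP)
        return f->esi;              /* user-controlled value becomes esp */
    return 0;
}

/* Hardened decision: the magic match only selects the handler. Whether a
 * stage-two transition is legitimate, and where the stack lives, is decided
 * from the kernel-owned record:
 *  - no stage-one call in flight for this thread -> forged frame, reject;
 *  - the stack pointer is the kernel's own saved copy, so the frame's esi is
 *    irrelevant even when a call really is pending;
 *  - that saved copy must lie in kernel space (defence in depth against a
 *    corrupted record). */
uint32_t hardened_stage2_stack(const trap_frame_t *f, const bios_call_record_t *rec)
{
    if (f->cs != MAGIC_CS || f->eip != MAGIC_EIP)
        return 0;
    if (!rec->bios_call_pending)
        return 0;
    if (rec->saved_kernel_stack < KERNEL_SPACE_START)
        return 0;
    return rec->saved_kernel_stack;
}

/* Constructed frame shaped like the one the advisory's code sequence yields:
 * magic cs:eip, attacker-chosen esi, EFLAGS with the VM bit (bit 17) set. */
trap_frame_t forged_frame(uint32_t fake_stack)
{
    trap_frame_t f = { fake_stack, MAGIC_EIP, MAGIC_CS, 0x00020246u };
    return f;
}

int main(void)
{
    trap_frame_t f = forged_frame(0x41414141u);
    bios_call_record_t idle = { false, 0 };
    bios_call_record_t live = { true, 0x8012EB00u };

    printf("flawed   : esp <- %08x\n", (unsigned)flawed_stage2_stack(&f));
    printf("hardened : esp <- %08x (no call pending)\n",
           (unsigned)hardened_stage2_stack(&f, &idle));
    printf("hardened : esp <- %08x (call pending, frame esi ignored)\n",
           (unsigned)hardened_stage2_stack(&f, &live));
    return 0;
}
```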
Re: [Full-disclosure] All China, All The Time
Mark, Dan, Smasher, etc.

Thanks for the feedback. I saw the thread this weekend, but I had to wait until today to respond. My main motivation was to point out that there is no free lunch, and often even security professionals forget to think critically. It was not meant to be a thorough assessment of the actual 0-day. However I appreciate the correction, the details of the exploit, and the observation that its sophistication was probably exaggerated in the media. I have changed some implicit wording in the article about China and added an addendum to the blog to clarify the exploit and thank sources.

~todd

Todd Densmore
HP Software - Application Security Center
todd.densm...@hp.com
770.343.7054 Office
[Full-disclosure] [ MDVSA-2010:018 ] phpMyAdmin
Mandriva Linux Security Advisory                         MDVSA-2010:018
http://www.mandriva.com/security/

Package : phpMyAdmin
Date    : January 19, 2010
Affected: Corporate 4.0

Problem Description:

Multiple vulnerabilities have been found and corrected in phpMyAdmin:

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors (CVE-2008-7251).

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors (CVE-2008-7252).

scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors (CVE-2009-4605).

This update provides phpMyAdmin 2.11.10, which is not vulnerable to these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4605
http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php

Updated Packages:

Corporate 4.0:
e03dbf68c5d28f28c6937d81a4e8c9aa  corporate/4.0/i586/phpMyAdmin-2.11.10-0.1.20060mlcs4.noarch.rpm
6ccf82f206cf5bf67073055a1954668f  corporate/4.0/SRPMS/phpMyAdmin-2.11.10-0.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
c1b99fd5d52f53f1bbd5fc56a99654de  corporate/4.0/x86_64/phpMyAdmin-2.11.10-0.1.20060mlcs4.noarch.rpm
6ccf82f206cf5bf67073055a1954668f  corporate/4.0/SRPMS/phpMyAdmin-2.11.10-0.1.20060mlcs4.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
Re: [Full-disclosure] MouseOverJacking attacks
Hello MustLive!

Thanking you for taking a personal approach to all of your list admirers! Prosperous futures abound! A missive granted in thy honor sweet prince of XSS.

On Sun, Jan 17, 2010 at 4:33 PM, MustLive mustl...@websecurity.com.ua wrote:
> Hello Travis!
>
> Thanks for your attention to my article about MouseOverJacking attacks.
>
>> If you read the HTML specification you can find all sorts of XSS attack vectors that people just assumed would be redundant to write entire articles on!
>
> Yes, I'm familiar with the HTML specification (as a web developer from the beginning of 1999) and I know about the different events in HTML. And as a web security professional I know a lot of XSS vectors. Many of the events in HTML are not widespread enough (or not usable enough) for XSS attacks to write entire articles about them, but such ones as onclick and onmouseover are those which are worth entire articles. A lot was said about attacks via onclick in 2008, so I decided to write about onmouseover in 2009 (because it's worth it).
>
> P.S. Because Jeff is already in my blacklist, as I mentioned to the list, there is no need to send me his letters in the future. If you decide to answer me, then write me directly.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: T Biehn tbi...@gmail.com
> To: Jeff Williams jeffwilli...@gmail.com
> Cc: MustLive mustl...@websecurity.com.ua; full-disclosure@lists.grok.org.uk
> Sent: Tuesday, January 05, 2010 4:53 PM
> Subject: Re: [Full-disclosure] MouseOverJacking attacks
>
>> Hey MustLive!
>>
>> If you read the HTML specification you can find all sorts of XSS attack vectors that people just assumed would be redundant to write entire articles on!
>>
>> Here!
>> http://www.w3.org/TR/REC-html40/interact/scripts.html
>>
>> -Travis
>>
>> On Sun, Jan 3, 2010 at 10:29 PM, Jeff Williams jeffwilli...@gmail.com wrote:
>>> Thanks for your wishes MustDie;
>>> Do you consider yourself as an oz XSS ninja ?
>>> Did your C.V. end in the OWASP trash bin ?
>>> And how the fuck did you come up with a nickname like that ?
>>> Let us know, we truly give a shit about your life, and xss.

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Apparently not. Read Google's Response:

> 2010.01.14: Google Security Team informs me that uploaded files will now be scanned for malware. Google Gadgets will not be updated.

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote:
> This is the stupidest advisory I have read on this list in at least two months.
>
> 2010/1/19 NSO Research nso-resea...@sotiriu.de
>> [Security Advisory NSOADV-2010-002 quoted in full; snipped]
[Full-disclosure] [CORELAN-10-006] BOF Vulnerability in S.O.M.P.L. Player
|--| | __ __ | | _ / /___ _ / / _ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | secur...@corelan.be | | | |-[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |--| Advisory: CORELAN-10-006 Disclosure date : 20 January 2010 http://www.corelan.be:8800/index.php/forum/security-advisories/ 0x00 : Vulnerability information [*] Product : S.O.M.P.L player [*] Version : 1.0 [*] Vendor : George Fesalides [*] URL : http://sourceforge.net/projects/somplmp3/files/ [*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html [*] Platform : Windows [*] Type of vulnerability : Buffer Overflow [*] Risk rating : Medium [*] Issue fixed in version : ??? [*] Vulnerability discovered by : Rick2600 [*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r 0x01 : Vendor description of software - S.O.M.PL. Is a Simple Open Music Player that plays mp3 files. This player loads mp3 files and stores them in a playlist. It includes features such as random tracks selection,tracks repetition,loading playlist, saving playlist. 0x02 : Vulnerability details The discovered vulnerability allows an attacker to send a crafted malicious playlist (M3U) whereby the user could be tricked into executing unauthorized commands. In order for the vulnerability to be triggered, an end user must be tricked into loading a malicious playlist (M3U) on SOMPL. Crash information : (dc.e4): Access violation - code c005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. 
eax=41414141 ebx=41414141 ecx= edx= esi=0012eb48 edi= eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=0246
VCL50!SystemLStrClr$qqrr17SystemAnsiString:
40004ae4 8b10 mov edx,dword ptr [eax] ds:0023:41414141=
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.

0:000 !exchain
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 (40048762)
0012fb7c: 41414141
Invalid exception stack at 41414141

!pvefindaddr findmsp :
Log data
0BADF00D -
0BADF00D Searching for metasploit pattern references
0BADF00D -
0BADF00D [1] Checking register addresses and contents
0BADF00D
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
0BADF00D Register EBP points to Metasploit pattern at position 4100
0BADF00D Register EDX points to Metasploit pattern at position 0
0BADF00D Register EBX is overwritten with Metasploit pattern at position 4096
0BADF00D Register ESI points to Metasploit pattern at position 0
0BADF00D [2] Checking seh chain
0BADF00D ==
0BADF00D - Checking seh chain entry at 0x0012eb2c, value 40048762
0BADF00D - Checking seh chain entry at 0x0012fb7c, value 46346946
0BADF00D = record is overwritten with Metasploit pattern at position 4152
0BADF00D -

0x03 : Vendor communication

[*] 28 dec 2009 : Vendor contacted - no reply
[*] 09 jan 2010 : Vendor contacted again - still no reply
[*] 20 jan 2010 : Public disclosure

0x04 : Exploit/PoC

# Exploit Title : SOMPL Player Buffer Overflow
# Date : 20 January 2010
# Author: Rick2600 (ricks2600[at]gmail{dot}com)
# Bug found by : Rick2600 (ricks2600[at]gmail{dot}com)
# Software Link : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
# Version : 1.0
# Issue fixed in: ???
# OS: Windows
#
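The crash log above has the classic shape of this bug class: a playlist entry copied into a fixed-size stack buffer with no length check, so registers are clobbered at pattern offset 4096 and the SEH record at 4152. The bounded M3U reader below is an added, defender-side example (neither Rick2600's PoC nor the player's own code); it assumes a 4 KiB entry buffer, a size inferred here from those offsets, and refuses any entry that would not fit rather than copying it.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the pattern offsets above (registers clobbered at
 * 4096, SEH record at 4152) point to an entry copied into a ~4 KiB stack
 * buffer with no length check. This reader checks before it copies. */
#define ENTRY_MAX 4096

typedef struct { int accepted, rejected; } m3u_stats; /* fit / refused */

/* Walk an in-memory M3U playlist line by line. Lines starting with '#'
 * (#EXTM3U, #EXTINF) are directives; every other non-empty line is a path. */
m3u_stats parse_m3u(const char *text)
{
    m3u_stats st = {0, 0};
    char entry[ENTRY_MAX];
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r') len--;   /* tolerate CRLF */
        if (len > 0 && p[0] != '#') {
            if (len >= sizeof entry) {      /* no room for the NUL: refuse */
                st.rejected++;
            } else {
                memcpy(entry, p, len);      /* bounded copy, then terminate */
                entry[len] = '\0';
                st.accepted++;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return st;
}

/* Constructed sample: two ordinary entries plus one path of n 'A's, the
 * shape a cyclic-pattern playlist takes. Returns the parser's verdict. */
m3u_stats run_demo(size_t n)
{
    const char *head = "#EXTM3U\r\n#EXTINF:-1,Track one\r\ntrack1.mp3\r\n"
                       "#EXTINF:-1,Track two\r\ntrack2.mp3\r\n";
    m3u_stats none = {-1, -1};          /* allocation-failure marker */
    size_t hl = strlen(head);
    char *pl = malloc(hl + n + 2);
    if (!pl) return none;
    memcpy(pl, head, hl);
    memset(pl + hl, 'A', n);
    strcpy(pl + hl + n, "\n");          /* terminate the oversized entry */
    m3u_stats st = parse_m3u(pl);
    free(pl);
    return st;
}
```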
[Full-disclosure] [Onapsis Security Advisory 2010-001] SAP WebAS Integrated ITS Remote Command Execution
Onapsis Security Advisory 2010-001: SAP WebAS Integrated ITS Remote Command Execution

This advisory can be downloaded from http://www.onapsis.com/research.html. By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to execute arbitrary remote commands over vulnerable SAP Web Application Servers, taking complete control of the SAP system. With these privileges, he would be able to obtain, create, modify and/or delete any business related information stored in the vulnerable SAP system.

- Risk Level: High

2. Advisory Information
=======================

- Release Date: 2010-01-19
- Last Revised: 2010-01-19
- Security Advisory ID: ONAPSIS-2010-001
- Onapsis SVS ID: ONAPSIS-06
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  . SAP Kernel 6.40 Patch Level 312
  . SAP Kernel 7.00 Patch Level 235
  . SAP Kernel 7.01 Patch Level 72
- Vulnerability Class: Buffer Overflow
- Remotely Exploitable: Yes
- Locally Exploitable: Yes
- Authentication Required: Yes

4. Affected Components Description
==================================

The SAP Web Application Server (WebAS) is the application platform of the SAP NetWeaver, which is the basis for the other NetWeaver components. With the SAP Web Application Server you can implement both server-based and client-based Web applications.

As of SAP NetWeaver 04, the ITS is now integrated into the SAP NetWeaver component SAP Web Application Server as an Internet Communication Framework (ICF) service, which can, like other services, be accessed through the Internet Communication Manager (ICM). With the SAP Web Application Server with integrated ITS functionality, the Web browser communicates directly with the SAP system.

The integrated ITS is widely used among SAP implementations, the Webgui service being one of the most common services. This service provides access to the SAP system through a SAPGUI HTML interface, enabling end-users to access the server through a regular Internet browser.

5. Vulnerability Details
========================

Due to the significant risk of this vulnerability to critical business solutions, Onapsis is not distributing technical details about it to the general public at this moment, in order to provide enough time for affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1414112, which provides a patched version of the affected components. This patch can be downloaded from https://service.sap.com/sap/support/notes/1414112.

Onapsis highly recommends that SAP customers download the related security fix and apply it to the affected components in order to reduce business risks.

7. Report Timeline
==================

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2009-12-12: SAP releases security patch.
. 2010-01-14: Onapsis coordinates release of security advisory with SAP.
. 2010-01-19: Onapsis releases security advisory.

8. About Onapsis Research Labs
==============================

Onapsis is continuously investing resources in the research of the security of business critical systems and applications. With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

9. About Onapsis
================

Onapsis is the leading provider of solutions for the security of business-critical systems and applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks. Onapsis is built upon a team of world-renowned experts in the
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether it's via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine.

--
Rohit Patnaik

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote:

> This is the stupidest advisory I have read on this list in at least two months.
>
> 2010/1/19 NSO Research nso-resea...@sotiriu.de
>
>> Security Advisory NSOADV-2010-002
>> Title: Google Wave Design Bugs
>> Severity: Low
>> Advisory ID: NSOADV-2010-002
>> Release Date: 19.01.2010
>> Author: Nikolas Sotiriu (lofi)
>> URL: http://sotiriu.de/adv/NSOADV-2010-002.txt

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] All China, All The Time
Now, by analyzing the software used in the break-ins against Google and dozens of other companies, Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese-authored technical paper that has been published exclusively on Chinese-language Web sites.

http://news.cnet.com/Evidence-found-of-Chinese-attack-on-Google/2100-7349_3-6250413.html?tag=newsEditorsPicksArea.0

On Wed, Jan 20, 2010 at 6:51 AM, Densmore, Todd todd.densm...@hp.com wrote:

> Mark, Dan, Smasher, etc.
>
> Thanks for the feedback. I saw the thread this weekend, but I had to wait until today to respond. My main motivation was to point out that there is no free lunch, and often even security professionals forget to think critically. It was not meant to be a thorough assessment of the actual 0-day. However I appreciate the correction, the details of the exploit, and the observation that its sophistication was probably exaggerated in the media. I have changed some implicit wording in the article about China and added an addendum to the blog to clarify the exploit and thank sources.
>
> ~todd
>
> Todd Densmore
> HP Software - Application Security Center
> todd.densm...@hp.com
> 770.343.7054 Office

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:

> Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether it's via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine.

Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind.

The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. "Hey Joe, look at this PDF and tell me what you think" is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDFs in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast.

Let's look at that original advisory again:

> An attacker could upload his malware to a wave and share it to his Google Wave contacts.

Now change that to:

> An attacker could trick/pwn some poor victim into uploading the malware to a wave

Hilarity ensues.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/