Re: [Full-disclosure] WinAppDbg 1.4 is out!
How is it different from pydbg?

Sent from my Blackberry handheld.

----- Original Message -----
From: Mario Vilas mvi...@gmail.com
To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; Python-Win32 List python-wi...@python.org
Sent: Tue Aug 24 09:00:59 2010
Subject: WinAppDbg 1.4 is out!

What is WinAppDbg?
==================

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

What's new in this version?
===========================

In a nutshell...

 * fully supports Python 2.4 through 2.7
 * fully supports Windows XP through Windows 7, 32 and 64 bit editions
 * crash report tool now supports MSSQL (requires pyodbc)
 * now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
 * new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer, inspired by the same tool by Nicolas Economou)
 * the tutorial is now available in chm and pdf formats
 * now with only one MSI installer for all supported Python versions
 * added support for diStorm 3 (falls back to the old version if not found)
 * now using cerealizer instead of pickle whenever possible
 * added new command to the command line debugger to show the SEH chain
 * a few more anti-anti-debug tricks were added, still more to go!
 * several improvements to the Window instrumentation classes
 * more code examples
 * more Win32 API wrappers
 * lots of miscellaneous improvements, more documentation and bugfixes as usual!

Entire changelog for all versions (slow!):
http://p.sf.net/winappdbg/changelog

Where can I find WinAppDbg?
===========================

Project homepage:
-----------------

http://tinyurl.com/winappdbg

Download links:
---------------

Windows installer (32 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.exe/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.msi/download

Windows installer (64 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.exe/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.msi/download

Source code
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.zip/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.tar.bz2/download

Documentation:
--------------

Online
http://winappdbg.sourceforge.net/doc/v1.4/tutorial
http://winappdbg.sourceforge.net/doc/v1.4/reference

For download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.pdf/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.pdf/download

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2096-1] New zope-ldapuserfolder packages fix authentication bypass
------------------------------------------------------------------------
Debian Security Advisory DSA-2096-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
August 24, 2010                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : zope-ldapuserfolder
Vulnerability  : missing input validation
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-2944
Debian Bug     : 593466

Jeremy James discovered that in zope-ldapuserfolder, a Zope extension used to authenticate against an LDAP server, the authentication code does not verify the password provided for the emergency user. Malicious users that manage to get the emergency user login can use this flaw to gain administrative access to the Zope instance, by providing an arbitrary password.

For the stable distribution (lenny), this problem has been fixed in version 2.9-1+lenny1.

The package no longer exists in the upcoming stable distribution (squeeze) or the unstable distribution.

We recommend that you upgrade your zope-ldapuserfolder package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9.orig.tar.gz
    Size/MD5 checksum:   106677 c380401e4de43c4aa5aad8c7af104ac5
  http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc
    Size/MD5 checksum:     1122 65bc92834fb17c525b9c5a43589a05e6
  http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz
    Size/MD5 checksum:     2635 fdfc884244f970d77f3da18a638a135c

Architecture independent packages:

  http://security.debian.org/pool/updates/main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb
    Size/MD5 checksum:   110686 44db774a6142e62e71ac0e0cb9e6fafa

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[Full-disclosure] DLL hijacking on Linux
All,

If you've seen the recent Microsoft advisory, I put together a nice post on a similar DLL hijacking issue that affects Linux (and other POSIX-alikes). You can read the full details on my blog (http://www.nth-dimension.org.uk/blog.php?id=87) but the key point is that an empty directory specification statement in LD_LIBRARY_PATH, PATH (and probably others) is equivalent to $CWD. That is to say that LD_LIBRARY_PATH=:/lib is equivalent to LD_LIBRARY_PATH=.:/lib. It can occur when a script has LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib or similar and LD_LIBRARY_PATH hasn't previously been defined.

It's worth checking for this kind of thing in scripts that may be run via sudo/su when auditing hosts. I don't believe it's a vulnerability per se, but particular instances of broken scripts may well be.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
Re: [Full-disclosure] DLL hijacking on Linux
On Wednesday 25 August 2010 02:26:22 Tim Brown wrote:
> All,
>
> If you've seen the recent Microsoft advisory, I put together a nice post on a similar DLL hijacking issue that affects Linux (and other POSIX-alikes). You can read the full details on my blog (http://www.nth-dimension.org.uk/blog.php?id=87) but the key point is that an empty directory specification statement in LD_LIBRARY_PATH, PATH (and probably others) is equivalent to $CWD. That is to say that LD_LIBRARY_PATH=:/lib is equivalent to LD_LIBRARY_PATH=.:/lib. It can occur when a script has LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib or similar and LD_LIBRARY_PATH hasn't previously been defined.
>
> It's worth checking for this kind of thing in scripts that may be run via sudo/su when auditing hosts. I don't believe it's a vulnerability per se, but particular instances of broken scripts may well be.

man sudo(8):

    Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.

-- 
Mihai Donțu
Re: [Full-disclosure] DLL hijacking on Linux
On Wednesday 25 August 2010 10:38:37 Mihai Donțu wrote:
> man sudo(8):
>
>     Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.

Absolutely, but in the case I gave, the path is set /by the script/, not inherited from the original user. The script sets the dangerous path, but since sudo hasn't changed the CWD it points at the directory the user running sudo was in.

Tim
-- 
Tim Brown
mailto:t...@65535.com
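An auditing check for the pattern discussed in this thread, added here as an example (it is not code from Tim's post or blog): it reports empty elements in a search-path value, flags the unguarded VAR=$VAR:dir idiom in script text, and shows the guarded way to append. The wrapper script it scans is constructed for the example; the function and variable names are the example's own.

```python
import re


# Positions of empty elements in a colon-separated search path. The loader
# and the shell treat an empty element as the current directory, so ':/lib'
# (position 0), '/usr/lib::/lib' (position 1) and '/usr/lib:' (position 1)
# all silently search $CWD. An unset or entirely empty variable is a
# different case and is not reported here.
def empty_entries(value):
    if not value:
        return []
    return [i for i, part in enumerate(value.split(":")) if part == ""]


# Append a directory to a search path without ever producing an empty
# element: when the existing value is unset or empty, the result is just the
# directory. This mirrors the shell idiom VAR=${VAR:+$VAR:}/dir, which avoids
# the leading ':' that VAR=$VAR:/dir leaves when VAR was never defined.
def safe_append(value, directory):
    return "%s:%s" % (value, directory) if value else directory


# An assignment to PATH or LD_LIBRARY_PATH that either starts with a bare ':'
# or references the variable itself right next to a ':' ($VAR:... or ...:$VAR,
# with or without braces). If VAR is unset, each of these leaves an empty
# element behind.
_UNGUARDED = re.compile(
    r"\b(LD_LIBRARY_PATH|PATH)=(?::|\S*?(?::\$\{?\1\}?|\$\{?\1\}?:))")

# The ${VAR:+$VAR:} idiom also contains "$VAR:" but only expands when VAR is
# set, so lines using it are not reported.
_GUARDED = re.compile(r"\$\{(?:LD_LIBRARY_PATH|PATH):\+")


# Scan shell script text and return (line_number, line) for each line that
# appends to PATH or LD_LIBRARY_PATH in a way that yields an empty element
# when the variable was not previously defined.
def scan_script(text):
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if _UNGUARDED.search(line) and not _GUARDED.search(line):
            hits.append((number, line))
    return hits


# Check an environment mapping (e.g. os.environ) and report the search-path
# variables that already contain an empty element.
def audit_environment(environ):
    findings = {}
    for name in ("PATH", "LD_LIBRARY_PATH"):
        value = environ.get(name)
        if value is not None:
            positions = empty_entries(value)
            if positions:
                findings[name] = positions
    return findings


# Constructed sample of a wrapper script of the kind that might be run via
# sudo. Line 3 is the pattern from the thread, line 4 is the guarded form,
# and line 5 yields a trailing empty element if PATH happens to be unset.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed example wrapper
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/app/lib
PATH=${PATH:+$PATH:}/opt/app/bin
export PATH=/usr/local/bin:$PATH
exec /opt/app/bin/app "$@"
"""

if __name__ == "__main__":
    import os
    for number, line in scan_script(SAMPLE_SCRIPT):
        print("sample script line %d: %s" % (number, line))
    for name, positions in audit_environment(os.environ).items():
        print("%s has empty entries at positions %s" % (name, positions))
    print(safe_append(os.environ.get("LD_LIBRARY_PATH", ""), "/opt/app/lib"))
```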
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2882
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2882

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid value located in PoC repro.dir at offset 0x3812.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro11.dir) is available to interested parties.

DETAILS

Disassembly:

68113255 8B4C24 24    MOV ECX,DWORD PTR SS:[ESP+24]
68113259 8B01         MOV EAX,DWORD PTR DS:[ECX]
6811325B FF48 04      DEC DWORD PTR DS:[EAX+4]
6811325E 8B01         MOV EAX,DWORD PTR DS:[ECX]
68113260 8B48 04      MOV ECX,DWORD PTR DS:[EAX+4]
68113263 85C9         TEST ECX,ECX
68113265 ^0F8F 95EE   JG DIRAPI.68112100
6811326B 8B5424 24    MOV EDX,DWORD PTR SS:[ESP+24]
6811326F 8B08         MOV ECX,DWORD PTR DS:[EAX]
68113271 52           PUSH EDX
68113272 56           PUSH ESI
68113273 FF51 0C      CALL DWORD PTR DS:[ECX+C]   --- Problem

ECX = 0x

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2869
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2869

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro10.dir at offset 0x3712.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro10.dir) is available to interested parties.

DETAILS

Disassembly:

7C9011DD 8BFF                 MOV EDI,EDI
7C9011DF 55                   PUSH EBP
7C9011E0 8BEC                 MOV EBP,ESP
7C9011E2 83EC 54              SUB ESP,54
7C9011E5 56                   PUSH ESI
7C9011E6 64:A1 1800           MOV EAX,DWORD PTR FS:[18]
7C9011EC 803D 94E0977C 00     CMP BYTE PTR DS:[7C97E094],0
7C9011F3 8B75 08              MOV ESI,DWORD PTR SS:[EBP+8]
7C9011F6 8945 FC              MOV DWORD PTR SS:[EBP-4],EAX
7C9011F9 0F85 F7EC            JNZ ntdll.7C90FEF6
7C9011FF F646 10 10           TEST BYTE PTR DS:[ESI+10],10
7C901203 0F84 EDEC            JE ntdll.7C90FEF6
7C901209 5E                   POP ESI
7C90120A C9                   LEAVE
7C90120B C2 0400              RETN 4
7C90120E CC                   INT3
7C90120F C3                   RETN   --- Stop Here :)

EIP = 0x

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2868
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2868

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro04.dir at offset 0x320D.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem PoC files (repro04.dir, repro05.dir, repro06.dir, repro07.dir, repro08.dir and repro09.dir) are available to interested parties.

DETAILS

Disassembly:

69081240 74 46        JE SHORT IML32.69081288
69081242 8B16         MOV EDX,DWORD PTR DS:[ESI]
69081244 8B46 08      MOV EAX,DWORD PTR DS:[ESI+8]
69081247 83E2 02      AND EDX,2
6908124A 0BD5         OR EDX,EBP
6908124C 83CA 01      OR EDX,1
6908124F 8916         MOV DWORD PTR DS:[ESI],EDX
69081251 8B56 04      MOV EDX,DWORD PTR DS:[ESI+4]
69081254 8950 04      MOV DWORD PTR DS:[EAX+4],EDX
69081257 8B46 04      MOV EAX,DWORD PTR DS:[ESI+4]
6908125A 8B56 08      MOV EDX,DWORD PTR DS:[ESI+8]
6908125D 8950 08      MOV DWORD PTR DS:[EAX+8],EDX
69081260 8BFE         MOV EDI,ESI
69081262 03F5         ADD ESI,EBP
69081264 894C31 FC    MOV DWORD PTR DS:[ECX+ESI-4],ECX   --- Problem

ECX = 0x616CF240
ESI = 0x06C94038

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2864
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2864

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro03.dir at offset 0x24C6.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro03.dir) is available to interested parties.

DETAILS

Disassembly:

69009F10 56           PUSH ESI
69009F11 8B7424 08    MOV ESI,DWORD PTR SS:[ESP+8]
69009F15 85F6         TEST ESI,ESI
69009F17 74 46        JE SHORT IML32.69009F5F
69009F19 8B06         MOV EAX,DWORD PTR DS:[ESI]
69009F1B 85C0         TEST EAX,EAX
69009F1D 74 3A        JE SHORT IML32.69009F59
69009F1F 8B48 04      MOV ECX,DWORD PTR DS:[EAX+4]   --- Problem

EAX = 0xA1A1
ECX = 0x0013D0C8

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2881
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2881

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module IML32.dll by opening a malformed file with an invalid value located in PoC repro02.dir at offset 0x24C0.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro02.dir) is available to interested parties, together with a deep exploitability analysis.

DETAILS

Disassembly:

6900725F 8B0D 3CEA0B69    MOV ECX,DWORD PTR DS:[690BEA3C]
69007265 8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
69007268 8B75 0C          MOV ESI,DWORD PTR SS:[EBP+C]
6900726B F7C7 0700        TEST EDI,7
69007271 74 0F            JE SHORT IML32.69007282
69007273 8A06             MOV AL,BYTE PTR DS:[ESI]
69007275 83C6 01          ADD ESI,1
69007278 8807             MOV BYTE PTR DS:[EDI],AL
6900727A 83C7 01          ADD EDI,1
6900727D 49               DEC ECX
6900727E 74 42            JE SHORT IML32.690072C2
69007280 ^EB E9           JMP SHORT IML32.6900726B
69007282 83F9 20          CMP ECX,20
69007285 7C 29            JL SHORT IML32.690072B0
69007287 0F6F5E 18        MOVQ MM3,QWORD PTR DS:[ESI+18]   --- Problem

ESI = 0x06CAFFE8

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
[Full-disclosure] Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2880
Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2010-2880

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers to view rich-media content on the web including animations, interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media files, which causes a corruption in module DIRAPI.dll by opening a malformed file with an invalid value located in PoC repro01.dir at offset 0x47.

This problem was confirmed in the following versions of Adobe Shockwave Player; other versions may also be affected.

Shockwave Player version 11.5.7.609 and older for Windows and MacOS

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9

We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.dir) is available to interested parties.

DETAILS

Disassembly:

68001602 40           INC EAX
68001603 83E0 FE      AND EAX,FFFE
68001606 8945 04      MOV DWORD PTR SS:[EBP+4],EAX
68001609 8D5408 08    LEA EDX,DWORD PTR DS:[EAX+ECX+8]
6800160D 8B47 20      MOV EAX,DWORD PTR DS:[EDI+20]
68001610 8B58 10      MOV EBX,DWORD PTR DS:[EAX+10]
68001613 83FB FF      CMP EBX,-1
68001616 895424 14    MOV DWORD PTR SS:[ESP+14],EDX
6800161A 895C24 10    MOV DWORD PTR SS:[ESP+10],EBX
6800161E 0F8E 9201    JLE DIRAPI.680017B6
68001624 53           PUSH EBX
68001625 57           PUSH EDI
68001626 E8 C514      CALL DIRAPI.68002AF0
6800162B 8BD8         MOV EBX,EAX
6800162D 8B43 10      MOV EAX,DWORD PTR DS:[EBX+10]   -- Problem

EBX = 0x46A6FAAC
EAX = 0x46A6FAAC

CREDITS

This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo.

-- 
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
Re: [Full-disclosure] WinAppDbg 1.4 is out!
Basically it supports 64 bits Windows, has a few more features, and comes with a crash analyzer. PyDbg on the other hand supports Mac OS and is integrated to PaiMei. So both frameworks have their own advantages.

Also the programming API for PyDbg is much simpler (but still powerful), but WinAppDbg's is more complete, documented, and object oriented.

So if I were you, I wouldn't rush to port all my already written code to WinAppDbg :) but if you're about to code something new you might want to give it a try!

On Tue, Aug 24, 2010 at 9:42 PM, Aleksandr Yampolskiy ayampols...@gilt.com wrote:
> How is it different from pydbg?
>
> Sent from my Blackberry handheld.
>
> ----- Original Message -----
> From: Mario Vilas mvi...@gmail.com
> To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; Python-Win32 List python-wi...@python.org
> Sent: Tue Aug 24 09:00:59 2010
> Subject: WinAppDbg 1.4 is out!

-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won't you show her where we keep the euphemism?
[Full-disclosure] Secunia Research: KDE Okular PDB Parsing RLE Decompression Buffer Overflow
======================================================================

                     Secunia Research 25/08/2010

   - KDE Okular PDB Parsing RLE Decompression Buffer Overflow -

======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

======================================================================
1) Affected Software

* KDE Okular 4.4.5

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: System access
Where:  Remote

======================================================================
3) Vendor's Description of Software

Okular is a universal document viewer based on KPDF for KDE 4.

Product Link:
http://okular.kde.org/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in KDE Okular, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused by a boundary error within the RLE decompression in the TranscribePalmImageToJPEG() function in generators/plucker/unpluck/image.cpp. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PDB file.

======================================================================
5) Solution

Apply patches. See the vendor's advisory for additional details.
http://www.kde.org/info/security/advisory-20100825-1.txt

======================================================================
6) Time Table

11/08/2010 - Vendor notified.
11/08/2010 - Vendor response.
25/08/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Stefan Cornelius, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-2575 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-109/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
[Full-disclosure] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100825-cucm

Revision 1.0

For Public Release 2010 August 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Communications Manager contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of voice services.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100825-cucm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by vulnerabilities that are described in this advisory:

  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x
  * Cisco Unified Communications Manager 8.x

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager version 4.x is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of voice services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd17310 and has been assigned the CVE identifier CVE-2010-2837. This vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(5)SU1, 7.0(2a)SU3, 7.1(3b)SU2, 7.1(5) and 8.0(1). Cisco Unified Communications Manager version 4.x is not affected.

The second SIP DoS vulnerability is documented in Cisco bug ID CSCtf66305 and has been assigned the CVE identifier CVE-2010-2838. The second vulnerability is fixed in Cisco Unified Communications Manager versions 7.0(2a)SU3, 7.1(5) and 8.0(3). Cisco Unified Communications Manager versions 4.x and 6.x are not affected.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd17310 - potential core dump issue in SIPStationInit code

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

CSCtf66305 - CCM Coredump From SendCombinedStatusInfo on Fuzzed REGISTER Message

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. Cisco Unified Communications Manager will restart the affected processes, but repeated attacks may result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution
[Full-disclosure] Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100825-cup

Revision 1.0

For Public Release 2010 August 25 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities could cause an interruption of presence services.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected:

  * Cisco Unified Presence 6.0 versions prior to 6.0(7)
  * Cisco Unified Presence 7.0 versions prior to 7.0(8)

Note: Cisco Unified Presence version 8.0(1) shipped with software fixes for all the vulnerabilities described in this advisory.

Administrators of systems running Cisco Unified Presence can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command "show version active" using the command line interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Presence contains two DoS vulnerabilities that involve the processing of SIP messages. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, which could result in the disruption of presence services. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected.

The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd14474 and has been assigned the CVE identifier CVE-2010-2839. This vulnerability is fixed in Cisco Unified Presence versions 6.0(7) and 7.0(8).

The second SIP DoS vulnerability is documented in Cisco bug ID CSCtd39629 and has been assigned the CVE identifier CVE-2010-2840. This vulnerability is fixed in Cisco Unified Presence versions 6.0(7) and 7.0(8).

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCtd14474 - SIPD Coredumps due to Possible Stack Corruption During Fuzzing

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

CSCtd39629 - PE Coredump On Subscribe Message with Contact Field Error

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Cisco Unified Presence will restart the affected processes, but repeated attacks may result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance
[Full-disclosure] [USN-976-1] Tomcat vulnerability
===========================================================
Ubuntu Security Notice USN-976-1             August 25, 2010
tomcat6 vulnerability
CVE-2010-2227
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.04:
  libtomcat6-java                 6.0.18-0ubuntu6.3

Ubuntu 9.10:
  libtomcat6-java                 6.0.20-2ubuntu2.2

Ubuntu 10.04 LTS:
  libtomcat6-java                 6.0.24-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Tomcat incorrectly handled invalid Transfer-Encoding headers. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a denial of service, or possibly obtain sensitive information from other requests.

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.3.diff.gz
      Size/MD5:    30050 75de0a1316bc34227060d042c20d8c38
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.3.dsc
      Size/MD5:     1412 188f1cfcc4b3b63975c0e2229c19d38c
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18.orig.tar.gz
      Size/MD5:  3484249 9bdbb1c1d79302c80057a70b18fe6721

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java-doc_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:   246612 21e11f9c0a17be237dd9f97d584ff2ab
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:   172804 392096566951baab934719b4639b45b8
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libtomcat6-java_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:  2847842 553828b2f158cf856bfe604bc9f4be45
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-admin_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:    38210 c10afbf52194108e7bf89e16744934bc
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-common_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:    53524 646532e66478de18e2a0a75fce6bd115
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-docs_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:   714432 04c88fc0ab11de3f39e0f05ef3f47d3c
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-examples_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:   418592 f7d35eea325ee1914cbc4988420993eb
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-user_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:    20974 8cb24c726ce75010f98ba6ec2a516ea6
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.3_all.deb
      Size/MD5:    25352 92268953fafb1a5ef96f6d6e645ae12e

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.20-2ubuntu2.2.diff.gz
      Size/MD5:    25177 65aeb39da2704850e5b368a46980e8ee
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.20-2ubuntu2.2.dsc
      Size/MD5:     1564 7a27be3c6be1df01a80219a71b219696
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.20.orig.tar.gz
      Size/MD5:  3590562 44f49e7e14028b6a53c3c346bd18c72f

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java-doc_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:   247294 b4cbcd364cbcd04911e3b25cf198f07c
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:   183096 06459b765e5a80932965d8799e14471f
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libtomcat6-java_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:  2914570 9c2bffea9539d14880558033dab95eac
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-admin_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:    38912 67d391543e5074d3bf0b4950adea23f8
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-common_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:    36678 dbb73216c89c46e7c431b56d0caaad9f
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-docs_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:   480078 df083c520b559f4784b9e84716e9e545
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-examples_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:   419192 54964deda126605ecedbbae6646aea19
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-user_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:    21754 8ae9f3fadceacf93c7a0ec2c5822ba0c
    http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.20-2ubuntu2.2_all.deb
      Size/MD5:    26162 f764f22044eb2f804d034447f19aa713
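The notice says only that invalid Transfer-Encoding headers were mishandled, with a denial of service or exposure of data from other requests as the result; it does not describe what Tomcat changed. The Python example below is added here and is not Tomcat's code: it is a strict validator of the kind a server front end needs so that a request it cannot frame is refused with a status code and the connection is closed, leaving no half-parsed state on a connection the next request would reuse. The set of supported codings and the tuple it returns are assumptions made for the example.

```python
import re

# Codings this (hypothetical) server can decode.  Anything else is answered
# with 501 Not Implemented and the connection is closed; the list itself is an
# assumption for the example, not Tomcat's.
SUPPORTED_CODINGS = {"chunked", "identity", "gzip", "x-gzip", "deflate", "compress", "x-compress"}

# RFC 2616 token characters: a coding name with anything else in it is malformed.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_transfer_encoding(header_values):
    """Flatten one or more Transfer-Encoding header values into lower-cased
    coding names.  Parameters after ';' are dropped and empty list elements
    are tolerated, as RFC 2616 section 2.1 allows for #rule lists."""
    codings = []
    for value in header_values:
        for element in value.split(","):
            element = element.strip()
            if not element:
                continue
            codings.append(element.split(";", 1)[0].strip().lower())
    return codings


def check_transfer_encoding(header_values):
    """Return (status, chunked, close).

    status is None when the request may proceed, otherwise the HTTP status to
    send.  close is True whenever status is set: the connection is dropped
    rather than kept alive, so whatever was buffered for this request cannot
    be read back as part of the next one on the same connection."""
    if not header_values:
        return None, False, False            # no header: body framed by Content-Length or absent
    codings = parse_transfer_encoding(header_values)
    if not codings:
        return 400, False, True              # header present but carries no coding
    for name in codings:
        if not TOKEN.match(name):
            return 400, False, True          # not a token: malformed
        if name not in SUPPORTED_CODINGS:
            return 501, False, True          # unknown coding: cannot frame the body
    if codings.count("chunked") > 1:
        return 400, False, True
    if "chunked" in codings and codings[-1] != "chunked":
        return 400, False, True              # chunked must be the final coding applied
    return None, "chunked" in codings, False


if __name__ == "__main__":
    for sample in (["chunked"], ["gzip, chunked"], ["chunked, gzip"], ["bogus"], [""], ["chun ked"]):
        print(sample, "->", check_transfer_encoding(sample))
```

The decision to close is the part that matters for the cross-request exposure the notice mentions: an error response alone still leaves the connection open, and any buffer the server did not reset is then visible to the next request's handling.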
[Full-disclosure] [USN-977-1] MoinMoin vulnerabilities
===========================================================
Ubuntu Security Notice USN-977-1             August 25, 2010
moin vulnerabilities
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  python2.4-moinmoin              1.5.2-1ubuntu2.7

Ubuntu 8.04 LTS:
  python-moinmoin                 1.5.8-5.1ubuntu2.5

Ubuntu 9.04:
  python-moinmoin                 1.8.2-2ubuntu2.5

Ubuntu 9.10:
  python-moinmoin                 1.8.4-1ubuntu1.3

Ubuntu 10.04 LTS:
  python-moinmoin                 1.9.2-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.diff.gz
      Size/MD5:    49089 798d58a0653bc3c6f340a8dfcd67139a
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2-1ubuntu2.7.dsc
      Size/MD5:      711 b3b09797305667d6fcfd30e8bf7876ba
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.2.orig.tar.gz
      Size/MD5:  3975925 689ed7aa9619aa207398b996d68b4b87

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:  1508970 fbda9dabaa4e983fbc56b10d59c3fc2d
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:    70242 750193bf55e2d3df3f2fde6ed6b03a67
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python2.4-moinmoin_1.5.2-1ubuntu2.7_all.deb
      Size/MD5:   837102 5a32177941963f7e4f706c3277c13b2d

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.diff.gz
      Size/MD5:    68607 0edfd9492a73f79ec0abc4bc92d37be3
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8-5.1ubuntu2.5.dsc
      Size/MD5:      990 ced66d820c57593f80df919fa69170b6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.5.8.orig.tar.gz
      Size/MD5:  4351630 79625eaeb65907bfaf8b3036d81c82a5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moinmoin-common_1.5.8-5.1ubuntu2.5_all.deb
      Size/MD5:  1662232 91ca3ee6f8d48db16e29aff8d3f923e6
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.5.8-5.1ubuntu2.5_all.deb
      Size/MD5:   943264 3c08830a948982b97c93a331b2188b55

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.diff.gz
      Size/MD5:   109042 f0195805c73089e3fda1ad724fb60493
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2-2ubuntu2.5.dsc
      Size/MD5:     1354 307dda00e18ff959b74eb47c7082e954
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.2.orig.tar.gz
      Size/MD5:  5943057 b3ced56bbe09311a7c56049423214cdb

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.2-2ubuntu2.5_all.deb
      Size/MD5:  3904124 583e95f544c30bbd69655ce5b7d21dbf

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.diff.gz
      Size/MD5:   113133 d84de84bb2707f19f7a301e34505c313
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4-1ubuntu1.3.dsc
      Size/MD5:     1359 510b24aa0fc1f45708dba675ddb4b322
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.8.4.orig.tar.gz
      Size/MD5:  5959517 6a91a62f5c0dd5379f3c2411c6629496

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/python-moinmoin_1.8.4-1ubuntu1.3_all.deb
      Size/MD5:  3926296 280bb8332b7e105762cc417553579adc

Updated packages for Ubuntu 10.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.debian.tar.gz
      Size/MD5:   120262 a968937a9e6fa0a2a01c00fd72d35e94
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2-2ubuntu3.1.dsc
      Size/MD5:     1297 0771b4b929b30d60adf7932855653ba2
    http://security.ubuntu.com/ubuntu/pool/main/m/moin/moin_1.9.2.orig.tar.gz
      Size/MD5: 30111807
Re: [Full-disclosure] Reliable reports on attacks on medical software and IT-systems available?
Hi Halfdog,

While I have not come across any specific documentation of willful attacks, security (and software quality) issues abound in the medical device space. You might try researching some of the databases at the FDA [1]. In particular, a good place to start is the FDA MAUDE database (Manufacturer and User Facility Device Experience) [2].

A few search tips for MAUDE:

1. Choose the Event Type to focus in on injuries (death, injury, etc.)
2. Set a wide date range
3. Do a number of different searches using the various selections under Product Problem -- you can only choose one at a time. The values vary, but there's Computer failure, Computer hardware error, Computer operating system issue, Computer system security issue, Fail-safe design failure, Failure to back-up, etc.

For more focused databases, such as radiation-related, there's the Medical Radiation Emitting Device Recalls. Search tips for this DB include putting very general terms into the Reason for recall field, like "computer", to start.

An example of what you'll find in these databases:

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=1447254

    ...the system locked up with a message stating there was insufficient disk space to run windows. The system took several reboots to make it operational. The pt was experiencing a cardiac infarct during the failure.

Overall, I see a lack of rigorous guidelines for the data entry. That is, the problem descriptions are often vague, and in a narrative. Nor is there any severity rating or ranking, etc. We've a long way to go in structuring the reporting. We've likely even further to go regarding issue follow-up.

[1] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm
[2] http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.CFM
[3] http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm

Cheers,
--scm

On Tue, Aug 10, 2010 at 5:03 PM, halfdog m...@halfdog.net wrote:
> I have no knowledge of ongoing or planned attacks. I was just searching for historic reports of any age.
[Full-disclosure] ZDI-10-165: Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Vulnerability
ZDI-10-165: Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-165
August 25, 2010

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Trend Micro

-- Affected Products:
Trend Micro Internet Security Pro 2010

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10289. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Internet Security Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the UfPBCtrl.dll ActiveX control. The extSetOwner function accepts a parameter and assumes it is an initialized pointer. By specifying an invalid address, an attacker can force the process to call into a controlled memory region. This can be exploited to execute remote code under the context of the user invoking the browser.

-- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More details can be found at:

http://esupport.trendmicro.com/pages/Hot-Fix-UfPBCtrldll-is-vulnerable-to-remote-attackers.aspx

-- Disclosure Timeline:
2010-07-20 - Vulnerability reported to vendor
2010-08-25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Andrea Micalizzi aka rgod

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
Re: [Full-disclosure] DLL hijacking on Linux
Apache CouchDB (tested on Ubuntu 10.04) is vulnerable to exactly this issue. The script installed on my machine at /usr/bin/couchdb first sets LD_LIBRARY_PATH with:

    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/xulrunner-`xulrunner-1.9.2 --gre-version`/

At the time of invocation, the following environment is set up:

    command=env \"LD_LIBRARY_PATH=/usr/lib:${LD_LIBRARY_PATH}\" \"...

So in the normal case where LD_LIBRARY_PATH is empty at the time of invocation, the resulting path will be:

    /usr/lib::/usr/lib/xulrunner-[version]/

The vulnerability to hijacking can be trivially verified by creating a fake libc.so.6 in your current directory and running /usr/bin/couchdb. Fortunately, the init script changes directories before executing couchdb, so exploitation is limited to cases where /usr/bin/couchdb is invoked directly inside a hostile current directory. Not a likely exploitation scenario, but it still should probably be fixed.

-Dan

On Wed, Aug 25, 2010 at 5:58 AM, Tim Brown t...@65535.com wrote:
> On Wednesday 25 August 2010 10:38:37 Mihai Donțu wrote:
>> man sudo(8):
>>
>> Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.
>
> Absolutely, but in the case I gave, the path is set /by the script/, not inherited from the original user. The script sets the dangerous path, but since sudo hasn't changed the CWD it points at the directory the user running sudo was in.
>
> Tim
>
> --
> Tim Brown
> mailto:t...@65535.com
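The post above shows the mechanism: two scripts each glue a directory onto LD_LIBRARY_PATH with an unconditional colon, so an unset variable turns into an empty component, and the loader treats an empty component as the current working directory, which is why a fake libc.so.6 in the CWD is picked up. The Python example below is added here and is not CouchDB's or Debian's code. It reproduces that composition, audits a path value for the components that hand library selection to whoever controls the working directory, and shows the composition that does not produce the empty entry. The xulrunner directory name is a stand-in for the backtick expansion in the wrapper script.

```python
import os
import stat

# Stands in for the `xulrunner-1.9.2 --gre-version` expansion in the couchdb wrapper.
XULRUNNER_DIR = "/usr/lib/xulrunner-1.9.2/"


def compose_like_couchdb(inherited):
    """The two-step composition quoted in the post: the wrapper appends the
    xulrunner directory after an unconditional ':' and the launcher then
    prepends /usr/lib the same way.  An unset variable yields an empty
    component between them."""
    after_wrapper = f"{inherited}:{XULRUNNER_DIR}"
    return f"/usr/lib:{after_wrapper}"


def compose_safely(inherited):
    """Emit a separator only between non-empty components.  The equivalent
    shell idiom is LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/new/dir."""
    return ":".join(p for p in ("/usr/lib", inherited, XULRUNNER_DIR) if p)


def audit_library_path(value, check_fs=True):
    """Return (index, component, reason) for every component that lets the
    invoking user's environment choose the library: empty entries (ld.so
    searches the current working directory), relative entries, and, when
    check_fs is set, existing directories that are world-writable."""
    findings = []
    for index, entry in enumerate(value.split(":")):
        if entry == "":
            findings.append((index, entry, "empty component, searched as the current working directory"))
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative component, resolved against the current working directory"))
        elif check_fs:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                continue                       # directory absent on this host; nothing to load from it
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                findings.append((index, entry, "world-writable directory"))
    return findings


if __name__ == "__main__":
    current = os.environ.get("LD_LIBRARY_PATH", "")
    composed = compose_like_couchdb(current)
    print("wrapper would produce:", composed)
    for index, entry, reason in audit_library_path(composed):
        print(f"  component {index} {entry!r}: {reason}")
    print("safe composition:    ", compose_safely(current))
```

Run from a shell with LD_LIBRARY_PATH unset, the first line prints the same `/usr/lib::/usr/lib/xulrunner-1.9.2/` the post derives by hand and the audit flags component 1. The same audit applied to a wrapper's final environment before it calls `exec` is the check that catches this class of bug regardless of which script introduced the colon.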
Re: [Full-disclosure] DLL hijacking on Linux
...And it looks like I jumped the gun on blaming upstream. The vulnerability was introduced by Debian patch mozjs1.9_ldlibpath.patch on 3/24/2009.

-Dan

On Wed, Aug 25, 2010 at 1:23 PM, Dan Rosenberg dan.j.rosenb...@gmail.com wrote:
> Apache CouchDB (tested on Ubuntu 10.04) is vulnerable to exactly this issue. The script installed on my machine at /usr/bin/couchdb first sets LD_LIBRARY_PATH with:
>
>     LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/xulrunner-`xulrunner-1.9.2 --gre-version`/
>
> At the time of invocation, the following environment is set up:
>
>     command=env \"LD_LIBRARY_PATH=/usr/lib:${LD_LIBRARY_PATH}\" \"...
>
> So in the normal case where LD_LIBRARY_PATH is empty at the time of invocation, the resulting path will be:
>
>     /usr/lib::/usr/lib/xulrunner-[version]/
>
> The vulnerability to hijacking can be trivially verified by creating a fake libc.so.6 in your current directory and running /usr/bin/couchdb. Fortunately, the init script changes directories before executing couchdb, so exploitation is limited to cases where /usr/bin/couchdb is invoked directly inside a hostile current directory. Not a likely exploitation scenario, but it still should probably be fixed.
>
> -Dan
>
> On Wed, Aug 25, 2010 at 5:58 AM, Tim Brown t...@65535.com wrote:
>> On Wednesday 25 August 2010 10:38:37 Mihai Donțu wrote:
>>> man sudo(8):
>>>
>>> Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.
>>
>> Absolutely, but in the case I gave, the path is set /by the script/, not inherited from the original user. The script sets the dangerous path, but since sudo hasn't changed the CWD it points at the directory the user running sudo was in.
>>
>> Tim
>>
>> --
>> Tim Brown
>> mailto:t...@65535.com
Re: [Full-disclosure] DLL hijacking on Linux
On Aug 25, 2010, at 10:55 AM, Dan Rosenberg wrote:
> ...And it looks like I jumped the gun on blaming upstream. The vulnerability was introduced by Debian patch mozjs1.9_ldlibpath.patch on 3/24/2009.
>
> -Dan

A Debian patch introducing a security vulnerability? Wow, I bet that's never happened before...

--
chort
Re: [Full-disclosure] phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
Did you read the advisory that contains vendor advisory link - http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?

On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras uuf6...@gmail.com wrote:

> Since I didn't see this mentioned even on their website, (phpmyadmin.net), I would like to ask, are these vulnerabilities existent in world-public OR registered users part (OR both)?
>
> Regards,
> Chris.
>
> On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group li...@yehg.net wrote:
>
> > =======================================================================
> > phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
> > =======================================================================
> >
> > 1. OVERVIEW
> >
> > The phpMyAdmin web application was vulnerable to Cross Site Scripting vulnerability.
> >
> > 2. PRODUCT DESCRIPTION
> >
> > phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement.
> >
> > 3. VULNERABILITY DESCRIPTION
> >
> > Some URLs in phpMyAdmin do not properly escape user inputs, which leads to a cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
> >
> > 4. VERSIONS AFFECTED
> >
> > phpMyAdmin 3.3.5 and lower
> > phpMyAdmin 2.11.10 and lower
> >
> > 5. PROOF-OF-CONCEPT/EXPLOIT
> >
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg
> >
> > And full list of URLs (of both probably unexploitable/exploitable) that fail to html escape user inputs:
> >
> > URL: http://target/phpmyadmin/db_search.php
> > Affected Parameter(s): field_str
> >
> > URL: http://target/phpmyadmin/db_sql.php
> > Affected Parameter(s): QUERY_STRING, delimiter
> >
> > URL: http://target/phpmyadmin/db_structure.php
> > Affected Parameter(s): sort
> >
> > URL: http://target/phpmyadmin/js/messages.php
> > Affected Parameter(s): db
> >
> > URL: http://target/phpmyadmin/server_databases.php
> > Affected Parameter(s): sort_by
> >
> > URL: http://target/phpmyadmin/server_privileges.php
> > Affected Parameter(s): QUERY_STRING, checkprivs, dbname, pred_tablename, selected_usr[], tablename, username
> >
> > URL: http://target/phpmyadmin/setup/config.php
> > Affected Parameter(s): DefaultLang
> >
> > URL: http://target/phpmyadmin/sql.php
> > Affected Parameter(s): QUERY_STRING, cpurge, goto, purge, purgekey, table, zero_rows
> >
> > URL: http://target/phpmyadmin/tbl_replace.php
> > Affected (Dynamic) Parameter(s): fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]
> >
> > 6. IMPACT
> >
> > Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads.
> >
> > 7. SOLUTION
> >
> > Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1
> >
> > 8. VENDOR
> >
> > phpMyAdmin (http://www.phpmyadmin.net)
> >
> > 9. CREDIT
> >
> > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
> >
> > 10. DISCLOSURE TIME-LINE
> >
> > 08-09-2010: vulnerability discovered
> > 08-10-2010: notified vendor
> > 08-20-2010: vendor released fix
> > 08-20-2010: vulnerability disclosed
> >
> > 11. REFERENCES
> >
> > Vendor Advisory URL: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
> > Original Advisory URL: http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)
> > Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
> > XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> > OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> > CWE-79: http://cwe.mitre.org/data/definitions/79.html
> >
> > #yehg [08-20-2010]
> >
> > -
> > Best regards,
> > YGN Ethical Hacker Group
> > Yangon, Myanmar
> > http://yehg.net
> > Our Lab | http://yehg.net/lab
> > Our Directory | http://yehg.net/hwd

___ Full-Disclosure - We believe in it.
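A defender-side check built from the parameter list in section 5 of the advisory above, as an added example that is neither part of this thread nor phpMyAdmin's own code: it scans web-server access log lines for HTML markup arriving in the affected parameters of the affected scripts, decoding repeatedly so a double-encoded probe is not missed, and applies the QUERY_STRING rule to the three scripts that reflect the whole query. The log format, the sample lines and the client addresses are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Script -> parameters the advisory's section 5 says are not HTML-escaped.
AFFECTED = {
    "db_search.php": {"field_str"},
    "db_sql.php": {"delimiter"},
    "db_structure.php": {"sort"},
    "js/messages.php": {"db"},
    "server_databases.php": {"sort_by"},
    "server_privileges.php": {"checkprivs", "dbname", "pred_tablename", "selected_usr[]", "tablename", "username"},
    "setup/config.php": {"DefaultLang"},
    "sql.php": {"cpurge", "goto", "purge", "purgekey", "table", "zero_rows"},
}
# The advisory lists QUERY_STRING itself for these scripts, so markup anywhere
# in the query string counts, whichever parameter carries it.
WHOLE_QUERY = {"db_sql.php", "server_privileges.php", "sql.php"}

MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)
# Common/combined log format (assumed); only the client IP and request target are kept.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')


def decode_fully(value):
    """Percent-decode until stable, so %253C (double-encoded '<') is seen as '<'."""
    previous = None
    while value != previous:
        previous, value = value, unquote_plus(value)
    return value


def match_script(path):
    """Map a request path to one of the affected scripts, or None."""
    for script in AFFECTED:
        if path.endswith("/" + script):
            return script
    return None


def inspect_request(target):
    """Return [(script, parameter)] findings for one request target."""
    parts = urlsplit(target)
    script = match_script(parts.path)
    if script is None:
        return []
    findings = []
    if script in WHOLE_QUERY and MARKUP.search(decode_fully(parts.query)):
        findings.append((script, "QUERY_STRING"))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in AFFECTED[script] and MARKUP.search(decode_fully(value)):
            findings.append((script, name))
    return findings


def scan_log(lines):
    """Return [(client_ip, script, parameter)] for every suspicious request."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        for script, parameter in inspect_request(match.group("target")):
            alerts.append((match.group("ip"), script, parameter))
    return alerts


# Constructed sample lines, not real traffic: a probe on db_search.php using the
# payload quoted later in this thread, a benign request, and a double-encoded tag in
# a parameter sql.php does not list, which the QUERY_STRING rule still catches.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2010:18:32:01 +0000] "GET /phpmyadmin/db_search.php?db=test'
    '&field_str=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1234',
    '198.51.100.7 - - [20/Aug/2010:18:33:10 +0000] "GET /phpmyadmin/db_structure.php'
    '?db=test&sort=name HTTP/1.1" 200 5678',
    '198.51.100.9 - - [20/Aug/2010:18:35:42 +0000] "GET /phpmyadmin/sql.php?db=test'
    '&pos=%253Cb%253E HTTP/1.1" 200 910',
]
```

Run `scan_log(SAMPLE_LOG)` to get the two findings; feeding it a real access log is a matter of passing the file's lines instead.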
[Full-disclosure] Joomla! Component com_bc Cross Script Scripting (XSS) Vulnerability
===================================================================
Joomla! Component com_bc Cross Script Scripting (XSS) Vulnerability
===================================================================

1. OVERVIEW

The Joomla! Component com_bc was vulnerable to Cross Script Scripting (XSS) Vulnerability.

2. PRODUCT DESCRIPTION

The Joomla! Component com_bc is a widely-used Blastchat chat server component designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION

The Joomla! Component com_bc does not properly escape parameters: ctask, bcItemid, lang, nlang, rid, rsid, sec_code, template, and usergid. This leads to Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED

Versions Not Available (reason: Closed-source/Commercial Product)

5. PROOF-OF-CONCEPT/EXPLOIT

Vulnerable URL-1:
index2.php?option=com_bc&no_html=1&task=load&ctask=enter&d=1&url=[victim_url]&intraid=[]&userid=0&usergid=0&nick=&rid=0&rsid=0&lang=english&nlang=en-GB&template=system&pub_key=[]&sec_code=[]&time_key=2010-08-11%2003:46:00&bcItemid=&bc_ver=3.2&prod=Joomla!&rel=1.5&dev=20&detaching=1

Vulnerable URL-2:
index2.php?option=com_bc&no_html=1&task=client&ctask=enter&d=0c39e7&url=[victim_url]&intraid=[]&userid=0&usergid=0&nick=&rid=0&rsid=0&lang=english&nlang=en-GB&template=system&pub_key=[]&sec_code=[]&time_key=2010-08-11%2018:45:20&bcItemid=&bc_ver=3.2&prod=Joomla!&rel=1.5&dev=7

Affected parameters: d, no_html, ctask, bcItemid, lang, nlang, rid, rsid, sec_code, template, usergid

http://yehg.net/lab/pr0js/advisories/joomla/com_bc_xss(rid).jpg

6. IMPACT

As this is a multi-user chat application component, the impact of XSS is huge, ranging from cookie theft to mass client exploits.

7. SOLUTION

Reported vulnerability was fixed at 08-15-2010. It is now supposed to be safe.
It is suggested that any web sites that use this component ask the vendor for the updated version.

8. VENDOR

Blastchat
http://www.blastchat.com

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

08-11-2010: discovered vulnerability
08-11-2010: notified vendor
08-15-2010: vendor fixed vulnerability
08-26-2010: vulnerability disclosed

11. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/joomla/[com_bc]_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html

#yehg [08-26-2010]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
[Full-disclosure] BlastChat Chat Client Component version 3.3 = Cross Script Scripting (XSS) Vulnerability
===============================================================================
BlastChat Chat Client Component version 3.3 <= Cross Script Scripting (XSS) Vulnerability
===============================================================================

1. OVERVIEW

The BlastChat's chat client Component of Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6, Drupal 6 was vulnerable to Cross Script Scripting (XSS) Vulnerability.

2. PRODUCT DESCRIPTION

The BlastChat Chat Client Component is a widely-used Blastchat chat client component designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. The client chat component is available in multiple CMSes including Joomla 1.x, Joomla 1.5.x, Mambo 4.5, Mambo 4.6, and Drupal 6. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION

The BlastChat's chat client Component does not properly escape the Itemid parameter, which leads to Cross Site Scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED

Versions: 3.3 and lower

5. PROOF-OF-CONCEPT/EXPLOIT

URL: /index.php?option=com_blastchatc&Itemid=-999
Affected Parameter: Itemid

http://yehg.net/lab/pr0js/advisories/joomla/com_blastchatc_xss(Itemid).jpg

6. IMPACT

As this is a multi-user chat application component, the impact of XSS is huge, ranging from cookie theft to mass client exploits.

7. SOLUTION

Upgrade to version 3.4

8. VENDOR

Blastchat
http://www.blastchat.com

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

08-11-2010: discovered vulnerability
08-11-2010: notified vendor
08-11-2010: vendor fixed vulnerability
08-14-2010: vendor released patched version - 3.4
08-26-2010: vulnerability disclosed

11. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/joomla/[com_blastchatc]_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html

#yehg [08-26-2010]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
[Full-disclosure] Method to encode DLL payloads for hijacking purposes.
Hey..

Yesterday I wrote a post describing how to exploit these vulnerabilities using the webdav_dll_hijacker Metasploit module, but it requires you to jump through some hoops in order to get your victim to browse to the rogue share. So, here's a new article that doesn't use the webdav_dll_hijacker module and details how to encode a payload into a DLL using msfpayload, which allows you to put the exploit files on any share that you'd like.

http://www.attackvector.org/alternative-dll-hijacking-method/

Enjoy.
[Full-disclosure] Joomla! Component com_bcaccount Persistent Cross Script Scripting (XSS) Vulnerability
==============================================================================
Joomla! Component com_bcaccount Persistent Cross Script Scripting (XSS) Vulnerability
==============================================================================

1. OVERVIEW

The Joomla! Component com_bcaccount was vulnerable to Persistent Cross Script Scripting (XSS) Vulnerability.

2. PRODUCT DESCRIPTION

The Joomla! Component com_bcaccount is a chat user account management component of the widely-used Blastchat chat client component (com_blastchatc) designed for website communities from the smallest personal websites to the huge megasites who desire to provide their members and visitors with a superb chat experience. BlastChat has currently been serving chat to over 50.000+ websites.

3. VULNERABILITY DESCRIPTION

The Joomla! Component com_bcaccount does not properly escape user profile information when it is saved. Attackers can craft CSRF payloads to save persistent XSS in users' profiles, which can turn into massive XSS worm cloning. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

4. VERSIONS AFFECTED

Versions Not Available (reason: Closed-source/Commercial Product)

5. PROOF-OF-CONCEPT/EXPLOIT

WebSite Manager URL:
https://www.blastchat.com/index.php?option=com_bcaccount&bctask=wmanager&Itemid=24
Affected Parameters: name, url_chat, autonick, theme

Room Create URL:
https://www.blastchat.com/index.php?cid=[valid_id]&id=[valid_id]&option=com_bcaccount&task=rmanager&bctask=rmanager&Itemid=24
Affected Parameters: name, topic

6. IMPACT

As this is a multi-user chat application component, the impact of XSS is huge, ranging from cookie theft to mass client exploits and XSS worming.

7. SOLUTION

Reported vulnerability was fixed at 08-15-2010. It is now supposed to be safe.
It is suggested that any web sites that use this component ask the vendor for the updated version.

8. VENDOR

Blastchat
http://www.blastchat.com

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

08-11-2010: discovered vulnerability
08-11-2010: notified vendor
08-15-2010: vendor fixed vulnerability
08-26-2010: vulnerability disclosed

11. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/joomla/[com_bcaccount]_persistent_cross_site_scripting
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
XSS Worm: http://en.wikipedia.org/wiki/XSS_Worm
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79: http://cwe.mitre.org/data/definitions/79.html

#yehg [08-26-2010]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
Re: [Full-disclosure] phpMyAdmin 3.3.5 / 2.11.10 = Cross Site Scripting (XSS) Vulnerability
After looking into several sources, I've found the following:

> 6. IMPACT
>
> Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads.

Which I presume means it affects the system only with a registered (and a logged in) account.

I don't mean to boss you or anyone around, but why wasn't that detail well written around? Surely I won't risk wasting time fixing a possible bad patch when it doesn't affect my install in the least (since it's only me that is using phpMyAdmin). I'm usually quite paranoid about security, but I don't want to risk wasting unnecessary time, especially considering it doesn't affect my security at all.

I'm not trying to nitpick or anything, but if I were you, I'd make it a point to make the real impact well known, unless the vulnerabilities have been published in the interest of popularity rather than true concern.

Cheers,
Christian Sciberras.

On Wed, Aug 25, 2010 at 8:29 PM, YGN Ethical Hacker Group li...@yehg.net wrote:

> Did you read the advisory that contains vendor advisory link - http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?
>
> On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras uuf6...@gmail.com wrote:
>
> > Since I didn't see this mentioned even on their website, (phpmyadmin.net), I would like to ask, are these vulnerabilities existent in world-public OR registered users part (OR both)?
> >
> > Regards,
> > Chris.
> >
> > On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group li...@yehg.net wrote:
> >
> > > =======================================================================
> > > phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
> > > =======================================================================
> > >
> > > 1. OVERVIEW
> > >
> > > The phpMyAdmin web application was vulnerable to Cross Site Scripting vulnerability.
> > >
> > > 2. PRODUCT DESCRIPTION
> > >
> > > phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement.
> > >
> > > 3. VULNERABILITY DESCRIPTION
> > >
> > > Some URLs in phpMyAdmin do not properly escape user inputs, which leads to a cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
> > >
> > > 4. VERSIONS AFFECTED
> > >
> > > phpMyAdmin 3.3.5 and lower
> > > phpMyAdmin 2.11.10 and lower
> > >
> > > 5. PROOF-OF-CONCEPT/EXPLOIT
> > >
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
> > > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg
> > >
> > > And full list of URLs (of both probably unexploitable/exploitable) that fail to html escape user inputs:
> > >
> > > URL: http://target/phpmyadmin/db_search.php
> > > Affected Parameter(s): field_str
> > >
> > > URL: http://target/phpmyadmin/db_sql.php
> > > Affected Parameter(s): QUERY_STRING, delimiter
> > >
> > > URL: http://target/phpmyadmin/db_structure.php
> > > Affected Parameter(s): sort
> > >
> > > URL: http://target/phpmyadmin/js/messages.php
> > > Affected Parameter(s): db
> > >
> > > URL: http://target/phpmyadmin/server_databases.php
> > > Affected Parameter(s): sort_by
> > >
> > > URL: http://target/phpmyadmin/server_privileges.php
> > > Affected Parameter(s): QUERY_STRING, checkprivs, dbname, pred_tablename, selected_usr[], tablename, username
> > >
> > > URL: http://target/phpmyadmin/setup/config.php
> > > Affected Parameter(s): DefaultLang
> > >
> > > URL: http://target/phpmyadmin/sql.php
> > > Affected Parameter(s): QUERY_STRING, cpurge, goto, purge, purgekey, table, zero_rows
> > >
> > > URL: http://target/phpmyadmin/tbl_replace.php
> > > Affected (Dynamic) Parameter(s): fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]
> > >
> > > 6. IMPACT
> > >
> > > Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS
Re: [Full-disclosure] phpMyAdmin 3.3.5 / 2.11.10 = Cross Site Scripting (XSS) Vulnerability
> Which I presume means it affects the system only with a registered (and a logged in) account.

Yes. Affecting only currently logged-in users. If you're sure that you could never be fooled by someone through any means, you're safe not to patch this upgrade.
Re: [Full-disclosure] DLL hijacking on Linux
On Wed, 25 Aug 2010, Tim Brown wrote:

> the key point is that an empty directory specification statement in LD_LIBRARY_PATH, PATH (and probably others) is equivalent to $CWD.

And there is also the infamous DT_RPATH (and DT_RUNPATH) that makes it possible to hardwire unsafe paths into executable files themselves. This happens quite often and I find it very disturbing.

--
Pavel Kankovsky aka Peak                          / Jeremiah 9:21       \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
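An audit of the two mechanisms named in this exchange, as an added example that is not code from either poster: it flags colon-separated search-path entries that are empty (the CWD case Tim Brown describes), relative, or $ORIGIN-based, both in PATH/LD_LIBRARY_PATH values and in the DT_RPATH/DT_RUNPATH strings that `readelf -d` prints for a binary. The readelf excerpt and the environment values are constructed, and the binary they describe is hypothetical.

```python
import os
import re


def unsafe_entries(value):
    """Return [(entry, reason)] for every colon-separated entry of a PATH-like value
    that does not name an absolute directory.  An empty entry (from 'a::b' or a
    leading/trailing ':') is the case discussed above: it is searched as the CWD."""
    if value == "":
        return []  # a completely empty value is treated as unset here
    findings = []
    for entry in value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry, searched as the current directory"))
        elif entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"):
            # $ORIGIN expands to the directory holding the object itself; report it so
            # that directory's write permissions get checked.
            findings.append((entry, "expands relative to the object's own directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative path, resolved against the current directory"))
    return findings


# Matches the RPATH / RUNPATH lines that `readelf -d` prints.
RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def audit_dynamic_section(readelf_output):
    """Parse `readelf -d` text; return {tag: [(entry, reason)]} for the DT_RPATH and
    DT_RUNPATH strings hardwired into the binary."""
    report = {}
    for line in readelf_output.splitlines():
        match = RPATH_RE.search(line)
        if match:
            report[match.group(1)] = unsafe_entries(match.group(2))
    return report


def audit_environment(env):
    """Check the two variables named in the thread in a process environment."""
    return {name: unsafe_entries(env[name])
            for name in ("PATH", "LD_LIBRARY_PATH") if name in env}


# Constructed sample input: a `readelf -d` excerpt for a hypothetical binary, and an
# environment with one empty entry in each variable.
SAMPLE_READELF = """\
 0x000000000000000f (RPATH)              Library rpath: [.:/opt/app/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:]
"""
SAMPLE_ENV = {"PATH": "/usr/local/bin:/usr/bin::/bin", "LD_LIBRARY_PATH": "/opt/app/lib:"}

if __name__ == "__main__":
    # Live check of this process's own environment, then the constructed samples.
    for name, findings in audit_environment(dict(os.environ)).items():
        for entry, reason in findings:
            print("%s: %r: %s" % (name, entry, reason))
    for name, findings in audit_environment(SAMPLE_ENV).items():
        for entry, reason in findings:
            print("sample %s: %r: %s" % (name, entry, reason))
    for tag, findings in audit_dynamic_section(SAMPLE_READELF).items():
        for entry, reason in findings:
            print("sample %s: %r: %s" % (tag, entry, reason))
```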
[Full-disclosure] Multiple vulnerabilities in eSitesBuilder
Hello Full-Disclosure!

I want to warn you about multiple vulnerabilities in eSitesBuilder.

After previous vulnerabilities in eSitesBuilder (SecurityVulns ID:10940), which I wrote about earlier in June, there are Insufficient Anti-automation, Cross-Site Scripting, SQL Injection and Full path disclosure vulnerabilities in eSitesBuilder. It's a Ukrainian commercial CMS (which is used particularly for online shops). Both previous and these vulnerabilities were ignored and not fixed by developers.

Insufficient Anti-automation:

http://site/forget.php

In the form there is no protection against automated requests (captcha).

XSS:

It's single-user persistent XSS (when user is logged in at the site). POST request to profile page http://site/account.php. Code will work at profile page (fields Name, Email, Phone, Address 1, Address 2, City, Region) and at all external pages of the site (field Name).

XSS (persistent):

Via field Name in profile it's possible to conduct attack at the pages:

http://site/products/comments/product/
http://site/products/details/product/

XSS:

http://site/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
http://site/index.php?page=search&start_do_search=yes&search_text=%3Cscript%3Ealert(document.cookie)%3C/script%3E

SQL Injection:

http://site/index.php?page=search&start_do_search=yes&search_text=1&pcat_id=-1%20or%20version()=5

Full path disclosure:

http://site/index.php?page=search&search_text=%3C%3E

Affected products: possibly all versions of eSitesBuilder.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4303/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] DLL hijacking on Linux
Dear Dan,

> A Debian patch introducing a security vulnerability? Wow, I bet that's never happened before...

No need for patches. Debian is insecure by policy:
http://bugs.debian.org/299007
http://bugs.debian.org/538392

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
[Full-disclosure] Details of cisco-sa-20081022-asa security advisory?
Hi,

I'm curious if anybody is aware of the details of the IPv6 DoS vulnerabilities listed in the aforementioned advisory (available at: http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml).

Thanks!

Kind regards,
Fernando
[Full-disclosure] CyberLink products vulnerable to DLLHijacking
Hi

Trying to play with the HD Moore tool on a default HP notebook installation, I have found that the CyberLink products seem vulnerable to this kind of threat. I have checked and tested the proof of concept generated by dllhijacking and it works.

The products are:
- CyberLink PowerDirector v7
- CyberLink Power2Go DVD v6.0

The issue is triggered with the iso, pdl, pds, p2g and p2i file formats, and the DLL requested by the applications is mfc71loc.dll or mfc71country.dll.

If interested http://extraexploit.blogspot.com

--
http://extraexploit.blogspot.com