[Full-disclosure] ZDI-10-174: Hewlett-Packard Data Protector DtbClsLogin Utf8cpy Remote Code Execution Vulnerability
ZDI-10-174: Hewlett-Packard Data Protector DtbClsLogin Utf8cpy Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-174
September 13, 2010

-- CVE ID:
CVE-2010-3007

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10470. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the function DtbClsLogin defined in the module dpwindtb.dll on Windows and libdplindtb.so on Linux. This function takes user-supplied input and copies it directly to a stack buffer. By providing a large enough string this buffer can be overrun and may result in arbitrary code execution, dependent on the underlying operating system.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535

-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri of Insight Technologies

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-10-176: Mozilla Firefox normalizeDocument Remote Code Execution Vulnerability
ZDI-10-176: Mozilla Firefox normalizeDocument Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-176
September 13, 2010

-- CVE ID:
CVE-2010-2766

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10463. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw exists within the normalizeDocument function defined within nsDocument.cpp. When handling child nodes the code does not account for a varying number of children during normalization. An attacker can abuse this problem, along with the fact that the code does not validate that the child index is within bounds, to access an invalid object and execute arbitrary code under the context of the browser.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-55.html

-- Disclosure Timeline:
2010-07-20 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht
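The normalizeDocument flaw above is a stale-bound loop: the number of children is read once, normalization then merges and removes text nodes, and the index keeps walking past the new end without a bounds check. The C program below is an added, constructed miniature (not Mozilla code; nsDocument.cpp's real structures are not reproduced): a fixed-size child list with a hardened normalize loop that re-reads the live count and checks every index, beside a model of the flawed loop that counts the iterations which would have addressed a child that no longer exists.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a DOM child list (hypothetical types). */
typedef enum { NODE_TEXT, NODE_ELEMENT } node_kind;
typedef struct { node_kind kind; char text[64]; } node;
typedef struct { node items[16]; size_t count; } child_list;

/* Remove child i, shifting later children down; the count shrinks by one. */
static void remove_child(child_list *l, size_t i)
{
    memmove(&l->items[i], &l->items[i + 1], (l->count - i - 1) * sizeof(node));
    l->count--;
}

/* Merge every text sibling that follows text node i into it. Each merge
 * removes a child, so the list is shorter when this returns. */
static void merge_following_text(child_list *l, size_t i)
{
    node *cur = &l->items[i];
    while (i + 1 < l->count && l->items[i + 1].kind == NODE_TEXT) {
        strncat(cur->text, l->items[i + 1].text,
                sizeof cur->text - strlen(cur->text) - 1);
        remove_child(l, i + 1);
    }
}

/* Hardened normalize: the bound is the live count, re-read after every
 * removal, and no child is touched without an in-bounds check.
 * Returns the number of children left. */
size_t normalize_children(child_list *l)
{
    size_t i = 0;
    while (i < l->count) {
        node *cur = &l->items[i];
        if (cur->kind == NODE_TEXT) {
            merge_following_text(l, i);
            if (cur->text[0] == '\0') {   /* empty text node: drop, do not advance */
                remove_child(l, i);
                continue;
            }
        }
        i++;
    }
    return l->count;
}

/* Model of the flawed loop the advisory describes: the bound is captured
 * before normalization starts and the index is never compared with the live
 * count. Instead of dereferencing past the end, this counts the iterations
 * that would have done so; each one is an access to an invalid object. */
size_t stale_bound_oob_accesses(child_list *l)
{
    size_t cached = l->count;            /* captured once; goes stale */
    size_t oob = 0;
    for (size_t i = 0; i < cached; i++) {
        if (i >= l->count) { oob++; continue; }   /* real code would read items[i] */
        if (l->items[i].kind == NODE_TEXT)
            merge_following_text(l, i);
    }
    return oob;
}

/* Constructed sample: text "a", "b", "c", an element, text "d", empty text. */
child_list sample_children(void)
{
    child_list l = { .count = 6 };
    const char *texts[6] = { "a", "b", "c", "", "d", "" };
    for (size_t i = 0; i < 6; i++) {
        l.items[i].kind = (i == 3) ? NODE_ELEMENT : NODE_TEXT;
        strcpy(l.items[i].text, texts[i]);
    }
    return l;
}

/* Helpers returning the results on the sample. */
size_t sample_hardened_count(void)
{
    child_list l = sample_children();
    return normalize_children(&l);
}

/* 1 if the hardened pass leaves exactly "abc", <element>, "d". */
int sample_hardened_shape_ok(void)
{
    child_list l = sample_children();
    normalize_children(&l);
    return l.count == 3 && strcmp(l.items[0].text, "abc") == 0 &&
           l.items[1].kind == NODE_ELEMENT && strcmp(l.items[2].text, "d") == 0;
}

size_t sample_stale_oob(void)
{
    child_list l = sample_children();
    return stale_bound_oob_accesses(&l);
}

int main(void)
{
    printf("hardened: %zu children left\n", sample_hardened_count());      /* 3 */
    printf("stale bound: %zu out-of-bounds iterations\n", sample_stale_oob()); /* 3 */
    return 0;
}
```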
[Full-disclosure] Web challenges from RootedCON'2010 CTF - Contest
Hello,

Next Friday I will be running a web-based challenges contest. The winner will be awarded the new iPod touch from Apple. Thanks to Hispasec Sistemas (you probably know them as the makers of the VirusTotal service) for sponsoring the prize.

Full info (registration currently open):

http://www.rs-labs.com/rooted2010-ctf/

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)
> Isn't *any* mechanism for code execution going to be effective with the use
> of social engineering? I mean, isn't that what we've known for years, that
> the weakest component of any security system is the users?

Yes, we know. Don't get us wrong. We're not talking about Social Engineering. We're talking about the Social Engineering Toolkit (SET) - http://www.offensive-security.com/metasploit-unleashed/SET

What we mean is that DLL Hijacking has added a way to deliver a payload and entice users to execute it. We've already drawn the SET authors' attention to it and will see how they leverage this issue.

On Mon, Sep 13, 2010 at 9:59 PM, Rohit Patnaik wrote:
>> DLL Hijacking is highly effective in combination with use of Social
>> Engineering Toolkit.
>
> -- Rohit Patnaik
>
> On Wed, Sep 8, 2010 at 3:36 AM, YGN Ethical Hacker Group wrote:
>> A vulnerability is a vulnerability.
>> A SQL Injection is a type of vulnerability.
>> For each type of vulnerability, there will be thousands of web applications that might be vulnerable to it.
>> DLL Hijacking is the same.
>>
>> We do a post for each rather than a list so that security vulnerability news sites can get as much detailed information as possible.
>>
>> If you don't want it, set a filter for each post subject with "DLL Hijacking" or for our email.
>>
>> We can't underestimate such an easy flaw that leads to system compromise or command execution under the user's privilege.
>>
>> Disabling remote share/WebDav is not a solution to DLL Hijacking at all.
>>
>> DLL Hijacking is highly effective in combination with the use of the Social Engineering Toolkit.
>>
>> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras wrote:
>> > I'm getting a bit tired of throwing away these "security advisories".
>> >
>> > Really, someone should install a whole load of popular applications, ensure any of them load their own files, and finally, thanks to a mass dependency check, ensure DWM is being loaded at runtime.
>> >
>> > At least, it would be just one email/thread to trash.
[Full-disclosure] ZDI-10-173: Mozilla Firefox nsTreeSelection Dangling Pointer Remote Code Execution Vulnerability
ZDI-10-173: Mozilla Firefox nsTreeSelection Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-173
September 13, 2010

-- CVE ID:
CVE-2010-2760

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10035. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the fix implemented for CVE-2010-2753 in the nsTreeSelection interface. In a certain condition, the application can still be made to free a reference and then made to use said freed reference. This can lead to code execution under the context of the application.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-54.html

-- Disclosure Timeline:
2010-08-09 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht
[Full-disclosure] ZDI-10-172: Mozilla Firefox tree Object Removal Remote Code Execution Vulnerability
ZDI-10-172: Mozilla Firefox tree Object Removal Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-172
September 13, 2010

-- CVE ID:
CVE-2010-3168

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9984. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the support for XUL objects. If a specific property of a tree object is set and the parent node attempts to remove the child, the process can be made to access invalid memory. This can be abused by an attacker to execute remote code under the context of the user running the browser.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-55.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht
[Full-disclosure] ZDI-10-171: Mozilla Firefox nsTreeContentView Dangling Pointer Remote Code Execution Vulnerability
ZDI-10-171: Mozilla Firefox nsTreeContentView Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-171
September 13, 2010

-- CVE ID:
CVE-2010-3167

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3.6.x

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9972. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the implementation of a particular element within the XUL namespace. Because a method of the element has the side effect of executing JavaScript, an attacker can provide their own JavaScript code which can be used to remove an object out from underneath the element's child hierarchy. This can force the application to make an invalid reference when traversing its internal objects, thus using an illegitimate pointer. This can be leveraged by an attacker to execute arbitrary code under the context of the application.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More details can be found at:

http://www.mozilla.org/security/announce/2010/mfsa2010-56.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht
[Full-disclosure] ZDI-10-170: Apple Safari Webkit Runin Remote Code Execution Vulnerability
ZDI-10-170: Apple Safari Webkit Runin Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-170
September 13, 2010

-- CVE ID:
CVE-2010-1806

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Apple

-- Affected Products:
Apple WebKit

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10462. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari's Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the library's support of an element containing the run-in property. When a block box is appended as the sibling of a run-in box, the run-in box will be promoted to the first inline box. This implies that the first inline box will be destroyed. Later, when the application attempts to destroy this element, it will access memory that has been freed. If an attacker can substitute an alternate type in the element's place, the attacker will have code execution under the context of the application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:

http://support.apple.com/kb/HT4333

-- Disclosure Timeline:
2010-06-17 - Vulnerability reported to vendor
2010-09-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* wushi of team509
Re: [Full-disclosure] DLL Hijacking vulnerability in Opera
It was reported on 24th August already
http://www.exploit-db.com/exploits/14732/

It takes only a few seconds to check it
http://secunia.com/advisories/41083/

Juha-Matti

MustLive [mustl...@websecurity.com.ua] wrote:
> Hello Full-Disclosure!
>
> I want to warn you about a DLL Hijacking vulnerability in Opera. As I wrote on Saturday in my post DLL Hijacking in different browsers (http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was fixed in version 3.6.9) Opera is also vulnerable.
>
> The DLL Hijacking vulnerability in Opera allows executing arbitrary code via the library dwmapi.dll. The attack will work in Opera on Windows. For the attack the same dwmapi.dll as for Firefox can be used (based on the sources of Glafkos Charalambous).
>
> When I informed Opera, I drew their attention both to the hole itself and to the possibility of attacking version Opera 10.62 (which was released recently), where this hole was fixed by the developers.
>
> There are two possible variants of attack:
>
> 1. The attack will work when opening in the browser a web page file (htm, html, mht, mhtml) or other file alongside which there is a dwmapi.dll file.
>
> 2. If the dwmapi.dll file is placed on the desktop or in any folder which is in PATH, then the code will run at every start of the browser.
>
> From the second variant of attack it's clear that in some applications (such as Opera) it's possible to conduct DLL Hijacking attacks with a method other than the one which was mentioned in August. I.e. the code will execute not only when the dll file is placed alongside a file designed for opening in the application, but also if the dll file is placed on the desktop or in any folder which is in PATH. And the code can be executed even at the start of the application (as in Opera), without opening any files.
>
> Vulnerable are Opera 10.61 and previous versions.
>
> As I checked in Opera 10.62, which was released on 09.09.2010, this version is not vulnerable (to both variants of attack). Only if the dll file is placed in the Opera folder or in System32 will the code work (so the attack can take place on systems with FAT32 or when the attacker has appropriate rights on systems with NTFS).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
[Full-disclosure] ZDI-10-169: Novell Netware SSHD.NLM Remote Code Execution Vulnerability
ZDI-10-169: Novell Netware SSHD.NLM Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-169
September 1, 2010

-- CVSS:
9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell Netware

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netware. Authentication is required to exploit this vulnerability.

The flaw exists within SSHD.NLM. When the application attempts to resolve an absolute path on the server, a 512 byte destination buffer is used without bounds checking. By providing a large enough value, an attacker can cause a buffer to be overflowed. Successful exploitation results in remote code execution under the context of the server.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006756&sliceId=1&docTypeID=DT_TID_1_1&dialogID=164386838&stateId=0%200%20164390561

-- Disclosure Timeline:
2010-04-06 - Vulnerability reported to vendor
2010-09-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Francis Provencher
[Full-disclosure] DLL Hijacking vulnerability in Opera
Hello Full-Disclosure!

I want to warn you about a DLL Hijacking vulnerability in Opera. As I wrote on Saturday in my post DLL Hijacking in different browsers (http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was fixed in version 3.6.9) Opera is also vulnerable.

The DLL Hijacking vulnerability in Opera allows executing arbitrary code via the library dwmapi.dll. The attack will work in Opera on Windows. For the attack the same dwmapi.dll as for Firefox can be used (based on the sources of Glafkos Charalambous).

When I informed Opera, I drew their attention both to the hole itself and to the possibility of attacking version Opera 10.62 (which was released recently), where this hole was fixed by the developers.

There are two possible variants of attack:

1. The attack will work when opening in the browser a web page file (htm, html, mht, mhtml) or other file alongside which there is a dwmapi.dll file.

2. If the dwmapi.dll file is placed on the desktop or in any folder which is in PATH, then the code will run at every start of the browser.

From the second variant of attack it's clear that in some applications (such as Opera) it's possible to conduct DLL Hijacking attacks with a method other than the one which was mentioned in August. I.e. the code will execute not only when the dll file is placed alongside a file designed for opening in the application, but also if the dll file is placed on the desktop or in any folder which is in PATH. And the code can be executed even at the start of the application (as in Opera), without opening any files.

Vulnerable are Opera 10.61 and previous versions.

As I checked in Opera 10.62, which was released on 09.09.2010, this version is not vulnerable (to both variants of attack). Only if the dll file is placed in the Opera folder or in System32 will the code work (so the attack can take place on systems with FAT32 or when the attacker has appropriate rights on systems with NTFS).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)
> DLL Hijacking is highly effective in combination with use of Social Engineering Toolkit.

Isn't *any* mechanism for code execution going to be effective with the use of social engineering? I mean, isn't that what we've known for years, that the weakest component of any security system is the users?

-- Rohit Patnaik

On Wed, Sep 8, 2010 at 3:36 AM, YGN Ethical Hacker Group wrote:
> A vulnerability is a vulnerability.
> A SQL Injection is a type of vulnerability.
> For each type of vulnerability, there will be thousands of web applications that might be vulnerable to it.
> DLL Hijacking is the same.
>
> We do a post for each rather than a list so that security vulnerability news sites can get as much detailed information as possible.
>
> If you don't want it, set a filter for each post subject with "DLL Hijacking" or for our email.
>
> We can't underestimate such an easy flaw that leads to system compromise or command execution under the user's privilege.
>
> Disabling remote share/WebDav is not a solution to DLL Hijacking at all.
>
> DLL Hijacking is highly effective in combination with the use of the Social Engineering Toolkit.
>
> On Tue, Sep 7, 2010 at 2:28 PM, Christian Sciberras wrote:
> > I'm getting a bit tired of throwing away these "security advisories".
> >
> > Really, someone should install a whole load of popular applications, ensure any of them load their own files, and finally, thanks to a mass dependency check, ensure DWM is being loaded at runtime.
> >
> > At least, it would be just one email/thread to trash.
[Full-disclosure] H2HC 2010 Sao Paulo - Capture the Flag
The game this year is entitled Capture the Captcha!

A Captcha is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. It is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." The process usually involves one computer asking a user to complete a simple test (Captcha) which the computer is able to generate and grade. Because other computers are unable to solve the Captcha, any user entering a correct solution is presumed to be human.

There are a lot of Captcha implementations out there, written in JSP, PHP, ASP and .NET, which are very poorly implemented and introduce serious bugs in the Web applications they are supposed to protect.

We developed 10 different Captcha implementations, each with its own weakness, for participants to break using automation and hacking techniques with the objective of bypassing the human verification process. Teams (or a single participant) are scored on their success in breaking the security behind every Captcha presented in the game.

This CTC contest is designed to serve as an educational exercise to give participants experience in securing Web applications from automated attacks, as well as in conducting and reacting to the sort of Captchas found in the wild.

The participants will need to register during the conference and the winner will need to provide full information in order to receive the major prize: the Nessus Professional Edition from Tenable!

We would like to thank Tenable for providing the prize and Bonsai for developing such an interesting game.

Regards,
Rodrigo.
[Full-disclosure] Secunia Research: MailEnable SMTP Service Two Denial of Service Vulnerabilities
==
Secunia Research 13/09/2010

- MailEnable SMTP Service Two Denial of Service Vulnerabilities -
==

Table of Contents

Affected Software.......................................1
Severity................................................2
Vendor's Description of Software........................3
Description of Vulnerability............................4
Solution................................................5
Time Table..............................................6
Credits.................................................7
References..............................................8
About Secunia...........................................9
Verification...........................................10

==
1) Affected Software

* MailEnable 4.25 Standard, Professional, and Enterprise Editions.

NOTE: Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Vendor's Description of Software

"MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services."

Product Link:
http://www.mailenable.com/default.asp

==
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An insufficient length check when appending data to a predefined log message into a buffer using strcat_s() may result in an unhandled invalid parameter error. This can be exploited to crash the SMTP service (MESMTPC.exe) via an overly long email address in the "MAIL FROM" command.

2) An insufficient length check when copying data with a predefined log message into a buffer using strcpy_s() may result in an unhandled invalid parameter error. This can be exploited to crash the SMTP service (MESMTPC.exe) via an overly long domain name in the "RCPT TO" command.

==
5) Solution

Update to version 4.26 or apply hotfix ME-10044.

==
6) Time Table

03/09/2010 - Requested security contact from the vendor.
04/09/2010 - Vendor response.
06/09/2010 - Vulnerability details provided to the vendor.
08/09/2010 - Vendor provides fixed version.
10/09/2010 - Secunia Research confirms fixes.
13/09/2010 - Vendor releases fixed version.
13/09/2010 - Public disclosure

==
7) Credits

Discovered by Dmitriy Pletnev, Secunia Research.

==
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-2580 for the vulnerabilities.

==
9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:
http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:
http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/

==
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-112/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==
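As an added illustration of the unchecked strcat_s() pattern in section 4 above (this is example code, not MailEnable's or Secunia's), the following C program places the vulnerable append beside a form that measures first. strcat_s() is not available in every C library, so a portable stand-in with the same contract is used, and the log prefix and the sender addresses are constructed values.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the predefined log message (not MailEnable's real string). */
#define LOG_PREFIX "SMTP-IN: MAIL FROM rejected, sender="
#define LOG_BUF_SIZE 128

/* Portable stand-in for strcat_s(): appends and returns 0 on success; if the result
 * would not fit, empties the destination and returns ERANGE. The Microsoft CRT
 * additionally calls the invalid parameter handler in that case, which by default
 * terminates the process: that is the unhandled error the advisory describes. */
static int strcat_bounded(char *dst, size_t dstsz, const char *src) {
    size_t used = strlen(dst), need = strlen(src);
    if (dstsz == 0 || used >= dstsz || need >= dstsz - used) {
        if (dstsz > 0) dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Vulnerable pattern: the client-supplied address is appended with no check that
 * it fits, so an overly long "MAIL FROM" argument reaches the ERANGE path. */
int log_sender_unchecked(char *dst, size_t dstsz, const char *sender) {
    snprintf(dst, dstsz, "%s", LOG_PREFIX);
    return strcat_bounded(dst, dstsz, sender); /* callers of strcat_s() often ignore this */
}

/* Hardened form: measure first and truncate the untrusted part with a marker, so
 * the bounded copy is never handed a destination it has to reject.
 * Returns 0 if the sender fit, 1 if it was truncated, -1 if the buffer is unusable. */
int log_sender_checked(char *dst, size_t dstsz, const char *sender) {
    const char *mark = "...(truncated)";
    size_t plen = strlen(LOG_PREFIX), slen = strlen(sender), keep;
    if (dstsz <= plen + 1) { if (dstsz) dst[0] = '\0'; return -1; }
    size_t room = dstsz - plen - 1;             /* bytes available for the sender */
    if (slen <= room) { snprintf(dst, dstsz, "%s%s", LOG_PREFIX, sender); return 0; }
    keep = room > strlen(mark) ? room - strlen(mark) : 0;
    snprintf(dst, dstsz, "%s%.*s%s", LOG_PREFIX, (int)keep, sender, mark);
    return 1;
}
int main(void) {
    char buf[LOG_BUF_SIZE], longaddr[600];
    memset(longaddr, 'A', sizeof longaddr - 1); longaddr[sizeof longaddr - 1] = '\0';
    printf("unchecked: rc=%d buf=\"%s\"\n", log_sender_unchecked(buf, sizeof buf, longaddr), buf);
    printf("checked:   rc=%d buf=\"%s\"\n", log_sender_checked(buf, sizeof buf, longaddr), buf);
    return 0;
}
```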
Re: [Full-disclosure] KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll)
Christian Sciberras wrote:
> I can't take THAT seriously. At least not all of it.
>
> The part that interested me most:
>
>> 4. Should I find such a vulnerability in as many applications as I can?
>>
>> You should not. It's just a waste of time and your energy. Focus on most
>> popular application types/classes.
>
> If, say, DWM.dll is exploitable, why not point *that* out rather than
> point out the many applications that are using it (wrongly)?

ANY DLL is/may be exploitable when referenced without its (often well-known) complete pathname. It IS necessary to name all the applications with unqualified references and to have them fixed by their authors/vendors.

And there are MANY places where DLLs or EXEs are referenced, not just in binaries: the registry, DESKTOP.INI files (especially in the start menu and %ProgramFiles%), batch files (do you reference CMD.EXE always as %SystemRoot%\System32\CMD.EXE? No? It really doesn't hurt!), scripts (including AUTORUN.INF), ...

Stefan

> Oh, and the "report". For obvious reasons, I cannot include the full
> report. If I missed passing any detail, just ask and I'll fix right
> away.
>
> http://img189.imageshack.us/img189/4801/31998033.png
>
> On Thu, Sep 9, 2010 at 8:10 PM, YGN Ethical Hacker Group wrote:
>> Hi Christian
>>
>> The reason I use "Clean" doesn't mean (or I'm not accusing) your
>> Windows is infected.
>> It's better to test DLL Hijacking in a Clean Copy of Windows without any
>> prior applications messup.
>>
>> Please take a look at
>> http://core.yehg.net/lab/pr0js/texts/when_testing_for_dll_hijacking.txt
>>
>> We thank ACROS Security for bringing life to this issue.
>> We'll take social responsibility as a security community to stop this
>> issue as much as we could.
[Full-disclosure] [SECURITY] [DSA 2097-2] New phpmyadmin packages fix several vulnerabilities
-
Debian Security Advisory DSA-2097-2                     secur...@debian.org
http://www.debian.org/security/                         Thijs Kinkhorst
September 11, 2010                      http://www.debian.org/security/faq
-

Package        : phpmyadmin
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-3055 CVE-2010-3056

The update in DSA 2097 for phpMyAdmin did not correctly apply the intended changes, thereby not completely addressing the vulnerabilities. Updated packages now fix the issues described in the original advisory text below.

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-3055
    The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default.

CVE-2010-3056
    Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML.

For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny6.

For the testing (squeeze) and unstable distribution (sid), these problems have been fixed in version 3.3.5.1-1.

We recommend that you upgrade your phpmyadmin package.

Upgrade instructions
-

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
-

Source archives:

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz
    Size/MD5 checksum:  2870014 075301d16404c2d7d58216efc14f7a50
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny6.diff.gz
    Size/MD5 checksum:    74349 e6f8e4ff6d973af576abeb4760caf5e0
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny6.dsc
    Size/MD5 checksum:     1548 d6b8c634186104661caee4ac419a10ea

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny6_all.deb
    Size/MD5 checksum:  2886448 dcfc410cc5bcebc61bb32e33662e7fd3

These files will probably be moved into the stable distribution on its next update.

-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
[Full-disclosure] Mac OS X 10.6 Security Configuration Guides Released
fwd for FD -

Mac OS X 10.6 Security Configuration Guide - Link Posted on NSA's IA Guidance Portal

I am very pleased to announce the immediate availability of the much anticipated Security Configuration Guide for Mac OS X 10.6 at the NSA Information Assurance / Security Guidance Documents Portal.

___
NSA Information Assurance / Security Guidance Documents

Security Configuration Guides (All Products)
http://www.nsa.gov/ia/guidance/security_configuration_guides/

Operating Systems Guides
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

Apple Products
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac
(NOTE: The NSA link on the page above links back directly to Apple's original posting as of May 13, 2010)

___
Apple Product Security Configuration Guides
http://www.apple.com/support/security/guides/

If you have any comments, concerns, suggestions or submissions relevant to the security guides, you are more than welcome to either respond directly to this release announcement or submit to http://bugreport.apple.com/ .

- Shawn
_
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
Re: [Full-disclosure] Firefox same-origin policy for fonts
On 9/12/2010 4:43 PM, paul.sz...@sydney.edu.au wrote:
> Firefox's interpretation of the same-origin policy is more strict than
> most other browsers, and it affects how fonts are loaded with the
> @font-face CSS directive. ...
> There is a solution to this, however, if you manage the server ...
> create a file called .htaccess that contains the following lines: ...
> Header set Access-Control-Allow-Origin "*"
>
> That would suggest that this same-origin policy can be defeated by
> settings on the "evil" server: the policy is not enforced, useless.
> Did I misunderstand something?

The same-origin rules on WOFF are about IP rights rather than security. Unlike images, a page can only use a WOFF font with the cooperation of the font-hosting site. If it happens to be a licensed font and is being misused then the foundry knows who to talk to. A site using a font they don't have a license for will have to host it themselves; they can't hide behind the link being just text and claim it was the browser that did the infringing.

https://developer.mozilla.org/en/About_WOFF

-Dan Veditz