[Full-disclosure] Default SSL Keys in Multiple Routers
Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device's firmware.

The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.

Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host.

LittleBlackBox can be downloaded from http://littleblackbox.googlecode.com. More information is available at http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
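The announcement above describes the defender's problem from the other side: if a database correlates hard-coded private keys with their public certificates, an operator can check an inventory of devices against the same correlation without ever touching a private key. The following script is an added example and is not part of LittleBlackBox or of any vendor's firmware. It fingerprints the SubjectPublicKeyInfo (the key itself) rather than the whole certificate, because a firmware build may re-sign the same hard-coded key with a fresh serial number or validity period; matching on the key still flags it. All keys, certificates, hosts and firmware labels in it are constructed test data, and `fingerprint_live_host` is the only function that would touch a real device (it is not called by default).

```python
"""Audit device certificates for known default (hard-coded) keys.

Added example for the LittleBlackBox announcement; not part of that project.
Matches on the SubjectPublicKeyInfo so that a hard-coded key re-signed with a
new serial or validity period is still detected. All keys, certificates,
hosts and firmware labels below are constructed test data.
"""
import hashlib
import ssl
from typing import Dict, List, Optional, Tuple


# --- minimal DER encode/decode (only what the audit needs) -------------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV element."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a DER SEQUENCE into (tag, content) children."""
    out, i = [], 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        if first < 0x80:                      # short-form length
            length, hdr = first, 2
        else:                                 # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(body[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        out.append((tag, body[i + hdr:i + hdr + length]))
        i += hdr + length
    return out


# --- public-key extraction and fingerprinting -------------------------------

def spki_from_der_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    cert_tag, cert_body = der_children(cert_der)[0]
    tbs_tag, tbs_body = der_children(cert_body)[0]
    if cert_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5    # explicit [0] version shifts the index
    tag, content = fields[idx]
    return der(tag, content)


def key_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo, hex-encoded."""
    return hashlib.sha256(spki_from_der_cert(cert_der)).hexdigest()


def key_fingerprint_pem(cert_pem: str) -> str:
    return key_fingerprint(ssl.PEM_cert_to_DER_cert(cert_pem))


def to_pem(cert_der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(cert_der)


def fingerprint_live_host(host: str, port: int = 443) -> str:
    """Fetch a device's certificate over TLS and fingerprint its key (not run here).
    No chain validation: default device certificates are usually self-signed."""
    return key_fingerprint_pem(ssl.get_server_certificate((host, port)))


def audit(inventory: Dict[str, bytes],
          known_default_keys: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to the firmware its key is hard-coded in, or None if unique."""
    return {host: known_default_keys.get(key_fingerprint(cert))
            for host, cert in inventory.items()}


# --- constructed test data ---------------------------------------------------

def make_test_cert(serial: int, public_key_bits: bytes) -> bytes:
    """Build a structurally valid but unsigned certificate (constructed data).
    Only the SPKI matters to the audit; the signature is a dummy BIT STRING."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"101219000000Z") * 2)
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + public_key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + rsa_alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + rsa_alg + der(0x03, b"\x00" * 9))


KEY_A = bytes(range(16))           # stands in for a hard-coded key (not a real RSA key)
KEY_B = bytes(range(16, 32))       # a different, device-unique key
CERT_A = make_test_cert(1, KEY_A)
CERT_B = make_test_cert(2, KEY_A)  # same key, re-signed with a new serial number
CERT_C = make_test_cert(3, KEY_B)

KNOWN_DEFAULT_KEYS = {key_fingerprint(CERT_A): "example-fw-1.0 (constructed)"}
INVENTORY = {"192.0.2.1": CERT_A, "192.0.2.2": CERT_B, "192.0.2.3": CERT_C}

if __name__ == "__main__":
    for host, hit in audit(INVENTORY, KNOWN_DEFAULT_KEYS).items():
        print(host, "DEFAULT KEY: " + hit if hit else "unique key")
```

In practice the known-default table would be populated from the certificates that ship with firmware images (the correlation the announcement describes), and the inventory from `fingerprint_live_host` or from certificates pulled out of a capture. A hit means the device's TLS session is only as private as the firmware image it came from; the fix is a per-device key generated at first boot, or an operator-installed certificate.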
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Let's see, flash is:
- Cross-platform
- Cross-architecture
- Has its own programming language
- Is embedded on websites
- Access to javascript to popup, local caches, etc.

It's not ineptness, it's what you get when you write software that can actually do stuff. If Java applets were still the hip thing, you'd see the same thing about that.

Victor Rigo, CISSP
Computer Security Consultant
+5411-4316-1900
Buenos Aires, Argentina

--- On Sat, 12/18/10, Jeffrey Walton noloa...@gmail.com wrote:

> From: Jeffrey Walton noloa...@gmail.com
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
> To: Maciej Gojny v...@ariko-security.com
> Cc: full-disclosure@lists.grok.org.uk
> Date: Saturday, December 18, 2010, 5:53 PM
>
> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny v...@ariko-security.com wrote:
>> hello full disclosure!
>> After six months from the first contact with Adobe security team, important adobe.com subdomain is still vulnerable to SQL injection attacks. We hope that this time, serious people will try to solve the problem.
>
> There's a reason Adobe is the most attacked software [1,2], and it's probably because they write the most vulnerable software (or adversaries are looking for a challenge, which seems less intuitive and highly unlikely to me). It appears insecurity is an enterprise wide practice, and not just limited to their software.
>
> Jeff
>
> [1] Adobe surpasses Microsoft as favorite hacker’s target (Jul 2009)
> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
> [2] Adobe predicted as top 2010 hacker target (Dec 2009)
> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] Default SSL Keys in Multiple Routers
These manufacturers use the same key on each of their models? That seems ridiculous to me...

T

> From: Craig Heffner
> Sent: Sunday, December 19, 2010 5:56 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Default SSL Keys in Multiple Routers
>
> Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device's firmware.
>
> The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.
>
> Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host.
>
> LittleBlackBox can be downloaded from http://littleblackbox.googlecode.com. More information is available at http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/.
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Yet Flashblock has 10 million downloads

On Sat, Dec 18, 2010 at 8:30 PM, Victor Rigo victor_r...@yahoo.com wrote:
> Let's see, flash is:
> - Cross-platform
> - Cross-architecture
> - Has its own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
>
> It's not ineptness, it's what you get when you write software that can actually do stuff. If Java applets were still the hip thing, you'd see the same thing about that.
>
> Victor Rigo, CISSP
> Computer Security Consultant
> +5411-4316-1900
> Buenos Aires, Argentina
>
> --- On Sat, 12/18/10, Jeffrey Walton noloa...@gmail.com wrote:
>
>> From: Jeffrey Walton noloa...@gmail.com
>> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
>> To: Maciej Gojny v...@ariko-security.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Date: Saturday, December 18, 2010, 5:53 PM
>>
>> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny v...@ariko-security.com wrote:
>>> hello full disclosure!
>>> After six months from the first contact with Adobe security team, important adobe.com subdomain is still vulnerable to SQL injection attacks. We hope that this time, serious people will try to solve the problem.
>>
>> There's a reason Adobe is the most attacked software [1,2], and it's probably because they write the most vulnerable software (or adversaries are looking for a challenge, which seems less intuitive and highly unlikely to me). It appears insecurity is an enterprise wide practice, and not just limited to their software.
>>
>> Jeff
>>
>> [1] Adobe surpasses Microsoft as favorite hacker’s target (Jul 2009)
>> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> [2] Adobe predicted as top 2010 hacker target (Dec 2009)
>> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] Default SSL Keys in Multiple Routers
Quite interesting. It was one of those things I just assumed was part of the build process. Thanks for the app and info.

t

Sent from my Windows Phone emulator.

> From: Craig Heffner
> Sent: Sunday, December 19, 2010 10:03 AM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Default SSL Keys in Multiple Routers
>
> From a security standpoint, it is. But it's easier and probably more cost effective for the manufacturer. Sometimes the key will be different between firmware versions, sometimes it won't. Sometimes the same key will be used for two different models. It just depends. Some models don't have hard coded keys, but most of the consumer grade stuff (and even some of the low-end business stuff) does.
>
> - Craig
>
> On Sun, Dec 19, 2010 at 12:17 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>> These manufacturers use the same key on each of their models? That seems ridiculous to me...
>>
>> T
>>
>>> From: Craig Heffner
>>> Sent: Sunday, December 19, 2010 5:56 AM
>>> To: full-disclosure@lists.grok.org.uk
>>> Subject: [Full-disclosure] Default SSL Keys in Multiple Routers
>>>
>>> Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device's firmware.
>>>
>>> The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.
>>>
>>> Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host.
>>>
>>> LittleBlackBox can be downloaded from http://littleblackbox.googlecode.com. More information is available at http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/.
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo victor_r...@yahoo.com wrote:
> Let's see, flash is:
> - Cross-platform
> - Cross-architecture
> - Has its own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
* Insecure (Adobe's implementation)

> It's not ineptness, it's what you get when you write software that can actually do stuff.
For completeness, I did not claim they are inept - only insecure. Insecurity in the absence of ineptness is probably more egregious - they should know better.

It will be interesting to see if HTML 5 has as many security problems. I would love to see an Adobe implementation of HTML 5 go head to head with Chrome or IE. It's too bad (or perhaps we are fortunate) that Adobe does not make browsers.

Jeff

> --- On Sat, 12/18/10, Jeffrey Walton noloa...@gmail.com wrote:
>
>> From: Jeffrey Walton noloa...@gmail.com
>> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
>> To: Maciej Gojny v...@ariko-security.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Date: Saturday, December 18, 2010, 5:53 PM
>>
>> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny v...@ariko-security.com wrote:
>>> hello full disclosure!
>>> After six months from the first contact with Adobe security team, important adobe.com subdomain is still vulnerable to SQL injection attacks. We hope that this time, serious people will try to solve the problem.
>>
>> There's a reason Adobe is the most attacked software [1,2], and it's probably because they write the most vulnerable software (or adversaries are looking for a challenge, which seems less intuitive and highly unlikely to me). It appears insecurity is an enterprise wide practice, and not just limited to their software.
>>
>> Jeff
>>
>> [1] Adobe surpasses Microsoft as favorite hacker’s target (Jul 2009)
>> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>> [2] Adobe predicted as top 2010 hacker target (Dec 2009)
>> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
> Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things.
> - Marsh Ray

I'll keep using that quote till I die...

On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray ma...@extendedsubset.com wrote:
> On 12/18/2010 05:30 PM, Victor Rigo wrote:
>> Let's see, flash is:
>> - Cross-platform
>> - Cross-architecture
>> - Has its own programming language
>> - Is embedded on websites
>> - Access to javascript to popup, local caches, etc.
>
> Not on my machine?
>
>> It's not ineptness, it's what you get when you write software that can actually do stuff.
>
> Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything.
>
> Nowadays, the first questions after "hey, our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer.
>
> So if a vendor is known for letting app developers do more stuff and not also known for letting users control what stuff gets done on their own machines then they are laggards, not leaders, in my view.
>
>> If Java applets were still the hip thing, you'd see the same thing about that.
>
> There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning:
>
> * It's still not an argument for using Flash.
> * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too.
> * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great". But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is.
> * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. doing stuff trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve.
>
> Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things.
>
> - Marsh
Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
Concurred. No file format is as obnoxious as SWF. However, with the debut of HTML 5, we're finding that video is being offloaded to video and open codecs are being integrated into browsers. Further, HTML 5's media capabilities are making flash cumbersome. Try disabling flash extension on Firefox and enjoy real internet.

Victor Rigo, CISSP
Independent Computer Security Consultant
Buenos Aires, AR
+5411-4316-1901

--- On Sun, 12/19/10, Christian Sciberras uuf6...@gmail.com wrote:

> From: Christian Sciberras uuf6...@gmail.com
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection again!
> To: Marsh Ray ma...@extendedsubset.com
> Cc: Victor Rigo victor_r...@yahoo.com, full-disclosure@lists.grok.org.uk
> Date: Sunday, December 19, 2010, 9:25 PM
>
>> Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things.
>> - Marsh Ray
>
> I'll keep using that quote till I die...
>
> On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray ma...@extendedsubset.com wrote:
>> On 12/18/2010 05:30 PM, Victor Rigo wrote:
>>> Let's see, flash is:
>>> - Cross-platform
>>> - Cross-architecture
>>> - Has its own programming language
>>> - Is embedded on websites
>>> - Access to javascript to popup, local caches, etc.
>>
>> Not on my machine?
>>
>>> It's not ineptness, it's what you get when you write software that can actually do stuff.
>>
>> Adobe comes from a time when you could write PC software without caring about security. Yeah, it was a heck of a lot easier to write just about anything back then because it was well and proper that anything could do anything.
>>
>> Nowadays, the first questions after "hey, our software could do this" must be "but should it do that? What else could someone leverage that new capability to do? How does it combine with every other feature in our app or even on the whole platform? What if somebody does it repeatedly in a tight loop? With pathological inputs?" and so on. These questions take a long time to answer.
>>
>> So if a vendor is known for letting app developers do more stuff and not also known for letting users control what stuff gets done on their own machines then they are laggards, not leaders, in my view.
>>
>>> If Java applets were still the hip thing, you'd see the same thing about that.
>>
>> There's undoubtedly some truth to that. But at the same time, it doesn't seem like a useful line of reasoning:
>>
>> * It's still not an argument for using Flash.
>> * That Java plugins have had chronic security bugs doesn't mean that Flash doesn't suck too.
>> * You seem to imply that you don't think that Adobe is likely to secure Flash any time soon. You're not saying "Adobe will secure Flash in the next patch and then it will be great". But you listed all the great stuff it does, so I have to think you would have said something like that if you believed it. You may be making Flash look worse than it is.
>> * It's basically an "appeal to futility" argument: no one could make a development platform and browser plugin that is significantly more secure (or does a better job of managing the security vs. doing stuff trade off) so therefore we should accept the status quo. That's why it's not useful: it gives no guidance on directions in which to improve.
>>
>> Personally, I kind of like Flash. It gives me a single kill switch for 90% of the useless blinking crap and popups on the internet. Flash is a really appropriate name for exactly what I don't want to see on a web page. I hope it remains the platform of choice for those who develop such things.
>>
>> - Marsh
[Full-disclosure] MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability
MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW

MyBB was vulnerable to a Cross Site Scripting vulnerability.

2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the MyBB Group. It is reportedly derived from the XMB and DevBB bulletin board applications.

3. VULNERABILITY DESCRIPTION

Two XSS vulnerabilities were found. One is a user-driven XSS via the url parameter of the login form: the injected payload executes in the user's browser once the log-in succeeds. The other is a reflected XSS via the posthash parameter, which requires a valid tid (topic id) for a successful attack. The anti-CSRF check on the my_post_key parameter was not performed in thread/post preview mode, so the preview request provides the path by which the reflected XSS succeeds.

4. VERSIONS AFFECTED

MyBB 1.6 and lower

5. PROOF-OF-CONCEPT/EXPLOIT

User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29

Reflected XSS
http://attacker.in/mybb/newreply.php?my_post_key=&subject=XSS&action=do_newreply&posthash=;<script>alert(/XSS/)</script>&quoted_ids=&lastpid=1&from_page=1&tid=1&method=quickreply&message=test&previewpost=Preview Post

6. SOLUTION

Upgrade to 1.6.1

7. VENDOR

MyBB Development Team
http://www.mybb.com/

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-20: vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_cross_site_scripting

About MyBB:
http://www.mybb.com/about/mybb

#yehg [2010-12-20]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
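The advisory describes three separate defects: a post-login redirect parameter (url) that accepted a javascript: target, a request value (posthash) reflected into the page without escaping, and an anti-CSRF token (my_post_key) that was not checked on the preview path. The following is an added example, not MyBB code and not the vendor's fix: it restates the three missing checks as generic Python rather than MyBB's PHP. The function names, the `session`/`form` dictionaries and the `index.php` fallback are assumptions for illustration.

```python
"""Hardened handling for the three issue classes in the MyBB 1.6 advisory.

Added example; not MyBB code. Shows a same-site-only login redirect target,
attribute-escaped reflection of the posthash value, and an anti-CSRF
my_post_key check that covers preview as well as submit. Names and the
session/form layout are assumptions.
"""
import hmac
import html
from urllib.parse import urlsplit

DEFAULT_TARGET = "index.php"   # assumed landing page when the url parameter is rejected


def safe_redirect_target(url: str, default: str = DEFAULT_TARGET) -> str:
    """Accept only a site-relative path for the post-login redirect.

    Rejected: any scheme (javascript:, data:, http:), protocol-relative
    //host paths, backslashes (browsers fold them to slashes), and control
    characters that could break out of a Location header or meta refresh.
    """
    url = (url or "").strip()
    if not url or any(ord(ch) < 0x20 for ch in url) or "\\" in url:
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or url.startswith("//"):
        return default
    return url


def render_hidden_field(name: str, value: str) -> str:
    """Reflect a request value (e.g. posthash) inside an attribute, escaped."""
    return '<input type="hidden" name="{}" value="{}" />'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))


def check_post_key(session_post_key: str, submitted: str) -> bool:
    """Constant-time anti-CSRF token comparison; empty tokens never pass."""
    if not session_post_key or not submitted:
        return False
    return hmac.compare_digest(session_post_key, submitted)


def handle_newreply(session: dict, form: dict) -> dict:
    """newreply handler: preview and submit both require a valid my_post_key
    (the advisory notes the check was skipped in preview mode)."""
    if not check_post_key(session.get("my_post_key", ""), form.get("my_post_key", "")):
        return {"status": 403, "action": None, "body": "Invalid post key"}
    action = "preview" if form.get("previewpost") else "submit"
    body = render_hidden_field("posthash", form.get("posthash", ""))
    return {"status": 200, "action": action, "body": body}


if __name__ == "__main__":
    print(safe_redirect_target("javascript:alert%28/XSS/%29"))   # index.php
    print(handle_newreply({"my_post_key": "k1"},
                          {"my_post_key": "", "previewpost": "Preview Post"}))
```

The redirect check is deliberately an allow-list (a bare relative path and nothing else) rather than a deny-list of schemes, because the browser, not the server, decides how a string such as a tab-separated or mixed-case scheme is interpreted. The token check runs before any branch on previewpost, which is the structural fix for the missing preview-mode check.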