Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
On Wed, 26 Jan 2011 21:43:28 PST, Michal Zalewski said:
> The real problem is that when mhtml: is used to fetch the container over an underlying protocol, it does not honor Content-Type and related headers (or even nosniff).

Geez. It's 2011, and people are *still* doing that same basic error?

/me tries to remember the first "ignore the Content-Type header and handle it based on guessing based on filename/extension" bug. CA-2001-36 seems to qualify, but I think there were ones before that. Anybody able to remember that far back?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability
== Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability ==

1. OVERVIEW

Vanilla Forums 2.0.16 and lower versions are vulnerable to Cross Site Scripting.

2. BACKGROUND

Vanilla Forums is an open-source, standards-compliant, customizable discussion forum. It is specially made to help small communities grow larger through SEO mojo, totally customizable social tools, and great user experience. Vanilla is also built with integration at the forefront, so it can seamlessly integrate with your existing website, blog, or custom-built application.

3. VULNERABILITY DESCRIPTION

The 'Target' parameter of the sign-in page, which holds the URL the user is sent to after logging in, is not properly validated: a javascript: URL is accepted as the post-login destination and executes in the forum's origin, which allows an attacker to conduct a Cross Site Scripting attack. An attacker could place a link in a forum post that appears to point at a page requiring authentication; upon logging in through that link, the user gets XSSed.

4. VERSIONS AFFECTED

2.0.16 and lower

5. PROOF-OF-CONCEPT/EXPLOIT

http://vanilla/index.php?p=/entry/signin&Target=javascript:alert(document.cookie)//http://

6. SOLUTION

Upgrade to Vanilla Forums 2.0.17 or higher

7. VENDOR

Vanilla Forums Development Team
http://vanillaforums.org/

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2010-12-14: notified vendor
2011-01-18: vendor released fix
2011-01-27: vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[vanilla_forums-2.0.16]_cross_site_scripting
What XSS Can Do:
http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs:
http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki):
http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp):
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-79:
http://cwe.mitre.org/data/definitions/79.html

#yehg [2011-01-27]

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
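The fix the advisory asks for, as an added example that is not Vanilla's own code: a validator for a post-login redirect target that only accepts an absolute path on the site or an http(s) URL whose host is exactly the forum's own. The PoC string above, a protocol-relative "//host" value, the backslash variant and a scheme split by a tab are all sent to the fallback. The host name "vanilla" is assumed from the PoC URL; the function and constant names are this example's own.

```python
from urllib.parse import urlsplit

# Assumption: the forum's own host name, taken from the PoC URL above.
SITE_HOST = "vanilla"


def safe_redirect_target(target: str, site_host: str = SITE_HOST, fallback: str = "/") -> str:
    """Return target if it is a same-site destination, otherwise fallback.

    Allowed: an absolute path on this site ("/discussions") or an absolute
    http(s) URL whose host is exactly site_host. Everything else, including
    javascript: URLs, protocol-relative "//host" links, backslash tricks and
    values containing control characters or whitespace, becomes the fallback.
    """
    # Browsers strip tabs/newlines inside a scheme ("java\tscript:"), so any
    # control character is treated as hostile rather than parsed around.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return fallback
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one "/" so it cannot be read
        # as "//evil.example" (protocol-relative) or "/\evil.example".
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback
    # Absolute URL: scheme allow-list plus an exact host match. hostname is
    # lower-cased by urlsplit and excludes userinfo, so "http://vanilla@evil"
    # resolves to the attacker's host and is rejected.
    if parts.scheme.lower() in ("http", "https") and parts.hostname == site_host.lower():
        return target
    return fallback


if __name__ == "__main__":
    for t in ("javascript:alert(document.cookie)//http://", "//evil.example/",
              "/\\evil.example", "/discussions", "http://vanilla/discussions"):
        print(repr(t), "->", repr(safe_redirect_target(t)))
```

The "//http://" tail of the PoC is the kind of suffix that satisfies a substring check for the site's own URL; an allow-list on the parsed scheme and host does not care what the string contains after the scheme.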
Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
Security is a general thing. Many security issues are composed of many different vulnerabilities of different factory, like mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!

So we come back to this vul. This vul needs two conditions:

1. The www.google.com app doesn't filter the CRLF.
2. IE supports the mhtml protocol handler to render the mhtml file format, and this is why mhtml: is designed.

-- Both are indispensable.

So google's vul is that it doesn't take into account the security implications of using mhtml; the MS vul is that it does not honor Content-Type and related headers (or even nosniff). Like MZ says, GG and MS, both are vul...

In addition, if MS says this is mhtml:'s original function, then google is very dangerous to the users who use IE even if MS fixed it. How about the google users who do not have time to upgrade IE?

by superhei hitest

2011/1/26 Michal Zalewski lcam...@coredump.cx:
>> 1.www.google.com app don't filter the CRLF
>
> This is not strictly required; there are other scenarios where this vulnerability is exploitable.
>
>> 2.IE support mhtml protocol handler to render the mhtml file format, and this is the why mhtml: is designed
>
> The real problem is that when mhtml: is used to fetch the container over an underlying protocol, it does not honor Content-Type and related headers (or even nosniff).
>
> /mz
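The two conditions superhei lists, and Zalewski's point that the client ignores the declared Content-Type, as an added example that is not code from the thread, from Google or from Microsoft: a Python model of the two client behaviours. The first function builds the MHTML container an attacker needs reflected into a response on the victim origin; the "sniffing" client then parses the body as MIME from the first MIME header block it finds, never consulting the Content-Type it was given, while the "honest" client treats a body as a container only when the server declared one. The boundary string, function names and the JSON echo response are constructed for this example.

```python
import email
import re
from email import policy

# Constructed values for this example; nothing here is taken from the thread.
BOUNDARY = "_mhtml_example_boundary_"


def build_mhtml_container(html: str, boundary: str = BOUNDARY) -> str:
    """Build a minimal MHTML container: a multipart/related message holding one
    text/html part. This is the text an attacker needs reflected, line breaks
    intact, into some response on the victim origin (superhei's condition 1)."""
    return (
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/related; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/html\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        f"{html}\r\n"
        f"--{boundary}--\r\n"
    )


# Where a MIME header block begins inside an otherwise arbitrary body.
MIME_START = re.compile(r"(?i)MIME-Version:\s*1\.0\r?\n")


def html_parts_seen_by_sniffing_client(transport_content_type: str, body: str) -> list[str]:
    """Model of a client with the bug Zalewski describes: the Content-Type the
    server sent is accepted but never consulted, and the body is parsed as a
    MIME container from the first MIME header block it contains. Whatever the
    server emitted before the injected text (a JSON prefix, a text/plain
    banner) does not protect it."""
    del transport_content_type  # deliberately ignored: that is the bug
    m = MIME_START.search(body)
    if m is None:
        return []
    msg = email.message_from_string(body[m.start():], policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        return []
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def html_parts_seen_by_honest_client(transport_content_type: str, body: str) -> list[str]:
    """Same input, but the declared Content-Type is authoritative: a body is
    only treated as a container when the server actually said it is one."""
    if not transport_content_type.lower().startswith("multipart/related"):
        return []
    return html_parts_seen_by_sniffing_client(transport_content_type, body)


if __name__ == "__main__":
    payload = build_mhtml_container("<script>alert(document.domain)</script>")
    # Constructed: a text/plain endpoint that echoes the attacker's string verbatim.
    reflected = '{"echo": "' + payload + '"}'
    print("sniffing client renders:", html_parts_seen_by_sniffing_client("text/plain", reflected))
    print("honest client renders:  ", html_parts_seen_by_honest_client("text/plain", reflected))
```

The server-side lesson is the same one Zalewski makes: the CRLF filter is only one of several ways the container can end up in a response, so the durable fix is on the client, which must treat the declared Content-Type (and nosniff) as authoritative.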
Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell
Hey Steve,

Thanks for your time. Probably this tool is not meant for you, since you use metasploit. I wasn't trying to reinvent the wheel. This tool is oriented to people with basic security skills, that need a way to do pentest to their sites among many other possibilities.

Thanks again, don't forget to donate because you didn't. But I'm ok with that :-)

Juan Sacco

On Wed, Jan 26, 2011 at 3:33 PM, Steve Pinkham steve.pink...@gmail.com wrote:
> On 01/26/2011 01:25 PM, Juan Sacco wrote:
>> Steve, is a lot easier get donation and rent a good hosting. Sorry Im going to pass your offer. Juan Sacco
>
> Sure, I understand. Unfortunately, that puts you back in the liar category about whether or not the software is actually free. Too bad, I just wasted 20 bucks and a few hours setting up quality hosting, and I was looking forward to trying out a new tool. Back to metasploit for me!
>
> --
> | Steven Pinkham, Security Consultant|
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
_
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.0 was released stay tunned
Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell
Oh, fuck this shit.

http://rapidshare.com/files/444699301/InsectProFull.zip

This is the previous version, you can guess what the new version should be like.
Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell
Even though I am not an established Security Professional, I would like to make a comment regarding your software.

I generally only donate to people/companies that produce software which I can see/experience. Unfortunately, your software is being released with the stipulation that a person donate first, then test/experience it second. I know as well as almost everyone else, that running costs and bandwidth for your website cannot be very expensive, especially considering the massive amount of low cost VPS providers available to host your content. Two people donating would cover most VPS hosts for one to two months.

Essentially, I am wondering whether you can/will release the software for the public to test, and then if they decide to continue using it and/or decide that they want to support you, they can then donate.

Andrew R. DeFilippis

On Wed, Jan 26, 2011 at 11:07 AM, runlvl run...@gmail.com wrote:
> Steve,
>
> Insect Pro 2.0 is redistributable and I even talked with Microsoft (they called me) about that and there are no issues when it comes to copyrights. Ruby, Python, Metasploit and Our exploits are redistributables.
>
> Again, thanks for your time and interest! If you have any further question please let me know about it by email i...@insecurityresearch.com !
>
> Juan Sacco
>
> --
> _
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.0 was released stay tunned
>
> 2011/1/26 Steve Pinkham steve.pink...@gmail.com
>> On 01/26/2011 01:40 PM, Juan Sacco wrote:
>>> Thanks again, dont forget to donate because you didnt But Im ok with that :-)
>>
>> For clarity, the $20 was for a unmetered, 100Mb/s VPS so I could make good on my part of the deal if you weren't lying about it being free. I haven't given you any money, and don't plan on it because your claims about it being freely redistributable are now proven false.
>>
>> Here's a reminder of our email exchanges:
>>
>> On 01/25/2011 11:27 PM, Steve Pinkham wrote:
>>> Put up or shut up time: I will pay to host the download on my own server for the next 6 months if the product license allows it (and it legal for me to do so as not infringing copyright, etc), or you need to stop claiming it is free. So, can I redistribute it for free, or are you a liar?
>>
>> Your reply:
>>
>> On 01/25/2011 11:59 PM, Juan Sacco wrote:
>>> Steve, yes you can! :-) Let me know by email when you are ready! and I hope you could make a personal review of Insect Pro 2.0 when you get a copy :P BTW I will change that word licence is consufing i guess, Thanks for support our software Juan Sacco
>>
>> My simple request is that you state that your software is free to redistribute, and make a testable assertion that it does not infringe other's copyright.
>>
>> I think I've made my case. If you change your mind, the offer still stands, and the server is all set up to host the file as soon as it is made available to me with appropriate legal disclaimers. Otherwise I think we are done here.
>>
>> --
>> | Steven Pinkham, Security Consultant|
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
Re: [Full-disclosure] http://security.goatse.fr/gaping-hole-exposed
BIG UPS TO KRASHED

Leon Kaiser - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive." -- Andrew "weev" Auernheimer

On Wed, 2011-01-26 at 19:41 -0500, Andrew Kirch wrote:
> RLY? YARLY. (wasn't me of course)
Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml
Not a google vuln. Hunt down MSFT to pay for your bug. Oh wait, they don't pay for free research.. 0noz, you won't get any candy!

2011/1/27, IEhrepus 5up3r...@gmail.com:
> Security is a general thing. Many security issues are composed of many different vulnerabilities of different factory, like mhtml:http://www.google.com/gwt/n?u=[mhtml file url]!
>
> So we come back to this vul. This vul needs two conditions:
> 1. The www.google.com app doesn't filter the CRLF.
> 2. IE supports the mhtml protocol handler to render the mhtml file format, and this is why mhtml: is designed.
> -- Both are indispensable.
>
> So google's vul is that it doesn't take into account the security implications of using mhtml; the MS vul is that it does not honor Content-Type and related headers (or even nosniff). Like MZ says, GG and MS, both are vul...
>
> In addition, if MS says this is mhtml:'s original function, then google is very dangerous to the users who use IE even if MS fixed it. How about the google users who do not have time to upgrade IE?
>
> by superhei hitest
>
> 2011/1/26 Michal Zalewski lcam...@coredump.cx:
>>> 1.www.google.com app don't filter the CRLF
>> This is not strictly required; there are other scenarios where this vulnerability is exploitable.
>>> 2.IE support mhtml protocol handler to render the mhtml file format, and this is the why mhtml: is designed
>> The real problem is that when mhtml: is used to fetch the container over an underlying protocol, it does not honor Content-Type and related headers (or even nosniff).
>> /mz
[Full-disclosure] Multiple Web Applications | Full Path Disclosure
The following web applications are found to have full path disclosure flaws (Ref: WASC-13, CWE-200).

- htmlpurifier-4.2.0 phpids-0.6.5 PhpSecInfo 111WebCalendar-1.2.3 adodb aef-1.0.8 ATutor-2.0 auth b2evolution-3.3.3 bbpress-1.0.2 cftp-r80 claroline-1.9.7 clipbucket_2.0.9_stable_Fr cmsmadesimple-1.9.2 CodeIgniter_1.7.2 concrete5.4.0.5 concrete5.4.1.1 CopperminePhotoGallery-1.5.12 craftysyntax3.0.2 CubeCart-4.4.3 dokuwiki-2009-12-25c Dolphin-7.0.4 dotproject-2.1.4 drupal-7.0 e107_0.7.24 eggblog_4.1.2 elgg-1.7.6 ExoPHPDesk_1.2.1 eyeOS-2.2.0.0 fengoffice_1.7.2 freeway_1_5_alpha_Burstow frontaccounting-2.3.1 helpcenterlive-2.1.7 hesk-2.2 jcow.4.2.1 joomla-1.6.0 kamads-2_b3 kplaylist.1.8.502 lifetype-1.2.10 limesurvey190plus-build9642-20101214 linpha-1.3.4 mambo-4.6.5 mantisbt-1.2.4 moodle-2.0.1 mound-2.1.6 mybb-1.6 nucleus3.61 NuSOAP open-realty-2.5.8 OpenBlog-1.2.1 opencart_v1.4.9.3 opendocman-1.2.6-svn-2011-01-21 orangehrm-2.6.0.2 oscommerce-3.0a5 phorum-5.2.15a PHP-Easy-Survey-Package-2.1.1 PHP-Nuke-8.0 PHP-Point-Of-Sale-10.7 phpads-2.0 phpAlbum_v0.4.1.14.fix06 phpBook-2.1.0 phpcollab-2.5 PHPDevShell-V3.0.0-Beta-4b PHPfileNavigator-2.3.3 phpFormGen-2.09 phpfreechat-1.3 PhpGedView-all-4.2.3 phpicalendar-2.4 phpld-2-151.2.0 phpmyfaq-2.6.13 phprojekt-6.0.5 phpScheduleIt_1.2.12 phpwcms-1.4.7r412 piwigo-2.1.5 piwik-1.1 pixelpost_v1.7.3 pixie_v1.04 PliggCMS1.1.3 podcastgen1.3 prestashop_1.4.0.6 projectpier-0.8.0.3 serendipity-1.5.5 Smarty statusnet-0.9.6 SugarCRM-6.1.0 taskfreak-multi-mysql-0.6 tcexam_11.1.015 textpattern-4.2.0 thebuggenie_2.1.2 theHostingTool-v1.2.3 TinyMCE TinyWebGallery-1.8.3 tomatocart-1.1.3 vanilla-2.0.16 WebCalendar-1.2.3 WeBid-1.0.0 webinsta-mail-list-1.3e WebsiteBaker_2.8.1 wordpress-3.0.4 xajax xoops-2.5.0 YOURS Zend zikula-1.2.4

Vulnerable files list for each application can be found at
http://yehg.net/lab/pr0js/advisories/path_disclosure/
http://yehg.net/lab/pr0js/advisories/path_disclosure.zip

Solution:

Turn PHP's display_errors setting off, so that warnings and notices (which embed the absolute path of the failing script) are no longer written into the response. For those who manage servers, set display_errors = Off in php.ini. For those who don't, simply put

    php_flag display_errors off

in the .htaccess file of the web root directory (unless it is restricted by php_admin_flag).

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
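The check behind a list like this, as an added example that is not YGN's tooling: a Python scanner that pulls every PHP error line out of an HTTP response body, in both the html_errors=On form (with <b> tags) and the plain form, and reports the absolute paths and the directories they reveal. The sample response is constructed; the regular expression, function names and paths are this example's own.

```python
import posixpath
import re

# Matches PHP's error lines both with html_errors on
# ("<b>Warning</b>:  ... in <b>/path/file.php</b> on line <b>12</b>")
# and off ("Warning: ... in /path/file.php on line 12"), for Unix and Windows paths.
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"
    r"(?:</b>)?:\s+(?P<msg>.+?)\s+in\s+(?:<b>)?"
    r"(?P<path>/[^\s<]+|[A-Za-z]:\\[^\s<]+)"
    r"(?:</b>)?\s+on line\s+(?:<b>)?(?P<line>\d+)",
    re.DOTALL,
)

# Constructed response body: one html_errors=On warning and one plain notice.
SAMPLE_RESPONSE = (
    "<br />\n<b>Warning</b>:  include(missing.php) [<a href='function.include'>"
    "function.include</a>]: failed to open stream: No such file or directory in "
    "<b>/var/www/html/vanilla/library/core/class.x.php</b> on line <b>12</b><br />\n"
    "Notice: Undefined index: id in C:\\inetpub\\wwwroot\\app\\lib\\db.php on line 40\n"
)


def find_path_disclosures(body: str) -> list[dict]:
    """Return every PHP error in a response body that reveals an absolute
    filesystem path, as {level, message, path, line} dicts in page order."""
    return [
        {"level": m["level"], "message": m["msg"], "path": m["path"], "line": int(m["line"])}
        for m in PHP_ERROR.finditer(body)
    ]


def leaked_directories(body: str) -> set[str]:
    """The directories an attacker learns from the response: the reusable part
    of a full path disclosure for later file-inclusion or upload attacks."""
    dirs = set()
    for hit in find_path_disclosures(body):
        p = hit["path"]
        dirs.add(p.rsplit("\\", 1)[0] if "\\" in p else posixpath.dirname(p))
    return dirs


if __name__ == "__main__":
    for hit in find_path_disclosures(SAMPLE_RESPONSE):
        print(f"{hit['level']}: {hit['path']}:{hit['line']}")
    print("leaked directories:", sorted(leaked_directories(SAMPLE_RESPONSE)))
```

Run it over the responses of a crawl (or of requests that deliberately omit parameters and include files that do not exist), and any hit is a page that still has display_errors on.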
Re: [Full-disclosure] [Full-Disclosure] http://security.goatse.fr/gaping-hole-exposed (is a troll)
Knowing one of the people listed in the shout-outs, I told them about the props and they got back with the following statement:

After doing some digging, [I] found out that they did it to their own website to generate publicity. The person responsible told me he didn't think anything would happen from it so he used my old nick. He apologized to me and said he'll not do something like that in the future.
[Full-disclosure] Free Download of Insect Pro 2.0 (Was: Re: [VIDEO] Keylogger, RecordMic and Shell)
I've received indications that Insect Pro 2.0 is free to redistribute and contains no copyright infringement, and as such am making it available from the following site:

http://insectpro.highprofilesite.com/

The only assertions for legality and usefulness come from the author, juansa...@gmail.com. I am not affiliated in any way except agreeing to host the software for free for others to try out.

The software is Windows only. I haven't even installed it yet, so can't make any claims. ;-)

If anyone finds anything illegal or undesirable in the download, please don't hesitate to report it.

Thanks,
Steve

--
| Steven Pinkham, Security Consultant|
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
Re: [Full-disclosure] Free Download of Insect Pro 2.0 (Was: Re: [VIDEO] Keylogger, RecordMic and Shell)
Steve, thanks for the hosting and advertising, and also for the donation, I am taking it as a double donation! :-D

Hope you can post some images and a review of the product real soon!

Juan Sacco

--
_
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.0 was released stay tunned

2011/1/27 Steve Pinkham steve.pink...@gmail.com
> I've received indications that Insect Pro 2.0 is free to redistribute and contains no copyright infringement, and as such am making it available from the following site:
>
> http://insectpro.highprofilesite.com/
>
> The only assertions for legality and usefulness come from the author, juansa...@gmail.com. I am not affiliated in any way except agreeing to host the software for free for others to try out.
>
> The software is Windows only. I haven't even installed it yet, so can't make any claims. ;-)
>
> If anyone finds anything illegal or undesirable in the download, please don't hesitate to report it.
>
> Thanks,
> Steve
>
> --
> | Steven Pinkham, Security Consultant|
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
[Full-disclosure] ZDI-11-028: Symantec AMS Intel Alert Service AMSSendAlertAct Remote Code Execution Vulnerability
ZDI-11-028: Symantec AMS Intel Alert Service AMSSendAlertAct Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-028
January 27, 2011

-- CVE ID:
CVE-2010-0110

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Alert Management System

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9423. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Alert Management System. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the AMSLIB.dll module while processing data sent from the msgsys.exe process, which listens by default on TCP port 38292. The DLL allocates a fixed-length stack buffer and subsequently copies a user-supplied string into it using memcpy without validating the size. By supplying a large enough value this buffer can be overflowed, leading to arbitrary code execution in the context of the vulnerable daemon.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2011-01-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi
[Full-disclosure] ZDI-11-029: Symantec AMS Intel Alert Handler Service CreateProcess Remote Code Execution Vulnerability
ZDI-11-029: Symantec AMS Intel Alert Handler Service CreateProcess Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-029
January 27, 2011

-- CVE ID:
CVE-2010-0111

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Alert Management System

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9422. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Alert Management System. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the HDNLRSVC.EXE service while processing data sent from the msgsys.exe process, which listens by default on TCP port 38292. This process passes user-supplied data directly to a CreateProcessA call. By supplying a UNC path to a controlled binary, a remote attacker can execute arbitrary code in the context of the vulnerable daemon.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

-- Disclosure Timeline:
2010-07-14 - Vulnerability reported to vendor
2011-01-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
[Full-disclosure] ZDI-11-030: Symantec AMS Intel Alert Handler Modem String Parsing Remote Code Execution Vulnerability
ZDI-11-030: Symantec AMS Intel Alert Handler Modem String Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-030
January 27, 2011

-- CVE ID:
CVE-2010-0111

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Alert Management System

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9415. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Alert Management System. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the pagehndl.dll module while processing data sent from the msgsys.exe process, which listens by default on TCP port 38292. The DLL allocates a fixed-length stack buffer and subsequently copies a user-supplied modem string into it without validating the size. By supplying a large enough value this buffer can be overflowed, leading to arbitrary code execution in the context of the vulnerable daemon.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2011-01-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
[Full-disclosure] ZDI-11-031: Symantec AMS Intel Alert Handler Pin Number Parsing Remote Code Execution Vulnerability
ZDI-11-031: Symantec AMS Intel Alert Handler Pin Number Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-031
January 27, 2011

-- CVE ID:
CVE-2010-0111

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Alert Management System

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9406. For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Alert Management System. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the pagehndl.dll module while processing data sent from the msgsys.exe process, which listens by default on TCP port 38292. The DLL allocates a fixed-length stack buffer and subsequently copies a user-supplied pin number string into it using sprintf without validating the size. By supplying a large enough value this buffer can be overflowed, leading to arbitrary code execution in the context of the vulnerable daemon.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2011-01-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
[Full-disclosure] ZDI-11-032: Symantec Intel Alert Originator Service iao.exe Remote Code Execution Vulnerability
ZDI-11-032: Symantec Intel Alert Originator Service iao.exe Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-032 January 27, 2011 -- CVE ID: CVE-2010-111 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Symantec -- Affected Products: Symantec Alert Management System -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5959. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple Symantec products. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Intel Alert Originator (iao.exe) service. While processing messages sent from the msgsys.exe process a size check can be bypassed and a subsequent stack-based buffer overflow can be triggered. This can be leveraged by remote attackers to execute arbitrary code under the context of the Alert service. -- Vendor Response: Symantec has issued an update to correct this vulnerability. More details can be found at: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisoryamp;pvid=security_advisoryamp;year=2011amp;suid=20110126_00 -- Disclosure Timeline: 2009-10-27 - Vulnerability reported to vendor 2011-01-27 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. 
[Full-disclosure] CA20101231-01: Security Notice for CA ARCserve D2D (updated)
CA20101231-01: Security Notice for CA ARCserve D2D

Issued: December 31, 2010
Last Updated: January 26, 2011

CA Technologies support is alerting customers to a security risk with CA ARCserve D2D. A vulnerability exists that can allow a remote attacker to execute arbitrary code. CA has issued an Information Solution to address the vulnerability.

The vulnerability is due to default vulnerabilities inherent in the Tomcat and Axis2 3rd party software components. A remote attacker can exploit the implementation to execute arbitrary code.

Risk Rating: High
Platform: Windows
Affected Products: CA ARCserve D2D r15

How to determine if the installation is affected
Using Windows Explorer, go to the directory D2D_HOME\TOMCAT\webapps\WebServiceImpl, and look for the existence of a folder called axis2-web.

Solution
CA has issued the following patch to address the vulnerability.
CA ARCserve D2D r15: RO26040

If you are not able to apply the patch at this time, the following workaround can be implemented to address the vulnerability.

1. Stop CA ARCserve D2D Web Service from service control manager.
2. Go to the directory D2D_HOME\TOMCAT\webapps\WebServiceImpl, and remove the folder axis2-web.
3. Edit D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml, and remove the content of AxisAdminServlet's servlet and servlet mapping. The content to remove will look like the text below:

   <servlet>
     <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
     <servlet-name>AxisAdminServlet</servlet-name>
     <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
     <load-on-startup>100</load-on-startup>
   </servlet>

   <servlet-mapping>
     <servlet-name>AxisAdminServlet</servlet-name>
     <url-pattern>/axis2-admin/*</url-pattern>
   </servlet-mapping>

4. Change the username and password parameters in the axis2.xml file to stronger credentials that conform to your organization's password policies.

   D2D_HOME\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml
   <parameter name="userName">admin</parameter>
   <parameter name="password">axis2</parameter>

5. Start CA ARCserve D2D Web Service.

References
CVE-201X- - CVE Reference Pending

CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet Code Execution Vulnerability Poc, Dec 30 2010 11:04AM
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html

Acknowledgement
rgod

Change History
Version 1.0: Initial Release
Version 2.0: Added patch information

If additional information is required, please contact CA Technologies Support at https://support.ca.com

If you discover a vulnerability in a CA Technologies product, please report your findings to the CA Technologies Product Vulnerability Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx

Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com
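An added check for steps 3 and 4 of the workaround above (example code, not CA's own tooling): it reads the text of web.xml and axis2.xml, reports whether the AxisAdminServlet entries and the quoted default userName/password values are still present, and returns web.xml with the admin servlet entries removed. The sample XML is constructed from the fragments quoted in the notice; the extra AxisServlet mapping in it is an assumption.

```python
# Added example, not CA's code: checks for steps 3-4 of the workaround, run on the
# text of WEB-INF/web.xml and WEB-INF/conf/axis2.xml. Sample XML below is constructed.
import xml.etree.ElementTree as ET

ADMIN_SERVLET = "AxisAdminServlet"
ADMIN_CLASS = "org.apache.axis2.transport.http.AxisAdminServlet"
DEFAULT_CREDS = {"userName": "admin", "password": "axis2"}  # values quoted in the notice

def _local(tag):
    """Strip a namespace prefix so web.xml matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]
def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None
def _is_admin_entry(elem):
    """<servlet> or <servlet-mapping> that declares or maps the Axis2 admin servlet."""
    return _local(elem.tag) in ("servlet", "servlet-mapping") and (
        _child_text(elem, "servlet-name") == ADMIN_SERVLET
        or _child_text(elem, "servlet-class") == ADMIN_CLASS)

def admin_servlet_exposed(web_xml):
    """True if web.xml still carries the AxisAdminServlet servlet or its mapping."""
    return any(_is_admin_entry(e) for e in ET.fromstring(web_xml))

def remove_admin_servlet(web_xml):
    """Step 3: drop the AxisAdminServlet servlet and servlet-mapping; return new XML."""
    root = ET.fromstring(web_xml)
    for elem in [e for e in root if _is_admin_entry(e)]:
        root.remove(elem)
    return ET.tostring(root, encoding="unicode")

def uses_default_credentials(axis2_xml):
    """Step 4 check: either axis2.xml credential parameter still at its shipped default."""
    root = ET.fromstring(axis2_xml)
    found = {p.get("name"): (p.text or "").strip() for p in root.iter()
             if _local(p.tag) == "parameter" and p.get("name") in DEFAULT_CREDS}
    return any(found.get(k) == v for k, v in DEFAULT_CREDS.items())
# Constructed samples mirroring the fragments quoted in the notice (AxisServlet mapping assumed).
SAMPLE_WEB_XML = """<web-app>
<servlet><servlet-name>AxisAdminServlet</servlet-name>
<servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>AxisAdminServlet</servlet-name>
<url-pattern>/axis2-admin/*</url-pattern></servlet-mapping>
<servlet-mapping><servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern></servlet-mapping>
</web-app>"""
SAMPLE_AXIS2_XML = ('<axisconfig><parameter name="userName">admin</parameter>'
                    '<parameter name="password">axis2</parameter></axisconfig>')
```

Run it against the real files after applying the workaround: both checks should come back False, and the non-admin servlet mappings must survive the rewrite.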
[Full-disclosure] [SECURITY] [DSA 2152-1] hplip security update
Debian Security Advisory DSA-2152-1                   secur...@debian.org
http://www.debian.org/security/                           Moritz Muehlenhoff
January 27, 2011                          http://www.debian.org/security/faq

Package        : hplip
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-4267
Debian Bug     : 610960

Sebastian Krahmer discovered a buffer overflow in the SNMP discovery code of the HP Linux Printing and Imaging System, which could result in the execution of arbitrary code.

For the stable distribution (lenny), this problem has been fixed in version 2.8.6.b-4+lenny1.

For the testing distribution (squeeze), this problem has been fixed in version 3.10.6-2.

For the unstable distribution (sid), this problem has been fixed in version 3.10.6-2.

For the experimental distribution, this problem has been fixed in version 3.11.1-1.

We recommend that you upgrade your hplip packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] ZDI-11-033: Realplayer vidplin.dll AVI Parsing Remote Code Execution Vulnerability
ZDI-11-033: Realplayer vidplin.dll AVI Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-033
January 27, 2011

-- CVE ID:
CVE-2010-4393

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10640. For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Realnetworks Realplayer SP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the vidplin.dll module. A buffer is allocated according to the user supplied length value. User supplied data is then copied into the allocated buffer, without verifying length, allowing the data to be written past the bounds of the previously allocated buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the user running RealPlayer.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More details can be found at:

http://service.real.com/realplayer/security/01272011_player/en/

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-01-27 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Juan Pablo Lopez Yacubian

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.