[Full-disclosure] Avast Antivirus

2012-01-18 Thread Floste
Hello,

Avast Antivirus also comes with sandbox and a SafeZone. But both can
be circumvented using simple dll-injection and they seem to do nothing
about it: http://forum.avast.com/index.php?topic=82291.0

Maybe this post here will encourage them to fix it.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Avast Antivirus

2012-01-18 Thread Dan Kaminsky
Nothing to be done, really.  Most users run as admin.

On Tue, Jan 17, 2012 at 4:19 PM, Floste flo...@gmx.de wrote:

 Hello,

 Avast Antivirus also comes with sandbox and a SafeZone. But both can
 be circumvented using simple dll-injection and they seem to do nothing
 about it: http://forum.avast.com/index.php?topic=82291.0

 Maybe this post here will encourage them to fix it.


[Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-18 Thread Jan Wrobel
Hi,

This TCP session hijacking technique might be of interest to some of you.

Abstract:
The paper demonstrates how the traffic load of a shared packet queue can
be exploited as a side channel through which protected information
leaks to an off-path attacker. The attacker sends to a victim a
sequence of identical spoofed segments. The victim responds to each
segment in the sequence (the sequence is reflected by the victim) if
the segments satisfy a certain condition tested by the attacker. The
responses do not reach the attacker directly, but induce extra load on
a routing queue shared between the victim and the attacker. Increased
processing time of packets traversing the queue reveals that the tested
condition was true. The paper concentrates on TCP, but the
approach is generic and can be effective against other protocols that
allow the construction of requests which are conditionally answered by the
victim. A proof of concept was created to assess the applicability of the
method in real-life scenarios.

The paper in ps and pdf is available at http://mixedbit.org and
http://arxiv.org/abs/1201.2074

Proof of concept: https://github.com/wrr/reflection_scan

Thanks,
Jan

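The queue-load side channel the abstract describes, as an added simulation (not the paper's proof of concept at github.com/wrr/reflection_scan, and not the author's code): a single FIFO link is modelled as one packet forwarded per tick with a constructed background traffic mix; the victim reflects a spoofed burst only when the tested condition holds, and the attacker decides by comparing the delay of its own probe against a control burst the victim is known never to answer. `SharedQueue`, `scan`, `condition_holds`, the burst size and the traffic mix are all assumptions of this toy model, not parameters from the paper.

```python
import random
from dataclasses import dataclass


@dataclass
class SharedQueue:
    """One FIFO link shared by the victim's replies, the attacker's probes and
    unrelated traffic. Time is in ticks; the link forwards one packet per tick,
    so a packet's queueing delay is the number of packets ahead of it."""
    rng: random.Random
    backlog: int = 0
    # constructed background traffic mix: 0, 1 or 2 packets per tick (mean 0.6)
    background: tuple = (0, 0, 0, 1, 2)

    def advance(self, injected: int = 0) -> None:
        """One tick: enqueue background plus `injected` packets, forward one."""
        self.backlog += self.rng.choice(self.background) + injected
        self.backlog = max(self.backlog - 1, 0)

    def probe(self) -> int:
        """The attacker's own packet joins the tail and reports its delay."""
        return self.backlog


def victim_replies(condition_true: bool, burst: int) -> int:
    """The victim answers every segment of the spoofed burst only when the
    condition the attacker is testing holds (e.g. the segment matches an open
    connection); otherwise the segments are silently dropped."""
    return burst if condition_true else 0


def scan(q: SharedQueue, condition_true: bool, burst: int, trials: int) -> float:
    """Mean probe delay over rounds of: spoofed burst -> probe -> let queue drain."""
    total = 0
    for _ in range(trials):
        q.advance(victim_replies(condition_true, burst))  # replies land on the shared link
        total += q.probe()                                 # probe queues behind them
        for _ in range(burst * 4):                          # drain before the next round
            q.advance()
    return total / trials


def condition_holds(q: SharedQueue, ground_truth: bool, burst: int = 32,
                    trials: int = 50, margin: float = 4.0) -> bool:
    """The attacker's decision: the delay induced by the burst under test is
    compared with a control burst the victim is known never to answer. The
    attacker never sees `ground_truth`; it only sees its own probe delays."""
    baseline = scan(q, False, burst, trials)
    observed = scan(q, ground_truth, burst, trials)
    return observed - baseline > margin


def demo(seed: int, ground_truth: bool) -> bool:
    """Run one inference with a seeded RNG so the result is reproducible."""
    return condition_holds(SharedQueue(random.Random(seed)), ground_truth)


def mean_delay(seed: int, condition_true: bool, burst: int = 32, trials: int = 20) -> float:
    """Mean probe delay for one scenario, for inspecting the raw signal."""
    return scan(SharedQueue(random.Random(seed)), condition_true, burst, trials)


if __name__ == "__main__":
    for truth in (True, False):
        print(f"victim answers={truth}: attacker infers {demo(7, truth)}")
```

The interesting knob is `margin` against the background mix: with heavier or burstier cross traffic the single-round signal disappears into noise and `trials` has to grow, which is exactly the trade-off a real off-path scan faces.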


[Full-disclosure] Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection

2012-01-18 Thread karma cyberintel
*Description of script:*

Twitter provides features to protect user privacy: using account
settings you can protect your Tweets, change your username, change
your password, and change your e-mail address.

*Affected script URL:*

URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name

*Vulnerability Description:*

1) Cross Site Scripting Vulnerability (Twitter mobile is affected by user-side
XSS, although it was protected against clickjacking):

Cross-Site Scripting is a type of injection in which malicious JavaScript
is injected into a web site's dynamic pages.

2) HTML Injection Vulnerability (Twitter mobile is affected on the user side;
one HTML injection was stored)

HTML Injection is a type of injection in which malicious HTML code is
injected into a web site's pages.

*Exploit Description + Proof of Concept:*

URL #1: https://mobile.twitter.com/settings/name

Title #1: Stored HTML Injection Vulnerability

In the above URL there is one input box to change the name. The HTML code
of the input box is the following.

for more details

http://www.karmacyberintel.net/2012/01/twitter-mobile-account-settings-cross-site-scripting-and-multiple-html-injection-vulnerability/

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-18 Thread metasansana
That seems extreme, unless of course long random urls could have caused a 
buffer overflow in the webserver or something.
Sent from my BlackBerry® wireless device available from bmobile.

-Original Message-
From: valdis.kletni...@vt.edu
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Tue, 17 Jan 2012 14:23:45 
To: Benjamin Kreuterben.kreu...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21



[Full-disclosure] [ MDVSA-2012:008 ] perl

2012-01-18 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:008
 http://www.mandriva.com/security/
 ___

 Package : perl
 Date: January 18, 2012
 Affected: 2010.1, 2011.
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in perl:
 
 Off-by-one error in the decode_xs function in Unicode/Unicode.xs
 in the Encode module before 2.44, as used in Perl before 5.15.6,
 might allow context-dependent attackers to cause a denial of service
 (memory corruption) via a crafted Unicode string, which triggers a
 heap-based buffer overflow (CVE-2011-2939).
 
 Eval injection in the Digest module before 1.17 for Perl allows
 context-dependent attackers to execute arbitrary commands via the
 new constructor (CVE-2011-3597).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2939
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 a660dcc681b704173977b78b4dc43c41  2010.1/i586/perl-5.10.1-10.2mdv2010.2.i586.rpm
 668b200bbf88c5f7347c48afb87eeeaa  2010.1/i586/perl-base-5.10.1-10.2mdv2010.2.i586.rpm
 8069e10bc5c68262c06d2a4e8b47bd3d  2010.1/i586/perl-devel-5.10.1-10.2mdv2010.2.i586.rpm
 c9181aa3608d8e66147916eb9d2aea73  2010.1/i586/perl-doc-5.10.1-10.2mdv2010.2.i586.rpm
 c4ae0e4afc100fae4847191914f24fe6  2010.1/i586/perl-suid-5.10.1-10.2mdv2010.2.i586.rpm
 55afcd3b034232d067c3426093726e46  2010.1/SRPMS/perl-5.10.1-10.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 7a906f6da5c2944a711341493dfb0540  2010.1/x86_64/perl-5.10.1-10.2mdv2010.2.x86_64.rpm
 9224dee63ac4d5d3fce13e8d3940583f  2010.1/x86_64/perl-base-5.10.1-10.2mdv2010.2.x86_64.rpm
 32b5bf046fca55f4f8afaf993716244d  2010.1/x86_64/perl-devel-5.10.1-10.2mdv2010.2.x86_64.rpm
 a1ece8459a135c623dbdf8d96f81bdef  2010.1/x86_64/perl-doc-5.10.1-10.2mdv2010.2.x86_64.rpm
 2f7535cb9479f99ea5b370a86f1d89bf  2010.1/x86_64/perl-suid-5.10.1-10.2mdv2010.2.x86_64.rpm
 55afcd3b034232d067c3426093726e46  2010.1/SRPMS/perl-5.10.1-10.2mdv2010.2.src.rpm

 Mandriva Linux 2011:
 11a242d72e1b80af300cb6029e3fe899  2011/i586/perl-5.12.3-8.1-mdv2011.0.i586.rpm
 0e9f9f73545305446de47e93749e2749  2011/i586/perl-base-5.12.3-8.1-mdv2011.0.i586.rpm
 3d2824c80363645e41af96300bf0af73  2011/i586/perl-devel-5.12.3-8.1-mdv2011.0.i586.rpm
 989bbaf7bf4caf1047dd0a04c6fb2ac4  2011/i586/perl-doc-5.12.3-8.1-mdv2011.0.noarch.rpm
 ff748b5ac9db9e66a7104edcce994007  2011/SRPMS/perl-5.12.3-8.1.src.rpm

 Mandriva Linux 2011/X86_64:
 43e4ddb93c3538fe81e76480dd79c012  2011/x86_64/perl-5.12.3-8.1-mdv2011.0.x86_64.rpm
 290de224b5706a026160ce520ead64dd  2011/x86_64/perl-base-5.12.3-8.1-mdv2011.0.x86_64.rpm
 cc131b0d903866d8fa2eeb72eb1c86f4  2011/x86_64/perl-devel-5.12.3-8.1-mdv2011.0.x86_64.rpm
 6f3c4e5c0a4dce779c596266e594aaa0  2011/x86_64/perl-doc-5.12.3-8.1-mdv2011.0.noarch.rpm
 ff748b5ac9db9e66a7104edcce994007  2011/SRPMS/perl-5.12.3-8.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPFreHmqjQ0CJFipgRAjf4AKDGfk5CMr6pA4tSSpv8rv8V+MuucgCfZf50
Mcz1dTxWLNP4jPfBKYhc4QM=
=Lpb9
-----END PGP SIGNATURE-----



[Full-disclosure] [ MDVSA-2012:009 ] perl

2012-01-18 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:009
 http://www.mandriva.com/security/
 ___

 Package : perl
 Date: January 18, 2012
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in perl:
 
 Eval injection in the Digest module before 1.17 for Perl allows
 context-dependent attackers to execute arbitrary commands via the
 new constructor (CVE-2011-3597).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 fd9783a1f65d16aad7576cd2252b9815  mes5/i586/perl-5.10.0-25.4mdvmes5.2.i586.rpm
 1c5de8eb53d0e0a6b6f13d3ef9593ccd  mes5/i586/perl-base-5.10.0-25.4mdvmes5.2.i586.rpm
 81e1cb7cb1d4d5643dc5f4877d6c9bcf  mes5/i586/perl-devel-5.10.0-25.4mdvmes5.2.i586.rpm
 359d70c0a25a880032c62951ef9f73d5  mes5/i586/perl-doc-5.10.0-25.4mdvmes5.2.i586.rpm
 b6e93b6999b36fc7126a0d8c72dfa89d  mes5/i586/perl-suid-5.10.0-25.4mdvmes5.2.i586.rpm
 ada6308c9ff77d9f00eb8a9a50161cc2  mes5/SRPMS/perl-5.10.0-25.4mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 fd5e6046098c0058f89d3450440b990a  mes5/x86_64/perl-5.10.0-25.4mdvmes5.2.x86_64.rpm
 03707243b35433c2a4b457ea28e8c07c  mes5/x86_64/perl-base-5.10.0-25.4mdvmes5.2.x86_64.rpm
 d1848a153de9c9d2b483d9873ebf  mes5/x86_64/perl-devel-5.10.0-25.4mdvmes5.2.x86_64.rpm
 c75b1de99042200711b988ab7ec1d3f5  mes5/x86_64/perl-doc-5.10.0-25.4mdvmes5.2.x86_64.rpm
 5bffec684de883588db7c3b6b98fd351  mes5/x86_64/perl-suid-5.10.0-25.4mdvmes5.2.x86_64.rpm
 ada6308c9ff77d9f00eb8a9a50161cc2  mes5/SRPMS/perl-5.10.0-25.4mdvmes5.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPFr41mqjQ0CJFipgRAn5XAKDsA3WzoN3YYsiqOXEIgqFQ8YybmgCfXxM+
7n6AVOb6T/+n9fz8uk0Q3JA=
=MXjG
-----END PGP SIGNATURE-----

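The eval-injection class named in CVE-2011-3597 (the Digest issue in both MDVSA-2012:008 and MDVSA-2012:009 above), as an added Python illustration rather than Digest.pm's own code: a constructor that splices the caller's algorithm name into source text and evaluates it lets the name carry code, while the hardened variant never builds code from the value and checks it against a strict shape and the runtime's own allowlist before loading anything. `digest_new_vulnerable`, `digest_new_hardened`, `PAYLOAD` and `SIDE_EFFECTS` are constructed for the demonstration; the Encode off-by-one (CVE-2011-2939) is a native memory bug and is not modelled here.

```python
import hashlib
import re

# Records whether attacker-supplied code ran inside the "constructor".
SIDE_EFFECTS = []


def digest_new_vulnerable(algorithm: str):
    """Constructed stand-in for the bug class: the caller's algorithm name is
    spliced into source text that is then evaluated, so the name can carry code."""
    code = f"hashlib.new('{algorithm}')"
    return eval(code, {"hashlib": hashlib, "SIDE_EFFECTS": SIDE_EFFECTS})


_ALGO_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def digest_new_hardened(algorithm: str):
    """Resolve the name without ever building code from it, and reject anything
    that does not look like an algorithm name before it reaches the loader."""
    if not _ALGO_NAME.fullmatch(algorithm):
        raise ValueError(f"invalid digest name: {algorithm!r}")
    name = algorithm.lower().replace("-", "")      # "SHA-256" -> "sha256"
    if name not in hashlib.algorithms_available:    # allowlist: only what the runtime provides
        raise ValueError(f"unsupported digest: {algorithm!r}")
    return hashlib.new(name)


# A "name" that is still a valid expression once spliced into the f-string above:
#   hashlib.new('sha256') and SIDE_EFFECTS.append('injected') or hashlib.new('sha256')
# The caller gets a perfectly good sha256 object back, so nothing looks wrong.
PAYLOAD = "sha256') and SIDE_EFFECTS.append('injected') or hashlib.new('sha256"


def run_demo():
    """Returns (name of the object the vulnerable path handed back,
    whether the injected code ran, whether the hardened path refused the value)."""
    SIDE_EFFECTS.clear()
    h = digest_new_vulnerable(PAYLOAD)
    injected = SIDE_EFFECTS == ["injected"]
    try:
        digest_new_hardened(PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return h.name, injected, blocked


if __name__ == "__main__":
    print(run_demo())
```

The two controls are independent on purpose: the regex stops the value from reaching any loader with metacharacters in it, and resolving through `hashlib.algorithms_available` means that even a well-formed but unknown name cannot steer which code gets loaded.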


[Full-disclosure] Cisco Security Advisory: Cisco IP Video Phone E20 Default Root Account

2012-01-18 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco IP Video Phone E20 Default Root Account

Advisory ID: cisco-sa-20120118-te

Revision 1.0

For Public Release 2012 January 18 16:00  UTC (GMT)
+-

Summary
===

Cisco TelePresence Software version TE 4.1.0 contains a default
account vulnerability that could allow an unauthenticated, remote
attacker to take complete control of the affected device.

The vulnerability is due to an architectural change that was made in
the way the system maintains administrative accounts. During the
process of upgrading a Cisco IP Video Phone E20 device to TE 4.1.0, an
unsecured default account may be introduced. An attacker who is able
to take advantage of this vulnerability could log in to the device as
the root user and perform arbitrary actions with elevated privileges.

Cisco has released free software updates that address this
vulnerability.

Workarounds that mitigate this vulnerability are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te

Affected Products
=

Cisco TelePresence TE Software runs on Cisco IP Video Phone E20
devices.

Vulnerable Products
+--

Cisco IP Video Phone E20 devices that have been upgraded to TE 4.1.0
are affected.

The TE 4.1.0 release has been deferred from Cisco.com and
Tandberg.com, and is no longer available for download. The deferral
notice can be found at the following link: Software Deferral Notice


Administrators can determine the version of software running on their
device by logging in to the command-line interface (CLI) as the admin
user and issuing the xstatus systemunit command and finding the
SystemUnit Software Version field.

Example:

$: ssh admin@203.0.113.134

TANDBERG Codec Release TE4.1.0.137456
SW Release Date: 2011-11-18

OK

xstatus systemunit

*s SystemUnit ProductType: TANDBERG Codec
*s SystemUnit ProductId: TANDBERG E20
*s SystemUnit Uptime: 91273
*s SystemUnit Software Version: TE4.1.0.137456
*s SystemUnit Software Name: s52100
*s SystemUnit Software ReleaseDate: 2011-11-18
*s SystemUnit Hardware Module SerialNumber: M1AD18B023025
*s SystemUnit Hardware Module MainBoard: 101390-6
*s SystemUnit Hardware Module BootSoftware: U-Boot 2010.06-36
*s SystemUnit State System: Initialized
*s SystemUnit State Subsystem Application: Initialized
*s SystemUnit State Cradle: On
*s SystemUnit State CameraLid: Off
*s SystemUnit ContactInfo: demo.u...@example.com
*s SystemUnit Bluetooth Devices 1 Name: 9xxPlantronics
*s SystemUnit Bluetooth Devices 1 Address: L023:8F:425M3D
*s SystemUnit Bluetooth Devices 1 Type: 2360324
*s SystemUnit Bluetooth Devices 1 Status: bonded
*s SystemUnit Bluetooth Devices 1 LastSeen: 2011-12-20 11:49:36
** end

OK

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco TelePresence TE Software historically has contained a single
account that acted as both admin and root. This single super account
utilized the same password for both the admin and root authentication
and was always enabled. With the introduction of TE 4.1.0, an
architectural change was made to help harden the devices by allowing
administrators to disable the root account. The intended result of
this change is to separate the super account into two accounts, root
and admin, while subsequently disabling the root account by default.

It was found that in many cases, customers upgrading from a previous
release of TE software to TE 4.1.0 are likely to experience an error
condition in which the root account is not properly disabled. This
creates a situation in which the root account is accessible via SSH
with a default password. It was subsequently discovered that the
command implemented to allow an administrator to enable or disable the
root account does not function correctly.

Workarounds are available in the Workarounds section of this
document.  These workarounds involve changing the root and admin
passwords to administrator-defined values.

This vulnerability is documented in Cisco bug ID CSCtw69889 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2011-4659.

Vulnerability Scoring Details
=

Cisco has scored the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps organizations determine the urgency and priority of
a response.

Cisco has provided a base and temporal score. Customers can also
compute environmental scores that help
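
To turn the `xstatus systemunit` check above into something that can be run over an inventory of saved CLI transcripts, an added example that is not Cisco's code: a small parser for the `*s <path>: <value>` status lines and a version test for the affected TE 4.1.0 train. The transcript `SAMPLE_XSTATUS` is constructed in the shape of the advisory's example (serial and contact details omitted), the host names passed to `triage` are hypothetical, and the assumption that an affected device reports a `ProductId` ending in `E20` comes from that same example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed transcript in the shape of the advisory's example.
SAMPLE_XSTATUS = """\
TANDBERG Codec Release TE4.1.0.137456
SW Release Date: 2011-11-18
OK
xstatus systemunit
*s SystemUnit ProductType: TANDBERG Codec
*s SystemUnit ProductId: TANDBERG E20
*s SystemUnit Uptime: 91273
*s SystemUnit Software Version: TE4.1.0.137456
*s SystemUnit Software Name: s52100
*s SystemUnit Software ReleaseDate: 2011-11-18
*s SystemUnit Hardware Module BootSoftware: U-Boot 2010.06-36
*s SystemUnit State System: Initialized
** end
OK
"""

# Status lines look like "*s <path words>: <value>"; the value may itself contain colons.
_STATUS_LINE = re.compile(r"^\*s\s+(?P<path>[^:]+?):\s*(?P<value>.*)$")
_TE_VERSION = re.compile(r"^TE(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")

AFFECTED_RELEASE = (4, 1, 0)   # TE 4.1.0, per the advisory's Vulnerable Products section


def parse_xstatus(transcript: str) -> Dict[str, str]:
    """Turn '*s' status lines into {path: value}; prompts, 'OK' and '** end' are ignored."""
    status: Dict[str, str] = {}
    for line in transcript.splitlines():
        m = _STATUS_LINE.match(line.strip())
        if m:
            status[m.group("path").strip()] = m.group("value").strip()
    return status


def parse_te_version(version: str) -> Tuple[int, ...]:
    """'TE4.1.0.137456' -> (4, 1, 0, 137456); rejects non-TE strings such as TC releases."""
    m = _TE_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"not a TE software version: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(status: Dict[str, str]) -> bool:
    """Affected = an E20 running any TE 4.1.0 build. The advisory lists only that
    release, so the build number is deliberately ignored."""
    if not status.get("SystemUnit ProductId", "").endswith("E20"):
        return False
    try:
        return parse_te_version(status.get("SystemUnit Software Version", ""))[:3] == AFFECTED_RELEASE
    except ValueError:
        return False


def triage(transcripts: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (hostname, xstatus transcript) pairs, list the hosts to fix first."""
    return [host for host, text in transcripts if is_affected(parse_xstatus(text))]


if __name__ == "__main__":
    print(triage([("e20-lobby", SAMPLE_XSTATUS)]))
```

A version match is only the first half of the check: the advisory's point is that the root account may be live with a default password, so the devices this flags should also have their root and admin passwords set to administrator-chosen values as the Workarounds section directs, and the change confirmed by attempting the old credentials over SSH.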

[Full-disclosure] Cisco Security Advisory: Cisco Digital Media Manager Privilege Escalation Vulnerability

2012-01-18 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Digital Media Manager Privilege Escalation Vulnerability

Advisory ID: cisco-sa-20120118-dmm

Revision 1.0

For Public Release 2012 January 18 16:00  UTC (GMT)
+-

Summary
===

Cisco Digital Media Manager contains a vulnerability that may allow a
remote, authenticated attacker to elevate privileges and obtain full
access to the affected system.

Cisco Show and Share is not directly affected by this vulnerability.
However, because Cisco Show and Share relies on Cisco Digital Media
Manager for authentication services, attackers who compromise the
Cisco Digital Media Manager may gain full access to Cisco Show and
Share.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm

Affected Products
=

Vulnerable Products
+--

The following table indicates which versions of Cisco Digital Media
Manager are affected by this vulnerability:

+---+
|Version| Affected  |
|---+---|
| prior to 5.2  | YES   |
|---+---|
| 5.2.1 | YES   |
|---+---|
| 5.2.1.1   | YES   |
|---+---|
| 5.2.2 | YES   |
|---+---|
| 5.2.2.1   | NO|
|---+---|
| 5.2.3 | YES   |
|---+---|
|  5.3  | NO|
+---+

Note: Cisco Digital Media Manager versions prior to 5.2 reached end of
software maintenance. Customers running versions prior to 5.2 should
contact their Cisco support team for assistance in upgrading to a
supported version of Cisco Digital Media Manager.

How To Determine The Software Version
+

To determine the Cisco Digital Media Manager software version that an
appliance is running, administrators can access the Cisco Digital
Media Manager web interface. The version information is reported under
Digital Media Manager in the center of the page.

Optionally administrators can log in to the Appliance Administration
Interface (AAI), and access the main menu. The software version is
identified next to the Cisco Digital Media Manager field. The
following example identifies a Digital Media Manager appliance running
version 5.2.1

 Cisco Digital Media Manager Application Administration Interface
 Main Menu
   IP: 192.168.0.1

   Cisco Digital Media Manager 5.2.1
   http://dmm.cisco.com:8080



SHOW_INFO   Show system information.
BACKUP_AND_RESTORE  Back up and restore.
APPLIANCE_CONTROL   Configure advance options
NETWORK_SETTINGSConfigure network parameters.
DATE_TIME_SETTINGS  Configure date and time
CERTIFICATE_MANAGEMENT  Manage all certificates in the system




 OK  LOG OUT

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco Digital Media Manager (DMM) is a centralized web-based platform
used to manage Cisco media network hardware, software, and services.
It allows users to remotely perform management tasks for Cisco Digital
Signs, Cisco Cast, and Cisco Show and Share.

Cisco Digital Media Manager contains a vulnerability that may allow a
remote, authenticated attacker to elevate privileges and obtain full
access to the affected system.

The vulnerability is due to improper validation of unreferenced URLs,
which may allow an unprivileged attacker to access administrative
resources and elevate privileges. An authenticated attacker could
exploit this vulnerability by sending the unreferenced URL to the
affected system.

Cisco Show and Share is not directly affected by this vulnerability.
However, because Cisco Show and Share relies on Cisco Digital Media
Manager for authentication services, attackers who compromise the
Cisco Digital Media Manager may gain
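
The class of bug the advisory describes (administrative resources reachable by requesting an unreferenced URL directly, with nothing but the absence of a link standing in for authorization) as an added, generic example that is not Cisco's code and does not model DMM's real URL layout or role names: `serve_vulnerable` executes any handler the client can name, while `serve_hardened` canonicalises the path once and decides the required role by longest-prefix policy before any handler is looked up, denying paths no rule covers. `ROLE_RANK`, `POLICY` and `HANDLERS` are constructed.

```python
import posixpath
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed role model; DMM's real roles are not given in the advisory.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# A rule ending in "/" covers a whole subtree, otherwise it is an exact path. The longest
# matching rule wins, and a path that matches nothing is denied, so an admin page nobody
# registered or linked is still protected.
POLICY: List[Tuple[str, str]] = [
    ("/login", "anonymous"),
    ("/dashboard", "user"),
    ("/admin/", "admin"),
]

HANDLERS = {
    "/login": lambda: "login form",
    "/dashboard": lambda: "dashboard",
    "/admin/users": lambda: "user list",
    "/admin/export": lambda: "full export",   # never linked from any page, still reachable
}


def canonical_path(raw: str) -> Optional[str]:
    """Normalise the request path exactly once, before BOTH routing and authorisation
    see it, so the two cannot disagree. Returns None for paths to reject outright."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = path.split(";", 1)[0]                        # ;jsessionid=... style path parameters
    path = unquote(path)                                # decode once, never twice
    if "%" in path or "\\" in path or "\x00" in path:
        return None                                     # still encoded / non-URL characters
    return posixpath.normpath("/" + path.lstrip("/"))   # resolves ".", "..", "//" and trailing "/"


def required_role(path: str) -> Optional[str]:
    best: Optional[Tuple[str, str]] = None
    for prefix, role in POLICY:
        if prefix.endswith("/"):
            hit = path == prefix.rstrip("/") or path.startswith(prefix)
        else:
            hit = path == prefix
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, role)
    return best[1] if best else None


def serve_vulnerable(role: str, raw_path: str) -> Tuple[int, str]:
    """The pattern the advisory describes: access control is only 'which links are
    shown'; any handler the client can name is executed regardless of role."""
    handler = HANDLERS.get(raw_path)
    return (404, "not found") if handler is None else (200, handler())


def serve_hardened(role: str, raw_path: str) -> Tuple[int, str]:
    path = canonical_path(raw_path)
    if path is None:
        return 400, "bad request"
    needed = required_role(path)
    if needed is None or ROLE_RANK.get(role, -1) < ROLE_RANK[needed]:
        return 403, "forbidden"                          # decided before the handler is looked up
    handler = HANDLERS.get(path)
    return (404, "not found") if handler is None else (200, handler())


if __name__ == "__main__":
    print(serve_vulnerable("user", "/admin/export"), serve_hardened("user", "/admin/export"))
```

The canonicalisation step matters as much as the policy: a check that runs on the raw string can be walked around with `/admin/../admin/export`, `%2F` or a `;jsessionid` suffix while the router still lands on the admin handler, which is the same outcome as having no check at all.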

Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-18 Thread Valdis . Kletnieks
On Tue, 17 Jan 2012 19:33:30 GMT, metasans...@gmail.com said:
 That seems extreme, unless of course long random urls could have caused a
 buffer overflow in the webserver or something.

You can say it seems extreme.  But what's going to matter is whether the
jury believes the DA or your lawyer.




[Full-disclosure] Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS

2012-01-18 Thread InterN0T Advisories
# Exploit Title: Drupal CKEditor 3.0 - 3.6.2 - Persistent EventHandler XSS
# Google Dork: inurl:sites/all/modules/ckeditor -drupalcode.org 
# Google Results: Approximately 379.000 results
# Date: 18th January 2012
# Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration
Test)
# Software Link: http://ckeditor.com/  http://drupal.org/node/1332022
# Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8)
# Screenshot: http://i.imgur.com/8TP6w.png
# Tested on: Windows + Firefox 8.0 & Internet Explorer 8.0

 
 Drupal CKEditor - Persistent / Stored Cross-Site Scripting
 
 
Versions Affected: 3.0 - 3.6.2 (Developers confirm all versions since 3.0
are affected.)
 
Info:
CKEditor is a text editor to be used inside web pages. It's a WYSIWYG
editor, which
means that the text being edited on it looks as similar as possible to the
results users
have when publishing it. It brings to the web common editing features
found on desktop
editing applications like Microsoft Word and OpenOffice.
 
External Links:
http://ckeditor.com/
http://drupal.org/node/1332022
 
Credits: MaXe (@InterN0T) - Hatforce.com
 
 
-:: The Advisory ::-
CKEditor is prone to Persistent Cross-Site Scripting within the actual
editor, as it is possible for an attacker to maliciously inject event
handlers serving JavaScript code in preview / editing in HTML mode.

If an attacker injects an event handler into an image, such as
onload='alert(0);', then the JavaScript will execute, even if the data is
saved and previewed in editing mode later on. (The XSS will only execute
during preview / editing in HTML mode.)

If an administrator tries to edit the comment afterward, or is logged in
and browses
to the edit page of the malicious comment, then he or she will execute the
javascript, 
allowing attacker controlled code to run in the context of the browser.

 
Proof of Concept:
Switching to raw mode in CKEditor and then writing:
<p><img onload="alert(0);"
src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg"
/></p>

Will become this when it is saved:
<p><img data-cke-pa-onload="alert(0);"
src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg"
data-cke-saved-src="http://1.images.napster.com/mp3s/2348/resources/324/363/files/324363272.jpg" /></p>

If one searches for alert(0); in Firebug after the code has been injected
and executed, the location of the script will be:
$full_url_to_script/event/seq/4/onload
Where $full_url_to_script is e.g. the following:
http://localhost/drupal/drupal-6.22/?q=comment/edit/3/event/seq/4/onload

The content of this script is:
function onload(event) {
alert(0);
}

As there is an HTML filter in Drupal, it does not matter whether the img
tag is allowed in this case, as it was possible to execute the event handler
either way. (And even store the data.)


-:: Solution ::-
There is currently no solution, as it's not a critical bug according to
developers. See comments at: https://dev.ckeditor.com/ticket/8630 for more
information.
At the same page there is an unofficial patch that should fix the problem,
however it seems that it will not fix the bug in Chrome.
 
 
Disclosure Information:
6th December 2011 - Vulnerability found during a private
http://www.hatforce.com Penetration Test
7th December 2011 - Researched and confirmed the vulnerability
4th January 2012 - Reported to Drupal and CKEditor via
http://drupal.org/project/ckeditor and http://dev.ckeditor.com/ and
http://cksource.com/contact
18th January 2012 - Developers of CKEditor have been contacted several
times; nothing has happened in two weeks and the advisory has been
available to the public via bug trackers. Vulnerability released to the
general public.

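Server-side handling for the vector in this advisory, as an added example that is not CKEditor's or Drupal's code: a sanitizer built on Python's `html.parser` that drops every `on*` attribute, CKEditor's `data-cke-pa-*` protected form of the same attribute (the form the PoC above shows after saving, which the editor expands back into a live handler when it renders the document), script-scheme URLs, and script-bearing elements together with their bodies, re-serialising everything else. The element and attribute lists are this example's own choices, not a complete allowlist; the fragments used to exercise it are constructed.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Elements whose content must never reach the page; their bodies are dropped too.
_DROP_TAGS = {"script", "style", "iframe", "object", "embed", "meta", "link", "base"}
# Attributes that may carry a URL; these get scheme-checked.
_URL_ATTRS = {"src", "href", "action", "formaction", "data-cke-saved-src", "data-cke-saved-href"}


def _is_script_attr(name: str) -> bool:
    """on* event handlers, plus CKEditor's protected form data-cke-pa-<name>."""
    n = name.lower()
    return n.startswith("on") or n.startswith("data-cke-pa-")


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside the scheme ("java\nscript:").
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return v.startswith(("javascript:", "vbscript:", "data:"))


class EventHandlerStripper(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[str] = []            # names of attributes/elements removed
        self._suppress: Optional[str] = None    # element whose body is being discarded

    def _emit(self, tag: str, attrs: List[Tuple[str, Optional[str]]], self_closing: bool) -> None:
        parts = [tag]
        for name, value in attrs:
            if _is_script_attr(name) or (name.lower() in _URL_ATTRS and value and _is_script_url(value)):
                self.dropped.append(name)
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if self._suppress:
            return
        if tag in _DROP_TAGS:
            self._suppress = tag
            self.dropped.append(tag)
            return
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if self._suppress:
            return
        if tag in _DROP_TAGS:
            self.dropped.append(tag)
            return
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        if self._suppress:
            if tag == self._suppress:
                self._suppress = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped on output

    def handle_comment(self, data):
        pass   # comments (including IE conditional comments) are dropped


def sanitize(fragment: str) -> str:
    """Return the fragment with script-bearing attributes and elements removed."""
    p = EventHandlerStripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def stripped(fragment: str) -> List[str]:
    """Names of the attributes and elements sanitize() would remove, for logging."""
    p = EventHandlerStripper()
    p.feed(fragment)
    p.close()
    return p.dropped
```

Fed the PoC markup above (with the image host replaced), `stripped()` reports `onload` and the output keeps only the `src`; fed the saved form, `data-cke-pa-onload` goes the same way while the harmless `data-cke-saved-src` survives. Run this on the server at save time: a client-side patch in the editor, like the one discussed in the ticket, does nothing for content that was stored before the patch or that arrives without going through the editor at all.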


[Full-disclosure] Exploit Pack - New release

2012-01-18 Thread noreply
Exploit Pack is a security tool that will assist you while you test
the security of your workstations or networks. With a friendly and easy
to use interface, it has an update manager to keep you up to date and an
IDE to develop or modify its modules. We also provide you with
technical support if you need it. Try it out and purchase a subscription
now. Make your computer safe using Exploit Pack.

Make your workstation safe by testing its security before hackers,
viruses or malware do. Mitigate, monitor and manage the latest security
threats and vulnerabilities and implement active security policies by
performing penetration tests across your infrastructure and
applications.

Visit us: http://exploitpack.com

Exploit Pack Team
Juan Sacco
Dev Lead


[Full-disclosure] Exploit Pack - Happy new year!

2012-01-18 Thread noreply
Exploit Pack Team is happy to announce that we have reached a new frontier:
20k+ active users and 15+ developers. We want to thank you all for this
excellent year; we hope to continue improving all our projects.

We have made a new roadmap for 2012 including a lot of bug fixing, new 
modules and features.

Happy Christmas and Happy New Year

Exploit Pack Team

Juan Sacco
Dev Lead
http://exploitpack.com



Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-18 Thread Nick FitzGerald
BMF to Valdis:

  Yes, people *have* been prosecuted for playing twiddle the URL games
  before.  I'd have to go dig up a cite, but it's happened (hacker was 
  basically
  abusing a site's predictable URL scheme).
 
 Here is one relatively recent incident of twiddle the URL which got
 someone prosecuted and will be familiar to some here...
 
 http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/

That's not really twiddle-the-URL is hacking though.

They allegedly (cough, splutter!) knowingly and wilfully twiddled a 
specific URL in a specific way that they had already determined led to 
the exposure of account details of users other than themselves, et seq. 
If that is the case they clearly were in breach of all manner of 
unauthorized access laws.  That has little to do with true "twiddle-
the-URL is hacking".

To get a purer example of "twiddle-the-URL is hacking", I seem to 
recall that there was a German case back in the late 90s/very early 
00s where the court ruled that a trivial act of URL pruning -- taking 
a published URL and removing the tail, and/or traversing back up the 
directory tree exposed by the _published_ URL -- was an act of 
hacking (I don't recall the exact German legal issue/charge, but am 
fairly sure it was something other than a trivial/silly (mis-) 
application of unauthorized access).

I can't be bothered trying to find a record of that case -- previous 
attempts last time I recall this issue arising in this list failed -- 
but I will refer you to a UK case from 2005:

   http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

   http://www.pmsommer.com/CLCMA1205.pdf

Basically, given a URL like http://example.com/?foobar or 
http://example.com/foobar.php has been published in some way, and 
http://example.com/ has not, this case suggests that trying to access 
that second URL is an unauthorized access offence.  In particular, 
note from p. 2 of the PDF in the second URL, above:

   But the prosecution said that Cuthbert must have known the directory
   traversal was unauthorised. It was this interpretation the court
   accepted; in effect, overall intent was irrelevant, there were no
   circumstances in which there was consent for directory traversal.

This conviction seems to be pretty widely seen as a trivial/silly mis-
application of the UK's Computer Misuse Act unauthorized access 
offence:

   http://www.legislation.gov.uk/ukpga/1990/18/section/1

There are bound to be other vaguely similar cases in the UK and other 
jurisdictions.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-18 Thread xD 0x41
On 18 January 2012 09:45, Jan Wrobel w...@mixedbit.org wrote:
 Hi,

 This TCP session hijacking technique might be of interest to some of you.

 Abstract:
 The paper demonstrates how the traffic load of a shared packet queue can
 be exploited as a side channel through which protected information
 leaks to an off-path attacker. The attacker sends to a victim a
 sequence of identical spoofed segments. The victim responds to each
 segment in the sequence (the sequence is reflected by the victim) if
 the segments satisfy a certain condition tested by the attacker. The
 responses do not reach the attacker directly, but induce extra load on
 a routing queue shared between the victim and the attacker. Increased
 processing time of packets traversing the queue reveals that the tested
 condition was true. The paper concentrates on TCP, but the
 approach is generic and can be effective against other protocols that
 allow the construction of requests which are conditionally answered by the
 victim. A proof of concept was created to assess the applicability of the
 method in real-life scenarios.

 The paper in ps and pdf is available at http://mixedbit.org and
 http://arxiv.org/abs/1201.2074

 Proof of concept: https://github.com/wrr/reflection_scan

 Thanks,
 Jan



Very cool :)
Thanks for showing this as a 'type' of sequencing, i'd love to test this
with winBITS and see what makes a difference in there...but yea, nice
stuff from the snippets i have read and could comprehend without
making a packeting app :P hehe..great work, and great paper for ANY
hat to wear.
Might have to try it one day and see if it is as effective as it seems!
great stuff tho, anything to do with bugs within TCP-IP stacks, should
be always encouraged... thanks for the encouragement :-)
Cheers, and i'll maybe add more on this and another person's pi3.com.pl )
tcp ip session hijacking, which people have even said, is impossible...
i guess they should find and watch that video, or just ask the author
of the blog, to explain it more...maybe would have them something to
actually see as a 'p0c' anyhow, many thanks in your input and,
again any further addons and appendices to the papers just, let the
list know, and i'll make sure the topic maybe gets a better coverage,
as, this is also a topic many ppl called me a wanker on...or maybe one
of them :s megh, i dont count now. i just read the msgs from 3 ppl
and delete the rest :)
best way to use fd, is to take what you're given, and stfu... i dont
know why so many ppl seem to call me this, when, i am only interested,
in bugs i can actually exploit...yet, so much bullsh1t on this forum,
they have forgotten what a bug is, and, what a poc is. and now,
these are 'design flaws' lol anyhow, please keep up the research,
we like it! Oh thats, the ppl like, 3 of you (maybe) who actually,
seem cool ;)
You also do, and you're on a great topic, dont let idiots pick out any
flaws in anything on this subject, coz believe me, behind every
trolling ive been thru, that was the worst when i spoke about, methods
of hijacking tcp ip stack and did not give out the poc...well, now,
the poc is available to see on video for those who are not idiots and
abuse, but actually, want to see it working :)
Ok, thats my 2bob, dont expect any answers, unless you're a VERY well
known person, i will auto delete it, so, i hope to see you in my
channel, anytime online... and there, we could discuss ANYTHING :)
Why some of you are there, and see what i do, i guess are not the
haters on this list but, also, they get what 'theyre given', which is
ALO in the cases where people are cool so, i guess the moral of
the story is, dont smash the stack t hard
enjoy buddy, im probably one of few who would even understand it but
anyhow :P Thanks!
Drew.

PS:
NOT a top poster anymore, omg, whats this, not using Glow XD , what is
this, madness!! omg!
Seriously folks, you should all read more of people like this's work,
and then maybe, contribute some of your own frigging srcs, instead of
relying on ppl like kcope to fist fuck you, which is fine by me : i
hope he fucks this list over, nonstop till your arses bleed, but hey,
thats JUST me! love you all long fucking time arseholes, goto hell,
and dont even try talkin to me, ever, if you're not already in the addy
book, you will fkn know about it and oh, i CAN ddos you, and i WILL,
so, anytime you like to shit me, in private, and wish to test your
fwall, go hard, i dun care, i should say, we...but,. it really doesnt
matter, coz, i dont even have to press the buttons for the wankers who
have already flamed me in past anymore, you will only feel what i
love best, TCP/IP and, possibly UDP!
Have a fucking GREAT day arsefucker. Oh and, lickers are cool so, no
offence there nor for them :)
PEACE TO YOU MOFOS 
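The queue side channel the quoted abstract describes, as an added example that is not part of the original post, the paper, or its proof of concept: a discrete-time model of a shared FIFO queue in which the victim's replies to a burst of identical spoofed segments inflate the delay of an off-path measurer's probe, which is the "extra load on a routing queue" the abstract refers to. The reply cap (`max_per_window`) is my assumption of a generic rate-limiting mitigation on the responder side, not something the paper proposes, and every traffic figure (burst size, background load, service rate) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SharedQueue:
    """FIFO queue on a link that both the victim's replies and the off-path
    measurer's probes traverse. Modelled in discrete ticks: the link drains a
    fixed number of packets per tick."""
    service_per_tick: int
    backlog: int = 0  # packets currently waiting in the queue

    def enqueue(self, n: int) -> None:
        self.backlog += n

    def tick(self) -> None:
        self.backlog = max(0, self.backlog - self.service_per_tick)

    def probe_delay(self) -> float:
        """Ticks a probe enqueued now waits before the link serves it."""
        return self.backlog / self.service_per_tick


def victim_replies(burst: int, condition_true: bool,
                   max_per_window: Optional[int]) -> int:
    """Reply segments the victim emits for a burst of identical spoofed segments.
    Every segment is answered when the tested condition holds. `max_per_window`
    is an assumed mitigation (not from the paper): a responder that caps how
    many replies it sends per window to repeated, identical segments."""
    if not condition_true:
        return 0
    if max_per_window is None:
        return burst
    return min(burst, max_per_window)


def run_trial(condition_true: bool, burst: int = 200, background: int = 8,
              service: int = 10, max_per_window: Optional[int] = None,
              warmup_ticks: int = 5) -> float:
    """Probe delay (in ticks) the off-path measurer observes for one burst.
    Constructed parameters: a lightly loaded link (8 background packets per
    tick against a service rate of 10) and a burst of 200 reflected segments."""
    q = SharedQueue(service_per_tick=service)
    for _ in range(warmup_ticks):  # reach steady state under background load
        q.enqueue(background)
        q.tick()
    # Background traffic, the victim's replies and the probe arrive in the same tick.
    q.enqueue(background)
    q.enqueue(victim_replies(burst, condition_true, max_per_window))
    return q.probe_delay()


def leak_signal(max_per_window: Optional[int] = None) -> float:
    """Extra probe delay caused solely by the victim's replies: the quantity an
    off-path measurer has to distinguish from ordinary queue jitter."""
    return (run_trial(True, max_per_window=max_per_window)
            - run_trial(False, max_per_window=max_per_window))


def condition_inferred(delay: float, baseline: float,
                       threshold_ticks: float = 2.0) -> bool:
    """Decision rule of the measurer: the tested condition is judged true when
    the probe delay exceeds the baseline by more than the expected jitter."""
    return delay - baseline > threshold_ticks


if __name__ == "__main__":
    base = run_trial(False)
    print(f"baseline probe delay: {base:.1f} ticks")
    print(f"condition true, unlimited replies: {run_trial(True):.1f} ticks")
    print(f"condition true, replies capped at 10/window: "
          f"{run_trial(True, max_per_window=10):.1f} ticks")
    print(f"signal without cap: {leak_signal():.1f}, with cap: {leak_signal(10):.1f}")
```

With the constructed numbers the probe delay rises from 0.8 to 20.8 ticks when the victim reflects the whole burst, a difference far above any plausible jitter, whereas capping replies to 10 per window leaves a 1.0 tick difference that the decision rule no longer separates from the baseline. The model is what a defender would use to reason about how much a responder's per-segment reply amplification contributes to the leak, not a tool for measuring a real queue.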

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-18 Thread xD 0x41
Now, here's the one which works, without in_chksum bug ;)

http://pastebin.com/x1ShKAUT

now, sorry but,  had to try it remotely, sheesh, and, you dont
cripple, code of old bugs and, half of this code is from an old bug
anyhow, so why the heck not leave it... i guess now you're starting to
look like Jon Oberheldie the king of fucked up cripples... lol...
enjoy folks. this version, may even work! omg isnt this amazing!!
XD says to FD a BIG FUCKS YOU ,well cept kcope and few other decent
guys like me :P ,and nme, and tropic and well, #Haxnet :)
now go fucking shoot yourselves away with your newbie working
undeadattack.. dont know why someone did not inform me they would
cripple it, and maybe forward a copy to me but, now this file, goes
where the rest go, to the shame files...

On 18 January 2012 08:11, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
 Demonstration of the Exploit:
 http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)

 see attached content

 /Kingcope




Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-18 Thread Robert Kim App and Facebook Marketing
Is there a diagram or a video? I'm not a professional IT guy so I'm gunna
need something of a tutorial! HAHA!

On Thu, Jan 19, 2012 at 11:22 AM, xD 0x41 sec...@gmail.com wrote:

 On 18 January 2012 09:45, Jan Wrobel w...@mixedbit.org wrote:
  Hi,
 
  This TCP session hijacking technique might be of interest to some of you.
 
  Abstract:
  The paper demonstrates how traffic load of a shared packet queue can
  be exploited as a side channel through which protected information
  leaks to an off-path attacker. The attacker sends to a victim a
  sequence of identical spoofed segments. The victim responds to each
  segment in the sequence (the sequence is reflected by the victim) if
  the segments satisfy a certain condition tested by the attacker. The
  responses do not reach the attacker directly, but induce extra load on
  a routing queue shared between the victim and the attacker. Increased
  processing time of packets traversing the queue reveals that the tested
  condition was true. The paper concentrates on TCP, but the


-- Robert Q Kim
High Volume and Digital Printing Company in Seoul
http://www.youtube.com/watch?v=CaWEWl8saHw
San Diego, CA 92007
310 598 1606

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-18 Thread xD 0x41
Here, maybe handy, for anyone wishing to completely 'fix this thing..
i will perhaps, fix it so it only sends out the once, it doesnt need
half of that code there...so, i guess i will update this or the ICMP
v3 membership bug from windows...
http://pastebin.com/Xq6e10ab


Now, i hope 95% of you, all go blow yourselves up and, this is NO dfd0s
app tools here... for those getting excited, but, it is a decent
framework and, addition which, could change the whole sequence of
events!
woweee isnt tcp and icmp s fun ya must remember, the win7
blind tcp hijacking ?? i hope so, coz, all the doubters are going to
have a bigarse bite, on the ARSE.
now, once again, most of u will NOT get thru so, go fk yourselves, as
YOU, blocked me :), so, you can say you're blocking me, but really, you're
watching me on the list, and are now, too worried about what i have
shown a cpl of you twerps already now, which was, thunder from
downunder ;) wasnt it just goslly goshy fun?
really for those of you who had 100bots, just imagine, they were
all bsd, so, i should maybe have sent 400 ? i will make sure next time,
to keep u ones happy the ones i am waiting for to attack me, pls,
go ahead even tho, im helping you, every time in these emails...and ,
dont top post, unless it is MY damn posts... now* thx to a henri for
that tip but anyhow, for the 98% of u i hate, goto hell, the rest, may
you have some fun with this and, maybe, you will actually have a
workable pentester! yes :)
or, would u rather have, taken the video and .c as gospel...and not read it :)
i bet 995 of yas did thoso leet this list iz...
now, gofukyourselfs,
drew


On 18 January 2012 08:11, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
 Demonstration of the Exploit:
 http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)

 see attached content

 /Kingcope




Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-18 Thread xD 0x41
there is a video, and proper PoC's, and yes, theyre not yet public and
this is NOT 100% right either...
maybe, wait a bit, i have shown one person only the actual proof of
this and, how it works well, the vid of it.. but, it stays pvt that
was to one FD lister who, can actually keep shit to themselves...and
will respect the fact, that he has it, and, the writer, knows this
also, and, i assume since this has been annoying 3 ppl, coz, 90% of
this list are fkn lamers, seriously, or, why would they continually
fuck this up, and, it only took a LINUX expert, to debug it on both
win and linux :s on win7 actually...so really, i hope when he posts
it, it'll shut half of these ppl up and, really, i have made sure one
decent person knows that i dont lie, and, i can promise you now, this
bug is here and works, and has codes for, BUT, the video is ONLY part
available and b. fd doesnt deserve it thru me, since the maker of the
actual pocs is ON this list, i will assume he can see when it is the
right time...to post it but, believe me, it is real.. it just depends
on how it is done.
now, go away.


guy does not explain it right...and, when the person releases the
video to the list, im sure, he will soon...


On 19 January 2012 17:18, Robert Kim App and Facebook Marketing
evdo.hs...@gmail.com wrote:
 Is there a diagram or a video? I'm not a professional IT guy so I'm gunna
 need something of a tutorial! HAHA!

 On Thu, Jan 19, 2012 at 11:22 AM, xD 0x41 sec...@gmail.com wrote:

 On 18 January 2012 09:45, Jan Wrobel w...@mixedbit.org wrote:
  Hi,
 
  This TCP session hijacking technique might be of interest to some of
  you.
 
  Abstract:
  The paper demonstrates how traffic load of a shared packet queue can
  be exploited as a side channel through which protected information
  leaks to an off-path attacker. The attacker sends to a victim a
  sequence of identical spoofed segments. The victim responds to each
  segment in the sequence (the sequence is reflected by the victim) if
  the segments satisfy a certain condition tested by the attacker. The
  responses do not reach the attacker directly, but induce extra load on
  a routing queue shared between the victim and the attacker. Increased
  processing time of packets traversing the queue reveals that the tested
  condition was true. The paper concentrates on TCP, but the


 -- Robert Q Kim
 High Volume and Digital Printing Company in Seoul
 http://www.youtube.com/watch?v=CaWEWl8saHw
 San Diego, CA 92007
 310 598 1606

