[Full-disclosure] Conceptronic Grab’n’Go Network Storage and Sitecom Home Storage Center - Authentication Bypass Vulnerability in - AA-001

2012-08-27 Thread Mattijs van Ommeren
Conceptronic Grab’n’Go Network Storage and Sitecom Home Storage Center - 
Authentication Bypass Vulnerability in - AA-001

Severity Rating: High
Discovery Date: May 5, 2012
Vendor Notification: May 31, 2012

=Impact
- System Access
- Exposure of sensitive information

=Severity Rating
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

=Products and firmware versions affected
-Conceptronic CH3ENAS, firmware version 3.0.8 and below
-Conceptronic CH3HNAS, firmware version 2.4.11 and below
-Sitecom MD-253, firmware version 2.4.15 and below
-Sitecom MD-254, firmware version 2.4.15 and below

Our investigation showed that the mentioned products originate from the 
Taiwanese manufacturer Mapower. Possibly other re-branded Mapower network 
storage products are affected by the same flaw.

=Risk Assessment
An attacker could instantly gain administrator-level access, including but not 
limited to reading and writing files stored on the device and altering the 
device’s configuration.

This means an attacker could:
-Steal sensitive data stored on the device;
-Leverage the device to drop and/or host malware;
-Abuse the device to send spam through the victim’s Internet connection;
-Use the device as a pivot point to access locally connected systems or launch 
attacks directed to other systems.

An investigation on our part shows that a multitude of affected devices are 
directly accessible through the Internet. It appears that this type of NAS 
device is popular amongst SMBs. We have seen examples of video production 
companies and copy shops that utilize this device for sharing files with their 
customers. Other cases of exposure seem unintended. Since some ISPs assign 
multiple public IP addresses to their customers, devices that are connected to 
the router obtain an Internet-routable IP address.

=Vulnerability
The web management UI makes use of a static cookie value to assess whether a 
request is part of an authenticated administrator’s session. The cookie itself 
is evaluated by client side JavaScript code that, in the absence of the magic 
value, redirects the user to the login page:
 // quotes and the "< 0" comparison were stripped by the list archive and are
 // restored here; the check redirects whenever the magic value is absent
 if(document.cookie.indexOf("2L:CH3ENAS") < 0) location.replace('login.htm');
Since an attacker has complete control over the client, he could easily 
circumvent this mechanism by:
-Setting the cookie to the expected value, so the session will handle 
subsequent requests as part of an authenticated session;
-Nullifying the session validation routines by means of an intercepting proxy 
or a browser plug-in;
-Forging POST requests directly, e.g. by using wget, cURL and the like.

=Proof of Concept
Paste and execute the following code into Firefox JavaScript Scratchpad to set 
the magic cookie value to obtain an authenticated, administrator-level session:

 // quotes around the cookie value were stripped by the list archive
 var victimIP = '1.2.3.4';
 document.location.replace('http://'+victimIP+'/home.htm');
 document.cookie = "2L:CH3ENAS";
 document.location.replace('http://'+victimIP+'/index.html');

This code was tested with a Conceptronic CH3ENAS. Note that the magic value of 
the cookie is different for each brand/model combination.

=Risk Mitigation
Updating your NAS firmware to the latest version will protect you from this 
particular attack, but the presence of this type of flaw and the vendors’ 
responses seem to be an indicator of a lack of security awareness on their 
part.

Additionally, for owners of similar, other-branded products originating from 
Mapower, a patched firmware version may be unavailable at this time.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Although this will not completely eliminate the 
risk of exploitation, it becomes substantially harder to leverage a successful 
attack, because it would involve either compromise of another host on the 
victim’s local network or a client side attack that overcomes the Same Origin 
Policy restrictions of the victim’s web browser.

=Vendor responses
2L/Conceptronic acknowledged the presence of this flaw in the particular model 
and firmware version we reported, but did not disclose details on other 
products affected. Instead, the same flaw was silently patched in the firmware 
of a similar product. Updated firmware has been available on Conceptronic’s 
website since July 27, 2012. The vendor did not coordinate the release of this 
firmware update with us.

Sitecom appears to have fixed this particular issue in a firmware version dated 
back to December 2011. Note that apparently the flaw was known and fixed prior 
to our report; however, it was not disclosed publicly.

As soon as our investigation pointed out that the affected devices all 
originated from the Taiwanese manufacturer Mapower, we tried to contact them 

[Full-disclosure] Conceptronic Grab’n’Go Network Storage - Password disclosure Vulnerability - AA-002

2012-08-27 Thread Mattijs van Ommeren
Conceptronic Grab’n’Go Network Storage - Password disclosure Vulnerability - 
AA-002

Severity Rating: High
Discovery Date: May 5, 2012
Vendor Notification: May 31, 2012

=Impact
- System Access
- Exposure of sensitive information

=Severity Rating
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

=Products and firmware versions affected
-Conceptronic CH3ENAS, firmware version 3.0.8 and below
-Conceptronic CH3HNAS, firmware version 2.4.11 and below

Our investigation showed that the mentioned products originate from the 
Taiwanese manufacturer Mapower. Possibly other rebranded Mapower network 
storage products are also affected by this flaw.

=Risk Assessment
An attacker can harvest administrator credentials and log into the web 
management UI. Possibilities include but are not limited to reading and writing 
files stored on the device and altering the device’s configuration.

This means an attacker could:
-Steal sensitive data stored on the device;
-Leverage the device to drop and/or host malware;
-Abuse the device to send spam through the victim’s Internet connection;
-Use the device as a pivot point to access locally connected systems or launch 
attacks directed to other systems.

An investigation on our part shows that a multitude of affected devices are 
directly accessible through the Internet. It appears that this type of 
NAS device is popular amongst small businesses. We have seen examples of video 
production companies and copy shops that utilize this device for file sharing 
purposes with their customers. Other cases of exposure seem to be 
unintentional. Since some ISPs assign multiple public IP addresses to their 
customers, devices that are connected to the router obtain an Internet-routable 
IP address.

=Vulnerability
The web management UI validates the user’s login credentials through a 
JavaScript routine that queries hidden page elements:

 // quotes, the && operator and the "< 0" comparison were stripped by the list
 // archive and are restored here; the logic is otherwise as shipped
 function LoginSubmit(){
   var data = document.getElementById("Users").value;
   data = data.split(":");

   var UserName = document.getElementById("UserName").value;
   var UserPasswd = document.getElementById("UserPasswd").value;

   if((UserName==data[0])&&(UserPasswd==data[1])){
     document.cookie = "2L:CH3HNAS";
     location.replace('index.html');
   } else {
     document.getElementById("UserName").value = '';
     document.getElementById("UserPasswd").value = '';
     alert(getWord("login_unauthorized"));
     setTimeout(function(){document.getElementById("UserName").focus();},10);
     return false;
   }
 }
 if(document.cookie.indexOf("2L:CH3ENAS") < 0) location.replace('login.htm');
 

While client side validation and relying on a static session token are 
weaknesses in themselves (please refer to advisory AA-001), an additional risk 
of password disclosure is present in the affected firmware versions.

These hidden elements are populated by two different JavaScript functions found 
in login.js:

 function Login(){
   getContent('','/cgi-bin/login.cgi?webmaster',function:showLogin);
 }

 function showLogin(msg){
   msg = msg.split("\n");
   // the HTML string assigned here (the hidden fields built from msg) was
   // apparently stripped by the list archive
   window.document.getElementById('data').innerHTML = '';
   setTimeout(function(){document.getElementById("UserName").focus();},10);
 }
 
The getContent function is responsible for querying a URL and passing the 
result to the showLogin function. In this case the result of the web request 
consists of the username and password of the admin user in clear text form.

=Proof of Concept
Paste the following URL into a web browser’s address bar to obtain the 
administrator’s username and password:
http:///cgi-bin/login.cgi?webmaster1Conceptronic2009

=Risk Mitigation
Updating your NAS firmware to the latest version will protect you from this 
particular attack, but the presence of this type of flaw and the vendors’ 
responses seem to be an indication of a lack of security awareness on their 
part.

Additionally, for owners of similar, other branded products originating from 
Mapower, a patched firmware version may be unavailable at this time.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Although this will not completely eliminate the 
risk of exploitation, it becomes substantially more difficult to leverage a 
successful attack, because it would involve either a compromise of another host 
on the victim’s local network or a client side attack that overcomes the Same 
Origin Policy restrictions of the victim’s web browser.

=Vendor responses
2L/Conceptronic acknowledged the presence of this flaw in the particular model 
and firmware version we reported, but did not disclose details on other 
products affected.  Instead, the same flaw was silently patched in the firmware 
of a similar product. Updated firmware is available on 

[Full-disclosure] OpenSecurityTraining Exploits 2 class

2012-08-27 Thread OST FD
We have just released the class materials and first day of videos from
Corey K's three-day Exploits 2 class. This class focuses on Windows and its
exploit mitigations, whereas the previous Exploits 1 class focused on
Linux.

http://OpenSecurityTraining.info/Exploits2.html

We also offer classes on x86 assembly and the PE binary format for those
who do not already have backgrounds in those areas.
http://OpenSecurityTraining.info/Training.html

The OST Team
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder [updated]

2012-08-27 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20111208-01: Security Notice for CA SiteMinder


Issued: December 08, 2011
Updated: August 22, 2012


CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder, CA Federation Manager, CA SOA Security Manager, CA 
SiteMinder Secure Proxy Server, and CA SiteMinder SharePoint Agent. A 
vulnerability exists that can allow a malicious user to execute a 
reflected cross site scripting (XSS) attack. CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim's browser.


Risk Rating

Medium


Platform

All


Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier
CA Federation Manager 12.1 SP3 and earlier
CA SOA Security Manager 12.1 SP3 and earlier
CA SiteMinder Secure Proxy Server 12.0 SP3 and earlier
CA SiteMinder Secure Proxy Server 6.0 SP3 and earlier
CA SiteMinder SharePoint Agent 12.0 SP3 and earlier


Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9
CA Federation Manager 12.1 SP3 CR00.1
CA SOA Security Manager 12.1 SP3 CR01.1
CA SiteMinder Secure Proxy Server 12.0 SP3 CR01.1
CA SiteMinder Secure Proxy Server 6.0 SP3 CR07.1
CA SiteMinder SharePoint Agent 12.0 SP3 CR0.1


How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the webagent.log file name is 
configurable by the SiteMinder administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CA Federation Manager 12.1 SP3:
Apply fix RS47435

CA SOA Security Manager 12.1 SP3:
Apply fix RS47436

CA SiteMinder Secure Proxy Server 12.0 SP3:
Apply fix RS47431

CA SiteMinder Secure Proxy Server 6.0 SP3:
Apply fix RS47432

CA SiteMinder SharePoint Agent 12.0 SP3:
Apply fix RS47433

CR releases can be found on the CA SiteMinder Hotfix/Cumulative 
Release page (URL may wrap):
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}.


Workaround

None


References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release
Version 1.1: Updated R6 fix information
Version 1.2: Added information for Federation Manager, SOA Security 
Manager, SiteMinder Secure Proxy Server, SiteMinder SharePoint Agent


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQO7sGeSWR3+KUGYURAvlVAJwNzRfo5NORDDMQhau8SfLHOGnMqACfYEfY
xM1DGynkf5e0fdgSVhvVYGM=
=JTJo
-END PGP SIGNATURE-



Re: [Full-disclosure] Printer in the DMZ

2012-08-27 Thread Benji
Yup, they're all mine. Congrats on ur diskovery of the century. You
know what you should do? you should make some sort of database for
google dorks, like hmm, maybe call it GHDB?

Impressive find, very impressed. If it's people like you that miss the
point of my posts, to point out how absurd this list is and it's many
failings, then I think I have succeeded. Stay classy, keep fighting
whatever fight you're fighting.

On Mon, Aug 27, 2012 at 5:45 PM, Igor Igor unclyi...@gmail.com wrote:
 Robots.txt is not supported by any printer... too bad, all are listed in all major
 search engines.


 Benji, do they belong to you? You are the only one that I can think of
 that would put that in a DMZ.

 152.1.23.62 - HP ColorLaserJet 2605dn
 152.1.31.62 - HP ColorLaserJet CP4005
 152.1.32.10 - Dell 5230n Laser Printer
 152.1.32.53 - HP Designjet T1100ps 44in
 152.1.40.7 - HP LaserJet P2055dn
 152.1.40.8 - HP LaserJet P2055dn
 152.1.40.14 - HP LaserJet P2055dn
 152.1.40.16 - HP LaserJet P2055dn
 152.1.40.34 - HP LaserJet P2055dn
 152.1.40.42 - HP LaserJet P2055dn
 152.1.40.54 - HP Color LaserJet 4700
 152.1.40.88 - HP LaserJet P2055dn
 152.1.40.97 - HP LaserJet P2055dn
 152.1.40.120 - HP LaserJet 2300
 152.1.40.172 - HP LaserJet P2055dn
 152.1.40.203 - HP LaserJet P2055dn
 152.1.40.222 - HP LaserJet P2055dn
 152.1.40.232 - HP LaserJet P2055dn
 152.1.40.249 - HP LaserJet P2055dn
 152.1.55.155 - HP Color LaserJet CP4525
 152.1.72.177 - Dell Color Laser 3110cn
 152.1.72.244 - HP Procurve
 152.1.111.13 - Brother HL-5370DW
 152.1.111.136 - Brother HL-5250DW
 152.1.111.189 - RICOH Pro 1107EX
 152.1.117.197 - HP Color LaserJet CP4525
 152.1.120.67 - HP LaserJet P3005
 152.1.120.89 - HP LaserJet P2055dn
 152.1.120.205 - HP LaserJet P3005
 152.1.120.208 - HP LaserJet 4350
 152.1.152.23 - HP Color LaserJet CP3505
 152.1.181.30 - HP Color LaserJet CM3530 MFP
 152.1.198.230 - HP LaserJet P3015
 152.1.228.225 - HP LaserJet 9050
 152.1.228.229 - HP LaserJet 9050
 152.1.228.230 - HP LaserJet 9050
 152.14.71.92 - HP Color LaserJet 4700



 - 1g0r



Re: [Full-disclosure] Conceptronic Grab’n’Go Network Storage - Password disclosure Vulnerability - AA-002

2012-08-27 Thread Mattijs van Ommeren

* Updated to include Sitecom MD-253 and MD-254
* Minor textual changes

==

Conceptronic Grab’n’Go and Sitecom Storage Center - Password disclosure 
Vulnerability - Security Advisory AA-002

Severity Rating: High
Discovery Date: May 5, 2012
Vendor Notification: May 31, 2012

=Impact
- System Access
- Exposure of sensitive information

=Severity Rating
Alcyon rates the severity of this vulnerability as high due to the following 
properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

=Products and firmware versions affected
-Conceptronic CH3ENAS, firmware version 3.0.8 and below
-Conceptronic CH3HNAS, firmware version 2.4.11 and below
-Sitecom MD-253 and MD-254, firmware version 2.4.11 and below

Our investigation showed that the mentioned products originate from the 
Taiwanese manufacturer Mapower. Possibly other rebranded Mapower network 
storage products are also affected by this flaw.

=Risk Assessment
An attacker can harvest administrator credentials and log into the web 
management UI. Possibilities include but are not limited to reading and writing 
files stored on the device and altering the device’s configuration.

This means an attacker could:
-Steal sensitive data stored on the device;
-Leverage the device to drop and/or host malware;
-Abuse the device to send spam through the victim’s Internet connection;
-Use the device as a pivot point to access locally connected systems or launch 
attacks directed to other systems.

An investigation on our part shows that a multitude of affected devices are 
directly accessible through the Internet. It appears that this type of 
NAS device is popular amongst small businesses. We have seen examples of video 
production companies and copy shops that utilize this device for file sharing 
purposes with their customers. Other cases of exposure seem to be 
unintentional. Since some ISPs assign multiple public IP addresses to their 
customers, devices that are connected to the router obtain an Internet-routable 
IP address.

=Vulnerability
The web management UI validates the user’s login credentials through a 
JavaScript routine that queries hidden page elements:

 // quotes, the && operator and the "< 0" comparison were stripped by the list
 // archive and are restored here; the logic is otherwise as shipped
 function LoginSubmit(){
   var data = document.getElementById("Users").value;
   data = data.split(":");

   var UserName = document.getElementById("UserName").value;
   var UserPasswd = document.getElementById("UserPasswd").value;

   if((UserName==data[0])&&(UserPasswd==data[1])){
     document.cookie = "2L:CH3HNAS";
     location.replace('index.html');
   } else {
     document.getElementById("UserName").value = '';
     document.getElementById("UserPasswd").value = '';
     alert(getWord("login_unauthorized"));
     setTimeout(function(){
       document.getElementById("UserName").focus();},10);
     return false;
   }
 }

 if(document.cookie.indexOf("2L:CH3ENAS") < 0) location.replace('login.htm');
 
While client side validation and relying on a static session token are 
weaknesses in themselves (please refer to advisory AA-001), an additional risk 
of password disclosure is present in the affected firmware versions.

These hidden elements are populated by two different JavaScript functions found 
in login.js:

 function Login(){
   getContent('','/cgi-bin/login.cgi?webmaster',function:showLogin);
 }

 function showLogin(msg){
   msg = msg.split("\n");
   // the HTML string assigned here (the hidden fields built from msg) was
   // apparently stripped by the list archive
   window.document.getElementById('data').innerHTML = '';
   setTimeout(function(){document.getElementById("UserName").focus();},10);
 }
 
The getContent function is responsible for querying a URL and passing the 
result to the showLogin function. In this case the result of the web request 
consists of the username and password of the admin user in clear text form.

=Proof of Concept
Paste the following URL into a web browser’s address bar to obtain the 
administrator’s username and password:

 http:///cgi-bin/login.cgi?webmaster1Conceptronic2009

=Risk Mitigation
Updating your NAS firmware to the latest version will protect you from this 
particular attack, but the presence of this type of flaw and the vendors’ 
responses seem to be an indication of a lack of security awareness on their 
part.

Unfortunately, for owners of similar, other branded products originating from 
Mapower, a patched firmware version may be unavailable at this time.

We recommend that you limit access to the web management UI of the device by 
utilizing proper packet filtering and/or NAT on your router in order to limit 
network access to your NAS. Although this will not completely eliminate the 
risk of exploitation, it becomes substantially more difficult to leverage a 
successful attack, because it would involve either a compromise of another host 
on the victim’s local network or a client side attack that overcomes the Same 
Origin Policy restrictions of the victim’s web browser.

=Vendor responses
2L/Conceptronic acknowledged the 

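The server-side alternative to both flaws described in AA-001 and AA-002, as an added example in Python (not code from the advisories or from the Mapower firmware): credentials are verified on the server against a salted PBKDF2 hash rather than handed to the browser for a JavaScript comparison (AA-002), and the session cookie is a random per-login token that the server looks up and expires, rather than a static magic value that client-side code tests for (AA-001). The function and table names (login, is_authenticated, USER_DB, SESSIONS), the PBKDF2 work factor and the sample password are assumptions made for this example.

```python
"""
Server-side login and session check: what the NAS web UI should have done.

Added example, not code from the advisories or from the Mapower firmware.
USER_DB, SESSIONS, login(), is_authenticated() and the sample password are
assumptions made for this example.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000      # work factor for the stored password hash
SESSION_TTL = 600            # seconds a session token stays valid


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, 32-byte digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: the only admin account, password chosen for the example.
_salt, _digest = hash_password("correct horse battery staple")
USER_DB = {"admin": (_salt, _digest)}

# Server-side session table: token -> (username, expiry timestamp).
# The browser only ever sees the token, never this table.
SESSIONS = {}


def login(username, password, now=None):
    """Verify credentials on the server; mint a random session token on success.

    This replaces /cgi-bin/login.cgi?webmaster returning the clear-text
    credentials for a client-side comparison (AA-002): the secret never
    leaves the server.
    """
    now = time.time() if now is None else now
    record = USER_DB.get(username)
    # Always run the hash so an unknown username costs the same time as a
    # wrong password; the dummy record can never match.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    _, candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)       # 256 bits of entropy, unguessable
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token


def parse_cookie_header(header):
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_authenticated(cookie_header, now=None):
    """Return the username for a valid session cookie, else None.

    The decision is made here, not in the page's JavaScript (AA-001): a
    forged static value such as "session=2L:CH3ENAS" has no entry in
    SESSIONS and is rejected like any other guess.
    """
    now = time.time() if now is None else now
    token = parse_cookie_header(cookie_header).get("session")
    entry = SESSIONS.get(token) if token else None
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del SESSIONS[token]                 # expired: drop so it cannot be reused
        return None
    return username


if __name__ == "__main__":
    tok = login("admin", "correct horse battery staple")
    print("forged static cookie ->", is_authenticated("session=2L:CH3ENAS"))
    print("minted session       ->", is_authenticated("session=" + tok))
```

The point of the design is where the trust boundary sits: every request is judged by the server against state the client cannot read or forge, so neither setting a known cookie nor reading the login page's JavaScript yields a session. The redirect-to-login that the firmware performs in the browser is at most a convenience and must never be the only check.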
[Full-disclosure] Zend Framework - Local file disclosure via XXE injection

2012-08-27 Thread MustLive
Hello!

I'm reminding my letter to Full-Disclosure list.

- Original Message - 
From: MustLive mustl...@websecurity.com.ua
To: Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru;
submissi...@packetstormsecurity.org
Sent: Saturday, August 11, 2012 11:50 PM
Subject: Zend Framework - Local file disclosure via XXE injection


Hello!

I'll give you additional information concerning SEC Consult Vulnerability
Lab Security Advisory 20120626-0 (http://securityvulns.ru/docs28331.html).

This advisory was about Local file disclosure via XXE injection in Zend
Framework and talked only about the Local File Disclosure attack vector. It
was just mentioned in the description that via this vulnerability it's also
possible to open arbitrary TCP connections. The LFD attack vector is
important and has more risk, so it's clear why Daniel concentrated on it.
But I think that the other attack vector is also important, so I will bring your
attention to it.

As I wrote in my July article "Using XML External Entities (XXE) for
attacks on other sites", which I announced last week in the WASC Mailing List
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html),
XXE vulnerabilities can be used for attacks on other sites. Similarly to
AoF vulnerabilities, about which I wrote in my 2010 article "Using of
the sites for attacks on other sites"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
In this article I wrote about the possibility of attacks on other sites via
Abuse of Functionality and Remote File Include vulnerabilities, and showed
examples of Abuse of Functionality holes at different web sites (including
sites of Google, Yahoo and W3C). In a similar way XXE vulnerabilities can be
used for conducting CSRF and DoS attacks on other sites.

XXE (WASC-43):

For the attack it's needed to send the following XML data in a POST request
(angle brackets and quotes were stripped by the list archive and are restored
here):

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT methodName ANY>
  <!ENTITY xxe SYSTEM "http://site/page"> ]>
<methodCall>
  <methodName>&xxe;</methodName>
</methodCall>

It concerns Zend Framework and the different web applications which use
Zend Framework (XXE holes in some of them were disclosed recently), as well
as those applications in which holes were disclosed earlier, like Adobe
BlazeDS, Adobe LiveCycle Data Services ES2, Adobe ColdFusion and Adobe
LiveCycle ES2 (http://securityvulns.ru/Xdocument288.html).

So there are multiple web applications and thousands of web sites which are
vulnerable to these attacks (via Zend Framework and web applications based
on it, and via old versions of multiple Adobe products). Not thousands of
web applications (about AoF vulnerabilities in which I wrote during
2010-2011) and millions of web sites, but still a lot, and in total we have
a lot of web sites which can be used for attacks on other sites via
different vulnerabilities (AoF, RFI, XXE). So web developers should also
draw attention to this attack vector.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




[Full-disclosure] XXE Injection in CakePHP and Squiz CMS

2012-08-27 Thread MustLive
Hello!

I'm reminding my letter to Full-Disclosure list.

- Original Message - 
From: MustLive mustl...@websecurity.com.ua
To: Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru; 
submissi...@packetstormsecurity.org
Sent: Sunday, August 12, 2012 7:27 PM
Subject: XXE Injection in CakePHP and Squiz CMS


Hello!

I'll give you additional information concerning the advisories "CakePHP
2.x-2.2.0-RC2 XXE Injection" (http://securityvulns.ru/docs28331.html) and
"Squiz CMS Multiple Vulnerabilities" (http://securityvulns.ru/docs28220.html).
It's about XXE Injection in CakePHP and Squiz CMS.

Similarly to the XXE Injection vulnerabilities in Zend Framework and multiple
Adobe products that I mentioned earlier, in the case of CakePHP and Squiz CMS
it's also possible to conduct attacks on other sites. CakePHP uses PHP SimpleXML
in the same way as Zend Framework, so it's vulnerable to the same XXE Injection.
And in the CakePHP advisory only the local file inclusion attack vector is
mentioned, which is the most significant one. And in the Squiz CMS advisory
the attack on other sites is also not mentioned (only a PoC for port scanning
is demonstrated).

So I'll supplement the advisories of Pawel Wylecial and Sense of Security, and
will bring your attention to another attack vector, because I think that
this attack vector is also important.

I wrote in my July article "Using XML External Entities (XXE) for
attacks on other sites", which I announced last week in the WASC Mailing List
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html),
that XXE vulnerabilities can be used for attacks on other sites. Similarly
to Abuse of Functionality and Remote File Include holes, about which I
wrote in my 2010 article "Using of the sites for attacks on other sites"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
So in a similar way XXE vulnerabilities can be used for conducting CSRF and
DoS attacks on other sites (and by using multiple web sites it's possible
to conduct DDoS attacks). And in the article "DDoS attacks via other sites
execution tool (DAVOSET)"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075622.html)
I described the efficiency of such attacks and the tool for their automation.

XXE (WASC-43):

For the attack it's needed to send the following XML data in a POST request
(angle brackets and quotes were stripped by the list archive and are restored
here).

PoC for CakePHP:

<!DOCTYPE cakephp [
 <!ENTITY xxe SYSTEM "http://site/page"> ]>
<request>
 <xxe>&xxe;</xxe>
</request>

PoC for Squiz CMS:

<!DOCTYPE scan [
 <!ENTITY xxe SYSTEM "http://site/page"> ]>
<scan>&xxe;</scan>

In total we have a lot of web applications and millions of web sites which
can be used for attacks on other sites via different vulnerabilities (AoF,
RFI, XXE). So web developers should also draw attention to this attack
vector.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 




[Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Teguh
Hello full disclosure
fakeroot can give you real root
http://blog.egeektronic.com/post/30307776836



[Full-disclosure] Printer in the DMZ

2012-08-27 Thread Igor Igor
Robots.txt is not supported by any printer... too bad, all are listed in all major
search engines.


Benji, do they belong to you? You are the only one that I can think of
that would put that in a DMZ.

152.1.23.62 - HP ColorLaserJet 2605dn
152.1.31.62 - HP ColorLaserJet CP4005
152.1.32.10 - Dell 5230n Laser Printer
152.1.32.53 - HP Designjet T1100ps 44in
152.1.40.7 - HP LaserJet P2055dn
152.1.40.8 - HP LaserJet P2055dn
152.1.40.14 - HP LaserJet P2055dn
152.1.40.16 - HP LaserJet P2055dn
152.1.40.34 - HP LaserJet P2055dn
152.1.40.42 - HP LaserJet P2055dn
152.1.40.54 - HP Color LaserJet 4700
152.1.40.88 - HP LaserJet P2055dn
152.1.40.97 - HP LaserJet P2055dn
152.1.40.120 - HP LaserJet 2300
152.1.40.172 - HP LaserJet P2055dn
152.1.40.203 - HP LaserJet P2055dn
152.1.40.222 - HP LaserJet P2055dn
152.1.40.232 - HP LaserJet P2055dn
152.1.40.249 - HP LaserJet P2055dn
152.1.55.155 - HP Color LaserJet CP4525
152.1.72.177 - Dell Color Laser 3110cn
152.1.72.244 - HP Procurve
152.1.111.13 - Brother HL-5370DW
152.1.111.136 - Brother HL-5250DW
152.1.111.189 - RICOH Pro 1107EX
152.1.117.197 - HP Color LaserJet CP4525
152.1.120.67 - HP LaserJet P3005
152.1.120.89 - HP LaserJet P2055dn
152.1.120.205 - HP LaserJet P3005
152.1.120.208 - HP LaserJet 4350
152.1.152.23 - HP Color LaserJet CP3505
152.1.181.30 - HP Color LaserJet CM3530 MFP
152.1.198.230 - HP LaserJet P3015
152.1.228.225 - HP LaserJet 9050
152.1.228.229 - HP LaserJet 9050
152.1.228.230 - HP LaserJet 9050
152.14.71.92 - HP Color LaserJet 4700



- 1g0r

Re: [Full-disclosure] Printer in the DMZ

2012-08-27 Thread Joshua Thomas
:-)

Awesome stuff guys :-) Thank you for making my day ...


On Mon, Aug 27, 2012 at 3:32 PM, Benji m...@b3nji.com wrote:

 Yup, they're all mine. Congrats on ur diskovery of the century. You
 know what you should do? you should make some sort of database for
 google dorks, like hmm, maybe call it GHDB?

 Impressive find, very impressed. If it's people like you that miss the
 point of my posts, to point out how absurd this list is and it's many
 failings, then I think I have succeeded. Stay classy, keep fighting
 whatever fight you're fighting.


Re: [Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Jeffrey Walton
On Mon, Aug 27, 2012 at 9:49 AM, Teguh i...@egeektronic.com wrote:
> Hello full disclosure
> fakeroot can give you real root
> http://blog.egeektronic.com/post/30307776836
LD_PRELOAD is not a good idea...: Breaking the links: Exploiting the
linker, www.nth-dimension.org.uk/pub/BTL.pdf.


Re: [Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Wiliam Steck
this will only work if the desired user is in sudo and has permissions to
execute as root.
Otherwise, this post was a huge troll to get traffic to the website this
article is hosted on.

[20101:20100 - 0:501] 02:31:36 [nethic@nekobus:/dev/pts/9 +1] ~
$ fakeroot

[20209:20194 - 0:501] 02:31:39 [root@nekobus:/dev/pts/9 +3] ~
$ ls /root
ls: cannot open directory /root: Permission denied

[20209:20194 - 0:502] 02:31:47 [root@nekobus:/dev/pts/9 +3] ~
$ python
Python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system("sudo su")
ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be
preloaded: ignored.
[sudo] password for nethic:
Sorry, try again.
[sudo] password for nethic:
Sorry, try again.
[sudo] password for nethic:
Sorry, try again.
sudo: 3 incorrect password attempts
256
>>> os.system("touch /root/test")
touch: cannot touch `/root/test': Permission denied
256

Better luck next time <3 <3 <3

Re: [Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Thor (Hammer of God)

Yep, actually had a reply in my drafts. I think he's serious.  We've been 
getting those lately.

t

On Aug 27, 2012, at 2:37 PM, Wiliam Steck codeinject...@gmail.com wrote:


Re: [Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Wiliam Steck
It actually doesn't matter what OS or what kind of kernel security is ongoing,
this 'hole' of yours does not exist. And why would I want to 'try make program
exec /bin/sh 'n setuid it to root'? That's just moronic.

So in closing, and once again, this will NOT work on any Linux OS or Linux
kernel.

Thanks for all the fish.
<3


On Mon, Aug 27, 2012 at 6:52 PM, Teguh i...@egeektronic.com wrote:

> @ Jeffrey Walton
>  thx for the references
>
> @ Wiliam Steck
> what OS you tested on? 'n kernel security feature security you use
>
> On 8/28/12, Wiliam Steck codeinject...@gmail.com wrote:

Re: [Full-disclosure] The Dangerous of Fakeroot

2012-08-27 Thread Wiliam Steck
No problem, Even pro's make mistakes.

<3

On Mon, Aug 27, 2012 at 8:33 PM, Teguh i...@egeektronic.com wrote:

> ups, my bad
> I will check more carefully next time
> should not work on production os
> i forgot clean the shell while playing the ctf os
>
>
> On 8/28/12, Thor (Hammer of God) t...@hammerofgod.com wrote: