[Full-disclosure] [SECURITY] [DSA 2571-1] libproxy security update

2012-11-05 Thread Raphael Geissert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2571-1   secur...@debian.org
http://www.debian.org/security/  Raphael Geissert
November 04, 2012  http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: libproxy
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-4505

The Red Hat Security Response Team discovered that libproxy, a library
for automatic proxy configuration management, applied insufficient
validation to the Content-Length header sent by a server providing a
proxy.pac file. Such a remote server could trigger an integer overflow
and consequently overflow an in-memory buffer.

For the stable distribution (squeeze), this problem has been fixed in
version 0.3.1-2+squeeze1.

For the testing distribution (wheezy), and the unstable distribution
(sid), this problem has been fixed in version 0.3.1-5.1.

We recommend that you upgrade your libproxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3

2012-11-05 Thread Janek Vind

[waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3
===

Author: Janek Vind waraxe
Date: 03. November 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-96.html


Description of vulnerable software:
~~~

Zenphoto is a standalone CMS for multimedia focused websites. Our focus lies on
being easy to use and having all the features there when you need them (but out
of the way if you do not.)
Zenphoto features support for images, video and audio formats, and the Zenpage
CMS plugin provides a fully integrated news section (blog) and custom pages to
run entire websites. 

http://www.zenphoto.org/

https://code.google.com/p/zenphoto/

Affected versions: Zenphoto 1.4.3.3 and older
Patched version: Zenphoto 1.4.3.4


###
1. SQL Injection in zp-core/zp-extensions/failed_access_blocker.php
###

Reason: insufficient sanitization of user-supplied data
Attack vector: user-supplied HTTP header X_FORWARDED_FOR
Preconditions:
 1. plugin failed_access_blocker activated (disabled by default)

failed_access_blocker plugin will log every failed authentication attempt:
 
Php script zp-core/zp-extensions/failed_access_blocker.php line 75:
[ source code start ]--
function failed_access_blocker_adminGate($allow, $page) {
...
	//	add this attempt (the IP string is spliced straight into the SQL text)
	$sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES
	  ("failed_access", '.time().',"'.getUserIP().'")';
	query($sql);
	//	check how many times this has happened recently
	$count = db_count('plugin_storage','WHERE `type`="failed_access" AND
	  `data`="'.getUserIP().'"');
[ source code end ]

IP address of the user comes from function getUserIP() and is used in SQL
query. Let's look at the function getUserIP().

Php script zp-core/functions.php line 1979:
[ source code start ]--
function getUserIP() {
	if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
		// client-controlled header wins over the socket peer address
		return sanitize($_SERVER['HTTP_X_FORWARDED_FOR'], 0);
	} else {
		return sanitize($_SERVER['REMOTE_ADDR'], 0);
	}
}
[ source code end ]

Function sanitize() does following things to the input data:
 1. strips slashes if magic_quotes_gpc=on
 2. strips null bytes
 3. strips html tags
 
So we can see that function sanitize() will prevent null byte tricks and
most of the XSS exploits, but it does not escape or delete single and double
quotes, therefore SQL Injection may still be possible. Actually this function
makes SQL Injection more likely to occur because it reverts effects of the
magic_quotes_gpc. As a result of such insufficient input data sanitization,
an attacker can use HTTP header X_FORWARDED_FOR for SQL Injection.

Test:

Let's use Firefox browser with Tamper Data Add-on.

 1. Open admin page:
 
 http://localhost/zenphoto1433/zp-core/admin.php
 
 2. Activate Tamper data (Start Tamper)
 3. Try to log in with bogus credentials, Tamper Data triggers
 4. Tamper with request? - Tamper
 5. Add element - X_FORWARDED_FOR=waraxe
 6. Click OK and tampered request will go to the server 

As a result we will see a blank page (OK 200 response code, content length 0).
But let's look at debug.log in zp-data:

Backtrace: USER ERROR: MySql Error: ( INSERT INTO `[prefix]plugin_storage`
(`type`, `aux`,`data`) VALUES (failed_access, 1349792737,waraxe) )
failed. MySql returned the error You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near 'axe)'


###
2. SQL Injection in zp-core/zp-extensions/search_statistics.php
###

Reason: insufficient sanitization of user-supplied data
Attack vector: user-supplied HTTP header X_FORWARDED_FOR
Preconditions:
 1. plugin search_statistics activated (disabled by default)


Php script zp-core/zp-extensions/search_statistics.php line 101:
[ source code start ]--
static function handler($search_statistics, $type, $success, $dynamic,
    $iteration) {
...
	// the serialized payload is quoted via db_quote(), the IP string is not
	$sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES
	  ("search_statistics", "'.getUserIP().'",'.db_quote(serialize($store)).')';
	query($sql);
[ source code end ]

User's IP address comes from function getUserIP() and is used in SQL query.
As shown in previous case, it is possible to use HTTP header X_FORWARDED_FOR
for 
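
The same decision path as getUserIP() and the failed_access_blocker insert, shown in Python as an added illustration (not Zenphoto's PHP) beside a hardened version that trusts X-Forwarded-For only behind a known proxy, validates the value as an IP address, and binds it as a query parameter. The plugin_storage layout, proxy address and header values are constructed for the demo.

```python
"""Added illustration in Python, not Zenphoto code: why sanitize() leaves the
X-Forwarded-For value injectable, and a safe client-IP lookup plus insert.
The plugin_storage table layout, proxy addresses and header values below are
constructed for the demo."""
import ipaddress
import re
import sqlite3
import time

CREATE_TABLE = "CREATE TABLE plugin_storage (type TEXT, aux TEXT, data TEXT)"


def sanitize_like_zenphoto(value: str) -> str:
    """Mimics the three steps the advisory attributes to sanitize(): undo
    magic_quotes escaping, strip NUL bytes, strip HTML tags. Quotes survive."""
    value = re.sub(r"\\(.)", r"\1", value)   # stripslashes()
    value = value.replace("\0", "")
    return re.sub(r"<[^>]*>", "", value)


def get_user_ip_vulnerable(headers: dict, remote_addr: str) -> str:
    """Same decision as getUserIP(): any X-Forwarded-For wins, unvalidated."""
    if "HTTP_X_FORWARDED_FOR" in headers:
        return sanitize_like_zenphoto(headers["HTTP_X_FORWARDED_FOR"])
    return sanitize_like_zenphoto(remote_addr)


def build_insert_vulnerable(ip: str, now: int) -> str:
    """String-built INSERT in the style of failed_access_blocker.php."""
    return ("INSERT INTO plugin_storage (`type`, `aux`, `data`) "
            f"VALUES ('failed_access', {now}, '{ip}')")


def concatenated_insert_fails(header_value: str) -> bool:
    """True when the header value breaks the concatenated query, i.e. the
    quote reached the SQL engine unescaped (what the debug.log entry shows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_TABLE)
    ip = get_user_ip_vulnerable({"HTTP_X_FORWARDED_FOR": header_value}, "198.51.100.9")
    try:
        conn.execute(build_insert_vulnerable(ip, int(time.time())))
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def get_user_ip_hardened(headers: dict, remote_addr: str,
                         trusted_proxies: frozenset = frozenset()) -> str:
    """Honour X-Forwarded-For only when the socket peer is a trusted proxy,
    take the hop that proxy appended, and insist the result parses as an IP."""
    candidate = remote_addr
    if remote_addr in trusted_proxies and "HTTP_X_FORWARDED_FOR" in headers:
        hops = [h.strip() for h in headers["HTTP_X_FORWARDED_FOR"].split(",")]
        candidate = hops[-1]          # last entry is what the trusted proxy saw
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr            # garbage in the header: use the peer address


def record_failed_access(conn, headers, remote_addr, now, trusted_proxies):
    """Parameterised insert: the IP is bound, never spliced into SQL text."""
    ip = get_user_ip_hardened(headers, remote_addr, trusted_proxies)
    conn.execute("INSERT INTO plugin_storage (type, aux, data) VALUES (?, ?, ?)",
                 ("failed_access", str(now), ip))
    return ip


def count_recent_failures(conn, ip: str) -> int:
    row = conn.execute("SELECT COUNT(*) FROM plugin_storage WHERE type = ? AND data = ?",
                       ("failed_access", ip)).fetchone()
    return row[0]


def demo():
    """Constructed traffic: one hostile header, one honest forwarded client."""
    proxies = frozenset({"198.51.100.9"})
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_TABLE)
    hostile = {"HTTP_X_FORWARDED_FOR": "war'axe"}
    honest = {"HTTP_X_FORWARDED_FOR": "10.0.0.1, 203.0.113.7"}
    ip1 = record_failed_access(conn, hostile, "198.51.100.9", 1349792737, proxies)
    ip2 = record_failed_access(conn, honest, "198.51.100.9", 1349792738, proxies)
    ip3 = record_failed_access(conn, honest, "198.51.100.9", 1349792739, proxies)
    return concatenated_insert_fails("war'axe"), ip1, ip2, count_recent_failures(conn, ip3)


if __name__ == "__main__":
    print(demo())
```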

[Full-disclosure] [SECURITY] [DSA 2572-1] iceape security update

2012-11-05 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-2572-1   secur...@debian.org
http://www.debian.org/security/   Thijs Kinkhorst
November 4, 2012   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: iceape
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991 
 CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186
 CVE-2012-4188

Several vulnerabilities have been discovered in Iceape, an internet
suite based on Seamonkey:

CVE-2012-3982
Multiple unspecified vulnerabilities in the browser engine
allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via unknown vectors.

CVE-2012-3986
Icedove does not properly restrict calls to DOMWindowUtils
methods, which allows remote attackers to bypass intended
access restrictions via crafted JavaScript code.

CVE-2012-3990
A Use-after-free vulnerability in the IME State Manager
implementation allows remote attackers to execute arbitrary
code via unspecified vectors, related to the
nsIContent::GetNameSpaceID function.

CVE-2012-3991
Icedove does not properly restrict JSAPI access to the
GetProperty function, which allows remote attackers to bypass
the Same Origin Policy and possibly have unspecified other
impact via a crafted web site.

CVE-2012-4179
A use-after-free vulnerability in the
nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified vectors.

CVE-2012-4180
A heap-based buffer overflow in the
nsHTMLEditor::IsPrevCharInNodeWhitespace function allows
remote attackers to execute arbitrary code via unspecified
vectors.

CVE-2012-4182
A use-after-free vulnerability in the
nsTextEditRules::WillInsert function allows remote attackers
to execute arbitrary code or cause a denial of service (heap
memory corruption) via unspecified vectors.

CVE-2012-4186
A heap-based buffer overflow in the
nsWaveReader::DecodeAudioData function allows remote attackers
to execute arbitrary code via unspecified vectors.

CVE-2012-4188
A heap-based buffer overflow in the Convolve3x3 function
allows remote attackers to execute arbitrary code via
unspecified vectors.

Additionally, this update fixes a regression in the patch for
CVE-2012-3959, released in DSA-2554-1.

For the stable distribution (squeeze), these problems have been fixed in
version 2.0.11-16.

For the testing distribution (wheezy), these problems have been fixed in
version 10.0.10esr-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.10esr-1.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] AWAuctionScript CMS v1.x - Multiple Web Vulnerabilities

2012-11-05 Thread Vulnerability Lab
Title:
==
AWAuctionScript CMS v1.x - Multiple Web Vulnerabilities


Date:
=
2012-11-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=741


VL-ID:
=
741


Common Vulnerability Scoring System:

8.5


Introduction:
=
AwAuctionScript is a powerful auction marketplace where people purchasing 
online businesses can post their website for sale, 
domain for sale or webmaster ad. AwAuctionScript earns revenue from users 
listing fees and various upgrade fees. The included 
admin system gives the site owner control of the site.

Users
- registration with activation email
- listing management
- private messages
- edit account
- payment history log
- create a website or domain listing
- create ad space or webmaster ad space
- add credits via paypal

Admin System
- change password

Settings
site configurations
--- site address
--- header title
--- keywords
--- meta content
--- upgrade fee controls
--- promotion credits control
--- listing length controls

User Management
user list management
--- edit, remove users
user credit management
--- add, remove, edit credits to account
newsletter management
--- view newsletter users

Cost: $249 USD

(Copy of the Vendor Homepage: http://codango.com/php/fnc/review/?id=9724910 )


Abstract:
=
The independent Vulnerability Laboratory Researcher (X-Cisadane) discovered 
multiple critical Web Vulnerabilities in the AWAuctionScript v1.0 CMS.


Report-Timeline:

2012-11-04: Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A remote SQL Injection vulnerability is detected in the AWAuctionScript v1.0 
Content Management System Web Application.
The vulnerability allows an attacker (remote) or local low privileged user 
account to execute SQL commands on the affected application dbms. 
The sql injection vulnerability is located in the listing.php file with the bound 
vulnerable PageNo parameter request. Successful exploitation of 
the vulnerability results in dbms and application compromise. Exploitation 
requires no user interaction and no privileged user account.

Vulnerable File(s):
[+] Listing.php

Vulnerable Module(s):
[+] Category

Vulnerable Parameter(s):
[+] PageNo



1.2
A webshell upload vulnerability is detected in the AWAuctionScript v1.0 
Content Management System Web Application.
The vulnerability allows remote attackers to upload their own files via a 
misconfigured upload function (restriction). The bug is 
located in the avatar upload function and the bound vulnerable (accessible) 
thumbnail path. Successful exploitation of the 
vulnerability results in malicious file uploads like webshells, malware and so on 
to compromise the application system itself.

Vulnerable Module(s):
[+] Upload Avatar - Edit Account


1.3
A persistent input validation vulnerability is detected in the AWAuctionScript 
v1.0 Content Management System Web Application.
The bug allows remote attackers to implement/inject their own malicious script code on 
the application side (persistent). The persistent vulnerability 
is located in the login module with the bound vulnerable username parameter. 
Successful exploitation of the vulnerability can lead to session 
hijacking (manager/admin) or stable (persistent) context manipulation. 
Exploitation requires low user interaction and a low privileged web 
application user account.

Vulnerable Module(s):
[+] Login - User Management

Vulnerable Parameter(s):
[+] Username


Proof of Concept:
=
1.1
The SQL Injection vulnerability can be exploited by remote attackers without 
required user interaction or a privileged application user account.
For demonstration or to reproduce ...

PoC:
http://[Server]/[PATH]/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]

Reference(s):
http://www.xxx.net/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://www.xxx.com/sellyoursite/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://xxxbuyandsellwebsite.org/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://www.xxx.net/offers/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://xxx.com/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://xxx.com/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]
http://www.xxx.com/listing.php?category=Website&PageNo=-1'[SQL-Injection Vulnerability!]


Dork(s):
inurl:/listing.php?category=Website

--- SQL Error Logs ---
1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right 
syntax to use near '-12,6' at 

[Full-disclosure] HTP Zine 4

2012-11-05 Thread h
http://pastebin.com/raw.php?i=jhLt7s83
http://htp4.hack-the-planet.tv/htp4/HTP-4.txt
http://doxbinumfxfyytnh.onion/HTP4.7z
http://uplink.sh/htp4/
http://dikline.org/
http://empathy.hardchats.org/htp4/HTP-4.txt

Enjoy ;) -HTP



[Full-disclosure] [HITB-Announce] #HITB2013AMS Call For Papers Now Open

2012-11-05 Thread Hafez Kamal
The Call for Papers for the fourth annual HITBSecConf in Europe is now
open! Taking place on the 8th till 11th of April at the Okura Hotel, Amsterdam, 
#HITB2013AMS will be a triple track conference (with HITB Labs) and features 
keynotes by Eddie Schwartz, Chief Information Security Officer at RSA and Bob 
Lord, Chief Security Officer at Twitter

As always, talks that are more technical or that discuss new and never
before seen attack methods are of more interest than a subject that has
been covered several times before.

Submissions are due _no later than 8th February 2013_

HITB CFP: http://cfp.hackinthebox.org/
Event Website: http://conference.hitb.org/

(The conference website goes live on the 12th of November 2012)

===

Topics of interest include, but are not limited to the following:

Cloud Security
File System Security
3G/4G/WIMAX Security
SS7/GSM/VoIP Security
Security of Medical Devices
Critical Infrastructure Security
Smartphone / Mobile Security
Smart Card and Physical Security
Network Protocols, Analysis and Attacks
Applications of Cryptographic Techniques
Side Channel Analysis of Hardware Devices
Analysis of Malicious Code / Viruses / Malware
Data Recovery, Forensics and Incident Response
Hardware based attacks and reverse engineering
Windows / Linux / OS X / *NIX Security Vulnerabilities
Next Generation Exploit and Exploit Mitigation Techniques
NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

Each accepted submission will entitle the speaker / speakers to
accommodation for 3 nights / 4 days and travel expense reimbursement up to 
EUR1200.00 per speaking slot.

Your submission will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Senior Security Strategist, Microsoft
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder CEO Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornburst, Red Database
Fredric Raynal, Sogeti/Cap Gemini
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

We do not accept product or vendor related pitches. If you would like to
showcase your company's products or technology, please contact us for
further participation opportunities.

---
Hafez Kamal,
HITB Conference Core Crew (.MY),
Hack in The Box (M) Sdn. Bhd.
36th Floor, Menara Maxis,
Kuala Lumpur City Centre,
50088 Kuala Lumpur,
Malaysia

Tel: +603-26157299
Fax: +603-26150088
PGP Key ID: 0xC0DC7DF8



[Full-disclosure] multiple critical vulnerabilities in sophos products

2012-11-05 Thread Tavis Ormandy
List, I've completed the second paper in my series analyzing Sophos
Antivirus internals, titled "Practical Attacks against Sophos
Antivirus". As the name suggests, this paper describes realistic
attacks against networks using Sophos products.

The paper includes a working pre-authentication remote root exploit
that requires zero-interaction, and could be wormed within the next few
days. I would suggest administrators deploying Sophos products study
my results urgently, and implement the recommendations.

I've also included a section on best practices for Sophos users,
intended to help administrators of high-value networks minimise the
potential damage to their assets caused by Sophos.

The paper is available to download at the link below.

https://lock.cmpxchg8b.com/sophailv2.pdf

A working exploit for Sophos 8.0.6 on Mac is available, however the
techniques used in the exploit easily transfer to Windows and Linux,
due to multiple critical implementation flaws described in the paper.
Testcases for the other flaws described in the paper are available on
request.

https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz

It is my understanding that Sophos plan to publish their own advice to
their customers today. I have not been given an opportunity to review
the advice in advance, so cannot comment on its accuracy.

I have had a working exploit since September, but Sophos requested I
give them two months to prepare for this publication before discussing
it. A timeline of our interactions is included in the paper. I believe
CERT are also preparing an advisory. I'm currently working on the
third paper in the series, which I'll announce at a later date. Please
contact me if you would like to be a reviewer. I will add any last
minute updates to twitter, at http://twitter.com/taviso.

If you would like to learn more about Sophos internals, you can read
my previous paper in the series here
https://lock.cmpxchg8b.com/sophail.pdf

I've reproduced a section of the conclusion below.

Tavis.

Conclusion

As demonstrated in this paper, installing Sophos Antivirus exposes
machines to considerable risk. If Sophos do not urgently improve their
security posture, their continued deployment causes significant risk
to global networks and infrastructure.

In response to early access to this report, Sophos did allocate some
resources to resolve the issues discussed, however they were clearly
ill-equipped to handle the output of one co-operative, non-adversarial
security researcher. A sophisticated state-sponsored or highly
motivated attacker could devastate the entire Sophos user base with
ease.

Sophos claim their products are deployed throughout healthcare,
government, finance and even the military. The chaos a motivated
attacker could cause to these systems is a realistic global threat.
For this reason, Sophos products should only ever be considered for
low-value non-critical systems and never deployed on networks or
environments where a complete compromise by adversaries would be
inconvenient.

-- 
-
tav...@cmpxchg8b.com | pgp encrypted mail preferred
---



Re: [Full-disclosure] multiple critical vulnerabilities in sophos products

2012-11-05 Thread Michele Orru
Reading the paper now.
The previous one about internals was awesome.

"enumerating badness" keyword :D ROFL

Cheers
antisnatchor

On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy tav...@cmpxchg8b.com wrote:
 List, I've completed the second paper in my series analyzing Sophos
 Antivirus internals, titled "Practical Attacks against Sophos
 Antivirus". As the name suggests, this paper describes realistic
 attacks against networks using Sophos products.

 The paper includes a working pre-authentication remote root exploit
 that requires zero-interaction, and could be wormed within the next few
 days. I would suggest administrators deploying Sophos products study
 my results urgently, and implement the recommendations.

 I've also included a section on best practices for Sophos users,
 intended to help administrators of high-value networks minimise the
 potential damage to their assets caused by Sophos.

 The paper is available to download at the link below.

 https://lock.cmpxchg8b.com/sophailv2.pdf

 A working exploit for Sophos 8.0.6 on Mac is available, however the
 techniques used in the exploit easily transfer to Windows and Linux,
 due to multiple critical implementation flaws described in the paper.
 Testcases for the other flaws described in the paper are available on
 request.

 https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz

 It is my understanding that Sophos plan to publish their own advice to
 their customers today. I have not been given an opportunity to review
 the advice in advance, so cannot comment on its accuracy.

 I have had a working exploit since September, but Sophos requested I
 give them two months to prepare for this publication before discussing
 it. A timeline of our interactions is included in the paper. I believe
 CERT are also preparing an advisory. I'm currently working on the
 third paper in the series, which I'll announce at a later date. Please
 contact me if you would like to be a reviewer. I will add any last
 minute updates to twitter, at http://twitter.com/taviso.

 If you would like to learn more about Sophos internals, you can read
 my previous paper in the series here
 https://lock.cmpxchg8b.com/sophail.pdf

 I've reproduced a section of the conclusion below.

 Tavis.

 Conclusion

 As demonstrated in this paper, installing Sophos Antivirus exposes
 machines to considerable risk. If Sophos do not urgently improve their
 security posture, their continued deployment causes significant risk
 to global networks and infrastructure.

 In response to early access to this report, Sophos did allocate some
 resources to resolve the issues discussed, however they were clearly
 ill-equipped to handle the output of one co-operative, non-adversarial
 security researcher. A sophisticated state-sponsored or highly
 motivated attacker could devastate the entire Sophos user base with
 ease.

 Sophos claim their products are deployed throughout healthcare,
 government, finance and even the military. The chaos a motivated
 attacker could cause to these systems is a realistic global threat.
 For this reason, Sophos products should only ever be considered for
 low-value non-critical systems and never deployed on networks or
 environments where a complete compromise by adversaries would be
 inconvenient.

 --
 -
 tav...@cmpxchg8b.com | pgp encrypted mail preferred
 ---




-- 
/antisnatchor



Re: [Full-disclosure] multiple critical vulnerabilities in sophos products

2012-11-05 Thread Michele Orru
Also, "They told me they will work on this, and
will improve their internal security practices."
is just ridiculous.

I have the same feeling you had while reaching out with them,
when the results from some of my product pentests cannot be disclosed
even after patching.

I wish we could always go Full Disclosure, like old times.
Unfortunately lawsuits are a scary beast.
Finally, honestly, not interested in buying a new kitchen for my house.

Cheers
antisnatchor

On Mon, Nov 5, 2012 at 3:29 PM, Michele Orru antisnatc...@gmail.com wrote:
 Reading the paper now.
 The previous one about internals was awesome.

 "enumerating badness" keyword :D ROFL

 Cheers
 antisnatchor

 On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy tav...@cmpxchg8b.com wrote:
 List, I've completed the second paper in my series analyzing Sophos
 Antivirus internals, titled "Practical Attacks against Sophos
 Antivirus". As the name suggests, this paper describes realistic
 attacks against networks using Sophos products.

 The paper includes a working pre-authentication remote root exploit
 that requires zero-interaction, and could be wormed within the next few
 days. I would suggest administrators deploying Sophos products study
 my results urgently, and implement the recommendations.

 I've also included a section on best practices for Sophos users,
 intended to help administrators of high-value networks minimise the
 potential damage to their assets caused by Sophos.

 The paper is available to download at the link below.

 https://lock.cmpxchg8b.com/sophailv2.pdf

 A working exploit for Sophos 8.0.6 on Mac is available, however the
 techniques used in the exploit easily transfer to Windows and Linux,
 due to multiple critical implementation flaws described in the paper.
 Testcases for the other flaws described in the paper are available on
 request.

 https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz

 It is my understanding that Sophos plan to publish their own advice to
 their customers today. I have not been given an opportunity to review
 the advice in advance, so cannot comment on its accuracy.

 I have had a working exploit since September, but Sophos requested I
 give them two months to prepare for this publication before discussing
 it. A timeline of our interactions is included in the paper. I believe
 CERT are also preparing an advisory. I'm currently working on the
 third paper in the series, which I'll announce at a later date. Please
 contact me if you would like to be a reviewer. I will add any last
 minute updates to twitter, at http://twitter.com/taviso.

 If you would like to learn more about Sophos internals, you can read
 my previous paper in the series here
 https://lock.cmpxchg8b.com/sophail.pdf

 I've reproduced a section of the conclusion below.

 Tavis.

 Conclusion

 As demonstrated in this paper, installing Sophos Antivirus exposes
 machines to considerable risk. If Sophos do not urgently improve their
 security posture, their continued deployment causes significant risk
 to global networks and infrastructure.

 In response to early access to this report, Sophos did allocate some
 resources to resolve the issues discussed, however they were clearly
 ill-equipped to handle the output of one co-operative, non-adversarial
 security researcher. A sophisticated state-sponsored or highly
 motivated attacker could devastate the entire Sophos user base with
 ease.

 Sophos claim their products are deployed throughout healthcare,
 government, finance and even the military. The chaos a motivated
 attacker could cause to these systems is a realistic global threat.
 For this reason, Sophos products should only ever be considered for
 low-value non-critical systems and never deployed on networks or
 environments where a complete compromise by adversaries would be
 inconvenient.

 --
 -
 tav...@cmpxchg8b.com | pgp encrypted mail preferred
 ---




 --
 /antisnatchor



-- 
/antisnatchor



[Full-disclosure] [SECURITY] CVE-2012-2733 Apache Tomcat Denial of Service

2012-11-05 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2012-2733 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large headers.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by Josh Spiewak.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html




[Full-disclosure] [SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

2012-11-05 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating
   that a nonce was stale.
These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

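
A server-side Digest nonce registry that closes the three weaknesses listed in the CVE-2012-3439 advisory above, as an added Python example (not Tomcat's code): the server mints and tracks nonces and nonce counts, a session id is never consulted in place of credentials, and the password check happens before any stale verdict. The realm, user store, URIs and session id are constructed; only qop="auth" is handled.

```python
"""Added example, not Tomcat's code: a server-side Digest nonce registry that
avoids the three weaknesses in CVE-2012-3439. Realm, users, URIs and the
session id are constructed; only qop="auth" is handled."""
import hashlib
import secrets
import time

REALM = "example-realm"          # constructed


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth, as a client computes it."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    def __init__(self, users, nonce_ttl=300, clock=time.time):
        self.users = users           # user -> password (constructed store)
        self.nonce_ttl = nonce_ttl
        self.clock = clock
        self.nonces = {}             # server-issued nonce -> [issued_at, highest nc seen]

    def issue_nonce(self) -> str:
        """Weakness 1: the server mints the nonce and owns the nc bookkeeping."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [self.clock(), 0]
        return nonce

    def verify(self, auth, method, session_id=None) -> str:
        """auth: parsed Authorization directives (dict) or None.
        Returns ok, bad-credentials, unknown-nonce, replay or stale."""
        # Weakness 2: session_id is deliberately never consulted; without the
        # Digest credentials the request is refused whatever cookie it carries.
        if auth is None:
            return "bad-credentials"
        password = self.users.get(auth.get("username"))
        if password is None:
            return "bad-credentials"
        expected = digest_response(auth["username"], password, method, auth["uri"],
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        # Weakness 3: credentials are checked before any stale/nonce verdict,
        # so a stale=true challenge never confirms a guess against a bad password.
        if not secrets.compare_digest(expected, auth["response"]):
            return "bad-credentials"
        entry = self.nonces.get(auth["nonce"])
        if entry is None:
            return "unknown-nonce"   # client-minted or already expired
        issued_at, highest_nc = entry
        if self.clock() - issued_at > self.nonce_ttl:
            del self.nonces[auth["nonce"]]
            return "stale"           # client should retry with a fresh nonce
        nc = int(auth["nc"], 16)
        if nc <= highest_nc:
            return "replay"          # nonce-count must strictly increase
        entry[1] = nc
        return "ok"


def demo():
    """Constructed exchange: a valid request, its replay, a wrong password, a
    client-made nonce, a cookie-only request, expiry, and a bad password after
    expiry (still reported as bad-credentials, not stale)."""
    now = [1_700_000_000]
    server = DigestVerifier({"alice": "correct horse"}, nonce_ttl=300,
                            clock=lambda: now[0])
    nonce = server.issue_nonce()

    def request(nc, password="correct horse", use_nonce=nonce):
        cnonce = "0a4f113b"
        return {"username": "alice", "uri": "/protected", "nonce": use_nonce,
                "nc": nc, "cnonce": cnonce,
                "response": digest_response("alice", password, "GET", "/protected",
                                            use_nonce, nc, cnonce)}

    results = [server.verify(request("00000001"), "GET")]
    results.append(server.verify(request("00000001"), "GET"))
    results.append(server.verify(request("00000002", password="wrong"), "GET"))
    results.append(server.verify(request("00000002", use_nonce="made-up"), "GET"))
    results.append(server.verify(None, "GET", session_id="constructed-session"))
    now[0] += server.nonce_ttl + 1
    results.append(server.verify(request("00000002"), "GET"))
    results.append(server.verify(request("00000003", password="wrong"), "GET"))
    return results


if __name__ == "__main__":
    print(demo())
```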