[Full-disclosure] (CVE-2013-1059) Linux Kernel libceph Null Pointer Dereference Vulnerability
Original URL: http://hkpco.kr/advisory/CVE-2013-1059.txt

Linux Kernel libceph Null Pointer Dereference Vulnerability (CVE-2013-1059)

Author  - Chanam Park (@hkpco)
Website - http://hkpco.kr/
Date    - 2013. 07. 06

0. Introduction

This is a very brief advisory just to record the vulnerability which I discovered in my spare time. A remote attacker, a malicious ceph monitor, can make an exploit to cause a denial-of-service condition by sending a crafted auth_reply message. It could possibly lead to other impacts such as remote code execution if some other vulnerabilities are combined. The explanation is based on linux kernel 3.10, which is the latest version now.

1. What's Ceph?

Check these links below.

http://en.wikipedia.org/wiki/Ceph_(storage)
http://ceph.com/

2. Vulnerability

The vulnerability is triggered by a null pointer dereferencing problem which can raise a kernel crash remotely. Here, I will show you the code flow of the vulnerability. Let's start with the dispatch() function, which handles incoming auth messages from the ceph monitor.

http://lxr.linux.no/linux+v3.10/net/ceph/mon_client.c
---
static void dispatch(struct ceph_connection *con, struct ceph_msg *msg)
{
        struct ceph_mon_client *monc = con->private;
        int type = le16_to_cpu(msg->hdr.type);

        if (!monc)
                return;

        switch (type) {
        case CEPH_MSG_AUTH_REPLY:
                handle_auth_reply(monc, msg);                   *** [1] ***
                break;
        ...
---

As shown in part [1], it calls handle_auth_reply() once the ceph client receives the auth reply message from the monitor. See the handle_auth_reply() implementation in the same module, then.

---
static void handle_auth_reply(struct ceph_mon_client *monc,
                              struct ceph_msg *msg)
{
        int ret;
        int was_auth = 0;
        int had_debugfs_info, init_debugfs = 0;

        mutex_lock(&monc->mutex);
        had_debugfs_info = have_debugfs_info(monc);
        was_auth = ceph_auth_is_authenticated(monc->auth);
        monc->pending_auth = 0;
        ret = ceph_handle_auth_reply(monc->auth, msg->front.iov_base,   *** [2] ***
                                     msg->front.iov_len,
                                     monc->m_auth->front.iov_base,
                                     monc->m_auth->front_max);
        ...
---

In part [2], it calls ceph_handle_auth_reply(). Let's move on and take a look at that function.

http://lxr.linux.no/linux+v3.10/net/ceph/auth.c
---
int ceph_handle_auth_reply(struct ceph_auth_client *ac,
                           void *buf, size_t len,
                           void *reply_buf, size_t reply_len)
{
        void *p = buf;
        void *end = buf + len;
        int protocol;
        ...
        ret = ac->ops->handle_reply(ac, result, payload, payload_end);
        if (ret == -EAGAIN) {
                ret = ceph_build_auth_request(ac, reply_buf, reply_len);   *** [3] ***
        } else if (ret) {
                pr_err("auth method '%s' error %d\n", ac->ops->name, ret);
        }
---

As you can see in part [3] above, ceph_build_auth_request() contains the vulnerable code that causes the null pointer dereference. Let's see how the function implements that vulnerable code below.

http://lxr.linux.no/linux+v3.10/net/ceph/auth.c
---
static int ceph_build_auth_request(struct ceph_auth_client *ac,
                                   void *msg_buf, size_t msg_len)
{
        struct ceph_mon_request_header *monhdr = msg_buf;
        void *p = monhdr + 1;
        void *end = msg_buf + msg_len;
        int ret;

        monhdr->have_version = 0;
        monhdr->session_mon = cpu_to_le16(-1);
        monhdr->session_mon_tid = 0;

        ceph_encode_32(&p, ac->protocol);

        ret = ac->ops->build_request(ac, p + sizeof(u32), end);         *** [3] ***
        if (ret < 0) {
                pr_err("error %d building auth method %s request\n", ret,
                       ac->ops->name);
                goto out;
        }
        dout(" built request %d bytes\n", ret);
        ceph_encode_32(&p, ret);
        ret = p + ret - msg_buf;
out:
        return ret;
}
---

The code above, at part [3], calls a function pointer from the ceph_auth_client structure without any check of whether it's null or something else. Moreover, as you can see in the next part, some function pointers in the structure haven't been defined at all. Here are the problematic structure prototypes below.

http://lxr.linux.no/linux+v3.9.6/include/linux/ceph/auth.h
---
...
struct ceph_auth_client_ops {
        const char *name;
        ...
        /*
         * build requests and process replies during monitor
         * handshake.  if handle_reply returns -EAGAIN, we
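The check a defender would want at part [3], as an added example that is neither the kernel's code nor the advisory author's: a small user-space model of an ops table in which one backend leaves a callback unset, with the unchecked dispatch shown beside a guarded one that treats a missing callback as "unsupported" instead of calling it. Every name here (auth_client_ops, full_ops, none_ops, the "ticket-request" payload) is constructed for the illustration and does not correspond to libceph identifiers.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Hypothetical, simplified ops table: each backend fills in the callbacks it
 * supports and leaves the rest NULL, which is the shape the advisory describes. */
struct auth_client;

struct auth_client_ops {
    const char *name;
    int (*handle_reply)(struct auth_client *ac, int result);                  /* mandatory */
    int (*build_request)(struct auth_client *ac, uint8_t *buf, size_t len);  /* optional */
};

struct auth_client {
    const struct auth_client_ops *ops;
    uint32_t protocol;
};

/* Backend "full": implements both callbacks. */
static int full_handle_reply(struct auth_client *ac, int result) {
    (void)ac;
    return result != 0 ? -EAGAIN : 0;   /* non-zero reply: peer wants another round */
}
static int full_build_request(struct auth_client *ac, uint8_t *buf, size_t len) {
    (void)ac;
    const char payload[] = "ticket-request";   /* constructed placeholder payload */
    if (len < sizeof(payload)) return -ERANGE;
    memcpy(buf, payload, sizeof(payload));
    return (int)sizeof(payload);               /* 15 bytes including the NUL */
}
static const struct auth_client_ops full_ops = { "full", full_handle_reply, full_build_request };

/* Backend "none": never needs a follow-up request, so build_request stays NULL,
 * yet a peer reply can still steer it onto the -EAGAIN path. */
static int none_handle_reply(struct auth_client *ac, int result) {
    (void)ac;
    return result != 0 ? -EAGAIN : 0;
}
static const struct auth_client_ops none_ops = { "none", none_handle_reply, NULL };

/* Unchecked dispatch: calling this with a backend whose build_request is NULL
 * dereferences a NULL function pointer. Shown for contrast; only used with full_ops. */
static int build_request_unchecked(struct auth_client *ac, uint8_t *buf, size_t len) {
    return ac->ops->build_request(ac, buf, len);
}

/* Checked dispatch: a missing callback is an error code, never a call. */
static int build_request_checked(struct auth_client *ac, uint8_t *buf, size_t len) {
    if (!ac->ops || !ac->ops->build_request)
        return -EOPNOTSUPP;
    return ac->ops->build_request(ac, buf, len);
}

/* The advisory's control flow: handle the reply, and if the backend asks for
 * another round, build the follow-up request through the guarded path. */
static int handle_reply_checked(struct auth_client *ac, int result, uint8_t *buf, size_t len) {
    int ret = ac->ops->handle_reply(ac, result);
    if (ret == -EAGAIN)
        ret = build_request_checked(ac, buf, len);
    return ret;
}

/* Registration-time validation: reject a table missing a mandatory callback
 * before it can ever be dispatched to. */
int ops_table_valid(const struct auth_client_ops *ops) {
    return ops && ops->name && ops->handle_reply;
}

int demo_full_round(void) {            /* 15: request built normally */
    uint8_t buf[64];
    struct auth_client ac = { &full_ops, 1 };
    return handle_reply_checked(&ac, 1, buf, sizeof buf);
}
int demo_full_unchecked(void) {        /* 15: unchecked path is fine when the callback exists */
    uint8_t buf[64];
    struct auth_client ac = { &full_ops, 1 };
    return build_request_unchecked(&ac, buf, sizeof buf);
}
int demo_none_round(void) {            /* -EOPNOTSUPP instead of a NULL dereference */
    uint8_t buf[64];
    struct auth_client ac = { &none_ops, 0 };
    return handle_reply_checked(&ac, 1, buf, sizeof buf);
}
int demo_none_no_followup(void) {      /* 0: nothing to build, no follow-up needed */
    uint8_t buf[64];
    struct auth_client ac = { &none_ops, 0 };
    return handle_reply_checked(&ac, 0, buf, sizeof buf);
}

int main(void) {
    printf("full  round: %d\n", demo_full_round());
    printf("none  round: %d (EOPNOTSUPP=%d)\n", demo_none_round(), EOPNOTSUPP);
    printf("none  idle : %d\n", demo_none_no_followup());
    printf("tables valid: full=%d none=%d\n", ops_table_valid(&full_ops), ops_table_valid(&none_ops));
    return 0;
}
```

The two guards complement each other: ops_table_valid() catches a table that is malformed at registration, while build_request_checked() handles the legitimate case of an optional callback that a backend simply does not provide, so a remote reply can push the client onto that path without a crash.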
Re: [Full-disclosure] VLC media player MKV Parsing POC
Are you really that dumb or are you just pretending? The crash you showed does not control eip. It's not even a write access violation. Instead it's a READ access violation. And you try to write into the register (not even arbitrary memory, hence even if the read is successful you may or may not gain anything depending on further instructions).

Btw. Nice linkedin profile. You must be top-notch security expert. Blya!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Ground Zero Summit - Call For Papers
Hi All,

Ground Zero Infosec Summit is an initiative of an independent apex not-for-profit body and is an outcome of an alliance between industry and the Government of India to tackle emerging cyber security threats against critical information infrastructure. The summit is supported by the Govt. of India.

Call for Papers and workshops is open for Ground Zero Summit. We expect quality papers with highly technical research in the field of information security. At Ground Zero Summit it is our endeavour to promote new and interesting ideas that will change the outlook of information security. Hence we have decided to reward new research with an honorarium of USD 500 in addition to the speaker benefits. Please read the CFP below for details on the speaker benefits and the format of submission.

*Tracks and relevant submissions*

G0S will be a triple track conference and we are looking for paper submissions under any one of the tracks.

*1. Systems Track* (OS/Systems/Application/Hardware)
- OS exploitation
- Application hacking
- Rootkits and Malware
- Forensics and Anti-forensics
- SCADA security and exploitation
- Telecom equipment security and exploitation
- Embedded device/hardware security and exploitation
- Malware on the mobile platform – Android, Windows OS, Symbian
- Mobile Application Security

*2. Communications Track* (Communication and Networks)
- Protocol exploitation and security
- Botnet communication, C&C and takedowns
- Web hacking
- Radio communication hacking
- GSM/3G/LTE/5G networks – security and exploitation
- Satellite communication hacking
- Network security
- Intrusion prevention (and evasion) techniques
- APT prevention (and evasion) techniques
- Replacing network Security with “Intelligent, self automated Networks”
- Growth of Mobile Data Networks with repercussions for the same

*3. Strategy Track* (Gov/GRC/Cyber warfare/CII)
- GRC
- Privacy
- Social media in context of security and Privacy
- Surveillance
- Auditing
- New age Cyber warfare/Cyber intelligence/Cyber terrorism/Cyber crimes
- Upcoming information security trends
- Critical infrastructure Protection
- Cyber security in context of the Govt.
- Global Cyber Diplomacy
- IT Act 2008 in light of Prism Surveillance
- Security VS privacy
- Evolving role of CERT to protect country’s citizens against external and internal intrusions
- Repercussions of PRISM surveillance leak on Social Media

*Paper Presentation*
1. Talk duration: 1 Hr including Q&A
2. Paper has to be innovative.

*Workshops*
1. Workshop duration: Half day, One day or Two Days
2. Workshop has to be up-to-date, hands-on and have very limited or no theory.

*Speaker Privileges*
The speaker privileges are provided to only one speaker in case there are two or more speakers.
1. Return economy airfare. We will book the ticket for the speaker. In case the speaker wants to book his/her own tickets, he/she needs to inform us about the same and a maximum of USD 1400 or the ticket cost, whichever is less, will be reimbursed to the speaker.
2. Three nights accommodation.
3. One speaker pass and one complimentary conference pass.
4. Invitation to Conference party.
5. Honorarium: An honorarium of USD 500 will be given to only those talks that are new, highly technical and have never been presented or published before (before G0S 2013) anywhere online or offline. Please note that the Ground Zero staff will determine whether the paper is to be considered for an honorarium or not and their decision will be final based on the technical depth of the talk and whether it has been presented/published before. The selected speakers will be notified about the same in our acceptance email. The honorarium is only for paper presentations.

*Important dates*
1. CFP opens – 25th June 2013
2. First round of speaker list – 1st August 2013
3. CFP closes – 30th September 2013
4. Final speaker list – 10th October 2013

*Submit*
Send an email to cfp[ at ]g0s.org with the subject: G0S 2013 CFP

*Submission format*
1. Paper Title
2. Name
3. Organization and Designation
4. Brief Profile of yourself
5. Phone No.
6. Track
7. Abstract of the Paper/Workshop
8. Have you presented/published/submitted this paper anywhere else? Where?
9. Why do you think it is a quality presentation/workshop?
10. Detailed Paper/Workshop (please attach with the email)
11. Your photo (please attach with the email)

- G0S CFP
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something, as once I rebooted it was gone... Tried it again today in a different place and same deal. Reboot, no new user... Anyone have this working after reboot?

Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.

On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation. Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] VLC media player MKV Parsing POC
1. The crash you showed does not control eip (it's not a stack-based bof)
2. not even arbitrary memory (check further instructions)

On Wed, Jul 10, 2013 at 3:03 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Hello list,
>
> regarding to nonsense VLC post
> http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia?pub=0#pr
>
> 1. we said that this was a crash, not an exploitable security issue and funny publication
>
> Comment
> You forget to mention the most important thing: If Secunia Research is professional, why don't they provide you with a working exploit? (in example EIP = 0x41414141) I'm sure a company like VUPEN would do just that to prove their point. Isn't it worth pointing out on other sites? (e.g. netsec)
>
> I really like this https://twitter.com/Secunia/status/337140449712156672
> you can spot _two_ lies - first they don't find ANY vuln, second they're lying about the timeframe.
>
> Here is your VUPEN 0x41414141
>
> ModLoad: 64fb 650d8000   C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
> (be8.f0c): Access violation - code c005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=
> 0:010> g
> (be8.f0c): Access violation - code c005 (!!! second chance !!!)
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=
> 0:010> r ecx
> ecx=41414141
> 0:010> d ecx
> 41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
>
> POC included
>
> Stay Secure
> Regards
> Kaveh
Re: [Full-disclosure] VLC media player MKV Parsing POC
On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> 1. The crash you showed does not control eip (it's not a stack-based bof)

And? You still need to control EIP or the exploit doesn't, you know, actually work. :P

> 2. not even arbitrary memory (check further instructions)

You posted only one instruction and it's a read operation, proving nothing. You're either lazy or don't actually get what's going on.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] VLC media player MKV Parsing POC
> You're either lazy

I did. I really don't appreciate your troll (without any investigation and analysis).

On Wed, Jul 10, 2013 at 3:03 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
Re: [Full-disclosure] VLC media player MKV Parsing POC
Mario,

As far as I see, the code snippet provided (the only insn) dereferences an attacker-controlled value. What happens next is not really clear since it is only one insn in the dump and I am too lazy to actually install VLC and dig in, but it shows that you can at least control the contents of ECX. If Kaveh would be so kind as to post the following insns in the stream, we could see what this may lead to. If the next insn is, say, CALL [EDX+10h], well, there you go -- you own the control flow.

2013/7/10 Mario Vilas <mvi...@gmail.com>:
Re: [Full-disclosure] Multiple vulnerabilities found in NSA website
On 30 June 2013 16:57, Kingcope wrote:
The US is spying on us .. Huh? Why didn't you tell us before !

He's also the only one still detecting communism in 2013...

--
Marco Ermini
root@human # mount -t life -o ro /dev/dna /genetic/research
http://www.linkedin.com/in/marcoermini
Jesus saves... but Buddha makes incremental back-ups!
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
It won't. The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it. The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive. What you can do is: take the SAM, modify somewhere else (not a windows expert though), re-inject and gain local access (which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset).

On 9 July 2013 20:39, some one <s3cret.squir...@gmail.com> wrote:
[Full-disclosure] [Security-news] SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service
View online: https://drupal.org/node/2038801

* Advisory ID: DRUPAL-SA-CONTRIB-2013-056
* Project: Stage File Proxy [1] (third-party module)
* Version: 7.x
* Date: 2013-July-10th
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities

DESCRIPTION
-----------
This module saves time and disk space by sending requests to your development environment's files directory to the production environment and making a copy of the production file in your development site.

An attacker could make repeated requests to the server, even over a long period, which would degrade the performance of all file handling and potentially prevent certain file operations.

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* Stage File Proxy 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Stage File Proxy [4] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
* If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage File Proxy 7.x-1.4 [5]

Also see the Stage File Proxy [6] project page.

REPORTED BY
-----------
* Mike Carper [7]

FIXED BY
--------
* Stefan M. Kudwien [8]
* Greg Knaddison [9] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/stage_file_proxy
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/stage_file_proxy
[5] https://drupal.org/node/2038799
[6] http://drupal.org/project/stage_file_proxy
[7] http://drupal.org/user/282446
[8] http://drupal.org/user/48898
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news
[Full-disclosure] [Security-news] SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting
View online: https://drupal.org/node/2038363

* Advisory ID: DRUPAL-SA-CONTRIB-2013-055
* Project: Hatch [1] (third-party theme)
* Version: 7.x
* Date: 2013-July-10
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers.

The theme didn't sufficiently escape user supplied text prior to printing it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer content", "Create new article", or "Edit any article type content".

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* Hatch theme 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Hatch [4] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
* If you use the Hatch theme for Drupal 7.x, upgrade to Hatch 7.x-1.4 [5]

Also see the Hatch [6] project page.

REPORTED BY
-----------
* Daniel Nitsche [7]

FIXED BY
--------
* Daniel Nitsche [8]

COORDINATED BY
--------------
* Lee Rowlands (larowlan) [9] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

[1] http://drupal.org/project/hatch
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/hatch
[5] https://drupal.org/node/2038189
[6] http://drupal.org/project/hatch
[7] https://drupal.org/user/1151108
[8] https://drupal.org/user/1151108
[9] http://drupal.org/user/395439
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[Full-disclosure] [Security-news] SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)
View online: https://drupal.org/node/2038807

* Advisory ID: DRUPAL-SA-CONTRIB-2013-057
* Project: TinyBox (Simple Splash) [1] (third-party module)
* Version: 7.x
* Date: 2013-July-10
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

DESCRIPTION
-----------
TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide a Splash Screen/Window as simple as possible.

The module doesn't filter user-supplied text prior to display.

The vulnerability is mitigated by the fact that an attacker must have the permission "administer tinybox".

CVE IDENTIFIER(S) ISSUED
------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

VERSIONS AFFECTED
-----------------
* TinyBox 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed TinyBox (Simple Splash) [4] module, there is nothing you need to do.

SOLUTION
--------
Install the latest version:
* If you use the TinyBox module for Drupal 7.x, upgrade to TinyBox 7.x-2.2 [5]

Also see the TinyBox (Simple Splash) [6] project page.

REPORTED BY
-----------
* Daniel Nitscher [7]

FIXED BY
--------
* Wendy William, S.Kom [8] the module maintainer

COORDINATED BY
--------------
* Greg Knaddison [9] and Peter Wolanin [10] of the Drupal Security Team

CONTACT AND MORE INFORMATION
----------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14].

[1] http://drupal.org/project/tinybox
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/tinybox
[5] https://drupal.org/node/2031575
[6] http://drupal.org/project/tinybox
[7] https://security.drupal.org/user/38183
[8] https://drupal.org/user/75798
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/49851
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[Full-disclosure] Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
Title: == Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability Date: = 2013-07-09 References: === http://www.vulnerability-lab.com/get_content.php?id=1000 VL-ID: = 1000 Common Vulnerability Scoring System: 6.7 Introduction: = Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required. Features ... [Server] function Easily access your files from any web browser. Easily upload and download your photo from photo libraries via web browser. [My Files] function Preview/Move/Copy/Delete/Unzip/Rename/Email file and Create new directory on your iPhone, iPod touch iPad. Image: png, jpg, gif Document: Word, PowerPoint, Excel, PDF Compressed: zip Text-base: txt, html, php, js, css Media: mp3, wav, mp4, mov Save Word, PowerPoint, Excel and PDF files from other apps to Air Drive, include Apple’s Email app and Safari. Open All types of file from Air Drive to other apps such as Dropbox. [Settings] function Add Password to prevent unauthorized access to your files. Customize the Server port and Real-time On/Off the sharing functions and takes effect immediately to restrict the access from web browser (Copy of the Homepage: https://itunes.apple.com/de/app/air-drive-plus-your-file-manager/id422806570 ) Abstract: = The Vulnerability Laboratory Research Team discovered a remote file include vulnerability in the Air Drive Plus 2.4 application (Apple iOS - iPadiPhone). Report-Timeline: 2013-07-09:Public Disclosure (Vulnerability Laboratory) Status: Published Affected Products: == Apple AppStore Product: Air Drive Plus 2.4 Exploitation-Technique: === Remote Severity: = High Details: A local file include and arbitrary file upload web vulnerability is detected in the Air Drive Plus 2.4 application (Apple iOS - iPadiPhone). The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on application-side of the service. 
The vulnerability is located in the file upload/add (AirDriveAction_file_add) module of the web-server (http://localhost:8000/) when processing to request a manipulated filename via POST. The injected file will be accessable via the index listing module of the application. Remote attackers can exchange the filename with a double or tripple extension bia POST method to bypass the upload validation and filter process. After the upload the attacker access the file with one extension and exchange it with the other one to execute for example php codes. A persistent script code injection is detected in the filename parameter. Attackers can tamper the request and exchange the file name with persistent malicious script code or tags. The code will be executed in the main index site when processing to list the object (file) items. Attackers are also able to inject persistent code with local frame requests to unauthorized access application data/apps or restricted application information. The execution of the persistent code also occurs when an application user is processing to delete the malicious context. The injected code is stored and will be executed from the delete notification and protection message. Exploitation of the vulnerability requires no user interaction and also without privilege application user account (no password standard). Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload. Vulnerable Application(s): [+] Air Drive Plus 2.4 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] File Upload (Web Server) [Remote] Vulnerable File(s): [+] AirDriveAction_file_add Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Application Index Listing (http://localhost:8000/) Proof of Concept: = The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account and also without user interaction. 
For demonstration or reproduce ... 1.1 trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px width=20px/tdtda target=_blank href=http://192.168.2.104:8000/AirDriveAction_file_show/;/private/var/mobile/Applications;;/private/var/mobile/Applications//a/td td27,27KB/tdtd align=center2013-07-08 23:07:52/tdtd align=center a onclick=javascript:delfile(/private/var/mobile/Applications); class=transparent_buttonDelete/a/td/tr 1.2 trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px width=20px/tdtda target=_blank
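As an added illustration (not code from the advisory and not the Air Drive Plus app's own server code), the Python below models the two weaknesses the advisory describes: an extension filter that a double or triple extension slips past, next to a hardened filename policy, and an index-listing row that escapes the filename in each context the advisory names (the listing text, the link, and the delete handler's JavaScript argument). The extension allow-list is taken from the file types the app's description advertises; the `DOWNLOAD_ONLY` set, the random server-side name, and the exact HTML shape of the row are my assumptions.

```python
import html
import json
import os
import re
import secrets
import urllib.parse

# File types the app's description advertises. Note that html/php/js/css are
# legitimately accepted, so an extension check alone cannot keep script
# content off the server; what matters is that it is never rendered inline.
ALLOWED_EXTENSIONS = {
    "png", "jpg", "gif", "doc", "docx", "ppt", "pptx", "xls", "xlsx", "pdf",
    "zip", "txt", "html", "php", "js", "css", "mp3", "wav", "mp4", "mov",
}
# Assumed policy: active content is served as a download, never inline.
DOWNLOAD_ONLY = {"html", "php", "js", "css"}

_SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _()-]{0,99}$")


def weak_is_allowed(filename: str) -> bool:
    """Models the kind of check a double/triple extension defeats: it passes
    if *any* extension in the name is on the allow-list, so both
    "shell.php.png" and "shell.png.php" are accepted."""
    parts = filename.lower().split(".")[1:]
    return any(p in ALLOWED_EXTENSIONS for p in parts)


def hardened_filename(filename: str) -> tuple:
    """Returns (server_side_name, display_name) or raises ValueError.

    Rules: strip any path, require exactly one dot, allow-list the final
    extension, restrict the stem to a safe character set, and store under a
    random server-side name so the client never chooses the on-disk name."""
    base = os.path.basename(filename.replace("\\", "/"))  # drops traversal too
    if base.count(".") != 1:
        raise ValueError("exactly one extension required")
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: " + ext)
    if not _SAFE_STEM.match(stem):
        raise ValueError("filename contains disallowed characters")
    stored = secrets.token_hex(16) + "." + ext
    return stored, stem + "." + ext


def content_disposition(display_name: str) -> str:
    """Header used when serving a stored file: inline only for passive types."""
    ext = display_name.rsplit(".", 1)[-1].lower()
    kind = "attachment" if ext in DOWNLOAD_ONLY else "inline"
    return '%s; filename="%s"' % (kind, display_name)


def listing_row(display_name: str, size: str, mtime: str) -> str:
    """One row of the index listing with the name encoded for every context
    it lands in: percent-encoded in the href, HTML-escaped as text, and
    JSON-encoded then HTML-escaped inside the onclick attribute."""
    href = html.escape(urllib.parse.quote(display_name), quote=True)
    text = html.escape(display_name, quote=True)
    js_arg = html.escape(json.dumps(display_name), quote=True)
    return (
        '<tr><td><a target="_blank" href="/AirDriveAction_file_show/%s">%s</a></td>'
        "<td>%s</td><td>%s</td>"
        '<td><a onclick="delfile(%s)" class="transparent_button">Delete</a></td></tr>'
        % (href, text, html.escape(size), html.escape(mtime), js_arg)
    )
```

`weak_is_allowed` is only there to show the bypass shape; `hardened_filename` rejects any name with more than one dot rather than trying to reason about which extension "wins", and `listing_row` is safe even for a name that `hardened_filename` would have refused, which is the belt-and-braces the advisory's persistent injection calls for.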
[Full-disclosure] OpenSSH User Enumeration Time-Based Attack
Hi List,

today we will show a bug concerning OpenSSH. OpenSSH is the most used remote control software nowadays on *nix-like operating systems. Legacy claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a version at: https://www.openssh.com.

By testing several OpenSSH installations we figured out there is a time delay when it comes to cracking users (not) existing on a system. A normal brute-force attack tests for the correct user and password combination, usually without knowledge of whether the user exists on the system. For instance, the attacker is interested in the all-mighty "root" aka "toor" account. He might go for password combinations like: root:root, root:toor, root:password, root:system and so on. Permanent attacks against the service normally running on port 22/tcp imply that SSH brute-force attacks are still profitable.

If you are an auditor and want to check for interesting accounts it might be worth knowing which ones are available on the system to run a more focused attack. To assist you with this, there is a little trick to find out a user name before trying to crack it. To do this the length of the password needs to be increased massively. In our case we go with 39,000 characters (A's). Trying those passwords against an existing and a non-existing account shows quite a high delay.

Find the rest of the post + some example code at the blogpost.
http://cureblog.de/openssh-user-enumeration-time-based-attack/

Cheers,
Curesec Research Team

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
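The post refers to the blog for its example code; what follows is an added model of why a very long password separates existing from non-existing users, written for this page and not taken from Curesec or from the OpenSSH sources. The toy hash's per-round cost grows with the password length, as it does in the SHA-crypt family; `leaky_check` skips the hash entirely for unknown users, which is the behaviour the measurement relies on, and `constant_work_check` hashes against a dummy record so both paths do the same work. Account names, passwords, salts and the round count are constructed for the example; the real sshd code path is more involved than this.

```python
import hashlib
import hmac
import time

ROUNDS = 1000  # toy work factor (assumed); real crypt schemes use thousands


def slow_hash(password: bytes, salt: bytes, rounds: int = ROUNDS):
    """Toy password hash. Like SHA-crypt, every round feeds the whole
    password back in, so cost grows with rounds * len(password).
    Returns (digest, bytes_hashed) so work can be compared exactly rather
    than through noisy wall-clock measurements."""
    digest = hashlib.sha256(salt + password).digest()
    work = len(salt) + len(password)
    for _ in range(rounds):
        digest = hashlib.sha256(digest + password).digest()
        work += len(digest) + len(password)
    return digest, work


SALT = b"constructed-salt"  # 16 bytes, constructed
# Constructed account database: user -> (salt, stored hash).
SHADOW = {
    "root": (SALT, slow_hash(b"toor", SALT)[0]),
    "alice": (SALT, slow_hash(b"hunter2", SALT)[0]),
}
# Dummy record (same salt length) used for unknown users so the hash still runs.
FAKE_SALT = b"unknown-usr-salt"
FAKE_HASH = slow_hash(b"never-matches", FAKE_SALT)[0]


def leaky_check(username: str, password: bytes):
    """Models the behaviour the post measures: an unknown user is rejected
    before any hashing, so the work (and the response time) reveals whether
    the account exists. Returns (authenticated, bytes_hashed)."""
    record = SHADOW.get(username)
    if record is None:
        return False, 0
    salt, expected = record
    digest, work = slow_hash(password, salt)
    return hmac.compare_digest(digest, expected), work


def constant_work_check(username: str, password: bytes):
    """Hashes against a dummy record when the user does not exist, so known
    and unknown users cost the same for a given password length."""
    record = SHADOW.get(username)
    salt, expected = record if record is not None else (FAKE_SALT, FAKE_HASH)
    digest, work = slow_hash(password, salt)
    ok = hmac.compare_digest(digest, expected) and record is not None
    return ok, work


def timing_delta(check, existing: str, missing: str, length: int = 39000) -> float:
    """Wall-clock gap (seconds) between probing an existing and a missing user
    with the post's 39,000-character password. Demonstration only; the work
    counters above are the exact measure."""
    pw = b"A" * length
    t0 = time.perf_counter()
    check(existing, pw)
    t1 = time.perf_counter()
    check(missing, pw)
    t2 = time.perf_counter()
    return (t1 - t0) - (t2 - t1)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_check), ("constant-work", constant_work_check)):
        print("%-14s root vs nosuchuser delta: %+.3fs" % (name, timing_delta(fn, "root", "nosuchuser")))
```

Run stand-alone, the leaky variant shows a positive delta that scales with the password length, while the constant-work variant hovers around zero. The remaining difference in the fixed variant is the account lookup itself, which is why real implementations also pin the dummy record's hash algorithm and cost to match the ones real accounts use.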
[Full-disclosure] VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
Hi @ll,

the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party) components:

1. Adobe Flash Player Plugin 11.5.502.110

| X:\filever.exe /S %ProgramFiles%\Adobe\npswf*.dll
|
| x:\program files\adobe\reader 11.0\reader\npswf*.dll
| --a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll

Cf. http://www.adobe.com/support/security/bulletins/apsb13-17.html,
http://www.adobe.com/support/security/bulletins/apsb13-16.html,
http://www.adobe.com/support/security/bulletins/apsb13-14.html,
http://www.adobe.com/support/security/bulletins/apsb13-11.html,
http://www.adobe.com/support/security/bulletins/apsb13-09.html,
http://www.adobe.com/support/security/bulletins/apsb13-08.html,
http://www.adobe.com/support/security/bulletins/apsb13-05.html,
http://www.adobe.com/support/security/bulletins/apsb13-04.html,
http://www.adobe.com/support/security/bulletins/apsb13-01.html and
http://www.adobe.com/support/security/bulletins/apsb12-27.html

The wise guys at Adobe missed 10 security updates of their own product!

2. MSVC++ 2008 runtime libraries 9.0.21022.8

| X:\filever.exe /S %SystemRoot%\WinSxS\msvc?90.dll
|
| x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll

These DLLs have been updated several times since 2007-11-07, cf.
http://support.microsoft.com/kb/973551 and
http://support.microsoft.com/kb/973552 alias
http://www.microsoft.com/technet/security/bulletin/ms09-035
as well as
http://support.microsoft.com/kb/2467174 and
http://support.microsoft.com/kb/2538243 alias
http://www.microsoft.com/technet/security/bulletin/ms11-025

JFTR: Adobe Reader XI was released 2012-09-24, more than one year after MS11-025!

3. MSVC++ 2010 runtime libraries 10.0.40219.1

| X:\filever.exe /S %SystemRoot%\System32\msvc?100.dll
|
| x:\windows\system32\msvcp100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
| x:\windows\system32\msvcr100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll

Cf. http://support.microsoft.com/kb/24671743 and
http://support.microsoft.com/kb/2565063 alias
http://www.microsoft.com/technet/security/bulletin/ms11-025

JFTR: Adobe Reader XI was released 2012-09-24, more than one year after MS11-025!

Unfortunately, the wise guys at Adobe don't know the platform on which their product runs and include the MSVC++ 2008 and 2010 runtimes via MSI merge module. Due to a well-known idiosyncrasy of Windows Update Agent, M$FT components installed via MSI merge module are NOT detected and thus not updated by M$FT ... although M$FT advises their users to do so! From the FAQ section of http://www.microsoft.com/technet/security/bulletin/ms11-025:

| In the case where a system has no MFC applications currently installed but
| does have the vulnerable Visual Studio or Visual C++ runtimes installed,
| Microsoft recommends that users install this update as a defense-in-depth
| measure, in case of an attack vector being introduced or becoming known at
| a later time.

4. Additionally, the following dangling references to Acrobat.exe are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\Acrobat.exe"

The latter allows the execution of a rogue program named Acrobat.exe from CWD via OLE in the security context of the logged-on user. Cf. http://technet.microsoft.com/security/advisory/2269637

5. On Windows XP the following superfluous registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
"Policy"=dword:0003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
"AppName"="AcroBroker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
"Policy"=dword:0003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32Info.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
"Policy"=dword:0003
"AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
"AppName"="AdobeARM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
"Policy"=dword:0003
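An added audit script for the two conditions the post lists; it is mine, not Stefan Kanthak's and not an Adobe or Microsoft tool. It reads the file version of the bundled DLLs through version.dll (the same VS_FIXEDFILEINFO that filever.exe prints) and flags anything at or below the versions the post observed, and it walks HKLM\SOFTWARE\Classes for `protocol\StdFileEditing\server` values that are not fully qualified paths. The search patterns and the known-vulnerable table come from the post; treating only drive-rooted and UNC paths as qualified is my assumption, and a version newer than the table is not automatically patched, so compare it against the bulletins cited above.

```python
import ctypes
import glob
import os
import struct
import sys

# Versions the post observed Adobe Reader 11.0.03 shipping. At or below
# these is known-bad; newer still needs checking against the bulletins.
KNOWN_VULNERABLE = {
    "npswf32.dll": (11, 5, 502, 110),
    "msvcm90.dll": (9, 0, 21022, 8),
    "msvcp90.dll": (9, 0, 21022, 8),
    "msvcr90.dll": (9, 0, 21022, 8),
    "msvcp100.dll": (10, 0, 40219, 1),
    "msvcr100.dll": (10, 0, 40219, 1),
}

# Locations from the post; %VAR% is expanded at run time (assumed layout).
SEARCH_PATTERNS = [
    r"%ProgramFiles%\Adobe\Reader 11.0\Reader\npswf*.dll",
    r"%SystemRoot%\WinSxS\x86_microsoft.vc90.crt_*\msvc?90.dll",
    r"%SystemRoot%\System32\msvc?100.dll",
]


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.strip().split("."))


def is_known_vulnerable(name: str, version: str) -> bool:
    known = KNOWN_VULNERABLE.get(name.lower())
    return known is not None and parse_version(version) <= known


def is_unqualified_server(value: str) -> bool:
    """True when an OLE server command does not start with a fully qualified
    path (drive letter or UNC), e.g. the "\\Acrobat.exe" the post found: such a
    value is resolved through the loader's search order instead of naming one
    known binary."""
    v = value.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    if not v:
        return False
    drive_rooted = len(v) > 2 and v[0].isalpha() and v[1] == ":" and v[2] in "\\/"
    return not (drive_rooted or v.startswith("\\\\"))


def file_version(path: str):
    """Reads VS_FIXEDFILEINFO via version.dll; Windows only."""
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    fixed = ctypes.string_at(ptr.value, length.value)
    ms, ls = struct.unpack_from("<II", fixed, 8)  # dwFileVersionMS, dwFileVersionLS
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def dangling_ole_servers():
    """Yields (progid, value) for every HKLM\\SOFTWARE\\Classes\\<progid>\\
    protocol\\StdFileEditing\\server default value that is not fully qualified."""
    import winreg
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes")
    i = 0
    while True:
        try:
            progid = winreg.EnumKey(root, i)
        except OSError:
            break
        i += 1
        try:
            value = winreg.QueryValue(root, progid + r"\protocol\StdFileEditing\server")
        except OSError:
            continue
        if is_unqualified_server(value):
            yield progid, value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    for pattern in SEARCH_PATTERNS:
        for path in glob.glob(os.path.expandvars(pattern)):
            v = file_version(path) or "?"
            bad = v != "?" and is_known_vulnerable(os.path.basename(path), v)
            print("%-10s %-16s %s" % ("VULNERABLE" if bad else "check", v, path))
    for progid, value in dangling_ole_servers():
        print("DANGLING   %s\\protocol\\StdFileEditing\\server = %r" % (progid, value))
```

The script needs no elevation to read HKLM\SOFTWARE\Classes or the file headers. The OpenWithList entries the post also mentions are key names rather than paths and are resolved through App Paths, so they are not covered by the StdFileEditing check.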
[Full-disclosure] nginx 1.3.9/1.4.0 x86 brute force remote exploit (CVE-2013-2028)
(see attachment)

Kingcope

Attachment: ngxunlock.pl (binary data)

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [Foreground Security 2013-001]: Joomla AICONTACTSAFE 2.0.19 Extension Cross-Site Scripting (XSS) vulnerability
Joomla AICONTACTSAFE 2.0.19 Extension Cross-Site Scripting (XSS) vulnerability

FOREGROUND SECURITY, SECURITY ADVISORY 2013-001

- Original release date: July 10, 2013
- Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
- Verified by: Jose Carlos de Arriba (Pentest Team Manager at Foreground Security)
- Contact: (awillard (at) foregroundsecurity (dot) com)
- Severity: 4.3/10 (Base CVSS Score)

I. VULNERABILITY
Algis Info aiContactSafe Extension 2.0.19 (latest) Cross-Site Scripting (XSS) vulnerability (prior versions have not been checked but could be vulnerable too).

II. BACKGROUND
Algis Info aiContactSafe is a native Joomla component developed by Algis Info. You can use it to place a complex contact form on your web page. Here are some of the facilities that it can offer:
- custom fields
- captcha
- custom text related to the contact information
- multilingual support (through Joomfish)
- SEF through Artio JoomSEF or sh404SEF

III. DESCRIPTION
The Algis Info aicontactsafe 2.0.19 (latest) Extension presents a Cross-Site Scripting (XSS) vulnerability in the URL due to insufficient input/output sanitization. A malicious user could perform session hijacking or phishing attacks.

IV. PROOF OF CONCEPT
(This section has been removed per vendor request).

V. BUSINESS IMPACT
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
Joomla Extension, AlgisInfo com_aicontactsafe_2_0_19_stable Extension (prior versions have not been checked but could be vulnerable too).

VII. SOLUTION
Fixed in the 2.0.21.stable version release.

VIII. REFERENCES
http://www.algisinfo.com/
http://www.foregroundsecurity.com/

IX. CREDITS
This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com); verification and release coordination by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com).

X. REVISION HISTORY
- July 10, 2013: Initial release.

XI. DISCLOSURE TIMELINE
- April 2, 2013: Vulnerability discovered by Adam Willard.
- April 3, 2013: Vulnerability verified by Jose Carlos de Arriba.
- April 15: AlgisInfo aiContactSafe author contacted by email.
- April 15: Response from author and security advisory sent to him.
- April 16: Vulnerability fixed in the 2.0.21.stable version release.
- July 10: Security advisory released.

XII. LEGAL NOTICES
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.

Jose Carlos de Arriba, CISSP
Pentest Team Manager
Foreground Security
305-340-9964
jcarriba (at) foregroundsecurity . com
www.foregroundsecurity.com

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk. The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. Alternatively, commands may be emailed to full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance. It is expected that the list will be largely self-policing; however, in special circumstances (e.g. spamming, misappropriation) offending members may be removed from the list by the management. An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information. Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs. Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list. Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list. The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible. Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient. Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected. Members may post to the list by emailing full-disclosure@lists.grok.org.uk. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management. Alterations will be made after consultation with list members and a consensus has been reached.

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
While the detail is satisfying, I think this could all be filed under a single CVE entitled "Almost all Windows software ships outdated MSVC and other Microsoft runtime components in direct contravention of the license."

I gave up trying to report this sort of thing back with Dropbox, years ago, when I pointed out that possibly Python 2.5 wasn't the best version to ship with the Windows client. To their credit, one of the developers blew me off within scant minutes, which is an almost unprecedented response time for security issues.

Still, if you're interested in outdated MSVC components, I suggest Cyberlink PowerDVD ( http://www.cyberlink.com/products/powerdvd-ultra/features_en_US.html ). On my last examination, it shipped multiple, internally redundant versions of MSVC6, 7, 8, and 9. It probably includes outdated MSVC10 DLLs by now, too.

PS: Most applications seem to include thoroughly outdated Windows components for extra credit, such as UNICOWS.DLL (very common) or old DirectX components. I'm reasonably certain that redistributing core Windows DLLs has always been in contravention of the Windows licenses.

On 2013-07-10 17:21:48 (+0200), Stefan Kanthak wrote:
> Hi @ll,
>
> the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party) components:

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Jul 10, 2013 1:51 PM, Gregory Boddin <greg...@siwhine.net> wrote:
> It won't. The whole point is to have full local access to hard-drives (from a locked workstation, for eg), to modify/read things in it. The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>
> What you can do is: take the SAM, modify it somewhere else (not a Windows expert though), re-inject it and gain local access (which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run on that workstation once the password is reset).

Hmm, not sure about this... Haven't tried but let's say we can copy the SAM off the box somehow, recovery console is running as system which can read the SAM and

> On 9 July 2013 20:39, some one <s3cret.squir...@gmail.com> wrote:
>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something, as once I rebooted it was gone... Tried it again today in a different place and same deal. Reboot, no new user... Anyone have this working after reboot?
>>
>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>
>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation. Keep in mind domain policies are applied at startup and periodically.

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
> Haven't tried but lets say we can copy the SAM off the box somehow, recovery console is running as system which can read the SAM and

Did Candlejack get you or somethi

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Jul 10, 2013 9:16 PM, some one <s3cret.squir...@gmail.com> wrote:
> On Jul 10, 2013 1:51 PM, Gregory Boddin <greg...@siwhine.net> wrote:
>> It won't. The whole point is to have full local access to hard-drives (from a locked workstation, for eg), to modify/read things in it. The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>>
>> What you can do is: take the SAM, modify it somewhere else (not a Windows expert though), re-inject it and gain local access (which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run on that workstation once the password is reset).

Oops, pressed send... Try again...

Hmm, not sure about this... Haven't tried but let's say recovery console is running as system which can read the SAM and it lets us copy it off the box to a share or USB or whatever. If we can get it off, I'm guessing we can rip out the hashes for the users and attempt to crack them, spray them about or whatever... But changing one so we know the password and then putting it back, doubt this will work, will it, as essentially we are changing the SAM file anyway, aren't we, when we create a new legit user through net commands, and it discards this change when we reboot. Or are there 2 SAM files? One in the live environment which disappears and the real one... Pass, I will try it out again when I get 10 mins.. :-)

>> On 9 July 2013 20:39, some one <s3cret.squir...@gmail.com> wrote:
>>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something, as once I rebooted it was gone... Tried it again today in a different place and same deal. Reboot, no new user... Anyone have this working after reboot?
>>>
>>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>>
>>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation. Keep in mind domain policies are applied at startup and periodically.

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] OpenSSH User Enumeration Time-Based Attack
Oh, you're one of the group that's been pounding ports over the last couple of months from a block of /28's and /30's? Sure do appreciate the kind regard and heads up. Funny how about a week to two weeks after that ends your report shows up here. Good going...

This is old knowledge, and research is still considered unauthorized access to systems not in your control, no matter what you call it.

--
Jason Hellenthal
JJH48-ARIN

On Jul 10, 2013, at 9:38, Curesec Research Team <c...@curesec.com> wrote:

> Hi List,
>
> today we will show a bug concerning OpenSSH. OpenSSH is the most used remote control software nowadays on *nix-like operating systems. Legacy claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a version at: https://www.openssh.com.
>
> By testing several OpenSSH installations we figured out there is a time delay when it comes to cracking users (not) existing on a system. A normal brute-force attack tests for the correct user and password combination, usually without knowledge of whether the user exists on the system. For instance, the attacker is interested in the all-mighty "root" aka "toor" account. He might go for password combinations like: root:root, root:toor, root:password, root:system and so on. Permanent attacks against the service normally running on port 22/tcp imply that SSH brute-force attacks are still profitable.
>
> If you are an auditor and want to check for interesting accounts it might be worth knowing which ones are available on the system to run a more focused attack. To assist you with this, there is a little trick to find out a user name before trying to crack it. To do this the length of the password needs to be increased massively. In our case we go with 39,000 characters (A's). Trying those passwords against an existing and a non-existing account shows quite a high delay.
>
> Find the rest of the post + some example code at the blogpost.
> http://cureblog.de/openssh-user-enumeration-time-based-attack/
>
> Cheers,
> Curesec Research Team

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] OpenSSH User Enumeration Time-Based Attack
I haven't tried this yet but it makes sense. To avoid linearization attacks from figuring out sensitive data, there are specific precautions that are taken (some UNIX login program had a similar timing issue if I am not mistaken). From the looks of it, sshd is looking for the username in some file and if it doesn't exist, it waits some time and returns; if it does, then it calculates the long hash.

On Wed, Jul 10, 2013 at 6:38 AM, Curesec Research Team <c...@curesec.com> wrote:

> Hi List,
>
> today we will show a bug concerning OpenSSH. OpenSSH is the most used remote control software nowadays on *nix-like operating systems. Legacy claims it replaced unencrypted daemons like rcp, rsh and telnet. Find a version at: https://www.openssh.com.
>
> By testing several OpenSSH installations we figured out there is a time delay when it comes to cracking users (not) existing on a system. A normal brute-force attack tests for the correct user and password combination, usually without knowledge of whether the user exists on the system. For instance, the attacker is interested in the all-mighty "root" aka "toor" account. He might go for password combinations like: root:root, root:toor, root:password, root:system and so on. Permanent attacks against the service normally running on port 22/tcp imply that SSH brute-force attacks are still profitable.
>
> If you are an auditor and want to check for interesting accounts it might be worth knowing which ones are available on the system to run a more focused attack. To assist you with this, there is a little trick to find out a user name before trying to crack it. To do this the length of the password needs to be increased massively. In our case we go with 39,000 characters (A's). Trying those passwords against an existing and a non-existing account shows quite a high delay.
>
> Find the rest of the post + some example code at the blogpost.
> http://cureblog.de/openssh-user-enumeration-time-based-attack/
>
> Cheers,
> Curesec Research Team

--
Swair Mehta

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2719-1] poppler security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2719-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
July 10, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : poppler
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-1788 CVE-2013-1790
Debian Bug     : 702071

Multiple vulnerabilities were discovered in the poppler PDF rendering library.

CVE-2013-1788
    Multiple invalid memory access issues, which could potentially lead to arbitrary code execution if the user were tricked into opening a malformed PDF document.

CVE-2013-1790
    An uninitialized memory issue, which could potentially lead to arbitrary code execution if the user were tricked into opening a malformed PDF document.

For the oldstable distribution (squeeze), these problems have been fixed in version 0.12.4-1.2+squeeze3.

For the stable (wheezy), testing (jessie), and unstable (sid) distributions, these problems have been fixed in version 0.18.4-6.

We recommend that you upgrade your poppler packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQQcBAEBCAAGBQJR3goFAAoJELjWss0C1vRzoKgf/R+OofgadYk3a//DkMkzsV5N
nr+AffqAVZWkesDiq/HplDY4OSIPsmHyxDcVqJTbnp11Tcv4dDI8IqbYakAA/+C6
SBClk00Nnel2ut/eCU4Sn7T5PIgbhedfrGZDs0sf9uQZmxbyzo9jhuTDnmPxk9aL
qsTV4Druu8VcicNGHhUwPuCtZ5veHAEvvZs+cmAuPnzq4Ckh7l6Gf0cFu/SmJtXE
2eKkAtRUJwyTn9q9JffjnSmlNzt4Qg4+B7Itej1bn6QurPf116spPUxaBlQ0zOid
Ae7xHILIl7MglqKrJjh+sNBulzwHWDddmcxDi0kXvpzRrdccPvOyIRYTK55kkzTQ
jRaAT8AnN7M3H6OZu0IFhAY3AGQGl/44VdAaF8/K8V4nMgFINOBl0VtDyKojf2Y4
YbrVX3RbBFmAQS25f9Z/eXa8zRv9z9VJ+0CAgdoJ9t2hoqc/gCp5jE6HIZI0r0IW
qM/JjvTmJ3EjpKIiR8nu418X2Ep0NoiBOIyh6FCgvTUm2N8v4FGMUIXWwvg295Y9
tOGkSqL1nyv81q5jzjZDGx2pJyDgdbati0j1k99vnC0dQIJCnRl6TsNKeQU4ck43
4i3tXs2nxspdLK2Ln+GySmn0tXf1vjQ0c22wTpwz0JxTbOgx0RUjshwG9p1vSz9W
5m0V17a/vr/99e2W3Mr9oJumT8CFitymBocZ3wBEE66k0efPxIFlSbrLoDs/FEYr
uxbNZp6ntWnqxhFRiZ6QVxAvQV/ucedC0mo7FH5jJ2jT0+UTKFy/TFE73x9jnrbU
0IVDiSc0kcGFWdQ2icVnA1uaK0hKVT0fAziZMKeKyq6megN/T+/JmALXh/+BmZq5
CO5o6t66uTUzuzpg2aJSSiFZzgi0VhS4LmuVgvA8lN4l15E/a3zTDRdDN/c3Fs+m
dRFu5Z+Mt+PmCFrop8HP2CG8SIhLfcb5XF6xBLq6Ux61cBkxb965jqHGG5n5F46r
aDzm4hRHr1IKeaJyRGptcR/1IqnSYMfJ38Yj4QhgdIoeCSv5tmA9QlUoyb6L0Qry
oKK5oIetqjSSgoERMF308WIkgpKo4pXbisCIbOkxQFjdBwb0ky22NqPfkPMtPEyH
DdFxBgqm0ChD7BW1APYhDdvOxY3StucrhSzmB0SpICQM8qyVw6/UQUXzTPEsNnuQ
u1y0otoNEnGtV51+M+ysSInm1RpLVvw525R2ERK6rY/00Y5UjRic/Nwg04nq209+
gF4L2LS6y5iS6m7qxR1FrXL+xZuoaayF2sxEg6scF8Yi8BHof7T7mjOTO42AwfBR
A8Sa9gugKfjIJfxJeuxUd8SkwvwKErHG9QTMz0qbAAmYV0oBc/g9QtF+CiO6OBQ=
=VmMP
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/