[Full-disclosure] cURL/libcURL Arbitrary File Access
cURL/libcURL Arbitrary File Access

Release date: 03/Jan/2009
CVE: CVE-2009-0037

Quote from: http://curl.haxx.se/libcurl/:
libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE.

This vulnerability could permit remote arbitrary file access and command execution under “less-likely” circumstances. This is a joint advisory release with cURL. The latest version addresses this problem.

Full advisory available here: http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Livelink UTF-7 XSS Vulnerability
Release date: 31/Jan/2008
Last Modified: N/A
Author: David Kierznowski http://withdk.com
Application: Livelink = 9.7.0
Risk: Medium

Full details of advisory available here: http://www.withdk.com/2008/01/31/livelink-utf-7-xss-vulnerability/
[Full-disclosure] Hijacking Feeds with Feedburner
The famous Feedsmith Feedburner plugin is vulnerable to a CSRF attack that can allow an attacker to completely hijack blog feeds. Google responded quickly, and a fix is available.

The advisory includes a proof of concept exploit: http://blogsecurity.net/wordpress/feedburner-feed-hijacking/

--
DK
http://gnucitizen.org/about/dk
[Full-disclosure] Testing from the browser
Technika is a Firefox plugin http://www.gnucitizen.org/projects/technika/ that myself http://gnucitizen.org/about/dk and pdp http://gnucitizen.org/about/pdp were toying with some months back. The original idea behind this project was to provide independent self-contained security tools based on JavaScript which can be loaded and executed from the browser. TS Framework is an automated web application testing framework that is launched from the browser . . .

The advantage here over traditional security tools is that we utilize the existing browser functionality instead of re-inventing the wheel. In other words, Technika doesn't have to worry about network sockets, SSL libraries, whether it's OS independent and so on. Basically, anything the browser can do, we can.

Check out more info at: http://www.gnucitizen.org/blog/introducing-technika-security-framework/
[Full-disclosure] WordPress wp-feedstats persistent XSS
A persistent XSS vulnerability was found in wp-feedstats 2.4 by David Kierznowski http://gnucitizen.org/about/dk of GNUCITIZEN.

Details: http://blogsecurity.net/wordpress/news-260707/
[Full-disclosure] WordPress Community Vulnerable
RE: WordPress Community Vulnerable

Check out a recent survey of 50 WordPress blogs conducted at blogsecurity.net: http://blogsecurity.net/wordpress/articles/article-230507/
[Full-disclosure] One worm to rule them all
WordPress Adsense Deluxe Vulnerability

This vulnerability reminds me of the old hacker movies, where a worm is released that steals random pennies from unsuspecting victims. This vulnerability is the closest I have seen to this scenario.

See: http://michaeldaw.org/alerts/alerts-200507/
[Full-disclosure] WordPress 2.1.3 Akismet Vulnerability
David Kierznowski http://michaeldaw.org/alerts/alert-140507/ of Operation n http://michaeldaw.org/ has discovered a serious flaw in the Akismet http://akismet.com/ anti-spam plugin that comes *by default* with the latest version of WordPress (2.1.3) http://wordpress.org/download/ ...

More information at: http://michaeldaw.org/alerts/alert-140507/
[Full-disclosure] Michael Daw Anthology Award
michaeldaw.org is pleased to announce the first Michael Daw Anthology award. For those of you curious, an anthology is a collection of published works.

The original idea behind the michaeldaw.org website was to build stories upon a fictional hacking icon named Michael Daw, as well as to host other security related material. As a close friend pointed out to me, the name is very relevant when pondered upon. Some believe that the archangel Michael holds the keys to the doors of Heaven.

The full details of the competition will be provided soon. We are currently seeking sponsors to donate towards the winnings. For those who want to take part, please see the following URL for more information: http://michaeldaw.org/news/100507/
Re: [Full-disclosure] Anti-Virus vendors prove less-effective
James, this is the problem with AV in general and not specific to this problem. Detecting the problem: defense in depth mitigates zero-day; however, when very basic code gets past AV this is definitely an area that needs work.

On 24/04/07, James Matthews [EMAIL PROTECTED] wrote:
> How can these people put out a good product against scripts where you can change anything and it will still work!
>
> On 4/24/07, David Kierznowski [EMAIL PROTECTED] wrote:
>> Web Backdoor Compilation along with Dancho Danchev AV research has proven how less-effective many of these products are when detecting web malware. The results are certainly not a shocker but definitely an eye opener.
>>
>> WBC has certainly demonstrated what all security researchers already know, this area needs work!
>>
>> See: http://michaeldaw.org/news/news-042407/
>
> --
> http://www.goldwatches.com/watches.asp?Brand=39
> http://www.wazoozle.com
[Full-disclosure] Anti-Virus vendors prove less-effective
Web Backdoor Compilation along with Dancho Danchev AV research has proven how less-effective many of these products are when detecting web malware. The results are certainly not a shocker but definitely an eye opener.

WBC has certainly demonstrated what all security researchers already know, this area needs work!

See: http://michaeldaw.org/news/news-042407/
[Full-disclosure] WordPress template.php Exploit
It's been a few days since the release of: http://michaeldaw.org/md-hacks/wordpress-persistent-xss/.

Other references:
* http://www.securityfocus.com/bid/21782
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6808

Time to release a proof of concept exploit for this. I am sure the crackers will already be exploiting this in the wild. If you remember from my original advisory, our attack was limited due to our attack being passed through PHP's basename function. To get around this we borrow the characters from document.location. I wanted an exploit that was simple and compact.

If you're interested, the full article and code can be found here: http://michaeldaw.org/md-hacks/wordpress-templatephp-exploit/
Re: [Full-disclosure] WordPress Persistent XSS
Deepan,

Please see my most recent post: http://michaeldaw.org/md-hacks/wordpress-templatephp-exploit/

David

On 30/12/06, Deepan [EMAIL PROTECTED] wrote:
> On Wed, 2006-12-27 at 09:33 +, David Kierznowski wrote:
>> Vulnerability Title: WordPress Persistent XSS
>> Author: David Kierznowski
>> Homepage: http://michaeldaw.org
>> Software Vendor: WordPress Persistent XSS
>> Versions affected: Confirmed in v2.0.5 (latest)
>> See homepage for more details.
>>
>> WordPress was contacted: 26/12/06 22:04 BST
>> Reply received: 27/12/06 06:11 BST
>> WordPress has fixed this for v2.0.6, see http://trac.wordpress.org/changeset/4665
>
> Don't you need admin privileges to access the templates.php url? Am I overseeing anything?
>
> --
> ---
> Regards
> Deepan Chakravarthy N
> http://www.codeshepherd.com/
> http://sudoku-solver.net/
[Full-disclosure] Web Backdoor Compilation
I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities etc. and have packaged them up. I think a library like this may be useful in a variety of situations.

Interested parties can find version 1 of the package here: http://michaeldaw.org/projects/web-backdoor-compilation/
[Full-disclosure] Hacking HomePlug Networks
"HomePlug specification products also protect data by utilizing powerful DES encryption, which makes hacking into a HomePlug network virtually impossible."

I spent an amusing hour looking into this.

Details at: http://michaeldaw.org/md-hacks/hacking_homeplugs/
[Full-disclosure] CSRF with MS Word
CSRF with MS Word

Our attack vector is found in exploiting MSWord's frame capabilities: By creating malicious frames in a document and pointing them to a malicious URL, we can exploit multiple, persistent (well almost, this is limited) CSRF vulnerabilities (and possibly the browser).

See: http://michaeldaw.org/md-hacks/csrf-with-msword/
Re: [Full-disclosure] retiring from public security stuff
http://michaeldaw.org/news/news-121106-0/
[Full-disclosure] RSS Injection in Sage part 2
RSS Injection in Sage part 2

2 months ago, both pdp and myself released a vulnerability and proof of concept exploit for Sage (see: http://michaeldaw.org/md-hacks/cross-context-scripting-with-sage/). This issue was resolved in Sage release 1.3.7 (http://mozdev.org/bugs/show_bug.cgi?id=15101).

I found a new vulnerability which affects the latest version, Sage 1.3.8. In addition to the XSS vulnerability, it should be noted (as with the previous vulnerability) this issue occurs within the Local Browser Context. This means arbitrary file access etc.

Full details and POC can be found at: http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/
[Full-disclosure] JavaScript Web Ping Tool
JavaScript Web Ping
Author: david.kierznowski_at_gmail.com http://michaeldaw.org

The Idea:
1. We setup an Iframe
2. We dynamically load our target address with a timeout
3. If the document is loaded, we flag the host as being up.
4. If the host is down, the timeout is reached and we flag the host as down.

Tool can be found here: http://michaeldaw.org
[Full-disclosure] JSEScanner
JavaScript External File Scanner (JSEScanner)
Author: david.kierznowski_at_gmail.com http://michaeldaw.org

JSEScanner uses the JavaScript External File facility to access remote devices. It requests a specific JavaScript file which can then be used to fingerprint the remote web server type and possibly the version...

Tool and Proof of Concept available at: http://michaeldaw.org
[Full-disclosure] ASP Auditor Beta 2 Released
ASP Auditor v2 BETA
Author: david.kierznowski_at_gmail.com http://michaeldaw.org

Purpose: Look for common misconfigurations and information leaks in ASP.NET applications.

This tool is based on H D Moore's Dot Net Application Scanner
Author: H D Moore
URL: http://www.digitaloffense.net/index.html?section=TOOLS
HDM thanks for the feedback.

Changelog:
* Combined code from Asp Auditor v1 BETA and HDM's DNAScanner.
* Version plugin allowing specific ASP.NET versioning.
* Version brute force capabilities using JavaScript validate directories.
* Check if global ASP.NET validate is being used.
* Added brute force as option in usage()

More information can be found at: http://michaeldaw.org/
[Full-disclosure] Backdooring PDF Files
Recently, there has been a lot of hype involving backdooring various web technologies. pdp (architect) has done a lot of work centered around this area. I saw Jeremiah Grossman mention PDFs being BAD, however, I was unable to easily locate any practical reasons as to why. I decided to investigate this a little further.

This article discusses two possible backdoor techniques for Adobe Acrobat Reader and Professional. It includes proof of concept code and backdoored PDF documents.

The article can be found here: http://michaeldaw.org/
Re: [Full-disclosure] Backdooring PDF Files
I installed 7.0.8 (latest version) for testing. If the document is loaded from the browser you receive no warning. v7.0.8 seems to warn the user if the document is loaded from the desktop. I think this has to do with different Adobe contexts.

--
David Kierznowski

On 13/09/06, pdp (architect) [EMAIL PROTECTED] wrote:
> I have tested both of the examples and no warning boxes are showing. It seems that everybody is getting different results. Interesting!
>
> On 9/13/06, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
>> Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 7.0.8 (i.e. no browser plug-in used) issued a Security Warning dialog box:
>>
>> The document is trying to connect to the site: http://www.google.com/owned.html
>> If you trust the site click Allow, otherwise click Block.
>>
>> Option Remember my action is in use as well.
>>
>> When clicking Allow this Google page was opened in MSIE (in fact FF is my default browser, however).
>>
>> Am I missing something related to differences between Reader plug-in and Reader application?
>>
>> - Juha-Matti
>>
>> David Kierznowski [EMAIL PROTECTED] wrote:
>>> Recently, there has been a lot of hype involving backdooring various web technologies. pdp (architect) has done a lot of work centered around this area. I saw Jeremiah Grossman mention PDFs being BAD, however, I was unable to easily locate any practical reasons as to why. I decided to investigate this a little further.
>>>
>>> This article discusses two possible backdoor techniques for Adobe Acrobat Reader and Professional. It includes proof of concept code and backdoored PDF documents.
>>>
>>> The article can be found here: http://michaeldaw.org/
>
> --
> pdp (architect)
> http://www.gnucitizen.org
[Full-disclosure] XSSing the Government
XSSing the Government

Today, Michael Daw explores a fictional scenario of how terrorist cells used XSS to hack into government agencies.

--snip--
Terrorists had found a way to track government intelligence agencies and gain access to highly protected computers using Cross Site Scripting attacks.
--snip--

URL: http://michaeldaw.org
[Full-disclosure] Whitepaper: Awakening the Sleeping Giant v1.0
Awakening the Sleeping Giant v1.0
Demystifying Cross Site Scripting Attacks
Author: David Kierznowski (david.kierznowski_at_gmail.com)

This paper attempts to demystify and categorise current XSS entry nodes, attack capabilities and trends. XSS attacks are gaining popularity quickly. There are loads of vulnerabilities waiting to be found. It can be simple and difficult to prevent. It can propagate around the Internet in hours, exploit internal or private networks and offers the ability to manipulate web services for fun and profit without compromising a single system.

The whitepaper can be found at: http://michaeldaw.org