Re: [Full-disclosure] Medium severity flaw in BlackBerry QNX Neutrino RTOS
Might have been helpful to attach the advisory. Tim -- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/ NDSA20140311.txt.asc Description: PGP signature signature.asc Description: This is a digitally signed message part. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Medium severity flaw in BlackBerry QNX Neutrino RTOS
Summary

This advisory concerns the forced disclosure of 2 vulnerabilities that were previously disclosed to BlackBerry. Disclosure has been forced since these vulnerabilities have been publicly disclosed (with PoC) on the exploit-db web site. Two local privilege escalation vulnerabilities have been identified that would ultimately result in malicious code being executed in a trusted context. The first allows direct code execution (http://www.exploit-db.com/exploits/32153/) whilst the second allows for the root password to be disclosed (http://www.exploit-db.com/exploits/32156/). It should be noted that Nth Dimension do not believe that the bug collision is due to a leak within BlackBerry but rather that these are simply instances of multiple researchers identifying the same vulnerable code paths.

Current

As of the 11th March 2014, both the privilege escalation attacks have been disclosed by a 3rd party. In light of this and in the absence of any timely response from BlackBerry, Nth Dimension have opted to make full details public.

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
Re: [Full-disclosure] CVE-2013-1643 - Unauthorised Access To Other Users Email Messages in Symantec PGP Universal Web Messenger
VDBs, please note that the referenced CVE ID is wrong. CVE-2014-1643 was actually assigned to this issue by Symantec. Tim -- Tim Brown mailto:t...@65535.com
[Full-disclosure] [OVSA20131108] OpenVAS Manager And OpenVAS Administrator Vulnerable To Partial Authentication Bypass
Summary

It has been identified that OpenVAS Manager and OpenVAS Administrator are vulnerable to authentication bypass due to an incorrect state assignment when processing OMP and OAP requests. It has been identified that this vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS Administrator on vulnerable systems. CVE-2013-6765 has been assigned to this vulnerability in Manager and CVE-2013-6766 to the same vulnerability in Administrator. It should be noted that not all of the newly available commands are functional and that exploitation typically requires SSH access to the host on which the services are installed.

Current Status

As of the 8th November, the state of the vulnerabilities is believed to be as follows. Patches have been supplied by Greenbone Networks which successfully resolve this vulnerability. New releases of both OpenVAS Manager and OpenVAS Administrator have also been created which incorporate these patches.

Thanks

OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting the vulnerability and apologise to all concerned for the substantial delay in triaging his report.

-- Tim Brown mailto:t...@openvas.org http://www.openvas.org

OpenVAS Security Advisory (OVSA20131108)
Date: 8th November 2013
Product: OpenVAS Manager 3.0.7 and 4.0.4 and OpenVAS Administrator 1.2.2 and 1.3.2
Vendor: OpenVAS http://www.openvas.org/
Risk: Low

Summary

It has been identified that OpenVAS Manager and OpenVAS Administrator are vulnerable to authentication bypass due to an incorrect state assignment when processing OMP and OAP requests. It has been identified that this vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS Administrator on vulnerable systems. CVE-2013-6765 has been assigned to this vulnerability in Manager and CVE-2013-6766 to the same vulnerability in Administrator.

Current Status

As of the 8th November, the state of the vulnerabilities is believed to be as follows.
Patches have been supplied by Greenbone Networks which successfully resolve this vulnerability. New releases of both OpenVAS Manager and OpenVAS Administrator have also been created which incorporate these patches.

Technical Details

It has been identified that OpenVAS Manager and OpenVAS Administrator are vulnerable to authentication bypass due to an invalid state assignment when processing OMP and OAP requests. Upon processing an OMP and OAP request to retrieve the version information from OpenVAS Administrator and OpenVAS Manager, the state is incorrectly set to CLIENT_AUTHENTIC, allowing additional OMP and OAP commands to be called. This can be seen in the omp_xml_handle_end_element() function from omp.c (for OpenVAS Manager):

    if (client_state)
      set_client_state (CLIENT_AUTHENTIC);
    else
      set_client_state (CLIENT_TOP);
    break;

In this instance, the first condition will always hold. Rather, the check should be whether client_state is currently set to CLIENT_GET_VERSION_AUTHENTIC. It should be noted that not all of the newly available commands are functional, since they often rely upon additional session state information being present which will not be the case where the authentication has been bypassed. Furthermore, the vulnerable code path is typically only accessible to users who have logged into a host running OpenVAS Manager or OpenVAS Administrator via SSH as the affected services are typically only bound to localhost.

Fix

OpenVAS recommends that the publicly available patches are applied. If building from source, then patches r18285 (for OpenVAS Administrator 1.2.x) or r18281 (for Administrator 1.3.x) and r18276 (for OpenVAS Manager 3.0.x) or r18271 (for Manager 4.0.x) should be obtained from the OpenVAS SVN repository.
A fresh tarball containing the latest stable release of Administrator can be obtained from:

* http://wald.intevation.org/frs/download.php/1442/openvas-administrator-1.3.2.tar.gz

A fresh tarball containing the latest stable release of Manager can be obtained from:

* http://wald.intevation.org/frs/download.php/1434/openvas-manager-4.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch. Known major distributors of OpenVAS precompiled packages have already been notified.

History

On the 3rd August 2013, Antonio Sanchez Arago initially attempted to contact the OpenVAS security team to report the issue in OpenVAS Manager however it was missed as many of the team were on annual leave. Unfortunately, it was not picked up until Antonio attempted to contact us again in late October. On this occasion, it was picked up and the team were able to reproduce the vulnerability. On the 7th November, we contacted Antonio to confirm that the team had successfully reproduced the issue and Greenbone Networks to notify them of the vulnerability and request assistance in coordinating the disclosure. Major
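The bug in the advisory above is a state-machine error: the end-of-element handler tests whether client_state is non-zero rather than whether it is the authenticated flavour of the get_version state, so an unauthenticated client that has merely asked for the version leaves the element as CLIENT_AUTHENTIC. The following is an added example, not OpenVAS code, that models both the vulnerable test and the corrected one in a few lines of C so the effect can be checked directly. The four state names are taken from the advisory; the start-element handler, the helper names and the command_allowed() check are assumptions made for the illustration.

```c
/* Added example: a minimal model of the OMP <get_version> handling described
 * in OVSA20131108. This is not OpenVAS code; the state names come from the
 * advisory, everything else is assumed for the illustration. */
#include <stdbool.h>
#include <stdio.h>

enum client_state {
    CLIENT_TOP = 0,               /* fresh connection, not authenticated */
    CLIENT_AUTHENTIC,             /* <authenticate> succeeded */
    CLIENT_GET_VERSION,           /* inside <get_version> before login */
    CLIENT_GET_VERSION_AUTHENTIC  /* inside <get_version> after login */
};

/* Start of <get_version>: either flavour of the element may be entered,
 * depending on whether the client has already authenticated (assumed). */
enum client_state start_get_version(enum client_state s)
{
    return s == CLIENT_AUTHENTIC ? CLIENT_GET_VERSION_AUTHENTIC : CLIENT_GET_VERSION;
}

/* Vulnerable variant, mirroring the advisory's snippet: both get_version
 * states are non-zero, so the test always holds and the unauthenticated
 * client is promoted to CLIENT_AUTHENTIC on </get_version>. */
enum client_state end_get_version_vulnerable(enum client_state s)
{
    if (s)
        return CLIENT_AUTHENTIC;
    else
        return CLIENT_TOP;
}

/* Fixed variant: only the authenticated flavour returns to
 * CLIENT_AUTHENTIC; the unauthenticated one drops back to CLIENT_TOP. */
enum client_state end_get_version_fixed(enum client_state s)
{
    if (s == CLIENT_GET_VERSION_AUTHENTIC)
        return CLIENT_AUTHENTIC;
    else
        return CLIENT_TOP;
}

/* Would a command that requires authentication be dispatched in state s? */
bool command_allowed(enum client_state s)
{
    return s == CLIENT_AUTHENTIC;
}

/* Simulate an unauthenticated client sending <get_version/> and then a
 * privileged command, under a given end-element handler. */
bool bypass_possible(enum client_state (*end_handler)(enum client_state))
{
    enum client_state s = CLIENT_TOP;
    s = start_get_version(s);   /* <get_version> with no prior <authenticate> */
    s = end_handler(s);         /* </get_version> */
    return command_allowed(s);  /* e.g. <get_tasks/> accepted? */
}

int main(void)
{
    printf("vulnerable handler: bypass %s\n",
           bypass_possible(end_get_version_vulnerable) ? "possible" : "not possible");
    printf("fixed handler:      bypass %s\n",
           bypass_possible(end_get_version_fixed) ? "possible" : "not possible");
    return 0;
}
```

The same shape of check (a truthiness test on an enum whose zero value happens to be the safe state) is worth grepping for wherever a protocol handler tracks authentication in a single integer.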
[Full-disclosure] Low severity flaw in RIM BlackBerry PlayBook OS browser
Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file. After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team for the way they worked to resolve the issue.

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown mailto:t...@nth-dimension.org.uk
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 http://www.rim.com/products/blackberry_tablets.shtml
Vendor: RIM http://www.rim.com/
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file. After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.
Technical Details

It was identified that the PlayBook web browser could be forced to download rather than render HTML files and that whilst the browser does prompt the user to confirm the location of the download, this download process defaults to an attacker chosen location. Furthermore, once downloaded, it is possible to use the Location header to load the file from the attacker's chosen location using the file:// URL handler in such a manner that the downloaded HTML then has trusted access to the PlayBook filing system. It is possible to craft a HTML download which when opened will lead to arbitrary JavaScript being executed in the local context. The file:// URL handler is trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue to representatives of RIM. BBSIRT responded on the 20th to confirm that they had received the report and were investigating. RIM further notified Nth Dimension to confirm that all reported vulnerabilities were handled based on CVSS and that only critical vulnerabilities were deemed candidates for out-of-band patching. Less critical issues would however be addressed in future product updates. Nth Dimension responded on 7th March 2012 to confirm that they agreed with this approach and that in their opinion the issue was not critical and did not warrant an expedited response. Nth Dimension asked to be kept in the loop regarding the release of a patch for this issue in due course. On 19th September 2012, Nth Dimension asked for an update, in particular to establish whether a CVE had been assigned by RIM for this issue. On 1st November 2012, RIM responded to say that "The changes for the issues are in the latest 2.1 builds for PlayBook. The build is currently available for WiFi only PlayBooks and we're working with our carrier partners for testing and availability for build for the in-market cellular-enabled PlayBooks."
On 6th November 2012, RIM confirmed that CVE-2012-5828 had been assigned. They also confirmed they believed testing of cellular PlayBooks would be completed by the end of the month. Nth Dimension responded, proposing 1st December 2012 as the embargo date.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team for the way they worked to resolve the issue.
[Full-disclosure] [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection
Summary

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2012-5520 has been assigned to this vulnerability.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which successfully resolves this vulnerability. New releases of both 3.0.x and 4.0.x have also been created which incorporate this patch.

Thanks

OpenVAS would like to thank Andre Heinecke of Greenbone Networks for his help in reporting the vulnerability.

-- Tim Brown mailto:timb@openvas.org http://www.openvas.org/

OpenVAS Security Advisory (OVSA20121112)
Date: 12th November 2012
Product: OpenVAS Manager 3.0.4 and 4.0+beta4
Vendor: OpenVAS http://www.openvas.org/
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2012-5520 has been assigned to this vulnerability.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which successfully resolves this vulnerability. New releases of both 3.0.x and 4.0.x have also been created which incorporate this patch.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when sending reports to a Sourcefire Defense Center.
The processing of requests containing malicious values for the ip address or port causes the command below to be executed with the privileges of the OpenVAS Manager (typically root) using the send_to_sourcefire() function from manage_sql.c:

    command = g_strdup_printf ("/bin/sh %s %s %s %s %s > /dev/null 2> /dev/null",
                               script, ip, port, pkcs12_file, report_file);
    ...
    if (ret = system (command)...

As you can see, an attacker can influence both the ip address and port within the concatenated string. The vulnerable code path is only accessible to authenticated users of OpenVAS Manager.

Fix

OpenVAS recommends that the publicly available patches are applied. If building from source, then either patch r14404, r14405 and r14421 (trunk) or r14437 (3.0.x) should be obtained from the OpenVAS SVN repository. A fresh tarball containing the latest stable release can be obtained from:

* http://wald.intevation.org/frs/download.php/1212/openvas-manager-3.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch.

History

On the 7th November 2012, Greenbone Networks contacted the OpenVAS security team to notify them of the vulnerability and request assistance in coordinating the disclosure. OpenVAS Manager 3.0.4 was released on the 7th. The OpenVAS security team and Greenbone Networks opened a dialogue in order to draft this advisory and on the 12th November, CVE-2012-5520 was assigned for this vulnerability.

Thanks

OpenVAS would like to thank Andre Heinecke of Greenbone Networks for his help in reporting the vulnerability.
[Full-disclosure] Google Talk s2s SSL configuration
Hi all,

I'm reporting this publicly since Google have not responded to my private enquiries dating back to February this year (#963055119 according to their security@ auto responder).

So I run a XMPP server and by default I demand a 256-bit cipher for my dialback peers:

    <host xmpp="yes" tls="256"/>

However with Talk, I vaguely recall needing to set it explicitly per host to accept ciphers with 128 bit keys before it would work. Anyway, I recently rebuilt my server and on the new server I no longer appear to be able to negotiate TLS with Talk at all. (I'm not sure if my old server could in its final days either however TLS negotiation still works for other s2s dialback peers - such as jabber.org). To get my server to talk to Talk I needed to set:

    <host name="gmail.com" xmpp="yes" tls="yes"/>

which is opportunistic and which results in the following in my logs:

    20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)

For reference I have manually validated that traffic to Talk is unencrypted. It's possible that this is a problem at my end, but as I said earlier TLS appears to work fine with other peers. Can anyone else confirm if this is expected behavior? If that is the case, does anyone know if there is a reason why TLS is not currently supported? Obviously the implications if I'm correct are that any traffic between a user on a privately operated XMPP server and a user on Talk is open to man in the middle attacks even without the cooperation of Google.

Tim

PS I am aware of discussions on various XMPP lists around this issue, but no one seems to have come up with a satisfactory answer.

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress
On Wednesday 25 Jan 2012 15:22:39 Henri Salo wrote:
> There is A LOT of these open installation pages in the Internet. It is not uncommon to leave those open by accident. Some people also do this, because they just don't understand the risks. I am wondering if WordPress would apply patch if we create one as a collaborative effort. I would be more than happy to help creating a patch for this if this is the case.

I may have missed something, but does simply having the file exposed make you vulnerable? From looking at it, it starts off with a bunch of file_exists(), which essentially evaluate if you've installed or not and wp_die() if you have.

Tim

-- Tim Brown mailto:t...@65535.com
Re: [Full-disclosure] Breaking the links: Exploiting the linker
CVEs have now been assigned to the two previously reported bugs as follows:

1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using DB2 from normal user to root, the PoC is for Linux but based on testing the AIX version looks iffy too although I couldn't get gcc to generate a valid library to exploit it. CVE-2011-4061.

FWIW I now have a version of the exploit for this working on AIX, based on a copy of kbbacf1 from IBM Tivoli Monitoring 6.1.0.6. It therefore appears that the vulnerable version of kbbacf1 isn't just shipped with DB2.

2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the QNX runtime linker which abuses an arbitrary file overwrite and race condition to get root. CVE-2011-4060.

Cheers, Tim

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
[Full-disclosure] Medium severity flaw with Ark
I recently discovered that the Ark archiving tool is vulnerable to directory traversal via malformed Zip files. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of the temporary file name. Whilst this does not allow the wrong file to be overwritten, after closing the default view, Ark will then attempt to delete the temporary file which could result in the deletion of the incorrect file. After discussions with the vendor, CVE-2011-2725 was assigned to this vulnerability. Tim -- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/ NDSA20110726.txt.asc Description: PGP signature
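The Ark issue above comes down to deriving a temporary file path from an archive entry name without first rejecting traversal components, so that the view (and the later delete) can be pointed at a file outside the extraction directory. The following is an added example, not Ark or KDE code, of the check an archiver can apply to every entry name before joining it under its temporary directory. Function names and the base directory are assumptions for the illustration.

```c
/* Added example, not Ark code: validate an archive entry name before using
 * it to build a temporary file path. Function names are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true only for a relative name with no ".." component, no
 * backslashes (treated as separators on some platforms) and no
 * drive-letter prefix. Anything else must not be joined under a base dir. */
bool safe_entry_name(const char *name)
{
    if (!name || !*name) return false;
    if (name[0] == '/' || name[0] == '\\') return false;   /* absolute */
    if (strchr(name, '\\')) return false;                  /* "..\\x" style */
    if (strlen(name) > 1 && name[1] == ':') return false;  /* "C:..." */

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                                  /* traversal */
        if (!end) break;
        p = end + 1;
    }
    return true;
}

/* Build "<base>/<name>" for a safe name only. Returns false (and leaves
 * out untouched) when the name is rejected or the buffer is too small. */
bool temp_path_for_entry(const char *base, const char *name,
                         char *out, size_t outlen)
{
    if (!safe_entry_name(name)) return false;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed entry names: the first two are benign, the rest are
     * the shapes a crafted archive would carry. */
    const char *names[] = { "docs/readme.txt", "..hidden/notes",
                            "../../etc/passwd", "a/../../b", "/etc/passwd",
                            "..\\..\\x" };
    char out[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = temp_path_for_entry("/tmp/ark-example", names[i], out, sizeof out);
        printf("%-20s -> %s\n", names[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

Doing the check on the raw entry name, rather than on the joined path, is the point: once the name has been concatenated and normalised, a traversal that resolved to a sibling of the temp directory is indistinguishable from a legitimate path.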
[Full-disclosure] Breaking the links: Exploiting the linker
I've recently been working on a paper on Linux and POSIX linkers, the most recent release of which can be found at:

* http://www.nth-dimension.org.uk/downloads.php?id=77

I'm particularly interested in feedback on references or threats that I may have missed. As per the abstract, the aim of the paper wasn't to claim everything as my own but rather to document as much as possible about common flaws and how to identify them. Whilst working on the paper I came across a number of interesting bugs (some exploitable, others sadly not). The paper itself touches on the circumstances around CVE-2011-1126 but two other bugs also mentioned in the paper (one of which I released the advisory NDSA20110310 for) are potentially more useful so I've written PoC to exploit them:

1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using DB2 from normal user to root, the PoC is for Linux but based on testing the AIX version looks iffy too although I couldn't get gcc to generate a valid library to exploit it.

2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the QNX runtime linker which abuses an arbitrary file overwrite and race condition to get root.

The paper is still a work in progress but both DB2 and QNX are available for download if you want to take them for a spin. Anyway, enjoy!

Tim

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
Re: [Full-disclosure] Medium severity flaw in Konqueror
On Tuesday 12 April 2011 03:36:24 Vincent Danen wrote:
> * [2011-04-11 22:07:24 +0100] Tim Brown wrote:
> > I was recently taking a look at Konqueror and spotted an example of universal XSS. Essentially, the error page displayed when a requested URL is not available includes said URL. If said URL includes HTML fragments these will be rendered. CVE-2010-2952 has been assigned to this issue.
>
> Actually, CVE-2011-1168 was assigned to this issue as noted in the upstream advisory: http://www.kde.org/info/security/advisory-20110411-1.txt

Hi Vincent,

You're quite right, not sure how the wrong CVE ended up in the email. That's a different CVE for another of my advisories :/.

Tim

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
[Full-disclosure] Medium severity flaw in Konqueror
I was recently taking a look at Konqueror and spotted an example of universal XSS. Essentially, the error page displayed when a requested URL is not available includes said URL. If said URL includes HTML fragments these will be rendered. CVE-2010-2952 has been assigned to this issue. Tim -- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/ NDSA20110321.txt.asc Description: PGP signature
[Full-disclosure] Medium severity flaw in QNX Neutrino RTOS
I was recently taking a look at the state of play regarding the security of POSIX runtime linkers and was pointed at the QNX Neutrino RTOS to take a look. In doing so I noticed a problem relating to the way that it handles LD_DEBUG_OUTPUT which allows for the creation or overwriting of an arbitrary file. Moreover the technique by which this can be achieved can be triggered even where the binary being executed is setUID and is running as another user. Tim -- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/ NDSA20110310.txt.asc Description: PGP signature
[Full-disclosure] [OVSA20110118] OpenVAS Manager Vulnerable To Command Injection
Summary

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability allows privilege escalation within the OpenVAS Manager but more complex injection may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2011-0018 has been assigned to this vulnerability. The vulnerable code path is only accessible to authenticated users of OpenVAS Manager however it may also be triggered either directly or by using a cross-site request forgery based attack via the Greenbone Security Assistant web application.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which successfully resolves this vulnerability. New releases of both 1.0.x and 2.0.x have also been created which incorporate this patch. Note that the cross-site request forgery elements of this vulnerability have not yet been addressed in the Greenbone Security Assistant web application.

Thanks

OpenVAS would like to thank Ronald Kingma and Alexander van Eee of ISSX for their help in reporting the vulnerability.

-- Tim Brown mailto:t...@openvas.org http://www.openvas.org/

OpenVAS Security Advisory (OVSA20110118)
Date: 18th January 2011
Product: OpenVAS Manager <= 1.0.3 and 2.0rc2
Vendor: OpenVAS http://www.openvas.org/
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability allows privilege escalation within the OpenVAS Manager but more complex injection may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems. CVE-2011-0018 has been assigned to this vulnerability.
The vulnerable code path is only accessible to authenticated users of OpenVAS Manager however it may also be triggered either directly or by using a cross-site request forgery based attack via the Greenbone Security Assistant web application.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by Greenbone Networks which successfully resolves this vulnerability. New releases of both 1.0.x and 2.0.x have also been created which incorporate this patch. Note that the cross-site request forgery elements of this vulnerability have not yet been addressed in the Greenbone Security Assistant web application.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability allows an authenticated user of the Greenbone Security Assistant web application (which communicates with OpenVAS Manager using OMP) to escalate their privileges with just a few clicks although more complex attacks may also be possible. Escalation of privileges can be achieved by accessing the Greenbone Security Assistant and creating an escalator with a modified POST request as follows:

    Content-Disposition: form-data; name="method_data:to_address"

    none@none >/var/lib/openvas/users/alexander/isadmin

The processing of this request causes GSA to make a request to OpenVAS Manager which causes the command below to be executed with the privileges of the OpenVAS Manager (typically root) using the email() function from manage_sql.c:

    command = g_strdup_printf ("echo \"To: %s\nFrom: %s\nSubject: %s\n\n%s\""
                               " | /usr/sbin/sendmail %s > /dev/null 2>&1",
                               to_address,
                               from_address ? from_address : "automa...@openvas.org",
                               subject,
                               body,
                               to_address);
    ...
    if (ret = system (command)...

As you can see, an attacker can influence both the to and from addresses within the concatenated string.
The OpenVAS Manager uses the presence of the file isadmin to determine the privileges associated with the account. The vulnerable code path is only accessible to authenticated users of OpenVAS Manager however it may also be triggered either directly or by using a cross-site request forgery based attack via the Greenbone Security Assistant web application.

Fix

OpenVAS recommends that the publicly available patches are applied. If building from source, then either patch r9974 (trunk) or r9976 (1.0.x) should be obtained from the OpenVAS SVN repository. A fresh tarball containing the latest stable release can
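Both OpenVAS Manager advisories on this page (OVSA20121112, where an ip address and port are pasted into a /bin/sh command line, and OVSA20110118, where a to_address is pasted into an echo | sendmail pipeline) have the same root cause: attacker-influenced strings are handed to system(), so the shell re-parses them and a redirect or separator in the value becomes part of the command. The following is an added example, not OpenVAS code, showing the two fixes a reviewer would ask for: strict allow-list validation of each field, and running the helper through execv() with an argv array so that no shell ever sees the data. The function names, the validation rules and the demonstration script path are assumptions made for the illustration; the payload shapes in main() are constructed to mirror the ones the advisories describe.

```c
/* Added example, not OpenVAS code: allow-list validation plus a no-shell
 * replacement for the system() call pattern in OVSA20121112/OVSA20110118.
 * Function names and the validation rules are assumed. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a well-formed IPv4 dotted quad or IPv6 literal. */
bool valid_ip(const char *ip)
{
    unsigned char buf[16];
    if (!ip) return false;
    return inet_pton(AF_INET, ip, buf) == 1 || inet_pton(AF_INET6, ip, buf) == 1;
}

/* Accept only an all-digit string whose value is in 1..65535. */
bool valid_port(const char *port)
{
    if (!port || !*port || strlen(port) > 5) return false;
    for (const char *p = port; *p; p++)
        if (!isdigit((unsigned char)*p)) return false;
    long v = strtol(port, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Conservative allow-list for an address handed to sendmail: letters,
 * digits, "._+-", exactly one '@', nothing else. This rejects whitespace
 * and every shell metacharacter (> | ; $ ` ( ) & etc.), and a leading '-'
 * that sendmail would otherwise read as an option. */
bool valid_email(const char *addr)
{
    if (!addr || !*addr || strlen(addr) > 254 || addr[0] == '-') return false;
    int ats = 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '@') { ats++; continue; }
        if (isalnum(c) || strchr("._+-", c)) continue;
        return false;
    }
    return ats == 1;
}

/* Equivalent of send_to_sourcefire() without a shell: every value is one
 * argv element and arrives in the script intact. Returns the child's exit
 * status, or -1 on validation, fork or wait failure. The "> /dev/null"
 * part of the original string is done by the child on its own fds. */
int send_to_sourcefire_noshell(const char *script, const char *ip, const char *port,
                               const char *pkcs12_file, const char *report_file)
{
    if (!valid_ip(ip) || !valid_port(port)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (!freopen("/dev/null", "w", stdout) || !freopen("/dev/null", "w", stderr))
            _exit(127);
        char *const argv[] = { "/bin/sh", (char *)script, (char *)ip, (char *)port,
                               (char *)pkcs12_file, (char *)report_file, NULL };
        execv("/bin/sh", argv);   /* no shell parsing of ip/port: they are argv[2]/argv[3] */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs in the shape the advisories describe. */
    const char *ips[]   = { "192.0.2.10", "192.0.2.10; id", "$(id)" };
    const char *ports[] = { "443", "443 >/tmp/x", "70000" };
    const char *addrs[] = { "alice@example.org",
                            "none@none >/var/lib/openvas/users/alexander/isadmin",
                            "-oQ/tmp@example.org" };
    for (int i = 0; i < 3; i++)
        printf("ip %-20s %s | port %-12s %s | addr %-52s %s\n",
               ips[i], valid_ip(ips[i]) ? "ok" : "REJECT",
               ports[i], valid_port(ports[i]) ? "ok" : "REJECT",
               addrs[i], valid_email(addrs[i]) ? "ok" : "REJECT");

    /* "sh /dev/null <args>" is an empty script: a harmless stand-in for the
     * real forwarding script that shows the exec path working end to end. */
    int rc = send_to_sourcefire_noshell("/dev/null", "192.0.2.10", "443",
                                        "/tmp/example.p12", "/tmp/report.xml");
    printf("no-shell run of /dev/null script exited with %d\n", rc);
    return 0;
}
```

Validation alone is not enough if the string still reaches a shell (an allow-list bug is one character away from the original problem), and exec alone is not enough if the script itself later interpolates its arguments into another command; the two fixes are meant to be applied together.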
[Full-disclosure] Medium security flaw in Apache Traffic Server
I was recently taking a look at the Apache Traffic Server project (which I believe was formerly developed by Yahoo Inc) and noticed a series of potential problems relating to the way that it handles DNS. This proxy does not rely on the OS supplied resolver library for resolving hostnames but instead implements its own asynchronous resolver. Whilst reviewing the code, I spotted 3 potential issues which I believe might significantly increase the chances of Traffic Server's internal DNS cache being poisoned. The Apache Software Foundation have assigned CVE-2010-2952 to these issues. Tim -- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
[Full-disclosure] DLL hijacking on Linux
All,

If you've seen the recent Microsoft advisory, I put together a nice post on a similar DLL hijacking issue that affects Linux (and other POSIX-alikes). You can read the full details on my blog (http://www.nth-dimension.org.uk/blog.php?id=87) but the key point is that an empty directory specification statement in LD_LIBRARY_PATH, PATH (and probably others) is equivalent to $CWD. That is to say that LD_LIBRARY_PATH=:/lib is equivalent to LD_LIBRARY_PATH=.:/lib. It can occur when a script has LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib or similar and LD_LIBRARY_PATH hasn't previously been defined. It's worth checking for this kind of thing in scripts that may be run via sudo/su when auditing hosts. I don't believe it's a vulnerability per se, but particular instances of broken scripts may well be.

Tim

-- Tim Brown mailto:t...@nth-dimension.org.uk http://www.nth-dimension.org.uk/
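The empty-element behaviour described above is easy to overlook because the offending value never contains a visible ".". The following is an added example, not the author's code, that models how a colon-separated search path is split (an empty element, whether leading, trailing or from a doubled colon, is the current directory, the same way ld.so and the shell's PATH lookup treat it), reproduces the "VAR=$VAR:/lib with VAR unset" expansion that produces the leading colon, and flags that idiom in a script body, which is the check to run over anything invoked via sudo or su. Function names and the constructed script are assumptions for the illustration.

```c
/* Added example, not from the post: model colon-separated search-path
 * splitting and audit scripts for the "VAR=$VAR:..." idiom. Function names
 * and the sample script are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count the elements of path that resolve to the current directory: an
 * empty element or a literal ".". Up to max 0-based element indices are
 * written to idx so the caller can say which entries are the problem. */
int cwd_components(const char *path, int *idx, int max)
{
    if (!path) return 0;
    int n = 0, elem = 0;
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == ':' || *p == '\0') {
            size_t len = (size_t)(p - start);
            if (len == 0 || (len == 1 && *start == '.')) {
                if (n < max) idx[n] = elem;
                n++;
            }
            if (*p == '\0') break;
            start = p + 1;
            elem++;
        }
    }
    return n;
}

/* Reproduce what the shell does for  VAR=$VAR:suffix  when VAR may be
 * unset: an unset variable expands to nothing, so the result starts
 * with ":" and therefore with an implicit "." element. */
void extend_path(const char *current, const char *suffix, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s:%s", current ? current : "", suffix);
}

/* Flag NAME=$NAME:  NAME=${NAME}:  and the double-quoted forms in a script
 * body, for the loader-related variable given. Returns true on a match. */
bool script_has_unsafe_extension(const char *script, const char *var)
{
    const char *forms[] = { "%s=$%s:", "%s=${%s}:", "%s=\"$%s:", "%s=\"${%s}:" };
    char pat[160];
    for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++) {
        snprintf(pat, sizeof pat, forms[i], var, var);
        if (strstr(script, pat)) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed script body of the kind the post describes. */
    const char *script =
        "#!/bin/sh\n"
        "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/app/lib\n"
        "exec /opt/app/bin/daemon \"$@\"\n";
    printf("script extends LD_LIBRARY_PATH unsafely: %s\n",
           script_has_unsafe_extension(script, "LD_LIBRARY_PATH") ? "yes" : "no");

    char result[128];
    int idx[8];
    extend_path(NULL, "/opt/app/lib", result, sizeof result);   /* variable unset */
    int n = cwd_components(result, idx, 8);
    printf("resulting value \"%s\" has %d element(s) equal to $CWD", result, n);
    for (int i = 0; i < n; i++) printf(" (index %d)", idx[i]);
    printf("\n");
    return 0;
}
```

When run from a directory an unprivileged user controls, the resulting value is the one that lets a planted shared object be loaded by whatever the script then executes as root; the scan in script_has_unsafe_extension() is deliberately a plain substring match so it can be lifted straight into a grep over /etc, /usr/local and sudoers-referenced paths.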
Re: [Full-disclosure] DLL hijacking on Linux
On Wednesday 25 August 2010 10:38:37 Mihai Donțu wrote:
> man sudo(8):
>
> Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.

Absolutely, but in the case I gave, the path is set /by the script/, not inherited from the original user. The script sets the dangerous path, but since sudo hasn't changed the CWD it points at the directory the user running sudo was in.

Tim
-- 
Tim Brown
mailto:t...@65535.com
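As an added example (not from either post above), a POSIX shell snippet that reproduces the empty-element effect from the original post and the sudo follow-up: the unguarded append that creates an implicit "." element, the guarded form that avoids it, a checker for such elements, and a grep-based audit for the idiom in wrapper scripts. The function names, the sample wrapper script and its /opt/app paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original posts. The sample script and
# all paths below are constructed for the demonstration.

# unsafe_append VALUE DIR: the idiom from the post, i.e.
# LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib when LD_LIBRARY_PATH is unset;
# with an empty VALUE the result starts with ':' (an implicit ".").
unsafe_append() {
    printf '%s\n' "$1:$2"
}

# safe_append VALUE DIR: append DIR without creating an empty element
# when VALUE is unset or empty (same effect as ${VAR:+$VAR:}DIR).
safe_append() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$2"
    fi
}

# has_empty_element PATHSTRING: exit 0 when the colon-separated list has
# a leading, trailing or doubled colon, i.e. an element that resolves to
# the current working directory of whoever runs the script.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_script FILE: print "line:text" for every unguarded append to a
# search-path variable ("$VAR:" or "${VAR}:" followed by anything but '+',
# so the guarded "${VAR:+$VAR:}" form is not reported). Exits 1 when
# nothing is found, as grep does.
audit_script() {
    grep -nE '(LD_LIBRARY_PATH|PATH)=\$\{?(LD_LIBRARY_PATH|PATH)\}?:[^+]' "$1"
}

# Demonstration on a constructed wrapper script written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/wrapper.sh" <<'EOF'
#!/bin/sh
# unguarded: first element is empty when LD_LIBRARY_PATH was not set
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/app/lib
export LD_LIBRARY_PATH
# guarded: the old value is only prefixed when it is non-empty
PATH=${PATH:+$PATH:}/opt/app/bin
export PATH
exec /opt/app/bin/tool "$@"
EOF

echo "unsafe: $(unsafe_append '' /lib)"
echo "safe:   $(safe_append '' /lib)"
echo "audit of $demo_dir/wrapper.sh:"
audit_script "$demo_dir/wrapper.sh" || echo "  no unguarded appends found"
rm -rf "$demo_dir"
```

Running the audit over scripts invoked through sudo or su is the check the post recommends; any hit should be rewritten with the guarded form or an explicit absolute list.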
[Full-disclosure] Medium security hole in Rekonq web browser
I've identified that Rekonq versions up to and including 0.5 were vulnerable to universal XSS affecting the error page. CVE-2010-2536 was assigned for this vulnerability.

Cheers,
Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Attachment: NDSA20100810.txt.asc
[Full-disclosure] Medium security hole in Varnish reverse proxy
Hi,

I've identified a couple of security flaws affecting the Varnish reverse proxy which may allow privilege escalation. These issues were reported by email to the vendor but he feels that it is a configurational issue rather than a design flaw. Whilst I can partially see his point in that the administrative interface can be disabled, I'm not convinced that making a C compiler available over a network interface without authentication is sound practice, especially when the resultant compiled code can be made to run as root rather trivially.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Attachment: NDSA20090908.txt.asc
Re: [Full-disclosure] Medium security hole in Varnish reverse proxy
On Monday 29 March 2010 18:12:38 John Adams wrote:
> Post some code that people can evaluate.

I don't really like posting PoC code, but consider:

    param.set user root
    stop
    start
    vcl.inline test "
    backend default { .host = \"127.0.0.1\"; .port = \"8080\"; }
    C{ #include <aheaderfile.h> }C
    sub vcl_recv { C{ system(\"touch /tmp/foo\"); }C }
    "
    vcl.use test

Should give you some ideas.

> For starters, there's no reason why varnish ever has to run as root. It never listens on privileged ports, and the C compiler is never available over a network interface.

The proxy process doesn't run as root by default, but that's not much consolation if the master process can reconfigure it at will. The C compiler is available over whatever interface the master port is bound to, and in most cases that will be localhost:6082. I've seen that as a default configuration for FreeBSD, Fedora, Debian and Ubuntu packages.

> You can ask varnish to reload a configuration and recompile it, but you'd have to have write access to the filesystem first.

Not strictly true, have a look at vcl.inline (as per the example above).

> You can also only cause recompilation to occur if the admin interface is up and running, which can be easily disabled.

True, but up until the latest version this was your only option since there was no authentication support and the default in many cases (including as noted in my advisory, the Redhat packaging files included in Varnish trunk) was to enable it. The addition of authentication in 2.1.0 will /if enabled/ improve the situation no end.

> Poul is probably correct. Any vulnerabilities in Varnish with regards to privilege escalation are configuration issues.

Technically he is probably right but I still think the design sucks too, and let's be honest, an attacker probably doesn't need to make the distinction anyway.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
[Full-disclosure] High security hole in NullLogic Groupware
Hi,

I've identified a couple of security flaws affecting the NullLogic Groupware which may allow compromise of accounts, denial of service or even remote code execution. These issues were reported by email to the developer but no response was forthcoming.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Attachment: NDSA20090413.txt.asc
[Full-disclosure] Medium security hole in TekRADIUS
Hi,

I've identified a couple of security flaws affecting the TekRADIUS radius server for Windows which may allow privilege escalation. These issues were reported by email to the vendor and have, I believe, been resolved.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Attachment: NDSA20090412.txt.asc
Re: [Full-disclosure] XSS Browser hijacking PoC?
On Monday 16 June 2008 12:26:48 Hanno Böck wrote:
> On Wednesday 11 June 2008 Aaron Katz wrote:
> > Several months ago, there was a post about a proof of concept for complete browser hijacking via XSS. IIRC, the hijacked browser would periodically query a management server, and the management server would track the hijacked browsers in a database. The person controlling the management server could then instruct the hijacked browsers to do his bidding. The thing is, I can't find the tool. I'm wondering if anyone still knows where it is.
>
> BeEF? (google for it, according to german law I'm probably not allowed to post this link)

http://www.google.com/search?q=xssshell

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
[Full-disclosure] Medium security hole affecting Festival on Debian unstable/testing and Ubuntu Hardy Heron
It has recently been identified that the Festival text to speech server was vulnerable to unauthenticated remote code execution. Further research indicated that this vulnerability has already been reported as a local privilege escalation against both the Gentoo and SuSE GNU/Linux distributions and had been assigned CVE-2007-4074. The remote form of this vulnerability was originally identified in the default configuration of Festival 1.96~beta-5 as distributed in Debian unstable but Ubuntu Hardy Heron was also affected. Both Debian and Ubuntu have since released patches to resolve this flaw.

An advisory for this flaw which provides further information is attached. A short analysis of Debian's response can be found at http://www.nth-dimension.org.uk/blog.php?id=68.

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

Attachment: NDSA20080215.txt.asc
[Full-disclosure] Serious holes affecting SiteBar 3.3.8
All,

As a result of a short security audit of SiteBar, a number of security holes were found. The holes included code execution, a malicious redirect and multiple cases of Javascript injection. After liaising with the developers, the holes have been patched. Attached are the advisory and patch relating to these flaws.

CVEs open already relating to this audit:

* CVE-2006-3320 (Javascript injection) - previously reported by other parties but not resolved and so included for completeness
* CVE-2007-5492 (code execution) - first reported in my attached advisory to the vendor, independently rediscovered by Robert Buchholz of Gentoo whilst auditing the differences between the patched and unpatched versions (3.3.8 vs 3.3.9)
* CVE-2007-5491 (file permissions issue) - apparently patched by the vendor at the same time as my issues were resolved and discovered by Robert Buchholz of Gentoo whilst auditing the differences between the patched and unpatched versions (3.3.8 vs 3.3.9)

It is intended that CVE-2007-5492 will be updated to reference both code execution flaws I reported. All other issues in the advisory have been patched but no CVEs have yet been requested or assigned to the best of my knowledge.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

Index: command.php === --- command.php (revision 412) +++ command.php (working copy) @@ -94,8 +94,15 @@ { if (!$this-um-isAuthorized($this-command, in_array($this-command, array('Log In', 'Log Out', 'Sign Up')), -SB_reqVal('command_gid'), SB_reqVal('nid_acl'), SB_reqVal('lid_acl'))) +SB_reqValInt('command_gid'), SB_reqValInt('nid_acl'), SB_reqValInt('lid_acl'))) { +$bld = 'build' . $this-shortName(); +$cmd = 'command' . $this-shortName(); + +if (!method_exists($this,$bld) !method_exists($this,$cmd)) +{ +$this-command = 'Unknown command!'; +} $this-um-accessDenied(); return; } 
@@ -849,6 +856,7 @@ // be otherwise lost. Needed to go back. if ($disabled $params['type'] == 'text') { +$params['value'] = str_replace('',',$params['value']); ? input type=hidden name=?php echo SB_safeVal($params,'name') ? value=?php echo $params['value']? ?php @@ -857,6 +865,7 @@ if ($name{0} == '-') { +$params['value'] = str_replace('',',$params['value']); ? input type=hidden name=?php echo $params['name']? value=?php echo $params['value']? ?php @@ -927,7 +936,7 @@ } elseif (isset($params['type']) ($params['type'] == 'button') || ($params['type'] == 'addbutton')) { -if (!$this-um-isAuthorized($name,false,null,SB_reqVal('nid_acl'),SB_reqVal('lid_acl'))) continue; +if (!$this-um-isAuthorized($name,false,null,SB_reqValInt('nid_acl'),SB_reqValInt('lid_acl'))) continue; if ($params['type'] == 'button') { @@ -1664,7 +1673,7 @@ function buildDeleteTree() { -$node = $this-tree-getNode(SB_reqVal('nid_acl',true)); +$node = $this-tree-getNode(SB_reqValInt('nid_acl',true)); if (!$node) return null; $fields['Folder Name'] = array('name'='name','value'=$node-name, 'disabled'=null); @@ -1677,10 +1686,10 @@ function commandDeleteTree() { -$this-tree-removeNode(SB_reqVal('nid_acl'), false); +$this-tree-removeNode(SB_reqValInt('nid_acl'), false); if ($this-um-getParam('user','use_trash')) { -$this-tree-purgeNode(SB_reqVal('nid_acl')); +$this-tree-purgeNode(SB_reqValInt('nid_acl')); } SB_unsetVal('nid_acl'); $this-forwardCommand('Maintain Trees'); @@ -1834,7 +1843,8 @@ return; } -if (SB_reqChk('forward')) +// This should handle login from translator.php, we should avoid external redirect +if (SB_reqChk('forward') strpos(SB_reqVal('forward'),'/') === false) { header('Location: '.SB_reqVal('forward')); exit; 
@@ -2681,14 +2691,14 @@ return null; } -if (SB_reqVal('uid') == SB_ADMIN) +$uid = intval(SB_reqVal('uid')); + +if ($uid == SB_ADMIN) { $this-error('Cannot modify administrator!'); return null; } -$uid = SB_reqVal('uid'); - $fields = array(); $user = $this-um-getUser($uid); $fields['Username'] = array('name'='email', 'value'=$user['username'], 'disabled' = null); @@ -3960,7 +3970,7 @@ function buildAddFolder() { $fields = array(); -$node = $this-tree-getNode(SB_reqVal('nid_acl',true)); +$node = $this-tree-getNode(SB_reqValInt
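Review bot: In the command.php hunk at @@ -94,8 +94,15 the switch to SB_reqValInt() for command_gid, nid_acl and lid_acl is the right direction for values that end up in queries, but the helper's behaviour on a missing or non-numeric parameter is not visible here: if it returns 0, isAuthorized() must not treat 0 as a real group, node or link id. The added method_exists() block only substitutes the text 'Unknown command!' into $this->command before accessDenied(); anything that later reads $this->command as a command name will now see the message string, so a separate variable for the denial message would be cleaner.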
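Review bot: In the hidden-input hunks at @@ -849,6 +856,7 and @@ -857,6 +865,7 the value is escaped with a hand-rolled str_replace() (its arguments are mangled in the archived copy) immediately before being echoed into a value="..." attribute, while the name goes through SB_safeVal() in the first hunk and $params['name'] is echoed unescaped in the second. Use the same helper, SB_safeVal() or htmlspecialchars(), for both name and value in both places; a single-character replace is easy to get out of step with the rest of the file's escaping.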
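Review bot: In the forward hunk at @@ -1834,7 +1843,8 the added strpos(SB_reqVal('forward'),'/') === false test is a one-character denylist for the open redirect: it blocks 'http://host/...' and '//host' but nothing else, and a slash-free value such as 'http:host' is still resolved as an absolute URL by common user agents. Since the comment says the only legitimate use is the return from translator.php, an allow-list (the forward value must equal one of the application's own page names) is the safer check; if the denylist stays it should at least also reject ':' and '\'.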
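Review bot: In the user-edit hunk at @@ -2681,14 +2691,14 moving $uid = intval(SB_reqVal('uid')) ahead of the SB_ADMIN comparison fixes the previous loose string comparison, but intval() of an absent uid is 0, so $this->um->getUser(0) is now reachable; confirm it returns no user (and the build function then bails) rather than the first row.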
[Full-disclosure] SSHatter 0.6
All,

SSHatter, the SSH brute forcer, is now up to release 0.6. Changes since the last announcement include:

* Changes allowing rudimentary username enumeration via timing attacks (as described in http://www.securityfocus.com/archive/1/archive/1/448025/100/0/threaded) have been implemented. These changes have been validated against OpenSSH 3.5p1.
* Targets and usernames are now specified in a file and targets can now be specified one per line in the format hostname[:portnumber].
* Reconnection can optionally be enabled where support on connection failures have occurred.
* A default passwords list (taken from http://www.nth-dimension.org.uk/downloads.php?id=30) has also been added.
* Fixes for systems configured with AllowUsers have been added as these systems do not return Permission denied on Net::SSH::Perl->login().

This latest version can be downloaded from http://www.nth-dimension.org.uk/downloads.php?id=34. Remember, auditing systems without permission may be a crime, always read the label.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
On Monday 17 September 2007 13:26:36 Roger A. Grimes wrote:
> I'm sorry, we'll have to agree to disagree. I don't see the new attack vector here. I, the attacker, have to make you download my malicious trojan program, which you install on your computer.

Irrespective of the rest of what Roger says (which I agree with FTR), this bit is simply wrong. Look at the PoC that has been made public:

https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget-patches-in-ms07-048

It's not (just) about downloading malware gadgets. It's about exploiting vulnerabilities *in* gadgets (the default gadgets in Vista, in the case of the PoC). Essentially anywhere a gadget calls for example eval() on untrusted data you *may* have a problem.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Firstly, the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies. This is my general view on the gadget API.

On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote:
> PG> No, this is an entirely new level of attack,
> New level of attack, what makes you believe that?

As I previously stated, unlike Peter I don't consider this a new level of attack, I'm just a bit surprised that the threat model wasn't examined by Microsoft a little more closely before they decided to include the gadget API. Unlike other APIs that Microsoft have released there was no legacy requirement to include all of the new functionality highlighted in my paper. Moreover, irrespective of the design decisions how did at least 3 Microsoft gadgets get through SDL without input validation being tested and the vulnerabilities.

> PG> because it's moved the dancing bunnies problem onto the Windows desktop.
> Huh ? What is different to let's say the southpark worm we saw years ago? Or any other normal binary that promised to be a screensaver or similar ?

Because it's not just about downloading rogue gadgets. I don't want to overhype the gadget API - it's just another attack surface after all - but if you look at all the PoCs so far, the greater risk comes from malware being injected into 'trusted' gadgets.

> PG> Given what an incredible attack vector they are
> What is incredible in this attack vector ? What is actually new ? What is the difference with the "User downloads screensaver and gets owned" attack vector ?

Allowing gadgets - trusted or otherwise - to download and execute arbitrary parts of the internet becomes a tad more dangerous when you explicitly allow them access to APIs for reading and writing arbitrary files (subject to Vista ACLs) and executing arbitrary binaries. The process of securing IE has largely been to remove and mitigate such vectors by which this can occur, so why reintroduce them in non-legacy code?

Finally, why on earth does the trust model for gadgets consist of full trust and nothing more? Why not allow gadgets to state in their manifest that for example they don't need to execute things, won't make use of ActiveX controls and will only connect to a specific host?

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
On Saturday 15 September 2007 13:55:24 Peter Gutmann wrote:
> (The original article was cross-posted to a lot of lists, maybe the discussion could be moved to vuln-dev only, unless everyone wants to see all of this stuff).

I shall respond in turn to the interesting points from all responses.

Peter wrote:
> I first saw this issue covered at the AVAR conference last year (before Vista had even been released), there's only the abstract online at http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea of what the anti-virus guys are concerned about here.

Eric's talk seems to be a good start on risk analysis of gadgets generically. The design of Vista gadgets seems particularly troubling since it seemed to have several design flaws which were the subject of the paper.

> Given what an incredible attack vector they are (it's pretty much an open invitation to get malware onto PCs), I'm amazed there haven't been any serious exploits yet. I guess the relatively low uptake of Vista (compared to the XP installed base) has meant that they're not a significant target for the malware industry just yet, since it's still more profitable to do a drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.

Likewise, I was amazed when I got the tip off about gadgets from a developer friend at the turn of the year. We've seen 3 PoC exploits so far, so I'm sure the malware community will be taking note.

Todd wrote:
> Good paper; Since this is out there I figure I'll forward the much shorter article I wrote that details an attack against the contact gadget, which was patched last month.

Thanks, it's pretty interesting to see the various PoC coming out almost in synchronisation with the paper. I'm glad I'm not the only one concerned by the functionality they provide.

Roger wrote:
> Yes, this is a new attack vector, but it is always game over anyway if I can get you to run my untrusted program. In my testing, installing any Vista sidebar gadget results in a minimum of 3 warnings, each saying that the code being installed could be harmful, before it is installed. 5 warnings if the gadget is unsigned.

New, maybe not... it's simply a mashup (to use another buzzword ;)) of numerous existing attack vectors. What's interesting here for me is that the gadget API is a new codebase and still we're facing Microsoft making the same old mistakes. Honestly, irrespective of design flaws, how did the already reported vulnerable gadgets make it through the SDL? We're talking about basic input validation flaws in a web app after all. That for me is the crux. It's not just about the dangers of installing rogue gadgets but the exploitation of existing gadgets.

> It's something to be aware of, because malicious hackers will exploit them, and many end-users will ignore any warning, but not the most worrisome problem on my plate. Secondly, I can completely control the install of any gadgets in my environment using Active Directory group policies to a granular level.

I would like to think my paper is fair in this regard. I have provided details of Microsoft's mitigations including the AD policy stuff in the references section of the paper.

Aviv wrote:
> I don't understand why Microsoft rated this vulnerability as important, instead of critical.

As Peter wrote, maybe it's the size of the install base ;). I would guess that it's because you'll only end up with user level accounts. Although I suspect they haven't counted on ad fraud attacks, hijacking of cookies etc in their risk analysis.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
[Full-disclosure] Next generation malware: Windows Vista's gadget API
A paper has just been released on the Windows Vista's gadget API. The abstract is as follows:

Windows has had the ability to embed HTML into its user interface for many years. Right back to and including Windows NT 4.0, it has been possible to embed HTML into the task bar, but the OS has always maintained a sandbox, from which the HTML has been unable to escape. All this changes with Windows Vista. This paper seeks to inform system administrators, users and the wider community on both potential attack vectors using gadgets and the mitigations provided by Windows Vista.

The full paper can be found at http://www.portcullis-security.com/165.php.

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
[Full-disclosure] Tutorial on Fuzzled
In preparation for the imminent release of Fuzzled 1.1, I spent this evening writing a short paper entitled "Writing a fuzzer using the Fuzzled framework". The paper includes some of the techniques I use to dismantle protocols including documentation, observation and static analysis. It then moves on to the fundamentals of implementing a protocol using the framework. I talk about base requests, namespaces and tying them together with factories with reference to Fuzzled::Protocol::HTTP, an example included in the framework. The paper also highlights a few tricks to the framework, including developing multi-threaded fuzzers, identifying offsets and parsing packets. It ends with my techniques to identify vulnerabilities highlighted by fuzzers.

I'm sure none of the techniques themselves are new, but the application of them in the context of using the Fuzzled framework may provide some inspiration to others.

The full paper can be found at: http://www.nth-dimension.org.uk/utils/get.php?downloadsid=35.

Cheers,
Tim

PS If anyone wants to try a release candidate of Fuzzled 1.1, contact me off list and we'll see what we can do.
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
[Full-disclosure] SSHatter
All,

Whilst working on the next version of Fuzzled, I started playing with Parallel::ForkManager. At the same time, a friend was bemoaning not having a tool to carry out auditing of passwords via SSH. A couple of hours later, SSHatter was born.

SSHatter is a password brute forcer for SSH; it is multi-threaded and can audit more than one system and account in a given session. It can be downloaded from http://www.nth-dimension.org.uk/downloads.php?id=34.

Credit must be given to the authors of Parallel::ForkManager (Szabó, Balázs (dLux)) and Net::SSH::Perl (Benjamin Trott, David Rolsky, David Robins) on whose code SSHatter is dependent.

Remember, auditing systems without permission may be a crime, always read the label.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
[Full-disclosure] Serious holes affecting JFFNMS
As a result of a short security audit of JFFNMS, a number of security holes were found, even from the perspective of a non authenticated user. The holes included authentication bypass via SQL injection, Javascript injection and a serious case of information disclosure. After liaising with the developers, the holes have been resolved. Attached are the advisory and patch relating to these flaws.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre2/htdocs/admin/adm/test.php --- jffnms-0.8.3/htdocs/admin/adm/test.php 2006-09-16 20:31:13.0 -0300 +++ jffnms-0.8.4-pre2/htdocs/admin/adm/test.php 1969-12-31 21:00:00.0 -0300 @@ -1 +0,0 @@ -? phpinfo(); ? \ No newline at end of file diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre2/htdocs/auth.php --- jffnms-0.8.3/htdocs/auth.php 2006-09-16 20:31:13.0 -0300 +++ jffnms-0.8.4-pre2/htdocs/auth.php 2002-08-13 23:14:54.228705056 -0300 @@ -46,11 +46,6 @@ session_start(); } - if (($jffnms_version==0.0.0) ($_SERVER[REMOTE_ADDR]==128.30.52.13)) { //W3C Validator - $_REQUEST[user]=admin; - $_REQUEST[pass]=admin; - } - if (!isset($_SESSION[authentification])) $authentification = $jffnms-authenticate ($_REQUEST[user],$_REQUEST[pass],true,from .$_SERVER[REMOTE_ADDR]); diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre2/lib/api.classes.inc.php --- jffnms-0.8.3/lib/api.classes.inc.php 2006-09-16 20:31:14.0 -0300 +++ jffnms-0.8.4-pre2/lib/api.classes.inc.php 2002-08-13 23:14:55.656488000 -0300 
@@ -677,7 +677,7 @@ $auth_type = 1; $cant_auth = 0; - if (isset($user) isset($pass)) { + if (preg_match(/[EMAIL PROTECTED],20}$/, $user) isset($pass)) { $query_auth = select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'; $result_auth = db_query ($query_auth); $cant_auth = db_num_rows($result_auth); @@ -693,18 +693,20 @@ } if (($auth==0) ($cant_auth == 0)){ //not found in DB - if (isset($user) isset($pass)) { + + if (preg_match(/[EMAIL PROTECTED],20}$/, $user) isset($pass)) { $query_auth = select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'; $result_auth = db_query ($query_auth); $auth = db_num_rows( $result_auth); } + if ($auth==1) { $reg = db_fetch_array($result_auth); $auth_type = 2; } } - if (($log_event==true) (!empty($user))) + if (($log_event==true) preg_match(/[EMAIL PROTECTED],20}$/, $user)) insert_event(date(Y-m-d H:i:s,time()),get_config_option(jffnms_internal_type),1,Login,(($auth==1)?successful:failed),$user,$log_event_info,,0); unset ($reg[passwd]);

Attachment: NDSA20070524.txt.asc
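Review bot: The first hunk deletes htdocs/admin/adm/test.php, a bare phpinfo() page under the web root; the deletion is right, but a file removed from the tree is not removed from existing installations by a code update, so the upgrade notes or packaging should delete it explicitly.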
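Review bot: The auth.php hunk at @@ -46,11 +46,6 removes a hard-coded bypass that set $_REQUEST[user] and $_REQUEST[pass] to admin whenever $jffnms_version was 0.0.0 and REMOTE_ADDR was 128.30.52.13 (the "W3C Validator" comment suggests it was a development convenience); beyond deleting it, a search of the rest of the tree for similar version- or address-gated test branches is worthwhile before release, since the remaining code passes those request values straight into $jffnms->authenticate().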
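Review bot: In the api.classes.inc.php hunks at @@ -677,7 +677,7 and @@ -693,18 +693,20 the username is now constrained by a preg_match() (the pattern is mangled in the archived copy by the list's address obfuscation), but both queries still interpolate the raw request values: usern = '$user' in the first and username= '$user' and password = '$pass' in the second, where $pass is only checked with isset(). The whitelist on $user narrows the SQL injection the advisory reports but does not close it for the clients query; quote both values with the database layer's escaping function or use a parameterised query, and compare the password after fetching the row rather than inside the WHERE clause.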
Re: [Full-disclosure] Medium security hole affecting DSL-G624T
On Thursday 03 May 2007 22:13:15 3APA3A wrote:
> This vulnerability for D-Link DSL-G624T was already reported by Jose Ramon Palanco. See http://securityvulns.ru/Odocument816.html
>
> Previously, same problem was reported for D-Link DSL-G604T by Qex http://securityvulns.ru/Mdocument578.html
>
> There were also few more problems reported about /cgi-bin/webcm, see http://securityvulns.ru/Idocument664.html http://securityvulns.ru/Idocument759.html

I quite agree, the Summary of my attached advisory makes this point. However, as I also point out in the Solutions section, all of the issues you list were against major version 1 of the firmware. We're now at major version 3 and directory traversal is still a problem. Moreover, the advisories that cover directory traversal (http://securityvulns.ru/Mdocument578.html and http://securityvulns.ru/Mdocument578.html) only talk about /etc/passwd, neglecting the fact that the web server runs as root and that /etc/shadow is therefore available.

Secondly, the Javascript injection issue described is as far as I know /entirely new/. It's not a short walk to the point where these two issues alone could be used to compromise devices, irrespective of the firmware issues you also link to.

Maybe, I'm hoping that by version 10 of the firmware in the year 2014, D-Link may actually manage to fix some of these reported problems? Moreover, maybe they'll actually make it possible for researchers to report these things in a manner whereby they actually respond to the reports when contacted. Not holding my breath though.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
[Full-disclosure] Fuzzled - Perl fuzzing framework
Having noticed the popularity of fuzzing tools recently, I was feeling a bit left out. Where is the Perl framework to complete the family? With that in mind I've spent the last months working on something that should fill the gap - Fuzzled.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them.

Fuzzled v1.0 can be found at http://www.portcullis-security.com/16.php.

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
[Full-disclosure] Medium level security hole in FreeProxy
The FreeProxy HTTP proxy server suffers from a denial of service condition which causes the server to hang. This occurs when an attacker makes a request for the hostname/portnumber combination in use by the server itself. The vendor was notified on the 10th January 2007 and a fix was made available on the 24th. Full details can be found in the attached advisory.

-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

Attachment: NDSA20070206.txt.asc
[Full-disclosure] Low security hole affecting IPCalc's CGI wrapper
Hi,

I believe I've found a low level security hole relating to the way IPCalc's CGI wrapper sanitises input, which allows Javascript injection. The hole is considered low since IPCalc's CGI wrapper has no privileged functionality, however of course it might be possible to use it as a vector to attack other applications hosted on the same web server.

I contacted the author (Krischan Jodies - http://www.jodies.de/) on the 7th, offering them 14 days to respond, but have had no reply to acknowledge that the problem even exists, so I've decided to publish this warning.

Tim
-- 
Tim Brown, Nth Dimension
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/

Attachment: NDSA20060705.txt.asc
Re: [Full-disclosure] thc.org
On Wednesday 28 June 2006 16:35, joe haldon wrote:
> Hey thc.org is down. anyone know if those guys will come back? also, off-topic but what ever happened to windowmaker.org :(

http://thc.segfault.net/

-- 
Tim Brown
mailto:[EMAIL PROTECTED]
Re: [Full-disclosure] A Move to Remove
On Friday 31 March 2006 14:50, Edward Pearson wrote:

> Please don't turn this into spam/flame/troll. This is a quick note to say, would all those who'd like n3td3v (the world's greatest hacker and legend in his own mind) to unsubscribe from this list, and not post again, please make it known.

An observation; by my calculations there have been 876 posts referencing n3td3v, of which only 230 belong to n3td3v. If everyone configured filters to suit their tastes (this is f-d and should therefore NOT be filtered at source), we'd be down by 646 emails. The point is that those of you who complain about him are as much of the problem as he is or isn't, since you increase the noise on the wire.

Tim

--
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.machine.org.uk/
[Full-disclosure] Misunderstanding Javascript injection: A paper on web application abuse via Javascript injection
Hi,

I've just released a paper (to be found at http://www.nth-dimension.org.uk/news/entry.php?e=156579087) which covers two issues with Javascript injection that I've recently been playing with: that of Javascript injection via CSS manipulation and, furthermore, the use of AJAX within injection points. I realise that perhaps neither are massively new (certainly the MySpace worm touches on the AJAX issues discussed) but I found it interesting and hope others may do too.

Tim

--
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.machine.org.uk/
Re: [Full-disclosure] Call to participate: GNessUs security scanner
On Mon, 10 Oct 2005, security curmudgeon wrote:

> Hi Tim, Don't take this as anything but honest questions please! I am curious

Not at all. Apologies for not replying sooner.

*snip*

> All that said, my questions: Why do you see a need to fork the Nessus tree at this time? Why haven't you or anyone else contributed in the past? Finally, do you think that if more people supported Nessus with contributions of code/time/enhancements, that they would have kept things the same?

I guess for me personally, there have been two reasons for this. Until I moved jobs just under a year ago, whilst I was engaged in security testing/research, the role I occupied was not one where I had time, support or desire to get involved in Nessus. Secondly, the rumblings for me started when the announcement was made of the splitting of the plugin feed. I guess up until that point, people were happy with Tenable's stewardship of the project. A number of those who I've talked to *have* been involved in Nessus in the past and expressed a concern as to the direction the project was taking.

Cheers,

Tim

PS GNessUs is going to have to be renamed, why not join gnessus-announce and gnessus-discuss and help us set the name/agenda.

--
Tim Brown, GNessUs
mailto:[EMAIL PROTECTED]
http://www.gnessus.org/
Re: [Full-disclosure] Call to participate: GNessUs security scanner
On Tue, 11 Oct 2005, [EMAIL PROTECTED] wrote:

> All in all, instead of a fork, I'd rather see planning to make sure somebody is ready to take over stewardship/maintenance of the code when Tenable finally wants to get out of keeping the Nessus 2.X tree.

Valdis, I would say this is one of the main goals I have. To look forwards to this time and make sure adequate infrastructure is in place.

PS GNessUs is going to have to be renamed, why not join gnessus-announce and gnessus-discuss and help us set the name/agenda.

--
Tim Brown, GNessUs
mailto:[EMAIL PROTECTED]
http://www.gnessus.org/
Re: [Full-disclosure] Call to participate: GNessUs security scanner
On Tue, 11 Oct 2005, MadHat wrote:

> Not all of 2.2 is GPL. Many of the NASL scripts are not, and this includes ALL of the SMB stuff. Only the engine is GPL. All of the SMB stuff (meaning the functions to connect to Windows shares and query the registry and check SMB specific stuff) is implemented in NASL code, not in the engine. When 2.2 came out, the shift to non-GPL scripts changed more than just the checks; some of the inner workings of NASL through include scripts and dependencies also became non-GPL, though I don't think most people noticed this.

It has been observed. This is one reason we chose the GNU/Debian code base rather than a straight copy from CVS. If anyone is likely to have cleaned non-GPLd code, it will be them. That being said, one of the first jobs I have pencilled in is to carry out a full source code review to ensure the code we distribute is GPL.

Cheers,

Tim

--
Tim Brown, GNessUs
mailto:[EMAIL PROTECTED]
http://www.gnessus.org/
[Full-disclosure] Call to participate: GNessUs security scanner
GNessUs is a GPL fork of the Nessus security scanner. As a result of recent announcements by Tenable, we believe a fork of Nessus is required to allow future free development of this tool. Whilst we would like to believe that we will be able to continue to take updates of the Nessus 2 source code from the Nessus web site, we will be endeavoring to add fresh functionality and plugins as part of the GNessUs project. The fork will be based on the current Nessus 2.2.5 packages from GNU/Debian, the source of which can be found above in a slightly modified form.

We would welcome contact from any interested developers. This intention to fork has come after numerous pub and work discussions between myself and colleagues of mine from within the UK security industry.

Cheers,

Tim

--
Tim Brown, GNessUs
mailto:[EMAIL PROTECTED]
http://www.gnessus.org/
[Full-disclosure] Low security hole affecting Mentor's ADSLFR4II router
I've found a number of low risk issues with Mentor's ADSLFR4II router. I initially spoke to them on the 20th July, passing them full details of my findings on the 21st of July. I then emailed them again on the 4th of August asking for an update and notifying them of my intent to publish after close of business on the 11th of August unless I received adequate assurance that they are working on these issues. As it stands, I've had no contact since the 21st July and therefore have decided to publish this warning:

Nth Dimension Security Advisory (NDSA20050719)

Date: 19th July 2005
Author: Tim Brown mailto:[EMAIL PROTECTED]
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: ADSL-FR4II router (firmware v.2.00.0111 2004.04.09) http://www.bona.com.tw:8080/product/ADSL-FR4II.htm
Vendor: Mentor http://www.bona.com.tw/
Risk: Low

Summary

This product has 4 vulnerabilities.

1) An undocumented port 5678/tcp is open on the internal interface, which allows access to the web application used to administer the router.
2) There is no default password configured for the web application user to administer the router.
3) The router's state table for active TCP connections to the device is such that a simple scan of all ports will prevent the router responding to valid connections to open TCP ports.
4) Backup configuration files downloaded from the router contain the administrative password for the web application used to configure the router in plain text.

Technical Details

1) Connecting to port 5678/tcp on the router's internal IP with a web browser presents the same web application as can be found on port 80/tcp. It may therefore be possible to access the application even where internal firewalls are blocking access to port 80/tcp. This would be of particular concern if there is another password that will allow access to the application in a similar manner to that described in http://www.securityfocus.com/bid/12507.
2) By default, the web application used to administer the router does not have a password configured. If a password is not configured then, in combination with vulnerability 1, it may be possible to compromise the router.
3) Running scanrand ip:all will prevent the router responding to valid connections to open TCP ports on either the external or internal interface, most likely due to the state table becoming full.
4) Running strings over backup configuration files downloaded from the router reveals the administrative password for the web application used to configure the router in plain text. If a system holding one of these backup configuration files is compromised then it may be possible to compromise the router.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time.

Cheers,

Tim

--
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.machine.org.uk/
[Full-disclosure] Port scanner for Windows CE
Does anyone happen to know of a decent port scanner for Windows CE? I'm on a job where the only way we can see the infrastructure we're testing is from a Windows CE device. In fact, whilst I'm here, are there any other tools that might be useful? We're hitting a proxy, so maybe some kind of intercepting proxy / packet sniffer, if such a beast exists for Windows CE.

Cheers,

Tim

--
Tim Brown, Portcullis Computer Security Ltd
mailto:[EMAIL PROTECTED]
http://www.portcullis-security.com/