Dan Kaminsky
Launch Internet Explorer 9 on Windows 7 (probably other IE/Win works too), go to File->Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better?
Cheers,
Mitja
On Jul 8, 2011, at 9:10 PM, Dan Kaminsky <dan@doxpara.com> wrote:
> And here's where your exploit stops being one:
>
> ===
> Suppose the current version of Apple Safari (5.0.5) is our default web
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS spoofing and cache poisoning attacks. Among
other things, successful attacks can lead to misdirected web traffic
and email rerouting.
At this time, it is not possible to implement the recommended
engines. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-3070,
CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075)
Jesse Ruderman and Dan Kaminsky discovered that Firefox did not adequately
inform users when security modules were added or removed via PKCS11. If
a user visited a malicious website, an attacker could exploit this to
trick the user into installing a malicious PKCS11 module. (CVE-2009-3076)
It was discovered that Firefox did not properly manage memory when using
Jordi Chancel discovered that Firefox did not properly display invalid URLs
for a blank page. If a user were tricked into accessing a malicious
website, an attacker could exploit this to spoof the location bar, such as
in a phishing attack. (CVE-2009-3985)
David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third
party media libraries. If a user were tricked into opening a crafted media
file, a remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3388, CVE-2009-3389)
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
The BIND 8 legacy code base could not be updated to include the
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490217
Multiple weaknesses have been identified in PyDNS, a DNS client
implementation for the Python language. Dan Kaminsky identified a
practical vector of DNS response spoofing and cache poisoning,
exploiting the limited entropy in a DNS transaction ID and lack of
UDP source port randomization in many DNS implementations. Scott
Kitterman noted that python-dns is vulnerable to this predictability,
as it randomizes neither its transaction ID nor its source port.
code that handles regular expressions in certificate names. This
vulnerability could be used to compromise the browser and run arbitrary
code by presenting a specially crafted certificate to the client
(CVE-2009-2404).
IOActive security researcher Dan Kaminsky reported a mismatch in the
treatment of domain names in SSL certificates between SSL clients and
the Certificate Authorities (CA) which issue server certificates. These
certificates could be used to intercept and potentially alter encrypted
communication between the client and a server such as sensitive bank
account transactions (CVE-2009-2408).
[Sorry for duplicates, but I got multiple requests for a non-HTML
version, and I didn't want to fork the thread. Also sorry for
initially sending HTML; I didn't realize it was so abhorrent these
days. ]
On Fri, Aug 8, 2008 at 1:43 PM, Dan Kaminsky <dan@doxpara.com> wrote:
>>
>> It's easy to compute all the public keys that will be generated
>> by the broken PRNG. The clients could embed that list and refuse
>> to accept any certificate containing one of them. So, this
>> is distinct from CRLs in that it doesn't require knowing which servers have which cert...
Not in my testing, at least not for junctions and symlinks. User with
requisite authority could traverse the junctions and symlinks locally,
but not remotely via a share.
> But as Dan Kaminsky pointed out, you need to have administrative rights
> to remotely create a junction on an SMB share, so the non-admin user
> can't get himself access to files outside a share he's allowed to
> access.
was followed up by further refinements and advancement of attack
techniques by Vagner Sacramento [4] and Joe Stewart [5] in 2002. Amit
Klein further investigated query Id predictability in BIND version 9[6]
and Windows DNS[7] server implementations in 2007. In 2008 a much
publicized advancement of the DNS cache poisoning technique was
disclosed by Dan Kaminsky [8] in conjunction with the release of
security fixes by several vendors. Microsoft's MS08-037
[http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx] Security
Bulletin addressed those DNS spoofing techniques in Windows DNS client
and server software.
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Dan Kaminsky discovered OpenSSL would still accept certificates with MD2
hash signatures. As a result, an attacker could potentially create a
malicious trusted certificate to impersonate another site. This update
handles this issue by completely disabling MD2 for certificate validation.
can see Joxean's app is meant to group files of the same 'type,' not
provide 'diff' capabilities.
-Travis
On Tue, Jan 5, 2010 at 9:51 AM, Dan Kaminsky <dan@doxpara.com> wrote:
> I looked into a fair amount of this sort of normalization back when I was
> playing with dotplots. The idea was to upgrade from simple Levenshtein
> string comparison (with no knowledge of variable length x86 instructions,
> pointers that shift from compile to compile, etc) to something with at least
> some domain specific knowledge. What I found, somewhat surprisingly, was
- Charles Miller, Real World Fuzzing
CONFERENCE - Fri, Oct 19th to Sun, Oct 21st - $70
- Dan Kaminsky, Black Ops 2007: Design Reviewing the Web
- Charles Miller, Fuzzing with Code Coverage by Example
- Remorse, Textella: An Alternative Application of Peer to Peer
Structured Networks
- Matt Miller, Cthulhu: A software analysis framework built on Phoenix
- Scott Moulton, Advanced Hacking Flash/Hard Drive Recoveries
Jordi Chancel discovered that Firefox did not properly display invalid URLs
for a blank page. If a user were tricked into accessing a malicious
website, an attacker could exploit this to spoof the location bar, such as
in a phishing attack. (CVE-2009-3985)
David Keeler, Bob Clary, and Dan Kaminsky discovered several flaws in third
party media libraries. If a user were tricked into opening a crafted media
file, a remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3388, CVE-2009-3389)
Problem type : remote (local)
Debian-specific: no
CVE Id : CVE-2009-3389
Debian Bug : 572950
Bob Clary, Dan Kaminsky and David Keeler discovered that in libtheora, a
video library that is part of the Ogg project, several flaws allow
context-dependent attackers, via a large and specially crafted media
file, to cause a denial of service (crash of the player using this
library) and possibly arbitrary code execution.
Topic: DNS cache poisoning
Category: contrib
Module: bind
Announced: 2008-07-13
Credits: Dan Kaminsky
Affects: All supported FreeBSD versions.
Corrected: 2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
At Fri, 08 Aug 2008 10:43:53 -0700,
Dan Kaminsky wrote:
> Eric Rescorla wrote:
> > It's easy to compute all the public keys that will be generated
> > by the broken PRNG. The clients could embed that list and refuse
> > to accept any certificate containing one of them. So, this
> > is distinct from CRLs in that it doesn't require knowing
> > which servers have which cert...
> Funnily enough I was just working on this -- and found that we'd end up
> adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am
On Feb 6, 2010, at 5:26 PM, "Stefan Kanthak" <stefan.kanthak@nexgo.de>
wrote:
> Dan Kaminsky wrote on February 06, 2010 6:43 PM:
>
>> You need admin rights to create junctions.
>
> OUCH!
> No, creating junctions (as well as the Vista introduced symlinks)
Dan Kaminsky wrote:
>
>
> Eric Rescorla wrote:
>> At Fri, 8 Aug 2008 17:31:15 +0100,
>> Dave Korn wrote:
>>
>>> Eric Rescorla wrote on 08 August 2008 16:06:
>>>
>>>
1 net-dns/bind < 9.4.2_p1 >= 9.4.2_p1
Description
===========
Dan Kaminsky of IOActive has reported a weakness in the DNS protocol
related to insufficient randomness of DNS transaction IDs and query
source ports.
Impact
======
Here's some talks to expect at the conference:
Keynote: Vernor Vinge
Some Consequences of Ubiquity
Dan Kaminsky
TBA
Joshua Wright
KillerBee: Practical ZigBee Exploitation Framework
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A weakness was found in the DNS protocol by Dan Kaminsky. A remote
attacker could exploit this weakness to spoof DNS entries and poison
DNS caches. This could be used to misdirect users and services;
i.e. for web and email traffic (CVE-2008-1447).
This update provides the latest stable BIND releases for all platforms
Dan Kaminsky wrote on February 06, 2010 6:43 PM:
> You need admin rights to create junctions.
OUCH!
No, creating junctions (as well as the Vista introduced symlinks)
DOESN'T need admin rights!
[snip]
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
> bounces@lists.grok.org.uk] On Behalf Of ACROS Security Lists
> Sent: Thursday, June 02, 2011 8:42 AM
> To: 'Dan Kaminsky'; security@acrossecurity.com
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] COM Server-Based Binary Planting Proof
> OfConcept
>
> It would hardly be worth mentioning otherwise.
Getting browsers, or OpenID installations, to check CRLs or use OCSP to
check for freshness is likely to be slow going. At this point I think
the momentum still favors fixing the remaining DNS systems that are
vulnerable to cache poisoning. This turnkey-MITM bug makes OpenSSL bad
certs far more exploitable, as Dan Kaminsky pointed out in his report.
OpenID is just one example of many where this is going to keep happening
as long as DNS is unpatched.
I thought of one possible mitigation that can protect OpenID end users
against remote web sites which have not patched their DNS. OpenID
could lead to local denial of service if a malformed filesystem image is
mounted.
CVE-2011-3188
Dan Kaminsky reported a weakness of the sequence number generation in the
TCP protocol implementation. This can be used by remote attackers to inject
packets into an active session.
CVE-2011-3191
111 W. Harbor Drive
San Diego, CA 92101
http://www.sdccc.org
SATURDAY - 50 minute talks
Dan Kaminsky - TBA
Alexander Sotirov - How To Impress Girls With Browser Memory Protection Bypass
Ben Feinstein - Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln
grutz - One XSS To Rule The Enterprise
Jason Ostrom - Targeted VoIP Eavesdropping: An Attack From Within
Jay Beale - Owning the Users with The Middler
library breaking the resolution of UTF-8 encoded record names. An
updated release is available which corrects this problem. For
reference, the original advisory text follows.
Multiple weaknesses have been identified in PyDNS, a DNS client
implementation for the Python language. Dan Kaminsky identified a
practical vector of DNS response spoofing and cache poisoning,
exploiting the limited entropy in a DNS transaction ID and lack of
UDP source port randomization in many DNS implementations. Scott
Kitterman noted that python-dns is vulnerable to this predictability,
as it randomizes neither its transaction ID nor its source port.
Moxie Marlinspike discovered that a buffer overflow in the regular
expression parser could lead to the execution of arbitrary code.
CVE-2009-2408
Dan Kaminsky discovered that NULL characters in certificate
names could lead to man-in-the-middle attacks by tricking the user
into accepting a rogue certificate.
CVE-2009-2409
After a standard system upgrade you need to restart Dnsmasq to effect
the necessary changes.
Details follow:
Dan Kaminsky discovered weaknesses in the DNS protocol as implemented
by Dnsmasq. A remote attacker could exploit this to spoof DNS entries
and poison DNS caches. Among other things, this could lead to
misdirected email and web traffic.