IP addresses
If you read your own post you would realize that Mitsubishi
kept the device IP address prefix as 192.168.1, so only you can attack
yourself.
192.168 cannot be accessed from the Internet ;-) [unless you NAT, at which
point it's your NAT config problem]
-----Original Message-----
80/tcp open http Dell Embedded Remote Access card webserver 1.0
443/tcp open ssl/http Dell Remote Access Controller http interface 2.0
5900/tcp open vnc?
Service Info: Devices: terminal server, remote management
Nmap finished: 1 IP address (1 host up) scanned in 21.559 seconds
$
To bring the SSH daemon running at the DRAC4 down, the following command
can be used in combination with the already described nmap version:
dlsw local-peer promiscuous
or
dlsw local-peer peer-id <IP address> promiscuous
To determine the software that runs on a Cisco IOS device, log in to
the device and issue the "show version" command to display the system
banner. Cisco IOS Software identifies itself as "Cisco Internetwork
Operating System Software" or "Cisco IOS Software." Other Cisco devices
layer 3 access, dropping all SNMP queries destined to the IE3000:
!---
!--- Deny SNMP traffic from all other sources destined to
!--- configured IP addresses on the IE3000.
!---
access-list 150 deny udp any host 192.168.0.1 eq snmp
access-list 150 deny udp any host 192.168.1.1 eq snmp
1. IBM Tivoli Provisioning Manager Express Multiple Cross-Site
Scripting Vulnerabilities
2. IBM Tivoli Provisioning Manager Express Remote Username
Enumeration Weakness
3. Computer Associates eTrust Threat Management Console
IP Address HTML Injection Weakness
4. Gadu-Gadu Skin Attribute Handling Remote Denial of Service
Vulnerability
5. Gadu-Gadu Remote User Addition Vulnerability
Cross-Site Scripting and Arbitrary File Access vulnerabilities are caused by
assigning a variable from client data in the file shopsessionsubs.asp, in
Sub CookielessGenerateFilename:
ipaddress = Request.Servervariables("REMOTE_HOST")
The variable ipaddress is then concatenated with other data in
Sub CookielessGenerateFilename to construct a file name:
tempname=prefix & "_" & mm & dd & yy & "_" & Ipaddress
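The security point here is that REMOTE_HOST is not a trustworthy string: when IIS performs reverse lookups it is the PTR name of the client address, and whoever controls that PTR record chooses its contents. The following Python is an added example, not code from the advisory or from the vendor: it reproduces the vulnerable concatenation next to a hardened variant that validates the value and never lets client bytes reach the file name. The host values, prefix and session directory are constructed for illustration.

```python
import hashlib
import os
import re

# Constructed sample values. REMOTE_HOST is the reverse-DNS name of the
# client when reverse lookups are enabled, so the owner of the client's
# PTR record controls the string; it is only an IP when lookups are off.
BENIGN_HOST = "203.0.113.7"
HOSTILE_HOST = "../../../inetpub/wwwroot/evil.asp"   # hostile PTR content

# Characters a hostname or dotted-quad IP may legitimately contain.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_tempname(prefix, mm, dd, yy, ipaddress):
    """Same construction as Sub CookielessGenerateFilename: the client
    supplied string is concatenated straight into the file name."""
    return prefix + "_" + mm + dd + yy + "_" + ipaddress


def inside_directory(session_dir, name):
    """True if session_dir/name, after normalisation, is still under
    session_dir; False when '..' components walked out of it."""
    base = os.path.abspath(session_dir)
    full = os.path.abspath(os.path.join(base, name))
    return full == base or full.startswith(base + os.sep)


def safe_tempname(prefix, mm, dd, yy, ipaddress, session_dir="sessions"):
    """Hardened variant (added here, not the vendor's fix).
    1. Reject anything that is not hostname/IP syntax; this also stops
       '<' and '>' so the value cannot carry script when echoed back.
    2. Store a digest of the value instead of the value itself, so no
       client-controlled bytes end up in the path at all.
    3. Re-check that the resulting path is inside the session directory."""
    if not HOST_RE.match(ipaddress):
        raise ValueError("REMOTE_HOST is not a valid hostname or IP address")
    token = hashlib.sha256(ipaddress.encode("ascii")).hexdigest()[:16]
    name = prefix + "_" + mm + dd + yy + "_" + token
    if not inside_directory(session_dir, name):
        raise ValueError("session file name escaped the session directory")
    return name
```

With the hostile value the vulnerable name resolves to a path outside the session directory; the hardened version rejects it before any path is built, and the digest keeps the per-client uniqueness the original code wanted from the address.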
The Domain Name System is an integral part of networks that are based
on TCP/IP such as the Internet. Simply stated, the Domain Name System
is a hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.
A DNS server is an application that implements the DNS protocol and that
has the ability to respond to queries made by DNS clients. When handling
activities (e.g., multiple new account creation requests)
- Temporary account locking in case of detecting unusual use of the
user account (e.g., when doing multiple consecutive requests to the
same resource).
- Detection of concurrent access to the account from different
geolocated IP addresses, added to the number of these accesses.
- Etc.
Anyway, is it possible to abuse the "Check for mail using POP3"
capability to do attacks on the passwords of the users in an automated
way, evading all referred security restrictions and controls and doing
Details
=======
In Cisco IOS Software an object group can contain a single object
(such as a single IP address, network, or subnet) or multiple objects
(such as a combination of multiple IP addresses, networks, or
subnets). In an ACL that is based on an object group, administrators
can create a single access control entry (ACE) that uses an object
group name instead of creating many ACEs, which each would require a
different IP address. A similar object group, such as a protocol port
if ( $comment_url != '' ) {
    $save_data[ 'URL' ] = clean_post_text( $comment_url );
}

$save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
$save_data[ 'MODERATIONFLAG' ] = $hold_flag;

// Implode the array
$str = implode_with_keys( $save_data );

...
}
}
As we can see in [2] there is an unsafe call to sprintf(). Its 'name'
argument is the reverse DNS name of the IP address. The details of exploiting
this situation will come later, because normally we can't do that!
Now let's look at what calls this function:
"display.c"
Workarounds
===========
It is possible to mitigate the vulnerabilities in this advisory by
disabling the translation of embedded IP addresses in the payload of
IP packets. Disabling NAT for the different protocols requires
different configurations. For some protocols, a single command can be
used. Other protocols require individual NAT translation rules be
added to the configuration.
-h for help
options:
--version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10
--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security
Information Portal <cross-site-scripting-security@xssworm.com> wrote:
>
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering
Hi Yossi,
Are you doing something funky with your IP address, e.g., NAT'ed/short DHCP
lease? The reason I ask is because in 2008, Adrian Pastor stated
authentication in the 3Com Wireless 8760 was linked to the source IP
address [1]. It may well be the case (as you have discovered) that it
allows arbitrary IP addresses to access the config once an administrator
has authenticated... However, I just wanted to hit this badboy up in case
there was some confusion.
"Disabled".
Disabling remote management limits the exposure of the
vulnerabilities to those on the local LAN.
* Limit remote management access to specific IP addresses
If remote management is required, harden the device so that it
can be accessed only by certain IP addresses, rather than the
default setting of "any". By entering the configuration screen at
Firewall --> Basic Settings, an administrator can change the
"Remote IP address" field to ensure only devices with the specified
Msn messenger 8.5.1
-------------------------------
Description :
The MSNP15 protocol used by Windows Live Messenger Client 8.5.1 transmits
the public and private IP address information to the other party. This
happens during a conversation started by someone in your contacts list.
By analyzing the conversation with Wireshark, one can see that in
addition to passing information such as the sessionid, the Cal and the
Ringing, it also passes Ipv4ExternalAddrsAndPorts
return (TrustedHost)aobj[0];
}
..
a request to the FlashServiceImpl Axis2 Web Service is originated;
note that the IP address originating the request is 127.0.0.1 now!!!
So you are using the GWT RPC endpoint as a proxy for the mentioned
web service ...
from the decompiled FlashServiceImpl.class:
Vulnerability description:
--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network of the
management "private LAN" port) which an attacker is then able to access. The
squid proxy runs on port 2128 by default on the AMG-2000.
2) All passwords from local user accounts, such as on-demand guest users, are
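The first finding above is the classic open-proxy failure: the proxy forwards to whatever the Host header or absolute Request-URI names, so loopback and the management LAN become reachable from the WLAN. The following Python is an added example, not the AMG-2000's configuration or Squid's code: it shows the check a forwarding proxy needs, applied to both places a destination can be named and to the addresses they resolve to. The management range 192.168.1.0/24, the proxy address 10.0.0.1, the name portal.lan and the DNS table are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS. A real proxy must apply the policy to the
# addresses it actually resolves, not only to IP literals in the request.
FAKE_DNS = {
    "www.example.com": "198.51.100.20",
    "portal.lan": "192.168.1.1",          # hypothetical name on the private LAN
}

# Destinations the proxy must refuse to forward to. The management LAN range
# and the proxy's own WLAN address are assumptions for this example.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),      # loopback, where the admin UI listens
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("192.168.1.0/24"),   # assumed "private LAN" management port
]
PROXY_OWN_ADDRESSES = {ipaddress.ip_address("10.0.0.1")}   # assumed WLAN-facing address


def parse_request(raw):
    """Split a raw HTTP/1.x request (constructed input) into method,
    request-target and a lower-cased header dictionary."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def destination_hosts(target, headers):
    """Every host the request could be routed to: the authority of an
    absolute-URI request-target and the Host header. The bypass relies on
    the proxy trusting one of these; checking both closes the gap whichever
    one the proxy prefers."""
    hosts = set()
    if target.lower().startswith(("http://", "https://")):
        hosts.add(urlsplit(target).hostname)
    if "host" in headers:
        hosts.add(urlsplit("//" + headers["host"]).hostname)
    return {h for h in hosts if h}


def resolve(host):
    """IP literal or lookup in the constructed table; empty list if unknown."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return [ipaddress.ip_address(FAKE_DNS[host])]
    return []


def is_forwardable(raw_request):
    """Policy decision: forward only when every candidate destination
    resolves and none of the resolved addresses is blocked."""
    _method, target, headers = parse_request(raw_request)
    hosts = destination_hosts(target, headers)
    if not hosts:
        return False            # no destination at all: refuse, don't guess
    for host in hosts:
        addrs = resolve(host)
        if not addrs:
            return False
        for addr in addrs:
            if addr in PROXY_OWN_ADDRESSES:
                return False
            if any(addr in net for net in BLOCKED_NETWORKS):
                return False
    return True


# Constructed requests as a WLAN client might send them to the proxy port
# (2128 on the AMG-2000 according to the advisory).
BENIGN = "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LOOPBACK = "GET http://127.0.0.1/ HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
PRIVATE_LAN = "GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
MISMATCH = "GET http://www.example.com/ HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
BY_NAME = "GET http://portal.lan/ HTTP/1.1\r\nHost: portal.lan\r\n\r\n"
```

The MISMATCH case is why both the request-target and the Host header are checked: a proxy that validates one and routes on the other is still open. In Squid itself the equivalent control is a destination ACL, for example the stock `acl to_localhost dst 127.0.0.0/8` together with `http_access deny to_localhost`, extended with the management subnet.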
> (Restart nginx and run only the second command to see its expected
> behavior; i.e., actually fetching http://www.google.com/.)
>
> This works because crc32("www.google.com.") ==
> crc32("www.google.com.9nyz309.crc32.dempsky.org."). The first request
> cached the IP address for www.google.com.9nyz309.crc32.dempsky.org,
> and then the second request used this IP address instead of querying
> for www.google.com's real IP address because of the matching CRCs and
> the common prefix.
>
> [1] http://marc.info/?l=nginx&m=125257590425747&w=2
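The quoted message describes a cache keyed on a non-cryptographic hash with a prefix comparison standing in for a full name comparison. The following Python is an added example, not code from the message or from nginx: it models that cache, forges a name whose CRC-32 equals the victim's (by solving for the last four bytes, which CRC-32's linearity allows without any search), and shows the poisoned answer next to a lookup that compares the whole name. The victim name, the "evil." label and the address are constructed; the forged suffix is raw bytes rather than the printable label the real attack used, which does not matter for the cache logic being demonstrated.

```python
import zlib

# CRC-32 as zlib.crc32 computes it (reflected polynomial 0xEDB88320),
# tabulated here so the update step can be run backwards.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of each table row is unique, so a row can be recovered
# from the top byte of the register it produced.
_REV = {row >> 24: idx for idx, row in enumerate(_TABLE)}


def crc_of(data):
    return zlib.crc32(data)


def crc32_suffix(prefix, target):
    """Return 4 bytes s with crc32(prefix + s) == target. CRC-32 is
    linear, so the last four input bytes can be solved for directly."""
    state = zlib.crc32(prefix) ^ 0xFFFFFFFF   # register after the prefix
    want = target ^ 0xFFFFFFFF                # register that yields target
    # Backwards from the wanted register: each step reveals which table
    # row the corresponding input byte must select.
    rows = []
    x = want
    for _ in range(4):
        row = _REV[x >> 24]
        rows.append(row)
        x = ((x ^ _TABLE[row]) << 8) & 0xFFFFFFFF
    rows.reverse()
    # Forwards from the real register: pick each byte so it selects the
    # row the backward pass demanded.
    out = bytearray()
    for row in rows:
        byte = (row ^ state) & 0xFF
        out.append(byte)
        state = _TABLE[(state ^ byte) & 0xFF] ^ (state >> 8)
    return bytes(out)


class CrcKeyedCache:
    """Model of a resolver cache keyed by CRC-32 of the name that, like
    the nginx behaviour quoted above, compares only as many name bytes
    as the shorter of the two names."""

    def __init__(self):
        self.entries = {}                     # crc -> (name, address)

    def store(self, name, address):
        self.entries[zlib.crc32(name)] = (name, address)

    def lookup(self, name):
        hit = self.entries.get(zlib.crc32(name))
        if hit is None:
            return None
        cached_name, address = hit
        n = min(len(name), len(cached_name))
        return address if cached_name[:n] == name[:n] else None

    def lookup_fixed(self, name):
        """Same cache, but the full name must match."""
        hit = self.entries.get(zlib.crc32(name))
        return hit[1] if hit is not None and hit[0] == name else None


VICTIM = b"www.google.com."
# Attacker-chosen name: the victim name as prefix, an extra label, and 4
# bytes that force the CRC to equal the victim's.
EVIL = VICTIM + b"evil." + crc32_suffix(VICTIM + b"evil.", zlib.crc32(VICTIM))
ATTACKER_IP = "203.0.113.66"                 # constructed


def poisoned_lookup():
    """First request resolves and caches EVIL; second request for VICTIM
    hits the same slot and gets the attacker's address."""
    cache = CrcKeyedCache()
    cache.store(EVIL, ATTACKER_IP)
    return cache.lookup(VICTIM)


def fixed_lookup():
    """Same sequence against the full-name comparison: no poisoned hit."""
    cache = CrcKeyedCache()
    cache.store(EVIL, ATTACKER_IP)
    return cache.lookup_fixed(VICTIM)
```

The general lesson is that a checksum is an index, not an identity: the entry found through it still has to be compared against the complete key, and if the key must be unforgeable the hash has to be a keyed or cryptographic one.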
other hand, a DNS server with recursion sends a query with the recursion bit
unset (i.e. an iterative query), the reply has to have this bit unset, too.
C. The tool spoofs the source IP address of the queries. This is useful if the
attacker does not want to leave any trace of his IP address on the server.
D. The tool utilizes the CNAME Record Type to inject the false entry. The way
the
Security-Assessment.com discovered that a Java Applet
making use of java.net.URLConnection class can be used
to bypass same-of-origin (SOP) policy and domain based
security controls in modern browsers when communication
occurs between two domains that resolve to the same IP
address. This advisory includes a Proof-of-Concept
(PoC) demo and a Java Applet source code, which
demonstrates how this security can be exploited to leak
cookie information to an unauthorised domain, which
resides on the same host IP address.
: 192
Service Port: 10
Service Port Mac Address: 0011.92ff.8742
Service IP Address: 192.168.10.1
Management IP Address: 192.168.1.123
Software Version: 5.1.151.0
control-plane
service-policy input drop-sip-traffic
Warning: Because SIP can utilize UDP as a transport protocol,
it is possible to easily spoof the sender's IP address, which may
defeat ACLs that permit communication to these ports from trusted
IP addresses.
In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
member subslot <slot>/<card> working
or
hccp <group> protect <worker-member-id> <worker-ip-address>
Any version of Cisco IOS prior to the versions listed in the Software
Versions and Fixes section below is vulnerable.
Products Confirmed Not Vulnerable
control-plane
service-policy input control-plane-policy
Warning: Because SIP can use UDP as a transport protocol, it
is possible to easily spoof the IP address of the sender, which may
defeat access control lists that permit communication to these ports
from trusted IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result