client side
The Reflective DLL Injection technique pioneered by Stephen Fewer of
Harmony Security has been integrated into the framework. The new payloads
use the "reflectivedllinjection" stager prefix and share the same binaries
as the older DLL injection method.
Client-side browser exploits now benefit from a set of new JavaScript
obfuscation techniques developed by Egypt. This improvement leads to a
greater degree of anti-virus bypass for client-side exploits.
Metasploit contains dozens of exploit modules for web browsers and
third-party plugins. The new browser_autopwn module ties many of these
But sometimes you don't want to apply this workaround. For example, if
you have an Oracle RAC cluster, all of the cluster's instances must be
registered in both TNS Listeners, so this workaround is not suitable for
Oracle RAC clusters. To apply this workaround in Oracle RAC
environments you would need to implement load balancing on the client side,
changing every client's tnsnames.ora configuration file to add the
complete list of Oracle RAC nodes.
However, there is another possible workaround that is sometimes
suitable for Oracle RAC environments. Edit the file protocol.ora or, for
standard controls built into PRADO, if the latter try to display or use string-type
information that begins with user-supplied data fragments. This can be used by a remote
attacker to hijack a victim's session and steal sensitive information.
The vulnerability exists because the affected standard controls do not properly escape user-supplied
textual information when rendering the JavaScript code for their client-side wrappers,
and because the PRADO Framework currently provides no way for application or component
developers to supply textual information to said controls in an XSS-safe way. The latter also
means that several third-party components or applications might also be affected by the issue,
even if they don't use any of the vulnerable standard controls, as long as they pass information to the
client side the same way the former do.
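The escaping problem described above, as an added example that is not PRADO's own code: a generated client-side wrapper that splices user text straight into a JavaScript string literal, beside a version that serialises the value with JSON.stringify and then escapes the characters that are still dangerous inside an HTML script block. The control name `Control` and the wrapper shape are assumptions for illustration.

```javascript
// Added example (not PRADO's code): embedding user-supplied text in generated
// JavaScript, as a client-side control wrapper might do.

// Vulnerable pattern: naive concatenation into a JS string literal. A value
// such as  "; alert(1); //  or  </script><script>...  breaks out of the
// literal, or out of the enclosing <script> element entirely.
function renderWrapperUnsafe(controlId, text) {
  return 'new Control("' + controlId + '", "' + text + '");';
}

// Hardened pattern: JSON.stringify yields a valid JS string literal for any
// input (quotes, backslashes and control characters are escaped). The
// characters it leaves alone but that still matter inside an HTML <script>
// block, namely < > & and the JS line terminators U+2028/U+2029, are then
// turned into \uXXXX escapes, which JSON.parse and the JS parser both accept.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderWrapperSafe(controlId, text) {
  return 'new Control(' + toJsStringLiteral(controlId) + ', ' +
    toJsStringLiteral(text) + ');';
}

// Constructed attacker input, e.g. a label that arrived in a form field.
const xssPayload = '</script><script>alert(document.cookie)</script>';
```

The safe form never needs a second escaping layer for HTML because no `<`, `>` or `&` survives into the script text; the browser's HTML parser therefore cannot see a premature `</script>`.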
Vulnerable functionality lies under SYSTEM --> Diagnostics --> Tools.
The JavaServer Page /corporate/Controller receives several parameters
from the client when a user attempts to perform these diagnostic
actions. The parameter 'host' is vulnerable to OS command injection.
Some client-side validation is performed to check that the IP address
provided is in a valid format; however, no such validation is performed
on the server side. Hence, a malicious user can easily bypass the client-side
validation checks by using an in-line proxy tool and inject an OS
command.
>
>
> ##### Vulnerability #####
>
> When adding a new course to the schedule, the application relies on
> client-side controls for input. This can easily be bypassed by
> using an intercepting proxy or a CSRF attack.
>
>
> ##### Affected Variables #####
>
Class: Improper Input Validation (CWE-20)
Remote: No
Discovered by: Patroklos Argyroudis
We have discovered two improper input validation vulnerabilities in the
FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE,
7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to
escalate their privileges, or to crash the system by performing a denial
of service attack.
Details
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of
the browser_autopwn module by James Lee. A number of existing
client-side exploits have been updated to use better fingerprinting and
evasion techniques. All TCP-based exploits can now be launched through
SOCKS4, SOCKS5, and HTTP proxies.
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client-side Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 31061
CVE Name: CVE-2008-3950
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/DirectAdmin )
Abstract:
=========
A Vulnerability Laboratory researcher discovered multiple client-side cross-site scripting vulnerabilities in the DirectAdmin Management Application.
Report-Timeline:
================
2012-04-25: Public or Non-Public Disclosure
1.2
Multiple cross-site request forgery vulnerabilities have been detected on the client side of the edian waf appliance.
The vulnerability allows an attacker to force client-side module requests of application functions.
Vulnerable: Cross Site Request Forgery Vulnerabilities (Client-Side|Non Persistent)
Vulnerable Module(s):
ImageIO Memory Corruption - CVE-2010-1845
22/11/2010
Dominic Chell of NGS Secure has discovered a high risk memory corruption vulnerability affecting the ImageIO rendering framework. Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution. This issue can be remotely (client-side) exploited through any application using the framework including Mail, Safari and QuickLook.
Versions affected include:
Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4
arbitrary code with the privileges of the nobody user. In addition, the
attacker has access to the raw socket used by the snoop program. This
allows them to capture any traffic visible to the network interface
used.
Often in client-side vulnerabilities, an attacker only has a single
chance to exploit the vulnerability. However, the snoop utility will
handle any segmentation violations and attempt to continue capturing
network traffic. This gives an attacker multiple opportunities to
exploit a vulnerability, which increases the likelihood of successful
exploitation.
>> exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
>> attacker can make a Web application unavailable to its intended users. ReDoS
>> is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
>> from Checkmarx show how serious it is and how, using this technique, various
>> applications can be “ReDoSed”. These include, among others, the server side of
>> Web applications and client-side browsers. The art of attacking the Web by
>> ReDoS is finding inputs which cannot be matched by regexes and on which
>> regex-based Web systems get stuck.
>>
>> For further reading:
>> http://www.checkmarx.com/NewsDetails.aspx?id=23&cat=3
Solutionary ID: SERT-VDN-1007
Solutionary public disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/CodeMeter-WebAdmin.html
Vulnerability Description: The application's web interface contains an injection point which allows for execution of cross-site scripting (XSS) attacks. Arbitrary client-side code such as JavaScript can be injected into certain parameters throughout the web application. The hardware dongle must be inserted in order to reproduce the vulnerability. The following parameters and web pages have been tested and verified; however, it is possible that additional views and parameters within the application are vulnerable:
Reflected XSS
Licenses.html (BoxSerial parameter)
Affected software versions: WebAdmin version 3.30 and 4.30 (previous versions may also be vulnerable)
>> >> Therefore mitigation falls to other parties.
>> >>
>> >> 1. Browsers must check CRLs by default.
>> >
>> > Isn't this a good argument for blacklisting the keys on the client
>> > side?
>>
>> Isn't that exactly what "Browsers must check CRLs" means in this context
>> anyway? What alternative client-side blacklisting mechanism do you suggest?
>
> It's easy to compute all the public keys that will be generated
=======
An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx
Meeting Manager contains a buffer overflow vulnerability that may
result in a denial of service or remote code execution. The WebEx
Meeting Manager is a client-side program that is provided by the
Cisco WebEx meeting service. The Cisco WebEx meeting service
automatically downloads, installs, and configures Meeting Manager the
first time a user begins or joins a meeting.
When users connect to the WebEx meeting service, the WebEx Meeting
Release mode: User release
2. *Vulnerability Information*
Class: Command injection, Client side
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35105
CVE Name: CVE-2009-1792
features that are very desirable for network filesystems. Currently, Coda has
several features not found elsewhere.
1. disconnected operation for mobile computing
2. is freely available under a liberal license
3. high performance through client side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in server network
7. network bandwidth adaptation
8. good scalability
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1681
Bugtraq ID: 39836
>>>> Therefore mitigation falls to other parties.
>>>>
>>>> 1. Browsers must check CRLs by default.
>>>
>>> Isn't this a good argument for blacklisting the keys on the client
>>> side?
>>
>> Isn't that exactly what "Browsers must check CRLs" means in this
>> context anyway? What alternative client-side blacklisting mechanism do
>> you suggest?
>
following a link can arbitrarily execute system commands on the device.
The following examples will allow an attacker to enable remote access to the
iSpot and ClearSpot 4G, and add their own account to the device. This level
of access also exposes the device's client-side SSL certificates, which are
used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.
Add new user:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi"
Description:
AjaxTerm, an open source web-based terminal, uses a form of random session ID
generation which can lead to remote session hijacking.
The ajaxterm.js script allocates session IDs on the client side using the
following method:
var sid=""+Math.round(Math.random()*1000000000);
The JavaScript random function used in combination with round does not provide
----------------------------------
Although this vulnerability affects another piece of software from the LScube
project, I have preferred to include it here since only when used with
Feng can this bug be considered a security bug (Netembryo is in fact
also used in libnemesi, which is a client-side library).
The use of the ':' character after the backslash allows an attacker to
crash the server on which the Url_init() function of the
Netembryo library is used.
In short, when a urlname like /: is used the port_begin and path_begin
CLASSIFICATION: Trust of OpenSSL Certificate Without Validation (CWE-599)
RESEARCHER: Derek Callaway
IMPACT: Client-side code execution
SEVERITY: High
DIFFICULTY: Moderate
CVE-2009-1473: Cryptographic weakness in key exchange
When the Windows/Java client connects to the device, the KVM switch
and the client negotiate a symmetric session key. This key negotiation
uses RSA in an insecure way. An attacker who can monitor the traffic
between the client and the KVM switch is able to repeat the client-side
calculations to obtain the session key. Using this session key, an
attacker can decrypt the traffic and reconstruct the keystrokes.
Furthermore, it is also possible to carry out a man-in-the-middle
attack and gain access to the machines connected to the KVM switch.
Both the Windows and the Java clients are affected.
1.2
Multiple non-persistent cross-site scripting vulnerabilities have been detected in the DIY v1.0 Content Management System.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions, with high required
user interaction or a local low-privileged user account. Successful exploitation can result in account theft, phishing
& client-side content request manipulation.
Vulnerable Module(s):
[+] Poll - Question & Answer Input/Output
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary client-side script
on vulnerable installations of Novell GroupWise WebAccess. Authentication is not
required to exploit this vulnerability.
The specific flaw exists within handling html messages sent to a Novell
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client side
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 33178
CVE Name: CVE-2009-1140
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0265
Public disclosure date: 12/10/2010
Type of vulnerability: Stored Cross-site Scripting (XSS)
Exploit vectors: Local and Remote
Vulnerability description: Users can include and store arbitrary client-side code such as JavaScript in the Novell Vibe web application. The code can then be executed within an unsuspecting victim’s browser.
The vulnerability exists due to the “/gwtTeaming.rpc” code not properly sanitizing user input into the “What Are You Working On?” or Micro Blog entry field. Also, the application fails to encode the output allowing for the execution of the script.
Tested on: Cent OS 5.5 (kernel 2.6.18-194), MySQL Version 14.12 Distribution 5.0.77, and Novell Vibe 3 BETA OnPrem.
Affected software versions: Vibe 3 BETA OnPrem