ports
session-based services providing protocol interworking, security, and
admission control and management. The SBC is a multimedia device that
sits on the border of a network and controls call admission to that
network. A vulnerability exists in the Cisco SBC where an
unauthenticated attacker may cause the Cisco SBC card to reload by
sending crafted TCP packets over port 2000. Repeated exploitation
could result in a sustained DoS condition.
Note: Only the Cisco SBC module reloads after successful
exploitation. The Cisco 7600 series router does not reload and it is
not affected by this vulnerability.
Cisco Unified Communications Manager contains two DoS vulnerabilities
that involve the processing of SIP packets. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities.
The first SIP DoS vulnerability is documented in Cisco Bug ID
CSCsi46466 and has been assigned the CVE identifier CVE-2009-2050.
The first vulnerability is fixed in Cisco Unified Communications
The following Python script is a proof of concept of the
vulnerability, and will crash the Novell iManager instance specified
via command-line arguments:
/-----
#Usage: $ python poc.py <iManager_IP> <iManager_Port>
#E.g: $ python poc.py 192.168.0.1 48080
import socket
import sys
import time
>
> Shutting down the port is useful for security in the way that it helps
> prevent the type of attack that Xperience has described. When BPDU Guard
> is implemented the port will be shut down if any Spanning Tree packets
> are seen. It is risky turning off Spanning Tree as any loops in the
> network will create a denial of service by causing broadcast traffic to
> be sent out every port on the switch in a continuous loop. An
> interesting thing to note is what happens if a cable is plugged into two
> ports on a switch, essentially creating a loop. For this reason when
Vulnerable Products
+------------------
Cisco devices that are running Cisco IOS Software are vulnerable when
they are configured for NAT and contain support for one or more of
the following features:
* NetMeeting Directory NAT (LDAP on TCP port 389)
* NAT for Session Initiation Protocol (SIP)
* NAT for H.323
The next example shows a product running Cisco IOS Software Release
12.3(11)T3 with an image name of C3845-ADVIPSERVICESK9-M:
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
Design flaw in AS3 socket handling allows port probing
# Summary
Due to a design flaw in ActionScript 3 socket handling, compiled
Flash movies are able to scan for open TCP ports on any host
reachable from the host running the SWF, bypassing the Flash Player
Security Sandbox Model and without the need to rebind DNS.
# Technical background
In AS3 Adobe introduced a new socket-related event called
* Cisco Unified Communications Manager 7.x
Note: Cisco Unified Communications Manager version 5.1 reached the
End of Software Maintenance on February 13, 2010. For customers using
Cisco Unified Communications Manager 5.x versions, please contact
your Cisco support team for assistance in upgrading to a supported
version of Cisco Unified Communications Manager.
Products Confirmed Not Vulnerable
+--------------------------------
An unauthenticated attacker may be able to exploit this issue to access
sensitive information that could be leveraged to launch subsequent
attacks.
This vulnerability can be exploited over all open HTTP ports; TCP ports
80 (Default HTTP port), 443 (Default HTTPS port) and 8090 (Alternate
HTTP and HTTPS port), as well as those that are configured as part of
the HTTP proxy.
In Cisco content delivery system software 2.5.3 and earlier, it is
* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP
firmware contain a DoS vulnerability in their internal HTTP
server. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to work around this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users. To successfully exploit this
vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
Summary
=======
Cisco Security Manager contains a vulnerability when it is used with
Cisco IPS Event Viewer (IEV) that results in open TCP ports on both
the Cisco Security Manager server and IEV client. An unauthenticated,
remote attacker could leverage this vulnerability to access the MySQL
databases or IEV server.
Cisco has released free software updates that address this
The gist of your suggestion is to use different base URLs
for the untrusted content, so that "same origin" policies
act as a sort of firewall. You propose different hostnames;
back in 2001, the acmemail webmail project did something
similar, but rather than hostnames, we chose to offer the
option of using different port numbers. Many of us ran
acmemail on https URLs, and that meant either using wildcard
certs for https (which would expose other hosts to any
flaws in acmemail) or different ports. You can see the source here:
http://acmemail.cvs.sourceforge.net/viewvc/acmemail/acmemail/AcmemailConf.pm?view=log
Vulnerable Products
+------------------
IKE is enabled by default if IPsec is used. Cisco IOS devices that
are configured for IKE will listen on UDP port 500, UDP port 4500 if
the device is configured for NAT Traversal (NAT-T), or UDP ports 848
or 4848 if the device is configured for Group Domain of
Interpretation (GDOI). The following outputs show a router that is
listening on UDP port 500:
In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use some show commands to determine if the
Cisco IOS device is running processes that handle SIP messages, or if
the device is listening on the SIP ports.
The command show processes | include SIP can be used to determine
whether Cisco IOS is running the processes that handle SIP messages.
In the following example, the presence of the processes
CCSIP_UDP_SOCKET and CCSIP_TCP_SOCKET indicates that the Cisco IOS
Category: contrib
Module: bind
Announced: 2008-07-13
Credits: Dan Kaminsky
Affects: All supported FreeBSD versions.
Corrected: 2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
CVE Name: CVE-2008-1447
Category: contrib
Module: openssh
Announced: 2008-04-17
Credits: Timo Juhani Lindfors
Affects: All supported versions of FreeBSD
Corrected: 2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
The following example shows a system with a Firewall Service Module
(WS-SVC-FWM-1) installed in slot 4.
switch#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ----------------- -----------
1 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAxxxxxxxxx
4 6 Firewall Module WS-SVC-FWM-1 SAxxxxxxxxx
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAxxxxxxxxx
6 2 Supervisor Engine 720 (Hot) WS-SUP720-BASE SAxxxxxxxxx
}
}
function syntax() {
    print (
        "Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
        "Options: \n".
        "--c:[uid:hash ] - use your user cookie, instead of user/pwd pair \n".
        "--port:[port] - specify a port \n".
        " default->80 \n".
        "--uid:[n] - specify an uid other than default (2,usually admin)\n".
        "--proxy:[host:port] - use proxy \n".
        "--skiptest - skip preliminary tests \n".
        "--test - run only tests \n".
        "Examples: php ".$argv[0]." 192.168.0.1 /geeklog/ bookoo pass \n".
        " php ".$argv[0]." 192.168.0.1 / bookoo pass --proxy:1.1.1.1:8080\n".
        " php ".$argv[0]." 192.168.0.1 / bookoo pass --uid:3 \n".
        " php ".$argv[0]." 192.168.0.1 /geeklog/ * * -c:3:5f4dcc3b5aa765d61d8327deb882cf99");
    die();
}
error_reporting(E_ALL ^ E_NOTICE);
Vulnerable Products
+------------------
Devices running affected versions of Cisco IOS Software are
vulnerable if configured with SSL VPN and HTTP port redirection.
The following methods may be used to confirm if the device is
configured for Cisco IOS SSL VPNs and is vulnerable:
If the output from show running-config | include webvpn contains
class of web exploits originally coined cross-protocol scripting, but now more
commonly referred to as inter-protocol exploitation.
Goatse Security has a double feature for you, starting with a 0day vuln:
* Safari (and other WebKit-based) browser port blocking bypassed by integer overflow
and a technique that, as far as I know, has not been premiered before:
* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
XPS/IPE attacks
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
Note: In the previous example, the "Product Name" VAM2+ is displayed,
indicating that the router has the VAM2+ installed. The Enabled
keyword under "State" indicates that the VAM2+ is enabled and active.
determine if the CTL Provider service is enabled on a CUCM server.
The CTL Provider service of the CUCM contains a heap overflow
vulnerability that could allow a remote, unauthenticated user to
cause a DoS condition or execute arbitrary code. The CTL Provider
service listens on TCP port 2444 by default, but the port can be
modified by the user. This issue is documented in Cisco Bug ID
CSCsj22605.
Vulnerability Scoring Details
=============================
3. *Vulnerability Description*
Built using the GlassFish Server Open Source Edition, Oracle GlassFish
Server delivers a flexible, lightweight and extensible Java EE 6
platform. It provides a small footprint, fully featured Java EE
application server that is completely supported for commercial
deployment and is available as a standalone offering.
The Administration Console of Oracle GlassFish Server, which is
listening by default on port 4848/TCP, is prone to an authentication
bypass vulnerability. This vulnerability can be exploited by remote
The NTLMv1 authentication protocol is a challenge-response protocol that
consists of the following messages:
1. The client sends to the server a message containing a set of flags of
features supported/requested to perform authentication.
2. The server responds with a message containing a set of flags
supported/required by the server enabling both ends to agree on the
authentication parameters and, more importantly, an 8-byte random
challenge/nonce.
3. The client uses the random challenge/nonce and the user's
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence endpoint - CSCtb31640 ( registered customers
Level-One WBR-3460A latest firmware available 1.00.12
Level-One WBR-3460A firmware version 1.00.11
II Non-affected Products:
=========================
The WBR-3460A ships with firmware version 1.00.06 installed. This happens to be the only available version that is not affected by the vulnerability described below; however, it lacks WPA2-PSK support and external/internal port mapping in the Virtual Servers configuration page, amongst other things.
II Background:
==============
The Level-One WBR-3460A is an ADSL2/2+ modem/wireless router that runs Linux with BusyBox v0.61.pre on a 32-bit RISC 4KEc V4.8 processor at 211 BogoMIPS; it has 14 MB of RAM and four 10/100 Ethernet ports.
*Vulnerability Description*
The Borland Interbase 2007 database server [1] is vulnerable to an
integer overflow when a malformed packet is sent to the default TCP port
3050. The integer overflow can cause a stack overflow, which allows
arbitrary code execution with system privileges.
*Vulnerable Packages*