requested
Remote exploitation of an invalid free vulnerability in Microsoft
Corp.'s Active Directory Server allows attackers to exhaust all virtual
memory.
According to section 2.4 of the IETF Request for Comments (RFC) 4514,
LDAP requests can contain strings that have been encoded using
hexadecimal encoding. When Active Directory on Windows 2000 encounters
such a request, it fails to release the memory associated with the
hexadecimal encoded portion of the request. By continually making such
requests, an attacker can exhaust virtual memory on the targeted
Current eOffice users are strongly advised to switch to other email clients such as the free Thunderbird, Sylpheed, Outlook Express, or commercial Outlook in the MS Office suite until the bug has been resolved.
Fix
---
Customers are advised to contact and request a fix directly from the vendor.
Disclosure
----------
Due to negative response in previous report (`<bmsa200806.html>`_), Blue Moon Consulting decided not to report this bug to the vendor but contacted the Vietnam Computer Emergency Response Team -- VNCERT.
functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.
When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
https://example.com/webmail/server/webmail.php:
----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"
not to be vulnerable to the specific exploit identified and reported by
OuTian/Ryeo. However, all implementations which accept overlong paths,
including Glassfish, remain vulnerable insofar as any access control is
implemented at the proxy or gateway layer of an http service. Apache Tomcat
release 6.0.18 is no longer vulnerable with respect to its URI path, as
6.0.18 rejects all requests where the decoded value changes the path
representation, but is still exposed due to this vector in other
characteristics.
That said, the underlying vector for this vulnerability identified by Rowe
is actually within the UTF-8 charset implementation of the
PR07-11: Cross-site Request Forgery (CSRF) on Sun Java System Identity
Manager
Date Found: 11th June 2007
Vendor Contacted: 18th June 2007
Date Public: 10th November 2008
Severity: Medium/High
as seen @ line 36, so, we can see how this can be easily used to
enumerate the existence of files on the web server both inside and
outside of the web accessible directories. If the file exists we will
get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this
issue, an attacker may also include arbitrary files via a malformed
template request. Both template and language data within Pligg are
accepted via cookie input and are used in file handling operations
with no sanitization. The vulnerable code in question can be found in
config.php @ lines 65-68.
/settemplate.php?template=../LICENSE.txt%00
1. DESCRIPTION
There is a DoS vulnerability in the HTTP service of the Cisco Linksys WRH54G router. Any anonymous attacker can easily crash the HTTP service by sending a malformed HTTP request; no privileges are needed.
When the device attempts to process the malformed request, it is possible to corrupt sensitive memory. Although unconfirmed, it may also be possible to modify various configuration settings or execute malicious code.
After being attacked, the Cisco Linksys router can no longer be accessed remotely by any user. The HTTP service does not recover, and the attacked router cannot be managed without a hard reboot. Rebooting the router may cause a network disconnection.
Furthermore, the firewall can still route packets.
* DESCRIPTION:
* phpsploit is a class implementing a web user agent.
* You can add cookies and headers, and use a proxy server with (or without)
* basic authentication. It supports the GET and POST methods. It can
* also be used like a browser with the cookiejar() function (which allows
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allows the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Other useful functions can be used for debugging.
* A manual is currently in development, but to learn how to use it, you can
* read the comments.
Description:
mod_jk2 versions prior to 2.0.4 are vulnerable to multiple stack
overflow vulnerabilities. Specifically, IOActive has discovered multiple
locations where these vulnerabilities are exploitable via the Host
request header in any given request. These overflows all result in
remote code execution under the user of the running Apache process.
Although mod_jk2 is a legacy module that is end of life, certain vendors may
still use it in their products, rendering them vulnerable to remote
exploitation.
I. BACKGROUND
~~~~~~~~~~~~~
NOTE: This advisory will use OWASP's Stinger and Struts framework to
illustrate the concept, however this technique should be applicable to
other input validation servlet filters that do not handle multipart
requests properly and frameworks that automatically parse multipart
requests.
Java Servlets provide a filter component which can dynamically intercept
requests and responses to transform information contained in the
requests or responses[1]. Servlet filters are often recommended as an
> link:
>
> http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf
>
> Proof of Concept (PoC) in demo demonstrates that a
> Cross Site Request Forgery (XSRF) attack can be leveraged
> by using a Java Applet which implements the
> java.net.URLConnection class. Traditionally, XSRF is used
> to force a user to perform an unwanted action on a target
> web site. In this case, the PoC shows that XSRF can be
> used to capture sensitive information such as cookie
Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence endpoint - CSCtb31640 ( registered customers
A number of sensitive Java Servlets delivered via a Java Servlet
framework in the Cisco Telepresence Multipoint Switch could allow a
remote, unauthenticated attacker to perform actions that should be
restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected
Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
01/11/2007 - Microsoft states that the vulnerability is fixed by the
patches released in MS06-069.
02/11/2007 - Vendor informed that MS06-069 does not fix the
vulnerability, which was tested against a fully patched
system.
23/11/2007 - Vendor contacted (status update requested).
23/01/2008 - Vendor contacted (status update requested again).
05/02/2008 - Vendor informed that due to no response to status
requests an advisory will be published in two weeks.
05/02/2008 - Vendor response (vulnerability successfully reproduced
and asks for coordinated disclosure).
VIII. DISCLOSURE TIMELINE
08/25/2008 - Initial Contact
09/22/2008 - Second Contact attempt
09/22/2008 - PoC Requested
09/24/2008 - PoC Requested
11/05/2008 - PoC Sent
11/06/2008 - Clarification requested
11/21/2008 - Clarification requested
12/05/2008 - Clarification Sent
I must express my disagreement. I consider that if someone can automate
the process of password cracking, a security problem exists. I have
programmed a Python script that implements the process that I explain in
the proof of concept paragraph, and it has allowed me to run thousands
of automated requests and obtain the password of one of my test accounts.
> Gmail has all sorts of additional limits on password brute forcing.
> The confusion here is the difference between "login incorrect" (due to
> bad password) and "login incorrect" (due to excessive login attempts).
> This protection kicks in after a small number of failed attempts,
========================================================
DD/MM/YYYY
09/09/2009 The vulnerability was discovered.
20/02/2010 Trend Micro was informed about the vulnerability.
21/02/2010 Trend Micro assigned a Service Request Number #1
23/02/2010 Trend Micro asked to reproduce the vulnerability with certain policies and Web browsers, as well as the details of the testing environment.
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro asked again to retest LeakProof in certain
===============================================================
Scientific Atlanta DPC2100 Cable Modem
Cross-Site Request Forgery and Insufficient Authentication
May 24, 2010
CVE-2010-2025, CVE-2010-2026
===============================================================
==Description==
Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line
> are not revealed until an attack is conducted or a malicious use of
> the account is done. For example:
> - Use of captcha for avoiding automated processes (e.g., in the users
> authentication or in the new users sign up).
> - Temporary IP locking in case of detecting unusual application
> activities (e.g., multiple new account creation requests)
> - Temporary account locking in case of detecting unusual use of the
> user account (e.g., when doing multiple consecutive requests to the
> same resource).
> - Detection of concurrent access to the account from different
> geolocated IP addresses added to the number of these accesses.
05/05/2009 - Initial Contact
05/05/2009 - Autonomy first response
05/05/2009 - Symantec first response
05/05/2009 - IBM first response
05/05/2009 - Autonomy POC request
05/05/2009 - IBM POC request
05/06/2009 - Autonomy clarification request
05/06/2009 - Symantec clarification request
05/06/2009 - Request public key from Autonomy
05/06/2009 - Sent POC to IBM, Symantec
The NTLMv1 authentication protocol is a challenge-response protocol that
consists of the following messages:
1. The client sends to the server a message containing a set of flags of
features supported/requested to perform authentication.
2. The server responds with a message containing a set of flags
supported/required by the server enabling both ends to agree on the
authentication parameters and, more importantly, an 8-byte random
challenge/nonce.
3. The client uses the random challenge/nonce and the user's
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
------------------------------------------------------------------------------------------------------------------------
Class: Cross Site Request Forgery, Cross Site Scripting, File Path
Disclosure, Local File Inclusion, Authentication Bypass and PHP Command
Injection
Remotely Exploitable: Yes
Locally Exploitable: No
====================
Vulnerability:
When used as a Server Load Balancer and/or SSL offloader, it is possible
to make requests to the backend without leaving any IP address in the
HTTP server logs. It is then possible to carry out any L7 HTTP attacks
anonymously.
A bug request has been opened at Cisco TAC; it has been classified
2) Description
Sun Identity Manager facilitates centralized identity provisioning for a
variety of applications and platforms. Its web interface allows end users
to request password changes. To handle such requests the system has to
manipulate account databases on the target resources. In the case of
*NIX-based systems the management server remotely logs in to a target
server and issues a series of shell commands, using a send-expect technique.
The system allows users to submit passwords containing control
A buffer overflow that could allow for the execution of arbitrary
code exists in the "mapserv" CGI program. In mapserv.c are the
following lines of code:
406: strncpy(mapserv->Id, mapserv->request->ParamValues[i], IDSIZE);
1112: int main(int argc, char *argv[]) {
1114: char buffer[1024], *value=NULL;
1783: sprintf(buffer, "%s%s%s%s", mapserv->map->web.imagepath, \
parameters. This makes an SQL injection attack possible. The following is an
example of blind SQL injection (by an authenticated user):
http://www.example.com/cacti/graph_view.php?action=preview&style=selective&graph_list=bla'%20or%20'1'='1
The following request needs admin permission to be executed, so it has
limited impact:
http://www.example.com/cacti/tree.php?action=edit&id=1&subaction=foo&leaf_id=1%20or%201%20=%201
Same as above graph_xport.php is also vulnerable to an SQLi exploitable
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and
CSCsk21863.
SCCP-Only Related Vulnerabilities
* Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP firmware contain a DoS vulnerability. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
><script>[PAYLOAD]</script>
The vulnerable (non-sanitized) parameters are the following: devname,
snmp_getcomm, snmp_setcomm, c4_trap_ip_. Additionally, no HTTP
request is tokenized with random values. Thus, all requests to
the router's HTTP interface are vulnerable to Cross-site Request
Forgery (CSRF), perhaps by design. The following is an example of an
HTTP request (notice the lack of non-predictable tokens):
POST /setup.cgi HTTP/1.1