
Re: XSS in Internet Explorer 6 and 7

Hello Thierry!

> Your saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.

This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is
a preceding comment tag), which I found when researching the possibility of making
CE via XSS in IE. So I found the workaround for this bug - to set up this

Re: Vulnerabilities in Dunia Soccer

If an admin who doesn't follow bugtraq doesn't know about the issue it's 
not full disclosure to him.  It's like when you hear about a "known 
issue" from Microsoft.   If I didn't know about it, how in the heck is 
it a known issue?  Just because someone in Redmond knows about it 
doesn't mean the rest of us do.

I have captcha on a blog site I run. I get folks able to bypass the 
filter and post spam comments that get filtered and then a week later or 
so gets deleted off and the CPU use on the site sucks.  But that could 
also be the software I'm running.

RE: [Full-disclosure] Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

Hey man - hope all is well. 

FYI- I tried your example file and by default nothing worked on Windows 7.  The "loading an embedded file" says "this file is blocked", the file spawn requires a script prompt with an "automation error" after that, the Windows control panel didn't launch at all, and the files required me to save them, etc.

The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up. 

I agree this isn't an "exploit" but I guess it is somewhat interesting.  Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.  

As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason.  Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?


RE: Windows Vista Power Management & Local Security Policy

You can't waste your time chasing things that "might lead to cats & dogs living together in sin".  Specifically, there's no "privilege escalation" beyond that which began with "if I install..."  It's pretty well understood that once you have the ability to place your own code on a machine, it's "game over".

Don't get me wrong; I think it's quite valid for someone to report something they feel is a vuln; even (or maybe even especially) if they can't demonstrate an exploit based on it.  There have been plenty of reports herein and without that were actually proven by others.  This is one of the things that makes open discussion so valuable.

So far, no one has demonstrated an exploit that depends on this behavior _alone_.

Jim

________________________________________
From: James C. Slora Jr. [james.slora@phra.com]

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Maybe what some of us need to learn from this is that we should never think in absolutes such as local VS domain users. There are numerous account types and overrides to take into account with any OS, and they change.

This is more of a wakeup call to brush up on our understanding of permissions.

I know this is not a vulnerability but it was a great posting to wake some of us up and remind us that things are never absolute when it comes to permissions. We learn about things in such a manner that we forget to think outside the box. Even if controls are designed to work a specific way that doesn't mean they will. 

This is not directed at anyone; rather, it is an observation that might help others with similar thoughts on the subject.

Mike


RE: Windows Vista Power Management & Local Security Policy

> It's about reality & priorities.
> 
> What we're both saying is:
> 1. it's a bug and should be fixed in accordance with its impact on real
> (not imagined) functionality & security
> 2. unless this provides some exploit that doesn't start with "if I can
> install software on the host", it's not more than "a bug in a security
> mechanism"
> 
> If someone can demonstrate an actual vulnerability or exploit on the
> basis of this bug _alone_, then they may have something to make noise

RE: Windows Vista Power Management & Local Security Policy

It's about reality & priorities.

What we're both saying is:
1. it's a bug and should be fixed in accordance with its impact on real (not imagined) functionality & security
2. unless this provides some exploit that doesn't start with "if I can install software on the host", it's not more than "a bug in a security mechanism"

If someone can demonstrate an actual vulnerability or exploit on the basis of this bug _alone_, then they may have something to make noise about.  There are enough real bugs and security vulns in software to deal with.  Not every security issue spells doom and damnation or warrants immediate corrective response from the vendor.

Jim


RE: Windows Vista Power Management & Local Security Policy

If Jim is going to get Nancy to run a program, and that's "not all that
hard," then why not just have that program do what you want in the first
place rather than worrying about the power switch nonsense?  This is the
one million and fourth time:  "If your 'vulnerability' begins with 'if I
can get the user to run code' then whatever comes after the 'then'
doesn't matter.  Period."

t



Windows Mobile 6 insecure password handling and too short WLAN-password

I noticed on my HTC Hermes with the latest available WM6 (not 6.1!) that
after I entered the password for my WLAN, auto-completion knows the
phrase and suggests my WLAN password for almost any input field.
Further, the memory for password storage is way too small. I can enter
my whole password (auto-completion shows it correctly) but I still
can't connect. If I re-enter the settings, I am shown only 17 dots,
which isn't enough for my password.

Can anyone see the same behavior on their device?



Re: Vulnerabilities in some SCADA server softwares

vulnerabilities.
4. Write custom IDS/IPS signatures to detect said vulnerabilities (not 
the exploits, big difference).
5. *If* these systems must, for whatever stupid reason, be attached to 
the regular LAN with the regular users, the IDS/IPS signatures will 
disallow the malicious connectivity they detect. If I am really 
paranoid, or feel that I cannot construct an adequate mitigation 
strategy that allows access, then all access is disallowed until a patch 
is available.
6. *If* the systems are not accessible, but in the future they have to 
be, for whatever stupid reason, I have some sigs and some steps I can take.

Re: XSS in Internet Explorer 6 and 7

This attack works in Internet Explorer when the option "Initialize and
script ActiveX control not marked as safe" (for Local intranet) is turned
on (Enabled or Prompt). It's such a bug in the hole of Microsoft :-) and it's
a method of bypassing the bug. This setting is needed only during an attack
via this XSS, when the JS code is placed on the same line where there is a
comment. Because if it's on another line (i.e. without a preceding comment),
then the code will work even without this setting (Disable). That can be
achieved in the case when the attack is made not via XSS, but the attack code is
placed (in an appropriate way) directly in the body of the page.
==============


Re: Re: OpenSSH security advisory: cbc.adv

http://www.securityfocus.com/archive/1/498558/30/0/threaded

Where is there any condition related to National Security?

If you read the vulnerability advisory you would see that the problem is "a
design flaw in the SSH specification". OpenSSH was merely used as an example of
an implementation of SSH written to implement the specification.

It only takes a few seconds to realise that SSH is used in critical systems. We
have seen in recent weeks and months that we are all vulnerable to the security
of the banking systems. Anyone who uses online banking makes use of systems that

Re: Re: OpenSSH security advisory: cbc.adv

not what they need anymore?

So one more entity that just wants to benefit from FOSS, but not 
contribute...

If I were the developers, then I would just retaliate (humorously) 
by sending them a similar (fake) contract/NDA, asking them not to use 
OpenSSH, but to share National Sensitive information. In other words, just 
ask them to share THEIR knowledge without US providing our tools.

There are some times where I hate the BSD licence, because it does not 

Re: Re: Re: Re: Opera 9.6x file:// overflow

If I open a specially crafted html file - ok, the exploit is working,
but if I put that file on the server and receive it from the network 
with my opera,
the exploit does not work!

why???





Personal Sticky Threads v1.0.3c vbulletin Add-on problem

Personal Sticky Threads is an addon for vbulletin that allows users to create personal stickies. There appears to be a small problem when toggling the personal sticky on a thread you do not have permission to access.

If I am denied permission to:

http://forums.somesite.com/showthread.php?t=7

Toggling personal stickies for the thread to on I am able to view the thread title, author, and pages:

http://forums.somesite.com/misc.php?do=togglestick&thread=47

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

3. Joyce, Andrea, and perhaps others seem to be conflating local access
(what StenoPlasma was talking about) with gaining domain admin privileges on
domain controllers and other resources on separate machines (which nobody
appears to have shown is possible using locally cached credentials).

If I've missed something obvious please educate me.

Regards,

Kurt Dillard 


Web Hacking Incidents update for Jan 28th

(http://whid.xiom.com/WHID/2009/10/MacRumorsLive_feed_hacked)
* WHID 2009-8: Wired.com Image Viewer Hacked to Create Phony Steve Jobs
Health Story
(http://whid.xiom.com/whid-2009-8_Wired_Hacked_to_Create_Phony_Steve_Jobs_Health_Story)
        If I had ten cents for each hack involving Steve Jobs health....

* WHID 2009-9: MetaFilter suffers an SQL injection attack
(http://whid.xiom.com/whid-2009-9-MetaFilter_suffers_an_SQL_injection_attack)


BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

    uint16_t    comp_cpi;       // Compression Parameter Index
};

The Compression Parameter Index indicates which compression algorithm was used
to compress the ipcomp payload, which is expanded and then routed as requested.
Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely
implemented, RFC1951 DEFLATE (cpi=2).

It's well documented that ipcomp can be used to traverse perimeter filtering,
however this document discusses potential implementation flaws observed in
popular stacks.

Re: Millions of PDF invisibly embedded with your internal disk paths

Thor (Hammer of God) wrote:

> "Leaking" a pdf with 'e:\nethome\joe_kitten_lover' doesn't remotely
> "prove" anything.  If I create a user called
> MayIMommaDogFaceToTheBannanPatch and "leaked" a pdf, it doesn't mean
> Steve Martin was culpable.  This is a non-issue, no matter how much you
> might want to create some fanciful "bonsai kitten" theory to get Joe in
> trouble, dawg.

Oddly, or not, that doyen of security sensibility, Microsoft, disagrees

Re: SEP(Symantec) Bug

>
> It would be interesting if you could provide more information, since if
> this is actually doing what you say it's doing it would be a horrifying
> attack vector for worms and viruses.
>
> As an aside, I noticed that if I run "smc.exe -p" it crashes too, with
> or without the tilde ("~") on the end. If I run "smc -p" (omit the .exe)
> it doesn't crash, but "smc -p ~" crashes. (qualifying note: in all these
> cases this is just the smc.exe process that was started by the command
> that crashed, not the smcgui.exe process.) And yes, I tried adding the
> space after the tilde as you originally quoted in the email :)

Re[2]: Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

frozen and reboot was only option.


--Wednesday, May 27, 2009, 7:56:56 PM, you wrote to cert@cert.org:

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any  (hail to the web 2.0) might be lost.")


RE: SEP(Symantec) Bug

It would be interesting if you could provide more information, since if
this is actually doing what you say it's doing it would be a horrifying
attack vector for worms and viruses.

As an aside, I noticed that if I run "smc.exe -p" it crashes too, with
or without the tilde ("~") on the end. If I run "smc -p" (omit the .exe)
it doesn't crash, but "smc -p ~" crashes. (qualifying note: in all these
cases this is just the smc.exe process that was started by the command
that crashed, not the smcgui.exe process.) And yes, I tried adding the
space after the tilde as you originally quoted in the email :)

Re[2]: [Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

Read again:
Affected : All Firefox versions that support SVG.

Then think about what version of Firefox you are using.

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any  (hail to the web 2.0) might be lost.")


Re: Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

If I understand the process, saving the text at [IV. Proof of concept] (following the "~~~..." to an .XHTML file, and launch the file using Firefox, I should lose functionality ("Browser doesn't respond any longer to any user input, all tabs are no longer accessible, your work if any  (hail to the web 2.0) might be lost.")

Using FF2.0.0.20 and the file does not result in loss of use. All tabs are functional. All JAVA links continue to function.  Same result for renaming the POC file to .HTML, .HTM.

>>> Thierry Zoller <Thierry@Zoller.lu> 05/26/2009 13:13 >>>


For  those that failed to reproduce, try naming the POC file with an XHTML
extension.


Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the

Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

If an office of my client is on a high floor of a building and
physical security is so strict, I cannot find my way to the area a
legitimate access point covers. I can change my attack vector to wait
for my client's employees to buy some coffee on the ground floor and,
therefore, I can steal the "WPA handshake" for the employees. Then I need
to spend some time cracking the WPA key. If I successfully crack the
key, I can now connect with the Android devices of my client's employees,
and they might think that they are connecting with the very powerful
access points of their workplace. At this point, I could launch
karmetasploit-style attacks in order to get malware onto the device.
None of these steps requires me to get into my client's networks.

CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

        }
        boolean flag1 = false;
        Iterator iterator1 = localhostIPList.iterator();
        do
        {
            if(!iterator1.hasNext())
                break;
            String s2 = (String)iterator1.next();
            if(!s.equalsIgnoreCase(s2))
                continue;
            flag1 = true;

RE: Millions of PDF invisibly embedded with your internal disk paths

(Fixing rejected post)

Meh.   I replied to something similar off-list.

"Leaking" a pdf with 'e:\nethome\joe_kitten_lover' doesn't remotely "prove" anything.  If I create a user called MayIMommaDogFaceToTheBannanPatch and "leaked" a pdf, it doesn't mean Steve Martin was culpable.  This is a non-issue, no matter how much you might want to create some fanciful "bonsai kitten" theory to get Joe in trouble, dawg.

t


From: WebDawg [mailto:webdawg@gmail.com] 

Re: Vulnerabilities in phpCOIN

Our deepest sympathies, hearts and prayers go out to Steven's family and 
friends.

-------------

If I were a customer of theirs I'd be cutting them some slack.  I'm just 
sayin'.

MustLive wrote:
> Hello Bugtraq!
>

Administrivia: Real domain names in PoC/exploit examples

Hey everybody,

I just wanted to clarify our policy about accepting posts that contain
real domains and websites in proof-of-concept and exploit examples. We
don't. If I see this, my normal response is to bounce it back to the poster and
ask them to sanitize the example and resend their post. But this
causes delays in moderation and occasionally the poster doesn't resend
the message, which is unfortunate. You may ask why I don't just
sanitize it myself... well it is my policy not to edit posts unless it
is at the behest of the poster.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
