Internet Domain Name
------------------------------------------------------------------------
getPlus insufficient domain name validation vulnerability
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
APSB10-08 [2] Security update available for Adobe Download Manager
CVE-2010-0189 [3]
char namestring[1024+1];
and the value of MAXDNAME can be found here:
"/usr/include/arpa/nameser.h"
#define NS_MAXDNAME 1025 /* maximum domain name */
So... in fact the vulnerable function will try to copy, with
sprintf, a string into a buffer which is 256 bytes long. The maximum domain length
is 1025, but all the checks in the program 'mtr', which I don't paste (if you want
them, just look at the source code), don't allow a domain longer than 256 bytes
Risk : Very high
What you can do with this bug is :
you can have access to the whole server with reseller privilege (Th3 r00t)
how does it work ?
when you want to create an account in the shell, what will happen ?
./script/wwwact [domainname] [username] [password] [Email address] lab lab lab
that you can run with a web-based program ! ( cpanel : domain:2086)
example :
http://domain:2086/scripts/wwwacct [domainname] [username] [password] [Email address] lab lab lab
it means you got access to wwwacct in the scripts folder (Th3 r00t)
so you can run other commands with root access like that
--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security
Information Portal <cross-site-scripting-security@xssworm.com> wrote:
>
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering
> product.)
advisory is being published. Email will be sent to the freebsd-security
mailing list when the binaries are available via freebsd-update.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Dynamic update messages may be used to update records in a master zone
on a nameserver.
This update upgrades the service console rpms for bind-utils and
bind-lib to version 9.2.4-22.el3.
Version 9.2.4-22.el3 addresses the recently discovered
vulnerability in the BIND software used for Domain Name
resolution (DNS). VMware doesn't install all the BIND packages
on ESX Server and is not vulnerable by default to the reported
vulnerability. Of the BIND packages, VMware only ships bind-utils
and bind-lib in the service console, and these components by
themselves cannot be used to set up a DNS server. Bind-lib and
Problem Description:
Multiple vulnerabilities were discovered and corrected in kdelibs4:
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
'\0' (NUL) character in a domain name in the Subject Alternative
Name field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2702).
Problem Description:
Multiple vulnerabilities were discovered and corrected in kdelibs4:
KDE KSSL in kdelibs does not properly handle a '\0' (NUL)
character in a domain name in the Subject Alternative Name field of
an X.509 certificate, which allows man-in-the-middle attackers to
spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2702).
FROM" command.
2) An insufficient length check when copying data with a predefined
log message into a buffer using strcpy_s() may result in an unhandled
invalid parameter error. This can be exploited to crash the SMTP
service (MESMTPC.exe) via an overly long domain name in the "RCPT TO"
command.
======================================================================
5) Solution
3. VULNERABILITY
Once vim successfully connects to an FTP server using a user name and
password credentials, it will re-use them in all subsequent FTP
sessions, regardless of the domain name or TCP port.
This behaviour is documented, although the documentation states the
credentials are ``retained on a per-session basis''. Apparently the Vim
session, not the FTP session:
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
serverAddress
sessionId
clientIPLower
clientIPHigher
userName
domainName
dnsSuffix
=== Proof of Concept 2 ===
Problem Description:
Multiple vulnerabilities have been found and corrected in irssi:
Irssi before 0.8.15, when SSL is used, does not verify that the server
hostname matches a domain name in the subject's Common Name (CN)
field or a Subject Alternative Name field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof IRC servers via an
arbitrary certificate (CVE-2010-1155).
core/nicklist.c in Irssi before 0.8.15 allows remote attackers to cause
http://www.davidsopas.com/2008/09/sql-injection-in-easyrealtorpro/
"EasyRealtorPRO 2008 provides you with all features you need to setup
your own business oriented real estate website on your own domain
name. Our support team will install the script on your server and then
you can start selling packages to home sellers at ease." on the vendor
website easyrealtorpro.com
This PHP script is vulnerable to SQL injection in the site_search.php file.
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in an X.509 certificate (CVE-2009-2404).
This update provides the latest versions of NSS and NSPR libraries
which are not vulnerable to those attacks.
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in wget:
GNU Wget before 1.12 does not properly handle a '\0' (NUL) character
in a domain name in the Common Name field of an X.509 certificate,
which allows man-in-the-middle remote attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority, a related issue to CVE-2009-2408 (CVE-2009-3490).
This update provides a solution to this vulnerability.
KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
of a Select object, a related issue to CVE-2009-1692. (CVE-2009-2537)
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
'\0' (NUL) character in a domain name in the Subject Alternative Name
field of an X.509 certificate, which allows man-in-the-middle attackers
to spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2702).
Debian bug : 541439
CVE Ids : CVE-2009-2409 CVE-2009-2730
Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of
the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority. (CVE-2009-2730)
>
> 3. VULNERABILITY
>
> Once vim successfully connects to an FTP server using a user name and
> password credentials, it will re-use them in all subsequent FTP
> sessions, regardless of the domain name or TCP port.
>
> This behaviour is documented, although the documentation states the
> credentials are ``retained on a per-session basis''. Apparently the Vim
> session, not the FTP session:
>
http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx
-----
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is
configured to use WPAD. It starts the search by adding the hostname "WPAD" to
the current fully-qualified domain name. For instance, a client in
a.b.Microsoft.com would search for a WPAD server at wpad.a.b.microsoft.com. If
it could not locate one, it would remove the bottom-most domain and try again;
for instance, it would try wpad.b.microsoft.com next. IE 5 would stop searching
when it found a WPAD server or reached the third-level domain,
wpad.microsoft.com.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
Description:
Previous versions of the curl package do not properly validate X.509
certificates with NULL bytes in the domain name portion of the Common
Name field, which can allow man-in-the-middle attacks which spoof
arbitrary SSL servers by presenting crafted certificates signed by
legitimate certification authorities.
http://wiki.rpath.com/Advisories:rPSA-2009-0124
10.04 LTS updates.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not properly
set up the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
> We have used a well-defined PHP script in this demo combined with a URL
> obfuscation issue. Since spoofing aims at
> manipulating the security features in user interfaces, it requires a new
> model dialog for HTTP authentication that should disseminate
> the realm value from the domain name. Restricting the string length of the
> Realm value could be a good lead here.
More usefully, the realm should be clearly separated from the domain
and labeled in the dialog like Opera does it. See the screenshot of
that in my paper. There could still be some confusion, but it's
>
>> | Note that all domains that contain hosts should have a "localhost" A
>> | record in them.
>
>> That RFC was obsoleted by RFC 1912 in 1996, so there's no RFC
>> conformance issue if you omit the domain names. But it explains why
>> there are so many zones that contain them.
>
> I've always assumed that the reasoning for this is as "localhost"
> looks like an unqualified domain name, the search path in resolv.conf/...
> will be applied.
* Astabis reported a crash in the block reflow implementation related
to large images (CVE-2008-2811).
* John G. Myers, Frank Benkstein and Nils Toedtmann reported a
weakness in the trust model used by Mozilla, that when a user accepts
an SSL server certificate on the basis of the CN domain name in the
DN field, the certificate is also regarded as accepted for all domain
names in subjectAltName:dNSName fields (CVE-2008-2809).
The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:
Problem Description:
A vulnerability has been found and corrected in qt4:
src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x
does not properly handle a '\0' character in a domain name in the
Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2700).
: #####################################################################################
: # Site : Http://IRCRASH.COM #
: ###################################### TNX GOD ######################################
Yet, you can find the time to type in your domain/name at least 4 times in
this post..
Someone recently pointed out that 'vulnerability disclosures' like this
may actually be a form of covert broadcast designed to manipulate search
engines.
Well, we already trust many CAs for such purposes. Random names:
AOL, VISA etc...
Creating a CA hierarchy attached to DNS seems nice from one point of view:
a DN-CA would verify certs belonging under its domain name tree only.
That's good.
Every registrar and every end-entity that bought a domain
would have to introduce policies and procedures for certification
management/enrollment/revocation etc -> whole PKI.
Update:
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost or 127.0.0.1, even if they are not localhost.
Due to domain naming restrictions the 127.0.0.1 prefix cannot be used in
exploitation, as http://127.0.0.1.seekersec.com is not a valid domain
name - subdomain names cannot be digits only. However, redirects to
http://localhost.seekersec.com or http://localhostie.seekersec.com are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability:
localhostaaa, localhost.seekersec.com, etc.
An attacker can generate an attack by creating a site containing