Internet connection
Knowledge Austria/Germany and IronPort.
DeepSec Organisation Team.
https://deepsec.net/contact
Internet Access at the conference is provided by: http://www.nets.at/
A customer service message from ZoneAlarm …
On Tuesday, Microsoft rolled out an automatic update to all of their users. Unfortunately, this cut off Internet access for anyone on Windows XP or Windows 2000 using the ZoneAlarm firewall. This is the #1 free firewall in the world, and is also included in other security products sold by ZoneAlarm.
For ways to fix this, go here: http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Or call Customer Service here: 1-877-966-5221
Credit: Daniel Teixeira
Vulnerability Details:
The Web Management Interface of common consumer routers allows disclosure of the Internet access password simply by inspecting the DSL password <INPUT> field with development tools such as Safari Web Inspector or Firebug.
Demo: http://vimeo.com/16480521
[Software/Hardware]
- LinkSys DSL Router BEFSR41 V2
[Vendor Product Description]
- This Router will allow your computers to share a high-speed Internet
connection as well as resources, including files and printers.
[Bug Description]
- Linksys does not validate the input size, leading to a stored XSS bug.
- Host name, User Name (PPPoE and PPTP), Customized Applications and
Introduction
============
The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.
Security Risk
=============
Linksys WRT54GL is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requiring authentication (CSRF).
Introduction
============
"Feature complete yet easy to use, WebMail Server Pro provides feature
rich Web 2.0 web-based access to email, calendars, contacts, files and
shared data from any computer with browser and internet connection,
without the usual configuration hassle. Thanks to advanced technologies
and application-like look and feel, Pro suggests it was born to become
the ultimate replacement of Outlook and similar desktop mail clients."
(from the vendor's homepage)
Dear List,
This Message is thrown together in a hurry with limited Internet
access, please take my apologies for typos and missing information,
more will follow soon :)
My call for an OSS Bluetooth sniffer during the last 23C3
in Berlin has not been left unanswered, first there was
Max Moser("Bluetooth - Getting raw access") that uncovered
5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following attacks and/or more:
* use MITM attacks to capture encrypted data, including passwords, credit-card numbers and other confidential data
* inject malicious content into the network stream which can hijack the user's system [viruses, trojans, malware, bots]
* sniff, tap and monitor the network user and his/her actions online
* redirect user's traffic and subject the user to SPAM, Ads, or use DNS poisoning in inventive ways
* generate network traffic to launch DDoS attacks - effectively hijacking the user's internet connection and making them zombie bots
* redirect nefarious network activities through hijacked modems to make it difficult/impossible to track the attack source/origin, and carry out illegal activities. In such cases, the blame might go to an innocent Airtel subscriber as his/her IP would apparently be the source of the illegal activity.
There is no limit to the creativity of attackers once a vulnerability is available, so these are just my guesses. There may be other attacks
possible. I believe, the ones I have listed are bad enough.
There is a fairly in depth discussion of the issue here:
http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars
Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.
*********** REPLY SEPARATOR ***********
On 1/16/2010 at 7:39 AM Michael Scheidell wrote:
Hi All,
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:
"Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there's a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen."
Guess what - it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.
====================================================
3) Summary
"The 3Com OfficeConnect Wireless Cable/DSL Router is a high-speed, affordable,
and easy-to-use small office solution that lets wireless and wired PCs and
laptops securely share a single broadband Internet connection."
This device is very common due to the affordable price and versatility.
For these reasons it is widely installed by large telecom providers in all Europe
(e.g. In Poland, Orange is currently deploying this device for its residential DSL).
From GFI's website:
"GFI WebMonitor offers web security features that allow you to control your
employees Internet access by monitoring what files employees are downloading, to
block file types such as MP3s and to scan all files for viruses, spyware and malware
using multiple antivirus engines. GFI WebMonitor lowers the risk of social engineering
by blocking access to phishing websites through the use of an auto-updatable database
of phishing urls. The web monitoring features also allow you to monitor and block
Live Messenger (MSN) chat sessions and file transfers."
> learning exercise for the coders on this product. It seems to be
> assumed that only trust-worthy users will connect only to trust-worthy
> sites. I could not find any evidence of input validation.
>
> Through the magic of Web Scarab and Paros proxy, one can capture the
> Internet communications used by the F90 Internet Connection Kit
> software. What you soon see is that the software does not account for
> either bypassing the local application and changing the input or in
> spoofed and re-directed sites.
>
> The software does not validate the site it gets the information from
So in common case, when name of database, prefix and date are known, it'll
have to do up to 1048576 combinations (folder) + up to 1000 combinations
(file) = up to 1049576 combinations (full path to the file). On average it's
524788 combinations, which can be picked up quickly enough with fast
Internet connection.
------------------------------
Protection against this vulnerability.
------------------------------
Hello,
Huawei HG510 is a device offered by the Serbian telecom operator, to provide ADSL Internet connection.
Administration of settings on this device is allowed only from the local LAN network, but not only from the
private IP address (e.g. 192.168.1.1); you can also access it with the public IP address (only from the local LAN again).
There is no CSRF protection so we can create malicious web pages and create some CSRF attacks.
If the user is logged in on his device we can change passwords or some other settings.
>
> ============
>
> The Linksys Wireless-G Broadband Router is really three devices in one box. First, there's the Wireless Access Point, which lets you connect both screaming fast Wireless-G (802.11g at 54Mbps) and Wireless-B (802.11b at 11Mbps) devices to the network. There's also a built-in 4-port full-duplex 10/100 Switch to connect your wired-Ethernet devices together. Connect four PCs directly, or attach more hubs and switches to create as big a network as you need. Finally, the Router function ties it all together and lets your whole network share a high-speed cable or DSL Internet connection.
>
> > assumed that only trust-worthy users will connect only to trust-worthy
> > sites. I could not find any evidence of input validation.
> >
> > Through the magic of Web Scarab and Paros proxy, one can capture the
> > Internet communications used by the F90 Internet Connection Kit
> > software. What you soon see is that the software does not account for
> > either bypassing the local application and changing the input or in
> > spoofed and re-directed sites.
> >
Recommendation:
Vendor refused to comment on whether they would develop a patch or even notify
existing client base.
Workaround: Remove ConnX server from public Internet access and protect behind
corporate firewalls, SSL-VPN, web application firewall etc.
References:
aushack.com advisory
http://www.aushack.com/200904-q2solutions.txt
[>>] Proviso SiteKiosk File Download Vulnerability [<<]
[x] Vendor Information:
"SiteKiosk is a software for public access internet terminals and lets you turn any computer into a secure multilanguage Internet terminal (already 20 different languages included), allowing the user to access the Internet but protecting the underlying operating system and files. Possible uses include presentations, exhibitions, libraries, and more. SiteKiosk works with normal displays and Touchscreens. A keyboard doesn't even have to be attached -- text can be entered via a keypad with a mouse. Plentiful options let you decide the amount of security your kiosk needs, from hard-disk protection to prohibiting specific Websites. The program can be used with either a direct network connection or Dial-Up Networking, providing Internet access "on demand." Other features include multiple-window support, automatic shutdown/restart, Shell-Replacement, hard-disk protection, thorough event-logging support, Log-Out Button, content-advisor, great website filtering (with automatic update), an easy-to-use configuration wizard, and more. SiteKiosk supports different payment methods like coin machines, bill acceptors, smart cards and others. Also very nice is the webcam support which enables users to send voice, video and photo emails. It is also possible to administer terminals by remote. SiteKiosk uses Internet Explorer as its basis but presents a much simplified interface that even the novice user will understand. Excellent online help is included."
[x] Attack Information
SiteKiosk tries to block and avoid file downloads. If you click on a link which saves a file automatically on your hard drive (e.g. an exe download link) or if you right click something and select "save as..." a window will pop up which says that it isn't possible to download the file. But you can bypass the issue with a special url - you've got to use the "about:"-url. SiteKiosk uses the Microsoft Internet Explorer engine to display web sites, so you can also use "about:" to display anything directly from the url. For example "about:hello" will display the text "hello" directly in the browser. Of course you can use HTML too: "about:<b>hello</b>" will display the text "hello" bold. Normally this is harmless, but in SiteKiosk you can use it to download files.
Impact
------
An attacker can
- get victim's PPP password by accessing /js/connection.js
- disconnect victim's internet connection
- send SMS with victim's router
- gain access to victim's WIFI password
Recovery
--------
OCSP_basic_verify(), but it does not verify the status of the
certificate itself. Thus, if an attacker has access to a revoked
certificate and its matching private key, the attacker is able to get
authenticated against the FreeRADIUS server.
This allows the attacker to gain access to all network resources that
are accessible due to the FreeRADIUS authentication, e.g. Internet access.
To avoid the issue, the status of the certificate has to be checked with
the OCSP_resp_find_status() function by comparing the returned status
value against 'V_OCSP_CERTSTATUS_GOOD', and by checking the freshness of
the OCSP response with OCSP_check_validity().
Version affected: 10.3.2 and below
Product description: IceWarp WebMail is the web front-end for the IceWarp
Mail Server, which provides email access on over 50,000 servers. IceWarp
WebMail provides web-based access to email, calendars, contacts, files
and shared data from any computer with a browser and Internet connection.
Credit: David Kirkpatrick of Trustwave's SpiderLabs
Finding 1: XML External Entity Injection
CVE: CVE-2011-3579
• Digital Rights Management
• Privacy & Security
• Smart Grid / Critical Infrastructure Security
Speakers are encouraged to use multi-media and/or live demo, if appropriate.
Internet access will be available at the venue.
Speakers should submit an outline of their proposed talk along with an abstract. Papers will be judged on topic originality and technical content. Electronic submission is required in pdf or standard Microsoft Office applications (Word, Powerpoint). Vendors are allowed to submit proposals, however any vendor submission must be vendor neutral and approach the topic area from a technical/technology/solution approach rather than vendor specific products/solutions.
Submit your proposal to: paranoia (at)watchcom (dot)no
* Short biography
* Abstract (5 to 10 lines)
* Topics / Keywords
* Includes a demo? YES | NO
* Release during the festival? YES | NO
* Internet connection required? YES | NO
+ Acceptable Formats
* Open Document
* PDF
The issue is a lack of input validation. OWASP would be a great learning exercise for the coders on this product. It seems to be assumed that only trust-worthy users will connect only to trust-worthy sites. I could not find any evidence of input validation.
Through the magic of Web Scarab and Paros proxy, one can capture the Internet communications used by the F90 Internet Connection Kit software. What you soon see is that the software does not account for either bypassing the local application and changing the input or in spoofed and re-directed sites.
The software does not validate the site it gets the information from nor does it sufficiently validate the input to the software.
At the moment as I think there are so few people as crazy as I am who actually have to have a gadget just as it is Internet connected; this is not likely to become a widespread attack vector.
The software is an oversized web proxy with other stuff to connect to the coffee machine thrown in. Jura did not make the assumption that an evil attacker could purposefully modify and publish "evil" coffee "recipes".
HITB Europe. No further information will be shared to the public before
Apple releases a patch.
o Security-Advisory: TEHTRI-SA-2010-026 - 0day on ThalysNet
TEHTRI-Security found some security issues on Thalys European trains,
with the Internet access on board. To us, many Internet access shared on
airports, stations, trains, in-flights, hotels, etc, are full of
security vulnerabilities, because no penetration tests were organized
with IT Security experts before the service is open to the public.
Dealing with ThalysNet, it concerns half a million of end-users.
ThalysNet was contacted.