
Plain Text

Plaintext injection in STARTTLS (multiple implementations)

certificate, so that there can be no "man in the middle" (servers
usually don't verify client certificates).

The problem discussed in this writeup is caused by a software flaw.
The flaw allows an attacker to inject client commands into an SMTP
session during the unprotected plaintext SMTP protocol phase (more
on that below), such that the server will execute those commands
during the SMTP-over-TLS protocol phase when all communication is
supposed to be protected.

The injected commands could be used to steal the victim's email or

Citrix NetScaler Web Management Cookie Weakness

Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically does not allow the attacker to obtain the user's login credentials.


Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.

There are several approaches to obtain the ciphertext for some known plaintext:

* Log into the management console with the attacker's own credentials (if the attacker is a configured user, even with minimal privileges) and analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an example, the default root user on NetScaler is "nsroot".)

Level-One WBR-3460A Grants Root Access

23/tcp  open    telnet
80/tcp  open    http

Port 80 gives access through an HTML interface to the configuration menu as would be expected, but although you can control access to that interface using a password, there is no control over the telnet port. So, by telnetting to port 23 (on its default IP 192.168.0.1) users automatically get access to the filesystem, without providing any credentials at all. Now the file system of the device may be used for malicious communication and temporary data storage. Also, a user may download the upgrade firmware's HTML code from the www directory and modify it locally to allow other files than IMGs to be uploaded and replace the existing firmware, making the device useless.

Also, one can view the contents of the /etc/htpasswd file, where everything is in plaintext, and retrieve the web-based administrator's (admin) password. Some of the possible implications that can be triggered from the web interface (not limited to the following) are:

1. Intruders are now capable of opening the configuration page and going through the submenus, where they can get the wireless key in use (the wireless key is displayed in plaintext as well)
2. They can perform a trivial DoS attack (factory restart the modem and everything stops working); similarly, from the telnet session, by issuing the command "reboot" the device will obey and restart itself
3. They can change configurations and policies for clients, causing confusion
4. Or they could download a backup copy of the configuration file for the device (the same file can be obtained by viewing the contents of "/tmp/nvram"); by viewing that file one can easily extract the ADSL account logins or any other information one is curious about, as everything is stored in plaintext (once again)

OpenSSH security advisory: cbc.adv

OpenSSH Security Advisory: cbc.adv

Regarding the "Plaintext Recovery Attack Against SSH" reported as
CPNI-957037[1]:

The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any detailed technical
description of the attack and CPNI's unwillingness to share necessary
information, we are unable to properly assess its impact.

Re: OpenSSH security advisory: cbc.adv

> connection.
>
>> > The usage pattern where the attack is most likely to succeed is where an
>> > automated connection is configured to retry indefinitely in the event of
>> > errors. In this case, it might be possible to recover as much as 14 bits
>> > of plaintext per hour
[...]
>> Given the amount of data pumped down the typical automated connection
>> per hour, this is hardly anything to worry about .. surely ?
>
> That depends on the data that is being transferred. If it includes

Re: OpenSSH security advisory: cbc.adv

> Based on the description contained in the CPNI report and a slightly
> more detailed description forwarded by CERT this issue appears to be
> substantially similar to a known weakness in the SSH binary packet
> protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
> The new component seems to be an attack that can recover 14 bits of
> plaintext with a success probability of 2^-14

Could someone please help the uncomprehending [i.e. me :-)] understand
why or whether this is anything to be worried about at all ?

Quick calculator session :

[IVIZ-08-002] Hewlett-Packard BIOS Plain Text Password Disclosure

- -----------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
                                            http://www.ivizsecurity.com
- -----------------------------------------------------------------------

* Title:     Hewlett-Packard BIOS Plain Text Password Disclosure
* Date:      25/08/2008
* Software:  Hewlett-Packard BIOS

* Vendor Bug Tracker : SSRT080104


IBM OmniFind - several vulnerabilities

   - Session fixation
   - Session impersonation
   - Remote buffer overflow
   - Privilege escalation in two applications
   - Missing authentication in configuration panel
   - Admin password is delivered in plaintext inside the server response
   - Cookies are set for root path, not application path
   - Crawler endless loop


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CORELAN-10-008 - Multiple vulnerabilities found in evalmsi 2.1.03

----------------------------
evalsmsi 2.1.03 contains multiple vulnerabilities.


1 - Insecure storage of password
The passwords are stored in plaintext in the database.
table : authentification
column: password


2 - Authentication Bypass

CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information

9. *Report Timeline*

. 2009-06-04:
Core Security Technologies notifies the WordPress team of the
vulnerabilities (security@wordpress.org) and offers a technical
description encrypted or in plain-text. Advisory is planned for
publication on June 22nd.

. 2009-06-08:
Core notifies the WordPress team of the vulnerability again.


EMC Dantz Retrospect 7 backup Client PlainText Password Hash Disclosure Vulnerability

FGA-2008-16: EMC Dantz Retrospect 7 backup Client PlainText Password Hash
Disclosure Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

[IVIZ-08-004] Intel BIOS Plain Text Password Disclosure

- -----------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
                                            http://www.ivizsecurity.com
- -----------------------------------------------------------------------

* Title:     Intel BIOS Plain Text Password Disclosure
* Date:      25/08/2008
* Software:  Intel BIOS

* CERT temporary tracker : VU#604539


CORE-2010-0323: XSS Vulnerability in NextGEN Gallery Wordpress Plugin

9. *Report Timeline*

. 2010-03-25:
Core Security Technologies notifies Alex Rabe of the vulnerability,
offering a draft for this advisory in plaintext or encrypted form (if
proper keys are sent). April 5th, 2010, is proposed as a release date.

. 2010-03-25:
Alex Rabe acknowledges Core Security Technologies' e-mail, and asks
for the advisory draft in plain text.

POC for CVE-2008-5619 (roundcubemail PHP arbitrary code injection)

Intro
----
Roundcube Webmail is a browser-based IMAP client that uses the
"chuggnutt.com HTML to Plain Text Conversion" library to convert
HTML text to plain text; this library uses the preg_replace PHP
function in an insecure manner.

Vulnerable versions:
Round Cube RoundCube Webmail 0.2-3 beta

Re: [Full-disclosure] [IVIZ-08-010] McAfee SafeBoot Device Encryption Plain Text Password Disclosure (v4, Build 4750 and below)

> -----------------------------------------------------------------------
> iViZ Techno Solutions Pvt. Ltd.
>                                             http://www.ivizsecurity.com
> -----------------------------------------------------------------------
> * Title:     McAfee SafeBoot Device Encryption
>              Plain Text Password Disclosure
> * Date:      17/09/2008
> * Software:  McAfee SafeBoot Device Encryption v4, Build 4750 and below
> --[ Synopsis:
>     The password checking routine of SafeBoot Device Encryption fails to
>     sanitize the BIOS keyboard buffer after reading passwords, resulting

Re: iphone email client does not validate ssl certificates

On 9/26/2009 5:54 AM, Pavel Machek wrote:
> Well... mujmail.org email client also does not validate ssl
> certificates -- optionally. Reasoning is that SSL with unverified
> certificate is still better than sending plaintext passwords.
>
> Does that count as a vulnerability?

Yes; it's not that difficult for someone on the same network segment to 
proxy all your traffic, and if you don't check your certificate then you 
might as well have sent it plaintext.

Stored XSS on Communigate Pro 5.2.14 and prior versions

- Description
The Communigate Pro webmail framework is prone to a stored Cross Site
Scripting vulnerability through crafted plain text email messages.

- Affected version:
5.2.14 and prior as reported from Communigate:
http://www.communigate.com/cgatepro/History52.html

- Details
This vulnerability can be exploited if an attacker sends a plain text

Baidu Hi IM software parsing plaintext stack overflow

Baidu Hi IM software parsing plaintext stack overflow

-- CVE ID:
Not assigned

-- Affected Vendors:
Baidu

-- Affected Products:
Baidu Hi IM software

[ GLSA 200805-18 ] Mozilla products: Multiple vulnerabilities

* Chris Thomas reported that background tabs could create a
  borderless XUL pop-up in front of pages in other tabs
  (CVE-2008-1241).

* oo.rio.oo discovered that a plain text file with a
  "Content-Disposition: attachment" prevents Firefox from rendering
  future plain text files within the browser (CVE-2008-0592).

* Martin Straka reported that the ".href" property of stylesheet DOM
  nodes is modified to the final URI of a 302 redirect, bypassing the

Cyberoam SSL VPN Client - Plain-text Storage of Username and Password

Cyberoam SSL VPN Client - Plain-text Storage of Username and Password

Vulnerability Summary:
Product: Cyberoam SSL VPN Client v1.0
Vendor: eLiteCore
Website: http://www.cyberoam.com/  
Platform: Windows
Vulnerability Classification:  Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN 9.6.0.78
Issue Discovered By: Wasim Halani (washal)

ZOHO ManageEngine ADSelfService Plus Administrative Access

ManageEngine ADSelfService Plus is a web-based password management
infrastructure for Microsoft Windows Active Directory environments.

By default a local administrative account is configured, named "admin". The
administrative password is stored inside the local database in base64(md5(P|S))
form (P is the plain-text password, S is a password salt, and '|' is the string
concatenation operator). In the default installation, password for user "admin"
is also "admin", but the password can be changed after first login.

Unfortunately, due to a bug in the authentication procedure, malicious users
can authenticate without knowing the current plain-text password value.

(resend) RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them.

Exploiting this vulnerability requires modification of the
serialized view object, which is not stored in a plaintext
format. The Deface tool[12] can be used to provide
proof-of-concept attacks.


Remediation Steps:

Meridian Prolog Manager Username and Plain Text Password Disclosure

company assumed they would be revoking our license/contract as way to
quell the issue.
CERT - Assigned VU#120593

+Subject
Meridian Prolog Manager Username and Plain Text Password Disclosure

+Version
All Prolog Manager Versions (2007, 7.5 and pre 7.5 versions)

+Impact

Outlook PR_ATTACH_METHOD file execution vulnerability

Microsoft Office Outlook is a personal information manager. It is often
mainly used as an e-mail application, but it also includes a calendar,
task manager, contact manager, note taking, a journal and web browsing.

Outlook supports various e-mail formats, including plain text, HTML and
TNEF. TNEF is a proprietary format used by Microsoft Outlook and
Microsoft Exchange Server. TNEF messages or TNEF streams consist of
message and/or attachment attributes. These attributes contain basic
properties, such as message subject, date sent and attachment title
(file name). Additional attributes can be set using MAPI properties,

Proxy bypass vulnerability & plain text passwords in LevelOne AMG-2000

SEC Consult Security Advisory < 20090429-0 >
=======================================================================
              title: Proxy bypass vulnerability & plain text passwords
                     in LevelOne AMG-2000
            product: LevelOne AMG-2000 Wireless AP Management Gateway 
 vulnerable version: Firmware <=2.00.00build00600                     
             impact: critical
           homepage: http://www.level1.com
              found: 2008-12-16
                 by: J. Greil / SEC Consult / www.sec-consult.com

NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability

NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability

CVSS Risk Rating: 4.6 (Medium)

Product: NetSaro Enterprise Messenger Server

Application Vendor: SEM Software

Vendor URL: http://www.netsaro.com/


Re: OpenSSH security advisory: cbc.adv

> > Based on the description contained in the CPNI report and a slightly
> > more detailed description forwarded by CERT this issue appears to be
> > substantially similar to a known weakness in the SSH binary packet
> > protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
> > The new component seems to be an attack that can recover 14 bits of
> > plaintext with a success probability of 2^-14
> 
> Could someone please help the uncomprehending [i.e. me :-)] understand
> why or whether this is anything to be worried about at all ?
> 
> Quick calculator session :

Hacker Space Fest 2009 CFP: Call For Paper

+ Acceptable Formats

  * Open Document
  * PDF
  * Plain Text
  * RTF

+ Agenda

  * beginning of proposals    : now

[IVIZ-08-005] IBM Lenovo BIOS Plain Text Password Disclosure

- -----------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
                                            http://www.ivizsecurity.com
- -----------------------------------------------------------------------

* Title:     IBM Lenovo BIOS Plain Text Password Disclosure
* Date:      25/08/2008
* Software:  IBM Lenovo BIOS

- --[ Synopsis:


Formshield Captcha - Older Version vulnerable to replay attacks

Formshield1. The value of the properties parameter changed each time
new text was populated in the CAPTCHA image. Changing content of this
parameter results in no new text being generated at all. The encrypted
properties value though is obtained by a dynamic key in the
__VIEWSTATE variable. If the contents of the __VIEWSTATE variable can
be obtained then we have a plaintext cipher text match which can be
replayed every time for every new request.

Details of the Attack

To carry out this attack we need to intercept and modify HTTP(S)


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
