Pre Auth
III. ANALYSIS
Summary:
A) Remote Code Execution (RCE) Vulnerability
B) Local File Inclusion (LFI) Vulnerability (pre-auth)
C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)
A) Remote Code Execution (RCE) Vulnerability
or malware) comes from inside the network. This post describes how to
exploit IGDs remotely via UPnP even when no services are publicly
available (WAN interface).
** Preauth XSS + SOAP payload = remote UPnP exploitation **
If you sniff yourself while running software that uses UPnP in the
background to help you configure your router, you'll see that UPnP is
nothing more than SOAP. Our AJAX knowledge tells us about a feature
that allows us to craft arbitrary XML requests: the XMLHttpRequest [3]
=================
The KDC in releases krb5-1.7 and later are vulnerable, if they are
configured to respond to PKINIT requests. Earlier releases did not
contain the vulnerable code. Additionally, third-party
preauthentication plugins that generate TYPED-DATA in the e-data field
of a KRB-ERROR message may be vulnerable.
FIXES
=====
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# http://www.r57shell.in - http://adult.wikipediatr.com - http://www.wikipediatr.com
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS)
and is used in many Linux distributions and some VMware / Dell products.
[=] Vulnerabilities
* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header
When parsing an HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data into this buffer. By sending a small value in the Content-Length
#!/usr/bin/env python
###################################################################################
#
# Cerberus FTP Server Denial of Service Exploit (Pre Auth)
# Found By: Francis Provencher (Protek Research Lab's)
# Tested On: Windows XPSP2
# Usage: ./script <Target IP>
#
###################################################################################
Details:
========
A remote SQL injection vulnerability is detected on the famous Sonicwall Viewpoint Application v6.x.
The vulnerability allows an attacker to inject/execute (pre-auth) their own SQL statements. Successful
exploitation of the vulnerability can lead to unauthorized database access.
Notice: The file is not just located on viewpoint ;)
Application: Ipswitch Instant Messaging
http://www.ipswitch.com/products/instant_messaging
Versions: <= 2.0.8.1
Platforms: Windows
Bugs: A] pre-auth NULL pointer crash in decryption function
B] format string in logging
C] arbitrary empty files creation
Exploitation: remote
A] versus both server and clients
B] versus server
-- Vulnerability Details:
This vulnerability allows remote attackers to inject arbitrary commands
on vulnerable installations of Oracle Secure Backup. Authentication is
required to exploit this vulnerability but may be bypassed.
The specific flaw exists in the handling of the 'preauth' variable to
the script index.php used in the administration server running on port
443. Due to improper filtering of user data a specially crafted request
could lead to arbitrary commands being executed under the credentials of
the service.
Double-Take is disaster recovery and backup software that is also distributed
under other names depending on the company which distributes it, for example
HP StorageWorks Storage Mirroring
(where version 4.5.0.1629 is vulnerable to a pre-auth buffer overflow).
#######################################################################
=======
Dear IT Security colleagues,
Mid-June 2010, TEHTRI-Security will be at SyScan Singapore for an
outstanding conference.
There, we will release more than 13 remote pre-auth zero-days against
many different products (yes: 13 0days...).
We will also propose multiple generic technical solutions that might
help white hats when they want to counter-strike most exploit pack
systems and web attackers.
vulnerabilities I found.
http://www-01.ibm.com/support/docview.wss?uid=swg21372517
IBM DB2
1. "IZ37697: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF
SERVICE."
The first is a pre-auth DoS vulnerability. Here is the exploit: it requires a
"DB2TEST" database present on the target database server, because its name is
hardcoded into the packet.
2. IZ39653: SECURITY: MALICOUS DATA STREAM CAN CAUSE THE DB2 SERVER TO TRAP.
The second DoS vulnerability also requires the "DB2TEST" database
INFIGO IS Security Advisory #ADV-2008-01-06
http://www.infigo.hr/en/
Title: McAfee E-Business Server Remote Preauth Code Execution / DoS
Advisory ID: INFIGO-2008-01-06
Date: 2008-01-09
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06
Impact: Remote code execution
Risk Level: High
LuckySploit is a tool used by attackers to penetrate companies or
personal computers by abusing client-side vulnerabilities. This malware
exploitation kit is full of anti Microsoft technologies.
By auditing this Malware, TEHTRI-Security has found a pre-auth remote
exploit in the file /mod/to.php
By sending a specially crafted HTTP packet with a POST argument, it's
possible to simulate a configuration modification and to inject PHP
code that can be executed afterwards.
Once you extract your claim ticket file from a laptop (note that doing
so will involve executing code on the box, simple directory traversal
style bugs are inadequate), you get to keep it. You also get to
participate in 3com / Tipping Point's Zero Day Initiative, with the top
award for remote, pre-auth, vulnerabilities being increased this year.
Fine print and details on the cash prizes are available from
TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/).
More fine print and rules for the contest will be found at
the http://cansecwest.com/ site.
More info: http://www.barracudanetworks.com
.:: DESCRIPTION
The Web Administration Console is vulnerable to a Pre-Auth Cross-Site
Scripting due to a failure of the application to properly
sanitize user-supplied input prior to including it in a dynamically generated
web document when logging in with a username that
contains JavaScript injections, and only while the "Monitor Web Syslog"
screen is open.
Application: SAP MaxDB
https://www.sdn.sap.com/irj/sdn/maxdb
http://www.sap.com
Versions: <= 7.6.03 build 007
Platforms: Windows, Linux and Solaris
Bug: pre-auth remote commands execution
Exploitation: remote
Date: 09 Jan 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions, in Vista the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
Affected versions
Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.
http://marc.info/?l=bugtraq&m=109658688505723&w=2
A remote attacker can read, list and retrieve nearly all files on the System remotely.
Required is a valid samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share,
in this case this is a preauth exploit.
The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).
Exploit session (using the patched smbclient exploit):
======
The MobiLink server is affected by a heap overflow which happens during
the handling of some strings like username, version and remote ID (all
pre-auth) when they have a length greater than 128 bytes.
#######################################################################