
Proof of Concept Code

RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Python)

-----Original Message-----
From: Barry Raveendran Greene [mailto:bgreene@senki.org] 
Sent: Monday, December 21, 2009 9:16 PM
To: 'RedTeam Pentesting GmbH'; bugtraq@securityfocus.com
Subject: RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Python)

Also, can you change this:

"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).


8. *Technical Description / Proof of Concept Code*

 Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:

CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.


*Technical Description / Proof of Concept Code*

Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as

CORE-2009-1027: IBM SolidDB invalid error code vulnerability

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

IBM SolidDB server listens and accepts remote connections on port
2315/tcp. The service is implemented by 'solid.exe' which is started
automatically on boot. For certain transactions, upon receiving a packet
from the network the service will attempt to determine and display an

CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

from Core Security Technologies during Bugweek 2010 [4]. Additional
research was performed by Alejandro Rodriguez. Publication was
coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The administrative console (also known as Integrated Solutions Console)
of IBM WebSphere Application Server is vulnerable to Cross-Site Request
Forgery (CSRF) [2] attacks, which can be exploited by remote attackers
to force a logged-in administrator to perform unwanted actions on the

CORE-2011-0919: Apple OS X Sandbox Predefined Profiles Bypass

This vulnerability was discovered and researched by Anibal Sacco and
Matias Eissler from Core Security Technologies. The publication of
this advisory was coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The use of Apple events is possible within the several default
profiles as no-network, no-internet (kSBXProfileNoNetwork,
kSBXProfileNoInternet) and others. A compromised application
hypothetically restricted by the use of the no-network profile may

CORE-2007-1119: CORE FORCE Kernel Buffer Overflow

*Credits*

This vulnerability was discovered by Sebastian Gottschalk.


*Technical Description / Proof of Concept Code*

The firewall functionality of CORE FORCE is a port of OpenBSD's PF
firewall implemented as an NDIS-compliant kernel driver that mediates
communications between the network card and the TCP/IP stack of the
operating system. Thus stateful, bi-directional firewalling rules can be

CORE-2008-1009 - VNC Multiple Integer Overflows

These vulnerabilities were discovered and researched by Ariel
Futoransky, Fernando Russ and Alfredo Ortega from Core Security
Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple integer overflow vulnerabilities have been discovered in
UltraVNC and TightVNC. The vulnerable functions are located in
'ClientConnection.cpp', and they are:


CORE-2010-0514: XnView MBM Processing Heap Overflow

Olea and Nahuel Riva from Core Security Technologies. Publication of
this advisory was coordinated by Carlos Sarraute from Core Security
Advisories team.


8. *Technical Description / Proof of Concept Code*

XnView is prone to a security vulnerability when processing MBM files.
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code

CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

These vulnerabilities were researched by Anibal Sacco and Damian Saura
from Core Security Technologies.


*Technical Description / Proof of Concept Code*

We have found that BitDefender Antivirus, Rising Antivirus, Comodo
Firewall and Sophos Antivirus have hooks that do not properly validate
the arguments of the hooked functions before accessing them, and lead to
the program trying to reference some invalid memory, leading in some

[CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities

researched by Nicolas Economou
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Nicolas_Economou].
The identity of the original discoverer is unknown.


8. *Technical Description / Proof of Concept Code*

The vulnerabilities were found and researched on a Windows XP SP3 system
by identifying binary differences in 'smtpsvc.dll' after applying the
corresponding patch from MS10-024. The dll versions '6.0.2600.5512' and
'6.0.2600.5949' were compared.

CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

This vulnerability was discovered by Gerardo Richarte while developing an
exploit for vulnerability CVE-2007-1744. The final exploit for both
vulnerabilities was developed by Nicolas Economou, both of them from CORE
IMPACT's Exploit Writing Team (EWT), Core Security Technologies.

*Technical Description / Proof of Concept Code*

While developing an exploit for the CVE-2007-1744 vulnerability [4] the
root cause of the original bug was identified in the way that the
'PathName' parameter is processed by the VMware API that provides the
Shared Folders functionality in the Guest operating system.

CORE-2008-1210: Qemu and KVM VNC server remote DoS

This vulnerability was discovered and researched by Alfredo Ortega from
Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

The function 'protocol_client_msg()' in the file 'vnc.c' ('qemu/vnc.c'
in kvm-66) is in charge of processing incoming VNC low-level messages. A
listing of the vulnerable source follows:


Cross Site Scripting Vulnerability in vBulletin 4.1.3, 4.1.4 and 4.1.5

*Credits*
This vulnerability was discovered by Muhammad Haroon from Innovative Solutions KSA, OWASP Chapter Lead of Pakistan. haroon [at] live [dot] it

----

*Proof of Concept Code*
This is a Cross Site Scripting (XSS) vulnerability within the vBulletin community forum solution. In order to exploit this flaw, the following vector would be used:
 http://www.example.com/forums/admincp/?"><script>alert('Xss_found_By_M.Haroon')</script>

----


CORE-2009-0122: HP OpenView Buffer Overflows

These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.

While working on an exploit for the vulnerabilities disclosed in the

Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)

These vulnerabilities were discovered and researched by Francisco Falcón
from Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

PDF files may include actions (i.e., 'Go to a page view', 'Open/Execute
a file', 'Open a web link', 'Execute a menu item') associated with
different triggers (i.e., 'Mouse Up', 'Mouse Down', 'Page Visible',
'Page Invisible'). The way Foxit Reader handles an 'Open/Execute a file'

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

*Credits*
This vulnerability was discovered by Lucas Lavarello from the CORE
Security Consulting Services (CORE SCS) team.

*Technical Description / Proof of Concept Code*

The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for

CORE-2007-1212: SILC pkcs_decode buffer overflow

This vulnerability was discovered by Core Security Technologies team
"Los Plomeros vs. Blue Demon" during Bugweek 2007: Ariel Waissbein,
Pedro Varangot, Martin Mizrahi, Oren Isacson, Carlos Garcia and Ivan Arce.


*Technical Description / Proof of Concept Code*

Upon initial connection with a SILC server, mutual authentication
between peers (client, routers and servers) is performed and a key
negotiation protocol is executed to obtain a shared key that is
subsequently used to encrypt communications. While a detailed analysis

CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

This vulnerability was discovered and researched by Sebastian Muniz from
the Exploit Writers Team (EWT) at Core Security Technologies.


*Technical Description / Proof of Concept Code*

WonderWare SuiteLink is a service that runs on Microsoft Windows
Operating Systems listening for connections on port 5413/tcp.

Un-authenticated client programs connecting to the service can send a

CORE-2009-0727: Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*


8.1. *Overview*

The flaw exists within the function 'msn_slplink_process_msg()' of

[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers

These vulnerabilities were discovered and researched by Dan Crowley from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*


8.1. *Nginx Web Server*

The following configuration snippet for Nginx Web Server will process

CORE-2008-0122: MPlayer arbitrary pointer dereference

This vulnerability was discovered and researched by Felipe Manzano and
Anibal Sacco from Core Security Technologies.


*Technical Description / Proof of Concept Code*

First, some information from the QuickTime File Format Specification (May 1996):

"A QuickTime file stores the description of the media separately from
the media data. The description, or meta-data, is called the movie and

CORE-2009-0912: Blender .blend Project Arbitrary Command Execution

The publication of this advisory was coordinated by Fernando Russ from
Core Security Advisories Team.


7. *Technical Description / Proof of Concept Code*

Blender [2] .blend project files can be modified to execute arbitrary
commands without user intervention by design. An attacker can take
full control of the machine where Blender is installed by sending a
specially crafted .blend file and enticing the user to open it.

CORE-2009-0401 - StoneTrip S3DPlayers remote command injection

This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Ston3D is a cross-platform technology allowing applications developed
with ShiVa product [2] to be run from various media, such as a website,
CD/DVD or interactive equipment. This technology provides a scripting
interface [5] based on the Lua programming language, within this

CORE-2007-1218: MPlayer 1.0rc2 buffer overflow vulnerability

This vulnerability was discovered by Damian Frizza and Alfredo Ortega,
from the Exploit Writers team of Core Security Technologies.


*Technical Description / Proof of Concept Code*

The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:

/-----------

CORE-2010-0407: Microsoft Office Excel PivotTable Cache Data Record Buffer Overflow

This vulnerability was discovered by Damian Frizza from Core Security
Technologies.


8. *Technical Description / Proof of Concept Code*

A stack-based buffer overflow can be triggered when Excel XP parses a
.XLS file with a crafted PivotTable Cache Data Record (offset C6h). The
vulnerability occurs if the member 'cfdbTot' has a value equal to 0.
Modifying this record allows an exploitable condition to be triggered as

[CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection

The publication of this advisory was coordinated by Jorge Lucangeli Obes
from Core Security Technologies Advisories Team.


8. *Technical Description / Proof of Concept Code*

Cross-site scripting (XSS) vulnerabilities allow an attacker to execute
arbitrary scripting code in the context of the user browser (in the
vulnerable application's domain). For example, an attacker could exploit
an XSS vulnerability to steal user cookies (and then impersonate the

CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability

This vulnerability was discovered and researched by Federico Muttis from
Core Security Technologies.


*Technical Description / Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within vBulletin
community forum solution. In order to exploit this flaw the following
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private

CORE-2008-0228: Microsoft Word Malformed FIB Arbitrary Free Vulnerability

This vulnerability was discovered and researched by Ricardo Narvaja,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. A Word file with a specially crafted
'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information
Block (FIB) can corrupt the heap structure on vulnerable Word versions,

CORE-2009-0922: Jetty Persistent XSS in Sample Cookies Application

This vulnerability was discovered by Aureliano Calvo from Core Security
Technologies during Bugweek 2009 [3].


8. *Technical Description / Proof of Concept Code*

The problem resides in the 'CookieDump.java' file from the examples.

/-----
        Cookie[] cookies = request.getCookies();

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.