Samples
WAS Core System:
1. Integrated Solutions Console XSS vulnerability.
WAS Samples:
2. PlantsByWebSphere Sample multiple XSS vulnerabilities.
3. JAX-WS Web Services MTOM Sample XSS vulnerability.
4. JAX-WS Web Services Ping and Echo Sample multiple XSS vulnerabilities.
5. Dynamic Query - Employee Finder Sample multiple XSS vulnerabilities.
On Thu, Jan 19, 2012 at 09:21:17AM +0100, valentino.angeletti@enel.com wrote:
> May I ask what software you used (and how it works, brute force etc.)?
John the Ripper, indeed - generating a custom .chr file (which is based
on trigraph frequencies) from a sample of 1 million pwgen'ed
passwords and then using this file to crack another (non-overlapping)
sample of pwgen'ed passwords. My initial notification to oss-security
and Bugtraq included these links, which describe this in more detail:
http://www.openwall.com/lists/john-users/2010/11/17/7
INTRODUCTION
============
According to QuickTime's specification, the sample description atom
(STSD) stores information that allows QuickTime to decode samples in
the media.
It has the following structure:
0 DWORD Size
4 DWORD Type
The Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable buffer overflow corrupting kernel memory.
Affected Systems
-----------------------------
Using the sample program it was possible to verify this issue on the following operating systems and configurations:
* Microsoft Windows Vista Enterprise 32 bit & 64 bit
* Microsoft Windows Vista Ultimate 32 bit & 64 bit
It is very likely that other versions of Windows Vista are affected by this issue.
Additional details:
SQL query:
SQL:
SELECT id FROM cube_CubeCart_search WHERE searchstr='''
Sample HTTP Request:
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
anonymously over TCP/1900.
Technical Details:
ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D
servers. An example of sample benign traffic follows:
0000000027rxrLogin~~administrator
---------------------------------------------
Field 1: 10-digit base10 command length field ("0000000027")
Field 2: RPC command ("rxrLogin")
"A QuickTime file stores the description of the media separately from
the media data. The description, or meta-data, is called the movie and
contains information such as the number of tracks, video compression
format, and timing information. The movie also contains an index of
where all the media data is stored. The media data is all of the actual
sample data, such as video frames and audio samples. The media data may
be stored in the same file as the QuickTime movie, in a separate file,
or in several files.
...QuickTime uses two basic structures for storing information: atoms
and QT atoms. Both atoms and QT atoms allow you to construct arbitrarily
ones (due to the serialization of the transaction ID as
little endian, those bits are serialized in the second
byte) leaving the transaction ID with practical entropy of
12 bits (instead of the ideal 16 bits). However, if one
follows my paper, it's trivial to see that by gathering a few
dozen samples, one can extract K (or very few candidates),
and one can then predict the 487 possible values for the
next transaction ID, i.e. the transaction ID entropy is
less than 9 bits.
But an attacker can do better than this. By having the
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
cache-poisoning.net. The victim has a recursive DNS server that the
attacker can query (ns.victim.com). The victim's server runs Microsoft DNS
server. The attacker wants the victim's DNS cache to think that www.hotmail.com
has IP address 127.0.0.1 (or any other).
First the attacker gathers a sample of DNS transaction IDs that
ns.victim.com uses for outgoing queries. He makes a number of recursive
queries to ns.victim.com for hosts in cache-poisoning.net zone.
Ns.victim.com will query the name server for cache-poisoning.net. The
attacker records the transaction IDs of the requests sent to the name
server of cache-poisoning.net by ns.victim.com.
out. Find more info on the forums at
https://forum.defcon.org/showthread.php?t=9295.
The Race to Zero:
This one is generating a whole lot of buzz in the press. The Race to Zero
involves contestants being given a sample set of viruses and malcode to
modify and upload through the contest portal. The portal passes the modified
samples through a number of antivirus engines and determines if the sample
is a known threat. The first team or individual to pass their sample past
all antivirus engines undetected wins that round. Each round increases in
complexity as the contest progresses. Further details are available here:
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Jetty Persistent XSS in Sample Cookies Application
1. *Advisory Information*
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the way Quicktime handles the
Sample-to-Chunks table in media files with 'twos' audio codec. If a
value for 'samples per chunk' is bigger than 8 times the sample rate
from the 'Sample Description Atom' it will cause a buffer overflow
during the parsing of the atom sample table. This can result in remote
code execution under the context of the current user.
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within how the ATRC codec parses sample data
out of the media file. When reading bit sizes from the sample, the
application will seek a structure that is used for consuming bits from
the sample stream outside the bounds of the correct data. When decoding
the sample, the application will use the transformed data to initialize
another structure. Due to the sizes being unbound, this can be used to
TZ>> 17.04.2009 - As I have no way to reproduce and IBM gives no details
TZ>> about their OH-SO Secret proprietary software I state that
TZ>> "I cannot verify nor reproduce your statements as such I will leave
TZ>> this CVE entry as disputed." "Please provide tangible proof that
TZ>> you detect the samples. Screenshots, logs, outputs."
TZ>> AND
TZ>> "My worktime is not open source either[..] Yet I
TZ>> am currently working for your interests and customers, for free. I can
TZ>> stop reporting responsibly if this is what you are trying to achieve."
As you can see in the SQL query (or the stack trace), in order to alter
the SQL statement sent to the database you need to use a double quote
(not a single one, as in most SQL injections).
Sample HTTP request:
GET /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75 HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions
7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP
inspection is enabled by default.
To check if SIP inspection is enabled, issue the "show service-policy |
include sip" command and confirm that some output is returned. Sample
output is displayed in the following example:
ciscoasa#show service-policy | include sip
Inspect: sip , packet 0, drop 0, reset-drop 0
Hi,
To show the progress of the OSSTMM 3 we have released a 20 page sample
with the ToC included. You'll see the graphics have not been put in
nor the new cover attached and there's still some chapters missing and
2 needing editing but this sample should give you a good idea of the
extensive content we're working with and how far we've come since the
Lite version was released. It's a completely new re-write from 2.0
with a big focus on clarity for the end user. Let's just say we don't
want it to read like stereo instructions again ;)
Due to the WeFi client storing the keys in memory, a dump is able to show valid WEP, WPA and WPA2 keys that can be used by a local attacker. This information can often be found around the 044296C0 offset. An attacker could easily dump the credentials from memory whilst walking past a laptop with an autorun U3 USB. The file that keeps the keys in memory is as follows:
C:\Program Files\WeFi\WeFi.exe
==================================================
SAMPLE 1
==================================================
Here is a sample of the hexadecimal memory dump:
Offset 00 01 02 03 04 05 06 07 08 09 ASCII
The cause of the vulnerability is a bound checking error in the code
used to decompress Windows Media Audio Voice compressed audio files
(located in wmspdmod.dll). Namely, the vulnerability is caused by not
properly sanitizing the audio sample rate information contained in the
.wma voice file.
The maximum allowed sample rate for .wma voice files is 22050 Hz.
However, it can be set as high as 96000 Hz (the maximum for any .wma
file) without being rejected.
By setting the sample rate in .wma voice file between 22050 Hz and
ZDI-11-334 : RealNetworks RealPlayer genr Sample Size Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-334
November 28, 2011
-- CVE ID:
CVE-2011-4251
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks Real Player. User interaction
is required to exploit this vulnerability in that the target must visit
a malicious page or open a malicious file.
The specific flaw exists within how the application parses sample data
encoded with the RV30 codec. When parsing this sample data, the
application will make an allocation and then fail to completely
initialize the buffer. During decoding of the sample data, the
application will explicitly trust an index from the partially filled
buffer and then use that to calculate an address to write to. This can
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the way that the application allocates
space for parsing sample data encoded with the RV20 codec. After
allocation, the application will partially fill the allocation with
sample data. Upon usage of this sample data, the application will use
the uninitialized data to calculate an index that is then written into.
This can lead to code execution under the context of the application.
vulnerable installations of Apple QuickTime Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within how the application decodes video
samples encoded with the RLE codec. When decompressing the sample, the
application fails to account for the size of the canvas the sample is
rendered into. This can cause a buffer overflow and thus can be taken
advantage of in order to gain code execution under the context of the
application.
[48bits Advisory] QuickTime Panorama Sample Atom Heap Overflow
Abstract:
QuickTime is prone to a heap overflow vulnerability when parsing
malformed Panorama Sample Atoms, which are used in QuickTime Virtual
Reality Movies. This vulnerability allows attackers to execute code on
vulnerable installations. Successful exploitation via Web Browser
requires that the