CVE: CVE-2009-1593
Description: Profense Web Application Firewall with default configuration in negative model can be evaded to inject XSS.
Technical Description:
Versions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration in negative model (blacklist approach) can be evaded to inject XSS (Cross-Site Scripting). The problem is due to the built-in core rules that can be abused using the flexibility provided by HTML and JavaScript.
The vulnerability can be reproduced by injecting a common XSS attack in a vulnerable application protected by Profense Web Application Firewall. Inserting extra characters in the JavaScript close tag will bypass the XSS protection mechanisms. An example is shown below:
coordinated by Pedro Varangot
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Pedro_Varangot].
8. *Technical Description / Proof of Concept Code*
The 'smiGetNode' function returns a 'SmiNode' struct given the name of
an OID as a 'char *' in either numeric (e.g. "1.3.6.1.2.1.4.17")
or human-readable format (e.g. "ipForwarding"). This function uses a
static array of 128 elements of type 'unsigned int' to hold the OID in
Affected Software : GOM Player 2.1.16.4613 (Prior versions may also be
affected)
PoC : http://security.bkis.vn/wp-content/uploads/2009/04/gom_poc.pl
2. Technical Description
Like other multimedia players, GOM Player supports displaying subtitles
(srt, smi...) when playing multimedia files. The flaw is found in this
function.
7. *Credits*
These vulnerabilities were discovered and researched by Jorge Luis
Alvarez Medina and Federico Muttis from Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
The bugs in this advisory as well as a number of specific methods to
combine them with insecure Internet Explorer features are discussed in
the paper "Abusing Insecure Features of Internet Explorer"[5].
Exploitation of these vulnerabilities as well as others disclosed
2 Media Player Classic v6.4.9.0 and prior, and other products based on it
(mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior
Technical Description
=====================
These vulnerabilities were discovered by playing with AVI
1) indx truck size
2) wLongsPerEntry
Remediation:
------------
Follow the recommended actions for the affected systems, as identified in the Nortel Advisory.
Technical Description:
----------------------
Flooding an IP phone with valid UNIStim messages freezes the IP phone. The IP phone needs to be rebooted by pulling the power cord in order to work again.
The proof-of-concept code uses "Mute / UnMute" UNIStim messages. The ID number is increased sequentially from 1 to 65535. After the packets have been sent, the phone is frozen and cannot be used. The phone does not ring if its number is called and the LCD display is not updated.
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
*Technical Description / Proof of Concept Code*
The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from where to retrieve the
content to print:
------------------------------------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton
(urbanadventurer) from MorningStar Security.
8. Technical Description / Proof of Concept
------------------------------------------------------------------------------------------------------------------------
8.1 Introduction
Many past advisories have been published for Cute News. An unpatched LFI
(using 3 different CVE names) but provides no technical details to
uniquely identify each one of them, we’ve decided to roll a die and pick
CVE-2007-0063 as the one to identify the bug reported in this advisory.
gracias.zip.
*Technical Description / Proof of Concept Code*
DHCP is built on a client-server model, where designated DHCP server hosts
allocate network addresses and deliver configuration parameters to
dynamically configured hosts. The term "server" refers to a host providing
initialization parameters through DHCP, and the term "client" refers to a
> Technical Description
> =====================
>
> Linksys WRT54GL is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device.
This vulnerability was discovered and researched by Daniel Kazimirow,
from Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.
8. *Technical Description*
The vulnerability occurs in the 'VISIODWG.DLL' library. At offset '74ef'
in the library there is an unsafe call to 'strcpy', which can be used to
execute arbitrary code. This call is replaced with a call to 'strncpy',
at offset '81e7' in the new version of the library.
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
VLC media player has support for the XML-based XSPF playlist format [1].
Every track in an XSPF playlist has a number of attributes, such as
'identifier, location, title and duration'. The 'identifier' attribute
is a numeric value that indicates the position of the track in the
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
8.1. *Introduction*
Novell iManager [1] is a Web-based administration console that
This vulnerability was discovered by Gerardo Richarte while developing an
exploit for vulnerability CVE-2007-1744. The final exploit for both
vulnerabilities was developed by Nicolas Economou, both of them from CORE
IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
*Technical Description / Proof of Concept Code*
While developing an exploit for the CVE-2007-1744 vulnerability [4] the
root cause of the original bug was identified in the way that the
'PathName' parameter is processed by the VMware API that provides the
Shared Folders functionality in the Guest operating system.
This vulnerability was discovered by Damian Frizza from Core Security
Technologies.
7. *Technical Description / Proof of Concept Code*
Microsoft Windows is prone to a memory corruption vulnerability when
instantiating the 'HtmlDlgHelper Class Object'
('CLASSID:3050f4e1-98b5-11cf-bb82-00aa00bdce0b') in a Microsoft Office
Document (ie: .XLS, .DOC). The affected vulnerable module is part of
Sebastian Tello and Manuel Muradas from Core Security Technologies
during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The
publication of this advisory was coordinated by Pedro Varangot.
8. *Technical Description*
8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*
WebEx Player can be used to playback recordings of WebEx sessions. These
Olea and Nahuel Riva from Core Security Technologies. Publication of
this advisory was coordinated by Carlos Sarraute from Core Security
Advisories team.
8. *Technical Description / Proof of Concept Code*
XnView is prone to a security vulnerability when processing MBM files.
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code
Compass Security has not been able to verify the implemented
fix.
Technical Description
---------------------
The following description of the vulnerability in LSrunasE is
also applicable to Supercrypt.
LSrunasE has two components, lsrunas.exe and lsencrypt.exe.
- Firmware version 6.5.20 and higher
- Firmware version 7.1.39 and higher
- Firmware version 7.3.14 and higher
Technical Description:
----------------------
The web interface of the Snom VoIP/SIP phones is protected by
Basic Authentication or Digest Authentication.
The authentication can be completely bypassed by modifying the
HTTP request. A normal browser sets the request header "Host:"
7. *Credits*
This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).
8. *Technical Description*
A SQL injection vulnerability was found in the dispatch.php script, more
specifically in the $user_id variable. The vulnerability can be triggered by
logging into Achievo and browsing to:
Not tested:
* N/A
Technical Description
---------------------
When handling HTTP requests, Boxalino does not properly check for
directory traversal specifiers. Therefore, by including a sequence such
as "../../../", an attacker is able to read files outside of the
intended location. The vulnerability exists for both Windows and UNIX
Possible Causes
===============
Insecure web application programming or configuration
Technical Description
=====================
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target web site, a number of techniques can be utilized to "fix" the session ID value. These techniques range from Cross-site Scripting exploits to peppering the web site with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for the user to login, and then uses the predefined session ID value to assume the user's online identity.
In general, there are two types of session management systems for ID values. The first type is "permissive" systems, that allow web browsers to specify any ID. The second type is "strict" systems, that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the web site. Strict systems require that the attacker maintain the "trap-session", with periodic web site contact, preventing inactivity timeouts.
from the Core Security Consulting Services (CSC) team of Core Security
Technologies, during Bugweek 2007. Special thanks to Norberto Kueffner
for infrastructure support.
*Technical Description / Proof of Concept Code*
A path or directory traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate the http requests in
such a way that the web site will write, execute or reveal the contents
This vulnerability was discovered by Damian Frizza and Alfredo Ortega,
from the Exploit Writers team of Core Security Technologies.
*Technical Description / Proof of Concept Code*
The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:
/-----------
Nicolas Economou from Core Security Technologies discovered and
researched this vulnerability.
8. *Technical Description / Proof of Concept Code*
The vulnerability is located in the library 'WebKit' used by Safari on
iPhone.
The vulnerable function is
1/21/2010 - McAfee notified of vulnerability, provided with proof of concept
6/9/2010 - McAfee notified nGenuity of available fix and related information
Technical Description
*Example Exploit URL:*
hxxp://192.168.0.1/cgi-bin/cgix/help?&page=web_list_block"><script
that has recently been implemented).
Vendor recommends upgrading to version 2009R1.3 or later.
Technical Description
Here is a non-malicious example. The input after login.php is inserted
into the permalink_base variable without being sanitized.
http://example.com/nagiosxi/login.php?%22;alert%281%29;//