OS Version: Mac OS X 10.5.6 (9G55)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590
Crashed Thread: 0
Thread 0 Crashed:
0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235
1 libSystem.B.dylib 0x01d7710d szone_malloc + 180
2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81
(gdb) run /home/wargame/prova.pls
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/wargame/test/bin/rhythmbox /home/wargame/prova.pls
[Thread debugging using libthread_db enabled]
[New Thread 0x7f01a0a907c0 (LWP 1757)]
[New Thread 0x41691950 (LWP 1760)]
(rhythmbox:1757): Rhythmbox-WARNING **: Unable to grab media player keys: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
[New Thread 0x41e92950 (LWP 1761)]
It will continue... and other files too.
modules/forum/index.php
lines [31-49]
if (@$_POST['post']=='thread')
{
if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])
{
// Add the thread to the specified section
$ins = "INSERT INTO `".PREFIX."threads` VALUES ('', '".addslashes($_POST['id'])."', '-1', '".addslashes($_POST['title']).
#Written By Michael Brooks
#contact: th3(dot)r00k(at)gmail(dot)com
#SMF 1.1.3 Extremely fast Blind SQL Injection Exploit!
# -Binary Search
# -Multi-Threaded
# -NO benchmark()'s
#
#Two SQL Injection flaws.
#Works with magic_quotes_gpc=On or Off.
#Total Bypass of SMF's SQL Injection filter.
Severity: Moderate
Overview:
An attacker who has the rights to start a new thread or to reply
to an existing one is able to include JavaScript code using the topic,
which is executed when other users use the quick reply button shown
for every post.
This point of injection is possible because the topic text is part
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FreeBSD <= 6.1 suffers from a classic check/use race condition on SMP
systems in the kevent() syscall, leading to a kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
the 1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add a possibly invalid file descriptor.
The bug was fixed in 6.1-STABLE, just before the release of 6.2-RELEASE, but
was not recognized as a security vulnerability.
Personal Sticky Threads is an addon for vBulletin that allows users to create personal stickies. There appears to be a small problem when toggling the personal sticky on a thread you do not have permission to access.
If I am denied permission to:
http://forums.somesite.com/showthread.php?t=7
Toggling personal stickies for the thread to on, I am able to view the thread title, author, and pages:
http://forums.somesite.com/misc.php?do=togglestick&thread=47
As an update, keep track of this thread as well.
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=26289
--------------------------------------------------
From: "Sandeep Cheema" <51l3n7@live.in>
Sent: Friday, February 20, 2009 11:01 AM
To: <bugtraq@securityfocus.com>
Subject: Re: SEPKILL /im SMC.EXE /f
?>
(gdb)run 1.php
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1217608000 (LWP 29444)]
0xb76ed3e5 in iconv_close () from /lib/tls/libc.so.6
2) iconv_mime_decode_headers()
<?php
Please note the following. I have reported this to Symantec at
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=25786&view=by_date_ascending&page=2
Symantec,
4. Exploiting it.
What is interesting in this flaw is the way of exploiting it. NDIS
calls are "context-free" by definition, so when a packet arrives or is
sent, the NDIS call can be invoked in an arbitrary thread context.
Therefore, the callback we are modifying could be invoked in any other
thread than ours. There is an intrinsic race condition in the exploit.
Let's imagine a scenario where the exploit modifies the callback to
point to the address of its shellcode at 0x401000. However, before the
> </html>
>
> If an attacker sends a link in a PM, for example, to the admin with a site
> like the example code, the admin's usertitle is updated and has the code
> of the attacker. The code executes if the admin has a post in a
> thread etc. An attacker can use this to steal the cookies of all users who
> are reading the thread.
>
>
> ##Explanation(Deutsch/German)##:
>
> (gdb) set args konqueror.html
> (gdb) r
> Starting program: /usr/bin/konqueror konqueror.html
> (no debugging symbols found)
> [...]
> [Thread debugging using libthread_db enabled]
> [New Thread -1234381104 (LWP 5982)]
> (no debugging symbols found)
> [...]
> Qt: gdb: -nograb added to command-line options.
> Use the -dograb option to enforce grabbing.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions. There is
absolutely no warranty for GDB. Type "show warranty" for details. This
GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 . "B"x4'`
(no debugging symbols found)
23/02/2010 Details sent, including screenshots.
25/02/2010 Trend Micro, asked again to retest LeakProof in certain
circumstances.
03/03/2010 Service Request #1 automatically closed due to inactivity
16/03/2010 Trend Micro assigned a Service Request Number #2
16/03/2010 Thread retaken and I explained to Trend Micro about the technical
nature of the flaw.
18/03/2010 I got no response, so I warned them about the upcoming public
disclosure.
24/03/2010 Service Request #2 automatically closed due to inactivity
Arian,
Sorry for the slow reply. I'm overseas right now and it's tough to
keep up with email.
I think this thread might be about dead, but I will respond to a few
comments:
> All good ideas, but I believe stillborn at this point. You would get
> far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
This new Immunity Debugger release provides a lot of new scripts and
important fixes. New scripts to improve your debugging experience
include: gflags, hookssl, and hookndr.
The API has been reinforced with new functionality which allows you to
gather more information from the remote process, such as Threads,
findRetValue. This release also includes some important fixes such as
correct Memory Page protection flags, which are also available via the
Python API.
Check the Changelog below for the details of this exciting release.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent via GET:
http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]
The admin/moderator is then redirected to the thread (with the
SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------
* CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny
inspect enabled")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Now about benchmarking attacks:
-------------------------------
Timing attacks are harder to realize in local environments and against specific applications because
modern CPUs are designed for multi-threading (as are applications), and current clock frequencies
make the millisecond a fairly obsolete unit of measurement. You have to think of more complicated
strategies to obtain exploitable information against a specific component. This is where
benchmarking becomes useful.
When you speak of a 'benchmark' you are not only speaking about how fast a process is running but
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
DWORD WINAPI LegoThread(LPVOID lpThreadParameter)
{
while(TRUE)
{
Sleep(0x1000);
+------------------------------------------------------------------------+
| Description | On certain implementations of libc, the scanf family of |
| | functions uses an unbounded amount of stack memory to |
| | repeatedly allocate string buffers prior to conversion |
| | to the target type. Coupled with Asterisk's allocation |
| | of thread stack sizes that are smaller than the default, |
| | an attacker may exhaust stack memory in the SIP stack |
| | network thread by presenting excessively long numeric |
| | strings in various fields. |
| | |
| | Note that while this potential vulnerability has existed |
####################################################################
WoltLab Burning Board Lite 2 Beta 1 Thread Delete CSRF Vulnerability
Vendor: woltlab.de
Version: Lite 2 Beta 1 (Released: March 6 2008)
Bug found by NBBN on March 8 2008
####################################################################
::Example
<html><head></head><body onLoad="javascript:document.attack.submit()">
Local exploitation of an access validation vulnerability in Apple Inc.'s
Mac OS X could allow an attacker to execute arbitrary code with root
privileges.
When executing a setuid-root binary, the Mach kernel does not reset the
current thread Mach port, or the current thread Mach Exception Port. By
first creating and obtaining write access to a Mach port, and then
executing a set-uid root binary, an attacker can write arbitrary data
into the address space of the process running as root. This leads to
arbitrary code execution in the privileged process.
########################################################
Woltlab Burning Board 2.3.6 PL2 Remote Delete Thread XSRF Vulnerability
by NBBN
Found: December 2007 Type: Cross-Site Request Forgery
########################################################
Code:
<html>
<head>