USB connector

[security bulletin] HPSBMA02323 SSRT080032 rev.1 - HP USB Floppy Drive Key (Option) for ProLiant Servers, Local Virus Infection

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01404119
Version: 1

HPSBMA02323 SSRT080032 rev.1 - HP USB Floppy Drive Key (Option) for ProLiant Servers, Local Virus Infection

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-04-03
Last Updated: 2008-04-03

Re: White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x

Dear Seth Fogie,

 In the same way you can plug in a USB Ethernet network adapter with a
 notebook attached. No ActiveSync required at all. This is a question
 of physical security.

--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to bugtraq@securityfocus.com:

SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x


White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x

     http://www.whitewolfsecurity.com
     August 21, 2008

Risk Level:

     Medium - Full TCP/IP access via RNDIS protocol over USB from
Windows Mobile device.

Summary:

     With the introduction of ActiveSync 4.x, Microsoft significantly

Re: Sony: The Return Of The Rootkit

There are many other options outside of the sony key without the rootkit 
problem. One of the best devices that I have read about is from stealth. 
While I have yet to personally evaluate this product as I understand it 
there is no software outside of the standard USB driver needed to recognize 
and use a standard usb key outside of the initial device programming or a 
lockout state.

http://www.gcn.com/print/26_14/44484-1.html



SYMSA-2007-010: Microsoft ActiveSync 4.x Weak Password Obfuscation

powered PC and Windows Mobile powered device, enabling the transfer
of Outlook information, Office documents, pictures, music, videos and
applications from your desktop to your device.

A vulnerability has been discovered in the mechanism that Microsoft
uses to obfuscate the password when it's sent over the USB network
interface between the device and the host machine. This enables malicious
software on the host to either impersonate a device in order to obtain
the current password or, if in a position to sniff network traffic, obtain
the password for trivial decoding.


ToorCon X Lineup & Training Seminars Posted & Pre-Registration Ending

San Diego, CA 92101
http://www.hotelsolamar.com

CRASH COURSE IN PENETRATION TESTING
Instructors: Joseph McCray & Chris Gates
Includes: 250GB 2.5" USB Harddrive preloaded with lab VMWare images

This course will cover some of the newer aspects of pen-testing, covering: Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (both remote and client-side) and Post-Exploitation, relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach, keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.


[SECURITY] [DSA 1627-2] New opensc package fix incomplete check

With this bug anyone can change a user PIN without having the PIN or PUK
or the superusers PIN or PUK. However it can not be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not
affected.


Re: Sony: The Return Of The Rootkit

I'll have to protest here - I never hit at the original article. As you
can read in the blog entry (this is also why I posted the link) I think
that they have done everything alright.

> says "This USB
> stick with rootkit-like behavior" and openly acknowledges that the
> purpose of hiding files by the device is probably to try and prevent
> tampering with the fingerprint authentication.

Which is why I agree with them.

[ MDVSA-2008:105 ] - Updated kernel packages fix vulnerabilities

 2.6.23 allows remote attackers to cause a denial of service (crash)
 via a crafted SKB length value in a runt IEEE 802.11 frame when
 the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two
 error. (CVE-2007-4997)
 
 The disconnect method in the Philips USB Webcam (pwc) driver in Linux
 kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
 which allows user-assisted local attackers to cause a denial of service
 (USB subsystem hang and CPU consumption in khubd) by not closing the
 device after the disconnect is invoked. NOTE: this rarely crosses
 privilege boundaries, unless the attacker can convince the victim to

Re: Sony: The Return Of The Rootkit

>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.

[SECURITY] [DSA 1627-1] New opensc packages fix smart card vulnerability

With this bug anyone can change a user PIN without having the PIN or PUK
or the superusers PIN or PUK. However it can not be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not
affected.


[ MDVSA-2008:183 ] opensc

 having the PIN or PUK, or the superuser's PIN or PUK (CVE-2008-2235).
 
 Please note that this issue can not be used to discover the PIN on
 a card.  If the PIN on a card is the same that was always there,
 it is unlikely that this vulnerability has been exploited.  As well,
 this issue only affects smart cards and USB crypto tokens based on
 Siemens CardOS M4, and then only those devices that were initialized
 by OpenSC.  Users of other smart cards or USB crypto tokens, or cards
 that were not initialized by OpenSC, are not affected.
 
 After applying the update, executing 'pkcs15-tool -T' will indicate

Top 5-ish Threats to Watch for in 2009

may or may not have worked for somebody else and now they too can be
yours without ever having to know why! Interestingly, while certain
"facts" about security have long been known, there are nearly no
sizable, formal studies which measure the best practices people are
encouraged or even mandated to apply. And if there is beauty in truth
then marvel at these gorgeous Best Practices:

    "Update your anti-virus every 8 hours"
    "Use a firewall in front of your network"
    "Lick the USB connector before inserting it"


Re: Sony: The Return Of The Rootkit

I can't see anything in your article that adds anything to your email, 
why did you want him to read it?


Also, the article by f-secure that you're having a go at, says "This USB 
stick with rootkit-like behavior" and openly acknowledges that the 
purpose of hiding files by the device is probably to try and prevent 
tampering with the fingerprint authentication. Their main point is that:



[ MDVSA-2008:008 ] - Updated kernel packages fix multiple vulnerabilities and bugs

 2.6.23 allows remote attackers to cause a denial of service (crash)
 via a crafted SKB length value in a runt IEEE 802.11 frame when
 the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two
 error. (CVE-2007-4997)
 
 The disconnect method in the Philips USB Webcam (pwc) driver in Linux
 kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
 which allows user-assisted local attackers to cause a denial of service
 (USB subsystem hang and CPU consumption in khubd) by not closing the
 device after the disconnect is invoked.  NOTE: this rarely crosses
 privilege boundaries, unless the attacker can convince the victim to

[ GLSA 200906-05 ] Wireshark: Multiple vulnerabilities

Description
===========

Multiple vulnerabilities have been discovered in Wireshark:

* David Maciejak discovered a vulnerability in packet-usb.c in the
  USB dissector via a malformed USB Request Block (URB)
  (CVE-2008-4680).

* Florent Drouin and David Maciejak reported an unspecified
  vulnerability in the Bluetooth RFCOMM dissector (CVE-2008-4681).

[Suspected Spam][USN-947-2] Linux kernel regression

 handle certain high-traffic conditions.  A remote attacker could exploit
 this by sending specially crafted traffic to a guest OS, causing the
 guest to crash, leading to a denial of service. (Only affected Ubuntu
 8.04 LTS.) (CVE-2010-0741)
 
 Marcus Meissner discovered that the USB subsystem did not correctly handle
 certain error conditions.  A local attacker with access to a USB device
 could exploit this to read recently used kernel memory, leading to a
 loss of privacy and potentially root privilege escalation. (CVE-2010-1083)
 
 Neil Brown discovered that the Bluetooth subsystem did not correctly

Trend Micro Data Loss Prevention 5.2 Data Leakage

Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP

Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and
  imaging devices, print screen, modems, PCMCIA


3.- DISCLOSURE TIMELINE

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

    available. See above for remediation details.

 c. Windows-based VMware Workstation and Player host privilege
    escalation

    A vulnerability in the USB service allows for a privilege
    escalation. A local attacker on the host of a Windows-based
    Operating System where VMware Workstation or VMware Player
    is installed could plant a malicious executable on the host and
    elevate their privileges.


[SECURITY] [DSA 1504-1] New Linux kernel 2.6.8 packages fix several issues

CVE-2007-5093

    Alex Smith discovered an issue with the pwc driver for certain webcam
    devices. If the device is removed while a userspace application has it
    open, the driver will wait for userspace to close the device, resulting
    in a blocked USB subsystem. This issue is of low security impact as
    it requires the attacker to either have physical access to the system
    or to convince a user with local access to remove the device on their
    behalf.
    
CVE-2007-6063

RFIDIOt release - version 0.1q

   add Q5 emulation detection in lfxtype.py

I'm also very pleased to unveil what I believe is an industry first: a 
two-in-one LF and HF reader. The LAHF (Low And High Frequency) unit 
provides both Low Frequency (125/134.2kHz) and High Frequency (13.56MHz) 
in a single USB interfaced box. More details here:

   http://www.rfidiot.org/

Latest software can be found here:


[ GLSA 200812-09 ] OpenSC: Insufficient protection of smart card PIN

Description
===========

Chaskiel M Grundman reported that OpenSC uses weak permissions (ADMIN
file control information of 00) for the 5015 directory on smart cards
and USB crypto tokens running Siemens CardOS M4.

Impact
======

A physically proximate attacker can exploit this vulnerability to

[SECURITY] [DSA 1503-2] New Linux kernel 2.4.27 packages fix several issues

CVE-2007-5093

    Alex Smith discovered an issue with the pwc driver for certain webcam
    devices. If the device is removed while a userspace application has it
    open, the driver will wait for userspace to close the device, resulting
    in a blocked USB subsystem. This issue is of low security impact as
    it requires the attacker to either have physical access to the system
    or to convince a user with local access to remove the device on their
    behalf.
    
CVE-2007-6063

[ GLSA 200712-23 ] Wireshark: Multiple vulnerabilities

NCP (CVE-2007-6111), PPP (CVE-2007-6112), DNP (CVE-2007-6113), SSL and
iSeries (OS/400) Communication traces (CVE-2007-6114), ANSI MAP
(CVE-2007-6115), Firebird/Interbase (CVE-2007-6116), HTTP
(CVE-2007-6117), MEGACO (CVE-2007-6118), DCP ETSI (CVE-2007-6119),
Bluetooth SDP (CVE-2007-6120), RPC Portmap (CVE-2007-6121), SMB
(CVE-2007-6438), IPv6 and USB (CVE-2007-6439), WiMAX (CVE-2007-6441),
RPL (CVE-2007-6450), CIP (CVE-2007-6451). The vulnerabilities were
discovered by Stefan Esser, Beyond Security, Fabiodds, Peter Leeming,
Steve and ainsley.

Impact

[SECURITY] [DSA 1381-2] New Linux 2.6.18 packages fix several vulnerabilities

CVE-2007-5093

    Alex Smith discovered an issue with the pwc driver for certain webcam
    devices. If the device is removed while a userspace application has it
    open, the driver will wait for userspace to close the device, resulting
    in a blocked USB subsystem. This issue is of low security impact as
    it requires the attacker to either have physical access to the system
    or to convince a user with local access to remove the device on their
    behalf.
    
These problems have been fixed in the stable distribution in version 

Sony: The Return Of The Rootkit

Hi All,

Apparently Sony cannot learn from their past and have introduced another
rootkit with another of their devices.  This time it is their Microvault
USB drive that has fingerprint security.

Have a read of
http://hiltont.blogspot.com/2007/08/sony-rootkit-version-2.html for my
"WHAT!?!?!? You're kidding?" on it and also
http://www.f-secure.com/weblog/archives/archive-082007.html#00001263 for

[SECURITY] [DSA 1503-1] New Linux kernel 2.4.27 packages fix several issues

CVE-2007-5093

    Alex Smith discovered an issue with the pwc driver for certain webcam
    devices. If the device is removed while a userspace application has it
    open, the driver will wait for userspace to close the device, resulting
    in a blocked USB subsystem. This issue is of low security impact as
    it requires the attacker to either have physical access to the system
    or to convince a user with local access to remove the device on their
    behalf.
    
CVE-2007-6063
