Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
HTTP Response Splitting vulnerability in Sun Delegated Administrator
1. *Advisory Information*
>change permissions / passwords for another user or another user, thus
>getting full admin rights on all systems for a long period of time. Plus whatever
>havoc might be caused by having the ability to change rights on fileshares to
>allow the new domain admin to see confidential files..
People, PLEASE at least take the time to read the OP before just adding comments. You don't get any "temporary domain admin privileges." Period. Authenticating against cached domain credentials on a local system cannot be used for ANYTHING other than logging on to the local system when a controller is not available. Period. Now, please read this part carefully: *You must be a local administrator to use utilities to overwrite the cached verifier of cached credentials.* The most you can do is to allow yourself to log on as an account that has local admin. YOU ARE ALREADY A LOCAL ADMIN AT THIS POINT.
1) You MUST be local admin to access the cached domain credentials.
2) You can't log on to any network resources as the cached user.
3) You can't log on to another workstation as the cached user.
4) You can't access any EFS or other user-based data as the cached user.
to see confidential files..
I would expect that the intent is to use another flaw for a normal
user to become a local admin, and then jump to domain admin via this.
So yes. In an enterprise environment, the "domain administrator" is "bigger".
Cheers,
On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God)
<thor@hammerofgod.com> wrote:
exploit was published in January 2009.
Attackers without a registered account or with a comment level account
can exploit cross site scripting (XSS) to steal cookies from other
users, cross site request forgery (CSRF) vulnerability to execute
administrator functions including adding a new administrator account and
can exploit a file path disclosure vulnerability.
Attackers with an administrator account, possibly gained by using the
exploits described above can exploit local file inclusion and command
execution vulnerabilities to execute arbitrary commands. Journalist and
Wow. I guess you didn't read the post either. I'm a bit surprised that a Sr. Network Engineer thinks that Group Policies "differentiate between local and Domain administrators." You're making it sound like you think Group Policy application has some "magic permissions" or something, or that a "domain administrator" is a "bigger" administrator than the local administrator.
Group Policy loads from the client via the Group Policy Client service. If I'm a local admin, I can just set my local system to not process group policy via the GPExtensions hive. Done. If I take the domain admin out of my local administrators, they can't do anything. Done.
How exactly do you think this is problematic for "shops that differentiate between desktop support and AD support"? (whatever that means).
t
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
A vulnerability was found in the way that WordPress handles some URL
requests. This results in unprivileged users viewing the content of
plugins configuration pages, and also in some plugins modifying plugin
options and injecting JavaScript code. Arbitrary native code may be run
by a malicious attacker if the blog administrator runs injected
JavaScript code that edits blog PHP code. Many WordPress-powered blogs,
hosted outside 'wordpress.com', allow any person to create unprivileged
users called subscribers. Other sensitive username information
disclosures were found in WordPress.
Document ID: ASPR #2008-03-11-2-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: BEA WebLogic Server 10.0
Impact: There is a session fixation vulnerability [1] in the BEA
WebLogic 10.0 Administration Console that allows an
attacker to assume the administrator's identity and thus
gain administrative access to the console.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security
Administration Console that allows the attacker to gain administrative
access to the server. It is possible to craft such a URL that will, when
requested from the server, return a document with arbitrarily chosen HTML
injected. An obvious use for this type of vulnerability is cross-site
scripting, which can be used, among other things, for obtaining session
cookies from WebLogic administrators. These cookies, when stolen, provide
the attacker with administrative access to the WebLogic Administration
Console, compromising the security of the entire web server.
This vulnerability is exploitable even if the Administration Console is
only being accessed via HTTPS, and even if the Administrative Port is
> TITLE:
> Flaw in Microsoft Domain Account Caching Allows Local Workstation
> Admins to Temporarily Escalate Privileges and Login as Cached Domain
> Admin Accounts
There is NO privilege escalation. A local administrator is an administrator
is an administrator...
> SUMMARY AND IMPACT:
> All versions of Microsoft Windows operating systems allow real-time
> modifications to the Active Directory cached accounts listing stored
Your objections are mostly true in a normal sense. However, it is not
true when Group Policy is taken into account. Group Policies
differentiate between local and Domain administrators and so this
vulnerability is problematic for shops that differentiate between
desktop support and AD support.
George Carlson
Sr. Network Engineer
(804) 423-7430
http://[host]/admin/information_form.php?title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of this vulnerability requires that "register_globals" is enabled.
1.5 Input passed via the "search" GET parameter to /admin/xsell.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in the context of the affected website.
The following PoC demonstrates the vulnerability:
http://[host]/admin/xsell.php?search=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
displaying unsanitized user input received from an invalid
login attempt.
This can be exploited without valid credentials or social
engineering. Access to the device's administration IP address is
needed, and an administrator has to view the event log at some point,
however.
A successful attack requires that an administrator visit the event
log page, thus enabling the attacker to control the chassis
and blade configuration by running the injected content which
Default credentials
+------------------
Default credentials are assigned for several predefined user accounts
on the device including the administrative user account. Any user
with network access to the device can log in as an administrator and
take complete control over the vulnerable device.
* CSCtb83495 (registered customers only) has been assigned the CVE
identifier CVE-2010-0595.
While we are at it... quite a few Thin Clients based on Windows XPe
deploy with Administrator / Administrator and User / User as default
user / pass combinations. By default User is part of the
Administrator group. For an added bonus there is a VNC password of Wyse
or viewonly with the default VNC service.
-KF
On May 14, 2009, at 10:16 AM, Susan Bradley wrote:
Weak session management:
------------------------
CMC-TC PU II uses the Unix time of the login moment as the session identifier,
which provides insufficient randomization.
If the administrator's login time is known and the session is still valid, the
identifier can be brute-forced with relatively little effort. A proof-of-concept
tool is provided, but any web application security tool (such as
Burp Intruder) can be used for this.
Successful exploitation requires that the administrator's login time is
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (user.php) - Security Code Bypass & Add Administrator Exploit
# Time : Feb 28 2008 08:00PM
# Software : AuraCMS
# Version : 2.0
# 2.1
# 2.2.1
cookie);</script>
* Cross-Site-Request-Forgery (XSRF) (CVE-2010-3891)
The forms in the administrator interface are not protected against XSRF. The
attacker can do any action in the context of the victim.
An example attack scenario could be:
The attacker creates a malicious website with a prepared form to add a new
user, which will be submitted on load.
Summary
=======
Tandberg C Series Endpoints and E/EX Personal Video units that are
running software versions prior to TC4.0.0 ship with a root
administrator account that is enabled by default with no password. An
attacker could use this account in order to modify the application
configuration or operating system settings.
Resolving this default password issue does not require a software
upgrade and can be changed or disabled by a configuration command for
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.
Severity
========
Mild. It requires an administrator to be logged in and to be tricked into visiting a specially
crafted webpage.
Summary
=======
Log into bytehoard as a non-privileged user.
Perform any desired actions, then log out.
Click on the "Lost Details" link.
Input the desired username you want to have access to ("admin" to get
administrator access) and submit the data.
The system will either return an error message or a "mail sent" message.
Ignore the last message and go directly to the index.php page (easily
obtained by erasing the "?page=passreset" part)
You should have access to the desired account.
had only infected about 150,000 systems--a very small percentage of Windows
machines.
2. This issue is not about a user on the host compromising a virtual guest.
It is about a *non-privileged* user on the host being logged in to guest
machines as an administrator, and a worm--running in the context of that
non-privileged user on the host--being able to access the admin-level
context of the guest machines without knowing those administrator
credentials. Also remember that since I am talking about a non-privileged
user on the host, there will be limits on what this user could do to
accomplish some of the other attacks mentioned.
To all,
The reason I wrote this article was not to explain how to create a hidden
user account. I wrote the article to show you that you can modify the SAM
in real time in a way that is undetectable by ANYONE. This modification
allows you to masquerade any user account as the built-in Administrator.
Christian,
"Continued Access" to a system means that someone has compromised a system
and they have continued access. This implies that the administrators don't
Hi!