MITKRB5-SA-2010-006
MIT krb5 Security Advisory 2010-006
Original release: 2010-10-05
Topic: KDC uninitialized pointer crash in authorization data handling
CVE-2010-1322
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:OF/RC:C
It is possible to obtain the username and password from the "Proxy-Authorization" header, which is not correctly removed when the authorization header is sent by WMP.
Requirements:
- IWSVA/IWSS basic authorization on
- Client is using WMP (8-11) as video player
- Standalone proxy (if upstream proxy is used, "Proxy-Authorization" header is removed by this upstream proxy)
Bug:
OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.
1. SQL Injections
2. Linked XSS
3. Unauthorized access
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Authorization bypass, Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34035
CVE Name: CVE-2009-0836, CVE-2009-0837
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory:
Cisco IOS Secure Copy Authorization Bypass Vulnerability
Advisory ID: cisco-sa-20070808-scp
http://www.cisco.com/warp/public/707/cisco-sa-20070808-scp.shtml
scp server enable command enables the Cisco IOS SCP server.
The absence of the username command does not guarantee that the
device's configuration is not affected by this vulnerability because
the name of a CLI view can be supplied by means of an Authentication,
Authorization, and Accounting (AAA) server by using the cli-view-name
attribute.
Note: The CLI view attached to a user can be supplied by a AAA
server. When inspecting a device's configuration to determine if it
is affected by this vulnerability it is better to check if the SCP
Selected table.
SQL Injection:
The attack is conducted during access to the admin panel of XAMPP, via the
above-mentioned Insufficient Authorization vulnerability or via the Insufficient
Authorization vulnerability found earlier, which I wrote about
(http://websecurity.com.ua/3220/).
At page http://site/xampp/adodb.php
Vendor Response:
No response received.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Finding 2: Directory Traversal in Camera Web Server
IronPort C-Series, X-Series, and M-Series appliances utilize code
covered by this advisory, but are not susceptible to any security
risk. IronPort C-Series, X-Series, and M-Series incorporate the
libraries under the advisory to provide anonymous read-only access to
system health data. There is no risk of escalated authorization
privileges allowing a 3rd party to make any configuration changes to
the IronPort devices. IronPort S-Series and Encryption Appliances are
not affected by this advisory. This announcement has also been posted
on the IronPort Support Portal, available to IronPort customers:
unexpectedly". In the Cisco ACS Reports and Activity tab, under ACS
Service Monitoring, the logs will indicate CSAuth is not running and
attempts to restart.
The CSRadius service handles communication between the service for
authentication and authorization (CSAuth service) and the access
device requesting the authentication and authorization services for
RADIUS.
Continued exploitation of this vulnerability will prevent Cisco
Secure ACS from processing all authentication and authorization
1. Vulnerability information
---------------------------
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
_______________________________________________________________________
Problem Description:
An input validation flaw was found in the X.org server's XFree86-Misc
extension that could allow a malicious authorized client to cause
a denial of service (crash), or potentially execute arbitrary code
with root privileges on the X.org server (CVE-2007-5760).
A flaw was found in the X.org server's XC-SECURITY extension that
could allow a local user to verify the existence of an arbitrary file,
Aaron Plattner discovered a buffer overflow in the Composite extension
of the X.org X server, which if exploited could lead to local privilege
escalation (CVE-2007-4730).
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.
Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects only this vendor.
A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ marks.
The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to obtain them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. Once the attacker has obtained the proper privileges, further actions are transparent to the user.
The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ marks. This security flaw allows browsing folders located anywhere in the file system, downloading files from any folder, and uploading files to any folder.
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
Control Plane Policing (CoPP) can be used to block untrusted UDP
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to help protect the management and control
planes and minimize the risk and effectiveness of direct
infrastructure attacks by explicitly permitting only authorized
traffic that is sent to infrastructure devices in accordance with
existing security policies and configurations. The CoPP example below
should be included as part of the deployed CoPP, which will help
protect all devices with IP addresses in the infrastructure IP
address range.
this object to fool a plugin into granting access to data on another
site or the local file system. The behavior of older Firefox versions
has been restored (CVE-2010-0170).
Mozilla developer Justin Dolske reported that the new asynchronous
Authorization Prompt (HTTP username and password) was not always
attached to the correct window. Although we have not demonstrated
this, it may be possible for a malicious page to convince a user
to open a new tab or popup to a trusted service and then have the
HTTP authorization prompt from the malicious page appear to be the
login prompt for the trusted page. This potential attack is greatly
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: net-snmp: Authorization bypass
Date: January 13, 2010
Bugs: #250429
ID: 201001-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"netOffice Dwins is a free web based time tracking, timesheet, and
project management environment."
- Details
It is possible for an attacker to bypass authorization, upload arbitrary
PHP files, and then execute them on the server.
netOffice extracts all GET, POST, SESSION, SERVER, and COOKIE parameters
into the local variable space. This has the same effect as turning
on register globals. The code below is from includes/library.php.
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
taking advantage of the session management behavior in the application.
2. Authorization Bypass
-----------------------
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content.
features TCP traffic access to the device. Cisco IOS software
releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
CoPP feature. CoPP can be configured on a device to protect the
management and control planes and minimize the risk and effectiveness
of direct infrastructure attacks by explicitly permitting only
authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations. The
CoPP example below should be included as part of the deployed CoPP
that will protect all devices with IP addresses in the infrastructure
IP address range.
+++ b/src/kdc/do_tgs_req.c
@@ -543,6 +543,7 @@ tgt_again:
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
+ enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
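Review bot: the struct copy above (`enc_tkt_reply = *(header_ticket->enc_part2);`) carries the header ticket's authorization_data pointer into enc_tkt_reply, so the added `enc_tkt_reply.authorization_data = NULL;` is correctly placed immediately after the copy and before the flags are adjusted; a one-line comment stating that the reply must not alias the header ticket's authorization data would make the intent clear to future readers, and the second copy site in the `@@ -554,6 +555,7 @@` hunk (which also adds one line) should be checked to carry the identical assignment so both paths hand the caller a cleared pointer.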
@@ -554,6 +555,7 @@ tgt_again:
to the caller */
Application: WS_FTP Server Manager
http://www.wsftp.com
Versions: WS_FTP Server <= 6.1.0.0
Platforms: Windows
Bugs: A] authorization bypassing in log visualization
B] ASP source visualization
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
Application: Now SMS/MMS Gateway
http://www.nowsms.com
Versions: <= v2007.06.27
Platforms: Windows
Bugs: A] web authorization buffer-overflow
B] SMPP buffer-overflow
Exploitation: remote
Date: 19 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
[STANKOINFORMZASCHITA-10-02] ITS SCADA – Authorization bypass
Authors: Eugene Salov (eugene@itdefence.ru), Andrej Komarov (komarov@itdefence.ru)
Product: ITS SCADA
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes
Product description:
ITS SCADA is a Supervisory Control And Data Acquisition (SCADA) system that can interface with various heterogeneous industrial automation equipment of the Motorola MOSCAD family. Additionally, it can be installed with elements of the Wonderware product environment (Industrial SQL Server, MODBUS I/O Server).
Summary:
Kyocera Mita multifunction devices come with the ability to scan to
the user's desktop. Part of the solution requires a listener at the
PC/Mac, which handles authorization and document upload. This listener
has several logic bugs and, as a result, the authorization can be
bypassed, files can be uploaded, auditing can be spoofed, and the
storage location can be altered from the configured value.
Details:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01539423
Version: 1
HPSBOV02364 SSRT080078 rev.1 - HP OpenVMS SMGRTL Run Time Library, Local Authorized User, Gain Privileged Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-09-10
Last Updated: 2008-09-10