brute force

Vulnerabilities in WordPress

(http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded).
09.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Brute Force and Insufficient Authorization vulnerabilities.

Earlier, in 2008, I already wrote about a Brute Force vulnerability in WordPress
(http://websecurity.com.ua/2007/), which had been found by Kad already in 2007
(http://securityvulns.ru/Pdocument580.html). And as I found on 02.03.2010, in
WordPress 2.9.2 this vulnerability still wasn't fixed. And also I found new

ASUS Eee PC rooted out of the box

Exploit targets:

   Id  Name
   --  ----
   0   Linux vsyscall
   1   Linux Heap Brute Force (Debian/Ubuntu)
   2   Linux Heap Brute Force (Gentoo)
   3   Linux Heap Brute Force (Mandriva)
   4   Linux Heap Brute Force (RHEL/CentOS)
   5   Linux Heap Brute Force (SUSE)
   6   Linux Heap Brute Force (Slackware)

Vulnerabilities in TAK cms

about them in Internet.
19.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Insufficient Anti-automation and Brute Force vulnerabilities.

Insufficient Anti-automation:

http://site/about/contacts/
http://site/register/getpassword/

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

"If called without the optional min, max arguments rand() returns a pseudo-random
integer between 0 and getrandmax().
Note: On some platforms (such as Windows), getrandmax() is only 32767."

So it appears that on the Windows platform there are only about 32768 possible
filenames, and therefore a simple brute force can reveal the valid path to an uploaded file.


###############################################################################
4. Inadequate Encryption Strength
###############################################################################

Vulnerabilities in AltConstructor

Hello Bugtraq!

I want to warn you about Cross-Site Scripting and Brute Force
vulnerabilities in AltConstructor. It's a Ukrainian commercial CMS.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of CMS AltConstructor, before version released

[DSECRG-08-017] Flyspray 0.9.9.4 Multiple Security Vulnerabilities

Application:                    Flyspray (web-based bug tracking system)
Versions Affected:              0.9.9.4
Vendor URL:                     http://www.flyspray.org
Bugs:                           SiXSS, Stored XSS, Brute Force
Exploits:                       YES
Reported:                       08.02.2008
Vendor response:                08.02.2008
Solution:                       24.02.2008 
Date of Public Advisory:        03.03.2008

Nooms 1.1

----------------------------------------------------------------

Script : Nooms 1.1

Type : Multiple Vulnerabilities (Cross Site Scripting/Redirect/Mysql Brute Force Local Access)

Risk : Medium

----------------------------------------------------------------


Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

You are not wrong. However, in this case, the point is to capture the "WPA
handshake" (not the WPA key) in order to brute-force the WPA key. This attack
allows an attacker to capture your "WPA handshake" even though the
legitimate access point is not there. The attacker could create a fake
access point to steal the "WPA handshake" (from a client) when you attend
conferences. This attack would not work with iPhone, iPad or other PCs
with Windows OS because they would discard the fake probe response in the
first place.


n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

Description:

= Theory =

Most hash functions used in hash table implementations can be broken
faster than by using brute-force techniques (which is feasible for hash
functions with 32 bit output, but very expensive for 64 bit functions)
by using one of two “tricks”: equivalent substrings or a
meet-in-the-middle attack.

== Equivalent substrings ==

Multiple vulnerabilities in SonicWall

Introduction:
=============

The SonicWall NSA 4500 web admin interface generates session IDs that are stored in the "SessId" cookie variable. The IDs are guessable via brute force, which leads to admin session hijacking.


Report-Timeline:
================


SQL Injection in Cisco CallManager

target server, it may be possible to escalate database privileges or
run arbitrary system commands.

For example, icesurfer's excellent sqlninja tool (>= 0.1.3) can be used
to determine various information about the server hosting the
CallManager install, launch a brute-force attack against the database
"sa" account password, and run arbitrary commands on the server if the
"sa" attack succeeds.

http://sqlninja.sourceforge.net/


Hacking CSRF Tokens using CSS History Hack

I was thinking about the problem of Cross Site Request Forgery and the current mitigation strategies used in the industry. In many of the real world applications I have tested so far, I see the use of random tokens appended as part of the URL. If the request fails to provide any token, or provides a token with an incorrect value, then the request is rejected. This prevents CSRF or any cross-domain unauthorized function execution.

Until now, it was considered infeasible for an attacker to discover your CSRF token using brute-force attacks on the server.

The reasons being:

   1. It generates a lot of noise on the network and is slow, so most probably an IDS or web application firewall will pick up the malicious behavior and block your IP. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
   2. Many applications are programmed to invalidate your session after they detect more than a certain number of requests with invalid token values, e.g. 30.

I am going to change this belief by showing you a technique to quickly find CSRF tokens without generating alerts. This technique is a client-side attack, so there is almost no network traffic generated and hence your server and IDS/web application firewalls won't notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.

HTTPBruteForcer released

Hi there,

Due to the high number of requests, I have decided to release a fully
usable version of HTTPBruteForcer, the free and easy-to-use brute-forcer
for web-based login forms on Windows.
HTTP BruteForcer is a tool designed for webmasters, programmers and
website administrators, or pentesters, to perform a password strength
check against a simple web login form.

The old demo version was limited to a built-in wordlist.

Re: HTTPBruteForcer released

Mon amie,
why would someone choose your HttpBruteForcer and not fscan[1] by
Andrea Tarasco?
fscan comes with source code, multi-thread support, customizable
user forms and proxy support, and you can compile it on Linux too.
The only problem is the command-line execution, but if you are not a
script kiddie or Sunday lamer you can use it without difficulties.
So, why would someone choose your software if he can use software
with public source available?


PHP-Nuke Module Advertising Blind SQL Injection

#!/usr/bin/perl
use strict;
use warnings;

# The original snippet is only the tail of a subroutine; the name
# print_banner and the @array declaration are assumed here so it runs.
# @array holds the character table indexed by $_[2] in the original script.
our @array;

sub print_banner {
 print "PHP-Nuke Module Advertising Blind SQL Injection\n";
 print "by 0x90\n";
 print "Visit: WwW.0x90.CoM.Ar\n\n";
 print "Victima : " . $_[0] . "\n";                       # target host
 print "Tiempo Default : " . $_[1] . " secondi\n";        # default delay, seconds
 print "Hash Bruteforce : " . chr($array[$_[2]]) . "\n"; # character being tried
 print "Bruteforce n Caracter Hash : " . $_[5] . "\n";   # position in the hash
 print "Tiempo sql : " . $_[4] . " secondi\n";           # SQL response time, seconds
 print "Hash : " . $_[3] . "\n";                          # hash recovered so far
}


TWSL2012-002: Multiple Vulnerabilities in WordPress

WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server the database resides
on, and a valid MySQL username and password.

Malicious users can omit the "dbname" parameter during this process, allowing
them to continually bruteforce MySQL instance usernames and passwords. This
includes any local or remote MySQL instances which are accessible to the
target web server. This can also be used as a method to proxy MySQL bruteforce
attacks against other MySQL instances outside of the target organization.

Proof of Concept:

[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

  %2527 OR 1=%2522%2527%2522 UNION ...
  OR 1=%2522%2527%2522 #

  Now we're apt to get each value stored in the database.
  We can try to get a valid session_id, we can also 
  bruteforce the hash (combined with the salt) in order
  to get a password. We don't need specific PHP 
  configuration, and we can do that with guest rights.




[R7-0035] VxWorks Authentication Library Weak Password Hashing

This flaw occurs due to an insecure password hashing implementation in
the authentication library (loginLib) of the VxWorks operating system.
Regardless of what password is set for a particular account, there are
only a small number (~210k) of possible hash outputs. Typical passwords
consisting of alphanumeric characters and symbols fall within an even
smaller range of hash outputs (~8k), making this trivial to brute force
over the network. To exacerbate matters, loginLib has no support for
account lockouts and the FTP daemon does not disconnect clients that
consistently fail to authenticate. This reduces the brute force time for
the FTP service to approximately 30 minutes.


OWASP Zed Attack Proxy version 1.1.0

Version 1.1.0 of ZAP has now been released.

This release adds the following main features:

OWASP rebranding
Brute Force scanner c/o the OWASP DirBuster project
Port scanner
Active Scan tab
Enhancements to the Spider tab
Smartcard support c/o Andiparos
A new 'Attack' menu

Security advisory for Bugzilla 4.2.1, 4.0.6 and 3.6.9

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* When abusing the X-FORWARDED-FOR header, an attacker could bypass
  the lockout policy allowing a possible brute-force discovery of a
  valid user password.

* An attacker can get access to some bug information using
  the victim's credentials using a specially crafted HTML page.


RSA EnVision Remote Password Disclosure

The RSA EnVision platform provides a web console which enables administration of the solution and  analysis of security events.

A vulnerability exists in this web application, allowing a remote anonymous attacker to retrieve the hash of the password used for authentication.

Using a dictionary or a brute-force attack against this hash, a remote attacker can gain administration privileges on the EnVision web console.

This vulnerability is due to a lack of access control on the user profile functionality.

Steps to reproduce:


Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200

Eg.: result is 716, so you know that the password is AT LEAST 5 letters and AT MAX 8
letters.

Using this weakness an attacker will easily discriminate strong and weak passwords, and he
may also save a lot of time in password brute-force attempts.


Benchmarking attacks and security:
----------------------------------


CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability

 Application: Zeacom Chat Application <= 5.0 SP4
    Severity: 
    
        Weak session management exists within the Zeacom web-chat application,
        enabling brute-forcing of the session ID, which can enable the hijacking of another's chat session.
        The Zeacom application handles new sessions through a 10 character string (JSESSIONID), 
        resulting in an effective 9 bit entropy level for session management. The end result of an 
        attack would enable an attacker to hijack a session where private information is revealed 
        within a chat session or a denial of service within the application server resulting in 
        a complete crash of the application server. (Tomcat)

Multiple Flaws in Huawei D100

Communication to the web interface can be sniffed by the attacker.

#2 System doesn't force administrator to change default password upon first login
Many administrators leave it unchanged.

#3 Brute-force attack on admin account
Login attempts are not limited at all.

#4 Login and password stored in cookie
Administrator's login and password are stored in a cookie in plain text.


[Tool] sqlmap 0.9 released

    improvement, --keep-alive switch (Miroslav).
  * Implemented several optimization switches to speed up the exploitation
    of SQL injections (Bernardo and Miroslav).
  * Support to parse and test forms on target url, --forms switch
    (Bernardo and Miroslav).
  * Added switches to brute-force table names and column names with a
    dictionary attack, --common-tables and --common-columns. Useful for
    instance when system table 'information_schema' is not available on
    MySQL (Miroslav).

Complete list of changes at

NGS00014 Technical Advisory: Cisco IPSec VPN Implementation Group Name Enumeration

Published: 22 March 2011

===========
Description
===========
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s).  With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.

=================
Technical Details
=================
This output shows an aggressive query against the device specifying an invalid group:

TWSL2011-002:Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)

Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session.  The epoch time of the
beginning of the session is stored as a cookie labeled "userid".  This
provides a predictable range of session IDs that can be brute-forced.

The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.