caching
2) Vulnerability Description
Microsoft DNS server generates predictable DNS transaction IDs. If the
server is configured to allow recursive queries, it is possible to insert
fake records into the DNS cache (DNS cache poisoning) by guessing the next
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs, an attacker needs to
control a DNS server that is authoritative for some domain and to be
able to send recursive queries to the caching Microsoft DNS server.
1 Background
=============
Android applications are executed in a sandbox environment to ensure that no
application can access sensitive information held by another without adequate
privileges. For example, Opera Mobile holds sensitive information such as
cookies, cache and history, and this cannot be accessed by third-party apps. An
Android app may request specific privileges during its installation; if granted
by the user, the app's capabilities are extended.
One mechanism Android uses to implement the sandbox is running each
application as a separate process, and as a Linux user which is private to
Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache
Poisoning Attacks
Advisory ID: cisco-sa-20080708-dns
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
3. *Vulnerability Description*
DNS spoofing and cache poisoning attacks have been known security
threats that result from design weaknesses of the DNS protocol since the
early 1990s as described by Christopher Schuba [1] and Paul Vixie [2].
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
After 6 months - fix available for Microsoft DNS cache poisoning
attack
In April this year I discovered a new vulnerability that enables a
DNS cache poisoning attack against the Windows DNS server. Today
(November 13th, 2007), six and a half months after being informed,
Microsoft released a fix for this vulnerability. As the fix is
now publicly available, I can finally share my research findings
with you.
The Microsoft Windows DNS stub resolver (the component in Windows
that queries the upstream DNS server for address resolutions on
behalf of most Windows programs, e.g. browsers) sends predictable
DNS queries with respect to DNS transaction ID and source UDP
port. This allows some interesting attacks on DNS clients (i.e.
desktops), including DNS cache poisoning of the client's local
DNS cache (which is maintained by the stub resolver).
Affected products: Windows Vista, Windows XP SP2, Windows 2003
and Windows 2000 SP4.
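Both passages above (the caching server that hands out predictable transaction IDs, and the stub resolver that also reuses a predictable source UDP port) describe the same race: a reply is accepted if its ID and destination port match an outstanding query, so whoever can predict those wins. The simulation below is an added example and is not code from either advisory or from Microsoft. The packet builders follow RFC 1035 wire format; the Resolver class, poison() and search_space(), and every hostname and address in it are assumed stand-ins for illustration.

```python
import random
import struct

# Added example, not from any advisory on this page. Toy resolver whose
# outstanding queries are matched on (transaction ID, UDP port), plus an
# attacker who follows the steps above: learn an ID through a query to a
# zone they control, then spoof the reply to the resolver's *next* query.

def encode_name(name):
    """Encode "www.example.com" as DNS labels (RFC 1035 3.1)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, off):
    """Decode labels at off, following one compression pointer; returns (name, next offset)."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return decode_name(pkt, ptr)[0], off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)    # A, IN

def build_answer(txid, name, ip, ttl=3600):
    """A response (legitimate or forged) carrying one A record for name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # owner = ptr to qname
    return header + question + answer

def parse_answer(pkt):
    """Return (txid, qname, ip) from a response built by build_answer."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, off = decode_name(pkt, 12)
    off += 4                                 # qtype, qclass
    _, off = decode_name(pkt, off)           # answer owner name
    rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
    rdata = pkt[off + 10:off + 10 + rdlen]
    return txid, qname, ".".join(str(b) for b in rdata)

class Resolver:
    """Caching resolver; sequential_ids / fixed_port model the weaknesses above."""
    def __init__(self, sequential_ids, fixed_port=None, seed=1):
        self.rng = random.Random(seed)       # seeded so runs are repeatable
        self.sequential_ids = sequential_ids
        self.fixed_port = fixed_port
        self.next_id = 0x1234
        self.pending = {}                    # (txid, src_port) -> qname
        self.cache = {}                      # qname -> ip

    def send_query(self, name):
        """Emit an upstream query; returns the (txid, port) that went on the wire."""
        if self.sequential_ids:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        else:
            txid = self.rng.getrandbits(16)
        port = self.fixed_port or self.rng.randint(1024, 65535)
        self.pending[(txid, port)] = name
        return txid, port

    def receive(self, pkt, dst_port):
        """Accept a reply only if ID, port and question match an outstanding query."""
        txid, qname, ip = parse_answer(pkt)
        if self.pending.get((txid, dst_port)) != qname:
            return False
        del self.pending[(txid, dst_port)]
        self.cache[qname] = ip
        return True

ATTACKER_RNG = random.Random(7)              # attacker's blind guesses, seeded for repeatability

def poison(resolver, victim, fake_ip, guesses=1):
    """The attack from the advisory: observe one ID via the attacker's own zone,
    then spoof replies to the next query using the guessed next ID and the same port."""
    seen_id, seen_port = resolver.send_query("probe.attacker.example")
    # The attacker's authoritative server answers the probe; it has now seen ID and port.
    resolver.receive(build_answer(seen_id, "probe.attacker.example", "203.0.113.1"), seen_port)
    resolver.send_query(victim)              # triggered by the attacker's recursive query
    for k in range(guesses):
        guess = (seen_id + 1 + k) & 0xFFFF if resolver.sequential_ids else ATTACKER_RNG.getrandbits(16)
        if resolver.receive(build_answer(guess, victim, fake_ip), seen_port):
            return True
    return False

def search_space(sequential_ids, fixed_port):
    """Number of (ID, port) pairs a blind attacker must cover per query."""
    return (1 if sequential_ids else 2 ** 16) * (1 if fixed_port else 65535 - 1024 + 1)
```

With sequential IDs and a fixed port one spoofed packet lands, because the next ID is simply the observed one plus one; with 16-bit random IDs the attacker has to cover 65536 IDs per outstanding query, and once the source port is randomised as well the space is roughly 2^32, which is what turns the blind race into a practical impossibility per query. The check in receive() also compares the question name, which is the minimum a resolver needs before accepting a reply at all.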
BIND 8 EOL and BIND 8 DNS Cache Poisoning
Note: this is a different attack from BIND 9 DNS cache poisoning.
I discovered a new weakness in the BIND 8 DNS server which enables "DNS
Forgery Pharming". An attacker can remotely poison the cache of any
BIND 8 caching DNS server and force users who use this DNS server to
reach fraudulent websites each time they try to access real websites.
BIND 8 is still a very popular DNS server nowadays, so this attack
applies to a large share of Internet users.
PHP APC is an opcode cache for PHP, or, as the developers say: "APC is a
free, open, and robust framework for caching and optimizing PHP
intermediate code."
http://pecl.php.net/package/APC
While at least some of its developers do not consider this an issue
Newly emerging techniques of DNS cache poisoning have caused quite a
stir recently, prompting security researchers to speculate on the nature
of the issue, and naturally inducing press stunts by some individuals,
including "accidental" information leaks and hasty exploit releases.
Many other, more relaxed researchers, who had figured out the attack and
had coded working exploits within a few hours (which, by the way, was
incredibly easy to do, knowing that an undocumented attack actually
existed), decided to coordinate with Dan Kaminsky, who had organized a
huge multi-vendor security patch, and withhold information for the
proposed 30 days.
>
> ===============/========================================================
> Exploit ID: CAU-EX-2008-0002
> Release Date: 2008.07.23
> Title: bailiwicked_host.rb
> Description: Kaminsky DNS Cache Poisoning Flaw Exploit
> Tested: BIND 9.4.1-9.4.2
> Attributes: Remote, Poison, Resolver, Metasploit
> Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
> Author/Email: I)ruid <druid (@) caughq.org>
> H D Moore <hdm (@) metasploit.com>
=============================================================================
FreeBSD-SA-10:01.bind Security Advisory
The FreeBSD Project
Topic: BIND named(8) cache poisoning with DNSSEC validation
Category: contrib
Module: bind
Announced: 2010-01-06
Credits: Michael Sinatra
Vendor Contact Date: 4/20/2010
Status: Vendor does not want to fix the vulnerability.
Vulnerability Details:
RSA Key Manager Client software uses an SQLite database to cache its encryption keys. The software fails to properly validate the metadata embedded inside the RSA Key Manager encrypted data when it performs a key lookup while the encrypted data is being decrypted. An attacker can inject SQL commands into the metadata section of the RSA Key Manager encrypted data, which will be executed by the Key Manager Client software. For example, an attacker can inject SQL statements to modify existing encryption keys, remove existing encryption keys, add new encryption keys, etc.
The Key Manager client uses two types of cache: memory cache and file cache. As long as either or both of the caches are enabled, the problem can be triggered easily.
RSA Key Manager Client 1.5.x uses the following format when it encrypts data:
Field 1 = KeyIdString
Field 2 = NULL Terminator
Field 3 = Encryption IV
Field 4 = Encrypted Data
Encryption Key Cache tables:
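The lookup described above takes the KeyIdString out of attacker-supplied ciphertext and uses it in a query against the SQLite key cache. The following is an added example, not the RSA Key Manager client's code: the key_cache schema is an assumption (the advisory's table listing is not reproduced on this page), the blob layout follows the four fields listed above, and the vulnerable and fixed lookups are illustrative stand-ins that show why the metadata must be bound as a parameter rather than concatenated.

```python
import sqlite3

# Added example, not RSA's code. Schema and function names are assumed;
# the blob layout (KeyId, NUL, IV, ciphertext) follows the advisory text.

SCHEMA = "CREATE TABLE key_cache (key_id TEXT PRIMARY KEY, key_material BLOB)"
IV_LEN = 16

def open_cache():
    """In-memory stand-in for the client's file/memory key cache with one cached key."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO key_cache VALUES (?, ?)", ("KEY-0001", b"\x11" * 16))
    return db

def make_blob(key_id, iv, ciphertext):
    """Field 1 = KeyIdString, Field 2 = NUL, Field 3 = IV, Field 4 = encrypted data."""
    return key_id.encode("utf-8") + b"\x00" + iv + ciphertext

def split_blob(blob):
    """Parse the blob back into (key_id, iv, ciphertext); the KeyId ends at the first NUL."""
    key_id, _, rest = blob.partition(b"\x00")
    return key_id.decode("utf-8"), rest[:IV_LEN], rest[IV_LEN:]

def lookup_key_vulnerable(db, blob):
    """KeyId metadata is concatenated straight into SQL, so the ciphertext author
    controls the statement that fetches the decryption key."""
    key_id, _, _ = split_blob(blob)
    sql = "SELECT key_material FROM key_cache WHERE key_id = '" + key_id + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def lookup_key_fixed(db, blob):
    """Parameterised lookup: the KeyId can only ever be compared as a value."""
    key_id, _, _ = split_blob(blob)
    row = db.execute("SELECT key_material FROM key_cache WHERE key_id = ?", (key_id,)).fetchone()
    return row[0] if row else None

# Crafted ciphertext: the KeyId closes the quoted string and UNIONs in key
# material the attacker chose, so decryption proceeds with a key they know.
ATTACKER_KEY = b"\x41" * 16
INJECTED_ID = "x' UNION SELECT X'" + ATTACKER_KEY.hex() + "' WHERE '1'='1"
```

The injected KeyId keeps the statement syntactically a single SELECT, which is enough to make the vulnerable lookup hand back attacker-chosen key material; the same blob makes the parameterised lookup miss the cache entirely, which is the behaviour a decryptor should have for an unknown key. An attacker who can run arbitrary statements (as the advisory describes) can of course also UPDATE or DELETE cached keys, so the fix is to bind the metadata, not to filter it.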
ZDI-11-287 : Internet Explorer Select Element Cache Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-287
October 15, 2011
-- CVE ID:
CVE-2011-1996
{
struct resolve *rp;
if ((rp = findip(ip))) {
...
/* the IP is already in the local resolver cache that mtr maintains */
...
}
rp = allocresolve();
rp->state = STATE_PTRREQ1;
rp->expiretime = sweeptime + ResRetryDelay1;
>To: Thor (Hammer of God)
>Cc: George Carlson; bugtraq@securityfocus.com; full-
>disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>I hope I'm not just feeding the troll...
No, you are perpetuating inaccurate vulnerability claims.
vulnerabilities in Django, a Python web framework:
CVE-2011-4136
When using memory-based sessions and caching, Django sessions are
stored directly in the root namespace of the cache. When user data is
stored in the same cache, a remote user may take over a session.
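The CVE-2011-4136 description comes down to one flat key space shared between the session backend and the application. The following is an added example and not Django's code: a minimal cache, a session store that writes under the bare session key, and the same store with a key prefix, plus an application feature that lets a user choose a cache key. Class and function names, the note-saving feature and the payload field name are assumed for illustration.

```python
import json
import secrets

# Added example, not Django's code. Shows how session data written into the
# root namespace of a shared cache can be forged by any user who can choose
# a cache key, and how a key prefix separates the two namespaces.

class Cache:
    """Stand-in for a shared memory cache: one flat namespace of string keys."""
    def __init__(self):
        self.data = {}

    def set(self, key, value):
        self.data[key] = value

    def get(self, key, default=None):
        return self.data.get(key, default)

class RootNamespaceSessionStore:
    """Vulnerable layout: the session key is used as the cache key unchanged."""
    PREFIX = ""

    def __init__(self, cache):
        self.cache = cache

    def create(self, payload):
        key = secrets.token_hex(16)
        self.cache.set(self.PREFIX + key, json.dumps(payload))
        return key

    def load(self, key):
        raw = self.cache.get(self.PREFIX + key)
        return json.loads(raw) if raw is not None else None

class PrefixedSessionStore(RootNamespaceSessionStore):
    """Fixed layout: session entries live under their own prefix."""
    PREFIX = "django.contrib.sessions.cache"

def save_user_note(cache, title, text):
    """Assumed application feature: cache a user-chosen title -> text.
    Both values are attacker-controlled, which is what makes the collision possible."""
    cache.set(title, text)

def forge_session(cache, store_cls, title=None):
    """Attacker: plant session-shaped data under a key they pick, then present
    that key as their session cookie and see whether the store trusts it."""
    chosen_key = "0" * 32
    save_user_note(cache, title or chosen_key, json.dumps({"_auth_user_id": 1}))
    return store_cls(cache).load(chosen_key)
```

With the root-namespace store the planted note is loaded as a session for user 1; the prefixed store does not find anything under its own key space, so the forged cookie is simply an anonymous session. The caveat is visible in the last assertion of the test: a prefix only helps while application code never lets a user pick the complete cache key, so application-side keys still need their own namespace (or validation) as well.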
CVE-2011-4137, CVE-2011-4138
Django's field type URLfield by default checks supplied URL's by
to overflow buffer on heap via integer overflow vulnerability.
Description:
Mod_proxy implements a proxy/cache for Apache. It implements proxying capability for FTP, CONNECT (for SSL),
HTTP/0.9, HTTP/1.0, and (as of Apache 1.3.23) HTTP/1.1. The module can be configured to connect to other
proxy modules for these and other protocols.
Details:
The following exploit is a semi-stored XSS attack and has been tested
with the following setup:
- Apache 2.x with IP based virtual hosting
- Wordpress 2.6.3 installed in /blog/
- WP Super Cache 0.84
- Firefox 3.0.4
WP Super Cache is a popular WordPress plugin that adds static file
caching to WordPress. It greatly increases performance and is
Hello Bugtraq!
The vulnerability "wordpress plugins WP Super Cache v0.8.3 Remote File Inclusion
Vulnerability" is non-working, because the mentioned RFI doesn't exist.
Cru3l.b0y, please always check all vulnerabilities which you find. As I
already said to the author of the fake vulnerability in WordPress Plugin Related
Sites 2.1 (http://websecurity.com.ua/3281/), there is no need to litter the security
space on the Internet with non-working vulnerabilities.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: pdnsd: Denial of Service and cache poisoning
Date: January 11, 2009
Bugs: #231285
ID: 200901-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* Verify that each certificate's signature is valid.
* Verify that the current date and time fall within
each certificate's validity period.
* Verify that each certificate is not corrupt or malformed.
3. Each certificate in the certificate chain is checked for
revocation status. The local cache is checked to see if a time valid
version of the issuing CA's base CRL is available in the cache. If the
base CRL is not available in the local cache, or the version in the
local cache has expired, the base CRL is downloaded from the URLs
available in the CDP extension of the evaluated certificate. If
available, it is confirmed that the certificate's serial number is not
/**
* includes Snoopy class for remote file access
*/
require(XOOPS_ROOT_PATH."/class/snoopy.class.php");
..
function getData($forcecache=false)
{
if(_PHPSYNDICATION_CONNECTED && $forcecache != true && (!file_exists($this->cacheDir.$this->cacheFile) || (filemtime($this->cacheDir.$this->cacheFile) + $this->cacheTimeout - time()) < 0))
{
$snoopy = new Snoopy;
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Microsoft Office Excel PivotTable Cache Data Record Buffer Overflow
1. *Advisory Information*
So far I agree with Thor. Did I miss something? Has anyone demonstrated
using the locally cached credentials to access resources across the network?
So far I haven't seen anything new or interesting in this thread:
1. StenoPlasma claims that a local admin can access and reuse the cached
credentials of other users.
2. Stefan, Thor, et al yawn.
3. Joyce, Andrea, and perhaps others seem to be conflating local access
(what StenoPlasma was talking about) with gaining domain admin privileges on
domain controllers and other resources on separate machines (which nobody
currently looking for when it comes to advanced persistent threats.
On Dec 13, 2010 11:54 AM, "Kurt Dillard" <kurtdillard@msn.com> wrote:
* Chris (Matasano Security) reported that Opera may crash if it is
redirected by a malicious page to a specially crafted address
(CVE-2008-4694).
* Nate McFeters reported that Opera runs Java applets in the context
of the local machine, if that applet has been cached and a page can
predict the cache path for that applet and load it from the cache
(CVE-2008-4695).
* Roberto Suggi Liverani (Security-Assessment.com) reported that
Opera's History Search results do not escape certain constructs
http://www.debian.org/security/ Florian Weimer
July 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : bind
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01506861
Version: 6
HPSBUX02351 SSRT080058 rev.6 - HP-UX Running BIND, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-16
Last Updated: 2010-12-15
authentication sequence the user session is redirected via an HTTP meta
refresh header in an HTML response. The browser subsequently uses this
within the next GET request (and the Referer header field of the next
HTTP request), placing the session ID in history files and in both client
and server logs. The use of the session ID within the HTML content is
made worse by the application not setting the HTTP cache control headers
appropriately, which can lead to the HTML content being stored within
the local browser cache.
This is a particular problem where the web portal is
accessed from a shared or public access terminal, such as an Internet