class

Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference.

[1] - NULL pointer dereference:

-------------- xpdf-poc-null-pointer-dereference.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary 
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font 

Cisco Security Advisory: Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine

Crafted SSH Packet Vulnerability
+-------------------------------

SSH management traffic that can be received by the ACE is controlled
through the use of class maps, policy maps, and service policies.

This Management Traffic Service example denies unauthorized SSH
packets that are sent to an affected device. In the following
example, 192.168.100.1 is considered a trusted source that requires
SSH access to the affected device. Care should be taken to allow all

CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

2. *Vulnerability Information*

Class: Stack-based buffer overflow [CWE-119], Off-by-one error [CWE-193]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-1929, CVE-2010-1930
Bugtraq ID: 40480, 40485

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

in the configuration:

 ssl-server <context> http-header client-cert

Similarly, on the Cisco ACE, these issues may manifest themselves when
using a policy map with a class-default class, as shown below:

 policy-map type loadbalance first-match SLB-VIP-REDIRECT
   class class-default
     serverfarm TEST-FARM
     action DO-SOMETHING-WITH-HEADERS

Outlook PR_ATTACH_METHOD file execution vulnerability

------------------------------------------------------------------------
ATTACH_BY_REF_RESOLVE
------------------------------------------------------------------------

A message or attachment can have a Message Class property that loosely
defines the type of a message, contact or other personal information
manager objects. For normal e-mail messages, the message class is set to
IPM.Note. The Message Class is set by the TNEF attMessageClass
structure or by the PR_MESSAGE_CLASS MAPI property.


Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

I understand that this is a vain hope that bugtraq will start posting something useful. 

Author: Michael Brooks (Rook)
Application: OpenClassifieds 1.7.0.3
Download: http://open-classifieds.com/download/
Exploit chain: captcha bypass -> sqli (insert) -> persistent xss on front page
If registration is required an extra link in the chain is added:
Exploit chain: blind sqli (select) -> captcha bypass -> sqli (insert) -> persistent xss on front page
Sites with SEO URLs enabled:
"powered by Open Classifieds" inurl:"publish-a-new-ad.htm"  (85,000 results)

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Piwik <= 0.4.5
     Severity: Piwik calls unserialize() on user input, which allows an
               attacker to send a carefully crafted cookie that, when
               unserialized, uses Piwik's own classes to upload arbitrary
               files or execute arbitrary PHP code
         Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
    Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

    circumstances:

    - HTTP Layer 7 Application Control and Inspection and Cisco IOS
    IPS are enabled.
    - HTTP Layer 7 Application Control and Inspection with match
    request arg regex parameter on the HTTP class map. This
    configuration is affected regardless if Cisco IOS IPS is enabled
    or not.

    The device is not vulnerable under other configurations. A
    summary of different configurations and how they are affected by this

Re: SyScan'09 Call For Paper - Shanghai, Hong Kong, Singapore, Taipei

Storage
Secure Programming/Development

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

SyScan'08 Singapore - Call for Paper

Databases
Storage

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

Cisco Security Advisory: Management Center for Cisco Security Agent Remote Code Execution Vulnerability

The following policy can be configured as a workaround to mitigate
this vulnerability. Complete the following steps to deploy this
policy for the Cisco Security Agent running on the Management Center
for Cisco Security Agent server.

Create a New Application Class
+-----------------------------

Step 1. Specify the name of the application class as 'CSA MC - all
applications but not its descendants'.


SyScan'08 Call For Paper/Training

Databases
Storage

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

CORE-2010-0517 - Microsoft Office HtmlDlgHelper class memory corruption

        Core Security Technologies - CoreLabs Advisory
                   http://corelabs.coresecurity.com

  Microsoft Office HtmlDlgHelper class memory corruption


1. *Advisory Information*

Title: Microsoft Office HtmlDlgHelper class memory corruption
Advisory Id: CORE-2010-0517

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

--- lib/webrick/httpstatus.rb   (revision 26065)
+++ lib/webrick/httpstatus.rb   (working copy)
@@ -13,5 +13,15 @@ module WEBrick
   module HTTPStatus

-    class Status      < StandardError; end
+    class Status      < StandardError
+      def initialize(message, *rest)
+        super(AccessLog.escape(message), *rest)
+      end
+      class << self
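Review bot: escaping in Status#initialize ties the sanitization to the exception message rather than to the log sink. Only log lines that are built from a Status message are covered by this hunk; any other write of request-derived data to the access or error log is left as it was, and the escaped text is also what the exception carries wherever else its message is shown. Applying AccessLog.escape at the point where the log line is written would cover every log write regardless of how the string got there, and would leave the exception message itself untouched.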

Some more details on IE STYLE zero-day

specially-crafted attack, Internet Explorer attempting to access a
freed object can lead to running attacker-supplied code."

However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug.  The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

     parameters
     match protocol msn-im 
      log
    !
    policy-map global_policy
      class inspection_default
        inspect im MY-MSN-INSPECT

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------


SyScan'10 Call For Training (CFT)

Reverse Code Engineering
Languages (Assembly, Python, Ruby etc)

PRIVILEGES
Trainers’ Privileges:
• 50% of net profit of class.
• Complimentary entry to SyScan'10 conference
• Trainers/Speakers Dinner on conference days
• After-conference party.
• A very healthy dose of alcohol and fun.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

          Inspect: sip , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SIP inspection enabled has a
configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

          Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...

.NET Framework EncoderParameter integer overflow vulnerability

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
An integer overflow vulnerability has been discovered in the
EncoderParameter class of the .NET Framework. Exploiting this
vulnerability results in an overflown integer that is used to allocate a
buffer on the heap. After the incorrect allocation, one or more
user-supplied buffers are copied in the new buffer, resulting in a
corruption of the heap.
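The allocation pattern described above, as an added example that is not code from the .NET Framework, from Xpdf (whose integer overflow earlier on this page turns into a heap overflow by the same count-times-size wrap), or from either advisory. The parameter-block layout, the function names and the crafted header values are assumptions made for the demonstration. The vulnerable computation is shown only as arithmetic (how far the per-element copy would run past the undersized buffer), while the hardened routine rejects the block before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed parameter-block layout used by this example (an assumption,
 * not the .NET EncoderParameter or Xpdf format): a 32-bit element count,
 * a 32-bit element size, then count * elem_size bytes of caller data. */
struct param_block {
    uint32_t count;
    uint32_t elem_size;
    const uint8_t *data;   /* caller-supplied element bytes */
    size_t data_len;       /* how many bytes were actually supplied */
};

/* Vulnerable pattern: the allocation size is computed in 32 bits with no
 * overflow check, so count * elem_size can wrap to a small number. */
uint32_t vuln_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;           /* wraps modulo 2^32 */
}

/* Bytes the per-element copy loop would actually write, in 64 bits. */
uint64_t bytes_required(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size;
}

/* How far past the end of the wrapped allocation the copy would run;
 * zero means the allocation was large enough. */
uint64_t overrun_bytes(uint32_t count, uint32_t elem_size)
{
    uint64_t need = bytes_required(count, elem_size);
    uint64_t got = vuln_alloc_size(count, elem_size);
    return need > got ? need - got : 0;
}

/* Hardened pattern: reject the block if count * elem_size does not fit in
 * 32 bits, or if the caller did not supply that many bytes. On success
 * *out receives a heap copy of exactly *out_len bytes (caller frees it).
 * Returns 1 on success, 0 on rejection. */
int safe_copy_params(const struct param_block *p, uint8_t **out, size_t *out_len)
{
    uint32_t total;
    if (p->elem_size != 0 && p->count > UINT32_MAX / p->elem_size)
        return 0;                       /* multiplication would wrap */
    total = p->count * p->elem_size;
    if (total > p->data_len)
        return 0;                       /* header promises more than was sent */
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return 0;
    /* Copy element by element, as the vulnerable code would, but only
     * after the size has been proven to fit the allocation. */
    for (uint32_t i = 0; i < p->count; i++)
        memcpy(buf + (size_t)i * p->elem_size,
               p->data + (size_t)i * p->elem_size, p->elem_size);
    *out = buf;
    *out_len = total;
    return 1;
}

int main(void)
{
    /* Crafted header: 0x40000001 elements of 4 bytes wraps to 4 bytes. */
    uint32_t count = 0x40000001u, elem = 4;
    printf("wrapped allocation: %u bytes, copy loop writes %llu bytes, overrun %llu\n",
           vuln_alloc_size(count, elem),
           (unsigned long long)bytes_required(count, elem),
           (unsigned long long)overrun_bytes(count, elem));

    static const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    struct param_block crafted = { count, elem, payload, sizeof payload };
    struct param_block benign  = { 2, 4, payload, sizeof payload };
    uint8_t *buf; size_t len;
    printf("crafted block accepted: %d\n", safe_copy_params(&crafted, &buf, &len));
    if (safe_copy_params(&benign, &buf, &len)) {
        printf("benign block accepted: %zu bytes copied\n", len);
        free(buf);
    }
    return 0;
}
```

The second check in safe_copy_params matters as much as the overflow test: a header whose product fits in 32 bits can still name more bytes than the request carried, which turns the copy into an over-read of whatever follows the input.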


Cisco Security Advisory: Cisco IOS Software Firewall Application Inspection Control Vulnerability

Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at 
http://www.cisco.com/warp/public/620/1.html

The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone. To determine whether
the device is running a vulnerable configuration of Cisco IOS
firewall AIC for HTTP, log in to the device and issue the CLI command
show policy-map type inspect zone-pair | section packet inspection.

Re: hashdays 2010 - Call for Papers (#days CFP)

This two-day workshop revisits the basics of GSM, SS7, and OTA before
discussing their control and trust mechanics. It will become apparent
that technology providers and attackers can invade GSM users' location
and communication privacy in multiple ways. The workshop is targeted
at GSM users concerned with the confidentiality of their information
and location. The class provides technical and organizational
protection strategies for minimizing the attack surface and mitigating
the risks of the telecommunication infrastructure.

2) Exploit Laboratory with Saumil Shah:
The workshop brings you an action-packed class teaching the art of

RE: SQL Smuggling

Hi,

First let me start by saying I'm not writing to flame anyone (or whatever you kids say these days). I know it can be daunting to release a paper to the security community because if any of it is incorrect you're gonna hear about it.

However, releasing a paper and claiming it to be a new class (or sub-class) of vulnerability, well I'm sorry, it's like wearing gold football boots, you better get it right after a statement like that.

If this paper was titled "Bypassing Broken Input Validation Filters" then there would be no problems. However, none of what exists in this document is new; in fact most of it is in the Web Application Hacker's Handbook or in much older papers. Constructing attacks of all kinds to bypass blacklist filters is a common duty of the web application tester; also take a look at all of the recent SQL injection worms.

The main thing wrong here is claiming it to be something new, or even claiming it to be a "sub-class"; it's not!


Advisory 02/2009: PHPIDS Unserialize() Vulnerability

       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: PHPIDS <= 0.6.2
     Severity: PHPIDS calls unserialize() on user input, which allows an
               attacker to send a carefully crafted cookie that, when
               unserialized, can use existing classes, leading for
               example to upload of arbitrary files or execution of
               arbitrary PHP code in Zend Framework applications
         Risk: Critical
Vendor Status: PHPIDS 0.6.3.1 was released which fixes this vulnerability
    Reference:

[GOODFELLAS-VULN] FileFind class from MFC Library cause heap overflow

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:


FileFind class from MFC Library causes heap overflow.
====================================================
Internal ID: VULWKU200706142


introduction

*CLOSING IN 5 DAYS * Re: AppSec DC 2012 - Call for Trainers

> 2nd through 5th of 2012.  The theme for this year's conference is "OWASP -
> Not just webapps anymore" to reflect the new and revised scope of OWASP to
> include all application security issues instead of focusing just on web
> application security.  There will be training courses on April 2nd and 3rd
> followed by plenary sessions on the 4th and 5th. There are a total of six
> classrooms over two days or 12 training days available at the conference.
> Three classrooms hold 30 students and the other three have a capacity of 24
> students.
>
> The following conditions apply for people or organizations that want to
> provide training at the conference:

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

if (isset($request->get['route'])) {
        $action = new Action($request->get['route']);
-----------------[ source code end ]-----------------------------------

We can see that the user-submitted parameter "route" is used as the
argument for initializing the "Action" class.

Source code snippet from vulnerable script "action.php":
-----------------[ source code start ]---------------------------------
final class Action {
        protected $file;

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.