Next Page >>
client side
October 30th, 2007. The date remains flexible on the basis of receiving
concrete and specific details about availability of fixes by Wednesday,
October 24th. An up to date copy of the security advisory provided for
comments and suggested workarounds.
2007-10-23: Email from Lotus Notes Security indicating that a ticket had
been opened with Autonomy and that since this is a client-side issue the
fix would be provided in one of the future maintenance releases of the
Lotus Notes client. Ongoing work with Autonomy needs to continue before
being able to confirm when the fix will be rolled into the product.
2007-10-23: Email from Core’s advisory team with follow up questions to
Lotus Notes Security: 1. Is it official policy to include fixes to
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
I included any exploit that took any end-user's interaction into the 86%
number. I included the list of exploits and what I considered a
client-side attack (versus truly remote) in the article:
http://weblog.infoworld.com/securityadviser/archives/WindowsExploitAnaly
sis.xls
It's not perfect, and may even contain a few mistakes. However, I don't
think any of the mistakes would change the overall numbers much. The
exploit chart (I listed two years of vulnerabilities, not three as I
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
[+] Select Month
[+] New Access Record - ID
[+] Department ID & Description
1.2
A client-side cross site vulnerability is detected on iGuards - Biometric Access Control Application.
The bug allows an remote attacker to attack (high user inter action) a customer on client-side. Successful exploitation can result in
phishing passwords or manipulation of content when processing client-side requests.
Vulnerable Module(s): (Non-Persistent)
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
vulnerabilities in the ActiveX objects themselves or use their
functionality to, for example, read arbitrary files from the victim's
file system or even execute arbitrary shell commands in the victim's
workstation.
- - Directly attack vulnerable versions of Internet Explorer in user
workstations. This is a typical client-side attack scenario and could
lead to the remote execution of arbitrary code in the victim's
workstation. In this scenario "one-click" IE bugs (exploitation requires
user assistance) become "zero-click" bugs (exploitation does not require
user interaction).
Advisory: IceWarp WebMail Server: Client-Side Specification of "Forgot
Password" eMail Content
During a penetration test, RedTeam Pentesting discovered that the emails
sent by the IceWarp WebMail Server when using the "Forgot Password"
function are generated on the client side. Furthermore, the server
expands certain keywords in these emails to users' full names, usernames
and passwords. This allows for advanced social engineering attacks and
the potential disclosure of usernames and passwords.
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
Client-side products
---------------------
These will not be patched, trends reason is that
malware will be detected up on extraction. While this is true for end-user
setups this is not the case if you use such products to scan Fileservers,
Database servers or any server where an enduser does not actively extract
vulnerabilities in the ActiveX objects themselves or use their
functionality to, for example, read arbitrary files from the victim's
file system or even execute arbitrary shell commands in the victim's
workstation.
- - Directly attack vulnerable versions of Internet Explorer in user
workstations. This is a typical client-side attack scenario and could
lead to the remote execution of arbitrary code in the victim's
workstation. In this scenario "one-click" IE bugs (exploitation requires
user assistance) become "zero-click" bugs (exploitation does not require
user interaction).
Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web
Interface
The ZyXEL ZyWALL USG appliances perform parts of the authorization for
their management web interface on the client side using JavaScript. By
setting the JavaScript variable "isAdmin" to "true", a user with limited
access gets full access to the web interface.
Details
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
Darwin/10.0.0d3 ). Update to iOS4 to improve your security.
More information here:
CVE-2010-1752 in http://support.apple.com/kb/HT4225
o Security-Advisory: TEHTRI-SA-2010-028 - 0day on BlackBerry
TEHTRI-Security found a security issue, and created a client-side attack
0day for BlackBerry cellphone devices (Hotspot Browser). The code was
shared with RIM who handled this vulnerability quickly, so that a fix
might be added in a future release. It allows an attacker to crash the
remote web application. This was scored with a CVSS of 5.
The reasons being:
1. It generates lot of noise on the network and is slow. So most probably an IDS or Web App Firewall will pick up the malicious behavior and block your ip. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
2. Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values. E.g. 30.
I am going to change this belief by showing you a technique to quicky find csrf tokens without generating alerts. This technique is a client side attack, so there is almost no network traffic generated and hence, your server and IDS/Web App Firewalls won’t notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.
In this exploit, we discover the csrf token by brute forcing the various set of urls in browser history. We will try to embed different csrf token values as part of url and check if the user has visited that url. If yes, there is a good chance that the user is either using the same CSRF token in the current active session or might have used that token in a previous session. Once we have a list of all such tokens, we can just try our csrf attack on the server using that small list. Currently this attack is feasible for tokens with length of 5 characters or shorter. I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes.
Some of the prerequisites for this attack to work are either
Do not perform administrative access of security management consoles from computers exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor systems used to perform administrative tasks such as accessing security management consoles.
Details
When a user loads the login page of the Network Security Manager, the server sets a cookie within the browser before authentication occurs. This cookie is accessible from client-side JavaScript because the “HttpOnly” flag is not set. An attacker with access to this cookie may gain privileged access to the Network Security Manager without the need to authenticate.
SecureWorks Risk Scoring
Likelihood: 2 – Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 – Control over security appliances managed by the management console.
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 4.0.0.1
fixed version:
CVE number: CVE-2011-1969
impact: critical
homepage:
Class: Improper Input Validation (CWE-20)
Remote: No
Discovered by: Patroklos Argyroudis
We have discovered two improper input validation vulnerabilities in the
FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE,
7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to
escalate their privileges, or to crash the system by performing a denial
of service attack.
Details
Symantec multiple products - Generic PDF bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Client-side Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 31061
CVE Name: CVE-2008-3950
F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU
starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
##### Vulnerability #####
When adding a new course to the schedule, the application relies on
Client Side controls for input. This can easily be bypassed by using an
intercepting proxy or CSRF attack.
##### Affected Variables #####
>
>
> ##### Vulnerability #####
>
> When adding a new course to the schedule, the application relies on
> Client Side controls for input. This can easily be bypassed by
> using an intercepting proxy or CSRF attack.
>
>
> ##### Affected Variables #####
>
The Reflective DLL Injection technique pioneered by Stephen Fewer of
Harmony Security has been integrated into the framework. The new payloads
use the "reflectivedllinjection" stager prefix and share the same binaries
as the older DLL injection method.
Client-side browser exploits now benefit from a set of new javascript
obfuscation techniques developed by Egypt. This improvement leads to a
greater degree of anti-virus bypass for client-side exploits.
Metasploit contains dozens of exploit modules for web browsers and
third-party plugins. The new browser_autopwn module ties many of these
Notice that if you already updated your iPhone with iOS4, our exploits
for this particular vulnerability would not work anymore.
( search for "CVE-2010-1752" here: http://support.apple.com/kb/ht4225 )
But, thanks to our proof of concepts (client-side attacks), it was not
only possible to abuse the iPhone devices, but also any current Mac OS X
( Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through
v10.6.4, Mac OS X Server v10.6 through v10.6.4 ).
Hopefully, this week, Apple released many interesting security patches
Affected versions. 2.1.1 ((v2.1 Patch06)(9.1_02 Patch12))
(build b31g-fcs) verified and possibly
others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation,
loss of confidentiality, client-side
code execution
Attack Vector. Remote without authentication
Solution Status. Vendor patch
CVE reference. CVE-2011-2260
Oracle Bug ID. 7030596
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of
the browser_autopwn module by James Lee. A number of existing
client-side exploits have been updated to use better fingerprinting and
evasion techniques. All TCP-based exploits can now be launched through
SOCKS4, SOCKS5, and HTTP proxies.
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
Next Page>>
|
