Vulnerability discovered by DATA_SNIPER.
Bug discovered on 25/11/2008.
Affected version: all versions
Greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
Critical: Highly critical
Impact: Command Execution
------------------------------------------------------------------
This is a little PoC that can execute arbitrary commands on the victim machine.
Unexpectedly, an attacker can place a command in the project file (".rap" file) in place of the linker path or the Macro Assembler "ML.exe" path.
The project file looks like this.
"some data has been cut to make it readable"
each component of the solution is addressed independently in its own
advisory. This advisory addresses Cisco TelePresence endpoint devices
and details the following vulnerabilities:
* Unauthenticated Common Gateway Interface (CGI) Access
* CGI Command Injection
* TFTP Information Disclosure
* Malicious IP Address Injection
* XML-Remote Procedure Call (RPC) Command Injection
* Cisco Discovery Protocol Remote Code Execution
This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A
Management Station appliances that are running software versions prior
to AVS 5.1.0. Administrators can determine the software version of the
AVS appliances by logging in to the Management Station web-based user
interface or from the command-line interface (CLI) of the appliance
operating system.
Customers who use the AVS 3180 or 3180A Management Station can determine
their node software versions by navigating to the Cluster Information
Page. Each registered node will display the corresponding software
Devices running vulnerable versions of Cisco FWSM Software are
affected by this vulnerability if the following conditions are
satisfied:
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
Note: The Cisco ASA UDP inspection can be applied to non-default UDP
ports via class-map and policy-map commands. Any instance of use of
the Cisco ASA UDP inspection engines may be vulnerable to this
vulnerability, thus, configurations that include non-default UDP ports
but use the Cisco ASA UDP inspection engine are considered vulnerable.
To determine whether any of the above inspections are enabled, issue
Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC
inspection is enabled by default.
To check if SunRPC inspection is enabled, issue the "show
service-policy | include sunrpc" command and confirm that output, such
as what is displayed in the following example, is returned.
ciscoasa# show service-policy | include sunrpc
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
software is free of flaws, and b) clients verify the server's TLS
certificate, so that there can be no "man in the middle" (servers
usually don't verify client certificates).
The problem discussed in this writeup is caused by a software flaw.
The flaw allows an attacker to inject client commands into an SMTP
session during the unprotected plaintext SMTP protocol phase (more
on that below), such that the server will execute those commands
during the SMTP-over-TLS protocol phase when all communication is
supposed to be protected.
feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions
7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP
inspection is enabled by default.
To check if SIP inspection is enabled, issue the "show service-policy |
include sip" command and confirm that some output is returned. Sample
output is displayed in the following example:
ciscoasa#show service-policy | include sip
Inspect: sip , packet 0, drop 0, reset-drop 0
by this vulnerability. In order to be vulnerable both support for
IPv6 protocol and IPv4 UDP-based services must be enabled on the
device. IPv6 is not enabled by default in Cisco IOS software.
To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS." On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the Cisco IOS software release name. Other
Cisco devices will not have the show version command, or will give
Vim: Arbitrary Code Execution in Commands: K, Control-], g]
1. SUMMARY
Product : Vim -- Vi IMproved
Versions : 3.0--current, possibly older
Impact : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-K.html
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are
affected by this vulnerability.
To determine the version of the FWSM software that is running, issue
the "show module" command-line interface (CLI) command from Cisco IOS
Software or Cisco Catalyst Operating System Software to identify what
modules and sub-modules are installed in the system.
The following example shows a system with an FWSM (WS-SVC-FWM-1)
installed in slot 4.
2. Overview
``Vim is an almost compatible version of the UNIX editor Vi. Many new features
have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
-- VIM 7.1 README.txt
Parts of Vim are written in the Vim script language. A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
Application: Toribash
http://www.toribash.com
Versions: <= 2.71
Platforms: Windows, Mac and Linux
Bugs: A] dedicated server format string
B] client commands buffer-overflow
C] client unicode buffer-overflow in the SAY command
D] server crash through uninitialized values
E] line-feed dropping
F] Windows dedicated server hell bell
G] clients kicked by malformed packet
Note: Other SSL/HTTPS related features than WebVPN and SSL VPN are
not affected by this vulnerability.
To determine whether SSLVPN is enabled on a device, log in to the
device and issue the command-line interface (CLI) command "show
running-config | include webvpn". If the device returns any output
then SSLVPN is configured and the device may be vulnerable.
Vulnerable configurations vary depending on whether the device is
supporting Cisco IOS WebVPN (introduced in Release 12.3(14)T) or
Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The following
2. BACKGROUND
``Vim is an almost compatible version of the UNIX editor Vi. Many new
features have been added: multi-level undo, syntax highlighting,
command line history, on-line help, spell checking, filename
completion, block operations, etc.''
-- Vim README.txt
``When one edits a *.tar file, this plugin will handle displaying a
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
vulnerability.
Determination of Software Versions
+---------------------------------
The "show version" command-line interface (CLI) command can be used to
determine whether a vulnerable version of the Cisco PIX or Cisco ASA
software is running. The following example shows a Cisco ASA Adaptive
Security Appliance that runs software version 8.0(4):
ASA#show version
information regarding vulnerabilities affecting the PIX
and ASA can be found in the companion advisory located at
http://www.cisco.com/warp/public/707/cisco-sa-20071017-asa.shtml.
To determine if you are running a vulnerable version of FWSM software,
issue the "show module" command-line interface (CLI) command from
Cisco IOS or Cisco CatOS to identify what modules and sub-modules are
installed in the system.
The following example shows a system with a Firewall Service Module
(WS-SVC-FWM-1) installed in slot 4.
Cisco FWSM Software version 3.x and 4.x are affected by these
vulnerabilities only if SunRPC inspection is enabled. SunRPC
inspection is enabled by default.
To check if SunRPC inspection is enabled, use the "show service-policy
| include sunrpc" command and confirm that the command returns output,
as shown in the following example:
fwsm#show service-policy | include sunrpc
Inspect: sunrpc , packet 0, drop 0, reset-drop 0
administrator account that is enabled by default with no password. An
attacker could use this account in order to modify the application
configuration or operating system settings.
Resolving this default password issue does not require a software
upgrade and can be changed or disabled by a configuration command for
all affected customers. The workaround detailed in this document
demonstrates how to disable the root account or change the password.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml.
Additional information below. For current updates to Cisco PSIRT
response, please see the Intellishield response URL stated above.
---------------------------------------------------------------------
NX-OS - "less" sub-command - Command injection / sanitization issues.
---------------------------------------------------------------------
Affected Products:
==================
acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
Under certain circumstances these restrictions can be bypassed to
execute malicious Java code.
1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)
When an exception occurs while applying parameter values to properties
the value is evaluated as OGNL expression. For example this occurs when
setting a string value to a property with type integer. Since the
values are not filtered an attacker can abuse the power of the OGNL
cd $II_SYSTEM/ingres
or
cd <patch_directory>
3. Copy the downloaded maintenance update file into the current
directory and uncompress it
4. Read in the update file with the following commands:
umask 022
tar xf [update_file]
This will create the directory:
$II_SYSTEM/ingres/patchXXXXX
or
All non-fixed 4.x versions of Cisco FWSM Software are affected by this
vulnerability if SCCP inspection is enabled. SCCP inspection is enabled
by default.
To check if SCCP inspection is enabled, issue the "show service-policy
| include skinny" command and confirm that the command returns output.
Example output follows:
fwsm#show service-policy | include skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
is running an affected version of 12.2 or 12.4 Cisco IOS system
software. Then check for the process L2TP mgmt daemon running on the
device.
To determine the software version running on a Cisco product, log in
to the device and issue the show version command to display the
system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.
Versions 3.1.x, 3.2.x, 4.0.x, and 4.1.x of Cisco FWSM software are
affected by this vulnerability if SCCP inspection is enabled. SCCP
inspection is enabled by default.
To determine whether SCCP inspection is enabled, issue the "show
service-policy | include skinny" command and confirm that the command
returns output. Example output follows:
fwsm#show service-policy | include skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
Examples of affected Cyrus SASL authentication methods are CRAM-MD5,
DIGEST-MD5, EXTERNAL, GSSAPI, KERBEROS_V4, NTLM, OTP, PASSDSS-3DES-1,
and SRP.
The error was introduced with the Postfix SASL patch, and is present
in all Postfix versions where the command "postconf mail_release_date"
reports a value of 20000314 (March 14, 2000) or greater.
This problem was discovered by Thomas Jarosch of Intra2net AG.
The memory corruption is known to result in a program crash (SIGSEGV).
Multiple file-parsing vulnerabilities leading to evasion in different
antivirus (AV) products. All affected products are command-line versions
of the AVs.
----------------------------
Vulnerability Descriptions
----------------------------
1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes
evades detection.
Security Advisory
-----------------
FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command Execution
Researcher Information
----------------------
Discovered by: Giuseppe `Zmax` Fuggiano
Website: http://www.giusef.net
Contact: giuseppe(dot)fuggiano(at)gmail(dot)com