domain name
------------------------------------------------------------------------
getPlus insufficient domain name validation vulnerability
------------------------------------------------------------------------
Yorick Koster, April 2009
------------------------------------------------------------------------
See also
------------------------------------------------------------------------
APSB10-08 [2] Security update available for Adobe Download Manager
CVE-2010-0189 [3]
char namestring[1024+1];
and value for MAXDNAME we can find here:
"/usr/include/arpa/nameser.h"
#define NS_MAXDNAME 1025 /* maximum domain name */
So... in fact the vulnerable function will try to copy, via sprintf, a
string into a buffer which has a length of 256 bytes. The max domain length
is 1025, but all the tests in the program 'mtr' which I don't paste (if you want,
just look at the source code) don't allow a domain which is longer than 256 bytes.
Risk : Very high
What u can do with this bug is:
u can have access to all the server with reseller privilege (Th3 r00t)
how does it work?
when u want to create an account in the shell, what will happen?
./script/wwwact [domainname] [username] [password] [Email address] lab lab lab
u can run it with a web-based program! (cpanel: domain:2086)
example:
http://domain:2086/scripts/wwwacct [domainname] [username] [password] [Email address] lab lab lab
it means you got access to wwwacct in the scripts folder (Th3 r00t)
so u can run other commands with root access like that
This update upgrades the service console rpms for bind-utils and
bind-lib to version 9.2.4-22.el3.
Version 9.2.4.-22.el3 addresses the recently discovered
vulnerability in the BIND software used for Domain Name
resolution (DNS). VMware doesn't install all the BIND packages
on ESX Server and is not vulnerable by default to the reported
vulnerability. Of the BIND packages, VMware only ships bind-util
and bind-lib in the service console and these components by
themselves cannot be used to set up a DNS server. Bind-lib and
implementation of the Oracle Java platform.
CVE-2011-3377
The IcedTea browser plugin included in the openjdk-6 package
does not properly enforce the Same Origin Policy on web content
served under a domain name which has a common suffix with the
required domain name.
CVE-2011-3563
The Java Sound component did not properly check for array
boundaries. A malicious input or an untrusted Java application
--On Wednesday, November 21, 2007 21:45:35 +1100 XSS Worm XSS Security
Information Portal <cross-site-scripting-security@xssworm.com> wrote:
>
> In the case of Yahoo, security firm Finjan said hackers exploited an
> unused IP address within Yahoo's hierarchy and used that as the domain
> address behind a forged Google Analytics domain name. This fooled the
> Finjan Web-filtering product into believing a person was going to a
> highly trusted Yahoo domain. The victims, customers of Finjan, never knew
> they were on a malicious Web site, and neither did the security
> mechanisms on the network. (In this case, Finjan's Web-filtering
> product.)
    else
        return TRUE;
}

// Returns TRUE when the name resolves: gethostbyname() echoes the
// input name back unchanged when resolution fails, so a differing
// result means an address was obtained.
function is_alive($domain_name)
{
    if(gethostbyname($domain_name) != $domain_name)
        return TRUE;
    else
        return FALSE;
}
It was discovered that libnet-dns-perl generates very weak transaction
IDs when sending queries (CVE-2007-3377). This update switches
transaction ID generation to the Perl random generator, making
prediction attacks more difficult.
Compression loops in domain names resulted in an infinite loop in the
domain name expander written in Perl (CVE-2007-3409). The Debian
package uses an expander written in C by default, but this vulnerability
has been addressed nevertheless.
Decoding malformed A records could lead to a crash (via an uncaught
Problem Description:
A vulnerability has been found and corrected in fetchmail:
socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
(NUL) character in a domain name in the subject's Common Name (CN)
and subjectAlt(ernative)Name fields of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2666).
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost, or 127.0.0.1 even if they are not localhost.
Due to domain naming restrictions the 127.0.0.1 prefix cannot be used in
exploitation, as http://127.0.0.1.seekersec.com is not a valid domain
name - subdomain names cannot be digits only. However, redirects to
http://localhost.seekersec.com or http://localhostie.seekersec.com are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability:
localhostaaa, localhost.seekersec.com, etc.
An attacker can generate an attack by creating a site containing
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404).
A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625.
KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
of a Select object, a related issue to CVE-2009-1692. (CVE-2009-2537)
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
'\0' (NUL) character in a domain name in the Subject Alternative Name
field of an X.509 certificate, which allows man-in-the-middle attackers
to spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2702).
}
//////////////////////////////////////////////////////////////////////////////
It is clear that stripos_clone checks whether the HTTP_REFERER value
matches the target domain or not.
An attacker can easily bypass it by creating the victim domain name under his
web root folder, like:
http://attacker.in/victim.com/
From there, he could effectively perform CSRF attacks against php-Nuke users.
Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404).
This update provides the latest versions of NSS and NSPR libraries
which are not vulnerable to those attacks.
_______________________________________________________________________
serverAddress
sessionId
clientIPLower
clientIPHigher
userName
domainName
dnsSuffix
=== Proof of Concept 2 ===
10.10.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not properly
set up the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
Debian bug : 541439
CVE Ids : CVE-2009-2409 CVE-2009-2730
Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of
the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority. (CVE-2009-2730)
FROM" command.
2) An insufficient length check when copying data with a predefined
log message into a buffer using strcpy_s() may result in an unhandled
invalid parameter error. This can be exploited to crash the SMTP
service (MESMTPC.exe) via an overly long domain name in the "RCPT TO"
command.
======================================================================
5) Solution
Problem Description:
A vulnerability has been found and corrected in curl:
lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
used, does not properly handle a '\0' character in a domain name in
the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2417).
Problem Description:
Multiple vulnerabilities were discovered and corrected in kdelibs4:
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
'\0' (NUL) character in a domain name in the Subject Alternative
Name field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2702).
Problem Description:
A vulnerability has been found and corrected in kdelibs4:
kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not
properly verify that the server hostname matches the domain name of
the subject of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a certificate issued by
a legitimate Certification Authority for an IP address, a different
vulnerability than CVE-2009-2702 (CVE-2011-1094).
problems:
CVE-2009-2408
Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name in the subject's
Common Name (CN) field of an X.509 certificate (MFSA 2009-42).
CVE-2009-2404
Moxie Marlinspike reported a heap overflow vulnerability in the code
Problem Description:
A vulnerability has been found and corrected in qt4:
src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x
does not properly handle a '\0' character in a domain name in the
Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2700).
Problem Description:
A vulnerability has been found and corrected in fetchmail:
socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field
of an X.509 certificate, which allows man-in-the-middle attackers
to spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2666).
Problem Description:
A vulnerability was discovered and corrected in openldap:
libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does
not properly handle a '\0' (NUL) character in a domain name in
the subject's Common Name (CN) field of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-3767).
: #####################################################################################
: # Site : Http://IRCRASH.COM #
: ###################################### TNX GOD ######################################
Yet, you can find the time to type in your domain/name at least 4 times in
this post.
Someone recently pointed out that 'vulnerability disclosures' like this
may actually be a form of covert broadcast designed to manipulate search
engines.
> | Note that all domains that contain hosts should have a "localhost" A
> | record in them.
> That RFC was obsoleted by RFC 1912 in 1996, so there's no RFC
> conformance issue if you omit the domain names. But it explains why
> there are so many zones that contain them.
I've always assumed that the reasoning for this is as "localhost"
looks like an unqualified domain name, the search path in resolv.conf/...
will be applied. To avoid having to walk the entire search path
Problem Description:
A vulnerability has been found and corrected in mutt:
Mutt does not verify that the smtps server hostname matches the
domain name of the subject of an X.509 certificate, which allows
man-in-the-middle attackers to spoof an SSL SMTP server via an
arbitrary certificate, a different vulnerability than CVE-2009-3766
(CVE-2011-1429).
The updated packages have been patched to correct this issue.
10.04 LTS updates.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not properly
set up the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx
-----
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is
configured to use WPAD. It starts the search by adding the hostname "WPAD" to
the current fully-qualified domain name. For instance, a client in
a.b.Microsoft.com would search for a WPAD server at wpad.a.b.microsoft.com. If
it could not locate one, it would remove the bottom-most domain and try again;
for instance, it would try wpad.b.microsoft.com next. IE 5 would stop searching
when it found a WPAD server or reached the third-level domain,
wpad.microsoft.com.