end
super(update_info(info,
'Name' => 'DNS BailiWicked Host Attack',
'Description' => %q{
This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single
malicious host entry into the target nameserver by sending random sub-domain
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for the domain which contain a
malicious host entry for the hostname to be poisoned in the authority and
additional records sections. Eventually, a guessed ID will match and the
spoofed packet will get accepted, and due to the additional hostname entry
AOLserver 4.5.1
Yaws 1.85
Boa 0.94.14rc21
Severity Medium
Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Vendor http://www.nginx.net/
http://varnish.projects.linpro.no/
http://www.cherokee-project.com/
http://www.ruby-lang.org/
http://www.acme.com/software/thttpd/
http://www.acme.com/software/mini_httpd/
Subversion 1.6.4
Subversion 1.5.7
(Search for "Patch" below to see the patches from 1.6.3 -> 1.6.4 and
1.5.6 -> 1.5.7. Search for "Recommendations" to get URLs for the
1.6.4 release and associated APR library patch.)
Details:
========
$message = "Username not found.";
...
if ($origmsg && $delete == "yes")
mysql_query("DELETE FROM messages WHERE id=$origmsg") or sqlerr();
-----------------------------[source code end]---------------------------------
2. Weak password generation algorithm in "account-recover.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source code snippet from script "index.php":
-----------------[ source code start ]---------------------------------
// Router
if (isset($request->get['route'])) {
$action = new Action($request->get['route']);
-----------------[ source code end ]-----------------------------------
We can see that the user-submitted parameter "route" is used as the argument
for initialization of the class "Action".
Source code snippet from vulnerable script "action.php":
Original release: 2011-02-08
Last update: 2011-02-08
Topic: KDC denial of service attacks
CVE-2011-0281: KDC vulnerable to hang when using LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Original release: 2011-10-18
Last update: 2011-10-18
Topic: KDC denial of service vulnerabilities
CVE-2011-1527: null pointer dereference in KDC LDAP back end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as endpoint. Those interfaces that allow NULL Sessions vary between Windows versions, in Vista the reliability of a preauth attack through the “\LSARPC” has been successfully demonstrated.
Affected versions
Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.
III. Solution
This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.
IV. Vendor Response
2007/12/06 Initial contact with <product-security@apple.com>
2007/12/06 Acknowledgement of received report
2007/12/12 Agreement on public release date
2007/12/17 Coordinated release of updates and advisory
It turns out I was not alone to write an exploit for this bug, and to
publish the exploit this year.
Timeline:
2005/04/04 - FreeBSD-SA-05:02.sendfile published:
http://security.freebsd.org/advisories/FreeBSD-SA-05:02.sendfile.asc
2005/04/16 - reliable FreeBSD 4.x local exploit written ...
2005/04/21 - ... and updated to work on 5.x as well (up to 5.3)
Vuln name: Ruby rb_ary_fill() DOS
Systems affected: ruby 1.8.x, 1.9.x
Systems not affected: -
Severity: Medium
Local/Remote: Local/Remote
Vendor URL: http://www.ruby-lang.org/
Author(s): Vincenzo "snagg" Iozzo - snagg@securenetwork.it
Vendor disclosure: 23rd June 2008
Vendor acknowledged: 25th June 2008
Vendor patch release: 25th June 2008
Public disclosure: 30th June 2008
Advisory URL:
[http://www.coresecurity.com/content/symantec-intel-handler-service-remote-dos]
Date published: 2010-12-13
Date of last update: 2010-12-13
Vendors contacted: Symantec
Release mode: User release
2. *Vulnerability Information*
|------------------------------------+--------------------------|
| 4.0.1 on Microsoft Windows | 4.0.1 |
+---------------------------------------------------------------+
Note: CiscoWorks LAN Management Solution versions prior to 3.2
reached end of software maintenance. Customers should contact
their Cisco support team for assistance in upgrading to a
supported version of CiscoWorks LAN Management Solution.
* Cisco Security Manager
To verify if NAT is enabled on a Cisco IOS device, log into the
device and issue the command "show ip nat statistics". The following
example shows a device configured with NAT:
Router# show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
:)
Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom). However, in the end, it sounded
like:
a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mix setups, unless I deploy a "better" firewall solution, I
seem to be SOL.
On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?
VMware ESX 2.5.5 without update patch 8
VMware ESX 2.5.4 without update patch 19
NOTES: Hosted products VMware Workstation 5.x, VMware Player 1.x,
and VMware ACE 1.x will reach end of general support
2008-11-09. Customers should plan to upgrade to the latest
version of their respective products.
ESX 3.0.1 is in Extended Support and its end of extended
support (Security and Bug fixes) is 2008-07-31. Users should plan
Title: Multiple vulnerabilities in iCal
Advisory ID: CORE-2008-0126
Advisory URL: http://www.coresecurity.com/?action=item&id=2219
Date published: 2008-05-21
Date of last update: 2008-05-21
Vendors contacted: Apple Inc.
Release mode: Coordinated release
*Vulnerability Information*
variable "username" would not be set, and therefore would not be
overwritten by the php interpreter.
Recommended actions
Change the variable name "username" first referenced in line 22 of
"modules/passreset.inc.php" to something else.
Change the variable name "username" first referenced in line 24 of
"modules/signup.inc.php" to something else.
Advisory URL:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1924
Date published: 2009-09-25
Date of last update: 2007-09-25
Vendors contacted: AOL LLC.
Release mode: Forced Release
*Vulnerability Information*
app you guys just deface the site or throw up drive-by attacks. So I figured, persistent XSS on the
front page is equally as valuable, especially with yet another IE 0-day in the wild. The chain is within
the application itself. Process sand-boxing like chroot/AppArmor/SELinux/Application-V(MS)
doesn't come into play. It works regardless of the operating system or configurations (Suhosin,
safemode, magic_quotes_gpc and register_globals don't come into play). I focused on the
application's internal configurations that could break the exploitation process. In this case seo friendly
urls and requiring an account before posting.
"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."
Usually when I see that an application claims to be secure, they really don't know what the fuck they
are doing. OpenClassifieds' Security model is deeply flawed and as a result there are MANY
[
Opt::RPORT(80),
OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
], self.class)
end
def run
begin
print_status("Attempting to reset password to #{datastore['PASSWORD']} on #{rhost}\n")
res = send_request_cgi(
the Cisco Clientless VPN solution. A remote, unauthenticated attacker
who could convince a user to connect to a malicious web page could
exploit this issue to execute arbitrary code on the affected machine
with the privileges of the web browser.
The affected ActiveX control is distributed to endpoint systems by
Cisco ASA. However, the impact of successful exploitation of this
vulnerability is to the endpoint system only and does not compromise
Cisco ASA devices.
Cisco has released free software updates that address this
VMware ESX 2.5.5 without Upgrade Patch 15.
Notes:
Effective May 2010, VMware's patch and update release program during
Extended Support will be continued with the condition that all
subsequent patch and update releases will be based on the latest
baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for