

extra

Some more details on IE STYLE zero-day

However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug.  The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance.  (This means that a
CDispNode-family class instance is not expected to snugly occupy its

Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

Summary
=======

A vulnerability in the Cisco implementation of Multicast Virtual
Private Network (MVPN) is subject to exploitation that can allow a
malicious user to create extra multicast states on the core routers
or receive multicast traffic from other Multiprotocol Label Switching
(MPLS) based Virtual Private Networks (VPN) by sending specially
crafted messages.

Cisco has released free software updates that address this

iDefense Security Advisory 12.08.09: Microsoft Internet Explorer HTML Layout Engine Uninitialized Memory Vulnerability

'CLayout::EnsureDispNode' method. This method is called to recalculate
the location of various HTML elements within the page. This function
passes a 'CDispNodeInfo' object to another function,
'CLayout::GetDispNodeInfo', which is supposed to initialize the object
passed in. However, the function fails to properly initialize a flags
value that is used later to determine how many "extra" bytes to
allocate for a heap buffer. This eventually leads to undersized buffer
being allocated to hold a 'CDispClipNode' object in the
'CLayout::EnsureDispNodeCore' function. The vulnerability manifests
itself when the 'CDispNode::SetExpandedClipRect' function attempts to
use the invalid "extra size" to calculate an offset into the object,
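The two excerpts above (the "extra size index" analysis and the iDefense description) describe the same defect: one code path sizes the heap block from a flags value that was never initialized, while the later consumer reaches back from the object using the table-driven extra size. The following C model is an added example, not IE's code: the table contents, the struct layout, the index value 3 for a clip node and the 0xAA "stale stack" pattern are all assumptions made for illustration. It only shows why the allocation-side and use-side index must agree, and how an uninitialized info structure makes them disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Invented stand-ins for CDispNode::_extraSizeTable and for the flags word
 * that sits right after the vtable pointer.  Each entry is a count of
 * machine words of extra data that precede the object in its heap block.
 * The real table's contents are not given in the advisories. */
#define EXTRA_INDEX_MASK 0xFu
static const size_t extra_size_table[16] = {
    0, 1, 2, 4, 6, 8, 12, 16, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Index a clip node uses in this model (assumption, not IE's value). */
#define CLIP_NODE_EXTRA_INDEX 3u

struct disp_node {
    void    *vtable;
    uint32_t flags;      /* bits 0-3: extra size index */
    int32_t  clip[4];
};

/* Stand-in for CDispNodeInfo, which GetDispNodeInfo is supposed to fill. */
struct disp_node_info {
    uint32_t extra_index;
};

/* Bytes of extra data that a given index stands for. */
static size_t extra_bytes_for_index(unsigned index)
{
    return extra_size_table[index & EXTRA_INDEX_MASK] * sizeof(void *);
}

/* Returns 1 if the consumer's back-pointer stays inside the block, 0 if it
 * would land before the block's first byte.  alloc_index is what the
 * allocator (stand-in for EnsureDispNodeCore) sized the block with;
 * node_index is what ends up in node->flags and what the consumer
 * (stand-in for SetExpandedClipRect) reaches back with. */
int extra_access_in_block(unsigned alloc_index, unsigned node_index)
{
    size_t reserved = extra_bytes_for_index(alloc_index);   /* bytes before node */
    struct disp_node node;
    memset(&node, 0, sizeof node);
    node.flags = node_index & EXTRA_INDEX_MASK;
    size_t reach = extra_bytes_for_index(node.flags);       /* bytes reached back */
    return reach <= reserved;
}

/* Stand-in for GetDispNodeInfo.  With fixed == 0 the extra size index is
 * never written, which is the defect the advisories describe. */
static void get_disp_node_info(struct disp_node_info *info, int fixed)
{
    if (fixed)
        info->extra_index = CLIP_NODE_EXTRA_INDEX;
}

/* Models the EnsureDispNode path.  The info struct is pre-filled with a
 * fixed byte pattern to stand in for stale stack contents (reading a truly
 * uninitialised variable would be undefined behaviour in this example).
 * Returns 1 when allocation and later use agree, 0 when the consumer would
 * touch memory before the undersized block. */
int ensure_disp_node(int fixed)
{
    struct disp_node_info info;
    memset(&info, 0xAA, sizeof info);
    get_disp_node_info(&info, fixed);
    /* the node is built for the clip-node kind, so its flags carry
       CLIP_NODE_EXTRA_INDEX regardless of what the allocator used */
    return extra_access_in_block(info.extra_index, CLIP_NODE_EXTRA_INDEX);
}

int main(void)
{
    printf("buggy path, allocation and use agree: %d\n", ensure_disp_node(0));
    printf("fixed path, allocation and use agree: %d\n", ensure_disp_node(1));
    return 0;
}
```

With the stale pattern the low four bits are 0xA, which in this invented table maps to zero extra words, so the block is allocated with no room in front of the node while the consumer reaches back 32 bytes: exactly the undersized-buffer-then-offset pattern the advisories describe. The fix in the model is the one the advisories imply, initializing the info structure before it is consulted.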

AST-2009-002: Remote Crash Vulnerability in SIP channel driver

   |      CVE Name       |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | When configured with pedantic=yes the SIP channel driver |
   |             | performs extra request URI checking on an INVITE         |
   |             | received as a result of a SIP spiral. As part of this    |
   |             | extra checking the headers from the outgoing SIP INVITE  |
   |             | sent and the received SIP INVITE are compared. The code  |
   |             | incorrectly assumes that the string for each header      |
   |             | passed in will be non-NULL in all cases. This is         |

Re: DoS vulnerability in Google Chrome

</script>
<body onLoad="DoS()">

Which made FireFox consume from 100MB of RAM to 250MB in less than 5-7 seconds. (I haven't been able to check how much more resources it might consume if I ran it longer, but it would render my Windows installation at work useless).
This will ONLY work if FireFox does NOT know which program to use.
If FireFox knows the application and thereby won't ask, then the above script would only consume 15-25% of the CPU resources, but no extra RAM.

I'm sorry if this has already been reported for FireFox, I just stumbled over it.

If someone decides to make this a DoS vulnerability then I believe some credit (to me) is in order ;-) (I'll post it on my own website anyway, giving you credit too of course.)


Re: Comments re ISC's announcement on bind9 security

> On another note, why is it that everyone arguing the all-or-nothing case
> likes to ignore the other very-usable-now mitigation of randomizing
> source ports?  I don't use BIND and I don't care to check it's current
> behavior, but has the ISC finally gotten around to randomizing the
> source ports?  If not, why not?  The extra few bits of entropy can go a
> long way, particularly if a good PRNG is used.

Yes, ISC has finally gotten around to randomizing the source ports, as of
9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
section of the BIND configuration file. It defaults to "yes".

[ MDVSA-2008:067 ] - Updated nagios packages fix multiple vulnerabilities

 to unspecified CGI scripts (CVE-2007-5624, CVE-2008-1360).
 
 The updated packages provide Nagios 3.0 and Nagios Plugins 1.4.11
 which are not vulnerable to these issues, and provide a number of
 other enhancements and bug fixes.  In addition, the packaging has been
 optimized to reduce the number of extra dependencies that would have
 to be installed; as a result you may have to install extra plugins
 independently that were once part of the full nagios-plugins package.
 _______________________________________________________________________

 References:

[ADVISORY] NetCache URL DoS - Argentinian ISP

Since the ISP has its proxy infrastructure half-migrated to BlueCoat
proxies (which don't honor the prefetch directive), this vulnerability may
appear to be randomly observable on big sites (like Google) due to the
destination IP-based load balancing. Additionally there seems to be an
extra layer of load balancing which makes some remote IP addresses be caught by
a BlueCoat proxy even though the same IP was handled nearly all the time
by a NetCache.

This vulnerability was not present earlier but since Speedy made their
proxies unable to go out with their own IPs, the prefetch couldn't

Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

downloaded that kiddie porn the suggested angle might not work.

A law requiring log data to be retained for 6 months should be a major problem 
to enforce. Last time I think the UK mooted this it did not happen 
(disclaimer: this might have been a trial balloon designed to generate flak). 
My reaction at the ISP end was "OK, will you buy us the extra hardware 
required?" with the intention the answer would be "no" and the plan quietly 
killed. (Thinking that plain daft things will not be enacted is not always 
reliable, unfortunately).

Of course the "hand over your keys" law is a lot less effective than the 

AhnLab AntiVirus Remote Kernel Memory Corruption

The ZIP file format:

Local file header:
Offset   Length   Contents
  0      4 bytes  Local file header signature (0x04034b50)
  4      2 bytes  Version needed to extract
  6      2 bytes  General purpose bit flag
  8      2 bytes  Compression method
 10      2 bytes  Last mod file time
 12      2 bytes  Last mod file date
 14      4 bytes  CRC-32
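The table above lists the fixed part of the local file header as far as the CRC-32. As an added example (not AhnLab's code, and not a reproduction of the reported bug), here is a user-space C parser for the whole fixed header, continuing past the table with the fields the ZIP specification places after the CRC-32 (compressed size, uncompressed size, file name length, extra field length) and then the variable-length file name and extra field. The point of the example is the bounds checking: every length read from the header is compared against the bytes actually present before it is used to form a pointer. The sample header bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LFH_SIGNATURE  0x04034b50u
#define LFH_FIXED_SIZE 30u   /* fixed fields; file name and extra field follow */

enum lfh_status {
    LFH_OK = 0,
    LFH_TOO_SHORT,        /* fewer than 30 bytes available */
    LFH_BAD_SIGNATURE,
    LFH_TRUNCATED_NAME,   /* name/extra lengths exceed the bytes present */
    LFH_TRUNCATED_DATA    /* compressed size exceeds the bytes present */
};

struct local_file_header {
    uint16_t version_needed;
    uint16_t gp_flags;
    uint16_t compression;
    uint16_t mod_time;
    uint16_t mod_date;
    uint32_t crc32;
    uint32_t compressed_size;
    uint32_t uncompressed_size;
    uint16_t name_len;
    uint16_t extra_len;
    const uint8_t *name;   /* points into the input; not NUL-terminated */
    const uint8_t *extra;
    const uint8_t *data;   /* first byte of the (compressed) file data */
};

/* ZIP integers are little-endian; read them byte-wise so the code depends
 * neither on host endianness nor on unaligned loads. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one local file header from buf[0..len).  Every length read from
 * the header is checked against the bytes present before it becomes a pointer. */
int parse_local_file_header(const uint8_t *buf, size_t len,
                            struct local_file_header *out)
{
    if (len < LFH_FIXED_SIZE)        return LFH_TOO_SHORT;
    if (rd32(buf) != LFH_SIGNATURE)  return LFH_BAD_SIGNATURE;

    memset(out, 0, sizeof *out);
    out->version_needed    = rd16(buf + 4);
    out->gp_flags          = rd16(buf + 6);
    out->compression       = rd16(buf + 8);
    out->mod_time          = rd16(buf + 10);
    out->mod_date          = rd16(buf + 12);
    out->crc32             = rd32(buf + 14);
    out->compressed_size   = rd32(buf + 18);
    out->uncompressed_size = rd32(buf + 22);
    out->name_len          = rd16(buf + 26);
    out->extra_len         = rd16(buf + 28);

    /* both lengths are 16-bit, so this sum cannot overflow size_t */
    size_t variable  = (size_t)out->name_len + out->extra_len;
    size_t remaining = len - LFH_FIXED_SIZE;
    if (remaining < variable)        return LFH_TRUNCATED_NAME;
    out->name  = buf + LFH_FIXED_SIZE;
    out->extra = out->name + out->name_len;
    out->data  = out->extra + out->extra_len;
    remaining -= variable;

    /* bit 3 set: sizes live in a trailing data descriptor and the header's
     * size fields are zero, so the data length can only be checked here
     * when the bit is clear */
    if (!(out->gp_flags & 0x0008) && remaining < out->compressed_size)
        return LFH_TRUNCATED_DATA;
    return LFH_OK;
}

/* Constructed sample: local header for a stored (method 0) entry named
 * "a.txt" whose data is "hello".  Not taken from any real archive. */
static const uint8_t sample_lfh[] = {
    0x50, 0x4b, 0x03, 0x04,   /* signature */
    0x0a, 0x00,               /* version needed: 1.0 */
    0x00, 0x00,               /* general purpose bit flag */
    0x00, 0x00,               /* compression: stored */
    0x00, 0x00, 0x00, 0x00,   /* mod time, mod date */
    0x86, 0xa6, 0x10, 0x36,   /* CRC-32 of "hello" */
    0x05, 0x00, 0x00, 0x00,   /* compressed size */
    0x05, 0x00, 0x00, 0x00,   /* uncompressed size */
    0x05, 0x00,               /* file name length */
    0x00, 0x00,               /* extra field length */
    'a', '.', 't', 'x', 't',
    'h', 'e', 'l', 'l', 'o'
};

/* Parse only the first len bytes of the sample and return the status. */
int sample_status(size_t len)
{
    struct local_file_header h;
    return parse_local_file_header(sample_lfh, len, &h);
}

/* Returns 1 if the full sample parses and the decoded fields match. */
int sample_fields_ok(void)
{
    struct local_file_header h;
    if (parse_local_file_header(sample_lfh, sizeof sample_lfh, &h) != LFH_OK)
        return 0;
    return h.compression == 0 && h.crc32 == 0x3610a686u &&
           h.name_len == 5 && memcmp(h.name, "a.txt", 5) == 0 &&
           h.data == sample_lfh + 35 && memcmp(h.data, "hello", 5) == 0;
}

int main(void)
{
    printf("full sample: %d (0 = LFH_OK), fields ok: %d\n",
           sample_status(sizeof sample_lfh), sample_fields_ok());
    printf("cut at 38 bytes: %d, at 33 bytes: %d, at 10 bytes: %d\n",
           sample_status(38), sample_status(33), sample_status(10));
    return 0;
}
```

Feeding the parser a buffer cut short shows the three distinct failure points (header itself, name/extra field, file data); an engine that skips any of those checks will follow a header-supplied length past the end of what it actually read, which is the general shape of the memory-safety problem archive parsers run into.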

DNS Multiple Race Exploiting Tool

#################################################################################

 01 Introduction
 02 Features
 03 Extra Notes
 04 Running the Tool
 05 Example
 06 Credits

01 Introduction

Local vulnerability in suexec + FastCGI + PHP configurations

  As such, it appears that the PHP developers do not intend to add any technical measures against this vulnerability. It should be noted that while this is a vulnerability in one way of installing PHP, it appears that there is no way to securely set up a suexec + FastCGI + PHP installation using an unpatched version of PHP, and so it is hoped that the PHP developers will reconsider in time.

Work-arounds:
  A proposed patch is provided later which can be applied to PHP to protect against this vulnerability (when coupled with an appropriate configuration). This patch has been briefly tested to ensure it works, but requires more testing and review before it should be used in production. No guarantees are made about it.

  Using a permanently running external FastCGI process per user is an alternative solution if the cost of these extra processes is tolerable.

  Setting open_basedir from within php.ini may be a possible workaround (but only if nowhere in open_basedir is writable to the attacker), but only if PHP is called from a script which also sets SERVER_SOFTWARE and doesn't pass through the command line arguments. For example:
#!/bin/bash
# Wrapper invoked in place of php-cgi: sets SERVER_SOFTWARE as the text
# requires, points PHP at a per-user php.ini (the one that sets
# open_basedir), and deliberately does not forward "$@", so the caller's
# command-line arguments never reach php-cgi.
export SERVER_SOFTWARE=blah
/usr/bin/php-cgi -c /home/myuser/php.ini

Digital Armaments November-December Hacking Challenge: Diffuse Client Application (10.000$ extra)

I. Details

Digital Armaments officially announces the launch of the November-December hacking challenge.
The challenge starts on November 1. For the November-December Challenge, Digital Armaments will give 10.000$ and 5000 credits EXTRA for each submission that results in a Diffuse Client Application (example: Internet Explorer, Firefox, Safari, Microsoft Office, Winzip, Zip, MSN, Skype) Vulnerability. This should include example and documentation.

The submission must be sent during the November/December months and be received by midnight EST on December 31, 2007. The 10.000$ and 5000 credits will be an extra added to the normal vulnerability payment (check the DACP scheme).

 


Digital Armaments 2007 September-October Hacking Challenge: Symbian

I. Details

Digital Armaments officially announces the launch of the September-October hacking challenge. 

The challenge starts on September 1. For the September-October Challenge, Digital Armaments will give 5000 credits EXTRA for each submission that results in a Symbian Vulnerability. This should include example and documentation. The submission must be sent during the September/October months and be received by midnight EST on October 31, 2007. The 5000 credits will be an extra added to the normal vulnerability payment (check the DACP scheme).

 

II. References 


[SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

cryptographic algorithm used by the upcoming signed ICANN DNS root
(RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence
algorithm used by some signed top-level domains.

This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
Because of the scope of changes, extra care is recommended when
installing the update.  Due to ABI changes, new Debian packages are
included, and the update has to be installed using "apt-get
dist-upgrade" (or an equivalent aptitude command).

For the stable distribution (lenny), these problems have been fixed in

COMPENG 2010 - Extended Submission Deadline

-------------------------------------------------
IEEE/AEIT members       300             400
Students^               150             200
Non-members#            360+VAT         460+VAT
Social Dinner*          35              40
Extra copy of Proceed.  50              50

Fee entitles to: admission to Sessions, coffee break and light lunch
package, 1 copy of book of Proceedings or CD (at choice)

Footnotes:

Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

You are familiar with Cross Site Request Forgery attacks? Wikipedia gives some 
good introduction:
http://en.wikipedia.org/wiki/CSRF

All forms in web applications doing changes that require authentication need 
some extra protection to prevent CSRF. Usually this is done by some random 
token that may be created out of a random session value stored on the 
application site combined with an id of the form. This has to be checked 
before any action is executed.



[SECURITY] [DSA 1841-2] New git-core packages fix build failure

advisory is quoted in full below for reference.

It was discovered that git-daemon which is part of git-core, a popular
distributed revision control system, is vulnerable to denial of service
attacks caused by a programming mistake in handling requests containing
extra unrecognized arguments which results in an infinite loop. While
this is no problem for the daemon itself as every request will spawn a
new git-daemon instance, this still results in a very high CPU consumption
and might lead to denial of service conditions.

For the oldstable distribution (etch), this problem has been fixed in

Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

> redirection parameters is not equal to a vulnerability since as mz said,
> the attacker could just redirect to his own site.
>
> The best way to defend against any Cross Site Scripting attacks is to
> sanitize all inputs and outputs properly on your website and perhaps run
> NoScript as an extra safety precaution as well.
>
> If it was possible to execute system() commands directly through the
> browser and not javascript nor html then that would be a vulnerability
> since One could almost do anything with a malicious site, if the input in
> this example to this function wouldn't be sanitized of course.

CubeCart 4 Session Management Bypass

...

CREATE TABLE `CubeCart_transactions` (
   `id` int(11) NOT NULL auto_increment,
   `gateway` varchar(255),
   `extra` varchar(255),
   `status` varchar(50),
   `customer_id` int(11),
   `order_id` varchar(255),
   `trans_id` varchar(50),
   `time` int(10),

[SECURITY] [DSA 1841-1] New git-core packages fix denial of service

CVE ID         : CVE-2009-2108

It was discovered that git-daemon which is part of git-core, a popular
distributed revision control system, is vulnerable to denial of service
attacks caused by a programming mistake in handling requests containing
extra unrecognized arguments which results in an infinite loop. While
this is no problem for the daemon itself as every request will spawn a
new git-daemon instance, this still results in a very high CPU consumption
and might lead to denial of service conditions.



[ MDVSA-2009:176 ] git

 A vulnerability has been found and corrected in git:
 
 git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
 cause a denial of service (infinite loop and CPU consumption) via a
 request containing extra unrecognized arguments (CVE-2009-2108).
 
 This update provides fixes for this vulnerability.
 _______________________________________________________________________

 References:

RE: DoS vulnerability in Google Chrome

Best regards, hopes, peace and love,
MaXe - Founder of InterN0T - Undergrou...
http://www.intern0t.net/

PS: The extra long signature doesn't make a difference :-D


Hello Bugtraq!

I want to warn you about Denial of Service vulnerability in Google Chrome.

Windows SMB NTLM Authentication Weak Nonce Vulnerability

listen on port 445/tcp)
                (Note 2: If you load 'conn.html' with Internet Explorer and
'conn.html' is stored on a local drive (e.g.:c:\conn.html) it is
possible Internet Explorer will prompt you to allow execution of the
javascript code within 'conn.html'. This is not a limitation of the
attack, it is just an extra protection implemented by Internet Explorer,
the 'conn.html' does not even need to contain javascript code, it uses
it just because it is convenient, you could just as easily 'hard-code'
all <IMG> tags. Also, loading the html file from the a local disk is not
a real attack scenario, all of this is for demonstration purposes).


One Click Ownage [White Paper and Scripts]

This is a different and more practical approach to get a reverse shell
or code execution in SQL Injections (particularly in MSSQL). The idea
is simple. Getting a reverse shell from an SQL Injection with one HTTP
request without using an extra channel such as TFTP, FTP to upload the
initial payload.

White paper explains the steps and the details of the attack. Scripts
got all the tools you need to create your HTTP request with your own
payload.


Re: Comments re ISC's announcement on bind9 security

> Yes, ISC has finally gotten around to randomizing the source ports, as of
> 9.5.0a2. It is controlled by the "use-queryport-pool" option in the server
> section of the BIND configuration file. It defaults to "yes".
> 
> You can control how big the pool is with the "queryport-pool-ports" option. It
> defaults to 8 (an extra 3 bits of entropy).
> 
> This set of ports is refreshed periodically, with a frequency controlled by the
> "queryport-pool-updateinterval" option. (Personally I think this option adds no
> little value from a security point of view, but it doesn't hurt.)


CAU-2008-0001 - Slowly Closing Door Race Condition

in under the door's closing time at a brisk pace or run.

Finally, hide in this location during a lower traffic time and wait
for someone to utilize the exit point.  After they have exited the
door and are walking away, run to the door and enter before it has
closed and locked.  Extra points are awarded for a spectacular dive
and/or roll to catch the door at the very last second.


References
==========

RE: At long last - Extra Outlooks!

> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Thor (Hammer of
God)
> Sent: Thursday, January 10, 2008 9:59 PM
> To: focus-ms@securityfocus.com
> Subject: At long last - Extra Outlooks!
> 
> As long as Outlook has been around, people have been trying to get two
> instances running at the same time. Not multiple profiles that you can
> load when starting Outlook, but two separate instances running
> concurrently, each with their own associated profile. After all,

[TOOL] moth - vulnerable web application vmware

a test script available in moth.

Other tools like this are available but they lack one very important
feature: a list of vulnerabilities included in the Web Applications!
In our case, we used the results gathered in the anantasec report to
solve this issue without any extra work.

There are three different ways to access the web applications and
vulnerable scripts:
    - Directly
    - Through mod_security

Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware

> a test script available in moth.
> 
> Other tools like this are available but they lack one very important
> feature: a list of vulnerabilities included in the Web Applications!
> In our case, we used the results gathered in the anantasec report to
> solve this issue without any extra work.
> 
> There are three different ways to access the web applications and
> vulnerable scripts:
>     - Directly
>     - Through mod_security


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
