
Evasion attacks exploiting file-parsing vulnerabilities in antivirus products

   Comodo 7425, Sophos 4.61.0 

   CVE no - CVE-2012-1438

21. The 'padding' field in ELF files is parsed incorrectly.
    If an infected ELF file's padding field is incremented by 1, the file evades
    detection.

   Affected products - 
   eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7

EEYE: Multiple Vulnerabilities In .FLAC File Format and Various Media Applications

The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
such as 0xFFFFFFFF may result in a heap-based overflow in the decoding
software.
Whenever vulnerable software opens or processes a malformed FLAC file, it
uses the size fields as reference points to allocate memory (malloc) and
writes the contents of the file into those memory buffers. Setting
these values to an overly large value, such as 0xFFFFFFFF, could cause
an exploitable condition. Passing a size of 0xFFFFFFFF would cause a
malloc(0) immediately followed by a buffer overflow on the read. This
results in an exploitable heap overflow. Exploitation is dependent on

SQL-Ledger – several vulnerabilities

Technical details:

* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)

The forms in SQL-Ledger are not protected against XSRF. They include the username
in the hidden field »login«, though, which has to be specified correctly. An
attacker is thus required to know the login name – it can be guessed, brute-forced
or retrieved using a Cross-Site-Scripting attack, though.

An example attack would be to send the following link to the user, which unknowingly
changes his password in the application. Given network access to SQL-Ledger, the

Collisions in PDF signatures

        /SubFilter /adbe.pkcs7.detached
        /Contents <12[lots of hex digits ...]ef>
        /ByteRange [0 123 456 789]
>>

The SubFilter field indicates the signature mechanism used, the Contents
field stores the signature blob produced by the signature mechanism as
a hexadecimal string, and the ByteRange field specifies the regions
of the file that are covered by the signature (it's a list of pairs,
where each pair specifies a start offset and the number of bytes to
include starting at that offset--it should, as per the specification,

Windows SMB NTLM Authentication Weak Nonce Vulnerability

6.3.Detecting if the SMB service generates duplicate 8-byte challenges
-----------------------------------------------------------------------

Detecting the generation of duplicate challenges can be verified
remotely by repeatedly sending 'SMB Negotiate Protocol Request' packets
to a Windows system with the 'Flags2' field set to 0xc001 (disabling
security signatures, extended attributes and extended security
negotiation) recording the 8-byte challenges obtained from the server
and waiting for duplicates.

The following Ruby script can be used to test for the presence of this

"Exploit creation - The random approach" or "Playing with random to build exploits"

-[ MS02-039 Exploit Structure

Before we start talking about the techniques applied in ENG, let's take a
look at how the exploit structure must be laid out.

David Litchfield's Very First Exploit
[VECTOR] [BUFFER     ] [RETURN ADDRESS] [JUMP] [WRITABLE ADDRESS                      ] [NOPS  ] [SHELLCODE]
[0x04  ] [AAAABBBB...] [0x42b0c9dc    ] [0x0e] [0x42ae7001 (SP0) | 0x42ae7001 (SP1-2)] [0x90  ] [STATIC   ]


BugTracker.net 3.4.3 SQL Injection

 Name              BugTracker.NET
 Vendor            http://www.ifdefined.com/www/
 Versions Affected < 3.4.4 (when custom fields are used)

 Author            Mark van Tilburg
 Website           http://markvt.info
 Contact           markvantilburg [at] gmail [dot] com
 Date              2010-08-22

Xigla Multiple Products - Multiple Vulnerabilities

    2.1. Absolute Live Support XE (ASP version 5.1) (admin)
                2.1.1. SQL Injection in "search.asp" by "orderby" parameter.
                        POC: 
                                http://[URL]/xlaabsolutels/search.asp?orderby=[SQL INJECTION]
                        
                2.1.2. XSS in "search.asp" (all fields are vulnerable).
                        POC:
                                http://[URL]/xlaabsolutels/admin/search.asp

    2.2. Absolute News Manager XE (ASP version 3.2) (admin)
                2.2.1   SQL Injection in "search.asp".

[CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities

DNS spoofing and cache poisoning attacks have been known security
threats that result from design weaknesses of the DNS protocol since the
early 1990s as described by Christopher Schuba [1] and Paul Vixie [2].
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
was followed up by further refinements and advancement of attack
techniques by Vagner Sacramento [4] and Joe Stewart [5] in 2002. Amit
Klein further investigated query Id predictability in BIND version 9[6]
and Windows DNS[7] server implementations in 2007. In 2008 a much
publicized advancement of the DNS cache poisoning technique was

Solaris finger bug

Sun> The issue you have seen regarding a single digit argument is different
Sun> as this form of ambiguous username returns user information for accounts
Sun> on the system which meet one of the following criteria:
Sun>
Sun>     + an empty GECOS field
Sun>     + leading spaces in the GECOS field
Sun>     + trailing spaces in the GECOS field
Sun>     + a GECOS field with two adjacent spaces

Sun> This latter issue has been addressed in Solaris 10 and later at this

Foxit Reader 2.2 two potentially exploitable bugs

Under these conditions it seems Foxit
allocates different structures, waiting
to fill that memory with the content
of the /ExtGState resource. However,
when it finds fields associated with
a /Font resource, it tries to parse
them anyway, and it fills the memory
for those structures with incorrect
data. This situation occurs because some
functions (mainly the one located at

CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls

.text:0001A6CE  cmp     esi, edi
.text:0001A6D0  jz      short loc_1A74F

.text:0001A6D2  mov     edi, [ebp+ObjectAttributes]
.text:0001A6D5  mov     eax, [edi+OBJECT_ATTRIBUTES.RootDirectory]

Here, the code retrieves the RootDirectory field value from the
structure, which is controlled by us (the user-mode caller).

.text:0001A6D8  test    eax, eax
.text:0001A6DA  jz      short loc_1A71B

.text:0001A6DC  push    0               ; ReturnLength

CORE-2010-0316 - Novell iManager Multiple Vulnerabilities

[CVE-2010-1929 | 40480] Novell iManager provides a feature to create
classes, under the 'Schema' menu. The class name is intended to have a
maximum length of 32 characters. This limitation is enforced on the
client side by setting a 'maxlength' property with a value of 32 in
the proper form field, but no verification is performed on the server
side to ensure that the user-defined class name is, at most, 32
characters long. By tampering with the POST request that sends the class
name when creating a new class, an authenticated user can define an
overly long class name that will cause a stack-based buffer overflow
on the iManager web server, making it possible for the attacker to

[waraxe-2009-SA#072] - Multiple Vulnerabilities in RavenNuke 2.3.0

Reasons:
  1. insecure use of the "eval()" PHP function
Preconditions:
  1. Attacker must have admin rights for "Your Account" in
  order to change custom fields
Comments:
  1. This is a privilege escalation vulnerability

Test:


Some more details on IE STYLE zero-day

specially-crafted attack, Internet Explorer attempting to access a
freed object can lead to running attacker-supplied code."

However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug.  The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,

EEYE: Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D
servers.  An example of sample benign traffic follows:

     0000000027rxrLogin~~administrator
---------------------------------------------
    Field 1: 10-digit base10 command length field ("0000000027")
    Field 2: RPC command ("rxrLogin")
    Field 3: Constant Argument Delimiter ("~~")
    Field 4: Argument ("administrator")

Vulnerability #1: Authentication Username Overflow

CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure

Vulnerability Details
---------------------
Coda ioctls are passed through the Coda filesystem module before being sent to
Venus.  The arguments to a Coda ioctl are encapsulated in a PioctlData struct,
which in turn contains a ViceIoctl struct.  The ViceIoctl struct contains
"in_size" and "out_size" fields, dictating the expected size of the input and
output data corresponding to a particular ioctl request.  The "in_size" field
is validated to prevent memory corruption via copying an unexpected amount of
data from userspace into a kernel buffer.  

However, the "out_size" field was missing this validation.  When copying the

Security Advisory for Bugzilla 3.0, 2.22.1, and 2.20.4

+ When using email_in.pl, insufficiently escaped data may be passed to
  sendmail.

+ Users using the WebService interface may access Bugzilla's
  time-tracking fields even if they normally cannot see them.

We strongly advise that 2.20.x and 2.22.x users should upgrade to 2.20.5
and 2.22.3 respectively. 3.0 users, and users of 2.18.x or below, should
upgrade to 3.0.1.


Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and Execution as SYSTEM in ColdFusion (2010-WEB-002) (CERT VU#528212)

The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
administrator using uploaded CFML pages. The attacker can create a
SYSTEM level shell connection back to the attacker's computer, add

Re: Squid URL Filtering Bypass

In McAfee Web Gateway it is possible to convert GET methods into CONNECT
methods, and after the connection, send the same GET packet, without
modification and without cryptography. Even with the GET packets
passing through the proxy without cryptography and with the Host field
pointing to a filtered site, the proxy will accept.
I think it is a vulnerability!
See my Python code.

Thanks


Re: McAfee Web Gateway URL Filtering Bypass

Hello,

We might be able to fix this by simply doing a ping to the website
before connecting, so that the IP of the host specified matches the
connect field. In any case, the consistency of the host and connect is
indeed a big design flaw.

- Vikram

On Mon, Apr 16, 2012 at 6:12 PM, Gabriel Menezes Nunes


OpenBSD CARP Hash Vulnerability

==============
VULNERABILITY DETAILS
==============

The OpenBSD CARP implementation (and all derivatives, such as FreeBSD
and NetBSD) fails to include all fields contained in the "carp_header"
structure[1] when calculating the SHA1 HMAC hash of the packet in the
function carp_proto_input_c[2]. The two 8-bit fields not included in
the hash generation are "carp_advskew" and "carp_advbase". Among other
functions, the fields are both set to 255 by the master CARP node to
indicate that it wants to step down from the master role.

Vulnerability with Cisco ACE. A2 3.0 (probably all version)

rules (chap 2.1) it's
easy to produce a "Parse Error" which is honoured by the backend.

RFC extracts:

 The version of an HTTP message is indicated by an HTTP-Version field
   in the first line of the message.

       HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT

   HTTP/1.1 header field values can be folded onto multiple lines if the

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

level accounts can also exploit a partial file disclosure vulnerability 
to view all usernames.

Cute News suffers from other security failures such as:

* User registration, in register.php the password input field should be 
shown as stars to prevent shoulder surfing. This is fixed in UTF-8b.

* Email addresses are exposed by the news article template. The email
address should be obfuscated to prevent spam harvesting. There is an
option in both 1.4.6 and UTF-8b versions to hide the email address.

Cisco Security Response: Multiple Vulnerabilities in Cisco Unified Videoconferencing Products

indicated in the Software Version and Fixes Table, are affected.

To view the version of system software that is currently running on
Cisco Unified Videoconferencing 5100 Series Products, access the
Cisco UVC device via the web GUI interface. On the status screen, the
"Software Version" field below the "Product Information" section
indicates the current system software.

Details for Reported Vulnerabilities
====================================


Sungard Banner System XSS

Author - gmar
Website - yougotxssed.com

# Bug in a nut shell #

Students that use this system could inject malicious code into the "New Question: " field (NAME="question"). When saving the changes, the system does not strip out HTML entities.

# Bug scenario #

Jim does not like his teacher / administrator at his school. He changes his forgotten-PIN security question. He puts a specially crafted piece of code in the field to call a remote JavaScript file. He emails his teacher / administrator and tells them he has forgotten his password and wonders if they could walk him through how to retrieve it. He tells them that he cannot get it to work and asks them if they could try to retrieve his password. They enter his username and hit the "forget password?" button. The next screen comes up and the script is launched. Jim could steal the session of the teacher / administrator, he could fake a login page and wait for his teacher / administrator to authenticate, or he could just do malicious things to their browser.


Novell Netstorage Multiple Vulnerabilities

Novell NetStorage contains a wide variety of vulnerabilities that may
allow an attacker to cause a denial of service, gain configuration
information or exploit other users of the application.

#1 - Filter Field XSS

The 'filter' field does not sanitize user-supplied input. An attacker
could use this to carry out cross-site scripting attacks against other
authenticated users.

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.