s.send("PASS anonymous\r\n")
s.recv(1024)
### fixRet ###
# ret is located @ 0x009afe64 & needs to be replaced with part of our
# payload (or NOPs)
fixRet = (
"\x31\xc0" + # xor %eax,%eax
"\x31\xdb" + # xor %ebx,%ebx
"\x31\xc9"   # xor %ecx,%ecx
)
print s.recv(4000)
A debugger was used on a Windows system to see where the 'OvOSLocale'
overflow is located. The call stack shows that '_OVresetLangEnv' in
'ovutil.dll' calls 'ov.sprintf_new' in 'ov.dll' that calls '_vsnprintf'
in 'msvcrt.dll'. The destination buffer of the '_vsnprintf' is located
on the stack, the count is 0x7fff, the format is 'OV_LANG=%s', and the
string is too large for the stack buffer, causing the stack overflow. A
new CVE name was assigned, CVE-2009-0920, marking this bug as unfixed or
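The defect described above is a bounded formatting call whose bound is not the destination's size: _vsnprintf is given a count of 0x7fff while the OV_LANG= buffer on the stack is much smaller, so the "safe" function overflows exactly like sprintf would. The following is an added example, not NNM code; the 256-byte buffer, the function names and the sprintf_new wrapper are assumptions that stand in for the real ov.dll call chain.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins: the real count is 0x7fff (from the advisory), the
 * real buffer size is unknown and 256 is only an illustrative value. */
#define BAD_COUNT    0x7fff
#define ENV_BUF_SIZE 256

/* Stand-in for ov.sprintf_new: forwards the caller's count to vsnprintf
 * unchanged, so the bound is only as good as what the caller passes. */
static int sprintf_new(char *dst, size_t count, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, count, fmt, ap);
    va_end(ap);
    return n;
}

/* Bytes that "OV_LANG=<locale>\0" occupies. */
size_t ov_lang_needed(const char *locale)
{
    return strlen("OV_LANG=") + strlen(locale) + 1;
}

/* 1 if formatting this locale into a buf_size buffer with a count larger
 * than buf_size would write past the end. */
int ov_lang_would_overflow(const char *locale, size_t buf_size)
{
    return ov_lang_needed(locale) > buf_size;
}

/* Vulnerable shape: the count is a constant unrelated to sizeof buf, so any
 * OvOSLocale value longer than ENV_BUF_SIZE - 9 bytes smashes the stack.
 * Shown for contrast; call only with short input. */
int reset_lang_env_vulnerable(const char *locale)
{
    char buf[ENV_BUF_SIZE];
    return sprintf_new(buf, BAD_COUNT, "OV_LANG=%s", locale);
}

/* Fixed shape: the count is the destination size and truncation is treated
 * as an error rather than silently continued from. Returns the number of
 * bytes written (excluding the NUL) or -1 on truncation. */
int reset_lang_env_fixed(const char *locale, char *out, size_t out_size)
{
    int n = sprintf_new(out, out_size, "OV_LANG=%s", locale);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Constructed 300-byte locale (the attacker-controlled OvOSLocale value):
 * the overflow predicate flags it and the fixed path refuses it.
 * Returns 1 on that outcome. */
int demo_long_locale(void)
{
    char locale[301];
    char out[ENV_BUF_SIZE];
    memset(locale, 'A', 300);
    locale[300] = '\0';
    return ov_lang_would_overflow(locale, sizeof out)
        && reset_lang_env_fixed(locale, out, sizeof out) == -1;
}

/* A normal locale passes through the fixed path intact. Returns 1 if the
 * output is exactly "OV_LANG=en_US". */
int demo_short_locale(void)
{
    char out[ENV_BUF_SIZE];
    return reset_lang_env_fixed("en_US", out, sizeof out) == 13
        && strcmp(out, "OV_LANG=en_US") == 0;
}
```

When auditing a wrapper like sprintf_new, the check is not "does it call a bounded function" but "where does the count come from"; a constant such as 0x7fff that does not trace back to the destination is the finding.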
Summary:
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.
Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects this vendor specifically.
A remote attacker (who has already obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\ sequences.
The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and BD_ADDR address spoofing, can be used in order to avoid pairing. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. Once the attacker has obtained the proper privileges, further actions are transparent to the user.
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111019-cs
Note: Effective October 18, 2011, Cisco moved the current list of
Cisco Security Advisories and Responses published by Cisco PSIRT. The
new location is:
http://tools.cisco.com/security/center/publicationListing
You can also navigate to this page from the Cisco
Products and Services menu of the Cisco Security Intelligence
Operations (SIO) Portal. Following this transition, new Cisco Security
Advisories and Responses will be published to the new location.
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
accessing and modifying the local computer files) depending on their
level of trustworthiness, namely:
* Local Intranet Zone: for content located on an organization's
intranet. Because the servers and information are within an
organization's firewall, it is reasonable to assign a higher level of
trust to content on the intranet.
* Trusted Sites Zone: for content located on Web sites that are
+-----------------------+
| Remote Code Execution |
+-----------------------+
The vulnerable code is located in /www/editor/tiny_mce/plugins/save_template/save_template.php
if ($_POST['templateName']) {
    $dir = '../../../../content/editor_templates/'.$_SESSION['s_login'];
    if (!is_dir($dir) && !mkdir($dir, 0755)) {
        throw new Exception(_COULDNOTCREATEDIRECTORY);
malloc(0) immediately followed by a buffer overflow on the read. This
results in an exploitable heap overflow. Exploitation is dependent on
the data allocation location, heap structure and error handlers of the
affected software. After overwriting a large amount of memory and
pointers with arbitrary data, code execution could then be redirected to
the attacker's payload located inside the FLAC file.
Vulnerability #2: VORBIS Comment String Size Field Heap Overflow
The second vulnerability lies within the parsing of any VORBIS Comment
String Size fields. Setting this field to an overly large size, such
as 0xFFFFFFF, could also result in another heap-based overflow allowing
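Both FLAC findings above come from trusting a 32-bit length field taken from the file: a zero length leads to malloc(0) followed by a read into it, and a huge length (0xFFFFFFF) leads to a copy far past the allocation. The following is an added example, not libFLAC or the affected player's code: a parser for the VORBIS_COMMENT block layout (little-endian u32 vendor length, vendor string, u32 comment count, then u32 length + bytes per comment) that checks every length against the bytes actually present and bounds copies by the destination, with constructed sample blocks for the good, zero-length and oversized cases.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian u32 at *pos, only if four bytes remain. */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *v)
{
    if (len - *pos < 4)
        return -1;
    const uint8_t *p = buf + *pos;
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *pos += 4;
    return 0;
}

/* Claim field_len bytes at *pos. This is the check the vulnerable decoder
 * lacks: a length of 0xFFFFFFF cannot fit in what is left of the block, so
 * it is rejected before anything is allocated or copied from it. */
static int take_field(const uint8_t *buf, size_t len, size_t *pos,
                      uint32_t field_len, const uint8_t **out)
{
    if (field_len > len - *pos)
        return -1;
    *out = buf + *pos;
    *pos += field_len;
    return 0;
}

/* Parse a VORBIS_COMMENT block. Copies the first user comment into `first`
 * (NUL-terminated, bounded by first_cap; pass NULL/0 to skip) and returns
 * the comment count, or -1 if any length does not fit the data present. */
int vc_parse(const uint8_t *buf, size_t len, char *first, size_t first_cap)
{
    size_t pos = 0;
    uint32_t vlen, n, i;
    const uint8_t *f;

    if (read_u32(buf, len, &pos, &vlen) || take_field(buf, len, &pos, vlen, &f))
        return -1;
    if (read_u32(buf, len, &pos, &n))
        return -1;
    if (first_cap)
        first[0] = '\0';

    /* n itself may be absurd; each iteration needs at least 4 more bytes,
     * so the loop fails out long before i can wrap. */
    for (i = 0; i < n; i++) {
        uint32_t clen;
        if (read_u32(buf, len, &pos, &clen) || take_field(buf, len, &pos, clen, &f))
            return -1;
        /* A zero-length comment is legal. Copy sizes are derived from the
         * destination, never from clen alone, which is what turns a
         * malloc(0)-then-read into the heap overflow described above. */
        if (i == 0 && first_cap) {
            size_t c = clen < first_cap - 1 ? clen : first_cap - 1;
            memcpy(first, f, c);
            first[c] = '\0';
        }
    }
    return (int)n;
}

/* Constructed samples: vendor "x", one comment. */
const uint8_t VC_GOOD[] = { 1,0,0,0,'x', 1,0,0,0, 7,0,0,0,'T','I','T','L','E','=','a' };
/* Same block with the comment length set to 0x0FFFFFFF (bytes FF FF FF 0F). */
const uint8_t VC_HUGE[] = { 1,0,0,0,'x', 1,0,0,0, 0xFF,0xFF,0xFF,0x0F,'T','I','T','L','E','=','a' };
/* One comment of length zero: the malloc(0) case. */
const uint8_t VC_ZERO[] = { 1,0,0,0,'x', 1,0,0,0, 0,0,0,0 };

size_t vc_good_len(void) { return sizeof VC_GOOD; }
size_t vc_huge_len(void) { return sizeof VC_HUGE; }
size_t vc_zero_len(void) { return sizeof VC_ZERO; }

/* Returns 1 if the good block yields exactly "TITLE=a". */
int vc_demo_good_comment(void)
{
    char first[64];
    return vc_parse(VC_GOOD, sizeof VC_GOOD, first, sizeof first) == 1
        && strcmp(first, "TITLE=a") == 0;
}
```

The general rule the block applies, which also covers the first FLAC finding, is that a length from the file may only be consumed after it has been compared with the bytes remaining, and a copy into a fixed buffer is bounded by that buffer, not by the field.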
protect against all the attack vectors (as URI or DOM XSS that can work
also if encoded), this is why various vulnerabilities exist.
B) Cross Site Scripting vulnerability
Line 293: the "redirect" variable is used to write the location header
value. Its value is not filtered so it's possible to perform both
HTTP Header Injection and HTTP Response Splitting attacks.
Since Header Injection is one of the most versatile attack vectors we
could use it (like "downgrade it") to perform a Cross Site Scripting
Overview:
/////////
The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method that gives a potential attacker arbitrary file write access on the remote system.
Impact:
///////
Details
_______________
- File Transfer to Client -
OneNote accepts a command switch to specify the location of the
local cache directory. By specifying this switch on the URL it is
possible to specify an arbitrary location on the client, which
will be used to cache the opened notebooks.
If a notebook is loaded from a remote share, a local copy will be
Corel Paint Shop Pro Photo X2 [2] is a professional image editing
application that allows users to edit photos, create graphics, draw and
paint. Corel Paint Shop Pro Photo X2 is prone to a heap-based buffer
overflow when processing malformed FPX files, because it trusts
user-controlled data located inside a FPX file and uses it as a loop
counter when copying data from a FPX file into a fixed-size buffer
located in the heap. This vulnerability can be exploited to overwrite
adjacent heap chunks metadata, and possibly to gain arbitrary code
execution.
st\..\..\..\..\..\BackSlashPoC
4. Total Commander will strip the backslashes and will show only
BackSlashPoC in the lister window.
5. The user presses F5 (copy) on the file and Enter. The dots and backslashes
will be shown there, but the user in most cases will not notice them (this has
been tested). If the file is located inside a directory or was selected for
batch copying, the user will never be informed about the additional path
traversal.
6. The file is downloaded to the location
UserChosen\st\..\..\..\..\..\..BackSlashPoC
CA Service Desk 12.1
Windows Environment:
1. Locate the files "webengine.exe" and "freeaccess.spl". The files
are located in the "$NX_ROOT\bin" and "$NX_ROOT\bopcfg\www" directory
respectively.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than indicated in the below
table, the installation is vulnerable.
While importing 3DS files, Google SketchUp reads a sequence of 2-byte
words from the .3DS file, starting at offset 0x6F49F. These words are
used as operands in pointer arithmetic to calculate an index into an
array where data will be copied. However, the application does not
check whether the calculated index is inside the bounds of the destination
array. By crafting a 3DS file with large values for the words located at
the mentioned offset, the lack of bounds checking can be exploited to
write data outside the limits of the array, leading to a memory
corruption vulnerability.
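An index computed from file-controlled words must be range-checked against the destination before the write, and the read of the words themselves must be checked against the file length. The following is an added example, not SketchUp code: the formula w0 * w1 + w2 is an assumed stand-in for whatever arithmetic the importer really performs, the fragments are constructed and read at offset 0 rather than 0x6F49F, and the 16-slot destination array is illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 16-bit read that first checks the two bytes exist. */
static int rd_le16(const uint8_t *f, size_t len, size_t off, uint16_t *v)
{
    if (off > len || len - off < 2)
        return -1;
    *v = (uint16_t)(f[off] | (f[off + 1] << 8));
    return 0;
}

/* Index derived from three consecutive words at `off`. The arithmetic is
 * an assumption; the worst case 0xFFFF*0xFFFF+0xFFFF = 0xFFFF0000 fits a
 * 32-bit size_t, so the computation itself cannot wrap. */
int index_from_words(const uint8_t *f, size_t len, size_t off, size_t *idx)
{
    uint16_t w0, w1, w2;
    if (rd_le16(f, len, off, &w0) || rd_le16(f, len, off + 2, &w1) ||
        rd_le16(f, len, off + 4, &w2))
        return -1;
    *idx = (size_t)w0 * w1 + w2;
    return 0;
}

/* Store the payload word that follows the operands into dst[idx], but only
 * when idx < dst_count. The `idx >= dst_count` test is the check the
 * importer is missing. Returns 0 on success, -1 if rejected. */
int store_checked(uint16_t *dst, size_t dst_count,
                  const uint8_t *f, size_t len, size_t off)
{
    size_t idx;
    uint16_t payload;
    if (index_from_words(f, len, off, &idx))
        return -1;
    if (idx >= dst_count)
        return -1;
    if (rd_le16(f, len, off + 6, &payload))
        return -1;
    dst[idx] = payload;
    return 0;
}

static uint16_t g_dst[16];

/* Constructed fragment: w0=1, w1=2, w2=1 -> index 3, payload 0x1234. */
static const uint8_t BENIGN[8] = { 0x01,0x00, 0x02,0x00, 0x01,0x00, 0x34,0x12 };
/* Constructed fragment with all operands 0xFFFF: index far beyond dst. */
static const uint8_t HUGE[8]   = { 0xFF,0xFF, 0xFF,0xFF, 0xFF,0xFF, 0x34,0x12 };

/* Returns the value landed in dst[3], or -1 if the store was rejected. */
int demo_benign_store(void)
{
    memset(g_dst, 0, sizeof g_dst);
    if (store_checked(g_dst, 16, BENIGN, sizeof BENIGN, 0))
        return -1;
    return g_dst[3];
}

/* 1 if the out-of-range index is refused. */
int demo_huge_index_rejected(void)
{
    return store_checked(g_dst, 16, HUGE, sizeof HUGE, 0) == -1;
}

/* 1 if a fragment too short to hold the operands is refused. */
int demo_short_file_rejected(void)
{
    return store_checked(g_dst, 16, BENIGN, 4, 0) == -1;
}
```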
The following disassembled code of the Google SketchUp 3DS Importer
their apparent level of trustworthiness. The zones available in the
product include:
* Internet Zone: for Web sites on the Internet that do not belong to
another zone.
* Local Intranet Zone: for content located on an organization's
intranet.
* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the Internet.
* Restricted Sites Zone: for Web sites that contain content that
can cause (or have previously caused) problems when downloaded.
The following “Resolved Caveat” is listed in the Release Notes:
CSCsr09163 webvpn - +webvpn+/index.html http response splitting problem.
Details
When a user connects to the web interface of the ASA via HTTP, they are automatically redirected to the SSL encrypted version. The web server issues a 301 Moved Permanently status code to the connecting client to facilitate this redirection. If the client appends the carriage return (%0d) and line feed (%0a) characters to the URL, the web server will parse these and allow the client to inject arbitrary HTTP response headers. Using this method, it is possible to inject a second Location header to the client. The client web browser will act on only the last Location header it encounters and redirect there.
SecureWorks Risk Scoring
Likelihood (scale of 1-5, with 5 being high): 5 – This device is designed to be on the perimeter of a network to allow remote access.
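The ASA 301 redirect above and the earlier "redirect" variable written into the Location header (line 293 of that application) are the same bug: a value reaching a header line with the CR/LF pair intact ends the header and lets the client supply its own, so the browser honours the attacker's Location. The following is an added example, not Cisco or the web application's code: a percent-decoder, the unfiltered redirect builder showing the injected second header, and the fixed builder that refuses any value containing CR or LF. The host name and the request path are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOST "asa.example"   /* assumed redirect target host */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out` (NUL-terminated, at most cap-1 bytes),
 * turning %0d%0a into a real CR LF just as the server would. */
size_t url_decode(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    while (*in && n + 1 < cap) {
        int hi, lo;
        if (in[0] == '%' && (hi = hexval(in[1])) >= 0 && (lo = hexval(in[2])) >= 0) {
            out[n++] = (char)(hi * 16 + lo);
            in += 3;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* A header value must not contain CR or LF; that is the whole fix. */
int header_value_is_safe(const char *v)
{
    for (; *v; v++)
        if (*v == '\r' || *v == '\n')
            return 0;
    return 1;
}

/* Count lines of a raw response that start with "Location:". */
int count_location_headers(const char *resp)
{
    int count = 0;
    const char *line = resp;
    while (*line) {
        if (strncmp(line, "Location:", 9) == 0)
            count++;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return count;
}

/* Vulnerable shape: the decoded request path is echoed into Location. */
int build_redirect_vulnerable(const char *raw_path, char *out, size_t cap)
{
    char path[512];
    url_decode(raw_path, path, sizeof path);
    int n = snprintf(out, cap,
        "HTTP/1.1 301 Moved Permanently\r\nLocation: https://%s%s\r\n\r\n", HOST, path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Fixed shape: refuse to redirect when the decoded value could end the
 * header line. Returns -1 on rejection. */
int build_redirect_fixed(const char *raw_path, char *out, size_t cap)
{
    char path[512];
    url_decode(raw_path, path, sizeof path);
    if (!header_value_is_safe(path))
        return -1;
    int n = snprintf(out, cap,
        "HTTP/1.1 301 Moved Permanently\r\nLocation: https://%s%s\r\n\r\n", HOST, path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Constructed request path carrying %0d%0a and a second Location header. */
static const char INJECTED[] = "/%0d%0aLocation:%20https://attacker.example/";

/* Number of Location headers the vulnerable builder emits for INJECTED. */
int demo_vulnerable_location_count(void)
{
    char resp[1024];
    if (build_redirect_vulnerable(INJECTED, resp, sizeof resp) < 0)
        return -1;
    return count_location_headers(resp);
}

/* 1 if the fixed builder rejects INJECTED but still accepts a plain path. */
int demo_fixed_behaviour(void)
{
    char resp[1024];
    return build_redirect_fixed(INJECTED, resp, sizeof resp) == -1
        && build_redirect_fixed("/index.html", resp, sizeof resp) > 0
        && count_location_headers(resp) == 1;
}
```

Rejecting is preferable to stripping here: once CR and LF are removed the remaining text is still attacker-chosen and may still be a usable open redirect, so a value that contained them should fail the request rather than be repaired.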
// continue on as this is okay
}
elseif (( false === isset( $_COOKIE[$gFolderName] )) ||
( $theChecksum !== $_COOKIE[$gFolderName] ))
{
header( "Location: /mailbox/pin.php?" . NAME_KEY .
"=" . $gFolderName ); exit;
}
Vulnerability 2: Authentication not validated
==24080== Address 0xffffff38 is not stack'd, malloc'd or (recently) free'd
In fact, there is an off-by-one in t1lib responsible for the wrong reading
of 4 null bytes from a mapped (t1lib's data) location at:
=> 0x4005f348: mov DWORD PTR [ebx+0x32b8],eax
Later on, this memory location is used to initialize eax with the value
of a (wrong) function pointer:
=> 0x4005f86a: imul eax,DWORD PTR [ebx+0x32b8],0x68
This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-camera
Description:
Most Windows Mobile 5.0 & 6 devices are shipped with the Microsoft Bluetooth stack; only a few of them use others, such as the Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common.
The OBEX FTP Bluetooth service can be used to share files over Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured so that a specific directory is shared and the user places there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user; however, the Bluetooth wizard usually doesn't allow specifying any directory outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is a safety measure, so the user can't expose sensitive files or information over Bluetooth.
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who has already obtained authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories outside the default Bluetooth shared folder. This means the attacker can browse folders outside the shared folder, download files contained in those folders and upload files to those folders.
The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing up with the remote Windows Mobile device should be enough to get them. Once the attacker has obtained the proper privileges, further actions are transparent to the user.
As described above, the attacker can take three risky actions:
validate the content of the uploaded file. As a result, an attacker can
upload any file type with any file name. When combined with the other
bugs, this gives the attacker the ability to overwrite existing files, or
write a binary into the Startup Folder.
More details are located at:
http://www.informit.com/guides/content.aspx?g=security&seqNum=320
http://www.informit.com/guides/content.aspx?g=security&seqNum=321
Metasploit module is located at:
http://www.whitewolfsecurity.com/security/metasploit/fileutility.txt
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the
installation is vulnerable.
A remote attacker (who has already obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls on Linux to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\ sequences.
The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get them. However, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used in order to avoid pairing. Once the attacker has obtained the proper privileges, further actions are transparent to the user.
Scope of the attack:
The Directory Traversal vulnerability allows a remote attacker to browse folders located anywhere in the file system and download any file contained in any folder.
1) List arbitrary directories
Any directory within the file system of the phone can be browsed, beyond the limits of the default shared folder (the SDCard).
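Every OBEX FTP traversal above, and the Total Commander backslash case earlier on this page, comes down to a server or client that joins a peer-supplied name onto a base directory without resolving ".." against that base; the Windows CE stacks accept both "/" and "\" as separators, so a check that only knows one of them is bypassed by the other. The following is an added example, not code from any of the affected products: a confinement routine that splits a relative name on either separator, resolves "." and "..", and rejects the name outright the moment it would climb above the share root. The share root "/share" in the demo wrapper is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DEPTH 64

/* Resolve `rel` beneath `root`, writing "root/a/b" into out. Both '/' and
 * '\\' separate components. Returns 0 on success, -1 if the name tries to
 * leave root, contains a drive-style component ("C:"), or does not fit.
 * Rejecting rather than clamping matters: a ".." at the root level is an
 * escape attempt, not a typo, and the attempt itself is worth logging. */
int confine_path(const char *root, const char *rel, char *out, size_t cap)
{
    const char *comps[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;
    const char *p = rel;

    while (*p) {
        while (*p == '/' || *p == '\\')         /* skip separators, including a leading one */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t l = (size_t)(p - start);

        if (l == 1 && start[0] == '.')
            continue;                            /* "." is a no-op */
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                       /* would climb above root */
            depth--;
            continue;
        }
        if (memchr(start, ':', l))
            return -1;                           /* "C:" style component */
        if (depth == MAX_DEPTH)
            return -1;
        comps[depth] = start;
        lens[depth] = l;
        depth++;
    }

    size_t n = strlen(root);
    if (n + 1 > cap)
        return -1;
    memcpy(out, root, n);
    for (int i = 0; i < depth; i++) {
        if (n + 1 + lens[i] + 1 > cap)
            return -1;
        out[n++] = '/';
        memcpy(out + n, comps[i], lens[i]);
        n += lens[i];
    }
    out[n] = '\0';
    return 0;
}

/* Demo wrapper with an assumed share root; returns the confined path or
 * NULL when the name is rejected. */
const char *confine_demo(const char *rel)
{
    static char out[256];
    return confine_path("/share", rel, out, sizeof out) == 0 ? out : NULL;
}
```

The same routine applies on the client side of the Total Commander case: "st\..\..\..\..\..\BackSlashPoC" is refused at the second "..", whereas "st\..\BackSlashPoC" legitimately resolves to the share's BackSlashPoC entry.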
interface.
2. Select the option "About VPN Client..." from the "Help" menu. This
menu option will display a dialog box that contains text similar to
"Cisco Systems VPN Client Version 4.8.01.0300."
Note: By default, the "Cisco Systems VPN Client" folder is located in the
"Programs" sub-menu of the Windows Start menu. The system administrator
may have chosen to use a different name or location.
Alternatively, the Cisco VPN Client version information can be obtained
from a Microsoft Windows Command Prompt using the "vpnclient.exe version"
> place November 3rd to 6th, 2010 in Lucerne. The conference is the first
> of its kind in Switzerland and is organized by DEFCON Switzerland, a
> non-profit association with the aim to give experts and professionals a
> platform to transfer insights into the information security domain and
> to sensitize users to information security topics. The official
> conference web site is located at: https://www.hashdays.ch.
>
> The Call For Paper (CFP) is now open and we are accepting interesting &
> innovative proposals for 50-minute talks.
>
> Scope
Advisories Team.
8. *Technical Description / Proof of Concept Code*
This flaw is located in the hypervisor driver 'vmswitch.sys' of Windows
systems. The Proof of Concept shown in [Sec. 8.1] was tested on the
latest released version 6.1.7600.16701 of the above mentioned driver.
When digging into the vulnerability, at offset 0x20 of a
hypervisor packet there is a QWORD (0x3333333333333333 in the PoC) that
How to determine if the installation is affected
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the
installation is vulnerable.
The conference will be held at the Melkweg club at Lijnbaansgracht
234a, 1017 PH Amsterdam, The Netherlands.
By foot/bicycle
The Melkweg is located practically on the Leidseplein square, behind
the Stadsschouwburg on the right. Parking places for bicycles around
Leidseplein are limited. Any bicycles not parked inside the stands will
be removed. Locker (a secure bicycle parking facility located to the
right of the Paradiso on Weteringschans) is the best place to park your
bicycle in safety. It is open 24 hours a day, 7 days a week, and only
arbitrary code execution in the context of the logged on user. This
vulnerability is present only on Windows Guest Operating Systems.
In order for an attacker to exploit the vulnerability, the attacker
would need to be able to plant their malicious executable in a
certain location on the Virtual Machine of the user. On most
recent versions of Windows (XP, Vista) the attacker would need to
have administrator privileges to plant the malicious executable in
the right location.
Steps needed to remediate this vulnerability: See section 3.a.