md5 hash
The patches are available from http://itrc.hp.com
Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
Instruction File - readme_for_ovalarmsrv.txt
MD5 Sum - 8b0cf8a7fd2e0d1dcdc6fe91047fad19
OV NNM v7.53
=======================
Operating_System - HP-UX (IA)
Required_Patch - No patch to base NNM v7.53 is required
OV NNM v7.53
Operating System - HP-UX (IA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - ovas_7.53_hotfix.tar
Archive File MD5 Sum - f9e3a993b3e274fd98e2cea6e255a051
Operating System - HP-UX (PA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - ovas_7.53_hotfix.tar
Archive File MD5 Sum - f9e3a993b3e274fd98e2cea6e255a051
OV NNM v7.53
Operating System - HP-UX (IA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - SSRT080024_NNM7.53.tar
Archive File MD5 Sum - a3a224d2bd9d5461ea9908c7388ff116
Operating System - HP-UX (PA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - SSRT080024_NNM7.53.tar
Archive File MD5 Sum - a3a224d2bd9d5461ea9908c7388ff116
OV NNM v7.53
Operating System - HP-UX (IA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - SSRT080024-2_NNM7.53.tar
Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7
Operating System - HP-UX (PA)
Required Patch - No patch to base NNM v7.53 is required
Archive File - SSRT080024-2_NNM7.53.tar
Archive File MD5 Sum - 50ea3050712e789027cebbe0fefd81e7
- Unix-style crypt() passwords: uses a 12 bit salt (4096
possible values) and only the first 8 characters of the
cleartext password are used
- SHA hashes: no salt; any given password can have only one
{SHA} representation
- MD5 passwords: based on the BSD MD5 crypt routine, this
provides for 48 bits of salt, for a theoretical 281 trillion
(281,474,976,710,656) possible representations of any password
Apache web server includes a command-line utility called 'htpasswd'
for managing the files used for HTTP Basic authentication. It can be
Note: The files for NNM v7.01 and NNM v7.51 listed below have not changed from rev.1 of this Security Bulletin.
Instructions for installing the files are contained in the readme_for_ovalarmsrv.txt file.
Instruction File - readme_for_ovalarmsrv.txt
MD5 Sum - ec31d95a22d68195297570c48e072cd0
OV NNM v7.53
===========
The patches are available from http://itrc.hp.com
Instructions for installing the files are contained in the readme_for_ovtopmd.txt file.
Instruction File - readme_for_ovtopmd.txt
MD5 Sum - 1f169a097b6f267887ce6ba9c0cfbdb4
OV NNM v7.53
===========
The session handler uses two different cookies, one for logged-in users
named fws_cust and one for guest users that is named fws_guest. FWS
will first check if the fws_cust cookie has been set by the browser. If
this is the case, it will split the cookie value on the dash character
(-) and it sets the name, customerid and md5pass parameters.
includes/readcookie.inc.php:
// open the cookie and read the fortune ;-)
if (isset($_COOKIE['fws_cust'])) {
Until patches or upgrades are released, HP has made binary files available to resolve the vulnerability:
1. Download the appropriate named file from this ftp site into a secure directory:
ftp://ss071449:ss071449@hprc.external.hp.com/
2. Unpack using gunzip and verify the cksum or md5sum:
572766271 2613248 named_9.2.0_11.11
3606788661 4750744 named_9.2.0_11.23IA
653361159 2330624 named_9.2.0_11.23PA
903130469 2330624 named_9.3.0_11.11
that it is possible to enter a file path to any files on the local
system hosting the SugarCRM application.
As a result SugarCRM does not display the new RSS feed in the list as it
is not a valid RSS URL Feed. However, the application creates a local
file with the filename of the md5 hash of the URL entered. The file is
created in the directory cache/feeds . If the Apache web server is used,
the file is created with the user www-data containing read permission.
== Exploitation ==
Resolved in Preliminary Firmware Version - lj9050-50fw_08_110_spcl110A.rfu
Product - HP LaserJet 9050
Resolved in Preliminary Firmware Version - lj9050-50fw_08_110_spcl110A.rfu
Optionally, verify the MD5 sums.
File - lj24x0fw_08_112_spcl112A.rfu
MD5 Sum - b3dbcc8d6d465b0a264b662b13a19685
File - lj4x50fw_08_015_spcl015A.rfu
URL: ftp://srt80118:srt80118@hprc.external.hp.com
HP-UX Release - B.11.11 (IPv4 and IPv6)
Apache Depot name - HPUXWSA-B219-03-1111ipv6.depot
MD5 Sum - 166ac363bed403ba5eba2ad02863315d
HP-UX Release - B.11.23 PA-32
Apache Depot name - HPUXWSA-B219-03-1123-32.depot
MD5 Sum - b59c377a377c86067115012c19b316f5
PW> providing reasonably good entropy sources, there's little reason not to
PW> "do it right". It's not the worst mistake I've seen, by far not the most
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for half
PW> a decade.
It's quite easy. Precomputing rainbow table for MD5 crypt with known
salt is somehow equivalent to MD5 crypt bruteforcing, if you don't mind
about required amount of storage. So, predictable salt and narrowed salt
space will have some impact if salt changes in a time comparable with
time required for bruteforcing. Salt changing once in a second is really
good one, because bruteforcing takes much longer.
As many times before in phpnuke insecurities history the attack comes through
base64 encoding/decoding. After base64_decode() there can be single quotes in
"$abadmin", but no variable sanitize applied! And it is easy to see sql
injection possibilities here. This can lead to stealing arbitrary information
from underlying database, including admin username and password md5 hash.
Next step can be cracking hash to reveal plaintext password or using md5 hash
directly for cookie manipulation, both leading to gain phpnuke admin privileges.
Now why it is critical sql injection IMHO?
3. Unpack the gz files using gunzip.
4. Verify the cksum or md5sum:
765964855 13967360 XPL_COMPONENT_3.10.040_HPUX.tar
964115406 22978560 XPL_COMPONENT_3.10.040_IPF.tar
1071892883 2324480 XPL_COMPONENT_3.10.040_Linux.tar
2657852015 11857920 XPL_COMPONENT_3.10.040_SOL.tar
1507786934 1510091 XPL_COMPONENT_3.10.040_Win.zip
The kits provide a patched version of the BIND Server.
Product/Patch kit
ITRC Download Location
MD5 and SHA1 Checksum
HP Tru64 UNIX v 5.1B-4 PK6 (BL27)
T64KIT1001630-V51BB27-ES-20090803
https://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001630-V51BB27-ES-20090803
This works only from the internal LAN, where an attacker has an IP like 192.168.1.XX.
The IP packet sent to the router must have the following features:
1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size of 8 bytes
3) The payload is the first 8 bytes of a salted md5 of the MAC address of device br0
4) br0 in these modems has the same MAC as eth0
When the modem receives the packet all services will be enabled.
$this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);
$this->msg('You should take a drink ...', 0);
foreach( $dico_c as $line )
{
$md5 = md5(trim($line).$this->p_sql_u);
$md5 = md5($this->p_uid.'-'.$ip_a[0].'-'.$ip_a[1].'-'.$this->p_hash).$md5;
$md5 = md5($md5);
if( $this->p_shold === $md5 )
{
#Gr33tz-Team
#Dork : intitle:"CCMS v3.1 Demo PW"
print "______________________________________\n";
print "-=-=-=-=-=-=+-=-=-=-=-=-=-+-=-=-=-=-=|\n";
print "-=-=-=-=-=-=+CCMS Exploit...+-=-=-=-=|\n";
print "-=-=-=-=-=-=+Remote MD5 Hash+-=-=-=-=|\n";
print "-=-=-=-=-=-=+By Pr0metheus..+-=-=-=-=|\n";
print "-=-=-=-=-=-=+Gr33tz to :+-=-=-=-=|\n";
print "-=-=-=-=-=-=+pawel2827, d3d!k, J4Z0, chez, fir3+-=-=-=-=|\n";
print "______________________________________\n";
print "[+] Enter SITE:\n";
http://ayyildiz.org
Ayyildiz Team İnternationel Force
Cs Guestbook admin name & admin hash md5 vuln.
http://xxx.com/base/usr/0.php
admin name & md5
1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10
An attacker could access any user account, including admin, using the
"hash login" authentication process. This kind of authentication method
works providing a username and a hash. The issue could be exploited
remotely providing a username and the md5 of it when
$config['loginhash_pwd'] is empty, that in fact is the default
configuration.
Snippet of vulnerable code in index.php:
RESOLUTION
HP has made the following patches for the BIND server available to resolve the vulnerability. The patches are available from the HP ITRC.
Patch kit - T64KIT1001630-V51BB27-ES-20090803
ITRC Download Location - https://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001630-V51BB27-ES-20090803
MD5 results: 639bf32e22db9ca317b0e91818a100fb
SHA1 results: 53d4010e7e982b57f2e4f4fb5aa33ac1f5114ff3
T64V51B-IX688-SAMBA3032-SSRT161-20090416.tar.gz
Location:
http://www11.itrc.hp.com/service/patch/patchDetail.do?patchid=T64V51B-IX688-SAMBA3032-SSRT161-20090416
MD5:
82a2-c576-709b-6285-39cd-ad62-ae03-92f8
SHA1:
dd0a-f116-219f-3707-6c5a-d7c2-4196-284c-fa51-2375
HP LaserJet 9050
lj9040-50fw_08_110_spcl110A-1.rfu
Optionally, verify the MD5 or SHA-1 sums.
File
MD5 Sum
SHA-1 Sum
The authentication process checks the cookies to see if the user has a given role. The user and role defined in the cookie are not validated during this process. An attacker can add a cookie (shown below) in order to bypass authentication.
BASERole=10000|nidem|794b69ad33015df95578d5f4a19d390e;
Explanation:
Each page checks to see if the user has sufficient privileges. The user's role is checked using the hasRole method, which then calls the readRoleCookie method. The code below is the readRoleCookie method as written in includes/base_auth.inc.php in rev 1.23 and earlier. This function retrieves the role of the user as read from the cookie. The cookie contains three pieces of information (role, user, and md5 hash) and is delimited by the pipe character.
function readRoleCookie()
{
// reads the roleCookie and returns the role id
$cookievalue = @$_COOKIE['BASERole'];
OV NNM v7.53 with Intermediate Patch 22
===============================
Operating System - HP-UX (IA)
Required Patch - PHSS_39246
Archive File - SSRT090008.QCCR1B26779.753_IP22_rev1.hotfix.tar
Archive File MD5 Sum - 67f6631e8af8a0791d79fe017d0a9b49
if (($tmp == 0) && ($nrows == 1)) {
$U = DB_fetchArray($result);
$uid = $U['uid'];
if ($U['status'] == USER_ACCOUNT_DISABLED) {
// banned, jump to here to save an md5 calc.
return USER_ACCOUNT_DISABLED;
} elseif ($U['passwd'] != SEC_encryptPassword($password)) {
return -1; // failed login
} elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {