======
VersantD is the service used for managing the Versant database. By
default it listens on port 5019 and assigns a new port after a client
connects to it: the client connects to port 5019, where it is handled
by the ss.exe process, and after the initial exchange of data the
connection continues on the new port.
The first incredible thing which happens when a client connects is that
the full paths which will be used by the server to launch the needed
Product Homepage: http://dd-wrt.com/
Impact:
1) Remote root command execution /bin/sh
2) Change web administration password and enable remote administration
3) Create new Port Forwarding rules to bypass NAT.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
short. Open up a Safari browser on your favorite chode-sniffing operating
system. Go to a "banned" port like 25 and you'll get an error:
___Not allowed to use restricted network port___ (WebKitErrorDomain:103)
Add 65536 to 25 to make 65561 and revisit the site on this new port-- no such
cockblocking. You're good to go. You can now use the Safari web browser as a
device to hit any port on any address with a cross-protocol scripting attack.
HOWTO video! http://vimeo.com/10302434
. 2008-05-14: Vendor sends information for the advisory, including steps
to protect from the vulnerability and considering the issue closed.
. 2008-05-15: Core asks the vendor if the response is final and
communicates that the steps described by the vendor are only ineffective
mitigations that can be bypassed by a skilled attacker (i.e. finding any
new port and erasing the Interbase logs). If the response is final,
advisory will be published on May 26th as scheduled.
. 2008-05-15: Vendor confirms that the response is final and that any
further information will be notified to the customers.
. 2008-05-15: Core decides and communicates to the vendor that the advisory
will be published on May 20th, no further postponement is required by