Details
=======
Documented in RFC2661, L2TP and RFC3931, L2TPv3 are protocols for
tunneling network traffic between two peers over an existing network.
A device running affected 12.2 and 12.4 versions of Cisco IOS and
that has the L2TP mgmt daemon process running will reload when
processing a specially crafted L2TP packet.
1975 access to the affected device. Cisco IOS software releases
12.2BC and 12.2SCA support the CoPP feature. CoPP may be configured
on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Note: CoPP is not supported on uBR10012 series devices.
fclose($newpm);
------------------------------------------------------------------------------------------------
Bug Explanation:
The platform has several vulnerabilities in the "login system" and in the "private message sender system".
The first vulnerability is in index.php, which verifies the login without an SQL database by checking the existence of files named Nick.HashMD5Password.php in the "db" directory.
The CMS's coder didn't think about directory traversal. In fact, if we try to log in with these cookies:
rem_user = /../users/Nick
rem_pass = HashMD5Password
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of
the browser_autopwn module by James Lee. A number of existing
client-side exploits have been updated to use better fingerprinting and
evasion techniques. All TCP-based exploits can now be launched through
SOCKS4, SOCKS5, and HTTP proxies.
The payload encoding library can now embed Metasploit payloads into
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
1. Postfix local privilege escalation via hardlinked symlinks
=============================================================
Sebastian Krahmer of SuSE has found a privilege escalation problem.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts. This can happen
on operating systems with specific non-standard behavior.
Symlinks (symbolic links) implement aliasing for UNIX pathnames.
They were introduced with 4.2BSD UNIX in 1983, and were adopted by
!--- other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
ip access-group 150 in
traffic to the device. Cisco IOS software releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies
and configurations. The following example, which uses 192.168.100.1
to represent a trusted host, can be adapted to your network. If FST
is not used, protocol 91 may be completely filtered. Additionally, if
UDP is disabled with the "dlsw udp-disable" command, UDP port 2067
may also be completely filtered.
II. Overview
During an audit of the MapServer v5.2.1 source code, five (5)
vulnerabilities were identified ranging from low to medium/high
severity. They include stack and heap overflows, a relative path
writing weakness, a file content leakage, as well as a file existence
leakage. Furthermore, after reporting these issues to the vendor, a
second audit by the project maintainer not only determined that v4.10.3
was also affected, but that four (4) additional stack overflows existed
in the code as well.
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to the network
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
* CSCsj98521 (registered customers only), CVE ID CVE-2010-1562
* CSCsk04588 (registered customers only), CVE ID CVE-2010-1563
* CSCsz13590 (registered customers only), CVE ID CVE-2010-1567
The following vulnerability may cause an affected device to be unable
to accept or create a new TCP connection. Existing calls will not be
terminated, but no new SIP connections will be established. If
exploited, this vulnerability will also prevent the device from
establishing any new HTTP, SSH or Telnet sessions.
* CSCsk13561 (registered customers only), CVE ID CVE-2010-1565
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DifXInstall32.exe" or
"%ALLUSERSPROFILE%\Application Data\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}\x64\
DifXInstall64.exe", which could for example add the unprivileged attacker to
the Administrators group in Windows when DifXInstall32.exe or DifXInstall64.exe
is executed by a privileged user. During installation, the installer won't
overwrite an existing DifXInstall32.exe or DifXInstall64.exe; it will execute
the existing program in the context of Local System.
On the other hand, if iTunes is already installed on the system, an
unprivileged attacker won't have access to overwrite DifXInstall32.exe,
DifXInstall64.exe, or DIFxAPI.dll. However, unprivileged attackers still have
TCPIP$BIND_SERVER.EXE_SECURITY_V55_ECO3_ALPHA
TCPIP$BIND_SERVER.EXE_SECURITY_V56_ECO4_ALPHA
After backing up the TCPIP$BIND_SERVER.EXE file, copy the new file over the TCPIP$BIND_SERVER.EXE image already existing in the SYS$COMMON:[SYSEXE] directory and restart the BIND server.
Use these steps to install the new images on a system:
1. Make a safe backup copy of the TCPIP$BIND_SERVER.EXE image already existing in the SYS$COMMON:[SYSEXE] directory.
Disabling AIC HTTP Deep Packet Inspection
+----------------------------------------
To disable AIC HTTP Deep Packet Inspection, remove the linkage
between policy-map type inspect layer4-policymap and policy-map type
inspect http layer7-policymap. This example shows an existing
configuration, followed by how to remove AIC HTTP Deep Packet
Inspection:
!--- Existing Configuration
untrusted sources. Cisco IOS software releases 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes
to minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies
and configurations. The following example can be adapted to your
network:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
effectiveness of direct infrastructure attacks, administrators are
advised to deploy ACLs to perform policy enforcement of traffic sent
to core infrastructure equipment. PIM is IP protocol 103. As an
additional workaround, administrators can explicitly permit only
authorized PIM (IP protocol 103) traffic sent to infrastructure
devices in accordance with existing security policies and
configurations. An ACL can be deployed as shown in the following
example:
ip access-list extended Infrastructure-ACL-Policy
+---------------------------------------
The TLS proxy for encrypted voice inspection feature allows the
security appliance to decrypt, inspect and modify (as needed, for
example, performing NAT fixup), and re-encrypt voice signaling
traffic while all of the existing VoIP inspection functions for SCCP
and Session Initiation Protocol (SIP) protocols are preserved. Once
voice signaling is decrypted, the plain-text signaling message is
passed to the existing inspection engines. The security appliance
accomplishes this by acting as a TLS proxy between the IP phone and
Cisco Unified CallManager and Cisco Unified Communications Manager,
TLS Proxy for Encrypted Voice Inspection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This feature allows the security appliance to decrypt, inspect and
modify (as needed, for example, performing NAT fixup), and re-encrypt
voice signaling traffic while all of the existing VoIP inspection
functions for Skinny and Session Initiation Protocol (SIP) protocols are
preserved. Once voice signaling is decrypted, the plain-text signaling
message is passed to the existing inspection engines. The security
appliance accomplishes this by acting as a TLS proxy between the IP
phone and Cisco Unified CallManager, which implies that TLS sessions are
version 6.00.2900.3527, the vulnerability is not exploitable because
the corrupted VTABLE address is not a mappable userland address.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in Internet
Explorer versions 6 and 7. Internet Explorer versions 5 and 8 do not
appear to be affected.
V. WORKAROUND
In addition, this update introduces a more conservative query behavior
in the presence of repeated DNSSEC validation failures, addressing the
"roll over and die" phenomenon. The new version also supports the
cryptographic algorithm used by the upcoming signed ICANN DNS root
(RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence
algorithm used by some signed top-level domains.
This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
Because of the scope of changes, extra care is recommended when
installing the update. Due to ABI changes, new Debian packages are
II. DESCRIPTION
The solution adopted to avoid SQL Injection flaws is not
appropriate. This allows the existence of many SQL
Injection flaws.
III. ANALYSIS
- ImagingLib arbitrary code execution vulnerability (CVE-2010-0847).
- AWT Library Invalid Index Vulnerability (CVE-2010-0848).
Additional security issues that were fixed with IcedTea6 1.6.2:
- deprecate MD2 in SSL cert validation (CVE-2009-2409).
- ICC_Profile file existence detection information leak
(CVE-2009-3728).
- JRE AWT setDifflCM stack overflow (CVE-2009-3869).
- JRE AWT setBytePixels heap overflow (CVE-2009-3871).
- JPEG Image Writer quantization problem (CVE-2009-3873).
- ImageI/O JPEG heap overflow (CVE-2009-3874).
Google Chrome
For all Apple's talk of "think different" the only one actually doing so in
regards to browser security is Google. XSS, XPS/IPE, all the traditional
methods fail against Chrome. Google, I don't even care that you are the most
ruthlessly evil corporation in existence anymore. Your stuff just works. You
had me sold at functional reliability. There was a time in my life that I had
large concern about corporate ethics. Now I know that all corporations are
evil. Some more than others. The one who is evil and smart will only ruin you
with malice, where the one that is evil and stupid can ruin you out of both
malice and out of sheer incompetence.
Other software packages using Outside In were not investigated.
It is interesting to note that this vulnerability was fixed some time
between the release of version 8.1.5 and version 8.1.9. No public
record exists documenting the existence of this vulnerability.
IV. DETECTION
iDefense confirmed the existence of this vulnerability using the following
versions of Outside In on Windows Server 2003.
Description: Profense Web Application Firewall with default configuration has a default password hash.
Technical Description:
In versions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration, the root password hash is the same default in all available products. The SSH server is enabled by default on the administrative interface and accepts root authentication using username and password credentials. The hashing algorithm used is OpenBSD's blowfish password hash, which is known to be strong. However, the existence of a static password means that if this password is leaked in some way or another, the attacker potentially has access to all exposed administrative interfaces.
__________________________________________________________________
Exploit code:
Console is not a default option in the installation of the System
Center.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Symantec
Client Security version 3.1. Previous versions may also be affected.
Symantec has confirmed the existence of this vulnerability in the
following products: