old version
3. *Vulnerability Description*
Google SketchUp is a 3D modeling program designed for architects, civil
engineers, filmmakers, game developers, and related professions. Google
SketchUp bundles an old version of 'lib3ds', a library used to process
3DS files. This library is being compiled in a way that leads to
improper validation of data when importing 3DS files; this condition can
be exploited by remote attackers to trigger a memory corruption
vulnerability by enticing an unsuspecting user to open a specially
crafted 3DS file, possibly leading to arbitrary code execution.
Its name is not actually CMS Balitbang, but because this CMS was developed by Balitbang Kemendiknas it is better known as CMS Balitbang. CMS Balitbang is intended for the Indonesian education sector, especially for schools that do not yet have a school website. Balitbang's hope is that in future every school in Indonesia will have a web-based information system that many people can access.
----------------------------------
Vulnerability details:
CMS Balitbang uses an old version of FCKeditor for file uploads, and the upload feature is available to all users. The old version of FCKeditor is known to be vulnerable: an attacker may be able to upload arbitrary files containing malicious PHP code, because file names with multiple extensions are not properly checked.
Here is the code:
/webtemp/functions/editor/filemanager/connectors/php/config.php
global $Config ;
Now you can focus on growing your online sales.
----------------------------------
Vulnerability details:
JagoanStore CMS uses an old version of FCKeditor for file uploads, and the upload feature is available to all users. The old version of FCKeditor is known to be vulnerable: an attacker may be able to upload arbitrary files containing malicious PHP code, because file names with multiple extensions are not properly checked.
Here is the code:
/manage/fckeditor/editor/filemanager/connectors/php/config.php
global $Config ;
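The multiple-extension problem that both the CMS Balitbang and the JagoanStore entries describe, as an added example that is not FCKeditor's, CMS Balitbang's or JagoanStore's code: a Python model of the weak "last extension only" deny-list test next to a hardened allow-list check. The extension sets, the file names and the storage naming scheme are assumptions made for the demonstration.

```python
"""Double-extension check for an upload connector.

Added example, not FCKeditor's nor either CMS's code. It models the weak
"last extension only" test that an old upload connector performs against a
deny-list, next to a hardened allow-list check. The extension lists, file
names and storage naming scheme are assumptions.
"""

# Extensions the web server may hand to a script engine (assumed list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
                   "cgi", "pl", "asp", "aspx", "jsp"}

# Extensions the upload feature actually needs (assumed allow-list).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}


def allowed_by_last_extension(filename: str) -> bool:
    """Weak check: only the text after the final dot is tested against a deny-list.

    'shell.php.txt' passes because 'txt' is not denied, yet a server that maps
    the inner '.php' to its PHP handler will execute the file.
    """
    if "." not in filename:
        return True
    return filename.rsplit(".", 1)[-1].lower() not in EXECUTABLE_EXTS


def allowed_strict(filename: str) -> bool:
    """Hardened check: exactly one extension, taken from an allow-list.

    Every dot-separated part is looked at, so an executable extension hidden
    before the last dot is refused, as are ';', '%' and NUL truncation tricks.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    if any(c in name for c in ";\x00%"):
        return False
    parts = name.lower().split(".")
    if len(parts) != 2 or parts[0] == "":   # no base name, or more than one extension
        return False
    return parts[1] in ALLOWED_EXTS


def stored_name(filename: str, counter: int) -> str:
    """Never keep the client's name on disk: server-chosen base plus the validated extension."""
    if not allowed_strict(filename):
        raise ValueError("file type not allowed")
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"upload_{counter:06d}.{ext}"


if __name__ == "__main__":
    for candidate in ("photo.jpg", "shell.php", "shell.php.txt", ".htaccess", "shell.php;.jpg"):
        print(f"{candidate:16} deny-list: {allowed_by_last_extension(candidate)!s:5} "
              f"allow-list: {allowed_strict(candidate)}")
```

The allow-list version deliberately refuses names with more than one extension (so `archive.tar.gz` is rejected too); if the upload feature needs such names, rename on storage rather than trusting the client's name.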
vulnerable installations of Adobe Reader X. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.
The specific flaw exists because Adobe Reader X includes an old
version of libtiff. Adobe Reader can be tricked into using this library by
parsing a specially crafted PDF file containing U3D data. Because of the old
version of libtiff, Adobe Reader is vulnerable to the issue described in
CVE-2006-3459, which can be leveraged to execute remote code in the
context of the user running the application.
> * now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
> * new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer,
> inspired by the same tool by Nicolas Economou)
> * the tutorial is now available in chm and pdf formats
> * now with only one MSI installer for all supported Python versions
> * added support for diStorm 3 (falls back to the old version if not found)
> * now using cerealizer instead of pickle whenever possible
> * added new command to the command line debugger to show the SEH chain
> * a few more anti-anti-debug tricks were added, still more to go!
> * several improvements to the Window instrumentation classes
> * more code examples
-----------
During a security audit for a customer we have discovered
a serious vulnerability in MailMarshal (an E-Mail Security Gateway)
when unpacking TAR archives.
MailMarshal uses an old version of GNU tar (1.11.8 + 1.5win32).
By sending a specially crafted TAR file it is possible to traverse
directories and even drives. Thus files can be written anywhere
on the system and existing files can be overwritten, depending
on the privileges of the running MailMarshal processes (default:
SYSTEM privileges). This can lead to a complete system compromise.
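The member-name checks an unpacker needs in order to avoid the traversal described above, as an added example that is not MailMarshal's or GNU tar's code. It builds an archive in memory from constructed member names of the kinds the advisory mentions (parent-directory segments, an absolute path, a Windows drive letter, a symlink pointing outside) and filters every member against the destination before anything would be extracted. The destination directory is an assumption.

```python
"""Rejecting directory traversal in TAR member names before extraction.

Added example, not MailMarshal's or GNU tar's code. The archive below is
constructed in memory; the destination path is an assumption.
"""
import io
import posixpath
import tarfile


def member_is_safe(name: str, dest: str = "/var/quarantine") -> bool:
    """True only if `name`, joined to `dest`, resolves strictly inside `dest`."""
    n = name.replace("\\", "/")            # Windows extractors treat '\' as a separator
    if not n or n == ".":
        return False
    if len(n) >= 2 and n[1] == ":":        # 'C:...' is drive-relative or absolute on Windows
        return False
    if n.startswith("/"):                  # absolute path: never relative to dest
        return False
    resolved = posixpath.normpath(posixpath.join(dest, n))
    return resolved.startswith(dest.rstrip("/") + "/")


def check_members(archive: bytes, dest: str = "/var/quarantine"):
    """Return [(member name, safe?)] for every member of an uncompressed tar.

    Links are judged on their target too: a symlink target is relative to the
    link's own directory, a hard link target to the archive root.
    """
    verdicts = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for m in tf.getmembers():
            ok = member_is_safe(m.name, dest)
            if ok and m.issym():
                ok = member_is_safe(posixpath.join(posixpath.dirname(m.name), m.linkname), dest)
            elif ok and m.islnk():
                ok = member_is_safe(m.linkname, dest)
            verdicts.append((m.name, ok))
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file, three hostile names and a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in ("report.txt",
                     "../../../etc/cron.d/job",   # climbs out of the destination
                     "/etc/passwd",               # absolute path
                     "C:\\Windows\\win.ini"):     # drive letter: 'even drives'
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok in check_members(build_sample_archive()):
        print(f"{'keep' if ok else 'DROP'} {name!r}")
```

The filter only inspects names; an extractor that follows symlinks it has already created is a separate problem, which is why link targets are checked here as well.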
I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.
The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size to at max 1024 bytes, it will underrun and potentially execute arbitrary code.
Interestingly the vmstor driver (which is the old version supposed to mount VMware images prior to version 6.0) is not vulnerable.
I originally reported this vulnerability on 21-May-07 and got a response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.
how to reproduce:
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-028
Application: Velocity web-server (a part of Velocity Security Management System)
Versions Affected: Old version 1.0
Vendor URL: http://hirschelectronics.com
Bugs: Directory traversal File Download
Exploits: YES
Reported: 03.03.2008
Second report: 14.03.2008
CompressionMethod compression_methods_;
...
where ID_LEN is 32 elements long, MAX_SUITE_SZ 64 and RAN_LEN (Random)
is 32.
The ProcessOldClientHello function, called when an old version of the
Hello packet is received, does not have the checks needed to limit
the amount of data that will fill these three fields, leading to a
buffer overflow vulnerability exploitable for remote code execution.
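What the missing checks look like, as an added example that is not yaSSL's code: a Python parser for the SSLv2-compatible CLIENT-HELLO layout (2-byte record header; then message type, version, cipher-spec length, session-id length, challenge length; then the three variable-length fields) that compares each declared length against the fixed destination sizes named above (ID_LEN, MAX_SUITE_SZ, RAN_LEN) before anything is copied. The record builder and the right-justified placement of a short challenge in the 32-byte random are assumptions for the demonstration.

```python
"""Bounded parser for the SSLv2-compatible ("old") ClientHello.

Added example, not yaSSL's code. Field layout follows the SSLv2 CLIENT-HELLO;
the builder and the right-justified challenge handling are assumptions.
"""
import struct

ID_LEN = 32          # session id buffer
MAX_SUITE_SZ = 64    # cipher suite buffer
RAN_LEN = 32         # client random buffer
HEADER = struct.Struct("!BBBHHH")   # type, major, minor, cipher_len, id_len, challenge_len


class HelloError(ValueError):
    """Raised for any record that would overrun or underrun a destination buffer."""


def build_old_hello(cipher_specs: bytes, session_id: bytes, challenge: bytes) -> bytes:
    """Wrap a CLIENT-HELLO with caller-chosen field sizes in a 2-byte SSLv2 record."""
    body = HEADER.pack(0x01, 3, 0, len(cipher_specs), len(session_id), len(challenge))
    body += cipher_specs + session_id + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_old_hello(record: bytes) -> dict:
    """Parse a record, rejecting any field that would not fit its fixed buffer.

    The three lengths are attacker-controlled 16-bit values; the check that is
    missing in the vulnerable function is the comparison of each one against
    its destination size, which has to happen before the copy.
    """
    if len(record) < 2 or not record[0] & 0x80:
        raise HelloError("no 2-byte SSLv2 record header")
    rec_len = struct.unpack("!H", record[:2])[0] & 0x7FFF
    body = record[2:2 + rec_len]
    if len(body) != rec_len:
        raise HelloError("record truncated")
    if len(body) < HEADER.size:
        raise HelloError("header truncated")
    msg_type, major, minor, cipher_len, id_len, chal_len = HEADER.unpack_from(body)
    if msg_type != 0x01:
        raise HelloError("not a CLIENT-HELLO")
    if cipher_len % 3 or cipher_len > MAX_SUITE_SZ:
        raise HelloError(f"cipher specs {cipher_len} bytes, limit {MAX_SUITE_SZ}")
    if id_len > ID_LEN:
        raise HelloError(f"session id {id_len} bytes, limit {ID_LEN}")
    if chal_len > RAN_LEN:
        raise HelloError(f"challenge {chal_len} bytes, limit {RAN_LEN}")
    if HEADER.size + cipher_len + id_len + chal_len != len(body):
        raise HelloError("declared lengths do not match the record length")
    off = HEADER.size
    specs = body[off:off + cipher_len]
    off += cipher_len
    sid = body[off:off + id_len]
    off += id_len
    chal = body[off:off + chal_len]
    return {
        "version": (major, minor),
        "cipher_specs": [specs[i:i + 3] for i in range(0, cipher_len, 3)],
        "session_id": sid,
        # a short challenge is right-justified in the 32-byte client random
        "random": chal.rjust(RAN_LEN, b"\x00"),
    }


def rejects(record: bytes) -> bool:
    """True if the parser refuses the record (used to exercise the limits)."""
    try:
        parse_old_hello(record)
    except HelloError:
        return True
    return False


if __name__ == "__main__":
    oversized = build_old_hello(b"\x00\x00\x2f", b"A" * 300, b"\x22" * 16)
    print("300-byte session id rejected:", rejects(oversized))
```

Each rejection corresponds to one copy that, without the check, would write past a 32- or 64-byte array.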
From handshake.cpp:
Core states that they are ready to release this advisory on January
11th, and that releasing two separate advisories seems pointless now
because the release date of both would be very similar, and the original
idea was to mitigate the risk posed by the .wrf vulnerability. Core also
states that they are reviewing the best course of action to take with
the issue regarding clients running the old version of WebEx (T27SP21)
that according to Cisco are unable to upgrade to SP22 since this was not
accounted for previously.
. 2011-01-13:
Core states that since they have committed previously to release the
2008 and for which I wrote also a testing attack (number 7) in my
doubletakedown proof-of-concept:
http://aluigi.org/adv/doubletakedown-adv.txt
Anyway it's an old version of Double-Take so it should not be considered,
in fact I mentioned that old bug in my advisory only for thoroughness
but without the minimal consideration since the bug was already
found and patched by the same vendor (Double-Take, not HP).
issues when parsing malformed PDF documents. If a user or automated system
were tricked into opening a crafted PDF file, an attacker could cause a
denial of service or execute arbitrary code with privileges of the user
invoking the program. (CVE-2009-3606, CVE-2009-3608, CVE-2009-3609)
KOffice in Ubuntu 9.04 uses a very old version of Xpdf to import PDFs into
KWord. Upstream KDE no longer supports PDF import in KOffice and as a
result it was dropped in Ubuntu 9.10. While an attempt was made to fix the
above issues, the maintenance burden for supporting this very old version
of Xpdf outweighed its utility, and PDF import is now also disabled in
Ubuntu 9.04.
userName=asd1&firstName=asd2&middleName=asd3&lastName=asd4&email=asd5%40asd.com&password=asd6&retypePassword=asd6&redirect=null&passwordModifed=false&isReportUser=false&roleId=1&supervisorId=1&departmentId=1&locationId=1
(c) Web server vulnerabilities
VirtualIQ runs on top of an old version of Apache Tomcat: 5.5.9, for which
multiple public vulnerabilities have been released. As a
PoC, a directory traversal attack (CVE-2008-2938)
can be performed as:
http://server:9080/tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml
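Why that URL works, as an added example that is not Tomcat's code: a toy Python model of the bug class behind CVE-2008-2938. `%C0%AE` is an overlong two-byte encoding of `.`, which a strict UTF-8 decoder rejects; a server that normalises and authorises the request path on the raw percent-decoded bytes and lets the file layer decode UTF-8 afterwards never sees the `..` it is supposed to remove. The context name, the WEB-INF rule and the access-log lines are constructed for the demonstration.

```python
"""Why %C0%AE%C0%AE/ escapes a path check that runs before UTF-8 decoding.

Added example, not Tomcat's code: a toy model of the bug class behind
CVE-2008-2938. The context, the WEB-INF rule and the log lines are constructed.
"""
import re
from posixpath import normpath
from urllib.parse import unquote_to_bytes

CONTEXT = "/tvserver"    # webapp context taken from the PoC URL above


def decode_lenient_utf8(data: bytes) -> str:
    """UTF-8 decoder that accepts overlong two-byte forms such as C0 AE ('.').

    Models the permissive file-layer decoding; a correct decoder refuses lead
    bytes C0/C1 and every other overlong form. Sequences longer than two bytes
    are not needed here and are replaced by U+FFFD.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def _authorise(path: str) -> bool:
    """The path must stay inside the context and never reach WEB-INF or META-INF."""
    if not path.startswith(CONTEXT + "/"):
        return False
    rel = path[len(CONTEXT):].upper()
    return not (rel.startswith("/WEB-INF") or rel.startswith("/META-INF"))


def vulnerable_resolve(request_path: str):
    """Normalise and authorise the percent-decoded bytes; decode UTF-8 only in the file layer."""
    raw = unquote_to_bytes(request_path)
    view = raw.decode("latin-1")           # C0 AE is two opaque characters here, not '.'
    norm = normpath(view)                  # so '..' spelled with overlong dots survives
    if not _authorise(norm):
        return None, False
    final = normpath(decode_lenient_utf8(norm.encode("latin-1")))   # file layer
    return final, True


def safe_resolve(request_path: str):
    """Decode strictly first, then normalise once and authorise the result."""
    raw = unquote_to_bytes(request_path)
    try:
        text = raw.decode("utf-8")         # raises on C0 AE and every overlong form
    except UnicodeDecodeError:
        return None, False
    norm = normpath(text)
    if not _authorise(norm):
        return None, False
    return norm, True


# Overlong encodings of '.' and '/' that a strict decoder would refuse.
OVERLONG = re.compile(r"%c0%ae|%c0%af|%e0%80%ae|%e0%80%af", re.IGNORECASE)


def flag_overlong_requests(log_lines):
    """Return the request paths in combined-format log lines that carry overlong '.' or '/'."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and OVERLONG.search(m.group(1)):
            hits.append(m.group(1))
    return hits


SAMPLE_LOG = [   # constructed access-log lines
    '10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /tvserver/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] '
    '"GET /tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    poc = "/tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml"
    print("vulnerable:", vulnerable_resolve(poc))
    print("safe:      ", safe_resolve(poc))
    print("log hits:  ", flag_overlong_requests(SAMPLE_LOG))
```

The same decode-late ordering serves `/tvserver/a/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd` as `/etc/passwd`, which is the arbitrary-file-read case; the log scanner is the quick check to run over historic access logs for a server that cannot be patched immediately.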
Even if we are not reinventing the wheel, I honestly think that the exploitation scenario is far from "comfortable"... In the end a P.o.C. exploit has been released for those who want to check that the vulnerability is really exploitable.
What we want to show is that this exploitation has been possible because of the large number of overflows found in the target. In the end we found a suitable one to exploit! I think it is not serious for a certified product to have so many vulnerabilities. I think it is not serious for a firewall vendor to have so many easily detectable bugs.
I would like to apologize to the Exec-Shield developers. This paper is not about how to bypass Exec-Shield -and the reader should take into account that we are evaluating an old version- but is about Check Point firewall security. Kernel patches are a must but we must not rely on them. Buggy software is difficult to protect, even by the most advanced kernel protections. Exec-Shield is a wonderful work and I have learned a lot by reading its code.
The paper can be downloaded from:
http://www.pentest.es/checkpoint_hack.pdf
flaw was probably fixed in eFront v3.6 (publicly available).
. 2010-03-12:
eFront team confirms the flaw was fixed in v3.6 and they will issue a
patch for versions 3.5.5 and below. eFront team also notifies the
patches for old version will be available next Monday, 2010-Mar-15.
. 2010-03-12:
Core announces its plan to publish the advisory on March 16th, 2010.
. 2010-03-12: