port number
Software are currently known to be affected by this vulnerability.
Details
=======
Completion of the 3-way handshake to the associated TCP port number
(s) of any of the features outlined below is required in order for
the vulnerability to be successfully exploited.
Airline Product Set (ALPS)
+-------------------------
stream data transfer, reliability, efficient flow control, full-duplex
operation, and multiplexing.
When a TCP connection is terminated on a Cisco IOS device, that is, when
the device itself is one endpoint of the connection rather than merely
forwarding it, the connection is allocated a transmission control block
(TCB). All allocated TCBs, their associated TCP port numbers, and their
TCP state are displayed in the output of the "show tcp brief all"
command-line interface (CLI) command.
Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT
state without a further TCP state transition. Examining the output of
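The check the advisory starts to describe, as an added example in Python (not Cisco's code or tooling): parse the text of "show tcp brief all" and pull out TCBs that are sitting in SYNRCVD or SYNSENT, then count them per local port. The sample output is constructed for the example, with made-up TCB handles and addresses, and follows the four-column IPv4 layout of that command.

```python
from collections import Counter

# Constructed sample of "show tcp brief all" output; the TCB handles and
# addresses are made up and were not captured from a real device.
SAMPLE_OUTPUT = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  10.1.25.3.23                10.1.25.7.11000             ESTAB
65239A84  10.1.25.3.23                198.51.100.9.40001          SYNRCVD
6521B3F0  10.1.25.3.23                198.51.100.9.40002          SYNRCVD
6521C7A8  10.1.25.3.179               10.1.25.2.20001             ESTAB
6520F124  10.1.25.3.11003             203.0.113.5.443             SYNSENT
653FCBBC  *.1723                      *.*                         LISTEN
"""

# Half-open states: the handshake started but never completed.
EMBRYONIC_STATES = {"SYNRCVD", "SYNSENT"}


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' or '*.port' into (address, port); the port is the
    last dot-separated field, which is how IOS prints this column."""
    addr, _, port = endpoint.rpartition(".")
    return addr, port


def parse_tcp_brief(text):
    """Return one dict per TCB row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "TCB":
            continue
        tcb, local, foreign, state = parts
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"tcb": tcb, "local_addr": laddr, "local_port": lport,
                     "foreign_addr": faddr, "foreign_port": fport,
                     "state": state})
    return rows


def embryonic_tcbs(text):
    """TCBs stuck in SYNRCVD or SYNSENT."""
    return [r for r in parse_tcp_brief(text) if r["state"] in EMBRYONIC_STATES]


def embryonic_by_local_port(text):
    """Count half-open TCBs per local port. A pile-up against one service
    port that does not drain between snapshots is the thing to look for."""
    return Counter(r["local_port"] for r in embryonic_tcbs(text))


if __name__ == "__main__":
    for r in embryonic_tcbs(SAMPLE_OUTPUT):
        print(r["tcb"], r["local_addr"], r["local_port"],
              r["foreign_addr"], r["foreign_port"], r["state"])
    print(dict(embryonic_by_local_port(SAMPLE_OUTPUT)))
```

A single SYNRCVD entry is normal during a handshake; take two snapshots a minute apart and compare the TCB handles, since an entry that survives unchanged is the one that never transitioned.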
=======
The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a
denial of service (DoS) vulnerability. The vulnerability is triggered
when malformed UDP packets are sent to a vulnerable device. The
vulnerable UDP port numbers depend on the device configuration.
Default ports are not used for the vulnerable UDP IP SLA operation or
for the UDP responder ports.
Cisco has released free software updates that address this
vulnerability.
Syslog Fuzzer v0.1 by Jaime Blasco (c) 2008
www.aitsec.com
-h : Host
-p : Port Number
Example:
aitsec@ubuntu:~/lab/fuzzer_syslog# perl syslog-fuzzer.pl -h 192.1683.76 -p 514
temptation to resolve targets to 127.0.0.1 or similar addresses for
sensitive domains.
[0] It appears to be a common mistake to confuse the JavaScript SOP and
the HTTP originating host definition for Cookies with regard to port
number. The JavaScript SOP
(http://www.mozilla.org/projects/security/components/same-origin.html)
does include the port number, whereas RFC2109
(http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This
behaviour is arguably incorrect, making it impossible to securely host a
website from a multi-user machine, but nevertheless is the case, and is
Crafted HTTPS packet will crash device
+--------------------------------------
A device configured for SSLVPN may reload or hang when it receives a
specially crafted HTTPS packet. Completion of the 3-way handshake to
the associated TCP port number of the SSLVPN feature is required in
order for the vulnerability to be successfully exploited, however
authentication is "not" required. The default TCP port number for
SSLVPN is 443.
This vulnerability is documented in Cisco bug ID CSCsk62253
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
Using Interface Access Control Lists
+-----------------------------------
Access lists that filter UDP packets destined to port 1975 can be
used to mitigate this vulnerability. UDP port 1975 is a registered
port number that can be used by certain applications. However,
filtering all packets that are destined to UDP port 1975 may cause
some applications to malfunction. Therefore, access lists need to
explicitly deny UDP 1975 packets that are sent to any router
interface IP addresses and permit transit traffic. Such access lists
need to be applied on all interfaces to be effective. Since the IPC
address (192.168.1.64) in the NewInternalClient tag with the IP
address of a random Internet web server and the value of the
NewInternalPort tag to 80. This effectively allows an attacker to use
the vulnerable BT Home Hub router as a proxy, or an onion router of
sorts. In other words, when probing the router's NATed IP address on
port 1337, the attacker is effectively probing the IP address and port
number specified by the port-forwarding rule, except that the router's
IP address is what shows up in the logs of the target web server, as
opposed to the attacker's real IP address. I thought this was a nice
real example of how a vulnerable router can be used as a zombie by
simply having a user visit a page with malicious scripting (XSS + UPnP
SOAP request).
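The request behind the attack, as an added example in Python (not the original researcher's code and not anything from the router's firmware): build the AddPortMapping SOAP body a hostile page would submit, parse it back out the way a router's control handler would, and apply the check the Home Hub evidently lacked, namely that NewInternalClient must be a host on the LAN. The element names are those of the IGD WANIPConnection AddPortMapping action; the LAN prefix, the target address 203.0.113.10 and the control flow are assumptions for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespaces of the SOAP envelope and the IGD WANIPConnection service.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="demo"):
    """Build the AddPortMapping request body a malicious page could send to
    the router's control URL. Argument names are the IGD action's own."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>{protocol}</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{description}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Extract the action arguments as a router's SOAP handler would."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "").strip() for child in action}


def mapping_is_sane(args, lan_network):
    """Assumed hardening check: NewInternalClient must be a host inside the
    LAN prefix and NewInternalPort a valid port. Anything else turns 'port
    forwarding' into a relay towards arbitrary Internet targets."""
    lan = ipaddress.ip_network(lan_network)
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
        port = int(args["NewInternalPort"])
    except (KeyError, ValueError):
        return False
    return client in lan and 1 <= port <= 65535


if __name__ == "__main__":
    # The abuse case from the text: external 1337 forwarded to an Internet web server.
    req = build_add_port_mapping(1337, "203.0.113.10", 80)
    args = parse_add_port_mapping(req)
    print(args["NewInternalClient"], args["NewInternalPort"],
          "sane" if mapping_is_sane(args, "192.168.1.0/24") else "REJECT")
```

The LAN check alone does not stop a page on the LAN from forwarding ports to other LAN hosts; the request still needs to be tied to an authenticated session rather than accepted from any origin the browser happens to be visiting.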
#!/usr/bin/perl -w
#IpTools(0.1.4) - Rcmd Remote Crash PoC by demonalex@163.com
#-------------------------------------------------------------
use IO::Socket;
$remote_host = '127.0.0.1'; #victim ip as your wish
$remote_port = 23; #rcmd default port number
$sock = IO::Socket::INET->new(PeerAddr => $remote_host, PeerPort => $remote_port,
Timeout => 60) || die "$remote_host -> $remote_port is closed!\n";
$sock->recv($content, 1000, 0);
$count=0;
while($count<=255){
conformance issue if you omit the domain names. But it explains why
there are so many zones that contain them.
> The JavaScript SOP
> (http://www.mozilla.org/projects/security/components/same-origin.html)
> does include the port number, whereas RFC2109
> (http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This
> behaviour is arguably incorrect, making it impossible to securely
> host a website from a multi-user machine, but nevertheless is the
> case, and is implemented by most major browsers.
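The distinction being discussed, as an added example in Python that is not from either message in the thread: same_origin compares the (scheme, host, port) triple that the JavaScript same-origin policy uses, while cookie_applies implements a simplified form of the RFC 2109 domain-match and path-match rules, which have no port input at all. The shared.example host and the two ports are made up to model the multi-user machine case.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """The (scheme, host, port) triple the JavaScript same-origin policy
    compares. Default ports are filled in so http://h/ and http://h:80/
    are the same origin."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme.lower()]
    return (u.scheme.lower(), u.hostname.lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def cookie_applies(cookie_domain, cookie_path, request_url):
    """Simplified RFC 2109 scoping: a Domain with a leading dot matches the
    host and its subdomains, a bare host matches only itself, and the
    request path must start with the cookie Path. There is no port input
    because the RFC's domain-match rule never looks at one."""
    u = urlsplit(request_url)
    host = u.hostname.lower()
    dom = cookie_domain.lower()
    if dom.startswith("."):
        domain_ok = host == dom[1:] or host.endswith(dom)
    else:
        domain_ok = host == dom
    path_ok = (u.path or "/").startswith(cookie_path)
    return domain_ok and path_ok


def multi_user_host_demo():
    """Two users on one shared host, each serving their own site on a
    different port (constructed names)."""
    alice = "http://shared.example:8001/"
    bob = "http://shared.example:8002/"
    return {
        # Scripts on Alice's site cannot read Bob's DOM: different origin.
        "script_same_origin": same_origin(alice, bob),
        # But a cookie Alice's site sets for shared.example is sent to Bob's.
        "alice_cookie_sent_to_bob": cookie_applies("shared.example", "/", bob),
    }
```

RFC 6265, which replaced RFC 2109, keeps this behaviour and says so explicitly in its security considerations: cookies do not provide isolation by port.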
With the ease of database access to filenames, it is trivial to script up a client app to download all published files on the server without authentication over SSL.
Further, it is trivial to determine if someone is running EFSWS, even on an alternate port, by using the following Googledork: inurl:vfolder.ghp. There are other more accurate Googledorks, but I'll leave that up to the researcher.
This will show the (typically) unique file "vfolder.ghp" results, where you can retrieve the full company URL from, including port number. This too can be scripted.
I am still trying different methods to access the USERS.SDB file, also in the root application directory, which contains all users (even administrative) and passwords (in the clear) in an effort to bypass any mandatory authentication applied, but have not found a way to gain access to this file externally yet.
Vulnerable Versions:
The current version is 5.0, released in August of this year. While certain vulnerability testing took place in our Hammer of God labs in Bermuda, we were not able to check all versions of the software. Self-assessment is trivial, so we will leave it up to the user to perform his/her own testing.
aaa authentication secure-http-client
aaa authentication listener https inside port https
A configuration affected by this vulnerability will contain the
command aaa authentication secure-http-client or aaa authentication
listener https inside port <port number>. Note that with the
configuration in the preceding example, the device is vulnerable to
attacks coming from the inside interface.
TLS Proxy for Encrypted Voice Inspection
+---------------------------------------
===========
Rob Leslie reported that the
originates_from_local_legacy_unicast_socket() function in
avahi-core/server.c does not account for the network byte order of a
port number when processing incoming multicast packets, leading to a
multicast packet storm.
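The class of mistake in that report, as an added example in Python rather than avahi's C (it models only the port comparison, not avahi's socket handling or the resulting storm): a UDP source port read in the host's native byte order instead of network order compares unequal to 5353 on a little-endian host, so a responder following the mDNS rule "source port other than 5353 means legacy unicast query" misclassifies ordinary multicast traffic. The header bytes are constructed inline; the legacy-unicast rule is RFC 6762 section 6.7.

```python
import struct
import sys

MDNS_PORT = 5353


def host_is_little_endian():
    return sys.byteorder == "little"


def make_udp_header(src_port, dst_port, length=8, checksum=0):
    """Encode a UDP header; all four fields are big-endian on the wire (RFC 768)."""
    return struct.pack("!HHHH", src_port, dst_port, length, checksum)


def src_port_correct(udp_header):
    """Decode the source port with an explicit network-order format (ntohs)."""
    return struct.unpack("!H", udp_header[:2])[0]


def src_port_native(udp_header):
    """Decode in the host's native order, i.e. the ntohs() call is missing.
    On a little-endian host this byte-swaps the value; on a big-endian host
    the bug is invisible, which is how it survives testing."""
    return struct.unpack("=H", udp_header[:2])[0]


def is_legacy_unicast_query(udp_header, decode_port):
    """mDNS (RFC 6762 section 6.7): a query whose source port is not 5353 is
    a legacy unicast query and gets a unicast reply. A responder that
    misreads the port misclassifies ordinary multicast traffic."""
    return decode_port(udp_header) != MDNS_PORT


def classify(src_port):
    """Compare the two decoders for a packet sent from `src_port`."""
    hdr = make_udp_header(src_port, MDNS_PORT)
    return {
        "wire_value_read_natively": src_port_native(hdr),
        "correct": is_legacy_unicast_query(hdr, src_port_correct),
        "buggy": is_legacy_unicast_query(hdr, src_port_native),
    }
```

Port 5353 is 0x14E9 on the wire; read natively on a little-endian machine it becomes 0xE914 (59668), which is exactly the kind of value that turns a self-originated multicast packet into something the responder thinks it must answer.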
Impact
======
1. Enumerating Service Owner Usernames
2. Enumerating Computer names for a particular Service Owner
3. Enumerating Service Owner Server IP address and Port number
4. Hijacking Insecure Communication in Service Pages
5. Hosting Phishing Pages and other Malware on Trusted Operaunite.com
#include <stdio.h>
#include <mysql.h>

MYSQL *conn = mysql_init(NULL);
if (!mysql_real_connect(conn,
    "localhost",      /* server hostname or IP address; on Unix "localhost"
                         selects the socket file and the port is ignored */
    "monty",          /* mysql user */
    "montypython",    /* password */
    NULL,             /* default database to use, NULL for none */
    0,                /* port number, 0 for default */
    NULL,             /* socket file or named pipe name */
    CLIENT_FOUND_ROWS /* connection flags */ ))
{
    puts ("Connect failed\n");
}
=======
A Cisco IOS device that is configured for SSLVPN or SSH may reload
when it receives a specially crafted TCP packet on TCP port 443
(SSLVPN) or TCP port 22 (SSH). Completion of the three-way handshake
to the associated TCP port number of these features is required for
the vulnerability to be successfully exploited; however,
authentication is not required. A Cisco IOS device that is configured
for IKE encrypted nonces may reload when it receives a specially
crafted UDP packet on port 500 or 4500 (if configured for NAT
Traversal (NAT-T)).
versions are suspected to be vulnerable.
V. WORKAROUND
Employing firewalls to limit access to the affected service's open ports
(TCP and UDP port 407) can help prevent potential exposure to these
vulnerabilities.
VI. VENDOR RESPONSE
Motorola Inc. has addressed these vulnerabilities by releasing version
Although DNS cache poisoning attacks are not new, a security researcher
recently presented a technique that allows an attacker to mount
successful DNS cache poisoning attacks with low complexity tools and
low traffic requirements. This technique exploits a weakness in most
implementations of the DNS protocol. The fundamental implementation
weakness is that the DNS transaction ID and source port number used to
validate DNS responses are not sufficiently randomized and can easily
be predicted, which allows an attacker to create forged responses to
DNS queries that will match the expected values. The DNS server will
consider such responses to be valid.
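A check a practitioner can run against a resolver's outgoing queries, as an added example in Python (not the researcher's tooling): from a sample of (source port, transaction ID) pairs, flag a fixed or counting source port and a counting TXID, which together leave the attacker at most 16 bits to guess. Both observation lists are constructed; resolver A uses a fixed port and a TXID counter, resolver B draws both fields from a seeded PRNG over the ephemeral port range assumed here (1024 to 65535).

```python
import random
from collections import Counter

# Constructed observations of (source port, transaction ID) for successive
# outgoing queries from two resolvers; neither list is a real capture.
# Resolver A: fixed source port, TXID is a simple counter.
FIXED_PORT_RESOLVER = [(53, (0x1A2B + i) & 0xFFFF) for i in range(64)]
# Resolver B: random ephemeral port and random TXID (seeded for reproducibility).
_rng = random.Random(20080708)
RANDOM_RESOLVER = [(_rng.randint(1024, 65535), _rng.randint(0, 65535))
                   for _ in range(64)]


def is_sequential(values, tolerance=0.75):
    """True when at least `tolerance` of consecutive differences are +1,
    i.e. the field is a counter rather than a random draw."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1) >= tolerance


def assess(observations):
    """Classify a resolver from a sample of its outgoing queries. A fixed or
    counting source port leaves only the 16-bit TXID for the attacker to
    match; a counting TXID leaves nothing to guess at all."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))
    dominant_port, dominant_count = Counter(ports).most_common(1)[0]
    port_weak = (distinct_ports < len(observations) // 2) or is_sequential(ports)
    txid_weak = is_sequential(txids)
    return {
        "distinct_ports": distinct_ports,
        "dominant_port": dominant_port,
        "dominant_port_share": dominant_count / len(observations),
        "port_weak": port_weak,
        "txid_weak": txid_weak,
        "verdict": "POOR" if (port_weak or txid_weak) else "GOOD",
    }


if __name__ == "__main__":
    print("fixed-port resolver :", assess(FIXED_PORT_RESOLVER))
    print("random-port resolver:", assess(RANDOM_RESOLVER))
```

Sixty-odd samples are enough to catch a fixed or counting port; they are not enough to prove a port is well distributed across the whole range, so treat GOOD as "no obvious weakness seen" rather than a clean bill of health. A NAT device in front of the resolver can also rewrite source ports and undo the randomization, so sample on the outside of the NAT as well.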
    free(psBuf);
    return 0;
}
psTmp2[0] = '\0';

/* remove port number from URL */
if(bRemovePort)
{
    psTmp2 = _mbschr(psTmp, ':');
    if(psTmp2)
    {
===============
The Acronis Agent is an essential component of Acronis True Image Echo
Server (Workstation and Enterprise packages) and is a server running on
the TCP and UDP port 9876 which allows the local and remote management
of Acronis TrueImage.
The Acronis True Image Windows Agent must not be confused with the
Acronis Snap Deploy Management Agent, which uses the same ports but a
different protocol and so is not affected by this bug.
Problem Description:
A vulnerability was reported in the SquirrelMail Mail Fetch plugin,
wherein (when the plugin is activated by the administrator) a user
is allowed to specify (without restriction) any port number for their
external POP account settings. While the intention is to allow users
to access POP3 servers using non-standard ports, this also allows
malicious users to effectively port-scan any server through their
SquirrelMail service (especially note that when a SquirrelMail server
resides on a network behind a firewall, it may allow the user to
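The input check that closes this hole, as an added example in Python (not SquirrelMail's own fix, which is in PHP and may differ): the port must parse as a plain decimal in range and sit on an allowlist of POP3 ports, and a literal target address in a loopback, private, link-local or otherwise non-routable range is refused so the webmail server cannot be pointed at its own network. The allowlist of 110 and 995 is an assumed policy for the example; hostnames are not resolved here, so a deployment must repeat the address check on the resolved address before connecting.

```python
import ipaddress

# Ports an external POP3 account may legitimately use; anything else is
# refused rather than probed. (Assumed policy for this example.)
ALLOWED_POP_PORTS = {110, 995}


def parse_port(value):
    """Accept only a plain decimal port in 1..65535; '', ' 110', '-1' and
    '0x6e' are all rejected instead of being coerced."""
    if not isinstance(value, str) or not value.isdigit():
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def is_internal_target(host):
    """True for literal addresses the server must never connect out to on a
    user's behalf. Hostnames are not resolved here; the caller re-checks the
    resolved address, otherwise a name pointing at 127.0.0.1 slips through."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal address
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_pop_target(host, port_value):
    """Return (ok, reason). The reason is for the server log, not the user:
    distinguishing 'refused', 'timed out' and 'not allowed' in the UI is
    itself the port-scan oracle the text describes."""
    port = parse_port(port_value)
    if port is None:
        return False, "malformed port"
    if port not in ALLOWED_POP_PORTS:
        return False, "port not permitted for POP3"
    if not host or is_internal_target(host):
        return False, "target not permitted"
    return True, "ok"


if __name__ == "__main__":
    for host, port in [("pop.example.net", "110"), ("pop.example.net", "22"),
                       ("10.0.0.5", "110"), ("127.0.0.1", "995"),
                       ("pop.example.net", "70000")]:
        print(host, port, validate_pop_target(host, port))
```

Even with the target restricted, keep the connect timeout short and report one generic failure message to the user; the timing difference between an open and a filtered port is still measurable from the browser if the server waits the full TCP timeout before answering.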
options:
--version show program's version number and exit
-h, --help show this help message and exit
-i IPADDRESS, --ipaddress=IPADDRESS
Server IP address
-p PORT, --port=PORT Port number (defaults to 1234)
-t TARGET, --target=TARGET
Target Version: 8 -> Protheus 8 | 10 -> Protheus 10.
Defaults to 10
[waKKu@localhost: codes] # ./totvs_users_enumerator.py --target 10
aaa authentication secure-http-client
aaa authentication listener https inside port https
A configuration affected by this vulnerability will contain the command
"aaa authentication secure-http-client" or "aaa authentication listener
https inside port <port number>".
Note that with the particular configuration in the preceding example,
the device is vulnerable to attacks coming from the *inside* interface.
TLS Proxy for Encrypted Voice Inspection
Unified Communications Manager Administration interface. The software
version can also be determined by running the "show version active"
command via the command-line interface.
A SIP trunk must be configured for the Cisco Unified CallManager
server to begin listening for SIP messages on TCP and UDP port 5060
and TCP/5061. However, in Cisco Unified Communications Manager
versions 5.x and later, the use of SIP as a call signaling protocol
is enabled by default and cannot be disabled.
Cisco IOS Software is also affected by this vulnerability, but it is
A DoS vulnerability exists in the computer telephony integration (CTI) server
component of the Cisco UCCX product. The CTI server is only started when the
Integrated Call Distribution (ICD) license is enabled; Cisco Unified IP
Interactive Voice Response (Cisco Unified IP IVR) deployments are therefore not
affected by the CTI server DoS vulnerability. The CTI server listens by default
on TCP port 42027, although the port number can be changed in the System Port
Parameters screen. This vulnerability is triggered by malformed CTI messages
addressed to vulnerable systems and could cause the CTI server and the Cisco
Unified CCX Node Manager to fail, logging out all active agents. The DoS
condition is temporary: the Cisco UCCX system will become operational again
once the node manager and the CTI server complete their
Crashing ZoneAlarm 8.0.020.000 by Checkpoint (Component : TrueVector)
==========================================
- Keep ZoneAlarm 8 running with vsmon.exe running (which runs by default)
- On System A : Run the rogue proxy (attached) za_crasher_proxy.exe and set a port number (eg: za_crasher_proxy.exe 5938)
- On System B : Use Internet Explorer 6 and set proxy settings as IP of System A and port 5938 for HTTP connections
By default IE 6 has homepage as
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Leave it unchanged.