
Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network
                         Denial of Service Vulnerability

Advisory ID: cisco-sa-20080326-pptp

http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml


Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability

Cisco Industrial Ethernet 3000 (IE 3000) Series switches running
Cisco IOS Software releases 12.2(52)SE or 12.2(52)SE1 contain a
vulnerability where well-known SNMP community names are hard-coded
for both read and write access. The hard-coded community names are
"public" and "private."

Cisco recommends that all administrators deploy the mitigation
measures outlined in the Workarounds section or perform a Cisco IOS
Software upgrade.


RE: 0day: PDF pwns Windows

Minor point:

No need to limit such accumulations to nation-states though. People interested
in fiddling with other people's computers have come up with attacks that don't
get instantly published at least since the 1970s, and have had more-or-less private
channels to communicate them. The motives these days, if you believe the press,
may be more around money than simple mischief, but the practice of not disclosing
bugs and exploits to the world has been with us a long time. Such exploits are 0day
exploits until someone gets wind of them who will do something to defend against
them. This can be a vendor, someone who publishes workarounds for admins, or whatnot,

FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav

CORE-2008-0813 - vBulletin Cross Site Scripting Vulnerability

*Technical Description / Proof of Concept Code*

This is a Cross Site Scripting (XSS) vulnerability within the vBulletin
community forum solution. In order to exploit this flaw the following
option needs to be activated:
'http://victim/vBulletin/profile.php?do=editoptions' (Show New Private
Message Notification Pop-Up enabled). Many forums have this
option enabled by default for all new users.

The title is not being encoded in the following rendered HTML code:


HyperVM File Permissions Local Vulnerability

HyperVM is a virtualization application that runs off a host node and can provide
several Virtual Private Servers. There is a previously unreported vulnerability in
HyperVM/Kloxo.

It was originally documented in ISSUE 14 by an anonymous author:
http://www.milw0rm.com/exploits/8880

It turns out that he was showing how a root shell can be created:

        [user1@testing574 tmp]$ ls -al

Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network
                         (MVPN) Data Leak

Advisory ID: cisco-sa-20080326-mvpn

http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml


RE: Question about exploit exposing SSN & user info

conscientious company will respect your efforts and appreciate your
dedication to the company and its customers.  

Regular contributors to this forum are sure to provide you with a lot of
good advice.  They have a lot of experience with this sort of problem
within the private sector as well as at the state/federal level.  No
matter what advice comes your way, remember that at the end of the day
we are just advisors.  You have to live the consequences of your
discovery.  Make sure that you protect yourself as well as your company
and your customers.


Re: 0day: PDF pwns Windows

Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>   
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>>     

Cisco Security Advisory: Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities

    authenticated attacker
    A user who is authenticated to the device can inject arbitrary
    commands into the underlying operating system with root
    privileges, via the ping test and traceroute test parameters.

  * Retrieval of admin SSL certificate private key
    The admin SSL certificate private and public keys can be
    retrieved (used for Quick VPN) by a remote unauthenticated user.

These vulnerabilities are documented in Cisco bug ID CSCtn23871 and have
been assigned Common Vulnerabilities and Exposures (CVE) IDs:

Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720

Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that
run branches of Cisco IOS based on 12.2 can be vulnerable to a denial
of service vulnerability that can prevent any traffic from entering
an affected interface. For a device to be vulnerable, it must be
configured for Open Shortest Path First (OSPF) Sham-Link and Multi
Protocol Label Switching (MPLS) Virtual Private Networking (VPN).
This vulnerability only affects Cisco Catalyst 6500 Series or
Catalyst 7600 Series devices with the Supervisor Engine 32 (Sup32),
Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720)
modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B,
Supervisor 720-3BXL, Route Switch Processor 720, Route Switch

Proxy bypass vulnerability & plain text passwords in LevelOne AMG-2000

--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network of the
management "private LAN" port) which an attacker is then able to access. The
squid proxy runs on port 2128 by default on the AMG-2000.


2) All passwords from local user accounts, such as on-demand guest users, are
shown in plain text in the admin interface (e.g. also see manual screenshots).

Code to mitigate IE STYLE zero-day

/****  Paste the following into a new .def file:  *************

LIBRARY "iebsfix1.dll"

EXPORTS
        DllCanUnloadNow PRIVATE
        DllGetClassObject PRIVATE
        DllRegisterServer PRIVATE
        DllUnregisterServer PRIVATE

***************************************************************/

KwsPHP (Upload) Remote Code Execution Exploit

         * This function is called by the
         * get()/post()/formdata() functions.
         * You don't have to call it, this is
         * the main function.
         *
         * @access private
         * @return string $this->recv ServerResponse
         * 
         */
        function sock()
        {

Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information.  I cannot judge whether or not the exploit is easy to find.  I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.  

My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk).  This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files.  I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its users.

My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it?  Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"? 

Again my apologies if my asking this question in the wrong forum has offended anyone.  


CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

the checkSession() function is called but now I show you because it is bypassed,
again from the decompiled FlashServiceImpl.class:

..
private void checkSession()
        throws AxisFault
    {
        if(!enableSessionCheck)
            return;
        MessageContext messagecontext = MessageContext.getCurrentMessageContext();

Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability

Cisco uBR10012 series devices need to communicate with an RF Switch
when configured for linecard redundancy. This communication is based
on SNMP (Simple Network Management Protocol). When linecard
redundancy is enabled on a Cisco uBR10012 series device, SNMP is also
automatically enabled with a default community string of private that
has read/write privileges. Since there are no access restrictions on
this community string, it may be exploited by an attacker to gain
complete control of the device.

Changing the default community string, adding access restrictions on

Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.

Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.


Re: 0day: PDF pwns Windows

On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
> 
> A "private 0day exploit" (the case I was concerned with) would be where
> someone develops an exploit, but does not deploy or publish it, holding
> it in reserve to attack others at the time of their choosing. Presumably
> if such a person wanted to keep it for very long, they would have to
> base it on a vulnerability that they themselves discovered, and did not
> publish.
> 
> I continue to dismiss the requirement that an 0day be found maliciously

Default SSL Keys in Multiple Routers

Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device's firmware.

The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.

Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host.

LittleBlackBox can be downloaded from http://littleblackbox.googlecode.com.

More information is available at http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/.


R7-0038: Check Point Endpoint Security Server Information Disclosure

R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011

-- Vulnerability Details:

The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. 

Examples of exposed files include:

https://server/conf/ssl/apache/integrity-smartcenter.cert
https://server/conf/ssl/apache/integrity-smartcenter.key

Revised: Portable OpenSSH security advisory: portable-keysign-rand-helper.adv

        sshd_config), then remove the setuid bit from ssh-keysign.

4. Details

        ssh-keysign is a setuid helper program that is used to mediate
        access to the host's private host keys during host-based
        authentication. It would use its elevated privilege to open
        the keys and then immediately drop privileges to complete its
        cryptographic signing operations.

        After privilege was dropped, ssh-keysign would ensure that

[ GLSA 200908-01 ] OpenSC: Multiple vulnerabilities

Description
===========

Multiple vulnerabilities were found in OpenSC:

* b.badrignans discovered that OpenSC incorrectly initialises private
  data objects (CVE-2009-0368).

* Miquel Comas Marti discovered that src/tools/pkcs11-tool.c in
  pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party
  PKCS#11 modules, generates RSA keys with incorrect public exponents

Re: /proc filesystem allows bypassing directory permissions on Linux

Attacker opens my_priv and waits.

>pavel@toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file
># lock down directory
>pavel@toy:/tmp/my_priv$ chmod 700 .
># relax file permissions, directory is private, so this is safe
># check link count on unwritable_file. We would not want someone 
># to have a hard link to work around our permissions, would we?
>pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file 
>pavel@toy:/tmp/my_priv$ cat unwritable_file 
>this file should never be writable

Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200

analysis of a secure component you want to unsecure. These are known as "timing attacks".

Timing attacks were very popular years ago, and this field of research is still in progress.

Briefly, timing attacks consist of analyzing the time it takes for a system to compute data in
order to predict private information about that data. The information obtained from a timing
attack lowers the security of the component under analysis.

Benchmarking attacks include timing attacks, so it is worth covering timing attacks before
benchmarking attacks for those of you who are not familiar with this field of research.

Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities

The Mobile IP Support NAT Traversal feature is documented in RFC
3519. It introduces an alternative method for tunneling Mobile IP
data traffic. New extensions in the Mobile IP registration request
and reply messages have been added for establishing User Datagram
Protocol (UDP) tunneling. This feature allows mobile devices in
collocated mode that use a private IP address (RFC 1918) or foreign
agents (FAs) that use a private IP address for the care-of address
(CoA) to establish a tunnel and traverse a NAT-enabled router with
mobile node (MN) data traffic from the home agent (HA).

More information on Mobile IP NAT Traversal feature can be found at

Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information

Summary
=======

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for Multiprotocol Label Switching (MPLS) Virtual Private
Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and
using Border Gateway Protocol (BGP) between Customer Edge (CE) and
Provider Edge (PE) devices may permit information to propagate
between VPNs.


Re: Re: OpenSSH security advisory: cbc.adv

an implementation of SSH written to implement the specification.

It only takes a few seconds to realise that SSH is used in critical systems. We
have seen in recent weeks and months that we are all vulnerable to the security
of the banking systems. Anyone who uses online banking makes use of systems that
include SSH. Do the oil companies have a private network for ordering stocks?
What about weather stations or tidal gauges, are they on private networks? Are
there any ISPs who don't use remote management?


on 24/11/08 8:04 PM, guillaume.muller@freesurf.fr wrote:

CubeCart 4 Session Management Bypass

HTTP/1.1 200 OK
Date: Tue, 20 Oct 2009 09:01:58 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Pragma: private
Cache-control: private, must-revalidate
Content-Disposition: attachment; filename=cubecartlatest_20Oct09.sql
Content-length: 80864
Content-Transfer-Encoding: binary
Content-Type: application/octet-stream

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and the moderator control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel.

III. INTRODUCTION
-------------------------
