. Internet Explorer 7 on Windows XP sp2
. Internet Explorer 7 on Windows XP sp3
. Internet Explorer 7 on Windows Vista sp1
. Internet Explorer 7 on Windows Vista sp2
. Internet Explorer 7 on Windows Server 2003 sp2 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 8 on Windows XP sp2
. Internet Explorer 8 on Windows XP sp3
thanks for the feedback.
From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks@tuev-sued.de>
> I think Microsoft does not consider metadata attached to a document as
> part of the document and so they decided not to include it in the
> content protected by the certificate.
Considering that the MetaData not protected by the signature contains
among others:
1.) Author
2.) Dates of creation and last change
1. Set up an HTML page with the following contents:
<html><body>
<img src="http://evil.example.com/image.png" />
</body></html>
This page should not be protected by any authentication and should be hosted
at:
http://victim.example.org/test-img.html
2. Set up an HTTP digest protected area under the following URL:
4. *Vulnerable packages*
. Internet Explorer 5.01 Service Pack 4
. Internet Explorer 6.0
. Internet Explorer 6.0 Service Pack 1
. Internet Explorer 7 (not exploitable with Protected mode on,
available on Vista)
4.1. *Vulnerable platforms*
http://www.akitasecurity.nl/advisory/AK20090402/003_dlm_launch_file_warning_dialog.png
Figure 3: Download Manager launch warning dialog
It should be noted that if Download Manager is started from Internet
Explorer on Windows Vista, an extra warning dialog is displayed when
Internet Explorer runs in Protected Mode. This warning is displayed as
Download Manager tries to start Manager.exe with the privileges of the
currently logged on user, thus elevating from the low integrity Internet
Explorer process.
http://www.akitasecurity.nl/advisory/AK20090402/004_dlm_open_outside_protected_mode.png
ZDI-11-249: (Pwn2Own) Microsoft Internet Explorer Protected Mode Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-249
August 9, 2011
-- CVSS:
6.4, (AV:N/AC:L/Au:N/C:P/I:P/A:N)
-- Affected Vendors:
Microsoft has always had links to external applications. That isn't
new.
IE protected mode doesn't protect you as much as you assume. IE-PM
protects you from drive by downloads. If you download any program
manually it is executed in normal user mode (medium integrity) or in
elevated mode (high integrity) with admin rights if elevated. This is
the same for any program downloaded in IE and run by the user, or for a
Sidebar gadget. IE-PM protects you from the stuff the browser downloads
when you surf to a web site, but not from anything you intentionally
Aten produces several IP KVM switches. These devices can be used like a
normal KVM switch with an attached keyboard, mouse and monitor.
However, it is also possible to access the hosts connected to the KVM
switch over a network using an ordinary PC as a client. As this can
also be done over an insecure network, it is very important that this
connection is cryptographically protected against sniffing of
confidential data (e.g. keystrokes, monitor signals) and man-in-the-
middle attacks. The affected products provide an SSL-encrypted web
interface. After authenticating to the web interface the user can
download a client program (Java or Windows). The client program
contains temporary authentication data so that it can connect to the
for class "Action" initialization.
Source code snippet from vulnerable script "action.php":
-----------------[ source code start ]---------------------------------
final class Action {
protected $file;
..
public function __construct($route, $args = array()) {
$path = '';
$parts = explode('/', str_replace('../', '', (string)$route));
Summary
=======
Cisco Network Access Control (NAC) Guest Server system software
contains a vulnerability in the RADIUS authentication software that
may allow an unauthenticated user to access the protected network.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at:
dialogs that users have to mechanically click through before they get to see
the dancing bunnies". There's no real security present that I can see, just a
lot of dialog boxes to click past. In fact the blog specifically mentions
things like:
Internet Explorer Protected Mode
Protected Mode is not applicable to gadgets as they are code present on the
local computer and interact with files and APIs on the local computer.
>PG> because it's moved the dancing
*Vulnerable Packages*
. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when protected mode is turned
off)
*Non-vulnerable Packages*
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The Formshield CAPTCHA library that is used to prevent automated bots
from functioning is vulnerable to a replay attack. It is possible to
fix the CAPTCHA value to a specific value and send that value to the
server as part of every request and gain access to protected
resources.
The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There
workaround is applied.
Vendor statement:
CitectSCADA is not designed to be accessible on public networks and
recommends that the SCADA and control networks be protected by firewall
or similar on live sites.
The system must be network hardened regardless of the corrupt packet
software change to ensure a secure system given the likelihood that on
the same network are open industry standard protocol devices perhaps
demo and LAN servers are not vulnerable.
In summary:
Bugs A and B are both in-game, so the attacker must already have access to
the server, i.e. know its password if it is protected and not be
banned.
Bugs C and D instead work against any server except demo and LAN servers
and are not in-game, so any attacker can crash any server,
password-protected ones included.
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 92bc0000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is caused by using an Alternate Data Stream name to open a protected folder.
All of the IIS authentication methods can be circumvented. In this technique, we append “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”
to descend /a and /a/b. At some point user1 does a cd to /a/b. Then
at some later point, while the user still has that shell open, the
sysadmin closes off permission to /a, and user1 no longer can descend
it. But it doesn't matter... user1 has already got a shell open in
/a/b, and therefore full access to all the files there which are not
otherwise protected against that user's access. user1 can copy them,
mail them to friends, make hard links to them, etc.... Anything
desired, until that shell is closed. This case won't work if you
close off /a/b, because you need to be able to modify the directory in
order to write to the file (I'm getting to that)...
Details:
~~~~~~~~
BIOS firmware on a motherboard contains special code with multiple
SMI handlers that run in System Management Mode and are loaded at
boot time into a protected part of RAM (SMRAM).
Disassembly of the code of the $SMISS handler, one of the SMI handlers in
the BIOS firmware of the ASUS Eee PC 1000HE system:
0003F073: 50 push ax
This advisory addresses the renegotiation related vulnerability
disclosed recently in Transport Layer Security protocol [1][2]. This
vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject
arbitrary data into the beginning of the application protocol stream
protected by TLS.
The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
configured to authenticate to the WebUI over HTTPS using a client
certificate, an attacker can potentially use the victim's credentials
No disrespect taken - we're all just people here ;)
Thing is, in a "perfect world" we wouldn't need security at all (well,
depending on your definition of "perfect world" is of course) - it's
"real world" issues that require we build multiple layers of defenses to
ensure that assets are protected when other layers, mechanisms, or
policies fail. And not being able to predict the future is *precisely*
why security in depth is required. For example-- Back in January of
2003 (where has the time gone?) I published an article on Security Focus
discussing how to secure Exchange Server deployments.
(http://www.securityfocus.com/infocus/1654 if you want to check up on
Updated August 31, 2010
Summary:
RSA Access Manager Server contains a potential vulnerability that could be exploited to bypass certain security restrictions, potentially enabling unauthorized access to protected resources.
CVE Identifier: CVE-2010-3018
/cmgr/control
/cmgr/event
/cdir/control
/cdir/event
/Cmd.cgi -- Accessible without arguments, but does not appear
to allow ACL bypass to normally protected
sub-commands. Unknown if any hidden commands exist.
/SendHttp.cgi -- When authentication is enabled, this appears to be
protected. However in a default configuration with
no authentication, it could provide for interesting