question

CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities

employee self-update of personal details (e.g. telephone numbers) in
Microsoft Windows Active Directory. Administrators find it easy to
automate password resets and account unlocks while managing and
optimizing the expenses associated with helpdesk calls.

The security-question mechanism used for password recovery can be
weakened by tampering with the HTTP POST request that carries the
answers, so that an attacker passes the security check after guessing
just one of the security answers. The CAPTCHA mechanism can be bypassed
in the same manner, which lets the guessing attempts be automated.
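The flaw class described above, as an added illustration: this is not ADSelfService's code, and it assumes one reading of the advisory, namely that the recovery endpoint validates whatever answer fields arrive in the POST body, so trimming the request to a single field reduces the check to one guess, and that a CAPTCHA checked only when its field is present adds nothing. The hardened version drives validation from server-side state instead. The account, question identifiers and answers are constructed sample data.

```python
import hashlib
import hmac
import secrets


def _digest(answer: str) -> str:
    """Normalise and hash a security answer (stored at enrolment, compared at recovery)."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


# Constructed sample account: three enrolled questions, answers stored as digests.
ACCOUNT = {
    "user": "alice",
    "answers": {"q1": _digest("Rex"), "q2": _digest("Lisbon"), "q3": _digest("Smith")},
}


def new_session() -> dict:
    """Server-side recovery session holding the solution of the CAPTCHA shown to the user."""
    return {"captcha": secrets.token_hex(3)}


def vulnerable_check(account: dict, session: dict, form: dict) -> bool:
    """Flawed pattern (assumed, for illustration): validation is driven by the fields
    the client chose to send. Stripping the POST body down to one answer field and
    omitting the captcha field leaves a single answer to guess, and nothing stops a
    script from retrying."""
    if "captcha" in form and form["captcha"] != session["captcha"]:
        return False
    for qid, given in form.items():
        if qid.startswith("q"):
            expected = account["answers"].get(qid, "")
            if not hmac.compare_digest(expected, _digest(given)):
                return False
    return True


def hardened_check(account: dict, session: dict, form: dict) -> bool:
    """Validation driven by server-side state: the CAPTCHA is mandatory and consumed on
    every attempt (so an automated guesser cannot replay it), and every enrolled
    question must be present and correct. All questions are evaluated even after a
    mismatch so that response time does not reveal which answer was wrong."""
    expected_captcha = session.pop("captcha", None)
    if expected_captcha is None or not hmac.compare_digest(
        expected_captcha.encode(), form.get("captcha", "").encode()
    ):
        return False
    all_correct = True
    for qid, expected in account["answers"].items():
        if not hmac.compare_digest(expected, _digest(form.get(qid, ""))):
            all_correct = False
    return all_correct


if __name__ == "__main__":
    s = new_session()
    print("trimmed POST, vulnerable:", vulnerable_check(ACCOUNT, s, {"q1": "Rex"}))  # True
    s = new_session()
    print("trimmed POST, hardened:",
          hardened_check(ACCOUNT, s, {"q1": "Rex", "captcha": s["captcha"]}))  # False
```

Consuming the CAPTCHA on every attempt, not only on success, is what breaks the automation the advisory mentions; a failed-attempt counter with lockout belongs next to it in a real deployment.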

DIY CMS v1.0 Poll - Multiple Web Vulnerabilities

The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions; it requires either
high user interaction or a local low-privileged user account. Successful exploitation can result in account theft,
phishing and client-side content request manipulation.

Vulnerable Module(s):
    [+] Poll - Question & Answer Input/Output


1.3
A cross-site request forgery vulnerability was detected in the DIY v1.0 Content Management System. The bug allows remote
attackers, with high required user interaction, to edit user accounts. Successful exploitation can lead to account access.
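The account-edit request the advisory describes, as an added example of the class rather than DIY CMS's own code: a handler that honours any authenticated POST next to one that requires a per-session synchronizer token and a matching Origin header. The site origin, endpoint path, session contents and the forged request are all hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"   # hypothetical site origin


def new_session() -> dict:
    """Server-side session created at login; the CSRF token lives only here and in the form."""
    return {"user": "bob", "email": "bob@cms.example", "csrf": secrets.token_urlsafe(32)}


def render_edit_form(session: dict) -> str:
    """The legitimate edit form embeds the session's token as a hidden field."""
    return (
        f'<form method="post" action="{SITE_ORIGIN}/user/edit">'
        f'<input type="hidden" name="csrf" value="{session["csrf"]}">'
        '<input name="email"><button>Save</button></form>'
    )


def edit_account_vulnerable(session: dict, form: dict, headers: dict) -> bool:
    """Flawed: any request carrying the victim's session cookie is honoured. A page on
    another site can auto-submit a form to this URL and the browser attaches the cookie,
    which is the "high user interaction" the advisory refers to."""
    session["email"] = form["email"]
    return True


def edit_account(session: dict, form: dict, headers: dict) -> bool:
    """Reject the request unless it carries the session's token and comes from our origin."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False                      # browsers send Origin on cross-site POSTs
    o = urlsplit(origin)
    if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
        return False
    token = form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return False
    session["email"] = form["email"]
    return True


# Constructed forged request: what an auto-submitting form on attacker.example produces.
FORGED_FORM = {"email": "attacker@evil.example"}
FORGED_HEADERS = {"Origin": "https://attacker.example"}
```

The Origin check is a second line of defence, not a replacement for the token: some clients and privacy settings strip Referer, and a missing header is treated as a rejection here, which a deployment has to weigh against non-browser clients of the same endpoint.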

RE: Question about exploit exposing SSN & user info

-----Original Message-----
From: hsukowa@yahoo.com [mailto:hsukowa@yahoo.com] 
Sent: Sunday, August 05, 2007 10:35 PM
To: bugtraq@securityfocus.com
Subject: Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but
it is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private

Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information.  I cannot judge whether or not the exploit is easy to find.  I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.  

My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk).  This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files.  I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its users.

My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it?  Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"? 

Again my apologies if my asking this question in the wrong forum has offended anyone.  


Sungard Banner System XSS

# Header #

Product - Banner Student System by SunGard
Specific Page - http://www.EXAMPLE.com/PATH/twbkwbis.P_SecurityQuestion (Change Security Question)
Version - 7.4 / earlier versions could also be affected
Product URL - http://www.sungardhe.com/Products/Product.aspx?id=1024
Bug Type - Cross Site Scripting (XSS)
Discovery Date - 04/06/2009
Notification Date - 04/06/2009

Re[2]: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu

Dear Felix,
While I love your comment and really welcome constructive criticism,
I actually think you should keep the focus on the Fox News style
question marks. Nowhere is it said that this is the end of
Defence in Depth (as a paradigm); we ask the question.

Then again, you seem to be judging something you haven't seen
or read. Is this because I ask Fox News style questions and you
give Fox News style comments?


AW: MS Office 2007: Digital Signature does not protect Meta-Data

Dear Mr. Poehls,

yes, I can see your point and I agree that there's a risk of an inexperienced user being spoofed by showing an Author, Time Stamps and State that could have been tampered with after the original owner signed the document.
But in my opinion, this again emphasizes the need for sufficient user knowledge of the way applications may change the appearance of signed documents in a way not intended by the author at the time of signing, and that's a question far beyond the considerations concerning the behavior of individual applications like MS Office.

In fact, the visual clue you gave for a signed document in Word 2007 shows that in the context of those document properties there are also attributes like keywords, category and comments, which are less likely to lead to the assumption that those properties could be part of the signed document. So, for example, users of SharePoint Office Server are acquainted with the behavior of showing data that is managed and shown on the server side in that area above the document. You should also mention that the label on the menu for showing this area reads "Prepare Document for Publishing", which in my opinion also gives a clue that this data is not part of the signed document.

Although I would appreciate it if Word 2007 gave more visual clues that this data isn't part of the signed document, I still believe that this is not a major security issue.

Regards,

RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

[Disclosure: I work for Microsoft. But this is my opinion, not Microsoft's]

If I click on the test link in IE 7, by itself, it does not have the vulnerability.

The applications in question are accepting arbitrary input and not validating correctly.

How is that a Microsoft or Windows problem?

Don't get me wrong, I want to protect end-users as much as the next person (as does MS), but if it is the application not validating correctly, could there not be hundreds of potential characters and strings that cause input validation problems in particular circumstances, which will vary according to the application?


Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

> That would work, but might have undesirable consequences of its own. 
> 
> In particular, it prevents a non-malicious caller from using PDEATHSIG
> to send e.g. SIGINT, which the setuid program may reasonably handle.
> 
So I don't understand you: is the bug in question a DoS issue or not, in
your opinion? IOW, do we need to reset pdeath_signal on exec()ing the
setuid/setgid binary or not?

> > > SIGKILL and SIGSTOP cannot be blocked, handled or ignored.
> > 
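The mechanism under discussion, as an added demonstration that is not part of the COSEINC advisory or of the reply: a process arms PR_SET_PDEATHSIG and then execs a target, and when that process's parent exits the kernel delivers the chosen signal to the exec'd program, which for SIGKILL it cannot block or handle. Linux only; prctl is reached through ctypes, the option numbers are the values from linux/prctl.h, and /bin/sleep stands in for a setuid target so the demo runs unprivileged. Since the kernel fix for this issue, pdeath_signal is cleared when a setuid or setgid binary is exec'd; for an ordinary binary, as here, it still survives exec, which is exactly what the example shows.

```python
import ctypes
import os
import signal
import time

PR_SET_PDEATHSIG = 1            # option numbers from linux/prctl.h
PR_SET_CHILD_SUBREAPER = 36
_libc = ctypes.CDLL(None, use_errno=True)


def _prctl(option: int, arg: int) -> None:
    """Thin prctl(2) wrapper; raises OSError on failure."""
    if _libc.prctl(option, arg, 0, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, f"prctl({option}, {arg}): {os.strerror(err)}")


def pdeathsig_demo(sig: int, target=("/bin/sleep", "30")) -> int:
    """Run the three-process setup and return the signal that terminated the exec'd
    target (0 if it exited normally). Layout:
        this process -> "attacker" parent -> child that arms PDEATHSIG and execs target
    The attacker parent exits shortly after the exec; the kernel then delivers `sig`
    to the exec'd target because the target's parent died."""
    # The orphaned target is reparented to the nearest subreaper, so we become one
    # in order to waitpid() for it after the middle process is gone.
    _prctl(PR_SET_CHILD_SUBREAPER, 1)
    r, w = os.pipe()
    middle = os.fork()
    if middle == 0:                                   # attacker-controlled parent
        os.close(r)
        child = os.fork()
        if child == 0:                                # the process that becomes the target
            os.close(w)
            _prctl(PR_SET_PDEATHSIG, sig)             # "signal me when my parent dies"
            try:
                os.execv(target[0], list(target))     # survives exec of a non-setuid binary
            except OSError:
                os._exit(127)
        os.write(w, child.to_bytes(4, "little"))      # tell the grandparent the target's pid
        os.close(w)
        time.sleep(0.2)                               # let the child reach exec, then die
        os._exit(0)
    os.close(w)
    target_pid = int.from_bytes(os.read(r, 4), "little")
    os.close(r)
    os.waitpid(middle, 0)                             # middle has exited; target is ours now
    _, status = os.waitpid(target_pid, 0)
    return os.WTERMSIG(status) if os.WIFSIGNALED(status) else 0


if __name__ == "__main__":
    got = pdeathsig_demo(signal.SIGKILL)
    print("target terminated by signal", got, signal.Signals(got).name if got else "(exited)")
```

Substituting a setuid binary for /bin/sleep is the case the thread argues about: on a kernel that does not reset pdeath_signal at that exec, the unprivileged middle process gets to choose which signal the privileged program receives.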

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link.  The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo.  First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic.  This "no inbound traffic by default so you are not vulnerable" line is crap.  It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A:"Great question. Yes, servers are the target.  A firewall should provide added protection, maybe.  Rumor is that's what they are for.  Not sure really.  What was the question again?"

Re: Vulnerabilities in Sebo - webstore

its code) in multiple webapps, which makes them vulnerable, I used the same
approach as with the vulnerabilities in WP-Cumulus. And I already reported to
security mailing lists about vulnerabilities in WP-Cumulus and in other web
applications which are using tagcloud.swf at the end of 2009 and in 2010.

So why are neither you nor other readers of the list asking the question (aka
moaning) about the same vulnerabilities in these webapps, which all are
using the vulnerable tagcloud.swf? Why are you and others only moaning about
webapps with CaptchaSecurityImages.php, but not webapps with tagcloud.swf?
And there are a lot of sites (so there are many webapps) with tagcloud.swf,
as is clear from my article XSS vulnerabilities in 34 million flash files

Re: XSS in Internet Explorer 6 and 7

disabled option) for those who will not be happy with a situation where it's
needed to have this option in the Enabled or Prompt state. Whoever wants to attack
even with this option disabled would not use this XSS hole, and would use only social
engineering to make the attack.

> My question is, if this attack works with disabling access to unsafe
> controls without "preceding comment", why use the preceding comment
> at all ?

I understand the reasons for your question :-). It's because in this article I
didn't write in detail about the Saved XSS hole in IE (I referred to the original

RE: Latest round of web hacking incidents for 2007 & Project news

    * Country: France
    * Country: Libya
    * Outcome: Planting of Malware
    * Vertical: Government

To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
all of them. We currently report such incidents if the hacked site is of
interest or if the attack method is known.


RE: [Full-disclosure] Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

I agree this isn't an "exploit" but I guess it is somewhat interesting.  Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.  

As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason.  Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?

It actually brings up a question that I find more interesting than the issue itself, which is "how far is too far?"  If MSFT designs a system around identifying files sourced from different zones in an attempt to mitigate risk of end-users downloading unknown content and immediately executing it, how far beyond user-acknowledgment and feature disabling (as even your "bypass" example shows) do you think a vendor is supposed to go (Not YOU, but the royal "you")?

I think it is a valid and applicable question. We have Apple seizing every opportunity they can to market user acknowledgement (as a mitigation) as an actual Bad Thing, yet when a file downloaded from untrusted sources on the internet is marked as Internet Zone, and the user has to explicitly attempt to open it, and doing so generates a warning and they open it anyway, and even then the "bypass" code doesn't even work, yet MSFT say they'll fix it in a service pack anyway, the entire issue you found gets reduced to "This was the response I expected." 

The real issue here is that the more we criticize vendors for not Thinking For The User in Every Possible Circumstance, the more we see countries like AU thinking they will solve security issues by requiring AV and FW on every computer.    If I posted that my Fedora box (if I had one) allowed me to do something like this, nix security people would attack me with religious furor.   Yet the moment a left-handed, sideways, and round-the-back "issue" arises that really doesn't even work, and the vendor decides to fix it in schedule maintenance, it's still not "good enough."  


RE: [Full-disclosure] COM Server-Based Binary Planting ProofOfConcept

> Planting ProofOfConcept
> 
> But it *is* worth mentioning that you have to create the 
> malicious dll file, copy it to the system, create folders 
> etc, and all the other mumbo jumbo to "exploit" this in the 
> "default configuration."   So, the answer to Dan's question 
> is actually, "no, you can't."  Which brings into question the 
> actual "worth" of mentioning this in the first place. :)
> 
> t
> 

Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi Team SHATTER,

Apologies for the very late reply, but I had a question regarding your 
advisory. I am CC'ing Oracle's security contact in hopes they can also 
reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

: Details:

Microsoft DID DISCLOSE potential Backdoor

Malicious Software removal tool: "Windows will now install a program which will report 
suspicious activity to Microsoft". As far as I can recall on any Windows update, there has 
never been any mention of it.

"But this is a wonderful tool, why are you being such a troll and knocking Microsoft for 
doing the right thing!". The question slash qualm I have about this tool is I'd like to know 
what, why, when and how things are being done on my machine. It's not a matter of 
condemning Microsoft, but what happens if at some point in time Microsoft along with 
government get an insane idea to branch away from obtaining other data for whatever 
intents and purposes?


Re: MS Office 2007: Digital Signature does not protect Meta-Data

> How a user would distinguish digitally signed data (Document-Content and
> formatting) from unsigned data (MetaData)?
> Or to use your example: What is the envelope and what is the inside?
> 
> One big problem I see is that the user is left alone answering this
> question, and I have my doubts that a user would even ask
> herself/himself this question in the first place.
> 
> Best Regards,
> Henrich C. Pöhls
> 
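A check for the point Mr. Pöhls raises here and in the AW: reply earlier on this page: which parts of an Office Open XML package the signature actually covers. This is an added example, not Office code. It assumes the OPC signature layout in which signature parts live under _xmlsignatures/ and list the parts they cover as Reference URIs (with a ?ContentType= query) inside a Manifest; the package it inspects is constructed inline, with the document content listed in the manifest and docProps/core.xml, which holds author and date properties, left out, as the thread describes.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"


def signed_parts(package: bytes) -> set:
    """Parts covered by any signature in the package: every Reference URI found in the
    signature parts, with the ?ContentType=... query and the leading slash removed.
    Same-document references such as "#idPackageObject" have no path and are skipped."""
    covered = set()
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if name.startswith("_xmlsignatures/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                for ref in root.iter(DSIG + "Reference"):
                    path = urlsplit(ref.get("URI", "")).path.lstrip("/")
                    if path:
                        covered.add(path)
    return covered


def unsigned_parts(package: bytes) -> set:
    """Parts a reader sees that no signature vouches for. [Content_Types].xml is the
    package's content-types stream rather than a part and is not expected to be signed."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        parts = {
            n for n in z.namelist()
            if not n.startswith("_xmlsignatures/") and n != "[Content_Types].xml"
        }
    return parts - signed_parts(package)


def build_sample() -> bytes:
    """Constructed minimal package (not a real Office file; the signature value is a
    placeholder): document content is in the signature manifest, docProps/core.xml is not."""
    sig = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><Reference URI="#idPackageObject"/></SignedInfo>
  <SignatureValue>placeholder</SignatureValue>
  <Object Id="idPackageObject"><Manifest>
    <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
    <Reference URI="/word/styles.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/>
  </Manifest></Object>
</Signature>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/styles.xml", "<styles/>")
        z.writestr("docProps/core.xml", "<coreProperties><creator>alice</creator></coreProperties>")
        z.writestr("_xmlsignatures/sig1.xml", sig)
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample()
    print("signed:  ", sorted(signed_parts(pkg)))
    print("unsigned:", sorted(unsigned_parts(pkg)))   # ['docProps/core.xml']
```

This only answers "what does the signature claim to cover"; verifying the signature itself is a separate step, and a part that is absent from the manifest can be rewritten in the zip without invalidating anything.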

Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Dear Roger,

RAG> The applications in question are accepting arbitrary input and not validating correctly.
Please define "correctly" in the case of a URI handler. I am not aware
of special attack vectors or injections that I should be filtering in
the case of mailto: calls; are there any? If yes, where are they
documented and where can I find them? As a developer I have no
control over what Windows does with this handler; I have to trust it.

Are all Application developers now required to work around obvious bugs
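The disagreement in this reply and in Roger's message earlier on the page is about who validates what once a URI reaches a registered handler. As an added illustration that is code from neither poster nor from Windows: a simplified model of a protocol handler's registered command having the raw URI substituted for its "%1" placeholder, and of the resulting command line being split into arguments, which is where a quote character inside the URI turns into extra arguments for the handler. The handler template is hypothetical and the splitter is a reduced model of the Windows command-line rules; the "validation" the developer side can do is shown as a scheme and character check on the URI before it is acted on.

```python
import re

# Hypothetical protocol-handler registration of the usual shape: program, then "%1".
HANDLER_TEMPLATE = r'"C:\Program Files\Example\client.exe" "%1"'


def expand_template(template: str, uri: str) -> str:
    """Model of the shell substituting the raw URI for %1, with no escaping (assumption)."""
    return template.replace("%1", uri)


def win_argv(cmdline: str) -> list:
    """Reduced model of the Windows argument splitter: double quotes group, unquoted
    whitespace separates. Enough to show how a quote in the URI ends the argument."""
    args, cur, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(cur))
    return args


def safe_uri(uri: str, scheme: str) -> bool:
    """Handler-side check: the scheme is the one we registered for, and the URI contains
    none of the characters that can break out of the quoted %1 argument (quotes,
    whitespace, control characters). A well-formed URI never carries them unencoded."""
    return uri.lower().startswith(scheme + ":") and not re.search(r'["\s\x00-\x1f]', uri)


if __name__ == "__main__":
    hostile = 'mailto:a@b.example" -x "c'
    print(win_argv(expand_template(HANDLER_TEMPLATE, hostile)))
    # ['C:\\Program Files\\Example\\client.exe', 'mailto:a@b.example', '-x', 'c']
    print(safe_uri(hostile, "mailto"))   # False
```

The split shows why both sides of the argument have a point: the substitution step hands the handler a command line it did not construct, and the handler is the only place left that can refuse a URI whose characters could not have come from a valid mailto: link.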


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
