Release Date: 2008/09/12
Last Modified: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows determining the admin password.
Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt
www.sektioneins.de
-= Security Advisory =-
Advisory: Joomla Weak Random Password Reset Token Vulnerability
Release Date: 2008/09/11
Last Modified: 2008/09/11
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Joomla <= 1.5.7
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
OS to guarantee certain behaviours. The problem here is that there is
a mechanism which causes a guarantee to be violated.
> > Also, other signals which could be triggered by the predecessor (e.g.
> > SIGALRM triggered due to alarm() followed by exec()) can normally be
> > prevented by specific means (e.g. resetting any outstanding timers).
> > This bug means that such steps are insufficient.
> >
> > A consequence of this bug is that no signal can be trusted.
>
> Sure.
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: MyBB Password Reset Email BCC: Injection Vulnerability
Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
no matter how. A well-written program must not depend on anything that is out of
its control.
> Also, other signals which could be triggered by the predecessor (e.g.
> SIGALRM triggered due to alarm() followed by exec()) can normally be
> prevented by specific means (e.g. resetting any outstanding timers).
> This bug means that such steps are insufficient.
>
> A consequence of this bug is that no signal can be trusted.
>
Sure.
Protocol (BGP) feature. The vulnerability manifests itself when a BGP
peer announces a prefix with a specific, valid but unrecognized
transitive attribute. On receipt of this prefix, the Cisco IOS XR
device will corrupt the attribute before sending it to the
neighboring devices. Neighboring devices that receive this corrupted
update may reset the BGP peering session.
Affected devices running Cisco IOS XR Software corrupt the
unrecognized attribute before sending to neighboring devices, but
neighboring devices may be running operating systems other than Cisco
IOS XR Software and may still reset the BGP peering session after
goals are to be faster, smaller and less graphically intensive as
compared to other discussion boards. PunBB has fewer features
than many other discussion boards, but is generally faster and
outputs smaller, semantically correct XHTML-compliant pages."
PunBB comes with a password reset feature that allows resetting a
forgotten password. When a password reset is requested an email
is sent to the user containing a new random password and an
activation link that needs to be visited in order for the password
change to become effective.
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.
Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.
It must be noted that further vulnerabilities are to be expected
within the software (such as buffer overflows, etc.). Due to lack of
time, no further vulnerabilities could be searched for.
only be generated by kill()) can only be received as a result of an
action by a sufficiently privileged process.
Also, other signals which could be triggered by the predecessor (e.g.
SIGALRM triggered due to alarm() followed by exec()) can normally be
prevented by specific means (e.g. resetting any outstanding timers).
This bug means that such steps are insufficient.
A consequence of this bug is that no signal can be trusted.
Also, if it's possible to set the signal to one which cannot be
> many, many, many other ways.
All of these are known, documented behaviours. The signals involved
can be blocked or ignored, and the mechanisms which send those signals
can be disabled (tcsetattr() can disable Ctrl-C etc, unused
descriptors can be closed, timers can be reset, etc).
Setuid programs will normally take such steps at startup if they have
critical sections which should avoid being interrupted (e.g. to
prevent stale lock files).
Summary
It is possible for a non admin user to gain admin privileges on
bytehoard 2.1, by overwriting a session variable if the php option
"register_globals" is enabled. This variable can be overwritten by
abusing the "register user" or the "password reset" module.
Impact
A non-admin user can gain admin privileges, access other accounts and
perform operations under nonexistent accounts.
> access at all times of that Asus netbook it's arguably more secure in
> some circumstances.
Not just XP Home. I can confirm that this "vulnerability" is a standard feature
of several OEM and MS released versions of both XP Home and XP Professional.
In both cases I've had to manually reset the password to something.
This seems to be a "feature" - since if you have to use the recovery console
it'll ask you for the password for "Administrator"... by default it's blank
and you can just hit enter.
- ---------------------------------------------------------------------
Summary
=======
Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering
session when receiving a specific invalid BGP update.
The vulnerability manifests when a BGP peer announces a prefix with a
specific invalid attribute. On receipt of this prefix, the Cisco IOS
XR device will restart the peering session by sending a notification.
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.
The timing for the data channels traversing the switch is provided by
the control cards.
Susan Bradley wrote:
> 3. For XPs it's kinda handy to have a blank admin password when you
> sometimes come in on a network and need to get to that particular
> machine and you didn't set it up, otherwise you have to use the Admin
> password boot disk trick and reset the password to blank.
You should only do the above recommendation, if you like to have your
boxes owned.
You should not have any administrative accounts named "Administrator"
5001, 9100-9104, 9200, 9300, 9400, 9500-9501 & 9600) The FTP service
exception handler does not properly
maintain the state of the flood protection when passive FTP
connections are aborted. Once a sufficient number
of passive FTP connections have timed out (typically 15), the flood
protection is enabled and is never reset.
The flood protection can be reset by resetting the network adapter, or
by power cycling the device.
#####################################################################################
- IE5,6,7,8 : allocates 2GB of memory then the Browser crashes
- Opera : Allocates and commits as much memory as available,
will not crash but other applications will become unstable
- Nintendo Wii (Opera) : Console hangs, needs hard reset
Video: http://vimeo.com/2937101 (Thanks to David Raison)
- Sony PS3 - Console hangs, needs hard reset
Video: http://vimeo.com/2937101 (Thanks to Chris Gates)
2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET
====================================================
DESCRIPTION
-----------------
There is an authentication bypass vulnerability in page=CD35_SETUP_01
that allows you to set a new password even if the password was
previously set.
of the application's functionality is accessible via a front end web application.
II. DETAILS
Multiple CSRF vulnerabilities exist that can allow for arbitrary
commands to be executed on the Zenoss server as well as reset the Zenoss
admin password.
Attack scenario: If an administrator has an active Zenoss
session and visits one of these links or visits a malicious page that
contains resources that point to these URLs
It starts where Stefan Esser's wonderful article "mt_srand and not so random numbers" ( http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ ) ended.
I've made some improvements to his idea. Since mt_srand()/mt_rand() are very slow (~17 hours to try all possible 2^32 seeds on my AMD Phenom 2.6 ghz machine) and lookup tables are huge (at least 32 GB), I implemented rainbow tables. With a chain length of 10000 and 512k rows, the table size is 11MB and average search takes only about 35 min. Rainbow table parameters can be tuned (longer chains = less space, but slower seed crack, shorter chains and more rows = more space, but less time to crack the seed).
Since it's about password reset attacks, time to predict the random string is crucial for the effectiveness of the attack.
I also demonstrate a real PoC against installations of PHP-Nuke and PunBB hosted on the same server with keep-alives enabled. In my example, it took 7 minutes and 4 HTTP requests to reset PunBB's admin password by predicting the "password reset" URL.
I also gave my ideas on how those attacks can be improved even further (e.g. comparing sequences of PRNs instead of just the last values in case we have pseudorandom numbers generated in a smaller interval like mt_rand(1,1000);)
>
I disagree with you in that. Any hard guarantee can be given only by God.
I repeat, signals are in general not a reliable information source since they
can be generated in a couple of ways, even by an unkind superuser :-) .
> > In fact, PDEATHSIG should be reset for every binary, not just suid/sgid, since
> > it emits signal that exec()ed program may not expect.
>
> Are you talking about the parent exec()ing or the child?
>
No matter.
Description
-----------
pyForum is a 100% python-based message board system based on the excellent web2py framework.
We have discovered a backdoor in PyForum. Anyone could force a password reset on behalf of other users whose emails are known. More importantly, the software author, specifically, can obtain the new Administrator's password remotely.
The problem is in module ``forumhelper.py``. A new password is generated and saved in the database. Then a notification email which contains this new password in plaintext is sent to the user. There is no password reset confirmation code or similar verification action required. This causes a mild annoyance, or at most an account lockout.
When it comes to the Administrator account, however, the problem is more severe. This default account's email is set to ``administrator@pyforum.org`` and can only be changed directly in the database. Therefore, the new password is sent to the software author by default. And since this email address is known, everyone can request a password reset easily.
WebSTAR modems and firmware versions may be vulnerable as well.
1. Cross-site request forgery (CSRF). Several features provided by the web
interface fail to properly establish sessions that restrict access to
authorized users, including forms for changing the administrative password,
resetting the modem, and installing new firmware. An attacker may create a
malicious website that, when visited by a victim, updates these settings on the
victim's modem on the victim's behalf without their authorization or need for
any additional user interaction. This can be used to deny service by resetting
the modem or wiping the firmware, to change the default administrative
password, or potentially to steal information from the victim by installing
#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.alumniserver.net/
#-->DOWNLOAD: http://www.alumniserver.net/
#-->DEMO: N/A