[ADVISORY] NetCache URL DoS - Argentinian ISP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Research by Hernan Pereira and associates.
No response from Speedy in the past 15 days.
Proceeding with disclosure.

A DoS vulnerability exists in NetCache proxies of at least some areas
of Speedy Argentina ISP (201.255.64/18), by which a URL could be rendered
inaccessible by means of the prefetch cache control directive.

Cisco Security Advisory: Cisco Unified Contact Center Express Directory Traversal Vulnerability

Summary
=======

Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco
Unified IP Interactive Voice Response (Unified IP-IVR) contain a
directory traversal vulnerability that may allow a remote,
unauthenticated attacker to retrieve arbitrary files from the
filesystem.

Cisco has released free software updates that address this

Windows SMB NTLM Authentication Weak Nonce Vulnerability

Microsoft Server Message Block (SMB) Protocol is a Microsoft network
file sharing protocol also used for sharing printers, communications
abstractions such as named pipes and mailslots, and performing Remote
Procedure Calls (DCE/RPC over SMB) [1].

NTLM (NT Lan Manager) is a challenge-response authentication protocol
used by the SMB protocol [2].

Windows systems commonly use the SMB protocol with NTLM authentication
for network file/printer sharing and remote administration via DCE/RPC.


FormMail 1.92 Multiple Vulnerabilities

Summary:

 A) Prelude to the vulnerabilities
 B) Cross Site Scripting
 C) HTTP Response Header Injection
 D) HTTP Response Splitting

A) Prelude to the vulnerabilities

What follows is the code used to validate the user input:

OpenNMS Multiple Vulnerabilities

-     Table of Contents -

OPENNMS MULTIPLE VULNERABILITIES        1
Vendor                        3
Application Description                3
OpenNMS HTTP Response Splitting Vulnerability    3
Vulnerability Information            3
Vulnerability Details                3
Proof-of-Concept                4
OpenNMS Cross-Site Scripting Vulnerabilities    5
Vulnerability Information            5

TWSL2010-006: Multiple Vulnerabilities in Camtron CMNC-200 IP Camera

<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"
id="obj">
</object>
</body></html>

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized

InstallShield Update Agent - Downloads and executes "Rule Scripts" insecurely.

12/05/2007 - Initial Discovery
12/12/2007 - Contacted Cert Coordination Center to attempt to obtain
             appropriate vendor contact information.
12/17/2007 - Additional work on details, proof of concept
interim    - No response from Macrovision either directly or through Cert (who
             kept in constant contact with me).
01/02/2008 - Posted to product request site for security contact information.
01/08/2008 - Automated sales response, asking how "Product Evaluation" is
             going.
01/18/2008 - In contact with sales representative @ Macrovision

Cisco Security Advisory: Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities

Details
=======

SCCP and SIP-Related Vulnerabilities

  * DNS Response Parsing Overflow

    Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
    running SCCP and SIP firmware contain a buffer overflow
    vulnerability in the handling of DNS responses. A
    specially-crafted DNS response may be able to trigger a buffer

nSense-2010-003: Cisco Unified Communications Manager

       Affected Vendor:    Cisco Systems, Inc
       Affected Product:   Cisco Unified Communications Manager
       Platform:           All
       Impact:             Privilege Escalation
       Vendor response:    Patch. IntelliShield ID 21656
       CVE:                CVE-2010-3039
       Credit:             Knud / nSense

       Technical details
       ---------------------------------------------------------------

Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

-----Original Message-----
From: Security Mailing List <s3clist@hotmail.com>
Date: Thu, 15 Mar 2012 10:33:19 
To: Zach C.<fxchip@gmail.com>
Cc: <bugtraq@securityfocus.com>
Subject: Re: Android wireless accepts fake response (No interaction requires)
 (Vulnerability ?)


You are not wrong. However, in this case, the point is to capture "WPA
handshake"(not WPA key) in order to brute-force for WPA key. This attack

TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

[UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

Disclosure Timeline (YYYY/MM/DD):
=================================

2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and updated this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.12.17) to Vendor

NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control Buffer Overflow

=================================

2009.09.09: Vulnerability found
2009.09.15: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.10.01) to Vendor
2009.09.15: Vendor response asking for resending the poc in a zipped and
            password protected file (AV problem)
2009.09.15: Resending zipped and password protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Ask for a status update, because the planned release date is

Cisco ACE XML Gateway <= 6.0 Internal IP disclosure

Vulnerability Explanation
=======================================
Let's wait for the Cisco response, so, we'll have a better understanding on this
issue. Meanwhile...

I think this is a design error because ACE XML doesn't have in mind that the 
client could probably be in the same network segment internally, so, it receives 
the request, which cannot be processed, and throws an error message disclosing 

Multiple Flaws in Axesstel MV 410R

#5 turn off SSID broadcasting

Disclosure timeline:
11 V 2009:  Detailed information with examples and PoCs sent to vendor
            (cert@telekomunikacja.pl).
12 V 2009:  Initial vendor response.
19 V 2009:  Question about the status sent to the vendor.
19 V 2009:  No reasonable response from the vendor.
9 VI 2009:  Question about the status sent to the vendor. No response.
16 VI 2009: Notification that the bulletin will be released sent to the vendor.

Cacti 0.8.7a Multiple Vulnerabilities

the box".
 
II. DESCRIPTION
 
Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,
Path Disclosure, HTTP Response Splitting).
 
III. ANALYSIS
 
Summary:
  A) XSS Vulnerabilities

Apache mod_negotiation Xss and Http Response Splitting

Apache mod_negotiation Xss and Http Response Splitting

Date: January 22nd, 2008

Tested Versions: Apache <= 1.3.39
                 Apache <= 2.0.61
                 Apache <= 2.2.6

Minded Security ReferenceID:
       MSA01150108

CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs

Depending on the application server and web server configuration, this
could be used to bypass security controls implemented on the web
server.

In addition, by injecting secondary requests which are unseen by the web
server, this causes the pairings of requests and responses to lose
correct synchronization.  When attacking web servers that are
configured using simple proxy pairings (for instance, under Apache HTTPD
with WebLogicHost and WebLogicPort settings), this does not appear to
create many avenues of attack since web server TCP connections appear to
be directly paired with TCP connections to the application server.

Re: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

handshake"(not WPA key) in order to brute-force for WPA key. This attack
allows an attacker to capture your "WPA handshake" even though the
legitimate access point is not there. The attacker could create a fake
access point to steal "WPA handshake"(from a client) when you attend
conferences. This attack would not work with iPhone, iPad or other PCs
with Windows OS because they would discard fake probe response at the
first place.

Nevertheless, I do not confirm this behavior as a vulnerability. I
personally do not see much opportunity to exploit this behavior. The
only opportunity I can think about is the situation where attacking

RE: Android wireless accepts fake response (No interaction requires) (Vulnerability ?)

____
From: Security Mailing List [s3clist@hotmail.com]
Sent: Monday, March 12, 2012 2:25 AM
To: bugtraq@securityfocus.com
Subject: Android wireless accepts fake response (No interaction
requires) (Vulnerability ?)

## Android wireless accepts fake response (No interaction requires)
(Vulnerability ?) ##


SEC Consult SA-20120518 :: Memory overwrite vulnerability in libwpd (OpenOffice.org) - CVE-2012-2149

Vendor contact timeline:
------------------------
2011-09-19: Contacting vendor through securityteam@openoffice.org
2011-09-21: Vendor response, clarification request
2011-09-21: Sent answer
2011-10-05: Vendor response, clarification request
2011-10-05: Sent answer
2011-10-13: Contacted vendor asking for status
2011-11-23: Contacted vendor asking for status

Secunia Research: Creative Software AutoUpdate Engine 2 ActiveX Control Buffer Overflow

====================================================================== 
6) Time Table 

26/03/2010 - Vendor contacted to obtain security contact details.
29/03/2010 - Vendor response with details on security contact.
29/03/2010 - Vulnerability report sent to security contact (along with
             references to SA30403 and SA26800).
07/04/2010 - Vendor response (requesting additional details).
07/04/2010 - Additional details provided.
08/04/2010 - Vendor response (fix expected within 2-3 days).

stratsec Security Advisory SS-2010-003 - Microsoft SMB Client Pool Overflow

Summary
-------

A vulnerability exists in the Microsoft SMB client which allows an attacker to
trigger a kernel pool memory corruption by sending a specific 
'Negotiate Protocol' response.

Successful exploitation of this issue may result in remote code execution with
kernel privileges. Failed attempts may result in a remote denial of service.

Description

Hacktics Advisory Feb10: Persistent XSS in Microsoft SharePoint Portal

The document module of the SharePoint server allows attackers to inject
malicious scripts into dynamically generated web content through file
uploading. These scripts will be executed in the browser of any user viewing
the infected content (persistent cross site scripting).

Further research and correspondence with Microsoft Security Response Center
has identified that a partial mention of this vulnerability appears in
CVE-2008-5026. However, as this is only partial, there is no bugtraq record
for this vulnerability and there is no fix (making it still valid on most
SharePoint deployments), we have decided to release this to the list. 


NSOADV-2010-001: Panda Security Local Privilege Escalation

Disclosure Timeline (YYYY/MM/DD):
=================================

2008.02.??: Vulnerability found
2008.02.??: Reported to Vendor (no response)
2009.11.28: Tested the current versions and updated this advisory
2009.11.30: Asked vendor for a PGP Key
2009.11.30: Vendor sent PGP Key
2009.11.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2009.12.17) to Vendor

Jetty 6.x and 7.x Multiple Vulnerabilities

"test-jetty-webapp/src/main/java/com/acme/CookieDump.java".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

    protected void handleForm(HttpServletRequest request,
                          HttpServletResponse response)
    {
        String action = request.getParameter("Action");
        String name =  request.getParameter("Name");
        String value =  request.getParameter("Value");
        String age =  request.getParameter("Age");

Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages

Summary
=======

Cisco Unified Contact Center Express (Cisco Unified CCX) server contains
both a directory traversal vulnerability and a script injection
vulnerability in the administration pages of the Customer Response
Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco
Unified IP IVR) products. Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers

Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:

  * Malformed HTTP or HTTPS authentication response denial of service
    vulnerability
  * SSH connections denial of service vulnerability
  * Crafted HTTP or HTTPS request denial of service vulnerability
  * Crafted HTTP or HTTPS request unauthorized configuration
    modification vulnerability

Trustwave's SpiderLabs Security Advisory TWSL2009-002

}
CSCO_WebVPN['process'] = a;
csco_wrap_js('');
</script></html>

Vendor Response:
This vulnerability has been corrected in versions 8.0.4.34,
and 8.1.2.25.
Updated Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT


[IMF 2009] 3rd Call - Deadline Extended

operators.  Nevertheless in the vast majority of cases operators do not
have the capability to detect and respond to security incidents or do a
forensic analysis of its traces that can be used in a lawsuit.
Jurisdiction in most countries is starting to change and applies
regulations on legal duty to maintain safety on operators of IT.  Hence
incident response capabilities become indispensable to avoid successful
assertion of claims for damages caused by compromised or misused
systems.


CONFERENCE GOALS
