LayerOne 2008 - CFP Released

Los Angeles, California (Pasadena Hilton)
http://layerone.info/

The fifth annual LayerOne information technology conference is now
accepting submissions for topic and speaker selection. As always, we
are interested in seeing a broad range of pertinent topics, and encourage
all submissions. Some of our past presentations have included:

- Hacking FedEx/Kinkos Smart Cards
- Anti-Forensics Techniques
- RFID Hacking

Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities

  GET /index.php HTTP/1.1\r\n
  Host: localhost\r\n
  X-Forwarded-For: 127.0.0.1\r\n
  Connection: keep-alive\r\n\r\n
  
  Later, we'll see how to obtain the administrator's session
  id. Even if we have the correct session id, there is a
  protection that "normally" does not permit logging in.
  Let's see a part of the file "scripts/sb_login.php":
  
  28| // Check if user is logged in.

Cisco Security Advisory: Cisco IOS Software Data-Link Switching Vulnerability

|            |                       | Vulnerable; first     |
| 12.2SED    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; first     |
| 12.2SEE    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; first     |
| 12.2SEF    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |

Cisco Security Advisory: Cisco IOS Software IPv6 Denial of Service Vulnerability

|            |                    | in Release 12.2SE        |
|------------+--------------------+--------------------------|
| 12.2SED    | Not vulnerable     | Vulnerable; First fixed  |
|            |                    | in Release 12.2SE        |
|------------+--------------------+--------------------------|
| 12.2SEE    | Not vulnerable     | Vulnerable; First fixed  |
|            |                    | in Release 12.2SE        |
|------------+--------------------+--------------------------|
| 12.2SEF    | Not vulnerable     | Vulnerable; First fixed  |
|            |                    | in Release 12.2SE        |
|------------+--------------------+--------------------------|

Cisco Security Advisory: Cisco IOS Software IPv6 over MPLS Vulnerabilities

|            |                       | Vulnerable; first     |
| 12.2SED    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; first     |
| 12.2SEE    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; first     |
| 12.2SEF    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

|            | Vulnerable; first     | Vulnerable; first     |
| 12.2SED    | fixed in Release      | fixed in Release      |
|            | 12.2SE                | 12.2SE                |
|------------+-----------------------+-----------------------|
|            | Vulnerable; first     | Vulnerable; first     |
| 12.2SEE    | fixed in Release      | fixed in Release      |
|            | 12.2SE                | 12.2SE                |
|------------+-----------------------+-----------------------|
|            | Vulnerable; first     | Vulnerable; first     |
| 12.2SEF    | fixed in Release      | fixed in Release      |
|            | 12.2SE                | 12.2SE                |

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

|            |                       | Vulnerable; First     |
| 12.2SED    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; First     |
| 12.2SEE    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |
|------------+-----------------------+-----------------------|
|            |                       | Vulnerable; First     |
| 12.2SEF    | Not vulnerable        | fixed in Release      |
|            |                       | 12.2SE                |

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

|            | vulnerable   | Release 12.2SE                 |
|------------+--------------+--------------------------------|
| 12.2SED    | Not          | Vulnerable; first fixed in     |
|            | vulnerable   | Release 12.2SE                 |
|------------+--------------+--------------------------------|
| 12.2SEE    | Not          | Vulnerable; first fixed in     |
|            | vulnerable   | Release 12.2SE                 |
|------------+--------------+--------------------------------|
| 12.2SEF    | Not          | Vulnerable; first fixed in     |
|            | vulnerable   | Release 12.2SE                 |
|------------+--------------+--------------------------------|

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

|------------+--------------------------+---------------------------|
| 12.2SEC    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SED    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEE    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEF    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEG    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|

Cisco Security Advisory: Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability

|------------+--------------------------+---------------------------|
| 12.2SEC    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SED    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEE    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEF    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEG    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

|------------+--------------------------+---------------------------|
| 12.2SEC    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SED    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEE    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEF    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|
| 12.2SEG    | Not Vulnerable           | Not Vulnerable            |
|------------+--------------------------+---------------------------|

Cisco Security Advisory: Cisco IOS Software IPsec Vulnerability

| 12.2SEC    | Not Vulnerable            | Not Vulnerable           |
|------------+---------------------------+--------------------------|
| 12.2SED    | Not Vulnerable            | Vulnerable; first fixed  |
|            |                           | in 12.2SE                |
|------------+---------------------------+--------------------------|
| 12.2SEE    | Not Vulnerable            | Vulnerable; first fixed  |
|            |                           | in 12.2SE                |
|------------+---------------------------+--------------------------|
| 12.2SEF    | Not Vulnerable            | Not Vulnerable           |
|------------+---------------------------+--------------------------|
|            |                           | Releases prior to 12.2   |

Cisco Security Advisory: Cisco 10000 Series Denial of Service Vulnerability

|            |                  | Release 12.2SE             |
|------------+------------------+----------------------------|
| 12.2SED    | Not vulnerable   | Vulnerable; First fixed in |
|            |                  | Release 12.2SE             |
|------------+------------------+----------------------------|
| 12.2SEE    | Not vulnerable   | Vulnerable; First fixed in |
|            |                  | Release 12.2SE             |
|------------+------------------+----------------------------|
| 12.2SEF    | Not vulnerable   | Vulnerable; First fixed in |
|            |                  | Release 12.2SE             |
|------------+------------------+----------------------------|

Cisco Security Advisory: Cisco IOS Software Smart Install Remote Code Execution Vulnerability

|            |                | Release 12.2SE               |
|------------+----------------+------------------------------|
| 12.2SED    | Not vulnerable | Vulnerable; First fixed in   |
|            |                | Release 12.2SE               |
|------------+----------------+------------------------------|
| 12.2SEE    | Not vulnerable | Vulnerable; First fixed in   |
|            |                | Release 12.2SE               |
|------------+----------------+------------------------------|
| 12.2SEF    | Not vulnerable | Vulnerable; First fixed in   |
|            |                | Release 12.2SE               |
|------------+----------------+------------------------------|

PHP filesystem attack vectors

As previously indicated there are two different bugs: the first, the one
that I discovered in April 2008, can be used independently for some
purposes, and the second one, discovered by barbarianbob, uses the
first one to achieve a better goal.

Let's see the details.

- PHP filesystem functions path normalization attack

PHP normalizes / and /. in path names, allowing for example
/etc/passwd/ or /etc/passwd/. to be successfully opened as a file.

BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

        m_freem(m);

    /* ... */

Where inetsw[] contains definitions for supported protocols, and nxt is a
protocol number, usually associated with ip->ip_p (see
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in
this case from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to
the unpacked payload.

The unpacked packet is dispatched to the appropriate protocol handler

[Advisory] Invision Power Board <= 2.3.5 Multiple Vulnerabilities and Security Bypass

  I - INTRODUCTION

  Before continuing, you need to know some stuff about how
  user input is handled. All superglobal arrays which
  can be partially modified by the user are passed to the
  function "parse_clean_globals()". Let's see the content
  of the file "sources/ipsclass.php":

  4847| $this->clean_globals( $_GET );
  4848| $this->clean_globals( $_POST );
  4849| $this->clean_globals( $_COOKIE );

VMSA-2010-0005 VMware products address vulnerabilities in WebAccess

    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.

          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.


  b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability

Collection of Vulnerabilities in Fully Patched Vim 7.1

3.4. Vulnerabilities

3.4.1. Statistics

How many Vim Scripts use ``execute''?:

$ find /usr/local/share/vim -type f -name \*.vim -exec grep -l
'\<exe\(c\(u\(te\?\)\?\)\?\)\?\>' {} \; | wc -l
159


Hosting Controller - Multiple Security Bugs (Extremely Critical)

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed under administrative privilege, so an attacker can execute his commands with administrative privilege. E.g. an attacker can gain a remote desktop on the server using this bug by uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other users' FrontPage extensions.
8- [User] can delete all of the gateway information.
9- [User] can enable or disable pay type.
10- [User] can see all usernames on the server via "fp2000/NEWSRVR.asp".

[waraxe-2012-SA#084] - Multiple Vulnerabilities in OpenCart 1.5.2.1

// Router
if (isset($request->get['route'])) {
        $action = new Action($request->get['route']);
-----------------[ source code end ]-----------------------------------

We can see that the user-submitted parameter "route" is used as the argument
for initialization of the class "Action".

Source code snippet from vulnerable script "action.php":
-----------------[ source code start ]---------------------------------
final class Action {

Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software

This software is, however, insecure; it installs and uses:

- the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
  outdated, unsupported and vulnerable OpenSSL 0.9.6g from
  2002-08-19 (see <http://www.openssl.org/news/>);

- the library LIBCURL.DLL of the outdated, unsupported and
  vulnerable cURL 7.14.1 from 2005-09-05 (see
  <http://curl.haxx.se/libcurl/>);


Pligg <= 9.9.0 Multiple Vulnerabilities

if (!$contents)
    trackback_response(1,
        $main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL'));

The $tb_url variable gets its value directly from a POST variable,
as seen at line 36, so we can see how this can be easily used to
enumerate the existence of files on the web server, both inside and
outside of the web-accessible directories. If the file exists we will
get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this
issue, an attacker may also include arbitrary files via a malformed
template request. Both template and language data within Pligg are

CFP C H A S E - 2 0 0 7 Lahore Pakistan

Last date for filing submissions is Friday November 02, 2007. 

All those individuals who would like to present are urged to 
at least send their abstracts as early as possible to the 
mail above. To see guidelines for submission, please visit 
the following page:

http://www.chase.org.pk/en/index.html



Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

Yeah, by generating another request to the host and sending it directly
within the parameters/input to the end-point script/application. This is
again, expected behavior for a signed applet. Since I was not able to
reproduce your results using an older version of Java and without
signing the applet (see below), I do not understand how you came to
these results.

Here is the remaining code, FWIW...

      String cookie;

Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries

1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15

   updated 8 times due to fixed vulnerabilities, current release is
   0.9.8r; see <http://openssl.org/news/> and
   <http://openssl.org/news/vulnerabilities.html>


2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23


Nuance OmniPage 16 Professional installs multiple vulnerable Microsoft runtime libraries

After installation on a fully patched Windows XP with Service Pack 3
the following vulnerable Microsoft runtime libraries are found:

1. %SystemRoot%\SYSTEM32\GDIPLUS.DLL 5.1.3097 2001-06-15 21:00

   GDIPLUS.DLL has been patched several times since 2001, see
   <http://www.microsoft.com/technet/security/bulletin/MS08-052.mspx>
   or <http://support.microsoft.com/kb/954593/en-us> for the current
   version, 5.1.3102.5581 (XP SP3) or 5.1.3102.3352 (XP SP2).

   MALUS #1:

Re: Samba Remote Zero-Day Exploit

Samba Remote Directory Traversal
logic fuckup discovered & exploited by Kingcope in 2010

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the System remotely.
Required is a valid samba account for a share which is writeable OR
a writeable share which is configured to be a guest account share,
in this case this is a preauth exploit.

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

       Server and Fusion.
     - Upgrade tools in the virtual machine (virtual machine users
       will be prompted to upgrade).

    Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
     - Install the relevant patches (see below for patch identifiers)
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade).  Note the VI Client will
       not show the VMware tools is out of date in the summary tab.
       Please see http://tinyurl.com/27mpjo page 80 for details.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.