Terribly sorry, gmail messed up the GPG signature. Hope this one can
get through.
=== WordPress Charset SQL Injection Vulnerability ===
Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung <abelcheung at gmail dot com>
Affected version: WordPress <= 2.3.1
Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks. I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere) so I figured it would be a nice "quiet" circuit to use for testing. I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3, also filtering for UDP 1434. After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks. What I found interesting was that every single one of them was sourced in China (all from different addresses).
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and potential customer standpoint) so I set out to do a bit of research on my own. First thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.
Making a firewall rule to block China, for instance, would require entering in almost 600 IP ranges - so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by countries, create the sets in ISA, and loop through the different ranges of IP's to add them to the set. It worked great.
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA - this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was MESSENGER spam (UDP 1026, 1027, 1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.
Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.
The mail_extra_groups=mail setting is often used insecurely to give Dovecot
access to create dotlocks in the /var/mail directory. If you don't use
mboxes in /var/mail, make sure this setting is cleared.
If you do use /var/mail mboxes and Dovecot gives permission errors
without it, do one of the following (in the preferred order):
a) Upgrade to v1.0.11 and use the new mail_privileged_group setting
instead of mail_extra_groups.
b) Make /var/mail sticky and world-writable (chmod 01777 /var/mail) and
Affecting 2.10.12.03 and 2.10.12.04:
7. Netriding with ops, using zannels
Affecting very old up to and including 2.10.12.05:
8. Timestamps in bounces ignored
Affecting 2.10.12.01 up to and including 2.10.12.05:
9. Any op setting or changing Apass when server restarts
Affecting very old up to and including 2.10.12.05:
10. Desync: unkick/deopable ops
Affecting very old up to and including 2.10.12.05:
11. Getting hidden IPs of +x users
The following workarounds can prevent exploitation of the vulnerability:
. Use Internet Explorer's Protocol Lockdown feature control to
restrict the "file" protocol, preventing HTML loaded from a UNC path from
running script or ActiveX controls.
. Set the Security Level setting for the Internet and Intranet Zones
to High to prevent IE from running scripts or ActiveX controls.
. Manually disable Active Scripting for the Internet and Intranet
Zone with a custom security setting.
. Only run IE in Protected Mode if it is available on the operating
system.
Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
The first notable vulnerability is the Metadata Block Size Overflow
vulnerability. Editing any Metadata Block Size value to a large value
such as 0xFFFFFFFF may result in a heap based overflow in the decoding
software.
Whenever vulnerable software opens or processes a malformed FLAC file, it
uses the size fields as reference points to allocate memory (malloc) and
writes the contents of the file into those memory buffers. Setting
these values to an overly large value, such as 0xFFFFFFFF, could cause
an exploitable condition. Passing a size of 0xFFFFFFFF would cause a
malloc(0) immediately followed by a buffer overflow on the read. This
results in an exploitable heap overflow. Exploitation is dependent on
---------------------------------------------------------------------------
Title: Setting arbitrary Personas without user interaction in Firefox 3.6
Product: Mozilla Firefox
Version: 3.6
PoC: http://wtikay.com/personas/
By: Artur Janc
Date: 01/26/2010
---------------------------------------------------------------------------
1. OVERVIEW
example, a client build number of 26.49.9.2838 indicates a WBS
26-based software version.
For the WBS 26 version:
1. Browse to the WebEx meeting server at
https://<servername>.webex.com/.
2. Select Support from the left side of the web page.
3. Select Downloads from the left side of the web page.
4. The version of the client software that is provided by the server
is listed next to Client build.
> You're saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.
This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for a Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is
a preceding comment tag), which I found when researching the possibility of making
CE via XSS in IE. So I found the workaround for this bug - to set this
option to Enabled or Prompt (for Local intranet).
A Metasploit module is attached that demonstrates how to enumerate
Asterisk sip peers that have a nat setting different to the global sip
nat setting as described in Asterisk Security Advisory AST-2011-013.
The example below finds all peers with nat=yes, but the Metasploit module
will also work when the global nat=yes and peers have nat=no.
Vulnerability discovered and exploit created by Ben Williams.
References:
http://downloads.asterisk.org/pub/security/AST-2011-013.html
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Saturday, January 19, 2008 10:41 AM
To: bugtraq@securityfocus.com
Subject: RE: Country by Country ISA Computer Sets
There is nothing irrational about identifying the source of unwanted
traffic, qualifying what is or isn't malicious, and then taking whatever
action you feel is appropriate.
manage devices via the WAN connection. This action will result in
a loss of management connectivity to the device.
Remote Management is enabled by default. Administrators can disable
this feature by choosing "Administration > Web Access Management".
Change the setting for the Remote Management field to Disabled.
Disabling remote management limits exposure because the
vulnerability can then be exploited from the inter-LAN network only.
* Limit Remote Management Access to Specific IP Addresses
Pursuant to this point, it looks like I won't be able to use MaxMind as a source for the data as their licensing agreement does not allow for the data to be used in this manner, which is really too bad. So it looks like my source for this data will have to continue to be a compilation of the data that is freely available on the Internet. This means that I probably won't be able to provide monthly updates, but I certainly will be updating the sets as I can. Therefore, there really can't be a "link" to the source other than the data itself, as we certainly don't want to violate any license agreements with anyone...
t
> -----Original Message-----
> From: Thor (Hammer of God)
> Sent: Wednesday, January 16, 2008 2:20 PM
> To: 'GomoR'
manage devices using the WAN connection. This action will result
in a loss of management connectivity to the device.
Remote Management is disabled by default. If it is enabled,
administrators can disable this feature by choosing
Administration > Web Access Management. Change the setting for
the Remote Management field to Disabled.
Disabling remote management limits exposure because the
vulnerability can then be exploited from the inter-LAN network
only.
DISCLAIMER: THIS SECURITY ADVISORY IS PROVIDED AS-IS, AND WITHOUT ANY GUARANTEE OF ANY KIND THAT THE INFORMATION IS ACCURATE, OR THAT THE WORKAROUND, SOLUTIONS, OR PATCHES PROVIDED WILL PROTECT SYSTEMS, OR THAT THEY WILL NOT CREATE NEW PROBLEMS. THE AUTHOR ACCEPTS NO LIABILITY OF ANY FORM FOR THE INFORMATION CONTAINED WITHIN OR THE CONSEQUENCES OF ITS USE OR MISUSE.
Synopsis:
Most current installations of PHP set up to run via FastCGI with suexec are vulnerable to a local exploit, where anyone with the ability to run code as the user the webserver runs as can gain access as any user with an account set up to run PHP. It is anticipated that this issue will especially affect shared web hosts who use FastCGI + suexec thinking it will give them additional security.
Conditions for exploitation:
=> PHP needs to be used via CGI or FastCGI.
=> The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
=> The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
=> Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set and php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.
there is some research in the public domain, there is much more
attention that needs to be paid to UPnP.
UPnP allows you to perform administrative functions. Some functions
are very standardized and supported by most devices. Examples include
obtaining network settings, and enabling port forwarding rules. Other
functions are make/model specific. Some very scary functions such as
obtaining administrative username and password pairs have been
reported [2] in the past. As a reminder, this works without submitting
any administrative password whatsoever, since UPnP is an
authenticationless protocol. On top of this, most IGDs support UPnP by
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
against Cacti or if both the guest user has been activated (default:
disabled) and the graph view permission was set to 'guest' (default:
'No User').
This vulnerability was tested with Firefox 3.0.6.
The Cacti group provides a patch to fix this vulnerability:
> 3.1. Keyword Lookup -- The ``K'' Command
>
> 3.1.1. Shell Commands and Ex Commands
>
> Because the string passed to the shell for execution is not
> sanitized, it is possible to specify arbitrary shell commands
> where Vim expects an argument for the keyword program. Same
> applies to arbitrary Ex commands.
The K command is designed to execute an arbitrary program. The user can set the program by setting the keywordprg option. Minr's exploits require setting vim options to implausible values, either using a modeline (which no sensible user ever allows on untrustworthy files, and no truly security-conscious user enables at all) or monumental user stupidity. Given that, why not simply set keywordprg? Or do anything else that a modeline allows?
Release Date: 2007-11-26
Author: Ernesto Alvarez / Activesec SA
Kudos to: Rodrigo Seguel / Activesec SA for suggesting the session
destruction approach
Contact info: ealvarez at activesec biz
Developer response: None. No response to mail, forum inactive and
bugtracker operating intermittently.
Privilege escalation in bytehoard 2.1
and V1.1 have reached end of life, and no further firmware
updates are being made available.
To check the version of system firmware that is running on the device,
log into the device with the web management interface, and navigate to
the screen: Setup --> Summary. Under "System Information" is a field
labeled "Firmware Version:". The number directly beside this field label
is the system firmware version. An example would be V1.3.0.3.
Products Confirmed Not Vulnerable
- ---------------------------------
If you can parse out XML, I'm sure you can script up something to "build" sets for IPTables. However, I don't know that IPTables has the ability to "group" the individual IP ranges into "sets" as opposed to simply putting them in as line-by-line rules.
That's the beauty of ISA/TMG/UAG - the xml files build individual sets comprised of IP ranges which you can apply by themselves to whatever protocols you want to/from whatever network sources you want. But, regardless of the chosen platform, at least you can parse out the XML to get what you want.
The important fields are:
<fpc4:IPFrom dt:dt="string">66.227.2.137</fpc4:IPFrom>
<fpc4:IPTo dt:dt="string">66.227.2.144</fpc4:IPTo>
<fpc4:Name dt:dt="string">AL1122173577-1122173584</fpc4:Name>
Where IPFrom is the beginning IP of the range, IPTo is the ending IP of the range, and "Name" is a unique name for the range itself. I chose to have the name simply be the country code followed by the range so it could be immediately identified even if used outside of a set.
traffic, qualifying what is or isn't malicious, and then taking whatever
action you feel is appropriate.
If there is no reason (business, personal, or otherwise) for traffic
from the US or the UK to be reaching your network, then by all means
block all of it if that is what you choose to do. If you re-read my
post, you'll see that the purpose for the sets is for people to make
*educated* decisions regarding what they may choose to block and from
where. In my case (and cases where colleagues tested this) blocking all
SMTP from China resulted in a dramatic (not just "noticeable") reduction
in overall SPAM. In the case of the site that I own (HoG) I decided to
access and the Cisco Quick Virtual Private Network (QVPN)
Utility.
Remote Management is disabled by default. Administrators can
disable this feature by choosing Network Management > Remote
Management. Change the setting for this field to Disabled.
Disabling remote management limits exposure because the
vulnerabilities can then be exploited from the inter-LAN network
only.
Disabling remote management limits the exposure as the
http://www.cisco.com/cgi-bin/tablebuild.pl/gss-3des?psrtdcat20e2
Workarounds
===========
A workaround for this vulnerability includes setting the property
"ServerConfig.dnsserver.returnError" to disabled (or zero). The
following example shows how to set the property to disabled. It is
enabled by default:
GSS#config terminal
==[ Overview
ICQ (I Seek You) Instant Messenger is one of the most popular Internet
chat programs. Since 1996, it has grown to a community of over 180
million users. It has features for instant messaging, chat, sending
e-mail, SMS, file transfer, wireless-pager messages, etc.
==[ Vulnerability
INFIGO IS's security team identified a critical remote buffer overflow
Summary:
Under certain conditions, Miranda ignores the "Use TLS" setting in
Jabber accounts and uses an unencrypted connection.
Affected: Miranda IM (instant messenger), at least versions 0.8.16,
0.9.0 alpha build #6 Unicode and SVN rev. 11383
Description:
If the following conditions are met:
- "Use TLS" is enabled in the jabber account settings (Network -
While doing a quick sweep over the code base of FreeWebshop.org (FWS),
several vulnerabilities were found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the webserver and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. These issues were discovered within a very small
time frame; it is likely that more issues exist within FWS. A full
security review of the code base is recommended to increase the security
of FWS.
bound by sshd(8) and is therefore not being securely forwarded.
III. Impact
A malicious user could listen for X11 connections on an unused IPv4
port, e.g. TCP port 6010. When an unaware user logs in and sets up X11
forwarding, the malicious user can capture all X11 data sent over the
port, potentially disclosing sensitive information or allowing the
execution of commands with the privileges of the user using the
X11 forwarding.
and allocating the memory and the other stuff needed for decoding the
frames.
If the 4th field ("version") is less than or equal to 8, then it allocates
the needed memory; otherwise it returns NULL, which is correctly
handled by the caller function (it even sets a result value to -1), but
this is completely ignored by the rest of the code:
086071BE |. 6A 05 PUSH 5
086071C0 |. 55 PUSH EBP
086071C1 |. E8 1AFFFFFF CALL vp6.086070E0 ; readbits 5