spoofing
3. *Vulnerability Description*
DNS spoofing and cache poisoning attacks have been known security
threats that result from design weaknesses of the DNS protocol since the
early 1990s as described by Christopher Schuba [1] and Paul Vixie [2].
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
Subsystem: Near Field Communication
-----------------------------
Executive Summary:
URI/URL Spoofing when displaying the content of an NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for various parts of NDEF records, which reboots the
graphical user interface (GUI) of the phone.
Severity: High (in specific configurations)
Author: George D. Gal <ggal (a) vsecurity . com>
Vendor Status: Cisco CSS vulnerability remains unpatched, workarounds
available
Cisco ACE workarounds available
CVE Candidate: CVE-2010-1575 - Certificate Spoofing Flaw
CVE-2010-1576 - HTTP Request Parsing Flaw
Reference: http://www.vsecurity.com/resources/advisory/20100702-1/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
contains a vulnerability, it is even possible for unauthenticated remote
attackers to make similar changes. This can eventually lead to a
complete compromise of the entire system.
------------------------------------------------------------------------
IP spoofing
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability
Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing
Hi Tim
First of all, the dialog spoofing issue still works in Google Chrome and
it has not been patched. A lot of tests have been
conducted considering different spoofing variants. I missed your paper
previously. I must say it's a very good read. A similar issue about
Google URL obfuscation still persists, because it has been
mentioned by the team itself that some of this is based on the
standards of HTTP protocol handler authentication schemes
(http://www.nice.com@evil.com). The link is as follows
Subsystem: Near Field Communication
-----------------------------
Executive Summary:
URL Spoofing when displaying the content of an NDEF
URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for parts of an NDEF record, which reboots the
graphical user interface (GUI) of the phone.
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS spoofing and cache poisoning attacks. Among
other things, successful attacks can lead to misdirected web traffic
and email rerouting.
At this time, it is not possible to implement the recommended
countermeasures in the GNU libc stub resolver. The following
Hi
Google Chrome (5.0.375.127 and previous versions) suffers from an HTTP
Auth Dialog spoofing vulnerability due to possible
realm manipulation in the HTTP header. Previously, Google Chrome had
a similar bug, which can be seen at the following link
http://code.google.com/p/chromium/issues/detail?id=36772
This bug was actually patched. The issue mentioned in this bug was
| CubilFelino Security Research Lab |
| proudly presents... |
+------------------------------------------------------------------------+
=======================================================
Security Advisory: WinRAR v3.80 - ZIP Filename Spoofing
=======================================================
Security Researcher Info:
=========================
This exploit targets a fairly ubiquitous flaw in DNS implementations
which allows the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious host entry
into the target nameserver. By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing the target nameserver to insert the additional record into the
cache.
E-mail address spoofing with RLO - http://wouter.coekaerts.be/2011/email-rlo
Introduction
=============
When we reply to an e-mail, the address we see in the To-field serves
a purpose beyond getting our answer back to original sender. We attach
a meaning to these addresses. If we see john.smith@example.com, we
expect that we're really sending a mail to someone at the Example
company.
We may have learned not to trust the "From" address: that's about as
Moin *
Mozilla based browsers (Firefox, Netscape, ...), Konqueror and Safari 2
do not bind a user-approved webserver certificate to the originating
domain name. This makes the user vulnerable to certificate spoofing by
"subjectAltName:dNSName" extensions.
I set up a demonstration at <http://test.eonis.net/>, check it out. For
details (vulnerable versions, vendor status, bug ids ...) see
Aditya,
> First of all, the dialog spoofing issue still works in Google Chrome and
> it has not been patched.
I'm not surprised. There didn't seem to be a lot of interest in these
issues from any browser vendor when I brought them to their attention.
> A lot of tests have been
> conducted considering different variants spoofing. I missed your paper
Hi Tim
You can have a look at the screenshot at the link mentioned below
http://www.secniche.org/goog_chr_auth_spoof.jpg
Kind Regards
Aditya
else
$this->msg('Using ACP path "'.$this->p_acp.'"', 1);
# Init client headers:
# Only if we have the same IP as the targeted user (not admin)
# does it reset the session data, so we try to spoof our
# IP as a random one in order to keep the user's session data while
# we bruteforce SQL fields.
$this->bypass_matches();
# Remove expired sessions ( time() - 60*60*2 => older than 2 hours )
Rating: Moderately critical
Impact: SQL Injection
Cross-Site Scripting
Manipulation of Data
Spoofing
Where: Remote
======================================================================
3) Vendor's Description of Software
We should pad with as many %20s as possible to hide the payloads on
wider screens.
The JavaScript Test 2 example is great for stealth phishing attacks
while status bar spoofing is great for hiding our attack payload.
I also made a record for hiding XSS payload.
http://yehg.net/lab/pr0js/vulnerables/status_bar_url_spoofing.htm
2) Vulnerability Description
Microsoft DNS server generates predictable DNS transaction IDs. If the
server is configured to allow recursive queries it is possible to insert
fake records in the DNS cache (DNS cache poisoning) by guessing the next
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs an attacker needs to
control a DNS server that is authoritative for some domain and to be
able to send recursive queries to the caching Microsoft DNS server.
When an attacker sends a recursive query to a caching name server, the
rb_ary_replace() functions (CVE-2008-2726).
Furthermore, several other vulnerabilities have been reported:
* Tanaka Akira reported an issue with resolv.rb that enables
attackers to spoof DNS responses (CVE-2008-1447).
* Akira Tagoh of RedHat discovered a Denial of Service (crash) issue
in the rb_ary_fill() function in array.c (CVE-2008-2376).
* Several safe level bypass vulnerabilities were discovered and
all details in my blog =>
http://lostmon.blogspot.com/2009/07/google-chrome-aboutblank-spoof.html
and here
###########################################################
#######################################
Google Chrome About:blank spoof
vendor url:www.google.com
advisory: http://lostmon.blogspot.com/2009/07/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2010-015: EMC Celerra NFS authentication bypass vulnerability using IP
spoofing.
EMC Identifier: ESA-2010-015
CVE Identifier: CVE-2010-2860
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: dnsmasq: Denial of Service and DNS spoofing
Date: September 04, 2008
Bugs: #231282, #232523
ID: 200809-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_______________________________________________________________________
Problem Description:
konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers
to spoof the data: URI scheme in the address bar via a long URI with
trailing whitespace, which prevents the beginning of the URI from
being displayed. (CVE-2007-3820)
KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address
bar by calling setInterval with a small interval and changing the
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/10/21
Changelog: ----------
L M H T
Summary: Ip Spoofing [X] [_] [_] [X]
Cross Site Scripting [X] [_] [_] [X]
Session Fixation [X] [_] [_] [X]
mail() CRLF Injection [X] [_] [_] [_]
Local File Inclusion (+CSRF) [_] [X] [_] [X]
File Deletion (+CSRF) [_] [X] [_] [X]
Ok, I'm missing it, what exactly is the spoof here? When the popup comes up
for me, the address of the page is
http://www.google.com.ar/#www.microsoft.com and I see in the address bar
#www.microsoft.com.
If I'm understanding the wording below correctly, it's because the # keeps
the browser from interpreting Microsoft.com and thus giving a bad URL, and
presumably, the browser cannot or does not have the ability to show the full
address (and perhaps in other browsers or scenarios people don't see the #
like I did - and also don't realize that the browser always prefixes its
NTP Access Group
+---------------
Warning: Because the feature in this vulnerability utilizes
UDP as a transport, it is possible to spoof the sender's IP address,
which may defeat access control lists (ACLs) that permit
communication to these ports from trusted IP addresses. Unicast
Reverse Path Forwarding (Unicast RPF) should be considered as an
additional control alongside ACLs to offer a better mitigation solution.
http://www.debian.org/security/ Devin Carraway
September 22, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : python-dns
Vulnerability : DNS response spoofing
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490217
'GX' authentication cookie for mail.google.com is set to be
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail.
This "any type of connection" property allows an attacker to execute a
cross-site request forgery attack to inject spoofed
'http://mail.google.com' content elements or meta-refresh tags into
ANY WEB PAGE loaded by a user. Repeat: the user does NOT have to be
using gmail at the time, they just need to have a valid 'GX'
authentication cookie from a prior login, and then visit ANY WEBSITE.
Upon fetching/executing these injected elements, the browser will