Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenCart is a turn-key ready "out of the box" shopping cart solution.
You simply install, select your template, add products and you're ready to start
accepting orders.
http://www.opencart.com/
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
-----------------------------[source code start]-------------------------------
if ($msg) {
    $msg = trim($msg);
    $res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
    $user = mysql_fetch_assoc($res);
Permissions for the installation folder
%ProgramFiles%\Panda Software\AVTC\
are set by default to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. These services are started
under the LocalSystem account.
The 32-bit version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.
/* Collapse multiple stars. */
while (c == '*')
    c = FOLDCASE(*++pattern, flags);
if (*string == '.' && (flags & FNM_PERIOD) &&
    (string == stringstart ||
     ((flags & FNM_PATHNAME) && *(string - 1) == '/')))
    return (FNM_NOMATCH);
..
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
0xfeeab05c in fconvert () from /lib/libc.so.1
make this task as easy as possible for end users. The process of
downloading and running a file looks and feels different from what users
are used to. This alone may cause users to make the wrong decisions,
causing them to run unwanted/untrusted software.
The HTML code needed to start a download using the ActiveX control looks
something like the following code:
<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
codebase="http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8" width="1" height="1">
static bin_tree_t *
parse_dup_op (bin_tree_t *elem, re_string_t *regexp, re_dfa_t *dfa,
              re_token_t *token, reg_syntax_t syntax, reg_errcode_t *err)
{
  bin_tree_t *tree = NULL, *old_tree = NULL;
  int i, start, end, start_idx = re_string_cur_idx (regexp);
  re_token_t start_token = *token;

  if (token->type == OP_OPEN_DUP_NUM)
    {
      end = 0;
Security Advisory
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Java Web Start File Inclusion via System Properties Override
Release Date: 2008-12-03
Application: Sun Java Runtime Environment / Java Web Start
Versions: See below
Severity: High
Author: Timothy D. Morgan <tmorgan {a} vsecurity.com>
McAfee
Pointsec
ISS Proventia
ZoneAlarm
On successfully disarming these security services, one could also use the following to further manipulate the drivers and services, by reconfiguring their startup parameters to 'manual' instead of 'automatic', or by disabling them altogether.
i.e. the following will reconfigure the startup parameters to 'manual' instead of 'automatic' (the default):
C:\>sc config VPatch start= demand
C:\>sc config BlackICE start= demand
C:\>sc config McShield start= demand
Problem Description:
Security issues were identified and fixed in openjdk (icedtea6)
and icedtea-web:
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to Networking (CVE-2011-3547).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
The problem lies within the handling of multiple reads from the
"/proc/driver/snd-page-alloc" file. The kernel side function that
handles the read system call, "snd_mem_proc_read", is defined in
sound/core/memalloc.c as shown below.
static int snd_mem_proc_read(char *page, char **start, off_t off,
                             int count, int *eof, void *data)
{
    int len = 0;
    ...
    len += snprintf(page + len, count - len,
8.2. *Memory Corruption*
While importing 3DS files, Google SketchUp reads a sequence of 2-byte
words from the .3DS file, starting at offset 0x6F49F. These words are
used as operands in pointer arithmetic to calculate an index into an
array where data will be copied to. However, the application does not
check whether the calculated index is inside the bounds of the destination
array. By crafting a 3DS file with large values for the words located at
the mentioned offset, the lack of bounds-checking can be exploited to
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 02, 2008
I. BACKGROUND
Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser, and results in a separate process
being started that is not tied to the JVM inside of the browser. A file
contains various parameters that describe the Java application to be
Multiple vulnerabilities have been discovered in Sun Java:
* Daniel Soeder discovered that a long codebase attribute string in a
JNLP file will overflow a stack variable when launched by Java
WebStart (CVE-2007-3655).
* Multiple vulnerabilities (CVE-2007-2435, CVE-2007-2788,
CVE-2007-2789) that were previously reported as GLSA 200705-23 and
GLSA 200706-08 also affect 1.4 and 1.6 SLOTs, which was not mentioned
in the initial revision of said GLSAs.
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 25, 2009
I. BACKGROUND
Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser and results in a separate process
being started that is not tied to the JVM inside the browser. In order
to accomplish this, the Java Network Launching Protocol (JNLP) is used
and Diskeeper 2007 Pro Premier. (Though I believe from
documentation that the Server Editions of each and both versions in
Diskeeper 10 are equally vulnerable.)
The administrative interface, DkService.exe, runs as a system
service that is by default configured to automatically start. It
listens on TCP port 31038 and has three RPC functions available.
Calling the opcode 0x01 RPC function (MIDL below) allows a remote,
anonymous memory comparison at an attacker provided address.
Simply pass the size of the data, the data, and the address to make
use of this.
Impact: attacker can take over CruxCMS admin account
The PHP script "manager/passwordreset.php" is directly accessible via the web
without any authorization. Source code snippet:
-----------------[ source code start ]---------------------------------
include ("../includes/injectionprevention.php");
$ID = numericquery($_POST["ID"]) ;
if (isset($ID)) {
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0
You can also use the "show running-config | include ip nat" command to
verify if NAT has been enabled on the device.
Office files (except for .mdb files, which are blocked), PDF documents
and image files. In addition, this is also true for files with the
extension .xaml, .xbap or .application. These extensions are normally
used by the .NET technologies XAML Browser Application (.xaml &
.xbap) and ClickOnce (.application). If the correct version of the .NET
Framework is installed, opening these types of attachments will start the
associated .NET application(s).
As noted above, Outlook does not block ClickOnce deployment manifest
files (.application). If a deployment manifest is sent as an attachment
and a user opens this attachment, it will be opened immediately. The
use by higher level functions like include, require, require_once,
file_get_contents, fopen and others.
In this paper only include/require behaviours are going to be analyzed.
The code analysis started with a simple breakpoint on open calls:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ gdb /usr/bin/php
(gdb) break open
recommendation specifies an HMAC truncation length (HMACOutputLength)
but does not require a minimum for its length, which allows attackers
to spoof HMAC-based signatures and bypass authentication by specifying
a truncation length with a small number of bits (CVE-2009-0217).
The Java Web Start framework does not properly check the trust of all
application jar files, which allows context-dependent attackers to
execute arbitrary code via a crafted application, related to NetX
(CVE-2009-1896).
Some variables and data structures without the final
Attack vector: user submitted GET or POST parameter 'folder'
Preconditions: none
Result: attacker can upload any files to remote system
Source code snippet from script "check.php":
-----------------[ source code start ]---------------------------------
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    $targetFile = str_replace('//','/',$targetPath) . $_FILES['Filedata']['name'];
java-1.6.0-openjdk:
Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29
and earlier, and 1.4.2_31 and earlier allows remote untrusted Java
Web Start applications and untrusted Java applets to affect integrity
via unknown vectors related to Deserialization (CVE-2011-0865).
Multiple unspecified vulnerabilities in the Java Runtime Environment
(JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update
29 and earlier, and 1.4.2_31 and earlier allow remote attackers
Cisco devices are affected when they are running affected Cisco IOS
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the dial-peer voice command
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
Communications Manager Express, such as ePhones, will also
automatically start the SIP process when they are configured, causing
the device to start processing SIP messages. An example of an
affected configuration follows:
characters. The "stripslashes()" function is also called.
But we don't really care about that, this will not cause
a problem, this was just to show you how user's inputs
are treated. Now let's see how the change is made:
$start = "<?php\n\n".'$lang = array('."\n";

foreach($barney as $key => $text)
{
    $text = preg_replace("/\n{1,}$/", "", $text);
    $start .= "\n'".$key."' => \"".str_replace( '"', '\"', $text)."\",";
pw_chars.extend([x for x in range(97, 103)])
pw_chars.sort()
todo = [('', 0, 255)]
while len(todo):
    (found, start, end) = todo.pop()
    if start == 0 and end == 255 and check("WHERE user_name = '" + found + "'"):
        sys.stdout.write(found + " ")
        sys.stdout.flush()
    for i in range(35):
I found the issue by following some very simple steps that you can reproduce as follows:
1. Log in as guest
2. Run taskmgr.exe (CTRL+ALT+DEL)
3. Go to "View", "Select Columns" and tick "I/O Other Bytes". Apply. (see the Annex about this column)
4. Start runas.exe with:
C:\> runas /user:Administrator explorer.exe
5. The prompt asks for the password. Start OllyDBG (no setup, ready to use)
6. Configure OllyDBG to only break on Thread exit.
7. Release the process and type no password (immediately press enter)
8. Repeat the process again, same steps, but this time type a password.