========================================================================
Description
===========
This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious host entry
into the target nameserver. By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
Announcing CanSecWest PWN2OWN 2008.
===================================
Three targets, all patched. All in typical client configurations with
typical user configurations. You hack it, you get to keep it.
Each has a file on them and it contains the instructions and how to
claim the prize.
II. Problem Description
Microsoft Office documents can carry URLs as clickable
references. The targets of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID, and its target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Flaws in Microsoft's implementation of the NTLM challenge-response
authentication protocol causing the server to generate duplicate
challenges/nonces and an information leak allow an unauthenticated
remote attacker without any kind of credentials to access the SMB
service of the target system under the credentials of an authorized
user. Depending on the privileges of the user, the attacker will be able
to obtain and modify files on the target system and execute arbitrary code.
3.Vulnerable Systems
--------------------
Fix
------------------------------------------------------------------------
Akamai reports that this vulnerability should have been fixed in version
2.2.5.4 of the Akamai Download Manager for both Java and ActiveX.
Specifically, both the Java and ActiveX versions ignore the
configuration option target when set to DESKTOP.
The latest version of Akamai Download Manager can be obtained using the
following URL:
http://dlm.tools.akamai.com/tools/upgrade.html
== Meet-in-the-middle attack ==
If equivalent substrings are not present in a given hash function, then
brute-force seems to be the only solution. The obvious way to best use
brute-force would be to choose a target value and hash random
(fixed-size) strings and store those which hash to the target value. For
a non-biased hash function with 32 bit output length, the probability of
hitting a target in this way is 1/(2^32).
A meet-in-the-middle attack now tries to hit more than one target at a
foreach ($str as $value) {
    $pos = strpos($res, $value);
    if ($pos === false) {
        // Fingerprint string not found in the response: count it
        $count++;
    } else {
        echo "<font color=white>Target patched.<br/><br/></font>";
        die();
    }
}
// Use a comparison here, not an assignment
if ($count == 10) echo '<font color=white>Target is
exploitable.<br/><br/></font>';
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.
After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor. In addition, with control
of the database store, malicious JavaScript can be injected into the content
of WordPress, yielding persistent Cross Site Scripting.
The attacker owns the data, as almost all the connections go through
the attacker's box. The attacker can record all the data exchanged
between the database server and the client machines, and both client and
server will be oblivious to the attack.
If the attacker just wants to own the target's data, (s)he is done. Game
over.
Injecting arbitrary commands (Session hijack)
---------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. generated password is weak and can be easily brute-forced
Preconditions:
1. attacker must know the email address associated with the target's account
Torrenttrader contains password resetting functionality:
http://localhost/torrenttrader109/account-recover.php
#####
Subject: DNS Multiple Race Exploiting Tool release
Homepage: http://www.securebits.org/dnsmre.html
Download: http://www.securebits.org/tools/dns_mre-v1.0.tar.gz
OS: The tool runs on Linux
Target OS: Tested against Windows 2003 Server
############################################################################
#####
01 Introduction
02 Features
functionality built in to the radio software which adds to the ease of
exploitation.
This attack focuses on the Subscriber Unit (SU) end, however, if one knows
the correct information, one could potentially configure a rogue Access
Point and MiTM a target as well, though this is not the topic of this
advisory.
The Problem
-----------
Description: Lotus Quickr, announced at Lotusphere 2007, is an evolution of Lotus QuickPlace. The software uses a weak XSS filter that an attacker can bypass. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the IBM Lotus Quickr 8.0 software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
IBM Quickr 8.0 Server Calendar XSS Injection:
It seems that IBM Lotus Quickr uses an XSS filter, but an attacker can avoid this filter.
Example of the IBM Quickr 8.0 XSS filter:
http://victim.com/QuickPlace/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><script>alert('g')</script>
and then you will get an error message from Quickr:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
*Vulnerability Description*
AOL Instant Messenger ("AIM", http://www.aim.com) is an instant messaging
application that allows its users to communicate in real time via text,
voice, and video over the Internet. It is maintained by AOL LLC. AIM Pro
is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
clients and other productivity applications
(http://aimpro.premiumservices.aol.com/). AIM Lite, as defined on its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available to the public in the
#
# this should be exploitable on linux too (on the compiled SAPI version)
# the shipped linux version of lsphp has stack cookies enabled,
# which could be brute forced if there wasn't a null put at the end of
# the exploit buffer. The compiled SAPI version is exploitable, but then
# the offsets differ from box to box, so this time FreeBSD targets only.
# thus on linux this is very tricky to exploit.
# this is a proof of concept, don't try this on real boxes
# see lsapilib.c line 1240
(http://litespeedtech.com/packages/lsapi/php-litespeed-5.4.tgz)
int main(int argc, char * argv[])
{
int sock, proto, i, offset = -1;
unsigned long proto_tab, landing, target, pn_ops, pn_ioctl, *ptr;
void * map;
/* Create a socket to load the module for symbol support */
printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n");
sock = socket(PF_PHONET, SOCK_DGRAM, 0);
Permissions in the Local Machine security zone
Prior to Windows XP Service Pack 2 if a web page was loaded in the Local
Machine security zone, it was granted full privileges. For example, it
could read local files or worse invoke an unsafe ActiveX control and
gain full control of the target machine. In Service Pack 2, Microsoft
introduced the Local Machine Zone Lockdown that greatly reduced the
privileges of web pages running in the Local Machine zone. With
ClickOnce, applications running in the Local Machine security zone are
granted Full Trust permissions.
char buff[1100];
long ret1 = 0x64f8134b; // pop ret (core.dll)
long addr = 0x63b8624f; // Required to reach ret instruction
long ret2 = 0x7c874413; // jmp esp (kernel32.dll)
long *ptr;
struct sockaddr_in target;
int i, port, sock;
printf("\n---------------------------------------------------------------------\n");
printf(" [*] httpdx 1.4 GET Request Remote Buffer Overflow Exploit (0day) \n");
More info can be found here: http://engineeringforfun.com/wiki/index.php/Durzosploit_Introduction
You can get it through the SVN: http://engineeringforfun.com/wiki/index.php/Durzosploit_SVN
At present there aren't many exploits:
(dz)> search exploits
twitter.com/update_status - Updates a target's status
twitter.com/update_settings - Updates your target's settings
facebook.com/what_is_on_your_mind - Write your message in your target's mind
drupal/edit_user_profile - Drupal 6.x - edit the profile of the user
drupal/logout - Drupal 6.x - makes target logout
(dz)>
=================
Vers:1.9.2.102 and old versions.
Description
===========
Attempts to terminate the process by sending Close messages (called WM_CLOSE and SC_CLOSE) to all windows in the target process. This method only works if 1) the target process has at least one window, and 2) the target process doesn't handle the WM_CLOSE/SC_CLOSE message.
Impact
======
ClamAV 0.94.1/8713/Tue Dec 2 14:59:31 2008
From http://securitytracker.com/alerts/2008/Dec/1021296.html:
Version(s): prior to 0.94.2
Description: A vulnerability was reported in Clam AntiVirus. A remote user can cause denial of service conditions on the target system.
A remote user can create a specially crafted JPEG file that, when processed by the target system, will trigger a stack overflow and cause the Clam AntiVirus process to crash.
Ilja van Sprundel reported this vulnerability.
Impact: A remote user can create a JPEG file that, when processed by the target application, will cause the target application to crash.
# MySQL root account.
#
# Example
# -----------
# $ ./zabbix181api.pl http://10.0.0.1/zabbix
# Target: http://10.0.0.1/zabbix
# Reqtime: 0.2s ; SleepTime: 0.4s
#
# Checking if zabbix uses mysql root account... No
#
# Extracting Admin's password hash from zabbix users table:
Since the parameter values set by the ActiveX control are saved in a temporary
file in INI file format, in the above manner the value of "referer"
will be changed.
In addition, the parameter "target" is used to set the
location of the downloaded file; it has the following meanings:
"DESKTOP" the file will be saved on the desktop
"AUTO" the file will be saved in Temporary Internet Files
"" ask the user to choose the saving location
nothing more than SOAP. Our AJAX knowledge tells us about a feature
that allows us to craft arbitrary XML requests: the XMLHttpRequest [3]
object. Trouble is, such an object can only be used within the context of
the site that the requests are submitted to. So if we host the
malicious scripting code on a third-party site, and a victim user
located in the same LAN as the target IGD visits such a page, the
request wouldn't go through due to the XMLHttpRequest same-origin policy
restriction. Or put a different way: you aren't allowed to make
XMLHttpRequests to any server except the server where your web page
came from.
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-62.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. Therefore,
it is a professional and efficient discussion board, developed by an active
or (2) that appears to cause an out-of-bounds memory operation or (3)
which most likely has one hell of a race condition?
> All of the testing involved
> intentionally corrupted target data that highlighted a few relatively
> minor bugs.
Yes, and pretty much every exploit on the planet involves intentionally
corrupted data.