test case
These vulnerabilities were discovered by playing with AVI:
1) indx chunk size
2) wLongsPerEntry
3) nEntriesInUse
Only built 5 test cases.
test case 1 (new_avihead_poc1.avi)
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
3. *Vulnerability Description*
Multiple injection (both XSS [1] and SQL) vulnerabilities have been
discovered in Testlink [2], a widely used test-case management
application written in PHP [3]. One of the XSS vulnerabilities,
discovered in its login screen, can be exploited without an
authenticated session.
Hi,
I'd like to announce tmin - a free, quick, and handy tool to quickly and
effortlessly minimize the size and syntax of complex test cases in
automated security testing. I found the tool to be remarkably useful, as
it saved me from hours of manual guesswork a number of times already - so
I thought it's good to share.
The tool is related to delta (http://delta.tigris.org), a sophisticated
test case optimizer for well-structured input formats - but tmin is
quines, which still permit remote, pre-authentication, single-packet,
spoofed-source DoS in the latest versions).
The Xnu port of this code is close to the original, where the decompressed
payload is recursively injected back into the top-level IP dispatcher. The
implementation is otherwise similar, and some alterations to the testcase
provided for NetBSD should make it work. This is left as an exercise for the
interested reader.
--------------------
Affected Software
Apache Struts 2 and OpenSymphony WebWork frameworks are vulnerable to similar attacks.
1. Using <s:submit> tag with Dynamic Method Invocation (DMI) enabled.
a. Test case for Struts 2.2.1 with XWork 2.2.1
http://test.app.net/home.action?user=&password=&action!login:cantLogin_1=some_value
XWork generated error:
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### End #############################
Thanks to Phreak for support and for helping me understand the nature of this bug.
Thanks to jajoni for testing it on the Windows 7 x64 version.
TSRM/tsrm_virtual_cwd.c-566: }
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Let's compare the behaviour with and without the Suhosin patch using the
test case:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'include("/etc/passwd/////////");'
``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
the time between (1) and (2), arbitrary commands can be written to the
file. They will be executed at (2).
3. Test Case
No test case.
4. Patch
. 2009-12-14:
Core Security Technologies notifies the Google Security team of the
vulnerability.
. 2009-12-15:
The Google Security team asks Core for the test case for the
vulnerability.
. 2009-12-15:
Core replies with the PoC test case.
The Vim documentation lacks a comprehensive explicit list of special
items. This might have been the reason why patch 7.2a.013 failed to
acknowledge ``!'' as a special item.
3. Test Case
We have added a test case to our test suite; run ``make test'' in the
``shellescape'' directory. The result will show as ``VULNERABLE'' if
the shellescape() function of the version of Vim tested doesn't escape
the ``!'' special item, ``FAILED'' otherwise.
Impact Subscore:
8.6
Temporal Score:
6.9
SecureScout Testcase ID:
TC 17992
Vulnerable Systems:
SAXON version 5.4
possible to perform the attacks (The loadbalancer merged both
sessions and handed them as one to the webserver)
Updates :
--------
- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HTTPS : Downgrading HTTPS to HTTP and performing an active MITM
(Discovered by Frank Heidt but details withheld,
rediscovered by Thierry Zoller for this paper)
18/11/2008 : Send proof of concept file and a description that failed to
give the correct impact.
25/11/2009 : Apple acknowledges receipt and reproducibility :
"After investigating this issue further, we've determined
that the crash your test case triggers is caused by
dereferencing a null pointer and not from a format string issue"
20/01/2009 : Ask for an update
23/01/2009 : Apple sends an encrypted and signed PGP mail, fine, however the mail
CVE: TBD
Timeline:
2008-04-30: vendor contacts oCERT asking patch analysis
2008-05-06: analysis results in bug being found, test case sent upstream
2008-05-07: vendor submits second set of patches for analysis
2008-05-07: vendor provides issue private exposure to some vendors
2008-05-07: vendor proposes patch for the found security bug
2008-05-25: Full analysis results supplied to vendor and another PoC
2008-05-27: oCERT contacts vendor regarding timeline and coordination
execute arbitrary code via vectors that trigger a memory-allocation
error and a resulting buffer overflow (CVE-2011-3002).
Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code via an unspecified WebGL test case that triggers
a memory-allocation error and a resulting out-of-bounds write operation
(CVE-2011-3003).
The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey
before 2.4 does not properly handle XPCNativeWrappers during calls
Exploitability Subscore:
10
Temporal Score:
6.2
SecureScout Testcase ID:
TC 17989
Vulnerable Systems:
SimpNews version 2.41.03
> Simple Mail Server is a tiny Mail Server written in C#. Mail can be sent
without a password by using a usual TCP client (such as telnet).
> And it does not have an SMTP authentication controller.
>
> POC (Remarks: domain alex.com and user alex@alex.com must exist in the
configuration for this test case):
> >telnet 127.0.0.1 25
> 220 TEST-121F797342 SMTP ready.
> EHLO mail_of_alert
> 500 Not supported. Use HELO
> MAIL FROM: <alex@alex.com>
Exploitability Subscore:
10
Temporal Score:
5.3
SecureScout Testcase ID:
TC 17985
Vulnerable Systems:
SimpGB version 1.46.02
Exploitability Subscore:
10
Temporal Score:
4.1
SecureScout Testcase ID:
TC 17988
Vulnerable Systems:
SimpNews version 2.41.03
Exploitability Subscore:
10
Temporal Score:
4.1
SecureScout Testcase ID:
TC 17990
Vulnerable Systems:
SAXON version 5.4
Bug Description :
Simple Mail Server is a tiny Mail Server written in C#. Mail can be sent without a password by using a usual TCP client (such as telnet).
And it does not have an SMTP authentication controller.
POC (Remarks: domain alex.com and user alex@alex.com must exist in the configuration for this test case):
>telnet 127.0.0.1 25
220 TEST-121F797342 SMTP ready.
EHLO mail_of_alert
500 Not supported. Use HELO
MAIL FROM: <alex@alex.com>
=================
Technical Details
=================
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa %xmm1,CONSTANT(%rdi,%rcx):instruction_address=0x00007fffffe0088c:access_type=write:access_address=0x00000001159d0000:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was copyImageBlockSetTiff
Process: qlmanage [4763]
Path: /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/qlmanage
Exploitability Subscore:
10
Temporal Score:
6.2
SecureScout Testcase ID:
TC 17991
Vulnerable Systems:
SAXON version 5.4
Exploitability Subscore:
10
Temporal Score:
4.1
SecureScout Testcase ID:
TC 17987
Vulnerable Systems:
SimpNews version 2.41.03
That being said, remotely writing to the memory of a process is
definitely a high-impact vulnerability, and remote code execution
cannot be excluded.
--[ Test case:
The following trivial test case triggers the vulnerability:
<--!
Opera <= 10.60 Arbitrary null write
Exploitability Subscore:
10
Temporal Score:
4.1
SecureScout Testcase ID:
TC 17983
Vulnerable Systems:
SimpGB version 1.46.02
Message Center II service (build 6_24) was found vulnerable to SQL Injection attacks. When exploited by an attacker, the identified vulnerability could lead to Information Disclosure (map database structure, extract data from available tables), Denial of Service (consume server resources by injecting SQL heavy queries), etc.
An authenticated attacker without administrative privileges can inject arbitrary code into the SQL query built to generate the list of quarantined/deleted e-mails. This can be achieved by manipulating the sort_direction parameter of /junk_quarantine/process and /trash/process resources.
Test case: sort_direction='
POST https://mc-s200.postini.com/app/msgctr/junk_quarantine/process HTTP/1.1
Host: mc-s200.postini.com
...
=================
Technical Details
=================
exception=EXC_BAD_ACCESS:signal=10:is_exploitable=yes:instruction_disassembly=movw %dx,(%rsi,%rax,2):instruction_address=0x00007fff8381efcf:access_type=write:access_address=0x0000000101a83000:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was SIGBUS.49563.2010-12-18.13.15.15.CR2
Process: qlmanage [71823]
Path: /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/qlmanage
Exploitability Subscore:
10
Temporal Score:
6.2
SecureScout Testcase ID:
TC 17986
Vulnerable Systems:
SimpGB version 1.46.02