trying
out) in headers.
Retrying.
^C
//After twelve tries it never worked. However, trying with a slightly
different URL:
$ wget http://$GoogleHost/? -O /dev/null -T 5
--2009-08-16 21:19:41-- http://74.125.65.106/?
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... 200 OK
We at Taddong honestly believe this finding must be publicly known by the information security community in order to take appropriate countermeasures and mitigate the vulnerable behavior. Therefore, we have tried to coordinate the release of this security advisory together with the vendor, following responsible disclosure principles. This vulnerability is especially relevant considering the extensive number of HTC mobile devices available in the market and the potential impact of the associated attacks.
-- Vulnerability report timeline:
2010-08-21: Taddong tries to report the vulnerability to HTC through the standard channels (web, e-mail...) without success.
2010-08-23: Taddong contacts other security researchers (Thanks Alberto!) previously involved in reporting vulnerabilities to HTC in order to identify a valid contact or notification channel to let HTC know about the issue.
2010-08-25: Taddong spends around a week trying to identify a secure channel to report the issue to HTC, without any success. Please, read "The Seven Deadly Sins of Security Vulnerability Reporting"!! [1]
2010-09-03: Taddong finally decides to notify HTC about the vulnerability through the only available (but insecure) web channel and sends a brief technical report.
2010-09-04: HTC confirms they "...will investigate (the issue) and get back to us as soon as they get a reply."
2010-09-19: Taddong contacts HTC again (after 15 days) emphasizing this is a serious issue that requires immediate action, as Twitter credentials are directly exposed. Taddong tried to get an estimated date when an update would be available in order to proceed to publicly and responsibly disclose the vulnerability.
#
# Exploit:
# + Logged in (Administrator)
# + The administrator has 2 resellers
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# machines on your network to query pdnsd.
status_ctl = on;
# paranoid=on; # This option reduces the chance of cache poisoning
# but may make pdnsd less efficient, unfortunately.
query_method=udp_tcp;
min_ttl=15m; # Retain cached entries at least 15 minutes.
max_ttl=1w; # One week.
timeout=10; # Global timeout option (10 seconds).
}
# The following section is most appropriate if you have a fixed connection to
if (empty($this->_eventsToMail)) {
return;
}
if ($this->_subjectPrependText !== null) {
// Tack on the summary of entries per-priority to the subject
// line and set it on the Zend_Mail object.
$numEntries = $this->_getFormattedNumEntriesPerPriority();
$this->_mail->setSubject(
"{$this->_subjectPrependText} ({$numEntries})");
}
import time
import httplib
import socket

def server_uses_SSL(host, port):
    # Try to determine if the server is using HTTP over SSL or not:
    # attempt a TLS handshake plus a HEAD request. A plain-HTTP listener
    # fails the handshake (an SSL error, a subclass of socket.error in
    # Python 2) or times out, in which case we report "no SSL".
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}
    try:
        conn = httplib.HTTPSConnection(host, port, timeout=5)
        conn.request('HEAD', '/', headers=headers)
        conn.getresponse()
        conn.close()
        return True
    except (socket.error, httplib.HTTPException):
        return False
> be sent to the user by email. If the user is logged in,
> he is redirected instantly - if he is not logged in yet, the login page
> will be displayed and he will be redirected after successful login.
> This vulnerability can be used to redirect the user to a phishing
> website which shows the (faked) login screen and obtains the user's
> logon credentials as soon as he tries to log in on the faked site.
>
> Affected:
> ---------
> - All tested versions that are vulnerable
> Microsoft Outlook Web Access for Exchange 2003 Server
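The redirect described in the quoted advisory is exploitable because the post-login target is taken from the request and followed without validation. The Python below is an added example of how such a target can be validated before use; it is not code from the advisory, from OWA, or from the reply. The allow-listed host name mail.example.com and the default landing path /owa/ are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may point at (assumed for this example).
ALLOWED_HOSTS = {"mail.example.com"}
DEFAULT_LANDING = "/owa/"   # assumed default page when the target is rejected


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only same-site absolute paths or http(s) URLs whose host is
    allow-listed. Scheme-relative "//host", backslash variants, non-http
    schemes such as javascript:, "user@host" spoofing and "http:///host"
    are all rejected."""
    if not target or target != target.strip():
        return False
    # Checked on the raw string: URL parsers normalise or drop these
    # characters, but browsers may interpret them differently.
    if any(ch in target for ch in "\r\n\t\\"):
        return False
    # "//evil" and "///evil" are both treated as scheme-relative by browsers.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False
        host = (parts.hostname or "").lower()   # .hostname drops user:pass@
        return host in allowed_hosts
    return parts.path.startswith("/")


def choose_redirect(target, default=DEFAULT_LANDING):
    """Where the login form sends the user: the requested target if it is
    safe, otherwise the fixed landing page."""
    return target if is_safe_redirect(target) else default
```

The design choice is an allow-list on the parsed host plus a rejection of anything that is not a plain same-site path; trying to block known-bad prefixes instead leaves the "///host", "user@host" and backslash variants open.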
------------------------------------------------------------------------
Insufficient protection against brute force attacks
------------------------------------------------------------------------
The login page of FWS is not protected against brute force attacks in
which an attacker tries to log on with various username and password
combinations. These attacks are not detected by FWS, and FWS does not
implement measures to thwart this kind of attack, for example by using
timeouts and/or account locking. In addition, due to the way session handling is
implemented, it is even possible to execute brute force attacks on the
session cookies. In this case, it is not required to know the correct
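The two weaknesses named above, no throttling on the login form and guessable session cookies, are addressed together in the following Python. It is an added example, not FWS code and not part of the advisory; the lockout policy (five failures, five-minute lock), the PBKDF2 user store and the clock injection exist only to make the example self-contained.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Policy values are assumptions for this example, not FWS settings.
MAX_FAILURES = 5          # failed attempts before the account locks
LOCKOUT_SECONDS = 300     # lock duration in seconds
SESSION_TOKEN_BYTES = 32  # 256 bits of randomness per session cookie
PBKDF2_ROUNDS = 50_000    # kept low so the example runs quickly


def make_record(password, salt=None):
    """Salted PBKDF2 record for the hypothetical user store."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Login front end with per-account failure counting, temporary
    lockout and unguessable session identifiers."""

    def __init__(self, users, clock=time.time):
        self._users = users            # username -> (salt, digest)
        self._clock = clock            # injectable so tests can advance time
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.sessions = {}             # token -> username

    def is_locked(self, user):
        return self._clock() < self._locked_until.get(user, 0.0)

    def _verify(self, user, password):
        record = self._users.get(user)
        if record is None:
            # Unknown user: do the same PBKDF2 work so the response time
            # does not reveal which usernames exist.
            make_record(password, b"\x00" * 16)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def login(self, user, password):
        """Return (session_token, status); token is None unless status is 'ok'."""
        if self.is_locked(user):
            return None, "locked"
        if not self._verify(user, password):
            self._failures[user] += 1
            if self._failures[user] >= MAX_FAILURES:
                self._failures[user] = 0
                self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
                return None, "locked"
            return None, "bad-credentials"
        self._failures[user] = 0
        # 32 random bytes: brute-forcing the cookie is infeasible, unlike a
        # short or sequential session identifier.
        token = secrets.token_urlsafe(SESSION_TOKEN_BYTES)
        self.sessions[token] = user
        return token, "ok"

    def user_for(self, token):
        """Resolve a presented session cookie to its user, or None."""
        return self.sessions.get(token)
```

The lock is per account, so an attacker cycling passwords against one user is stopped after MAX_FAILURES attempts; a real deployment would add a per-source-IP counter as well, and would log the lockouts so the attack is detected rather than just slowed.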
Here is where the problem shows up. The code does not properly validate
the data retrieved by 'ZwQueryObject', which it expects to be a 'UNICODE_STRING'
structure. By making multiple calls to the function with different handles it
is possible to obtain a null structure, crashing the system when the code
tries to dereference its 'Buffer' field.
/-----------
.text:0001A6F0 movzx eax, [esi+UNICODE_STRING.Length]
.text:0001A6F3 shr eax, 1
>> (SLD). For customers with a primary DNS suffix configured, the DNS
>> resolver in Windows will attempt to resolve an unqualified .wpad. hostname
>> using each sub-domain in the DNS suffix until a second-level domain is
>> reached. For example, if the DNS suffix is corp.contoso.co.us and an
>> attempt is made to resolve an unqualified hostname of wpad, the DNS
>> resolver will try wpad.corp.contoso.co.us. If that is not found, it will
>> try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not
>> found, it will try to resolve wpad.co.us, which is outside of the
>> contoso.co.us domain.
>>
> Most of the wpad.tld domains are already reserved like this one
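The devolution sequence quoted above can be reproduced to see which candidate names end up outside the organisation's own zone. The Python below is an added example, not code from the quoted message or from Microsoft; the devolution level parameter models the resolver stopping point (the historical default of two labels, i.e. the second-level domain), and the organisation zone passed to leaked_candidates is whatever zone the administrator actually controls.

```python
def devolution_candidates(hostname, primary_suffix, devolution_level=2):
    """FQDNs the Windows resolver tries, in order, for an unqualified name.

    The resolver appends the primary DNS suffix, then strips one leading
    label at a time (devolution) until only `devolution_level` labels of
    the suffix remain. The historical default stops at the second-level
    domain (level 2), which is the behaviour described in the quoted text."""
    if "." in hostname:
        raise ValueError("devolution only applies to unqualified names")
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    level = max(1, min(devolution_level, len(labels)))
    return [f"{hostname.lower()}.{'.'.join(labels[i:])}"
            for i in range(len(labels) - level + 1)]


def leaked_candidates(hostname, primary_suffix, org_zone, devolution_level=2):
    """Candidates that fall outside the organisation's zone, i.e. names a
    third party could register (e.g. wpad.co.us) and answer for."""
    org = org_zone.lower().strip(".")
    return [c for c in devolution_candidates(hostname, primary_suffix, devolution_level)
            if not c.endswith("." + org)]
```

Raising the devolution level to the number of labels in the organisation's zone (three for contoso.co.us) makes the resolver stop before it leaves the zone, which is the check leaked_candidates performs.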
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security risk: medium
Preconditions:
1. attacker must be registered user
2. multiple tries needed for successful exploitation
Affected modules are Blog (gallery file upload), Reviews and Image Gallery.
For example let's look at Image Gallery's file upload code:
---------[source code]--------------------------
As a result, a remote attacker can send a SOAP message to port 8080 containing the
getSubKeys string to execute arbitrary SQL commands against the
underlying database.
The following code tries to execute calc.exe (if the xp_cmdshell stored procedure
is not enabled, it will try to re-enable it via 'sp_configure', assuming you have
the privileges of the 'sa' user); otherwise, use your imagination.
Note: Reportedly, this product is end of sale ... so it's better to be aware of
it just in case you have an online installation exposed to user input :)
I've used Tim's block sets for awhile in my own FOAD rule, but I ended up having to adjust the policy because of the toolsets I provide to the folks that are trying to do a good day's work in those same locations.
Yes; there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network-sources (even if, as has been stated; not the "true" source) of the majority of attacks. My own firewall logs validate this.
How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many your firewall operates primarily at L4 and below, this data may prove very valuable.
Frankly, I like that someone has taken the time to do the numbers and produce the data; even if I can't use it the way I'd prefer.
Jim
else
    $this->msg('Using ACP path "'.$this->p_acp.'"', 1);

# Init client headers:
# The board resets the session data only when we have the same IP as the
# targeted user (not the admin), so we spoof our IP as a random one in
# order to keep the user's session data while we bruteforce SQL fields.
$this->bypass_matches();

# Remove expired sessions ( time() - 60*60*2 => 2 hours )
import sys
from random import randint

rand = randint(1, 99999)
# dn1..dn3 are "already seen" flags for the -pass and the other options
dn1 = 0
dn2 = 0
dn3 = 0
try:
    for line in sys.argv[:]:
        if line.find('-pass') != -1 and dn1 == 0:
            upass = line.split('-pass')[1]
            dn1 = 1
        elif line.find('-pass') == -1 and dn1 == 0:
> I'm beggining studying deeply exploits. Now I have a problem. I'm
> trying a return-to-libc exploit but I get a segmentation fault when
> executed in the terminal and I get the code correctly executed when I
> run it inside GDB. Does GDB alter the memory map of a process when
> executed inside it? In which way? Where I can read info about this?
It's hard to say exactly what's going on without seeing the example
code you're trying to exploit. But let me give you some basic
thoughts..
II - BLIND SQL INJECTION
Note: Only the 2.3.x (2.3.1 to 2.3.5) branch seems to be
affected by this issue.
Newer versions support Ajax technology: when you try to
register, a check is made via Ajax. The
"class_ajax" object is created in the file
"sources/action_public/xmlout.php":
require_once( KERNEL_PATH . 'class_ajax.php' );
------------------------------------------------------------------------------------------------
Bug Explanation:
The platform presents some vulnerabilities in the "login system" and in the "private message sender system".
The first vulnerability is in index.php, which verifies the login without an SQL database: it checks for the existence of a file named Nick.HashMD5Password.php in the "db" directory.
The CMS's coder didn't think about directory traversal. In fact, if we try to log in with these cookies:
rem_user = /../users/Nick
rem_pass = HashMD5Password
where Nick and HashMD5Password are an existing username and that user's MD5 password hash, we gain administration rights. This happens because the function "is_admin" only checks for the existence of the file /db/admin/../users/Nick.HashMD5Password.php, which resolves to the ordinary user's record.
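The check described above, reproduced in Python beside a hardened version, as an added example that is not the CMS's PHP code. The on-disk layout (db/admin/<name>.<md5>.php and db/users/<name>.<md5>.php), the user names and passwords in the fixture, and the username syntax rule are constructed for the example; MD5 is kept only to mirror the CMS's cookie scheme, not as a recommendation.

```python
import hashlib
import os
import re
import tempfile

# Assumed policy for the hardened check: short alphanumeric usernames and a
# 32-hex-digit cookie value. Anything else is rejected before it touches a path.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
MD5_RE = re.compile(r"[0-9a-f]{32}")


def md5_hex(password):
    """The CMS stores the MD5 of the password in the record's file name."""
    return hashlib.md5(password.encode()).hexdigest()


def is_admin_vulnerable(db_dir, rem_user, rem_pass):
    """Mirror of the flawed check: the cookie values are concatenated into a
    path under db/admin and only tested for existence, so a '..' in
    rem_user walks out of the admin directory into db/users."""
    path = f"{db_dir}/admin/{rem_user}.{rem_pass}.php"
    return os.path.isfile(path)


def is_admin_safe(db_dir, rem_user, rem_pass):
    """Hardened check: validate the cookie syntax first, then confirm the
    resolved path is still inside db/admin before testing for the file."""
    if not USERNAME_RE.fullmatch(rem_user) or not MD5_RE.fullmatch(rem_pass):
        return False
    admin_dir = os.path.realpath(os.path.join(db_dir, "admin"))
    candidate = os.path.realpath(
        os.path.join(admin_dir, f"{rem_user}.{rem_pass}.php"))
    if os.path.commonpath([admin_dir, candidate]) != admin_dir:
        return False   # escaped the admin directory despite the syntax check
    return os.path.isfile(candidate)


def build_fixture():
    """Constructed on-disk layout mimicking the CMS's db directory:
    one admin record and one ordinary user record."""
    root = tempfile.mkdtemp()
    db_dir = os.path.join(root, "db")
    for sub, name, password in (("admin", "root", "rootpass"),
                                ("users", "nick", "nickpass")):
        os.makedirs(os.path.join(db_dir, sub), exist_ok=True)
        record = os.path.join(db_dir, sub, f"{name}.{md5_hex(password)}.php")
        with open(record, "w") as fh:
            fh.write("<?php // user record ?>\n")
    return db_dir
```

The syntax allow-list alone already defeats the traversal, since "/" and "." are not permitted in a username; the realpath/commonpath comparison is kept as a second, independent guard so a later relaxation of the regex cannot silently reopen the hole.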
>> and run filemon with the filter set to smc.exe. Whenever it tries to
>> access smcgui.exe, there is a "Buffer Overflow" detected. As I have
>> said on Bugtraq as well, I am not sure if the buffer overflow has
>> happened or been averted, but it's all very interesting.
import sys
from ftplib import FTP

ftpserver = sys.argv[1]   # server host first; inferred from the argument order below
user = sys.argv[2]
passwd = sys.argv[3]
print "Connecting to "+ftpserver+" using "+user+"....",
# Try opening a connection to the FTP server
try:
    F = FTP(ftpserver, timeout=3)   # the timeout must be set before connecting, not after
    if F:
        print 'Connected !'
except Exception, e:
    print 'Failed:', e
    sys.exit(1)
Quote from http://www.php-ids.org
"PHPIDS (PHP-Intrusion Detection System) is a simple to use, well
structured, fast and state-of-the-art security layer for your PHP
based web application. The IDS neither strips, sanitizes nor
filters any malicious input, it simply recognizes when an attacker
tries to break your site and reacts in exactly the way you want it
to. Based on a set of approved and heavily tested filter rules any
attack is given a numerical impact rating which makes it easy to
decide what kind of action should follow the hacking attempt. This
could range from simple logging to sending out an emergency mail
to the development team, displaying a warning message for the
Source distribution
090620 1:53:52 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.
key_buffer_size=8388600
read_buffer_size=131072
Are all Application developers now required to work around obvious bugs
in the way Windows handles the mailto: handler ?
What you call for is in essence - mitigation, yes it's fine to mitigate
a "vulnerability". But shouldn't we be concentrating on finding and
fixing the root cause instead of trying to mitigate the problem in
(hundreds) of third-party applications ?
RAG> How is that a Microsoft or Windows problem?
How is that _not_ a Windows Problem ?
extract( $wp_filetype );
if ( ( !$type || !$ext ) && !current_user_can( 'unfiltered_upload' ) )
return $upload_error_handler( $file,
__( 'File type does not meet security guidelines. Try another.' ));
if ( !$ext )
$ext = ltrim(strrchr($file['name'], '.'), '.');
if ( !$type )
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file.
In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb
This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this:
"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"
One can now access files directly by removing the drive letter and top directory as follows:
print "(+) Sending op_connect_request packet..."
s.send(str(packet))
s.close()
print "(+) op_connect_request packet successfully sent."
#Wait 10 seconds and try to connect again to Firebird SQL server, to
check if it's down
print "(+) Waiting 10 seconds before trying to reconnect to the
server..."
time.sleep(10)