Hello,
Before the Cisco network-witty guys start poking around, calling it a fudge and welcoming you to the last week, I might outline this for you: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/sec_chap7.html#wp1058965
It's a feature, not a bug, and it's as old-school as email forging with telnet or BGP poisoning by more specific route injection. Of course, there might be STP-enabled switches out there with no security features, but the problem resides in the risk management, not in the product.
Sounds to me more like the description of a threat, not like a vulnerability. Great for Risk Assessment scenarios, though.
Stefan Laudat
Information Security Manager
CISSP-ITIL Manager-PrInCE2 Practitioner
Allianz-Tiriac Asigurari SA
As I read in many white papers about attacks on the Spanning Tree Protocol, I found a MITM attack on two STP switches, one station and two Ethernet NICs.
That attack is in most cases useless because:
- we need physical access to two (not one switch)
- two cards in station
While two cards are possible, such access to two switches in one office (for example) is almost impossible.
My idea for modification of this attack needs:
- two stations to attack by mitm (A and B)
- two or more switches with STP protocol
- two attacking stations connected to two different switches, in the path between the attacked stations (C and D)
exploitation of these flaws on x64 versions of Linux.
VULNERABILITY DETAILS
---------------------
This document describes two x64 instruction emulation flaws,
discovered by the author in the aforementioned versions of VMware
products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
signature.
It is not entirely clear whether the files provided as a demonstration of
the vulnerability can actually be considered (syntactically valid) PDF
documents or not--I haven't found a cleaner way so far. Also, the
demonstration documents do not work with all implementations in the same
way--however, I would argue that the mere fact that implementations
(and in at least one case even two different interfaces to what seems to
be the same implementation) don't agree on how to interpret a document
and its signing status while not being in conflict with the specification
in any obvious way is sufficient evidence that at the very least the
Vendors contacted: HTC (and MITRE - CVE ID)
-- Vulnerability description:
The default Twitter client (or application) in HTC mobile devices is called HTC Peep. HTC Peep is vulnerable to two different credentials disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).
During the authentication process, the HTC Peep app establishes an HTTP (TCP/80) connection against the twitter.com servers, sending a few HTTP OAuth-related requests. The first two HTTP GET requests try to gather and make use of an OAuth token: "GET /oauth/request_token" (the response contains the "oauth_token") and "GET /oauth/authorize?oauth_token=...".
The first vulnerability resides in the third HTTP request, a POST request towards the "/oauth/authorize" resource, which contains several parameters, including the Twitter username and password in the clear, making the authentication process vulnerable to eavesdropping attacks:
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory.
. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
The most serious of the three vulnerabilities is due to potential
memory corruption resulting from a resource liberation bug that can be
triggered with a malformed '.ics' calendar file specially crafted by a
would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of
the iCal application due to null-pointer dereference bugs triggered
while parsing malformed '.ics' files. The ability to inject and
execute arbitrary code on vulnerable systems using these two
vulnerabilities was researched but not proven possible.
Just for the record: I will not write that much, partly because it is very,
very simple, and I do believe someone else will write good stuff for
academic audiences.
If you still believe in Santa Claus, please, stop reading right now, because
this paper will show that bad things can get worse, and worse, and worse, if
we are not paying attention to the signs. And according to some people: it
is all old news, and the techniques were already presented by someone,
somewhere. Ok, then!
-[ What happened during 2003?
The 2009 edition will be held from May 19th to 22nd in the wonderful
seaside resort Tanka Village, located in Villasimius, Sardinia, a large
and beautiful island in the Mediterranean sea.
Besides the main conference, featuring two tracks of top-notch
presentations over two intense days, the programme will include two days
of advanced trainings, and a set of unique social events (Italian
style), in order to foster networking.
A number of key speakers already confirmed their presence, and we warmly
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
Summary
L) "Boa" log escape sequence injection
(Affected versions: 0.94.14rc21 and probably earlier versions)
A) "nginx" log escape sequence injection
One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.
curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
--------------------------------------------------------------------------
Summary
=======
Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows
that may allow unprivileged users to elevate their privileges to those of
the LocalSystem account.
A workaround exists for one of the two vulnerabilities disclosed in this
advisory.
The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers from a number of security flaws that can lead to a remote root compromise.
1. Message Routing Daemon Default Encryption Keys
The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key using the blowfish algorithm. The appliance ships with two default keys, neither of which is random, which results in an attacker being able to communicate with the internal processes of the appliance and perform administration tasks on the appliance itself. These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, which are expanded with MD5 to create 448-bit blowfish keys.
2. MatchRep Daemon insert_plugin_meta_info() Command Injection
One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March.
=======
The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:
* Two denial of service (DoS) vulnerabilities
* Three privilege escalation vulnerabilities
* Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.
versions of Linux.
VULNERABILITY DETAILS
---------------------
This document describes the first of two x64 instruction emulation
flaws, discovered by the author in the aforementioned versions of
VMware products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
. Only run IE in Protected Mode if it is available on the operating
system.
. Use a different web browser to navigate untrusted web sites.
Additionally, although disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
may not prevent exploitation, it is generally a good security measure to
prevent disclosure of sensitive information such as valid usernames of
endpoint users.
Microsoft has issued a patch to fix the vulnerability and a detailed
Dear PowerDNS Users,
Two major vulnerabilities have recently been discovered in the PowerDNS
Recursor (all versions up to and including 3.1.7.1). Over the past two
weeks, these vulnerabilities have been addressed, resulting in PowerDNS
Recursor 3.1.7.2.
Given the nature and magnitude of these vulnerabilities, ALL PowerDNS
RECURSOR USERS ARE URGED TO UPGRADE AT THEIR EARLIEST CONVENIENCE. No
versions of the PowerDNS Authoritative Server are affected.
follow up on January 8th 2010 with a final decision on how it is
planning to tackle the issue.
. 2010-01-11:
Vendor says that it has completed the investigation of the Virtual PC
issue. It agrees with Core's conclusions. The bug has two implications:
1) It allows an attacker to bypass DEP and SafeSEH. However as these are
defense in depth mechanisms it would not be sufficient to issue a
security bulletin. 2) In specific limited conditions it causes
vulnerabilities that were deemed not exploitable to become exploitable.
This does break a security boundary and it is something that needs to be
Aug 21, 2007
I. BACKGROUND
Trend Micro Inc.'s ServerProtect is anti-virus software for Microsoft
Windows and Novell NetWare servers. It enables network administrators to
manage multiple deployments from a single management console. For more
information, please visit the vendor's website at the following URL.
http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html
more resilient against forged answer attacks.[9]
While researching the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx]
published April 13, 2010 Nicolas Economou discovered two vulnerabilities
in Windows SMTP Service and Microsoft Exchange. These vulnerabilities
were fixed by the patches referenced in MS10-024 but were not disclosed
in the vendor's security bulletin and did not have a unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
As long as Outlook has been around, people have been trying to get two
instances running at the same time. Not multiple profiles that you can
load when starting Outlook, but two separate instances running
concurrently, each with their own associated profile. After all, Outlook
(even 2007) only lets you connect to a single Exchange server per
profile... And that sucks.
What would be great is to have one instance connected up to your
"business" Exchange Server, and another connected up to your "personal"
Exchange Server (and of course, to other people's Exchange servers who
don't you know have an account on their box ;).
- Cross-Site-Scripting (XSS)
- Cross-Site-Request-Forgery (XSRF)
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop
Here are the details:
Quick intro
Two in one Backdoor Hiding/Finding Contest (participate in either or
both): In the first stage, hiding participants provide a source code
hiding a backdoor, in the second stage organizers mix the source codes
with non-backdoored (placebos), and then ask finding participants to
spot the placebos. Hiding participants get hiding points for being voted
as a placebo and finding participants get points for spotting the
this is just a friendly reminder that registration for the DeepSec
Security Conference 2007 is available at the URL
http://deepsec.net/register/
The conference is taking place in less than 3 weeks in the awesome city
of Vienna, Austria (20-23 November, with the first two days dedicated to
trainings and the last two days to the conference itself).
As we are filling up seats very fast, advance booking allows us to make
room for more of you. So, if you want to attend, please do us and
yourself a favor and register right now!
CVE Name: CVE-2009-0920, CVE-2009-0921
3. *Vulnerability Description*
Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.
4. *Vulnerable packages*
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Note: The March 26, 2008 publication includes five Security
Advisories. The Advisories all affect Cisco's Internetwork Operating
System (IOS). Each Advisory lists the releases that correct the
vulnerability described in the Advisory, and the Advisories also
detail the releases that correct the vulnerabilities in all five
Advisories. Please reference the following software table to find a
release which fixes all published Security Advisories as of March
== Topics ==
DeepSec 2010 focuses heavily on mobile security. Any gadget that you
carry with you or that is used by roadwarriors comes under scrutiny.
This includes networked resources intended for the mobile audience and
modern nomads as well. On top of that we like to hear about the security
of next generation infrastructure - IPv6, cloud computing and services,
virtualization technologies, in short everything that should keep us
online and connected for the next decades. We want to get a glimpse into
the future based on the problems of today.
+---------------------------------------------------------------------
Summary
=======
Cisco IOS Software is affected by two vulnerabilities that cause a
Cisco IOS device to reload when processing IP version 6 (IPv6)
packets over a Multiprotocol Label Switching (MPLS) domain. These
vulnerabilities are:
* Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
+--------------------------------------------------------------------
Summary
=======
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series
Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security
Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway
Control Protocol (MGCP) packets, or during processing of Transport
Layer Security (TLS) traffic that terminates on the PIX or ASA security