user-controllable
audits specific to your policies, or to perform more general-purpose
security assessments. Examples of the types of issues Watcher will currently
identify:
Cross-domain stylesheet and JavaScript references
User-controllable cross-domain references
User-controllable attribute values such as href, form action, etc.
Cross-domain form POSTs
Insecure cookies that do not set the HttpOnly or Secure flags
Open redirects which can be abused by spammers and phishers
Insecure Flash object access through allowScriptAccess
Do not perform administrative access of security management consoles from computers that are exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor the systems used for administrative tasks such as accessing security management consoles.
Details
User-controllable input supplied through the "iaction" and "node" parameters of the "Login.jsp" page is not sanitized for invalid or malicious content before being returned to the user in dynamically generated web content. This condition may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.
SecureWorks Risk Scoring
Likelihood: 2 – Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 – Control over security appliances managed by the management console.
File: dojo-release-1.4.1-src\dojo-release-1.4.1-src\dijit\tests\_testCommon.js
1) Data enters via "theme" URL parameter through the window.location.href property.
Line 25:
var str = window.location.href.substr(window.location.href.indexOf("?")+1).split(/#/);
..snip..
2) The "theme" variable carrying user-controllable input is then concatenated into "themeCss" and "themeCssRtl", which are passed to document.write(). Writing the unvalidated data into HTML creates the XSS exposure.
Line 54:
..snip..
var themeCss = d.moduleUrl("dijit.themes",theme+"/"+theme+".css");
var themeCssRtl = d.moduleUrl("dijit.themes",theme+"/"+theme+"_rtl.css");
document.write('<link rel="stylesheet" type="text/css" href="'+themeCss+'">');
device control.
Both control codes retrieve an object name, either through ZwQueryObject()
or through ObReferenceObjectByHandle()/ObQueryNameString(). The input
buffers of both IRPs contain user-mode pointers that are completely
user-controllable. However, no checks are made for NULL pointers, an
invalid input buffer length, or otherwise invalid pointers, so a user can
pass a NULL input buffer and cause a BSOD.
Vulnerable code disassembly excerpt:
---
}
dev_unlock();
return (csw);
}
In [1] vp is dereferenced, yielding a user-controllable *devp pointer (loaded
from *0x1c). If the values dereferenced in [2], [3] and [4] are reachable, then at
[5] we have a memory write to a user-controllable address. Unfortunately, the
value is decremented in [6].
In my exploit, I use si_threadcount incrementation to modify kernel code in
value.
The function nfs_mount() employs an insufficient input validation method
for copying data passed in a structure of type nfs_args from userspace to
kernel. Specifically, the file handle buffer to be mounted (args.fh) and
its size (args.fhsize) are completely user-controllable. The unbounded copy
operation is in file src/sys/nfsclient/nfs_vfsops.c (the excerpts are from
8.0-RELEASE):
1094: if (!has_fh_opt) {
1095: error = copyin((caddr_t)args.fh, (caddr_t)nfh,
The specific flaw exists within the primary QuickTime.qts library when
parsing the BkPixPat opcode (0x12) within a PICT file. The application
multiplies two fields taken from the file and passes the product as the
size argument to an allocation. As both operands of the multiply are
user-controllable, specific values can wrap the product and cause an
under-allocation, which later results in a heap overflow. Successful
exploitation can lead to code execution in the context of the current user.
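The under-allocation described above, as an added userland model in C (this is not the QuickTime parser or Apple's code; the record layout and the field names rowbytes and rows are assumptions). The product of the two user-controlled fields is computed in 32 bits, as a 32-bit process's size_t would be, so the naive path hands the allocator a wrapped value that is far smaller than the bytes a row-by-row copy would later write. The checked path detects the wrap with __builtin_mul_overflow (GCC/Clang) and refuses the record before any allocation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (illustrative, not the real PICT BkPixPat encoding):
 * two 32-bit fields in host byte order whose product becomes an allocation size. */
typedef struct {
    uint32_t rowbytes;   /* assumed name: bytes per row */
    uint32_t rows;       /* assumed name: number of rows */
} pixpat_hdr;

/* Parse the two fields out of a raw record; rejects truncated input. */
int parse_hdr(const uint8_t *buf, size_t len, pixpat_hdr *h) {
    if (len < sizeof(pixpat_hdr)) return EINVAL;
    memcpy(&h->rowbytes, buf, 4);
    memcpy(&h->rows, buf + 4, 4);
    return 0;
}

/* Vulnerable pattern: the product is computed in 32 bits and handed to the
 * allocator as-is, so a large rowbytes * rows wraps to a small value. */
uint32_t alloc_size_naive(const pixpat_hdr *h) {
    uint32_t a = h->rowbytes, b = h->rows;
    return a * b;   /* unsigned 32-bit multiply wraps silently */
}

/* Hardened pattern: detect the wrap (and a zero size) before allocating. */
int alloc_size_checked(const pixpat_hdr *h, uint32_t *out) {
    uint32_t prod;
    if (__builtin_mul_overflow(h->rowbytes, h->rows, &prod) || prod == 0)
        return EOVERFLOW;
    *out = prod;
    return 0;
}

/* 1 if the naive allocation is smaller than the rows * rowbytes bytes that a
 * row-by-row copy would later write into it: the heap overflow condition. */
int naive_under_allocates(const pixpat_hdr *h) {
    uint64_t needed = (uint64_t)h->rowbytes * h->rows;
    return (uint64_t)alloc_size_naive(h) < needed;
}

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

int main(void) {
    /* Constructed sample records: a benign one and one whose product wraps 2^32. */
    uint8_t benign[8], evil[8];
    put32(benign, 256);      put32(benign + 4, 16);       /* product = 4096 */
    put32(evil, 0x10000u);   put32(evil + 4, 0x10001u);   /* product = 0x1_0001_0000 */
    pixpat_hdr h;
    uint32_t sz = 0;

    parse_hdr(benign, sizeof benign, &h);
    printf("benign: naive=%u checked=%d under_allocates=%d\n",
           alloc_size_naive(&h), alloc_size_checked(&h, &sz), naive_under_allocates(&h));

    parse_hdr(evil, sizeof evil, &h);
    printf("evil:   naive=%u checked=%d under_allocates=%d\n",
           alloc_size_naive(&h), alloc_size_checked(&h, &sz), naive_under_allocates(&h));
    return 0;
}
```

The same check applies to any size computed from two or more file-controlled operands; computing the product in a wider type and comparing against SIZE_MAX is the portable alternative when the builtin is unavailable.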
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ovwebsnmpsrv.exe application which
is launched when a request is received for the jovgraph.exe CGI
application. This process copies the contents of the 'sel' POST variable
a user-controllable number of times into a static stack buffer. By
repeating a specific string as the contents of the 'arg' POST variable,
this buffer can be overflowed, leading to arbitrary code execution.
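Both the nfs_mount() excerpt above (an unbounded copyin driven by a user-controlled args.fhsize) and the ovwebsnmpsrv.exe flaw (a user-controlled repeat count filling a static stack buffer) are the same defect: a length or count the user supplies is trusted before a copy into fixed-size storage. The following is an added userland model in C, not FreeBSD or HP code. It assumes NFSX_V3FHMAX is 64 (the NFSv3 maximum in FreeBSD's nfsproto.h), stands in for copyin() with memcpy, and invents the 256-byte SEL_BUF_SIZE buffer for the repeat case. In each function the bound is enforced before the copy, which is the check the vulnerable code lacked.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFSX_V3FHMAX 64   /* assumed: NFSv3 maximum file handle size, as in FreeBSD */
#define SEL_BUF_SIZE 256  /* assumed: size of the fixed buffer in the repeat case */

/* Model of the relevant nfs_args fields: both come straight from user space. */
struct user_args {
    const uint8_t *fh;   /* user pointer to the file handle bytes */
    int fhsize;          /* user-controlled length of that buffer */
};

/* Stand-in for copyin(): a real copyin also faults on bad user addresses;
 * this model only rejects NULL and copies. */
static int copyin_model(const void *uaddr, void *kaddr, size_t len) {
    if (uaddr == NULL) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Hardened version of the nfs_mount() path: the vulnerable code did
 *   copyin(args.fh, nfh, args.fhsize)
 * with no range check, so fhsize > sizeof(nfh) overflowed the kernel buffer
 * and a negative fhsize became a huge size_t. Check the range first. */
int mount_copy_fh(const struct user_args *args, uint8_t nfh[NFSX_V3FHMAX], int *out_len) {
    if (args->fhsize < 0 || args->fhsize > NFSX_V3FHMAX)
        return EINVAL;                      /* the missing bounds check */
    int err = copyin_model(args->fh, nfh, (size_t)args->fhsize);
    if (err) return err;
    *out_len = args->fhsize;
    return 0;
}

/* Repeat-count case: copy 'sel' into a fixed buffer 'count' times. The bound
 * is the space left in the buffer, never the user-supplied count. */
int repeat_into_buffer(const char *sel, unsigned count, char out[SEL_BUF_SIZE]) {
    size_t len = strlen(sel);
    size_t used = 0;
    for (unsigned i = 0; i < count; i++) {
        if (len > (size_t)(SEL_BUF_SIZE - 1) - used)   /* would overrun the buffer */
            return E2BIG;
        memcpy(out + used, sel, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    /* Constructed inputs: a valid handle, an oversized length, and a hostile repeat count. */
    uint8_t fh[16];
    for (int i = 0; i < 16; i++) fh[i] = (uint8_t)i;
    uint8_t nfh[NFSX_V3FHMAX];
    int n = 0;
    struct user_args a = { fh, 16 };
    printf("fhsize=16    -> %d (len %d)\n", mount_copy_fh(&a, nfh, &n), n);
    a.fhsize = 4096;
    printf("fhsize=4096  -> %d (EINVAL=%d)\n", mount_copy_fh(&a, nfh, &n), EINVAL);
    a.fhsize = -1;
    printf("fhsize=-1    -> %d (EINVAL=%d)\n", mount_copy_fh(&a, nfh, &n), EINVAL);

    char out[SEL_BUF_SIZE];
    printf("repeat x3    -> %d \"%s\"\n", repeat_into_buffer("AB", 3, out), out);
    printf("repeat x200  -> %d (E2BIG=%d)\n", repeat_into_buffer("AB", 200, out), E2BIG);
    return 0;
}
```

The signed fhsize matters: a negative value passes a naive `fhsize > MAX` test and becomes a very large size_t at the copy, which is why the check tests both ends of the range.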
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
system. (This exploitation technique has only been made successful
for cases where the kernel is not being debugged, which is basically
assumed to be the only real-world attack scenario.)
The NT!KiDebugRoutine function pointer is writable and can therefore
be the target of the user-controllable increment. By pointing
GS:[0x20] to &NT!KiDebugRoutine - 0x22A0 before exploiting the
emulation flaw, NT!KiDebugRoutine will be incremented, and then its
modified contents (NT!KdpStub + 1) will be called. The first
instruction of NT!KdpStub is "SUB RSP, 0x58", which in machine code is
"48/83/EC/58". Therefore, the instruction that gets executed at
AC_FL_RunContent(
..snip..
"FlashVars", "MMredirectURL="+MMredirectURL+'&MMplayerType='+MMPlayerType+'&MMdoctitle='+MMdoctitle+"",
..snip..
2) The MMredirectURL variable carrying user-controllable input is passed to AC_GetArgs and ultimately to AC_Generateobj, which performs a document.write. Writing the unvalidated data into HTML creates the XSS exposure.
File: AC_OETags.js
Line 200:
function AC_FL_RunContent(){