user account
Summary
=======
A vulnerability exists in some Cisco Secure Access Control System
(ACS) versions that could allow a remote, unauthenticated attacker to
change the password of any user account to any value without
providing the account's previous password. Successful exploitation
requires the user account to be defined on the internal identity
store.
This vulnerability does not allow an attacker to perform any other
----------
The vulnerability may be exploited on Studio if both of these
conditions apply:
- you have Studio 2.0
and
- you have created a user account with limited privileges (this is
not the default configuration).
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
Squiz Matrix - User Account Enumeration
http://www.osisecurity.com.au/advisories/squiz-matrix-user-enumeration
Release Date:
12-Dec-2011
Software:
Squiz - Matrix
http://www.squiz.net/
Hi!
>
> The reason I wrote this article was not to explain how to create a hidden
> user account. I wrote the article to show you that you can modify the SAM
> in real time in a way that is undetectable by ANYONE. This modification
> allows you to masquerade any user account as the built-in Administrator.
>
> Christian,
>
> "Continued Access" to a system means that someone has compromised a system
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0012
Synopsis: Updated VirtualCenter addresses User Account
Disclosure Vulnerability
Issue date: 2008-08-12
Updated on: 2008-08-12 (initial release of advisory)
CVE numbers: CVE-2008-3514
- ------------------------------------------------------------------------
CVE ID Disclosed Title
CVE-2000-1038 12/11/2000 The web administration interface for IBM AS/400
Firewall allows remote attackers to cause a denial of service via an
empty GET request.
CVE-2002-1731 12/31/2002 The System Request menu in IBM AS/400 allows
local users to list valid user accounts by viewing the object names that
are type USRPRF.
CVE-2005-0868 05/02/2005 AS/400 Telnet 5250 terminal emulation clients,
as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
(4) Mochasoft, and possibly other emulations, allows malicious AS/400
servers to execute arbitrary commands via a STRPCO (Start PC Organizer)
to modify their cached accounts to masquerade as other domain users
that have logged in to those domain assets. This will allow local
administrators to temporarily escalate their domain privileges on
domain workstations or servers. If the local administrator masquerades
as an Active Directory Domain Admin account, the modified cached
account is now free to modify system files and user account profiles
using the identity of the Domain Admin's account. This includes
creating scripts to run as the Domain Admin account the next time that
they log in. All files created will not be linked to your domain
account in file and folder access lists. All security access lists
will only show the Domain Admin's account once you log out of the
>>>Wrong. The local administrator is already local administrator. There's
>>>nothing to elevate any more.
>>>
>>>> If the local administrator masquerades as an Active Directory Domain
>>>> Admin account, the modified cached account is now free to modify
>>>> system files and user account profiles using the identity of the
>>>> Domain Admin's account.
>>>
>>>There is no need to masquerade: the local administrator can perform
>>>all these modifications, and if s/he wishes, hide the tracks: turn off
>>>auditing before, clear audit/event logs afterwards, change the SID in
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB
Synchronizer client successfully authenticates to a Cisco Unified
Communications Manager device over a HTTPS connection, the Cisco
Unified Communications Manager returns credentials for a user account
that is used to manage the Cisco Unified Communications Manager
directory service. If an attacker is able to intercept the
credentials, they can perform unauthorized modifications to the Cisco
Unified Communications Manager configuration and extend their
privileges. The IP Phone PAB Synchronizer client has been redesigned
Wrong. The local administrator is already local administrator. There's
nothing to elevate any more.
> If the local administrator masquerades
> as an Active Directory Domain Admin account, the modified cached
> account is now free to modify system files and user account profiles
> using the identity of the Domain Admin's account.
There is no need to masquerade: the local administrator can perform all
these modifications, and if s/he wishes, hide the tracks: turn off
auditing before, clear audit/event logs afterwards, change the SID in
>Wrong. The local administrator is already local administrator. There's nothing
>to elevate any more.
>
>> If the local administrator masquerades as an Active Directory Domain
>> Admin account, the modified cached account is now free to modify
>> system files and user account profiles using the identity of the
>> Domain Admin's account.
>
>There is no need to masquerade: the local administrator can perform all these
>modifications, and if s/he wishes, hide the tracks: turn off auditing before,
>clear audit/event logs afterwards, change the SID in the ACEs of all objects
30743 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
[..]
16606 2005-04-20 2005-1238 AS/400 FTP Server for iSeries Traversal File Restriction Bypass
15300 2005-04-04 2005-1025 AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15079 2005-03-26 2005-0899 AS/400 LDAP User Account Name Disclosure
15074 2005-03-23 2005-0868 AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
[..]
: This raises a couple of questions:
software projects. The following security issues have been discovered
in Bugzilla:
* When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account.
* A CSRF vulnerability in the implementation of the JSON-RPC API
could be used to make changes to bugs or execute some admin tasks
without the victim's knowledge.
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a
hidden administrative backdoor account for continued access once a
system has been compromised. Once an attacker has compromised a
Microsoft Windows computer system using any method, they can either
leave behind a regular user or hijack a known user account (such as
ASPNET). This user account will now have all of the rights of the
built-in local administrator account from local or remote connections.
The user will also share the Administrator's desktop and profile. When
inspected by system administrators, the regular user always looks like
it is just part of the built-in user's group. The attacker can also
To all,
The reason I wrote this article was not to explain how to create a hidden
user account. I wrote the article to show you that you can modify the SAM
in real time in a way that is undetectable by ANYONE. This modification
allows you to masquerade any user account as the built-in Administrator.
Christian,
"Continued Access" to a system means that someone has compromised a system
>>Wrong. The local administrator is already local administrator. There's nothing
>>to elevate any more.
>>
>>> If the local administrator masquerades as an Active Directory Domain
>>> Admin account, the modified cached account is now free to modify
>>> system files and user account profiles using the identity of the
>>> Domain Admin's account.
>>
>>There is no need to masquerade: the local administrator can perform all these
>>modifications, and if s/he wishes, hide the tracks: turn off auditing before,
>>clear audit/event logs afterwards, change the SID in the ACEs of all objects
>>Wrong. The local administrator is already local administrator. There's
>>nothing to elevate any more.
>>
>>> If the local administrator masquerades as an Active Directory Domain
>>> Admin account, the modified cached account is now free to modify
>>> system files and user account profiles using the identity of the
>>> Domain Admin's account.
>>
>>There is no need to masquerade: the local administrator can perform
>>all these modifications, and if s/he wishes, hide the tracks: turn off
>>auditing before, clear audit/event logs afterwards, change the SID in
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the IceWarp
eMail Server.
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
renaming .exe's, using command-line profile specifications, or any other
tricks.
However, while futzing around one day trying to get two Outlooks
running, I had what I thought was a great idea -- I'd configure a
separate profile for Outlook under a different user account, and then
use "RunAs" to launch Outlook as that user, and all of my dreams would
come true. Boy, was I excited.
Well, it didn't work. In fact, it didn't work so well that it scared me.
Kayako Fusion is the world's leading multi-channel helpdesk solution that enables organizations to deliver a better customer experience and work more effectively as a team, whatever their size.
Whether over email, support tickets, self-help, live chat or voice, your customers' support history is tracked in one place and can be accessed from anywhere.
---[ Vulnerability Description ]
A vulnerability has been discovered in Kayako Fusion, which can be exploited by a malicious person with a 'staff' privileged user account.
The vulnerability exists in the logic of report generation, which is based on Kayako Query Language (KQL). An authorized 'staff' user can generate a report containing usernames and hashed passwords of all system users.
--[ How to fix ]
Update your software to the latest version
Medium
Details:
========
Multiple persistent input validation vulnerabilities are detected on Barracudas Spam & Virus Web Firewall 600. A local low-privileged user account can
implement/inject malicious persistent script code. When exploited by an authenticated user, the identified vulnerabilities
can lead to information disclosure, access to intranet-available servers, and manipulated persistent content.
Vulnerable Module(s):
[+] Trace route Device - Troubleshooting
mkdir /tmp/MathLink; ln -s /home/victim/.bashrc /tmp/MathLink/.gshmm
then when the victim runs Mathematica his ~/.bashrc will be clobbered.
New files are created world-writable, allowing a complete compromise of
the user account by linking to ~/.bash_logout . (If root ever uses
Mathematica then the damage is greater.)
Mathematica also uses /tmp/fonts$$.conf in insecure ways.
Workaround: use command-line math instead of pretty interface.
Introduction:
=============
Skype is a software application that allows users to make voice and video calls and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010. The network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of Skype are situated in the offices of Tallinn and Tartu, Estonia.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)
Sent: Friday, February 13, 2009 12:25 PM
To: bugtraq@securityfocus.com
Subject: Re: SEPKILL /im SMC.EXE /f
Just as an update couldn't get any further other than the fact that
SMCGui.exe is getting killed as it's running in the user account and SMC.exe
in the system account.
Thank you.
Regards, Sandeep
The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to log in over Secure Shell. The implementation of this security check has a flaw and
it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh')
4. Static Passwords for Privileged User Accounts
The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but it's just a question of resource allocation. These accounts include "soggycat", "sdadmin", and the "root" user account itself.
5. Remote Access via Stale SSH Authorized Keys