were also returned by other remote systems. This means that attacker A
only needs, in the best case scenario, to force user U to connect to his
own specially crafted SMB server once. Of course, user U must have
access (his credentials must be valid) to the other systems attacked.
This attack needs the victim to have port 445/tcp open and the attacker
to be able to access that port. The victim also needs to be able to
access port 445/tcp on the attacker's server (only once, to record
responses. Subsequent attacks do not need the victim to access the
attacker's system).
III - SESSION FIXATION
In a session fixation attack, the attacker has to set
the victim's session id. In our case, the attacker fixes
the user's session id: the victim, who is logged in,
will get logged out when the cookie is set, and then,
if the victim tries to log in, the session id will be
registered on the server. Let's see a part of the
logged_in() function:
the local filesystem of user's machines running vulnerable versions of IE.
Exploitation of the vulnerability relies solely on the ability for a
would-be attacker to provide malicious HTML content from a website and
to predict the full pathname for the file that will be used to cache it
locally on the victim's system. If the entire path name can be
predicted, the attacker can cause a redirection to the locally stored
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which permits running scripting
commands and instantiating certain ActiveX controls.
Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here
Impact:
Attacker could impersonate victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".
Versions tested:
Calcium 4.0.4 Vulnerable
Calcium 3.10 Vulnerable
appears to be taking place but can be easily circumvented by an attacker.
As a result, the entire attack surface of MSHTML is exposed to remote IM
peers. By having a way of sending data straight to the MSHTML library,
attackers could abuse such a high-risk attack vector to:
- Execute arbitrary shell commands in the victim's workstation.
- Direct the embedded IE to perform arbitrary HTTP requests (CSRF)
- Include HTML controls (links, images, forms…) in IM text messages in
order to trick users into revealing sensitive information or performing
harmful actions against their accounts/workstation/etc.
- Run JavaScript code within IE to enhance the attacks mentioned above.
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
to run arbitrary code on a victim's computer (CVE-2009-1563).
Security researcher Jeremy Brown reported that the file naming scheme
used for downloading a file which already exists in the downloads
folder is predictable. If an attacker had local access to a victim's
computer and knew the name of a file the victim intended to open
he can generate spoofed replies. The caching server will accept spoofed
reply as coming from authoritative name server and cache the fake data.
The attack scenario is as follows. The attacker controls the
authoritative name server for some zone, in our example
cache-poisoning.net. The victim has a recursive DNS server that the
attacker can query (ns.victim.com). The victim's server runs Microsoft
DNS server. The attacker wants the victim's DNS cache to think that
www.hotmail.com has IP address 127.0.0.1 (or any other).
First the attacker gathers a sample of DNS transaction IDs that
Description:
An XSS vulnerability has been found within HP System Management, arising
from insufficient input filtering.
By using a specially-crafted link, and tricking the victim into clicking
on it, an attacker can perform malicious attacks such as the following:
- Hijack user accounts by stealing the victim's cookies that are
assigned to the victim's browser by the vulnerable website
A HTTP GET request against the following URL will, on a web browser
with Javascript support, cause a dialog box saying '1' to be displayed:
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
against Cacti or if both the guest user has been activated (default:
disabled) and the graph view permission was set to 'guest' (default:
'No User').
Anyway, it is possible to abuse the "Check for mail using POP3"
capability to attack users' passwords in an automated way, evading all
the security restrictions and controls referred to above, as a
transparent attack that the user whose account is being password
cracked will not notice, since:
- There's no need for any action from the victim.
- There's no modification of the victim's password.
- There's no locking of the victim's account.
- There's no security notification to the victim.
The vulnerability is aggravated because Gmail allows weak passwords to be
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a select event handler for XUL tree items could be
called after the tree item was deleted. This results in the execution
of previously freed memory which an attacker could use to crash a
victim's browser and run arbitrary code on the victim's computer
(CVE-2010-0175).
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in the way <option> elements are inserted into
a XUL tree <optgroup>. In certain cases, the number of references
Description:
XSS vulnerabilities have been found within HP System Management, arising
from insufficient input filtering.
By using a specially-crafted link, and tricking the victim into clicking
on it, an attacker can perform malicious attacks such as the following:
- Hijack user accounts by stealing the victim's cookies that are
assigned to the victim's browser by the vulnerable website
OK, this is a bit of a funny attack - although it could also be used
for criminal purposes! After playing with the BT Home Hub for a while
(again!) [1], pdp and I discovered that attackers can steal/hijack
VoIP calls. Let me explain …
In summary, if the victim visits our evil proof-of-concept webpage,
his/her browser sends an HTTP request to the BT Home Hub's web
interface. After this, the Home Hub starts a VoIP/telephone connection
to the recipient's phone number specified in the exploit page. This is
what the attack looks like: the victim's VoIP telephone starts ringing
and shows an external call message on the LCD screen along with the
A remote arbitrary-code-execution vulnerability has been found in
Libpurple (used by Pidgin and Adium instant messaging clients, among
others), which can be triggered by a remote attacker by sending a
specially crafted MSNSLP packet [4] with invalid data to the client
through the MSN server. No victim interaction is required, and the
attacker is not required to be in the victim's buddy list (under default
configuration).
4. *Vulnerable packages*
8.2 Reflected Cross Site Scripting in index.php
------------------------------------------------------------------------------------------------------------------------
Severity: Medium
Requires: Register globals to be on
The victim user must be logged out
Magic quotes must be off
8.2.1 Proof of concept exploit
http://test/cutenews/index.php?lastusername='%3E%3Cscript%3Ealert(/xss/);%3C/script%3E
Google Chrome and Opera’s inbuilt RSS/ATOM Reader renders untrusted
javascript in an RSS/ATOM feed.
Exploit Scenarios
1. Scenario 1 –
1. Attacker social engineers a victim user to visit a rss/atom feed
link pointing to his or her evil site.
2. Victim uses Google Chrome / Opera browser to view the feed.
3. Malicious javascript gets executed on the victim's browser. Examples:
   1. Turns the page into a phishing page and asks for user credentials
      for subscribing to Google Reader / My.Opera.com
TwonkyMedia Server contains multiple Cross-Site Scripting (XSS)
vulnerabilities.
The TwonkyMedia web server fails to adequately sanitize user input
(HTTP request strings and form input); thus, an attacker may be able
to execute arbitrary script code in a victim's browser.
3. DETAILS
Two main vulnerabilities have been found.
The TwonkyMedia server IP address, in the following, is just denoted
Severity: High
Description:
HTTP requests can be forged due to lack of tokenization. By tricking the
victim to visit a third-party page while being logged in, certain
actions can be forged on behalf of the target user.
Notes:
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
Vulnerability Overview
----------------------
On March 27th, VSR identified a vulnerability in Java Web Start related
to the execution of privileged applications. This flaw could allow an
attacker to execute arbitrary code on a victim system if a user could be
convinced to visit a malicious web site.
Product Background
------------------
changes his password to the application. Given network access to SQL-Ledger, the
attacker could then use the application with the user's account and the newly set
password.
To set the password for the »test« user to »1234«, the following URL would need to
be retrieved by a victim:
http://sql-ledger-host/sql-ledger/am.pl?type=preferences&role=user&name=&email=&signature=&tel=&fax=&new_password=1234&confirm_password=1234&dateformat=mm-dd-yy&numberformat=1%2C000.00&vclimit=1000&menuwidth=155&countrycode=&timeout=10800&usestylesheet=sql-ledger.css&outputformat=html&printer=&old_password=te41jrt0ygm5k&path=bin%2Fmozilla&login=test&action=Save
As SQL-Ledger would typically run on an intranet server which is not directly accessible
to an outside attacker, the missing XSRF protection makes it much easier for an attacker
vulnerability may allow a Man-in-the-Middle (MITM) attacker to inject
arbitrary data into the beginning of the application protocol stream
protected by TLS.
The only ArubaOS component that seems affected by this issue is the
HTTPS WebUI administration interface. If a client browser (victim) is
configured to authenticate to the WebUI over HTTPS using a client
certificate, an attacker can potentially use the victim's credentials
temporarily to execute arbitrary HTTP requests for each initiation of an
HTTPS session from the victim to the WebUI. This would happen without
any HTTPS/TLS warnings to the victim. This condition can essentially be
Likelihood: 2 – Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 – Control over security appliances managed by the management console.
CVSS Severity (version 2.0)
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Confidentiality Impact: Partial
Integrity Impact: None
code in the context of the application processing the malicious font
file. All applications that support Embedded OpenType Fonts using the
T2EMBED library are likely to be vulnerable.
There are several attack vectors available to exploit this
vulnerability. A targeted victim may be lured to a website hosting a
malicious OpenType font, or the targeted victim may visit a trusted
website that has been compromised and is hosting a malicious font file.
Upon loading the web page, the victim's web browser is compromised.
Alternatively, an attacker may email a Microsoft Word document
containing a malicious embedded font to the victim. Upon opening the